Re: CSRSS.EXE Virus That Won't Go Away



From: "Swapnesh" <swap_par205@xxxxxxxxxxxxx>

| But CSRSS is a system service, and it uses CSRSS.exe. If you want to verify, you
| can press CTRL+ALT+DEL.
| You can see it there under the PROCESS tab. OK.
| And it says it's a system service.
|
| Now when Windows starts it will try to run CSRR.exe, and when nothing is
| found it simply tells you "File not found".
|
| So give it the file it wants. Though the file was infected and was removed, you
| can give it a fresh one. It's like giving a missing DLL. Haven't you tried it yet?
| If not, then you should try.
| And has "ugetnome" tried to remove the registry entry and seen that it works?
|

It is a well established methodology to use the name of legitimate MS Windows Kernel files
for the name of viral and non-viral malware. This is designed to lure you into a false
sense of security. You see the name of the executable running, assume that it is an OS file
and think it is OK. -- WRONG. One must examine WHERE the executable is being executed from.
Since replacing an OS Kernel file could break the OS, it has to be executed from a non OS
standard location.

In the case of this infector: %windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE
%windir%\SYSTEM32\VIVNUFFTO is not a Windows OS folder. It was created by the infector.

Sample infectors that use the name CSRSS.EXE are...

C:\CSRSS.EXE
W32/Buchon.c@MM -- http://vil.nai.com/vil/content/v_130857.htm

%WinDir%\MSAGENT\WIN32\CSRSS.EXE
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm

%WinDir%\CSRSS.EXE
W32/Melare@MM -- http://vil.nai.com/vil/content/v_100306.htm

%WinDir%\CSRSS.EXE
W32/Netsky.ab@MM -- http://vil.nai.com/vil/content/v_124873.htm

%WinDir%\CSRSS.EXE
MultiDropper-JW -- http://vil.nai.com/vil/content/v_101115.htm

%WinDir%\CSRSS.EXE
Downloader-MC -- http://vil.nai.com/vil/content/v_126644.htm
An example of a file name that is most often used is SVCHOST.EXE. There are *many*
viral and non-viral infectors that use this name. If this file is found on a Win9x/ME PC
then you are almost guaranteed to be infected. If it is found on an NT based PC then one must
look at the location of where it is being executed. In addition many use variations upon
this name such as SCVHOST.EXE.

Examples:
If SVCHOST.EXE is found in the root of C: (C:\SVCHOST.EXE) then there is a high chance of
this being the CodeBlue worm.
W32/CodeBlue.worm -- http://vil.nai.com/vil/content/v_99202.htm

If SVCHOST.EXE is found in %windir% then there is a high chance of this being the Cozit
worm.
W32/Cozit.worm -- http://vil.nai.com/vil/content/v_99761.htm

If SVCHOST.EXE is found in %windir%\SYSTEM32\DRIVERS then there is a high chance of this
being a Nachi worm variant.
W32/Nachi.worm.c -- http://vil.nai.com/vil/content/v_101025.htm
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
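As an added example, not part of Dave's or Swapnesh's posts: a small Python triage helper that applies the rule the reply gives (judge a system-file name by the folder it runs from, not by the name alone). The %windir% value and the sample process list are constructed for the demonstration; it assumes that on NT-based Windows the legitimate csrss.exe and svchost.exe live in %windir%\System32, and that a one-letter variant such as SCVHOST.EXE is a look-alike, as the post describes.

```python
"""Flag processes whose image name matches a Windows system binary but whose
folder is not where the legitimate binary runs from (added example)."""
from ntpath import basename, dirname, normpath

# Constructed value for %windir%; a real check would read the environment.
WINDIR = r"C:\WINDOWS"
SYSTEM32 = (WINDIR + r"\system32").lower()

# Assumed legitimate folders for the names the post discusses (NT-based Windows).
EXPECTED_DIRS = {
    "csrss.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32},
}
# Variations on a real name, as the post mentions for SCVHOST.EXE.
LOOKALIKES = {"scvhost.exe": "svchost.exe"}


def expand(path):
    """Lower-case the path and expand the %windir% placeholder."""
    return path.lower().replace("%windir%", WINDIR.lower())


def classify(image_path, os_family="nt"):
    """Return (verdict, reason) for a process's full image path."""
    p = normpath(expand(image_path))
    name, folder = basename(p), dirname(p)
    if name in LOOKALIKES:
        return ("suspicious", f"name mimics {LOOKALIKES[name]}")
    if name not in EXPECTED_DIRS:
        return ("unknown", "not a monitored system-file name")
    if name == "svchost.exe" and os_family == "9x":
        # The post: SVCHOST.EXE on Win9x/ME is almost certainly an infector.
        return ("suspicious", "svchost.exe is not a Win9x/ME system file")
    if folder in EXPECTED_DIRS[name]:
        return ("ok", "running from an OS folder")
    return ("suspicious", f"{name} running outside {sorted(EXPECTED_DIRS[name])}")


def triage(process_list, os_family="nt"):
    """Classify every path in a constructed process list."""
    return [(path, *classify(path, os_family)) for path in process_list]


# Constructed sample process list, using the locations quoted in the post.
SAMPLE = [
    r"%windir%\System32\csrss.exe",
    r"%windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE",
    r"C:\CSRSS.EXE",
    r"%windir%\MSAGENT\WIN32\CSRSS.EXE",
    r"C:\SVCHOST.EXE",
    r"%windir%\SYSTEM32\DRIVERS\SVCHOST.EXE",
    r"%windir%\System32\SCVHOST.EXE",
]

if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE):
        print(f"{verdict:10} {path}  ({reason})")
```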