Re: CSRSS.EXE Virus That Won't Go Away

From: "Swapnesh" <swap_par205@xxxxxxxxxxxxx>

| But CSRSS is a system service and it uses CSRSS.exe. If you want to verify you
| can press CTRL+ALT+DEL.
| You can see it there under the PROCESS tab. OK.
| And it says it's a system service.
| Now when Windows starts it will try to run CSRR.exe and when anything is not
| found it simply tells "File not found".
| So give it the file it wants. Though the file was infected and was removed, you
| can give it a fresh one. It's like giving a missing DLL. Haven't you tried it yet
| ????
| If not then you should try.
| And has "ugetnome" tried to remove the registry entry and seen that it works??

It is a well-established methodology to use the name of legitimate MS Windows kernel files
for the name of viral and non-viral malware. This is designed to lure you into a false
sense of security. You see the name of the executable running, assume that it is an OS file
and think it is OK. -- WRONG. One must examine WHERE the executable is being executed from.
Since replacing an OS kernel file could break the OS, it has to be executed from a location
that is not the standard OS one.

In the case of this infector: %windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE
%windir%\SYSTEM32\VIVNUFFTO is not a Windows OS folder. It was created by the infector.

Sample infectors that use the name CSRSS.EXE are...

W32/Buchon.c@MM --

W32/Sober.l@MM --

W32/Melare@MM --

W32/Netsky.ab@MM --

MultiDropper-JW --

Downloader-MC --

An example of a file name that is most often used is SVCHOST.EXE. There are *many*
viral and non-viral infectors that use this name. If this file is found on a Win9x/ME PC
then you are almost guaranteed to be infected. If it is found on an NT-based PC then one must
look at the location from which it is being executed. In addition, many use variations upon
this name such as SCVHOST.EXE.

If SVCHOST.EXE is found in the root of C: (C:\SVCHOST.EXE) then there is a high chance of
this being the CodeBlue worm.
W32/CodeBlue.worm --

If SVCHOST.EXE is found in %windir% then there is a high chance of this being the Cozit worm.
W32/Cozit.worm --

If SVCHOST.EXE is found in %windir%\SYSTEM32\DRIVERS then there is a high chance of this
being a Nachi worm variant.
W32/Nachi.worm.c --
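The "look at WHERE it is being executed from" check, turned into something you can run over a process inventory. This is an added example and not code from the original thread. It assumes %windir% is C:\WINDOWS, that the only legitimate home for csrss.exe and svchost.exe on an NT-based system is %windir%\system32 (on 64-bit Windows svchost.exe also lives in SysWOW64, which the example ignores), and the location-to-family hints are exactly the ones stated in the post. The process list at the bottom is constructed sample data shaped like Tasklist output, not a real capture; the names `classify`, `triage`, `osa_distance` and `lookalike_of` are this example's own.

```python
r"""Location check for processes that borrow Windows system file names.

Added example, not code from the original thread. Assumptions: %windir%
is C:\WINDOWS and the only legitimate home for csrss.exe and svchost.exe
on an NT-based system is %windir%\system32. The process inventory at the
bottom is constructed sample data, not a real capture.
"""
import ntpath  # Windows path semantics, even when run on a non-Windows box

WINDIR = ntpath.normcase(r"C:\WINDOWS")           # assumption: %windir%
SYSTEM32 = ntpath.join(WINDIR, "system32")
MIMICKED = ("csrss.exe", "svchost.exe")           # names discussed in the post

# Where the real binaries live on NT-based Windows (assumption, see above).
LEGIT_DIRS = {name: {SYSTEM32} for name in MIMICKED}

# Location -> family hints for SVCHOST.EXE, as given in the post.
SVCHOST_HINTS = {
    ntpath.normcase("C:\\"): "W32/CodeBlue.worm",
    WINDIR: "W32/Cozit.worm",
    ntpath.join(SYSTEM32, "drivers"): "W32/Nachi.worm.c",
}


def osa_distance(a, b):
    """Optimal-string-alignment edit distance (insert, delete, substitute,
    adjacent transposition), so SCVHOST.EXE is one step from SVCHOST.EXE."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the system file name this name imitates (one edit away), or None."""
    for real in MIMICKED:
        if name != real and osa_distance(name, real) <= 1:
            return real
    return None


def classify(name, path, os_family="NT"):
    """Return (verdict, detail); verdict is 'ok', 'suspect', 'infected' or 'unknown'."""
    name = name.lower()
    directory = ntpath.dirname(ntpath.normcase(path))
    # Win9x/ME never shipped svchost.exe, so its mere presence is the tell.
    if name == "svchost.exe" and os_family == "9x":
        return ("infected", "svchost.exe does not exist on Win9x/ME")
    if name in LEGIT_DIRS and directory in LEGIT_DIRS[name]:
        return ("ok", "expected OS location")
    if name == "svchost.exe" and directory in SVCHOST_HINTS:
        return ("suspect", SVCHOST_HINTS[directory])
    if name in LEGIT_DIRS:
        # Real name, but running from a folder the OS never put it in.
        return ("suspect", "runs from non-OS folder " + directory)
    real = lookalike_of(name)
    if real:
        return ("suspect", "name mimics " + real)
    return ("unknown", "not a mimicked system file name")


def triage(processes, os_family="NT"):
    """Classify every (name, path) pair; returns (name, path, verdict, detail) rows."""
    return [(n, p) + classify(n, p, os_family) for n, p in processes]


# Constructed sample inventory (not a real capture), shaped like Tasklist output.
SAMPLE = [
    ("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    ("CSRSS.EXE", r"C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE"),
    ("svchost.exe", r"C:\SVCHOST.EXE"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
]

if __name__ == "__main__":
    for name, path, verdict, detail in triage(SAMPLE):
        print(f"{verdict:8} {path:48} {detail}")
```

Only the first row comes back "ok"; the VIVNUFFTO copy is flagged purely on its folder, the three svchost.exe rows map to the CodeBlue, Cozit and Nachi hints from the post, and scvhost.exe is caught by the one-edit name check even though it sits in system32. Feeding it a real inventory means pairing each image name with its full path (Process Explorer or `wmic process get name,executablepath` give both; Task Manager on the systems discussed here shows only the name, which is exactly the gap the malware relies on).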