The virus installs itself by creating a registry entry named "aux" or "aux#" whose data points to the location of the virus file. Some variants have also been seen to reuse the name of a legitimate Windows file and to copy themselves to a different location to help avoid detection. The file the "aux" entry points to may have a completely randomized name. It is a DLL, but its name may not end in .DLL.

When a program queries the key above and loads what it references, the DLL is mapped into that program's memory and creates a worker thread. An interesting point of stealth is that no open handle to the file remains afterwards, and no tool will show the DLL in the process's list of loaded modules.

Once loaded, the thread (the virus's program instructions) loops continuously, making system calls to perform its actions without stopping. This is why system performance seems to degrade without Task Manager showing any obvious high CPU usage.

The virus patches the entry points of CreateProcessW in kernel32.dll and of functions in WS2_32.dll (the Winsock library that handles network connectivity). The CreateProcessW hook lets the virus prevent a process from starting if the command line it was started with contains certain strings, such as "cmd" or "reged".

It also creates a small file in the SYSTEM32 folder, "sqlsodbc.chm". I do not know the purpose of this file, and its contents appear to be random characters (it might be encoded).
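The artifacts described above (an "aux"/"aux#" registry value pointing to a DLL whose name may not end in .dll, the command-line filter applied by the CreateProcessW hook, and the sqlsodbc.chm file) can be triaged offline from a .reg export and a copy of the file, for instance while the drive is mounted in another PC. The following Python script is an added example written for this article, not code from the original author. The registry key path and file names in the .reg sample, the sample file bytes, and the 7.0 entropy threshold are all constructed for illustration; the only facts taken from outside the article are that a genuine CHM file begins with the bytes "ITSF" and that .reg exports double their backslashes.

```python
import math
import re

# Value names the article associates with the infection: "aux" or "aux#".
# The meaning of "#" is not given, so an optional digit suffix is accepted.
AUX_NAME_RE = re.compile(r"^aux(#\d*)?$", re.IGNORECASE)

# One value line of a .reg export:  "name"="data"  (backslashes are doubled).
REG_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')

# Command-line substrings the article says the CreateProcessW hook refuses.
BLOCKED_SUBSTRINGS = ("cmd", "reged")

# Genuine compiled HTML Help (.chm) files start with this 4-byte signature.
CHM_MAGIC = b"ITSF"

# Constructed .reg export; the key path and the file name are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedExample]
"aux"="C:\\WINDOWS\\system32\\xkqwt.tmp"
"aux#1"="C:\\WINDOWS\\system32\\xkqwt.tmp"
"legit"="C:\\WINDOWS\\system32\\user32.dll"
'''

# Constructed stand-ins for sqlsodbc.chm: one random-looking (every byte
# value appears equally often, so entropy is exactly 8 bits), one that
# begins like a real CHM and is mostly padding.
FAKE_CHM = bytes((i * 73 + 41) % 256 for i in range(1024))
REAL_CHM_PREFIX = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 200


def find_aux_entries(reg_text):
    """Return (key, value_name, path) for every aux / aux# value in a .reg export."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and AUX_NAME_RE.match(m.group(1)):
            path = m.group(2).replace("\\\\", "\\")   # undo .reg escaping
            hits.append((current_key, m.group(1), path))
    return hits


def looks_like_disguised_dll(path):
    """The article says the payload is a DLL that may not carry a .dll extension."""
    return not path.lower().endswith(".dll")


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_sqlsodbc_chm(data):
    """Triage a copy of system32\\sqlsodbc.chm taken from the slaved drive.

    The header is the deciding check: a real CHM starts with ITSF. Entropy is
    reported as supporting evidence only, because compressed genuine CHM files
    can also be high-entropy. The 7.0 threshold is an assumption.
    """
    entropy = shannon_entropy(data)
    reasons = []
    if not data.startswith(CHM_MAGIC):
        reasons.append("missing ITSF header")
        if entropy > 7.0:
            reasons.append("random-looking contents (entropy %.2f)" % entropy)
    return {"suspicious": bool(reasons), "entropy": entropy, "reasons": reasons}


def hook_would_block(cmdline):
    """Mimic the described CreateProcessW filter: a plain substring match."""
    low = cmdline.lower()
    return any(s in low for s in BLOCKED_SUBSTRINGS)


if __name__ == "__main__":
    for key, name, path in find_aux_entries(SAMPLE_REG):
        flag = " (not named .dll)" if looks_like_disguised_dll(path) else ""
        print("%s\\%s -> %s%s" % (key, name, path, flag))
    print("fake chm:", check_sqlsodbc_chm(FAKE_CHM))
    print("real chm prefix:", check_sqlsodbc_chm(REAL_CHM_PREFIX))
    for cmd in (r"C:\WINDOWS\system32\cmd.exe /c dir", "regedit.exe",
                r"C:\tools\mycmdtool.exe", r"C:\WINDOWS\notepad.exe"):
        print("blocked" if hook_would_block(cmd) else "allowed", cmd)
```

Because the hook's check is a substring match on the command line, the last loop also shows it catching an unrelated program whose name merely contains "cmd"; that side effect follows directly from the filter the article describes.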

1.) I removed it by installing the infected drive as a slave drive in another PC that had up-to-date virus scanning software. I scanned the slave drive for viruses and deleted them. *Make a note of the file names and paths.

2.) I re-installed the drive in the original PC and booted into Safe Mode (F8), with the network cable unplugged.

3.) Disabled System Restore.

4.) Re-scanned the drive for viruses.

5.) Searched the registry for the files that were found in the scan and deleted those entries.

6.) Rebooted in normal mode and scanned again. If clean, plugged the network cable back in, rebooted, and then re-enabled System Restore.

I hope this helps folks that have been infected.

Article ID: 47, Created On: 6/11/2009, Modified: 11/1/2013
