enkai.exe

Here we have a Rootkit.0Access.XGen Virus/Malware attack that kept sending requests out to websites (most likely to continue the malicious activity on the host computer). We changed the TrendMicro settings to block automatic access to certain websites, so we are now being notified of Unauthorized URLs.

Virus/Malware: enkai.exe

Hard Drive Location:
C:\Documents and Settings\%username%\Application Data\Yvqouw
Always look for bogus folders in the Application Data directory. Yvqouw is definitely bogus.

There was also a variant bogus folder containing the files xono.oco and xono.tmp:
C:\Documents and Settings\%username%\Application Data\Ungue

Also remember to take this time to clean out:
C:\Documents and Settings\%username%\Local Settings\Temp

Registry Location:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
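The three checks above (the Application Data folders, the user's Temp directory, and the HKCU Run key) can be done in one pass. The script below is an added example, not something from the original post or from TrendMicro; it assumes PowerShell 3.0 or later and uses the $env:APPDATA and $env:TEMP variables, which resolve to the "Application Data" and "Local Settings\Temp" paths on the XP-era layout shown above. It only reports; the final Remove-Item runs with -WhatIf so nothing is deleted until the operator removes that switch.

```powershell
# Added triage example (not from the original post). Assumes PowerShell 3+.
# $env:APPDATA -> C:\Documents and Settings\<user>\Application Data on XP
# $env:TEMP    -> C:\Documents and Settings\<user>\Local Settings\Temp on XP
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appData = $env:APPDATA
$tempDir = $env:TEMP

# 1. List every Run value; flag any whose command line points into Application Data,
#    which is where the post's Yvqouw and Ungue folders lived.
Write-Host "== HKCU Run entries =="
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # skip PowerShell's own PSPath/PSParentPath etc.
        ForEach-Object {
            $flag = if ("$($_.Value)" -match [regex]::Escape($appData)) { 'SUSPECT' } else { '' }
            "{0,-8} {1} = {2}" -f $flag, $_.Name, $_.Value
        }
}

# 2. List top-level folders in Application Data, newest first, with a file count.
#    Short random-looking names that match no installed product deserve a closer look.
Write-Host "`n== Application Data folders =="
Get-ChildItem -Path $appData -Directory -Force |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $files = @(Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue).Count
        "{0:yyyy-MM-dd HH:mm}  {1,4} file(s)  {2}" -f $_.LastWriteTime, $files, $_.Name
    }

# 3. Size up the user's Temp directory and preview (-WhatIf) the cleanup.
Write-Host "`n== Temp directory =="
$tempFiles = @(Get-ChildItem -Path $tempDir -Recurse -File -Force -ErrorAction SilentlyContinue)
$tempBytes = ($tempFiles | Measure-Object -Property Length -Sum).Sum
"{0} file(s), {1:N1} MB" -f $tempFiles.Count, ($tempBytes / 1MB)
Get-ChildItem -Path $tempDir -Force -ErrorAction SilentlyContinue |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue -WhatIf
```

Run it in the affected user's session so HKCU and the profile variables point at the right profile; a SUSPECT line in the Run output plus a freshly written, near-empty folder in the second list is the pattern this post describes.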

The blocked websites:
http://nahwisohch.ru/bin/xxl.bin
http://munaeghohz.ru/bin/xxl.bin
http://jupaizeuph.ru/bin/xxl.bin
