Here we have a Rootkit.0Access.XGen Virus/Malware attack, which kept sending out requests to websites (most likely to continue the malicious attacks on the host computer). We made a change in the TrendMicro settings to block automatic access to certain websites, so we are now being notified of Unauthorized URLs.
Virus/Malware: enkai.exe
Hard Drive Location:
C:\Documents and Settings\%username%\Application Data\Yvqouw
Remember to always look for bogus folders in the Application Data directory. Yvqouw is definitely bogus.
There was also a variant bogus folder with the files xono.oco and xono.tmp:
C:\Documents and Settings\%username%\Application Data\Ungue
Also remember to take this time to clean out:
C:\Documents and Settings\%username%\Local Settings\Temp
Registry Location:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The blocked websites:
http://nahwisohch.ru/bin/xxl.bin
http://munaeghohz.ru/bin/xxl.bin
http://jupaizeuph.ru/bin/xxl.bin
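As an added example that is not part of the original post, the Python script below checks the two places the note points at: HKCU Run values that launch a program from Application Data or Local Settings\Temp (or that name the files and folders listed above), and proxy log lines that carry one of the blocked download URLs. The Run values, the user name jdoe, the proxy log lines and the otherhost.example domain are constructed samples; treating any URL ending in /bin/xxl.bin as suspicious is my generalization from the three URLs listed, not something the post states.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the write-up above.
KNOWN_FOLDERS = {"yvqouw", "ungue"}
KNOWN_FILES = {"enkai.exe", "xono.oco", "xono.tmp"}
KNOWN_URLS = {
    "http://nahwisohch.ru/bin/xxl.bin",
    "http://munaeghohz.ru/bin/xxl.bin",
    "http://jupaizeuph.ru/bin/xxl.bin",
}
# All three listed URLs share this path; matching on it alone is an assumption
# that other download hosts of the same family use it as well.
URL_PATH_PATTERN = re.compile(r"https?://[^/\s]+/bin/xxl\.bin", re.IGNORECASE)

# Per-user writable directories from which a Run value should rarely launch.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\")

# Constructed sample of HKCU\...\Run values (name, data); not a real registry export.
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Yvqouw", r"C:\Documents and Settings\jdoe\Application Data\Yvqouw\enkai.exe"),
    ("Ungue", r"C:\Documents and Settings\jdoe\Application Data\Ungue\xono.oco"),
    ("Updater", r"C:\Documents and Settings\jdoe\Local Settings\Temp\upd.exe"),
    ("Vendor", '"C:\\Program Files\\Vendor\\tray.exe" /background'),
]

# Constructed proxy log lines: timestamp, client address, URL, action.
SAMPLE_PROXY_LOG = [
    "T1 10.0.0.5 http://nahwisohch.ru/bin/xxl.bin BLOCKED",
    "T2 10.0.0.5 http://www.example.com/index.html ALLOWED",
    "T3 10.0.0.7 http://otherhost.example/bin/xxl.bin BLOCKED",
    "T4 10.0.0.9 http://munaeghohz.ru/bin/xxl.bin BLOCKED",
]


def executable_path(command: str) -> str:
    """Return the program path from a Run value: the quoted part if the value is
    quoted, otherwise everything before the first ' /' or ' -' argument marker."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]


def classify_run_value(data: str) -> list:
    """List the reasons a Run value matches the persistence described above; [] if none."""
    path = executable_path(data)
    parts = PureWindowsPath(path).parts
    file_name = parts[-1].lower() if parts else ""
    folder = parts[-2].lower() if len(parts) >= 2 else ""
    lowered = path.lower()
    reasons = []
    if file_name in KNOWN_FILES:
        reasons.append("known malicious file name")
    if folder in KNOWN_FOLDERS:
        reasons.append("known bogus Application Data folder")
    if any(d in lowered for d in SUSPICIOUS_DIRS):
        reasons.append("autorun launched from a profile-writable directory")
    return reasons


def triage_run_values(values) -> dict:
    """Map Run value name -> reasons, keeping only entries with at least one reason."""
    flagged = {}
    for name, data in values:
        reasons = classify_run_value(data)
        if reasons:
            flagged[name] = reasons
    return flagged


def find_download_attempts(log_lines) -> list:
    """Return (client, url) pairs for log lines whose URL is a listed indicator
    or matches the shared /bin/xxl.bin path."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        if url.lower() in KNOWN_URLS or URL_PATH_PATTERN.fullmatch(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name}: {'; '.join(reasons)}")
    for client, url in find_download_attempts(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}")
```

To use it on a real machine, replace SAMPLE_RUN_VALUES with the values exported from the Run key shown above and SAMPLE_PROXY_LOG with the TrendMicro or proxy log; the "profile-writable directory" reason is the one that keeps working after the folder names change, since the random folder name is the only part of this infection that varies.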