Suspicious File Ino6.exe [solved]

gilb_4
edited June 2008 in Sample submission

Hi there:


I'm submitting this file that is spreading via autorun.inf. Bitdefender 2008 (updated today 2008/03/25) wasn't able to detect it as malware or anything like it.


It seems that it tries to write keys in the registry automatically and disables showing hidden files and protected system files.


The password is:


infected


Greetings from Mexico


Gil


Here is another file that is created when this thing infects the system. This file is in the %systemroot%\system32 folder.


The password is:


infected


Help, because I was careless and got myself infected :(:(:(


It cannot be detected running with Task Manager nor with Sysinternals Process Explorer. (I know it is running because it doesn't allow me to change the setting 'show hidden files and folders' nor 'show protected system files'.)


OK, I'm doing more research about these annoying freaking files. It seems that it registers the following files (see the attachment):


amvo0.dll


amvo1.dll


I used Sysinternals Process Monitor and it seems that amvo1 is "running" (i.e. loaded) within explorer.exe; I noticed that because explorer.exe was the process that is constantly refreshing the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden key value to '2'. This action effectively disables the ability to show hidden files.


The password for the zip is again:


infected


Regards.


PS. I found this information 'googling' for the files:


http://mssadik73.blogspot.com/2008/01/dcom-virus.html


Thanks a lot
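
The Process Monitor observation in the post above can be turned into a repeatable check. The following is an added example, not part of the original post: it assumes a Process Monitor CSV export with the default columns, and the sample rows, PIDs and the threshold of 3 are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Tail of the registry value named in the post, lower-cased for comparison.
TARGET = r"\explorer\advanced\hidden"

# Constructed sample of a Process Monitor CSV export (not data from the post).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.10 AM","explorer.exe","1480","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:00.20 AM","explorer.exe","1480","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:01.00 AM","regedit.exe","2212","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:01.10 AM","explorer.exe","1480","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.10 AM","explorer.exe","1480","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:03.10 AM","explorer.exe","1480","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
'''


def data_field(detail):
    """Extract the 'Data' item from a Detail cell such as 'Type: REG_DWORD, Length: 4, Data: 2'."""
    for part in detail.split(","):
        key, _, value = part.strip().partition(":")
        if key == "Data":
            return value.strip()
    return None


def repeated_hidden_writes(csv_text, threshold=3):
    """Return {(process, pid): count} for processes that set Hidden to 2 at least `threshold` times."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only successful writes count; reads of the value are normal Explorer activity.
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        if not row["Path"].lower().endswith(TARGET):
            continue
        # A value of 2 is the "do not show hidden files" setting described in the post.
        if data_field(row["Detail"]) != "2":
            continue
        counts[(row["Process Name"], int(row["PID"]))] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (name, pid), n in repeated_hidden_writes(SAMPLE_CSV).items():
        print(f"{name} (PID {pid}) forced Hidden=2 {n} times")
```

A process that keeps writing the same value back after the user changes it is the pattern to look for; the next step is to review the modules loaded in that process.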

Comments