Haven't blogged for a very long time. Guess I was too busy, and because of the change of environment this year.
Infected by a virus last week. Not sure how it happened, but it came from a USB flash drive. I called it the Jovana virus because it creates a recycler folder called Jovana on each drive.
C:\documents and settings\administrator\application data\yjty.exe
C:\Documents and Settings\Administrator\csrss.exe
I tried to delete these files, but the process was still running. Killing it with Process Explorer was also fruitless.
Then I tried Unlocker; only then was I able to delete the files. I need to find that program again.
Here is the content of the autorun file (autorun.inf on the drive):
"sêË×ÄÑÀÊÄêÎ׊ÄÌäêëàñ×ÄÊËŒŠ×ÄÊËœš÷L?DAdlq?dw?nmkslakdl?l?wqdw?ÝÆÂÁôûÄâëáÝÆÖÁÂüëàñäæôûñüáìäæüæËÄÌÜÎÄÙÆËÛÂÕÙÖËâàëâôäæüñûôäÆÑüáûôäÆÑÜÁÔÛÄÑËÁÇÂÖÆÜâÖÆÄÉüáâæâÆÄËÎÛÔÆâëÆÔÜÛÄÆüáñÄÆëáâ÷ÙÂËÖÆüâÖÄÆëâëáÔÛÄÆìüáäæÛÔÌÁÔÛÄÆÁ×üëôÙÖÌÜÎÖÆÌÒÔÖÙÂËÔÆôûüÄÆÌÀÔÛËÂÝÆËÄÖÉÂÖÒÉàîÀÆö
open=JOVANA/pojatar.exe
action=Open folder to view files using Windows Explorer
icon=JOVANA/pojatar.exe
Shell\open\command=JOVANA/pojatar.exe
shell\open\command=JOVANA/pojatar.exe
USEAUTOPLAY=1
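As an added example (not code from the original post), here is a small Python triage script for autorun.inf files like the one listed above. Windows reads autorun.inf as an INI file: anything before the `[autorun]` section header is ignored, which is why this kind of worm prepends a line of junk bytes (it trips up naive signature scanners without affecting Windows), and key names are case-insensitive, so `Shell\open\command` and `shell\open\command` are the same key written twice. The sample input below is constructed to mirror the listing above; it assumes an `[autorun]` header that the excerpt on the page does not show, and the path `JOVANA/pojatar.exe` is taken from the listing.

```python
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the listing above (the junk line and the
# [autorun] header are assumptions; the excerpt on the page shows no header).
SAMPLE_AUTORUN = (
    b"s\xea\xcb\xd7\xc4\xd1junk?bytes?before?the?header\xf7\xd9\xc2\xcb\n"
    b"[autorun]\n"
    b"open=JOVANA/pojatar.exe\n"
    b"action=Open folder to view files using Windows Explorer\n"
    b"icon=JOVANA/pojatar.exe\n"
    b"Shell\\open\\command=JOVANA/pojatar.exe\n"
    b"shell\\open\\command=JOVANA/pojatar.exe\n"
    b"USEAUTOPLAY=1\n"
)

# A constructed benign file for comparison: only a drive label and an icon.
BENIGN_AUTORUN = b"[autorun]\nlabel=My USB\nicon=drive.ico\n"

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Keys that make Windows run something: open, shellexecute, shell\<verb>\command
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(data: bytes) -> dict:
    """Parse autorun.inf bytes into {'keys': {name: [values...]}, 'header_seen': bool}.

    Mirrors the INI rules that matter here: only the [autorun] section counts,
    lines without '=' are ignored (so junk bytes do no harm), key names are
    case-insensitive, and repeated keys are kept so duplicates can be reported.
    If the file has no [autorun] header at all, every key is read leniently so
    that a damaged or excerpted file still yields something to look at.
    """
    lines = data.decode("latin-1").splitlines()   # latin-1 never fails on junk
    header_seen = any(l.strip().lower() == "[autorun]" for l in lines)
    in_section = not header_seen                  # lenient mode when no header
    keys = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        keys[name.strip().lower()].append(value.strip())
    return {"keys": dict(keys), "header_seen": header_seen}


def triage_autorun(parsed: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    keys = parsed["keys"]
    if not parsed["header_seen"]:
        findings.append("no [autorun] header; keys parsed leniently")
    for name, values in keys.items():
        if len(values) > 1:
            findings.append(f"duplicate key {name!r} ({len(values)} times)")
        for value in values:
            if not LAUNCH_KEY.match(name):
                continue
            # first token is the program; anything after it is arguments
            target = value.split()[0].strip('"') if value.split() else value
            kind = "executable" if target.lower().endswith(EXEC_EXT) else "file"
            findings.append(f"{name} launches {kind} {target}")
    # icon from an .exe plus "open folder" wording = disguised as a folder
    icon = keys.get("icon", [""])[0]
    action = " ".join(keys.get("action", [])).lower()
    if icon.lower().endswith(EXEC_EXT) and "folder" in action:
        findings.append(f"folder disguise: icon taken from {icon}, action text {action!r}")
    if keys.get("useautoplay", [""])[0] == "1":
        findings.append("useautoplay=1 present")
    return findings


def triage_file(path: str) -> list:
    """Triage an autorun.inf on disk, e.g. triage_file('E:\\autorun.inf')."""
    with open(path, "rb") as fh:
        return triage_autorun(parse_autorun(fh.read()))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    for finding in triage_autorun(parse_autorun(data)) or ["nothing suspicious"]:
        print(finding)
```

Run it with the path to an autorun.inf from a suspect drive, or with no argument to see the findings for the constructed sample: every launch key pointing at an executable, the duplicated `shell\open\command` key, and the icon/action pair that makes the drive root look like a plain folder in Explorer.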
Then it created a lot of processes from the temp folder.
It also modifies the registry by creating a few startup entries.
Here is one of the entries it created:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell"="explorer.exe,C:\\Documents"
The rest I forget, because I deleted them as soon as they appeared.
If the process is still alive, it will recreate all the entries in the registry. Only after I killed it was I able to fully stop it from modifying the registry.
This is taken from ThreatExpert.com:
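The Winlogon `Shell` value is a comma-separated list of programs Windows starts as the shell at logon. On a clean machine it is simply `explorer.exe` under HKLM, and HKCU normally has no `Shell` value at all, so the path appended after `explorer.exe,` in the entry above is what keeps the worm running across logons. As an added example (not code from the original post), here is a Python check that reads both hives (the registry read only works on Windows) and reports anything beyond explorer.exe; the `C:\x\y.exe` path used in the comments is a constructed placeholder, not the truncated path from the entry above.

```python
import sys

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_extras(value: str) -> list:
    """Return every entry of a Winlogon 'Shell' value that is not explorer.exe.

    The value is a comma-separated program list; Windows starts each one.
    Comparison is on the file name only, so 'C:\\Windows\\explorer.exe' is
    still treated as the normal shell, while 'explorer.exe,C:\\x\\y.exe'
    (a constructed example) yields ['C:\\x\\y.exe'].
    """
    extras = []
    for part in value.split(","):
        program = part.strip().strip('"')
        if not program:
            continue
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "explorer.exe":
            extras.append(program)
    return extras


def read_shell_values() -> dict:
    """Read 'Shell' from the HKCU and HKLM Winlogon keys (Windows only).

    Returns {'HKCU': value-or-None, 'HKLM': value-or-None}; None means the
    value (or the key) does not exist, which is the expected state for HKCU.
    """
    if sys.platform != "win32":
        raise OSError("the registry is only readable on Windows")
    import winreg
    result = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                result[hive_name] = winreg.QueryValueEx(key, "Shell")[0]
        except FileNotFoundError:          # key or value absent
            result[hive_name] = None
    return result


def report(values: dict) -> list:
    """Turn read_shell_values() output into findings (empty list = clean)."""
    findings = []
    for hive_name, value in values.items():
        if value is None:
            continue
        if hive_name == "HKCU":            # any per-user Shell value is unusual
            findings.append(f"HKCU Shell value exists: {value!r}")
        for extra in shell_extras(value):
            findings.append(f"{hive_name} Shell starts extra program: {extra}")
    return findings


if __name__ == "__main__":
    for line in report(read_shell_values()) or ["Shell values look clean"]:
        print(line)
```

Run it from an administrator prompt after the process has been killed; if it still reports an extra program a moment later, the worm is still alive somewhere and rewriting the value, which matches the behaviour described above.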
JOVANA.EXE has been seen to perform the following behavior:
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This process creates other processes on disk
Executes Processes stored in Temporary Folders
This Process Deletes Other Processes From Disk
Executes a Process
Injects code into other processes
Copies files
JOVANA.EXE has been the subject of the following behavior:
Created as a process on disk
Executed from Temporary Folders
Has code inserted into its Virtual Memory space by other programs
Added as a Registry auto start to load Program on Boot up
Deleted as a process from disk
Terminated as a Process
Executed as a Process
Copied to multiple locations on the system