Hidrag virus

Discussion in 'NOD32 version 2 Forum' started by soul_trinity, Sep 12, 2003.

Thread Status:
Not open for further replies.
  1. soul_trinity

    soul_trinity Registered Member

    Joined:
    Sep 12, 2003
    Posts:
    2
    I've only just installed Nod32 and after running it for the first time found the Hidrag.A virus on my computer. It has infected pretty much all of my .exe files.

    Nod32 can't clean the files, and deleting the exe files means my programs won't run anymore. Is there any way to get rid of this virus without having to delete the infected exe files? I've done a search of the internet but can't find any info about getting rid of this virus!

    I've read that this virus is harmless - so if it can't be gotten rid of without resorting to deleting the files, should I just leave it on my computer? I'd really prefer not to have to install all my programs again!

    Thanks for any advice you can give me.
     
  2. radicalb21

    radicalb21 Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    164
    Location:
    USA
    Here is the information I found on your Win32.Hidrag virus:

    Win32.Hidrag

    Hidrag is a non-dangerous memory resident parasitic Win32 virus. The virus infects Win32 PE EXE files. While infecting, the virus encrypts a block of the victim files.

    When the Hidrag virus runs it creates a copy of itself that is about 36K in size and places it in the Windows directory using the name svchost.exe. Next Hidrag registers this file in the system registry auto-run key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    PowerManager = %WindowsDir%\SVCHOST.EXE

    Hidrag then stays in Windows memory as an active process, searches for EXE files on all drives - starting with the C: drive - and infects them.

    The virus does not manifest itself in any way.

    The virus contains the following encrypted text strings:

    Hidden Dragon virus. Born in a tropical swamp.
    PowerManagerMutant

    Was there anything else after the name of the virus, like an .A or a number? If it was Win32.Hidrag.A that you were referring to, you are already protected as of the 1.427 virus signatures. But to be sure this isn't a new variant, I would suggest quarantining the file and sending it to ESET to be analyzed. If I find out more info I will post it here. Could you also post a screenshot of your system information? This would be helpful.
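    The two persistence artefacts described in the post above (the RunServices value and the svchost.exe copy dropped in the Windows directory, as opposed to the legitimate one in System32) can be checked from a defender's side with a read-only script. This is an added example written for this thread, not code from ESET or from the original posters; the function names and the output layout are this example's own, and the registry path and value name are taken from the description quoted above.

```powershell
# Added example (not from the thread or from ESET): read-only check for the
# Hidrag persistence indicators described in the post above.
#   HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
#   PowerManager = %WindowsDir%\SVCHOST.EXE
# Function names and output shape are assumptions of this example.

function Test-HidragAutorun {
    # Look for the PowerManager value under the RunServices auto-run key.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PowerManager) {
        return [pscustomobject]@{ Check = 'RunServices\PowerManager'; Found = $false; Detail = $null }
    }
    return [pscustomobject]@{ Check = 'RunServices\PowerManager'; Found = $true; Detail = $props.PowerManager }
}

function Test-HidragDropper {
    # The legitimate svchost.exe lives in System32; the copy described in the
    # thread is written directly into the Windows directory (about 36K).
    $path = Join-Path $env:windir 'svchost.exe'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Check = 'Windows\svchost.exe'; Found = $false; Detail = $path }
    }
    $sizeKB = [math]::Round((Get-Item -LiteralPath $path).Length / 1KB, 1)
    return [pscustomobject]@{ Check = 'Windows\svchost.exe'; Found = $true; Detail = "$path ($sizeKB KB)" }
}

# Run both checks and report; nothing is deleted or modified here.
$results = @((Test-HidragAutorun), (Test-HidragDropper))
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Found }) {
    Write-Warning 'Hidrag indicator(s) present: quarantine the file and submit it to your AV vendor for analysis.'
}
```

    The script only reads the registry and the file system, so it is safe to run on a suspect machine before deciding how to clean it; a hit on either check is the cue to quarantine the file and submit it for analysis, as the reply above recommends.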
     
  3. radicalb21

    radicalb21 Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    164
    Location:
    USA
    Send a copy of the virus as an email attachment to samples@nod32.com. You should also do a scan of your system with an online scanner; I would recommend using the Trend Micro online scanner and the Panda Antivirus online scanner.
     
  4. soul_trinity

    soul_trinity Registered Member

    Joined:
    Sep 12, 2003
    Posts:
    2
    Thanks radicalb21

    Yes, the virus is Win32.Hidrag.A. The info you posted was pretty much what I found too - just no info on getting rid of it!

    Wasn't sure what you meant when you said to post a screenshot of my system info, but I'm running on Windows XP Pro (with SP 1), Pentium 4 2.60 GHz.

    When you say to email the virus, do you mean the SVCHOST.EXE file?

    Will try the online scanners. Thanks.
     