Malware uses new method to activate on next reboot in Windows XP

Discussion in 'malware problems & news' started by egomoo, Jan 9, 2011.

Thread Status:
Not open for further replies.
  1. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    While doing removal with "antivirus 2010", I have found a new method to activate malware on Windows startup.

    C:\WINDOWS\winSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

    NOD32 detects it as Win32/Sirefef.CB

    http://www.threatexpert.com/report.aspx?md5=53243938af9118b8d674a5f82ea43d19

    We all know malware must be active on the next boot, and we know lots of Registry startup items which AutoRun scans.

    The file shsvcs.dll will run on Windows start and create vbma*.sys.

    So TDSSKiller could not delete the vbma*.sys file after reboot.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    It looks like on a clean machine this dll should only be in system32, and SysWOW64 if you have a 64-bit machine. I'm not finding much other info on it. It looks like you could block it with SRP by only allowing it to run from the locations I specified and nowhere else, if I am correct in assuming it shouldn't exist anywhere else.
     
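One way to check a machine for the situation described in this thread, as an added example that is not code from the thread: a PowerShell script that lists every shsvcs.dll under %SystemRoot% (including WinSxS subdirectories), flags copies outside system32 and SysWOW64 (the only locations the previous post would allow), and looks in the drivers directory for vbma*.sys. It assumes an elevated PowerShell prompt and uses only the built-in Get-ChildItem and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the thread): audit where shsvcs.dll lives and
# look for the vbma*.sys driver the first post describes.
# Run from an elevated PowerShell prompt; works on PowerShell 2.0 and later.

# Directories where a clean machine keeps shsvcs.dll (per the post above).
$allowedDirs = @(
    (Join-Path $env:SystemRoot 'system32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Every file named shsvcs.dll below %SystemRoot%, WinSxS included.
$copies = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'shsvcs.dll' `
              -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }

foreach ($dll in $copies) {
    # Location is the primary signal: a copy outside the allowed directories
    # matches the WinSxS placement reported in the thread.
    $inAllowedDir = $false
    foreach ($dir in $allowedDirs) {
        if ($dll.DirectoryName -ieq $dir) { $inAllowedDir = $true }
    }
    $status = if ($inAllowedDir) { 'expected location' } else { 'UNEXPECTED location' }

    # Signature is a secondary signal only: some genuine system files are
    # signed via catalog files and may report NotSigned here.
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    '{0} [{1}] size={2} written={3} signature={4} signer={5}' -f `
        $dll.FullName, $status, $dll.Length, $dll.LastWriteTime, $sig.Status, $signer
}

# The dropped driver: any vbma*.sys in the drivers directory is worth a look.
$driverDir = Join-Path $env:SystemRoot 'system32\drivers'
Get-ChildItem -Path $driverDir -Filter 'vbma*.sys' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        'Suspicious driver: {0} size={1} written={2}' -f $_.FullName, $_.Length, $_.LastWriteTime
    }
```

Lines marked UNEXPECTED location are the ones an SRP path rule restricted to system32 and SysWOW64 would have blocked; the output is a starting point for investigation, not a verdict.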