This is new variant of those d**n Chinese virus maker, It’s working same like older technique in old ARP Spoofing part II, If you see file name they using this team looks like gamers team in china. What they looking for? Spoofing your log! get your financial information, get your sensitive information, etc.

Know your enemy!

How actually this virus working? It’s actually attacking your network, no matter what operating system you’re using, what browser you’re using, this virus can reach  windows, linux and mac. Actually this virus active on windows platform but in linux  or mac with wine application installed on it this virus can active! Browser? Any browser can hijacked! said internet explorer, mozilla firefox, opera, even new google browser chrome! in short words “anyone, anything, can be infected by this virus“.

To know this virus active in your computer, the easiest way is looking from yahoo messenger error script the code for this virus is “]

yahoo.jpg

Same like older version it will hijack source of any website you access with modification code through fake gateway which infected for virus spreading, You have to stop access internet if you already know you’re infected.

hijack.jpg

Once active this virus will downloading 2 master files: gameeeeeee.vbs and gameeeeeee.pif. File gameeeeeee.vbs will executed gameeeeeee.pif

gameeeeeee.jpg

After gameeeeeee.pif executed virus will automatically deleted himself and created file ThunderAdvise.dll on %systemroot%\WINDOWS\Downloaded Program Files and file Update.dll on %systemroot%\WINDOWS\

Once your internet connectivity active, ThunderAdvise.dll will downloaded many many of virus resource, here is the list:

%systemroot%\Documents and Settings\%user%\Local Settings\temp
liv1.tmp, liv2.tmp, liv3.tmp, liv4.tmp, liv5.tmp, 6.tmp, 7.tmp, 8.tmp, makecab.exe, winipsec.dll, 001.cab, 002.cab, 003.cab, 004.cab, etc….

%systemroot%\Documents and Settings\%user%\Local Settings\Temporary Internet Files
Office[1].htm, Sina[1].htm, 001[1].cab, 002[1].cab, 003[1].cab, 004[1].cab, etc….

%systemroot%\WINDOWS\AppPatch
AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll

%systemroot%\WINDOWS\system32
system.exe, HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll, E0D39066.dll (random), 9fd8db.sys (random), etc….

%systemroot%\WINDOWS\system32\drivers
HBKernel32.sys, eth8023.sys

Network Attack:

After virus build completed, it will started to attack your network using winipsec.dll Virus will broadcast to every computer in your network, once he found router/gateway virus will try to change infected computer IP mac address same with router/gateway mac address.

mac.jpg

Once this happen (I hope not happen to you) virus will declare himself as router/gateway in your network and can easily infected all computers in your network. This is the new part of this ARP spoofing, Virus will try using default share windows, he will try to send files AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll to %systemroot%\WINDOWS\AppPatch If this happen, your computer will halt/frozzen!

Same like older version virus will modified your “hosts” files. In short words hosts files working almost same like DNS so it’s can redirected you to any website they  want, it DANGEROUS for newbie out there, this trick can manipulate you, example: you think you access on your online banking, you don’t even know Virus log your login and password.. BAD BAD GUYS :D

hosts.jpg

SOLUTION

Using norman network protection can help you eliminate this virus. This tool can help you looking on which computers have been broadcasting to download and spreading virus. In case many people false to eliminate this virus because it back again and again once internet active.

nnp.jpg

===============================
REMOVE THIS D**N THING NOW!
===============================

1. Disconnected any computers from the network.

2. Kill virus process which active by injected system process using this tool

unlocker.jpg

First install unlocker then delete and unlock all virus files one by one following this step:

-system.exe
-HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
-AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
-HBKernel32.sys, eth8023.sys

3. Deleted and clean your system using norman mallware cleaner.

 norman.jpg

4. Repair your registry change by virus using this code, save as repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “”%1″”"
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObject
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 3PMmUpdate
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HBService32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectsDelayLoad, ThunderAdvise

In case if this code converted wrong download the original source in HERE

5. Fix your hosts file using hijackthis.

 hijackthis.jpg

Run  hijackthis choose misc tools section, on system tools choose open hosts file manager, delete all after line 127.0.0.1 localhost

6. Delete all temporary and temporary internet files using ATF Cleaner.

7. For best protection, I recommended you to scan your computer once each 3 days using your best antivirus programs with new updated.

Good luck :)

Share |

Speed Reading Software

SEARCH ENGINE KEYWORD RESULTS :
  • arp spoofing infect exe
  • www hbbo net
  • howto rootkit vbs source
  • infected computer changes the gateway mac address
  • qwertyy cn
  • arp virus source code
  • help laptop kena virus rootkit
  • router host files changed by rootkits
  • GameeeEeee pif
  • browser hijacker arp spoofing
  • arp virüsü
  • create pif file with vbs
  • arp broadcast virus removal
  • mac address spoofing virus
  • how to remove browsing arp
  • arp broadcast virus
  • how do you know if you are infected with ARP virus
  • scr arp broadcast
  • arp spoofing open source code in java
  • hijack gameeeeeee pif
  • arp broadcast virus windows
  • Virus Remove Mac-address of Gateway from System
  • system exe update dll deep freeze
  • hijack www404
  • arp virus removal
  • eth8023 sys AcSpecf dll
  • Code ARP Spoofing coding java
  • Gameeeeeee pif
  • bad Gameeeeeee pif
  • mac spoof rootkit
  • how to remove arp virus
  • arp rootkit
  • cara mencek terkena virus confickers
  • virus macintosh rootkit
  • virus spoof gateway mac
  • virus too many arp responses
  • virus source code vbs
  • vbs arp
  • arp spoofing virus
  • cara setting registry biar tidak terkena virus
  • How about PIF SRC or VBS files?
  • How to arp spoofing worm tutorial
  • arp spoofing source
  • windows which process using arp
  • virus broadcasting in network tools
  • how do i stop arp broadcasting
  • arp spoofing video
  • arp poisoning source code
  • acspecf dll
  • arp spoofing source code
  • software protection from arp spoofing
  • vbs sikiş
  • cara menggunakan rootkit
  • arp broadcasting
  • kill ARP virus
  • can I do to stop the MAC Spoofing
  • formula for virus spreading
  • virus arp may 2009
  • mac spoofing virus
  • Windows ARP Spoofer sourcecode
  • cara bersihin rootkit
  • reg setting arp -s
  • tutorial ARP FReeze
  • registry 003 rootkit
  • stop arp spoofing on router
  • rootkit eth8023
  • gameeeeeee 5
  • 9fd8db sys
  • arp spoofing sourcecode c
  • source code arp spoofing
  • arp spoofing java
  • infected arp net
  • Gameeeeeee vbs
  • windows arp tools
  • gameeeeeee
  • gameeeeeee pif
  • source code ARP
  • ARP virus remover
  • broadcast virus
  • Cara menggunakan ARP
  • cara menggunakan ARP Poisoning
  • unlock STG video protection
  • windows arp spoofer has stopped working
  • java arp spoofer
  • dll spoofing tutorial
  • arp spoofer java code
  • spoof source code java
  • arp spoofer virus cleaner
  • delete the Root kit from the gateway ?
  • ARP spoofing code implementation
  • vbs script root kit
  • w32 rootkit
  • ARP poisoning with java
  • arp exe banyak sekali
  • arp spoofing java code
  • virus tembus deepfreeze
  • ARP Freeze
  • linux arp spoofing protection

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!


This entry was posted on Sunday, November 16th, 2008 at 9:53 PM and is filed under Computer And Internet, Miscellaneous, Personal, Tips & Trick. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.