This is new variant of those d**n Chinese virus maker, It’s working sameテあlike older technique in oldテあARP Spoofingテあpart II, If you see file name they using this team looks like gamers team in china. What they looking for? Spoofing your log! get your financial information, get yourテあsensitive information, etc.

Know your enemy!

How actually this virus working? It’s actually attacking your network, no matter what operating system you’re using, what browser you’re using, this virus can reachテあ windows, linux and mac. Actually this virus active on windows platform but in linuxテあ or mac with wine application installed on it this virus can active! Browser? Any browser can hijacked! said internet explorer, mozilla firefox, opera, even new google browser chrome! in short words “anyone, anything, can be infected by this virus“.

To know this virus active in your computer, the easiest way is lookingテあfrom yahoo messenger error script the code for this virus is “]

yahoo.jpg

Same like older version it will hijack source of any website you access with modification code through fake gateway which infected for virus spreading,テあYou have toテあstop access internet if you alreadyテあknow you’re infected.

hijack.jpg

Once active this virus will downloading 2 master files: gameeeeeee.vbs and gameeeeeee.pif. File gameeeeeee.vbs will executed gameeeeeee.pif

gameeeeeee.jpg

After gameeeeeee.pif executed virus will automatically deleted himself and created file ThunderAdvise.dll on %systemroot%\WINDOWS\Downloaded Program Files and file Update.dll on %systemroot%\WINDOWS\

Once your internet connectivity active, ThunderAdvise.dll will downloaded many many of virus resource, here is the list:

%systemroot%\Documents and Settings\%user%\Local Settings\temp
liv1.tmp, liv2.tmp, liv3.tmp, liv4.tmp, liv5.tmp, 6.tmp, 7.tmp, 8.tmp, makecab.exe, winipsec.dll, 001.cab, 002.cab, 003.cab, 004.cab, etc….

%systemroot%\Documents and Settings\%user%\Local Settings\Temporary Internet Files
Office[1].htm, Sina[1].htm, 001[1].cab, 002[1].cab, 003[1].cab, 004[1].cab, etc….

%systemroot%\WINDOWS\AppPatch
AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll

%systemroot%\WINDOWS\system32
system.exe, HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll, E0D39066.dll (random), 9fd8db.sys (random), etc….

%systemroot%\WINDOWS\system32\drivers
HBKernel32.sys, eth8023.sys

Network Attack:

After virus build completed, it will started to attack your network using winipsec.dll Virus will broadcast to every computer in your network, once he found router/gateway virus will try to change infected computer IP mac address same with router/gateway mac address.

mac.jpg

Once this happen (I hope not happen to you) virus will declare himself as router/gateway in your network and can easily infected all computers in your network. This is the new part of this ARP spoofing, Virus will try using default share windows, he will try to send files AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll to %systemroot%\WINDOWS\AppPatch If this happen, your computer will halt/frozzen!

Same like older version virus will modified your “hosts” files. In short words hosts files working almost same like DNS so it’s can redirected you to any website theyテあ want, it DANGEROUS for newbie out there, this trick can manipulate you, example: you think you access on your online banking, you don’t even know Virus log your login and password.. BAD BAD GUYS :D

hosts.jpg

SOLUTION

Using norman network protection can help you eliminate this virus. This tool can help you looking on which computers have been broadcasting to download and spreading virus. In case many people false to eliminate this virus because it back again and again once internet active.

nnp.jpg

===============================
REMOVE THIS D**N THING NOW!
===============================

1. Disconnected any computers from the network.

2. Kill virus process which active by injected system process using this tool

unlocker.jpg

First install unlocker then delete and unlock all virus files one by one following this step:

-system.exe
-HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
-AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
-HBKernel32.sys, eth8023.sys

3. Deleted and clean your system using norman mallware cleaner.

テあnorman.jpg

4. Repair your registry change by virus using this code, save as repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “”%1″””
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObject
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 3PMmUpdate
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HBService32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectsDelayLoad, ThunderAdvise

In case if this code converted wrong download the original source in HERE

5. Fix your hosts file using hijackthis.

テあhijackthis.jpg

Runテあ hijackthis choose misc tools section, on system tools choose open hosts file manager, delete all after line 127.0.0.1 localhost

6. Delete all temporary and temporary internet files using ATF Cleaner.

7. For best protection, I recommended you to scan your computer once each 3 days using your best antivirus programs with new updated.

Good luck :)

Similar Posts:

Related Search Terms:

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!