This is new variant of those d**n Chinese virus maker, It’s working same like older technique in old ARP Spoofing part II, If you see file name they using this team looks like gamers team in china. What they looking for? Spoofing your log! get your financial information, get your sensitive information, etc.

Know your enemy!

How actually this virus working? It’s actually attacking your network, no matter what operating system you’re using, what browser you’re using, this virus can reach  windows, linux and mac. Actually this virus active on windows platform but in linux  or mac with wine application installed on it this virus can active! Browser? Any browser can hijacked! said internet explorer, mozilla firefox, opera, even new google browser chrome! in short words “anyone, anything, can be infected by this virus“.

To know this virus active in your computer, the easiest way is looking from yahoo messenger error script the code for this virus is “]

yahoo.jpg

Same like older version it will hijack source of any website you access with modification code through fake gateway which infected for virus spreading, You have to stop access internet if you already know you’re infected.

hijack.jpg

Once active this virus will downloading 2 master files: gameeeeeee.vbs and gameeeeeee.pif. File gameeeeeee.vbs will executed gameeeeeee.pif

gameeeeeee.jpg

After gameeeeeee.pif executed virus will automatically deleted himself and created file ThunderAdvise.dll on %systemroot%\WINDOWS\Downloaded Program Files and file Update.dll on %systemroot%\WINDOWS\

Once your internet connectivity active, ThunderAdvise.dll will downloaded many many of virus resource, here is the list:

%systemroot%\Documents and Settings\%user%\Local Settings\temp
liv1.tmp, liv2.tmp, liv3.tmp, liv4.tmp, liv5.tmp, 6.tmp, 7.tmp, 8.tmp, makecab.exe, winipsec.dll, 001.cab, 002.cab, 003.cab, 004.cab, etc….

%systemroot%\Documents and Settings\%user%\Local Settings\Temporary Internet Files
Office[1].htm, Sina[1].htm, 001[1].cab, 002[1].cab, 003[1].cab, 004[1].cab, etc….

%systemroot%\WINDOWS\AppPatch
AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll

%systemroot%\WINDOWS\system32
system.exe, HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll, E0D39066.dll (random), 9fd8db.sys (random), etc….

%systemroot%\WINDOWS\system32\drivers
HBKernel32.sys, eth8023.sys

Network Attack:

After virus build completed, it will started to attack your network using winipsec.dll Virus will broadcast to every computer in your network, once he found router/gateway virus will try to change infected computer IP mac address same with router/gateway mac address.

mac.jpg

Once this happen (I hope not happen to you) virus will declare himself as router/gateway in your network and can easily infected all computers in your network. This is the new part of this ARP spoofing, Virus will try using default share windows, he will try to send files AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll to %systemroot%\WINDOWS\AppPatch If this happen, your computer will halt/frozzen!

Same like older version virus will modified your “hosts” files. In short words hosts files working almost same like DNS so it’s can redirected you to any website they  want, it DANGEROUS for newbie out there, this trick can manipulate you, example: you think you access on your online banking, you don’t even know Virus log your login and password.. BAD BAD GUYS :D

hosts.jpg

SOLUTION

Using norman network protection can help you eliminate this virus. This tool can help you looking on which computers have been broadcasting to download and spreading virus. In case many people false to eliminate this virus because it back again and again once internet active.

nnp.jpg

===============================
REMOVE THIS D**N THING NOW!
===============================

1. Disconnected any computers from the network.

2. Kill virus process which active by injected system process using this tool

unlocker.jpg

First install unlocker then delete and unlock all virus files one by one following this step:

-system.exe
-HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
-AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
-HBKernel32.sys, eth8023.sys

3. Deleted and clean your system using norman mallware cleaner.

 norman.jpg

4. Repair your registry change by virus using this code, save as repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “”%1″”"
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObject
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 3PMmUpdate
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HBService32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectsDelayLoad, ThunderAdvise

In case if this code converted wrong download the original source in HERE

5. Fix your hosts file using hijackthis.

 hijackthis.jpg

Run  hijackthis choose misc tools section, on system tools choose open hosts file manager, delete all after line 127.0.0.1 localhost

6. Delete all temporary and temporary internet files using ATF Cleaner.

7. For best protection, I recommended you to scan your computer once each 3 days using your best antivirus programs with new updated.

Good luck :)

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

SIMILAR POST :

Incoming search terms:

  • windows arp spoofer has stopped working
  • arpspoof: unknown physical layer type 0x323
  • norman network protection
  • glendale web design
  • arpspoof: unknown physical layer type
  • rootkit remover arp poisoning
  • Sıkıs vıdeoları
  • unknown physical layer type 0x323
  • vbs get arp
  • arp rootkit
  • win arp spoofer has stopped working
  • winarpspoof for dnsspoof
  • windows arp spoofer has stopped working error
  • windows arp spoofer stop working
  • windows arp spoofer stop working when i spoof
  • regedit arp
  • PIF ou VBS
  • arp spoofer has stopped working
  • arp spoofing
  • arp table in lan using vb net open source
  • arp virus resident
  • arp virus rootkit
  • arp+rootkit
  • CAB-002/CAB-003
  • gameeeeeee vbs
  • itsikişi
  • pif file windows xp
  • windows arp spoofing has stop working

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!


This entry was posted on Sunday, November 16th, 2008 at 9:53 PM and is filed under Computer And Internet, Miscellaneous, Personal, Tips & Trick. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.