Last week an IRC bot virus got into my server. I don't know the virus's name, but I cleaned it manually. We're not going to talk about that IRC bot here, because it was really simple to clean by hand using the ANSAV UPX tools and Hidden Revealer; it took me about one minute.
In this article we will look at cleaning the YM and Skype bot worm, Worm:Coutsonif.A.
This virus spreads using social engineering and autorun.inf, and because it relies on social engineering it spreads easily. Have you ever received a message like this sample from a TRUSTED friend?
Listen to me: don't click links in e-mail or anywhere else so readily, even when they come from a trusted source. Social engineering can put you in a dangerous position; think what happens if the virus collects your financial information :p
When you download this virus it creates 2 random files in %systemroot%\Documents and Settings\%user%\Local Settings\Temp with the extensions .tmp and .exe, then creates vshost.exe (122 KB), which is placed in the root of every drive.
The virus also creates these files:
- %systemroot%\autorun.inf [all drive]
- %systemroot%\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
- %systemroot%\WINDOWS\system32\sysmgr.exe
- %systemroot%\WINDOWS\TEMP\5755.tmp
- %systemroot%\windows\system32\crypts.dll
- %systemroot%\windows\system32\msvcrt2.dll
It also changes your registry so that it starts automatically when the computer boots. Besides that, the old autorun.inf technique is also used to spread this virus:
The virus changes your registry to allow only 11 active applications at most, and it also limits your maximum port to port 8000.
Automatic update:
This virus tries to update itself automatically from this address list:
66.90.103.169:99/a.exe
66.90.103.169:6666/lsass .exe
66.90.103.169:443/crss .exe
TCP:72.249.94.146:7008 Port:27
TCP:127.0.0.1:1092 Port:30
TCP:66.90.103.169:99 Port:29
TCP:66.90.103.169:6666 Port:30
TCP:66.90.103.169:443 Port:30
Port 80 IP:83.133.127.5
Port 80 IP:68.180.151.74
Port 25 IP:127.0.0.1
Port 80 IP:65.55.21.250
TCP:83.133.127.5:443 Port:17
TCP:65.54.186.47:443 Port:17
Port 80 IP:87.248.208.54
TCP:89.149.254.14:443 Port:21
Port 80 IP:64.4.33.7
Port 80 IP:207.46.11.121
Port 80 IP:65.54.186.47
Port 80 IP:88.221.26.64
TCP:65.55.16.123:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:29
TCP:88.221.165.186:443 Port:29
TCP:83.133.127.5:443 Port:18
TCP:89.149.254.14:443 Port:2
TCP:65.55.16.123:443 Port:27
TCP:65.54.186.47:443 Port:27
TCP:92.122.112.124:443 Port:27
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:28
TCP:89.149.254.14:443 Port:21
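The address list above mixes three line shapes (a scheme-less download URL, "TCP:remote-ip:port Port:local-port", and "Port n IP:remote-ip"). As an added example that is not part of the original post, the script below parses a subset of that list into a set of remote endpoints, keeps the hosts the worm downloads its updates from as a separate high-confidence set, and runs both over a few constructed firewall log lines (loosely modelled on the Windows Firewall pfirewall.log layout; the log lines and the 192.168.x/192.0.2.x addresses are made up here). Only the download hosts are treated as high confidence: a connection capture from an infected machine also records ordinary port 80/443 traffic the host was making at the time.

```python
import re

# Network indicators copied verbatim from the post's update/connection list
# (a representative subset; paste the whole list in for real use). The three
# line shapes the post uses are:
#   66.90.103.169:99/a.exe           download URL without a scheme
#   TCP:66.90.103.169:99 Port:29     remote ip:port, then the local port
#   Port 80 IP:83.133.127.5          remote port, then remote ip
POST_INDICATORS = """
66.90.103.169:99/a.exe
66.90.103.169:6666/lsass .exe
66.90.103.169:443/crss .exe
TCP:72.249.94.146:7008 Port:27
TCP:127.0.0.1:1092 Port:30
TCP:66.90.103.169:99 Port:29
Port 80 IP:83.133.127.5
Port 25 IP:127.0.0.1
TCP:83.133.127.5:443 Port:17
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
URL_RE = re.compile(rf"^{IPV4}:(\d+)/(.+)$")
TCP_RE = re.compile(rf"^TCP:{IPV4}:(\d+)\s+Port:(\d+)$")
PORTIP_RE = re.compile(rf"^Port (\d+) IP:{IPV4}$")


def parse_indicators(text):
    """Parse the post's list into (endpoints, download_hosts).

    endpoints      set of (ip, port) remote sockets worth blocking/alerting on
    download_hosts set of ips the worm fetches its updates from; these are the
                   high-confidence indicators, the rest may include ordinary
                   services the infected host was talking to at capture time
    Loopback entries are dropped: they are local sockets, not remote C2.
    """
    endpoints, download_hosts = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := URL_RE.match(line):
            ip, port = m.group(1), int(m.group(2))
            if not ip.startswith("127."):
                download_hosts.add(ip)
        elif m := TCP_RE.match(line):
            ip, port = m.group(1), int(m.group(2))
        elif m := PORTIP_RE.match(line):
            port, ip = int(m.group(1)), m.group(2)
        else:
            raise ValueError(f"unrecognised indicator line: {line!r}")
        if ip.startswith("127."):
            continue
        endpoints.add((ip, port))
    return endpoints, download_hosts


# Constructed firewall log lines (not from the post), loosely modelled on the
# Windows Firewall pfirewall.log layout:
#   date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2010-01-20 10:01:02 ALLOW TCP 192.168.1.10 66.90.103.169 1092 99
2010-01-20 10:01:05 ALLOW TCP 192.168.1.10 192.0.2.10 1093 80
2010-01-20 10:02:11 ALLOW TCP 192.168.1.23 72.249.94.146 1101 7008
2010-01-20 10:03:40 ALLOW UDP 192.168.1.10 192.168.1.1 1102 53
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\w+) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")


def match_log(log_text, endpoints, download_hosts):
    """Return one hit per log line whose destination is a known endpoint.
    Each hit records the internal source so the infected host can be found,
    and whether the destination is one of the high-confidence update hosts."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        when, _action, proto, src, dst, _sport, dport = m.groups()
        if proto == "TCP" and (dst, int(dport)) in endpoints:
            hits.append({
                "time": when,
                "src": src,
                "dst": dst,
                "dport": int(dport),
                "high_confidence": dst in download_hosts,
            })
    return hits


if __name__ == "__main__":
    eps, hosts = parse_indicators(POST_INDICATORS)
    print(f"{len(eps)} remote endpoints, update hosts: {sorted(hosts)}")
    for hit in match_log(SAMPLE_LOG, eps, hosts):
        print(hit)
```

The loopback lines (127.0.0.1) are dropped on purpose: they describe sockets between the worm's own components on the infected machine and never appear as a destination in perimeter logs.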
Simple steps to clean Coutsonif.A:
1. Disable "System Restore" during the cleaning process.
2. Disable the autoplay/autorun function:
- Start -> Run -> type "gpedit.msc" -> Computer Configuration -> Administrative Templates -> System -> look for "Turn off Autoplay" -> Properties -> Setting tab -> Enabled
3. Kill the active virus processes running in the background. You can use any task manager tool such as Security Task Manager; just kill sysmgr.exe, vshost.exe, winservices.exe and *.tmp.
*The .tmp name is random.
4. Repair your registry using the code below, or download repair.inf:
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
; Restore the default "open" command for executable file types (the worm
; hooks these so that it is started whenever such a file is run).
; Inside an INF string a literal quote is written as two quotes.
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Put the standard shell back in Winlogon
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, SessionInformation, ProgramCount, 0x00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current,,,"C:\WINDOWS\media\Windows XP Pop-up Blocked.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,"C:\Windows\media\Windows XP Recycle.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,"C:\Windows\media\Windows XP Start.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.current,,,"C:\WINDOWS\media\Windows XP Information Bar.wav"
[del]
; Remove the worm's autostart entries and the port limit it sets
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, bMaxUserPortWindows Service help
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort
5. Delete the files in this list; when that is hard, you can use the FileASSASSIN tool:
- \vshost.exe [all drives]
- \autorun.inf [all drives]
- \RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
- \Documents and Settings\%user%\Local Settings\Temp\
  A415.tmp (random)
  034.exe (random)
  Lady_Eats_Her_Shit–www.youtube.com
- \WINDOWS\system32\sysmgr.exe
- \WINDOWS\TEMP\5755.tmp
- \windows\system32\crypts.dll
- \windows\system32\msvcrt2.dll
6. Re-check your system to make sure it is clean, using your preferred antivirus or Norman Malware Cleaner.
Done. Have a good day everyone!
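Steps 4 and 5 together are a checklist of registry values and dropped files, and the same checklist works as a triage script on other machines that talked to the infected one. The script below is an added example, not code from the original post: it encodes the clean values the repair.inf restores and the file paths from step 5, and evaluates them against a host snapshot. The snapshot format (a dict with the shell\open\command values, Run entries, Winlogon Shell, MaxUserPort and a file listing) is my own assumption; in practice you would fill it from reg query and dir output. The sample snapshot, including the hijacked exefile command, is constructed here; the post does not say what value the worm writes there.

```python
# Expected clean values for the keys the post's repair.inf restores
# (these are the Windows defaults).
EXPECTED_COMMANDS = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
    "scrfile": '"%1" %*',
}
# Run entries the repair.inf deletes (hive, value name)
MALICIOUS_RUN_ENTRIES = {
    ("HKLM", "Microsoft(R) System Manager"),
    ("HKCU", "bMaxUserPortWindows Service help"),
}
# Files from step 5, relative to a drive root, compared case-insensitively
DROPPED_FILES = [
    r"vshost.exe",
    r"autorun.inf",
    r"RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe",
    r"WINDOWS\system32\sysmgr.exe",
    r"WINDOWS\TEMP\5755.tmp",
    r"WINDOWS\system32\crypts.dll",
    r"WINDOWS\system32\msvcrt2.dll",
]


def _drive_relative(path):
    """'C:\\WINDOWS\\x.exe' -> 'windows\\x.exe' (lower-cased)."""
    if len(path) > 2 and path[1:3] == ":\\":
        return path[3:].lower()
    return path.lower()


def triage(snapshot):
    """Return a list of human-readable findings for one host snapshot.
    An empty list means none of the post's indicators were seen."""
    findings = []
    for ext, expected in EXPECTED_COMMANDS.items():
        actual = snapshot.get("shell_commands", {}).get(ext)
        if actual is not None and actual != expected:
            findings.append(f"{ext} shell\\open\\command hijacked: {actual!r}")
    for hive, name in MALICIOUS_RUN_ENTRIES:
        value = snapshot.get("run", {}).get(hive, {}).get(name)
        if value is not None:
            findings.append(f"{hive} Run entry {name!r} -> {value}")
    shell = snapshot.get("winlogon_shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {shell!r}")
    if "max_user_port" in snapshot:
        # The repair.inf deletes this value; Windows has none by default.
        findings.append(f"Tcpip MaxUserPort set to {snapshot['max_user_port']}")
    wanted = {_drive_relative(p) for p in DROPPED_FILES}
    for path in snapshot.get("files", []):
        rel = _drive_relative(path)
        if rel in wanted:
            findings.append(f"dropped file present: {path}")
        elif "\\local settings\\temp\\" in rel and rel.endswith((".tmp", ".exe")):
            # Step 5's random-named droppers live here; names cannot be listed.
            findings.append(f"suspicious temp file: {path}")
    return findings


# Constructed snapshot of an infected host (not from the post).
SAMPLE_SNAPSHOT = {
    "shell_commands": {
        "exefile": 'C:\\WINDOWS\\system32\\sysmgr.exe "%1" %*',  # hypothetical hijack
        "batfile": '"%1" %*',
        "regfile": 'regedit.exe "%1"',
    },
    "run": {
        "HKLM": {"Microsoft(R) System Manager": "C:\\WINDOWS\\system32\\sysmgr.exe"},
        "HKCU": {},
    },
    "winlogon_shell": "Explorer.exe",
    "max_user_port": 8000,
    "files": [
        "C:\\vshost.exe",
        "D:\\autorun.inf",
        "C:\\WINDOWS\\system32\\sysmgr.exe",
        "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\A415.tmp",
        "C:\\Program Files\\Skype\\Phone\\Skype.exe",
    ],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

The exefile check is the one to read first: while shell\open\command for exefile points at the worm, every program the user starts, including the antivirus in step 6, is launched through it, which is why the post repairs the registry (step 4) before deleting files (step 5).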
January 27th, 2010 at 8:04 AM
Thank you very much!!! THANKS
June 21st, 2010 at 1:29 PM
Hi! Do you know where I can download the MythBusters theme song (mp3)? Thank you! Mike.