ARP Spoofing:PART III, W32/RootKit.STG, Gameeeeeee.vbs, Gameeeeeee.pif

This is a new variant from the same Chinese malware authors. It works the same way as the older technique described in ARP Spoofing Part II. Judging by the file names they use, the team behind it looks like a gaming crew in China. What are they after? Sniffing your logins: your financial information, your other sensitive information, and so on.

Know your enemy!

How does this virus actually work? It attacks your network rather than just one machine, so it does not matter which operating system or browser you use: it reaches Windows, Linux and Mac. The virus itself only runs on Windows, but on Linux or Mac with Wine installed it can run there too; and because the injection happens in transit, any browser can be hijacked, whether Internet Explorer, Mozilla Firefox, Opera or even the new Google Chrome. In short: “anyone, anything, can be infected by this virus”.

The easiest way to know whether this virus is active on your computer is to look at the script error Yahoo Messenger shows; the code for this virus is “]

yahoo.jpg

As with the older version, it hijacks the source of every website you access, injecting its modified code through a fake gateway (an infected machine posing as the gateway in order to spread the virus). Stop using the internet as soon as you know you are infected.

hijack.jpg

Once active, the virus downloads two master files: gameeeeeee.vbs and gameeeeeee.pif. gameeeeeee.vbs executes gameeeeeee.pif.

gameeeeeee.jpg

After gameeeeeee.pif has run, the virus deletes itself and creates the file ThunderAdvise.dll in %systemroot%\WINDOWS\Downloaded Program Files and the file Update.dll in %systemroot%\WINDOWS\.

As soon as your internet connection is up, ThunderAdvise.dll downloads many more virus components. Here is the list:

%systemroot%\Documents and Settings\%user%\Local Settings\temp
liv1.tmp, liv2.tmp, liv3.tmp, liv4.tmp, liv5.tmp, 6.tmp, 7.tmp, 8.tmp, makecab.exe, winipsec.dll, 001.cab, 002.cab, 003.cab, 004.cab, etc….

%systemroot%\Documents and Settings\%user%\Local Settings\Temporary Internet Files
Office[1].htm, Sina[1].htm, 001[1].cab, 002[1].cab, 003[1].cab, 004[1].cab, etc….

%systemroot%\WINDOWS\AppPatch
AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll

%systemroot%\WINDOWS\system32
system.exe, HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll, E0D39066.dll (random), 9fd8db.sys (random), etc….

%systemroot%\WINDOWS\system32\drivers
HBKernel32.sys, eth8023.sys

Network Attack:

After the virus build is complete, it starts attacking your network using winipsec.dll. The virus broadcasts to every computer on your network; once it finds the router/gateway, it sets the infected computer's MAC address to the same MAC address as the router/gateway (in arp -a this shows up as a second IP address carrying the gateway's MAC).

mac.jpg

Once this happens (I hope it does not happen to you), the virus declares itself the router/gateway of your network and can easily infect all the computers on it. The new part of this ARP spoofing variant is that it also uses default Windows shares: it tries to copy AcSpecf.sdb, AcXtrnel.sdb and AcSpecf.dll into %systemroot%\WINDOWS\AppPatch on the other machines. If that succeeds, your computer will hang/freeze!
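Two checks for the gateway takeover described above, written as an added example for this post (it is not code from the original article or from the malware itself): one parses `arp -a` output the way comment 8 below suggests and lists every IP that shares the gateway's MAC, the other parses raw Ethernet/ARP frames and flags a sender binding that conflicts with the trusted gateway binding, covering both the MAC clone of this variant and the classic Part II style spoof where a foreign MAC claims the gateway IP. The IPs, MACs and the `arp -a` listing are constructed sample data, not captured from an infection; the frames are built by the block itself using the standard 28-byte ARP layout.

```python
"""Spot the gateway-MAC cloning described above, both in a host's ARP table
(the `arp -a` check from comment 8) and in raw ARP frames on the wire."""
import re
import struct

ETHERTYPE_ARP = 0x0806

# Constructed sample of Windows `arp -a` output, not captured from a real infection.
# 192.168.1.1 is the gateway; 192.168.1.23 is the infected host that has taken
# over the gateway's MAC address.
SAMPLE_ARP_A = """
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.23          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.77          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:1a:2b:3c:4d:5e"  # assumed trusted binding

ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+\w+", re.I)


def parse_arp_table(text):
    """Map ip -> mac (lower-case, colon separated) from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def find_mac_clones(table, gateway_ip):
    """IPs other than the gateway whose MAC equals the gateway's MAC (comment 8's check)."""
    gw_mac = table[gateway_ip]
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, reply=True):
    """Ethernet header + ARP packet (42 bytes) announcing sender_ip at sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2 if reply else 1)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return the sender binding (mac, ip) of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip


def check_arp_frames(frames, gateway_ip, gateway_mac):
    """Flag every ARP frame whose sender binding conflicts with the trusted gateway binding.
    Requests and replies both carry a sender binding, and both are used for poisoning."""
    alerts = []
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if ip == gateway_ip and mac != gateway_mac:
            alerts.append(("gateway IP claimed by foreign MAC", mac, ip))  # classic spoof (Part II)
        elif mac == gateway_mac and ip != gateway_ip:
            alerts.append(("gateway MAC cloned by another IP", mac, ip))  # this variant
    return alerts


# Constructed frames: a legitimate gateway reply, the MAC clone from 192.168.1.23,
# and a classic spoof from a third host claiming the gateway's IP.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:55", "192.168.1.50"
SAMPLE_FRAMES = [
    build_arp_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_frame(GATEWAY_MAC, "192.168.1.23", VICTIM_MAC, VICTIM_IP),
    build_arp_frame("00:0c:29:aa:bb:cc", GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    print("arp -a clones of the gateway MAC:", find_mac_clones(parse_arp_table(SAMPLE_ARP_A), GATEWAY_IP))
    for alert in check_arp_frames(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC):
        print("ALERT:", *alert)
```

To use it on a live machine, paste the output of `arp -a` into `parse_arp_table` and feed `check_arp_frames` the raw frames from a packet capture; the trusted gateway MAC must come from somewhere other than the possibly poisoned ARP cache, for example the router's label or a clean host.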

As with the older version, the virus modifies your hosts file. In short, the hosts file works almost like DNS, so they can redirect you to any website they want. This is DANGEROUS for the newbies out there, because the trick can fool you completely: you think you are on your online banking site, and you do not even know the virus is logging your login and password. BAD BAD GUYS.

hosts.jpg
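A hosts-file audit that does what step 5 of the clean-up below does by hand (delete everything after 127.0.0.1 localhost), written as an added example that is not part of the original post or its tools. It keeps comments and the loopback localhost entries, reports every other mapping with its line number, and returns a cleaned copy. The sample hosts file and the hostnames www.mybank.example and login.example-mail.test in it are constructed for the example; the default path is the standard Windows location.

```python
"""Audit a Windows hosts file for the redirection described above (step 5 of the
clean-up). Anything beyond the localhost entries is reported and removed."""
import ipaddress
import sys

# Constructed sample hosts file, not one taken from an infected machine.
# The last two lines send a bank and a webmail site to the infected host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
192.168.1.23    www.mybank.example          # injected by the virus
192.168.1.23    login.example-mail.test mail.example-mail.test
"""

# Names that may legitimately point at a loopback address.
ALLOWED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for every mapping line; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        yield lineno, parts[0], parts[1:]


def audit_hosts(text):
    """Return every mapping that is not a loopback -> localhost binding.

    A real site pointed at a LAN or internet address is the hijack from the post; a
    non-localhost name pointed at 127.0.0.1 is also reported (it blocks that site)."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # not even a valid address: definitely report it
        for name in names:
            if loopback and name.lower() in ALLOWED_NAMES:
                continue
            findings.append({"line": lineno, "ip": ip, "name": name})
    return findings


def clean_hosts(text):
    """Return the file with every flagged mapping line removed; comments and localhost lines stay."""
    bad_lines = {f["line"] for f in audit_hosts(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]; falls back to the constructed sample if unreadable.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}")
```

Write the result of `clean_hosts` back only after the machine is off the network and the virus processes are dead, otherwise the file is simply rewritten again.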

SOLUTION

Norman Network Protection can help you eliminate this virus. The tool shows which computers have been broadcasting, downloading and spreading the virus. Many people fail to eliminate it because it comes back again and again as soon as the internet connection is active.

nnp.jpg

===============================
REMOVE THIS D**N THING NOW!
===============================

1. Disconnect all computers from the network.

2. Kill the virus processes, which run injected into system processes, using this tool:

unlocker.jpg

First install Unlocker, then unlock and delete all the virus files one by one, in this order:

-system.exe
-HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
-AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
-HBKernel32.sys, eth8023.sys

3. Delete and clean your system using Norman Malware Cleaner.

norman.jpg

4. Repair the registry changes made by the virus with the code below, saved as repair.inf (right-click the file and choose Install):

; repair.inf: restores the "open" commands for executable file types and removes
; the autostart entries this variant adds. Right-click the file and choose Install.
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Default open command for each type is "%1" %* (regedit.exe "%1" for .reg files)
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObject
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
; Empty AppInit_DLLs so no virus DLL is loaded into every process
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0

[del]
; Autostart values created by the virus
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 3PMmUpdate
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HBService32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, ThunderAdvise

In case the code above got mangled when it was pasted, download the original source HERE.

5. Fix your hosts file using HijackThis.

hijackthis.jpg

Run HijackThis, go to the Misc Tools section, under System Tools choose “Open hosts file manager”, and delete every line after 127.0.0.1 localhost.

6. Delete all temporary files and temporary internet files using ATF Cleaner.

7. For the best protection, I recommend scanning your computer every 3 days with a good antivirus program with up-to-date signatures.
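An added example (not the author's tool and not one of the original clean-up steps) that turns the file list and the repair.inf entries above into a checker: it sweeps a drive root for the dropped files, uses the HB*.dll and liv*.tmp naming of this family for the randomly named ones, and on Windows reads the autostart values and file-association commands that repair.inf repairs. The sample tree planted by demo() is constructed; the drive root C:\ and the Administrator profile name are assumptions.

```python
"""Sweep a system drive for the files this variant drops (the lists above) and, on
Windows, for the autostart values and hijacked open commands that repair.inf fixes.
Paths are relative to a root so the same code can be pointed at an offline drive."""
import sys
import tempfile
from pathlib import Path

# Exact paths named in the article, relative to the system drive (%systemroot% in the text).
DROPPED_FILES = [
    "WINDOWS/Downloaded Program Files/ThunderAdvise.dll",
    "WINDOWS/Update.dll",
    "WINDOWS/AppPatch/AcSpecf.sdb",
    "WINDOWS/AppPatch/AcXtrnel.sdb",
    "WINDOWS/AppPatch/AcSpecf.dll",
    "WINDOWS/system32/system.exe",
    "WINDOWS/system32/drivers/HBKernel32.sys",
    "WINDOWS/system32/drivers/eth8023.sys",
]
# Globs for the randomly named parts: every named DLL of the family starts with HB, and the
# Temp folder holds the staging files (makecab.exe is legitimate in system32, not in Temp).
DROPPED_GLOBS = [
    "WINDOWS/system32/HB*.dll",
    "Documents and Settings/*/Local Settings/Temp/liv*.tmp",
    "Documents and Settings/*/Local Settings/Temp/winipsec.dll",
    "Documents and Settings/*/Local Settings/Temp/makecab.exe",
    "Documents and Settings/*/Local Settings/Temp/*.cab",
]
# Registry locations from repair.inf.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SSODL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
AUTOSTART_VALUES = [(RUN_KEY, "3PMmUpdate"), (RUN_KEY, "HBService32"), (SSODL_KEY, "ThunderAdvise")]
EXPECTED_OPEN_COMMAND = '"%1" %*'


def sweep_files(root):
    """Return the dropped files present under root as sorted, forward-slash relative paths."""
    root = Path(root)
    hits = {rel for rel in DROPPED_FILES if (root / rel).is_file()}
    for pattern in DROPPED_GLOBS:
        hits.update(p.relative_to(root).as_posix() for p in root.glob(pattern) if p.is_file())
    return sorted(hits)


def check_registry():
    """Findings for leftover autostart values and hijacked open commands; [] when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []
    for subkey, value in AUTOSTART_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _ = winreg.QueryValueEx(key, value)
            findings.append(f"autostart value still present: {subkey}\\{value} = {data}")
        except OSError:
            continue  # value absent, which is what we want
    for ext in ("batfile", "comfile", "exefile", "piffile", "scrfile"):
        subkey = "Software\\Classes\\" + ext + "\\shell\\open\\command"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _ = winreg.QueryValueEx(key, "")  # the key's default value
        except OSError:
            continue
        if data != EXPECTED_OPEN_COMMAND:
            findings.append(f"{ext} open command hijacked: {data}")
    return findings


# Constructed sample tree: four artefacts from the lists above plus one benign file.
SAMPLE_TREE = [
    "WINDOWS/system32/system.exe",
    "WINDOWS/system32/HBQQSG.dll",
    "WINDOWS/system32/drivers/eth8023.sys",
    "Documents and Settings/Administrator/Local Settings/Temp/winipsec.dll",
    "WINDOWS/system32/kernel32.dll",
]


def demo():
    """Plant the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_TREE:
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")
        return sweep_files(tmp)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for hit in sweep_files(root):
        print("dropped file:", hit)
    for finding in check_registry():
        print("registry:", finding)
```

Run it after step 4 as a check that nothing was missed: any hit in `sweep_files` is a file Unlocker still has to remove, and any finding from `check_registry` means repair.inf did not apply (the open-command check also catches the file-association hijack that stops you launching the cleaners).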

Good luck


14 thoughts on “ARP Spoofing:PART III, W32/RootKit.STG, Gameeeeeee.vbs, Gameeeeeee.pif”

  1. The virus mutates again now...
    Recently I got a virus called do.qwertyy.cn.
    Istanto, have you detected it yet?
    There are crucial questions which I still doubt.
    1. Can Deep Freeze be bypassed by this virus?
    2. What makes it possible for the virus to stay resident on the client computer and then become active again on a certain date? During the resident time (before that date) this virus does not affect anything.
    Thanks for the previous tutorial...
    Hopefully you can keep on working.

  2. 1. Deep Freeze cannot be passed by the virus except through the user's own fault, unless there is a network change, although its effects are felt even with Deep Freeze.
    2. This virus is not active straight away; it slowly downloads some supporting files, and after it becomes active it takes approximately 1-2 hours to scan the network (depending also on the range of local IPs) before it starts to change the MAC address.

  3. I have been hit by the ARP attack on my network, how can I fix it? The network is the problem: I have both wireless and cable, as well as lots of clients (a faculty). Cleaning them one by one could take a lot of time. Please help, send it to my email. Thanks.

  4. Find the source of the virus among your computers! If you find it, destroy / reinstall it if you are not sure you can clean it. It is also a busy job, especially on a big network, where analysing which computer was broadcasting can take days; for prevention you can use static MAC addresses so it does not spread while you check which computer is the master. Good luck...

  5. Hi all, this virus has evolved and created a new variant using the names aig.vbs and aig.scr. Watch out when you see these files in your local user temp folder. Disable its spreading by renaming wscript.exe in your windows/system32 to any name without the .exe extension; this should stop the virus for a while, and I will write a new article on how to clean it.

  6. Damn, I got this fucking virus too... I'm so damn pissed off... can anybody tell me how I can stop it? I'm a new computer user, so I don't know how to clean it :(

  7. This virus is always being updated, so I think you have to learn from this article how it spreads; then you can stop it. Otherwise, get good antivirus protection such as Norman or Norton.

  8. Use the arp command in the command prompt: type “arp -a” and look for an entry whose MAC/Physical Address is exactly the same as your gateway's MAC/Physical Address (if you are in a big network with one gateway). If you find one, unplug that computer from the network and re-check again after about 1 hour (browse the net in the meantime to activate the virus); you will find another one if the virus has a backup in another computer.
