Generic Dropper!1FE3FA763FAB Trojan and how to clean

Vendor                  Detection name
                        Dropper/Malware.743370
AVG (GriSoft)           Generic10.AQTP (Trojan horse)
Avira                   TR/Dropper.Gen2
Kaspersky               Trojan-Dropper.Win32.Flystud.aaw
BitDefender             Gen:Variant.EvilEPL.5
ClamAV                  Trojan.Agent-148768
Dr.Web                  Trojan.Siggen2.1469
eSafe (Aladdin)         Suspicious file
F-Prot                  W32/Trojan2.NJZO
FortiNet                W32/Autorun!worm
Microsoft               Backdoor:Win32/FlyAgent.E
Eset                    Win32/FlyStudio.OHD trojan (variant)
Norman                  W32/Hupigon.DIEY
Rising                  Backdoor.Win32.ECode.se
Sophos                  Troj/PWS-BRB
Trend Micro             TROJ_UNDEF.EQ
VBA32                   Trojan.Win32.Pasta.ipb
V-Buster                Trojan.Shutdowner!UaIp5WA/Iv0 (trojan)

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

21f45caf86b3fef0da76ebc889c56144616b79bd

The following files have been added to the system:
  • %TEMP%\BClib\krnln.fne
  • %PROGRAMFILES%\Ycesezors\srvany.exe
  • %TEMP%\BClib\Exmlrpc.fne
  • C:\???????2.0????.rar
  • %TEMP%\E_4\Exmlrpc.fne
  • %TEMP%\BClib\dp1.fne
  • %TEMP%\BClib\krnln.fnr
  • %TEMP%\_eviip.tmp
  • %WINDIR%\SYSTEM32\Pzriccnss.exe
  • %TEMP%\E_4\krnln.fnr
  • %WINDIR%\SYSTEM32\Pzriccnss.dll
  • %TEMP%\E_4\dp1.fne
  • %WINDIR%\Fonts\7c1d5cd6872f50006a77be9d6d56769f.dat
The following files were temporarily written to disk then later removed:
  • C:\BRC_Setup.exe
  • %TEMP%\nsf1.tmp
  • C:\BRC_Setup.exe_And DeleteMe.bat
The following registry elements have been created:
  • HKEY_CURRENT_USER\SOFTWARE\FLYSKY\
  • HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\
  • HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\INSTALL\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\
  • HKEY_LOCAL_MACHINE\SOFTWARE\RISING\
  • HKEY_LOCAL_MACHINE\SOFTWARE\RISING\KAKA\
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\YCESEZORS\PARAMETERS\
The following registry elements have been changed:
  • HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\INSTALL\PATH = %TEMP%\BClib\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CHECK_ASSOCIATIONS = NO
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\AUTORECOVER = 2
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\0 = [binary data]
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\1 = C:\Raiden\Goat_1.5.235.1931.zip
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\2 = C:\sample\Sample.zip
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\3 = C:\sample\bc_amp.zip
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\MTIME = 100
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\NAME = 120
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\SIZE = 80
  • HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\TYPE = 120
  • HKEY_LOCAL_MACHINE\SOFTWARE\RISING\KAKA\PROCRUN = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\YCESEZORS\PARAMETERS\APPLICATION = %WINDIR%\SYSTEM32\Pzriccnss.exe -s

To remove this infection:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

You should be good to go.