This category of virus has different variations, each of which shows one or more of the following characteristics. It is a threat that attempts to steal vital information from users involved in online gaming activity and is capable of connecting to a remote site to download updates of itself. It is a Trojan that starts itself automatically and steals online game passwords from the infected machine. It monitors the infected computer to steal passwords and other confidential information. It attempts to steal passwords, login details, and other user information.
As a keylogger program it can capture all user keystrokes (including confidential details such as usernames, passwords, credit card numbers, etc.). As a hacktool it could be used by attackers to break into a system. As a malicious Trojan horse or bot it may pose a security risk to the infected system and/or its network. I will list the details of the different variations of this virus below.

Manually editing the registry to remove the virus entries

You can edit the registry with the Windows built-in registry editor. Click Start > Run to open the Run command box in XP (in Vista the box is already open), type regedit and press Enter or OK; that opens the registry editor. Now click Edit > Find. You can use this box to find a particular registry key or value. To do that, copy the last component of one of the registry keys listed here (the text after the last backslash, or the identifier inside the curly braces {} if the key ends in one), or type the name of the malware, paste it into the box and press "Find Next". The search either stops at the key it found, shown in blue selection, or ends with a message saying "Finished searching through the registry". You can delete the entire key (the entry in the left panel) once you have confirmed that it belongs to the malware by comparing the full key with the ones listed here and by looking at the values it created in the right panel. If you are not sure you want to remove the key, you can remove the values in the right panel instead; that will also cripple the malware. To delete a key or value, select it with the mouse pointer, right-click it and choose Delete from the menu, then answer Yes to the confirmation alert. Alternatively, press the Delete key on the keyboard to delete the selected entry.
You can also use the names of the files and folders created by the malware to search for their associated keys in the registry. Once you have deleted an entry, press F3 to search for the next occurrence of the entry, and repeat until you reach the end of the registry. Then copy the next registry key or filename and repeat the procedure. This is a tedious process that takes time and effort, but there is no better way to make sure the malware is out of your computer.

Variation 1 (Infostealer.Gamepass)
If you look at the different infections / installations of this virus installer, you will see that it generates semi-random file names. The DLL filename it generates is 6 to 7 characters long; it then appends a "K" to that name and saves it as an EXE and as an EXE.BAT file. It then creates an entry for the DLL file in the registry. So practically you may come across any number of file names. Instead of looking for the virus file names, try to identify which programs belong on your computer and become familiar with them, so that you can spot anything other than what you know.

Case 1
These are the files it creates on an infected computer; delete them:
C:\Windows\System32\cenbezn.dll
C:\Windows\System32\cenbeznk.exe
C:\Windows\System32\cenbeznk.exe.bat
You will find this process in the Task Manager; end it:
cenbeznk.exe
You will find this entry in the Windows registry; remove it:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = "cenbezn.dll"

Case 2
These are the files it creates on an infected computer; delete them:
C:\Windows\System32\zongximk.exe
C:\Windows\System32\zongxim.dll
C:\Windows\System32\zongximk.exe.bat
You will find this process in the Task Manager; end it:
zongximk.exe
You will find this entry in the Windows registry; remove it:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = "zongxim.dll"

Case 3
These are the files it creates on an infected computer; delete them:
C:\Windows\system32\woodkenk.exe
C:\Windows\system32\woodken.dll
C:\Windows\system32\woodkenk.exe.bat
You will find this process in the Task Manager; end it:
woodkenk.exe
You will find this entry in the Windows registry; remove it:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = "woodken.dll"

Case 4
These are the files it creates on an infected computer; delete them:
C:\Windows\system32\xuntxnk.exe
C:\Windows\system32\xuntxn.dll
C:\Windows\system32\xuntxnk.exe.bat
You will find this process in the Task Manager; end it:
xuntxnk.exe
You will find this entry in the Windows registry; remove it:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = "xuntxn.dll"

Variation 2
These are the files it creates on an infected computer; delete them:
C:\Windows\555888
C:\Windows\c11vbn.mmm
C:\Windows\667673M.exe
C:\Windows\667673MM.DLL
You will find this process in the Task Manager; end it:
667673M.exe
You will find this entry in the Windows registry; remove it:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinSysM = "C:\Windows\667673M.exe"

Variation 3
This variation also generates semi-random filenames. It creates an 8-character alphanumeric name and saves it as a CFG and a DLL in the System32 folder. It then creates a 7-character filename and saves it as a SYS file; it also creates a kernel mode driver of that file name and adds several registry keys containing this name.

Case 1
These are the files it creates on an infected computer; delete them:
C:\Windows\System32\9CA963CA.cfg
C:\Windows\System32\9CA963CA.dll
C:\Windows\System32\d7b49fa.sys
It creates a kernel mode driver: d7b49fa.sys
These are the registry keys it creates; delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CA963CA-107C-4089-B0AB-31380F90D7E3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CA963CA-107C-4089-B0AB-31380F90D7E3}\InprocServer32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_D7B49FA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_D7B49FA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_D7B49FA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d7b49fa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d7b49fa\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d7b49fa\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_D7B49FA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_D7B49FA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_D7B49FA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d7b49fa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d7b49fa\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d7b49fa\Enum

Case 2
These are the files it creates on an infected computer; delete them:
C:\Windows\System32\5243F5FA.cfg
C:\Windows\System32\5243F5FA.dll
C:\Windows\System32\c39e8db.sys
It creates a kernel mode driver: c39e8db.sys
These are the registry keys it creates; delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5243F5FA-75D6-4469-90A8-A181E2AAAA5B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5243F5FA-75D6-4469-90A8-A181E2AAAA5B}\InprocServer32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C39E8DB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C39E8DB\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C39E8DB\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c39e8db
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c39e8db\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c39e8db\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C39E8DB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C39E8DB\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C39E8DB\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c39e8db
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c39e8db\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c39e8db\Enum

Variation 4 (Infostealer.Bankos)
This variation has the capability to send out email messages with its built-in SMTP client engine.
These are the files it creates on an infected computer; delete them:
C:\Windows\control.ctr
C:\Windows\ponto.DLL
C:\Windows\system32\xuntxnk.exe.bat
and probably these:
C:\Windows\System32\Winrun.exe
C:\Windows\System32\ischot.exe
C:\Windows\System32\Xred1.exe
C:\Windows\System32\Zred2.exe
C:\Windows\System32\MscheldB.exe
C:\Windows\System32\svscheld.exe
You may find these processes in the Task Manager; end them:
xuntxnk.exe, Winrun.exe, ischot.exe, Xred1.exe, Zred2.exe, MscheldB.exe, Mscheldncx.exe, svscheld.exe
You will find these entries in the Windows registry; remove them:
HKEY_CURRENT_USER\WinRegnw
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
star1 = "C:\Windows\System32\Winrun.exe"
star2 = "C:\Windows\System32\ischot.exe"
star3 = "C:\Windows\System32\Xred1.exe"
star4 = "C:\Windows\System32\Zred2.exe"
star6 = "C:\Windows\System32\MscheldB.exe"
star7 = "C:\Windows\System32\Mscheldncx.exe"
star8 = "C:\Windows\System32\svscheld.exe"
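As an added example (not part of the original guide), the following read-only PowerShell audit checks the persistence points described for Variations 1 to 4 above before you open regedit: the AppInit_DLLs value, the Run keys, the name.dll / nameK.exe / nameK.exe.bat triplet in System32, the 8-character CFG/DLL pair, and LEGACY_ driver entries with 7-character hex names. It assumes PowerShell 3.0 or later in an elevated session; the hex pattern for the driver name is my assumption drawn from the two samples on this page, and the script only reports, so each hit is still confirmed against the lists above before anything is deleted.

```powershell
# Added example: read-only audit of the persistence points this guide lists.
# Assumes PowerShell 3.0+ in an elevated session. Reports only; deletes nothing.
$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# Variation 1: the DLL is loaded into every process through AppInit_DLLs (normally empty).
$winNtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winNtKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings += "AppInit_DLLs is set to '$appInit'" }

# Variation 1 file pattern: <name>.dll plus <name>K.exe and <name>K.exe.bat, name 6-7 chars.
Get-ChildItem -Path $sys32 -Filter '*.exe.bat' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $stem = $_.Name -replace '\.exe\.bat$', ''          # e.g. cenbeznk
    if ($stem -match '^(.{6,7})k$') {                   # -match is case-insensitive
        $dll = Join-Path $sys32 ($Matches[1] + '.dll')
        $exe = Join-Path $sys32 ($stem + '.exe')
        if ((Test-Path $dll) -and (Test-Path $exe)) {
            $findings += "Variation 1 triplet: $dll, $exe, $($_.FullName)"
        }
    }
}

# Variations 2 and 4: autostart values under the Run keys (WinSysM and star1..star8 on this page).
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip the provider's own metadata properties
        $flag = if ($p.Name -match '^(WinSysM|star\d)$') { ' <-- value name seen in this guide' } else { '' }
        $findings += "$hive Run: $($p.Name) = $($p.Value)$flag"
    }
}

# Variation 3: 8-character <id>.cfg next to <id>.dll in System32, and LEGACY_<7 hex chars> driver entries
# (hex assumed from the d7b49fa / c39e8db samples; legitimate LEGACY_ names are words, not hex).
Get-ChildItem -Path $sys32 -Filter '*.cfg' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[0-9A-Z]{8}$' -and
                   (Test-Path (Join-Path $sys32 ($_.BaseName + '.dll'))) } |
    ForEach-Object { $findings += "Variation 3 cfg/dll pair: $($_.BaseName)" }
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^LEGACY_[0-9A-F]{7}$' } |
    ForEach-Object { $findings += "Variation 3 driver entry: $($_.PSChildName)" }

if ($findings.Count -eq 0) { 'No indicators matching this guide were found.' } else { $findings }
```

The Run-key section lists every autostart value, legitimate ones included, so treat it as the inventory the guide asks you to build of what belongs on the machine rather than as a verdict.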