ViRobot
Home HOME > Security Info

Security Info

Threats DB

Spyware.Rogue.Dr.28672

Aliases  
Typical Symptoms  Auto-execution on rebooting,POP-UP Window,Hide the file,System speed down
Discovered  [korea] 2009-10-07
 [Foreign] 0000-00-00
Type  Spyware ActiveField  
Damage/Distribution
Origin  Korea Encryption  NO
Target of infection  Execution,ETC
Scan engine needed
2009-10-07 [Able to detect & repair]
  • Free scan
  • Free trial download
Description

[Symptom of Infection]

Spyware.Rogue.Dr.28672 is a spyware which downloads other malicious codes by accessing to certain site without user agreement.

- It shows advertisment webpage continuously, and tries accessing to certain blog(http://***o.**.to) constantly.
- It registers itself to registry for auto-execution on Windows Loading.

*Related malicious codes*

1. Adware.PCVaccineProgram.R
2. Adware.AntiStop.R
3. Adware.Yacson.R

*Related URLs*

1. http://*********.wo.to/*****t.exe
2. http://***.kr/ad.php
3. http://******ox.co.kr/?ptn=*****oy&inty=*****
4. http://ad.***.kr/popup/popup.php?seq=5&dom=ad
5. http://*****isk.com

*Files*
Spyware.Rogue.Dr.28672 creates files like below.

- (Root Folder)\covolt.exe
- (Root Folder)\FireWall - EX.exe
- (System Folder)\dllcache\okir.exe
- (System Folder)\okir.system

*Registries*

Spyware.Rogue.Dr.28672 creates registries like below.

HKLM\SOFTWARE\Classes\exefile\shell\open
Name: (Default Value)
Key: (System Folder)\okir.system

HKLM\SOFTWARE\Classes\exefile\shell\runas
Name: command
Key: (System Folder)\okir.system

HKLM\SOFTWARE\Classes\.system
Name: (Default Value)
Key: sister

HKLM\SOFTWARE\Classes\sister\shell\1 
Name: command
Key: (System Folder)\dllcache\okir.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: FireWall EX Ver
Key: (Root Folder)\FireWall - EX.exe

[Notation]

- "(Root Folder)" could be different by OS, and generally this is "C:\" which is a Windows installed disk driver.
- "(System Folder)" could be different by OS, and generally this is "C:Windows\System (Windows 95/98/Me), C:Winnt\System32 (Windows NT/2000), C:Windows\System32 (Windows XP)".
Removal Instructions

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
-Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
- Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
- Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose all files in scan option.
- ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files
- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.
List
Copyright 2008 @ HAURI Inc. All rights reserved. SiteMap