Monday, 14 April 2008

New Service or Virus?

New viruses are everywhere, but this one I came across the other day was a nice one. I love viruses; they are like little puzzles sometimes. Anyway, here is what I did.

Service name dkancz
Display name dkancz
Description Microsoft .NET Framework TPM
Path to executable
C:\WINDOWS\system32\SvChOsT.EXE –k dkancz

If you explore the registry you will find that this not only starts as a service, but its Parameters key also names a DLL, bnglxz.dll, which is what svchost actually loads when the service starts (the mixed-case SvChOsT.EXE in the path is itself a giveaway; a genuine entry is written as svchost.exe). To remove it I first renamed the file so the service could no longer find and load it, in this case to a .dllx extension, which Windows does not treat as runnable, and then removed the service from the current control set,

i.e. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Find the service key dkancz under there and delete it.

After you have deleted this key, reboot and check whether the service has come back. If it has not, you have stopped it from starting, but you still need to look deeper into how it got there. One caveat: CurrentControlSet is only a link to one of the numbered ControlSetNNN keys, so a copy of the service in another control set (for example the one Last Known Good uses) is not touched by this delete.
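The same checks, scripted. This is an added example and not code from the original post: it walks every service whose ImagePath points at svchost.exe and flags the things that made dkancz stand out, namely a -k group that svchost does not know about, a service name missing from that group's member list, and a Parameters\ServiceDll that is unsigned, missing, or outside %SystemRoot%\system32. The names dkancz and bnglxz.dll appear only in comments; everything else is read live from the registry, and the flag thresholds are my own choice.

```powershell
# Added example (not from the original post). Triage svchost-hosted services and
# report the signs described above. Run from an elevated PowerShell prompt.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups      = Get-ItemProperty -Path $groupsKey      # one REG_MULTI_SZ per -k group
$system32    = Join-Path $env:SystemRoot 'system32'

$findings = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

    # Only svchost-hosted services matter here. Match case-insensitively because the
    # post's entry was written as SvChOsT.EXE; capture the -k group name.
    if (-not $svc.ImagePath) { continue }
    if (-not ($svc.ImagePath -match '(?i)svchost\.exe\s+-k\s+"?([^\s"]+)')) { continue }
    $group = $Matches[1]
    $name  = $key.PSChildName
    $dll   = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $flags = @()

    # svchost only starts a service if its name is listed in the REG_MULTI_SZ for its group.
    # A made-up group (like dkancz in the post) either does not exist here or was added by the malware.
    $members = $groups.$group
    if (-not $members) {
        $flags += "group '$group' is not defined under the Svchost key"
    } elseif ($members -notcontains $name) {
        $flags += "'$name' is not listed as a member of group '$group'"
    }

    if (-not $dll) {
        $flags += 'no Parameters\ServiceDll value'
    } else {
        # ServiceDll is usually written with %SystemRoot%; expand it before checking the path.
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += "ServiceDll outside system32: $path"
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += "ServiceDll missing on disk: $path"
        } else {
            # Unsigned or tampered DLL (bnglxz.dll in the post would show up here).
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "ServiceDll signature $($sig.Status): $path" }
        }
    }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            Group      = $group
            ServiceDll = $dll
            Flags      = ($flags -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Treat the signature flag as corroboration rather than proof: on older systems Get-AuthenticodeSignature does not consult the catalog files that most Microsoft DLLs are signed through, so legitimate system DLLs can show as NotSigned there, whereas a service in an unknown group or with a DLL outside system32 is worth a close look on any version. Once you have confirmed a hit, `sc.exe stop <name>` followed by `sc.exe delete <name>` removes the service entry without hand-editing the registry, which is the equivalent of the key deletion described above.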

Sophos has now identified the virus as Mal/PcClient-A.
