Wednesday, January 12, 2011

Malware Ebetazijl.B: Made in Spain?

Ebetazijl.B. ".. Abrir la carpeta the ver los archivos .." is the Spanish language in English is "Open folder to view files". It's a little hard to read the name of the malware on this one. Previously we ever get Ebetazijl.A not create a shortcut on flash disk. In addition to VB-Shortcut, Ebetazijl.B add malware data created using Visual Basic and create a shortcut, even though we got some variants created using C + + and Delphi.

A. File Info

Name: Ebetazijl.B
Origin: Unknown
File Size: 36.0 KB
Packer: -
Programming: Visual Basic 6.0
Icon: Winlogon.exe
Type: Worm

B. Malware Name

The name of this worm was taken from the name of the Product Name is always there Ebetazijl.B text as shown in the picture below:

Properties Ebetazijl.B

C. Shortcut and Autorun

As written in the early discussion, this malware is making the same shortcuts as worm-Shortcut VB.

Folder and Shortcut Ebetazijl.B

However, there is a difference in the target of the shortcut and usually, VB-Shortcut always had hidden all the folders on the flash disk, while Ebetazijl.B just create a shortcut of all shortcuts lead to the autorun.exe file. Here are the contents textnya:

1.% SystemRoot% \ system32 \ rundll32.exe url.dll, FileProtocolHandler DrivesGuideInfo \ autorun.exe?
Autoplay appearance in the picture above, is the result made by Ebetazijl.B autorun as seen in the image below:

Autorun Ebetazijl.B

With the help of autorun.inf files on top, then if the user selects the menu open on the flash disk, which is on the run is a worm with the name of autorun.exe Ebetazijl.B contained in the folder:
1.DrivesGuideInfo - S-1-7-21-1439977401-7444491467-600013330-9141
Drives Ebetazijl.B

Folder for S-1-7-21-1439977401-7444491467-600013330-9141 looks just like the Recycle Bin, this worm adds desktop.ini inside the folder.

Companion Ebetazijl.B

In other words, in analogy to autorun with autoplay function will call the worm Ebetazijl.B contained in the folder:

DrivesGuideInfo \ S-1-7-21-1439977401-7444491467-600013330-9141 \ autorun.exe

While users will also enable the worm Ebetazijl.B if you run a shortcut on flash disk that leads the target file in the folder:

DrivesGuideInfo \ autorun.exe

D. Infection

Trying to update with utilizing an Internet connection to the website:

http://www.0-0-0-0-0-0-0-0-0-0-0-0-0-18- ... .... info / (partially obscured text)

Make 2 startup in order to be activated immediately after entering the windows and can be viewed in Msconfig.
1.HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \ NVIDIA Media Center Library
C: \ WINDOWS \ winlogon.exe
HKCU \ \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \ NVIDIA Media Center Library <> C: \ WINDOWS \ winlogon.exe
This worm to deceive a user with the same icon winlogon.exe file of Windows. Because the most fundamental difference is, winlogon (Windows) is in the process System Idle Ebetazijl.B while in Explorer.

Process Ebetazijl.B
Ebetazijl.B worm can be cleaned by using PCMAV 4.5 Update Build1. For users who have not become infected do not have to worry because with the ability to dispel PCMAV RTP-Ebetazijl.B worm.


PCMAV Detection

PCMAV Cleaning

PCMAV 4.5 Update Build1

To eradicate this virus or another virus variant, PCMAV 4.5 Update Build1 been present with the addition of 65 new virus variant identification. For those users PCMAV 4.5, it is strongly recommended to update immediately, so that you PCMAV can recognize and eradicate the virus more.

To obtain and use PCMAV update, you simply run PCMAV.exe, the computer must be actively connected to the Internet. If an Internet connection using a proxy, specify the proxy configuration in the file proxy.txt. Automatic Updates feature from PCMAV will automatically download and update the database of PCMAV. You also can update at any time by right-clicking the icon PCMAV the system tray and choose Update.

For those of you who want to update the files manually, you can download the file through some of these links: (mirror)

Put the downloaded file (update.vdb) into the folder \ vdb. If previously there has been a long update file, you simply overwrite. Make sure once again, that the update file name is update.vdb, if different, just change the name. And later when you return PCMAV run, he is in condition was updated.

List of virus addition to PCMAV 4.5 Update Build1:
Autoit.FB, Autoit.FC, Autoit.FC.ini, Autoit-ReplaceIcon.B, Autoit-ReplaceIcon.C, Baidu, Baidu.dll, Baidu.dns,, Baidu.inf, Beds, Bekol, BudiLuhur.C, BudiLuhur.C.inf, DelPS, DelPS.ini, Ebetazijl.A, Ebetazijl.A.inf, Ebetazijl.A.ini, Ebetazijl.B, Ebetazijl.B.lnk, HB10, Malingsi.AA, Malingsi.Y, Malingsi.Z, Malingsi.Z.dll, Malingsi.Z.exe, Malingsi.Z.ini, Malingsi.Z.mrc, Mshearts.vbs.C, MsKunti.vbs, MsKunti.vbs.html, MsKunti.vbs.inf, MsKunti.vbs.ini, MsKunti.vbs.txt, Nami-Ternate, Nami-Ternate.bat.A, Nami-Ternate.bat.B, Nami-Ternate.bat.C, Nami-Ternate.bat.D, Nami-Ternate.inf.A, Nami-Ternate.inf.B, Nami-Ternate.ini.A, Nami-Ternate.ini.B, Nami-Ternate.ini.C, Nami-Ternate.txt.A, Nami-Ternate.txt.B, Poet-Kompti, Poet-Kompti.txt, RedWines.B, Samok.vbs, Samok.vbs.bat, Samok.vbs.inf, Serviks.C, Serviks.C.html, Serviks.C.inf, Serviks.C.vbs, Sherry, VB-Shortcut-WLogon.A, VB-Shortcut-WLogon.B, VB-Shortcut-WLogon.C, VB-Shortcut-WLogon.D, VB-Shortcut-WLogon.E, VB-Shortcut-WLogon.F, VB-Shortcut-WLogon.G,


Post a Comment

Related Posts Plugin for WordPress, Blogger...

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Best Buy Printable Coupons