Thursday, January 21, 2010

Remove the Trojan known as Hydraq



Following up on my last post about Hotmail/Gmail/Yahoo email accounts being hijacked.

(See the post here: http://rebmordechaiwrites.blogspot.com/2010/01/is-your-email-account-sending-out-links.html)

Latest news is that it is indeed of Chinese origin, and what makes this one special is that it was not written by a criminal gang or by kids breaking into computers for fun. The security researchers quoted in the press attribute it to the Chinese government, the aim being to monitor its own people's online email accounts. Note that Hydraq is a backdoor Trojan, a program that gives someone else remote control of the PC, rather than a virus that spreads by itself, so assume that whoever installed it has been able to read whatever was on the machine, passwords included.


See the article in The Daily Telegraph here:

http://www.telegraph.co.uk/technology/google/7034995/Security-specialist-has-evidence-of-Chinese-attack-on-Google.html

The Trojan has been given the name Hydraq (Symantec tracks it as Trojan.Hydraq).

How to identify the Trojan:

It registers itself as a Windows service, so there will be a registry key like this (the four characters vary from one infection to the next):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS]

To view the registry entry:

START -> Run
Type: regedit.exe and hit Enter (or click OK)

Expand the tree nodes down to Services and look for a key matching that pattern (or confirm that there is none).

If this key is present, the Trojan has been installed as a Windows service on your computer. Before touching it, note the key's ImagePath value and, under its Parameters subkey, the ServiceDll value: that is the file the service loads, and it is the file the antivirus scan at the end has to remove.

To see the service do the following:

START ->Run
Type: services.msc and hit Enter (or click OK)

Sort by the Name column and look for a service with the same name as the registry key.

It will be RaS[the four characters from the registry key].

Note: This should not be confused with Microsoft's Remote Access Connection Manager (service name RasMan, implemented in RASMANS.DLL) or Remote Access Auto Connection Manager (RasAuto), which are genuine Windows services. A genuine Microsoft service loads a signed DLL from the Windows system32 folder; the Trojan's service does not.

Obviously our Chinese friends chose the name so that it looks like a standard Microsoft Windows service.
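The registry and services.msc checks above, done in one go from a PowerShell prompt. This is an added example written for this page, not a script from the original post or from any vendor write-up; it assumes only the RaS[four characters] naming pattern described above and the standard layout of a service's registry key (ImagePath, and Parameters\ServiceDll for services hosted by svchost.exe). It changes nothing on the machine.

```powershell
# Added example, not from the original post. Lists every service whose name
# is "RaS" followed by exactly four characters (the Hydraq pattern above) and
# shows where each one's code lives, so it can be told apart from Microsoft's
# genuine RasMan and RasAuto services. Read-only; run from an elevated prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# -cmatch is case-sensitive on purpose: Hydraq's name has a capital S ("RaS"),
# whereas the legitimate RasAuto (also seven characters) has a lower-case s,
# so a case-insensitive search would flag it on every Windows machine.
$suspects = Get-ChildItem -Path $servicesKey |
    Where-Object { $_.PSChildName -cmatch '^RaS.{4}$' }

if (-not $suspects) { Write-Host 'No service named RaS???? is registered.' }

foreach ($key in $suspects) {
    $props = Get-ItemProperty -Path $key.PSPath

    # A service hosted by svchost.exe keeps its real module in
    # Parameters\ServiceDll; a stand-alone service binary is in ImagePath.
    $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $module = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { $props.ImagePath }

    # Strip quotes and svchost arguments (e.g. "-k netsvcs"), expand %SystemRoot%.
    $file = [Environment]::ExpandEnvironmentVariables(
                [string]($module -replace '^"?([^"]+?\.(?:dll|exe)).*$', '$1'))

    # Genuine Microsoft service modules are Authenticode-signed; NotSigned,
    # HashMismatch or a file that is not there at all is the warning sign.
    $signature = if ($file -and (Test-Path -LiteralPath $file)) {
        (Get-AuthenticodeSignature -FilePath $file).Status
    } else {
        'file not found'
    }

    New-Object -TypeName PSObject -Property @{
        Service     = $key.PSChildName
        DisplayName = $props.DisplayName
        StartType   = $props.Start       # 2 = Automatic, 3 = Manual, 4 = Disabled
        ImagePath   = $props.ImagePath
        Module      = $file
        Signature   = $signature
    } | Format-List Service, DisplayName, StartType, ImagePath, Module, Signature
}
```

The point of the signature check is that the service name alone proves little: anyone can register a service called whatever they like, but only Microsoft can produce a validly signed Microsoft DLL. A hit whose Module is outside the Windows folder, or whose Signature is anything other than Valid, is the one to take to the removal steps below; write down its Module path, because that is the file that must be removed after the service is gone.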

We need to stop this service:

1. Right-click the RaS service and select Stop.
2. Wait for the service to stop.
3. Right-click the service again and select Properties.
4. In the Properties window, change the Startup type to Disabled (Manual would still let another program start it again).

Removing the service:

You can delete the following registry keys with regedit, or use a tool to do it for you. The service must be stopped first, and deleting the top key removes its Parameters and Security subkeys with it.

The keys are these:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS]\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS]\Security

Alternatively you can download this file which contains a Windows Service removal tool:

http://www.vbrad.com/ondadl/dl_srvany.zip

Once downloaded, extract srvinstw.exe from the zip file.

This is a very simple tool which can be used to create and also remove Windows services.

In fact the tool makes it too easy to remove services, so be very careful when using it that you don't remove the wrong one.

Double-click srvinstw.exe and wait for its window to appear.

Choose the "Remove Service" option and click Next.

The next screen has a drop-down list box whose contents is a complete list of every service installed on your computer.

From the drop-down list box select the RaS[xxxx] service. Make sure that RaS[xxxx] is highlighted in blue before you continue, or the tool will delete the first service in the list!

Run services.msc again to confirm that the service (Trojan) has been removed. If it is still listed, close services.msc and reboot: Windows only finishes deleting a service once every program that had it open (services.msc included) has let go of it.
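The stop, disable and delete steps above can be done with Windows' own tools instead of a downloaded utility, which also removes the risk of deleting the wrong service with a mis-click. This is an added example written for this page, not a script from the original post or from the tool's author; the service name RaSabcd used in the usage line is a placeholder and must be replaced with the name of the key actually found on the machine.

```powershell
# Added example, not from the original post. Stops, disables and deletes a
# service by name with built-in Windows tools. The name is whatever the
# Services\RaS???? registry key is called; "RaSabcd" below is a placeholder.
# Run from an elevated (Administrator) PowerShell prompt with services.msc
# closed, otherwise the deletion only completes at the next reboot.

function Remove-SuspectService {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9_.-]+$')]   # keeps the WQL filter below safe
        [string]$Name
    )

    # Never touch Microsoft's genuine Remote Access services.
    if ($Name -imatch '^(RasMan|RasAuto|RemoteAccess)$') {
        throw "Refusing to remove the built-in Windows service '$Name'."
    }

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "No service named '$Name' is registered." }

    # A service hosted by svchost.exe loads its code from Parameters\ServiceDll.
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll

    Write-Host "Name       : $($svc.Name)"
    Write-Host "DisplayName: $($svc.DisplayName)"
    Write-Host "State      : $($svc.State)"
    Write-Host "PathName   : $($svc.PathName)"
    Write-Host "ServiceDll : $dll"

    # Case-sensitive confirmation of the exact name: no accidental removals.
    if ((Read-Host 'Type the service name again to confirm removal') -cne $Name) {
        Write-Host 'Aborted, nothing changed.'
        return
    }

    # 1. Stop it and wait; 2. disable it so nothing can restart it in the
    # meantime; 3. delete the registration. The Service Control Manager removes
    # the whole Services\<Name> key, Parameters and Security subkeys included.
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    $rc = $svc.Delete().ReturnValue      # 0 = success
    if ($rc -ne 0) { throw "Delete failed with return code $rc (is the prompt elevated?)." }

    # The module is still on disk: these are the paths to hand to the antivirus scan.
    Write-Host "Service '$Name' deleted. File(s) left to clean up:"
    $svc.PathName
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) }
}

# Usage (placeholder name):
# Remove-SuspectService -Name 'RaSabcd'
# Afterwards: Get-Service -Name 'RaSabcd' -ErrorAction SilentlyContinue  (should print nothing)
```

The function prints the service's details and makes you retype its name, case-sensitively, before anything is changed, which is the safeguard the drop-down list in srvinstw.exe lacks. It deliberately refuses the RasMan, RasAuto and RemoteAccess names so that a typo cannot take out a genuine Windows component. Deleting the service does not delete the DLL or EXE it pointed at, which is why the paths are printed at the end: they are what the full antivirus scan, or a manual check, has to deal with next.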

Don't forget to check your email account options and remove every setting the Trojan changed, and change the account password while you are there.
(See my post on this; the link is at the top of this page.)

Lastly, run a full antivirus scan to remove the Trojan's files. Removing the service only stops it from running; the DLL it loaded is still on the disk until the scan deletes it.

That's all, folks.
