How to Prevent and Remove the Backdoor.LolBot


1. What is the Backdoor.LolBot

Backdoor.LolBot is a very harmful backdoor Trojan that gains access to your computer system without your knowledge. Backdoor.LolBot spreads via instant messenger applications such as Yahoo or Skype: it sends messages to all of your contacts and attempts to infect them too. The last thing anybody wants is to be the reason their friends' computers get infected.
Backdoor.LolBot may not come alone; it may be bundled with many other parasites, which adds to the risk. Backdoor.LolBot can also spread via removable drives such as USB flash drives. Backdoor.LolBot will destroy your entire computer system and cause your internet connection to slow down.


2. Technical Details:

a. The following files were created in the system:

No.  Filename                                    Size
1    %AppData%\HEX-5823-6893-6818\jutched.exe    180,224 bytes
     %Temp%\xxf.exe
2    %Temp%\5397694.exe                          75,776 bytes
     %Windir%\nvsvc32.exe
3    %Temp%\dw.log                               78 bytes
4    %Windir%\mdl.dl                             2,314 bytes
5    [file and pathname of the sample #1]        147,456 bytes
6    %System%\winrtsnr.txt                       0 bytes
7    %Windir%\wintybrd.png                       3,416 bytes
8    %Windir%\wintybrdf.jpg                      3,968 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following directory was created:
    • %AppData%\HEX-5823-6893-6818

b. Memory Modifications

  • There was a new process created in the system:

Process Name    Process Filename        Main Module Size
nvsvc32.exe     %Windir%\nvsvc32.exe    3,096,576 bytes
  • There was a new memory page created in the address space of the system process(es):

Process Name    Process Filename                            Allocated Size
DW20.EXE        [pathname with a string SHARE]\dw20.exe     20,480 bytes

c. Registry Modifications

    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

        so that nvsvc32.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
        • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

        so that nvsvc32.exe runs every time Windows starts
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • Java Update Manager = "%AppData%\HEX-5823-6893-6818\jutched.exe"
        • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

        so that jutched.exe runs every time Windows starts
        so that nvsvc32.exe runs every time Windows starts
         
    • The following Registry Value was modified:
      • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
        • Start Page =

    d. Other details

    • The following port was open in the system:

    Port    Protocol    Process
    1061    TCP         nvsvc32.exe (%Windir%\nvsvc32.exe)
    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host        Port Number
    122.201.100.46     80
    174.37.200.82      80
    69.89.31.75        80
    178.63.79.107      1866
    • The data identified by the following URLs was then requested from the remote web server:

      • http://122.201.100.46/~kengolfo/tmp/go.exe
      • http://174.37.200.82/index.php
      • http://kissfendi.com/wp-content/uploads/karissa.jpg
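    The host/port pairs and URLs above are the network indicators an analyst would run against proxy or firewall logs to find other infected machines. The Python script below is an added example, not part of the original page or of Sax2: it matches constructed key=value firewall/proxy log lines against the remote hosts and URLs listed in this section and returns the internal source addresses that need triage. The log format, the 10.0.0.x source addresses and the 203.0.113.7 address standing in for kissfendi.com (the page gives no IP for that name) are all assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Remote hosts and the port each was contacted on, as listed in the report.
LOLBOT_REMOTE_HOSTS = {
    "122.201.100.46": 80,
    "174.37.200.82": 80,
    "69.89.31.75": 80,
    "178.63.79.107": 1866,
}
# URLs requested by the sample, as listed in the report.
LOLBOT_URLS = (
    "http://122.201.100.46/~kengolfo/tmp/go.exe",
    "http://174.37.200.82/index.php",
    "http://kissfendi.com/wp-content/uploads/karissa.jpg",
)
# Host names taken from the URLs, so proxy logs that record a name instead of an IP still match.
LOLBOT_HOSTNAMES = {urlparse(u).hostname for u in LOLBOT_URLS}

# Assumed log format: key=value fields; 'url=' is present only on proxied HTTP requests.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?:.*? url=(?P<url>\S+))?")

Hit = namedtuple("Hit", "src reason line")

def scan_log(lines):
    """Return one Hit per log line that touches a LolBot indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        dst, dport, url = m["dst"], int(m["dport"]), m["url"]
        host = urlparse(url).hostname if url else None
        if dst in LOLBOT_REMOTE_HOSTS:
            reason = f"connection to known LolBot host {dst}:{dport}"
            expected = LOLBOT_REMOTE_HOSTS[dst]
            if dport != expected:
                reason += f" (report lists port {expected})"
        elif url in LOLBOT_URLS:
            reason = f"request for known LolBot URL {url}"
        elif host in LOLBOT_HOSTNAMES:
            reason = f"request to known LolBot host name {host}"
        else:
            continue
        hits.append(Hit(m["src"], reason, line))
    return hits

def infected_sources(lines):
    """Internal addresses that should be triaged for a LolBot infection."""
    return {h.src for h in scan_log(lines)}

# Constructed sample log lines (not real traffic); 203.0.113.7 is a placeholder for kissfendi.com.
SAMPLE_LOG = [
    "2012-03-05 10:11:12 src=10.0.0.5 dst=178.63.79.107 dport=1866 proto=TCP",
    "2012-03-05 10:11:13 src=10.0.0.5 dst=93.184.216.34 dport=443 proto=TCP",
    "2012-03-05 10:11:15 src=10.0.0.5 dst=203.0.113.7 dport=80 proto=TCP url=http://kissfendi.com/wp-content/uploads/karissa.jpg",
    "2012-03-05 10:11:20 src=10.0.0.9 dst=122.201.100.46 dport=80 proto=TCP url=http://122.201.100.46/~kengolfo/tmp/go.exe",
    "2012-03-05 10:12:01 src=10.0.0.12 dst=203.0.113.7 dport=80 proto=TCP url=http://kissfendi.com/index.html",
    "2012-03-05 10:12:02 src=10.0.0.12 dst=69.89.31.75 dport=443 proto=TCP",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.src:<10} {hit.reason}")
    print("triage:", sorted(infected_sources(SAMPLE_LOG)))
```

    Matching is on the destination address alone, with a note when the port differs from the one in the report, because a command-and-control host that is reused on a different port is still the same indicator; a match on the bare host name kissfendi.com is weaker evidence than a match on the full karissa.jpg URL, and the reason string says which one fired.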


    3. How-to's

    a. How to prevent Backdoor.LolBot?

    Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and protect your network and business.

    b. How to Remove the Backdoor.LolBot Manually?

    Step 1: Use Windows Task Manager to Remove Backdoor.LolBot Processes

    nvsvc32.exe
    DW20.EXE

    Step 2: Use Registry Editor to Remove Backdoor.LolBot Registry Values
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Java Update Manager = "%AppData%\HEX-5823-6893-6818\jutched.exe"
    NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    Start Page =

    Step 3: Detect and Delete Other Backdoor.LolBot Files

    %AppData%\HEX-5823-6893-6818\jutched.exe
    %Temp%\xxf.exe
    %Temp%\5397694.exe
    %Windir%\nvsvc32.exe
    %Temp%\dw.log
    %Windir%\mdl.dl
    [file and pathname of the sample #1]
    %System%\winrtsnr.txt
    %Windir%\wintybrd.png
    %Windir%\wintybrdf.jpg
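    Steps 2 and 3 can be verified offline before anything is deleted, for example against a reg export of the Run keys and a file listing taken from the affected machine. The Python below is an added example, not the page's or Ax3soft's code: it parses the string-value subset of the .reg export format, flags the autorun values named in Step 2 by value name and image file name, and matches the Step 3 files by their full expanded path rather than by name alone, so an unrelated dw.log elsewhere on disk is not flagged. The .reg text, the path listing and the variable expansions (taken from the Notes in section 2.a, with a constructed user name) are constructed sample input.

```python
import ntpath
import re

# Autorun values from Step 2: (registry key, value name) -> image file the value points at.
LOLBOT_AUTORUNS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "NVIDIA driver monitor"): "nvsvc32.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run", "NVIDIA driver monitor"): "nvsvc32.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "NVIDIA driver monitor"): "nvsvc32.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Java Update Manager"): "jutched.exe",
}
# Files from Step 3, keyed by name, with the folder variable the report places them in.
LOLBOT_FILES = {
    "jutched.exe": "%AppData%\\HEX-5823-6893-6818",
    "xxf.exe": "%Temp%", "5397694.exe": "%Temp%", "dw.log": "%Temp%",
    "nvsvc32.exe": "%Windir%", "mdl.dl": "%Windir%",
    "wintybrd.png": "%Windir%", "wintybrdf.jpg": "%Windir%",
    "winrtsnr.txt": "%System%",
}
LOLBOT_DIR = "HEX-5823-6893-6818"  # directory created by the sample

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Parse the subset of the .reg format that 'reg export' writes for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data.
            current[m["name"]] = m["data"].replace("\\\\", "\\")
    return keys

def find_lolbot_autoruns(reg_text):
    """Return (key, value name, data) for each Step 2 autorun value present in the export."""
    keys = parse_reg_export(reg_text)
    hits = []
    for (key, name), image in LOLBOT_AUTORUNS.items():
        data = keys.get(key, {}).get(name)
        if data is not None and ntpath.basename(data.strip('"')).lower() == image:
            hits.append((key, name, data))
    return hits

def expand(folder, env):
    """Replace the report's %Variable% placeholders with the machine's real folders."""
    for var, real in env.items():
        folder = folder.replace(var, real)
    return folder

def find_lolbot_files(paths, env):
    """Return the paths that match a Step 3 file at its expected location, or sit in the dropped directory."""
    expected = {ntpath.join(expand(folder, env), name).lower() for name, folder in LOLBOT_FILES.items()}
    return [p for p in paths if p.lower() in expected or LOLBOT_DIR.lower() in p.lower()]

# Constructed .reg export (sample input, not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA driver monitor"="C:\\Windows\\nvsvc32.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update Manager"="C:\\Documents and Settings\\Alice\\Application Data\\HEX-5823-6893-6818\\jutched.exe"
'''
# Constructed folder expansions based on the defaults in the section 2.a Notes (user name assumed).
SAMPLE_ENV = {
    "%AppData%": r"C:\Documents and Settings\Alice\Application Data",
    "%Temp%": r"C:\Documents and Settings\Alice\Local Settings\Temp",
    "%Windir%": r"C:\Windows",
    "%System%": r"C:\Windows\System32",
}
# Constructed file listing; the last entry shares a name with a dropped file but is in the wrong folder.
SAMPLE_PATHS = [
    r"C:\Windows\nvsvc32.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Documents and Settings\Alice\Local Settings\Temp\xxf.exe",
    r"C:\Documents and Settings\Alice\Application Data\HEX-5823-6893-6818\jutched.exe",
    r"C:\Windows\System32\winrtsnr.txt",
    r"C:\Users\Bob\Downloads\dw.log",
]

if __name__ == "__main__":
    for key, name, data in find_lolbot_autoruns(SAMPLE_REG):
        print(f"autorun: [{key}] {name} = {data}")
    for p in find_lolbot_files(SAMPLE_PATHS, SAMPLE_ENV):
        print(f"file:    {p}")
```

    The autorun check compares only the file name at the end of the value data, because an export contains the expanded path (C:\Windows\nvsvc32.exe) rather than the %Windir% form the report uses; the file check goes the other way and expands the report's variables to the machine's folders, so that it matches the same file names only where the sample actually writes them.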

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm