How to Prevent and Remove the Packed.Win32.Katusha.o
| No. | Filename | Size |
| --- | --- | --- |
| 1 | %AppData%\Microsoft\stor.cfg | 924 bytes |
| 2 | %AppData%\Microsoft\svchost.exe | 93,696 bytes |
| 3 | %AppData%\Microsoft\Windows\shell.exe | 107,008 bytes |
| 4 | %Temp%\dwm.exe [file and pathname of the sample #1] | 117,248 bytes |
- Notes:
- %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
b. Memory Modifications
- There were new memory pages created in the address space of the following system process(es):
  - [filename of the sample #1]
  - svchost.exe
  - shell.exe
c. Registry Modifications
- The newly created Registry Values are:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    - svchost = "%AppData%\Microsoft\svchost.exe"
      so that svchost.exe runs every time Windows starts
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    - ProxyServer = "http=127.0.0.1:50370"
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    - Shell = "explorer.exe,%AppData%\Microsoft\Windows\shell.exe"
      so that shell.exe runs every time Windows starts
- The following Registry Values were modified:
  - [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    - ProxyEnable =
  - [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    - ProxyEnable =
  - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    - ProxyEnable =
  - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    - ProxyEnable =
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    - ProxyEnable =
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    - load =
d. Other details
- There were registered attempts to establish connection with the remote hosts. The connection details are:

| Remote Host | Port Number |
| --- | --- |
| 66.199.251.242 | 80 |
| 66.96.217.165 | 80 |
| 74.54.90.2 | 80 |

- The data identified by the following URLs was then requested from the remote web server:
- http://freenetgameonline.com/images/im133.jpg?tq=gKZEtzwS%2FQHS6gqtfl%2FzdcWqBP0%2FSPZS0ahz9TwJ%2FQBS34D4CIfB4w%3D%3D
- http://freenetgameonline.com/images/im133.jpg?tq=gKZEtzwS%2FQHS6gqtfl%2FzdcWqBP0%2FSPZS0ahz9jwJ%2FQBS34D4CIfB4w%3D%3D
- http://bookknowlege.com/images/im133.jpg?tq=gJ4WKyddqK2FngtpalPcusWQWyh9VvD8ncdHPgsj3Lq1l1I6CVCou8STVzp5Jam6sYZQOyxFq8%2FGhlA7OQXqrsfnVjxpE6W6arVJKhLINQ4%3D
- http://bookknowlege.com/images/im133.jpg?tq=gL4SKyddqK2Fvgp6JgS9uLDAJjwOVKi8srNSPX9QrbzCxlM8CkWqvZ3nRz4LUam4zaURMH5KkUkqEsg1Dg%3D%3D
- http://freenetgameonline.com/images/im133.jpg?tq=gHZutDwS%2FQHSOjriaUfxgiWz%2BAiHweM%3D
- http://freeonlinedatingtips.net/images/dating1.jpg?tq=pdT%2Ffq%2BTyQUW6KEaKyA%3D
3. How-to's
a. How to prevent Packed.Win32.Katusha.o?
Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and protect your network and business.
b. How to Remove Packed.Win32.Katusha.o Manually?
Step 1: Use Windows Task Manager to end the Packed.Win32.Katusha.o processes:
- [filename of the sample #1]
- svchost.exe
- shell.exe
Step 2: Use Registry Editor to remove the Packed.Win32.Katusha.o Registry Values:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - svchost = "%AppData%\Microsoft\svchost.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  - ProxyServer = "http=127.0.0.1:50370"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  - Shell = "explorer.exe,%AppData%\Microsoft\Windows\shell.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
  - ProxyEnable =
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
  - ProxyEnable =
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
  - ProxyEnable =
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
  - ProxyEnable =
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  - ProxyEnable =
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  - load =
Step 3: Detect and delete the other Packed.Win32.Katusha.o files:
- %AppData%\Microsoft\stor.cfg
- %AppData%\Microsoft\svchost.exe
- %AppData%\Microsoft\Windows\shell.exe
- %Temp%\dwm.exe [file and pathname of the sample #1]
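The three removal steps above can be checked in one pass before anything is deleted. The following PowerShell script is an added example, not part of the original page or of Sax2; it reports the indicators the report lists (processes running from %AppData% or %Temp%, the Run, Winlogon Shell and ProxyServer values, and the dropped files) and assumes the paths and values are exactly those given above.

```powershell
# Added example: report Packed.Win32.Katusha.o indicators listed on this page.
# Run from an elevated PowerShell prompt. The script only reports; it deletes nothing.
$findings = @()

# Step 1: suspicious processes. The legitimate svchost.exe and dwm.exe live in
# %SystemRoot%\System32; copies started from the user profile are the dropped ones.
Get-Process -Name 'svchost', 'shell', 'dwm' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -like "$env:APPDATA\*" -or $_.Path -like "$env:TEMP\*")) {
        $findings += "Process $($_.Name) (PID $($_.Id)) running from $($_.Path)"
    }
}

# Step 2: registry persistence and the local proxy setting from the report.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'svchost'; Pattern = '*\Microsoft\svchost.exe*' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Pattern = '*shell.exe*' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'ProxyServer'; Pattern = '*127.0.0.1:50370*' }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and ($item.($c.Name) -like $c.Pattern)) {
        $findings += "Registry $($c.Key)\$($c.Name) = $($item.($c.Name))"
    }
}

# Step 3: dropped files. %Temp% resolves through $env:TEMP on the current account.
$files = @(
    (Join-Path $env:APPDATA 'Microsoft\stor.cfg'),
    (Join-Path $env:APPDATA 'Microsoft\svchost.exe'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\shell.exe'),
    (Join-Path $env:TEMP 'dwm.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { 'No Packed.Win32.Katusha.o indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the Run value is under HKEY_LOCAL_MACHINE while the Winlogon and proxy values are per user, run the script as each account that used the machine, not only as the administrator.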
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm