How to Prevent and Remove the VBInject.KR

| No. | Filename | Size |
| --- | --- | --- |
| 1 | %AppData%\C-76947-8457-2745\msnliveap.exe; %Temp%\8570.exe; [file and pathname of the sample #1] | 4,512,256 bytes |
| 2 | %AppData%\msnl.exe; %Temp%\7158193.exe | 470 bytes |
- Notes:
  - %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  - %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- The following directory was created:
  - %AppData%\C-76947-8457-2745
b. Memory Modifications
- There were new memory pages created in the address space of the system process(es):

| Process Name | Process Filename | Main Module Size |
| --- | --- | --- |
| msnl.exe | %AppData%\msnl.exe | 65,536 bytes |
c. Registry Modifications
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - Windows System Guard = "%AppData%\msnl.exe", so that msnl.exe runs every time Windows starts
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - WindowsDriverControl = "%AppData%\C-76947-8457-2745\msnliveap.exe", so that msnliveap.exe runs every time Windows starts
d. Other details
- The following ports were open in the system:

| Port | Protocol | Process |
| --- | --- | --- |
| 1059 | TCP | msnl.exe (%AppData%\msnl.exe) |
| 1060 | UDP | msnl.exe (%AppData%\msnl.exe) |

- There were registered attempts to establish connection with the remote hosts. The connection details are:

| Remote Host | Port Number |
| --- | --- |
| 109.123.108.61 | 81 |
| 98.158.190.129 | 81 |
| 81.173.18.21 | 80 |

- The data identified by the following URLs was then requested from the remote web server:
  - http://dickolsthoorn.nl/biz.exe
  - http://dickolsthoorn.nl/newbin.exe
3. How-to's
a. How to prevent the VBInject.KR?
Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will block it and protect your network and business.
b. How to Remove the VBInject.KR Manually?
Step 1: Use Windows Task Manager to end the VBInject.KR processes
- %AppData%\msnl.exe
Step 2: Use Registry Editor to remove the VBInject.KR registry values
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - Windows System Guard = "%AppData%\msnl.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - WindowsDriverControl = "%AppData%\C-76947-8457-2745\msnliveap.exe"
Step 3: Detect and delete other VBInject.KR files
- %AppData%\C-76947-8457-2745\msnliveap.exe
- %Temp%\8570.exe
- [file and pathname of the sample #1]
- %AppData%\msnl.exe
- %Temp%\7158193.exe
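The three manual steps above can be run as one audit on a suspect machine. The script below is an added example and is not part of the original guide or of any Ax3soft product: it looks for the processes, Run-key values and dropped files named in this report and, only when started with -Remove, ends and deletes them. The paths and value names are taken from the report; the parameter name, the variable names and the audit-only default are assumptions of this example. The original dropper ("[file and pathname of the sample #1]") has no fixed path and is therefore not covered, and a variant that uses different file names will not be matched by this list. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit (default) or remove the VBInject.KR artifacts listed in the report.
# Not the guide's own tooling. Run as Administrator. -Remove is an assumed parameter name.
param(
    [switch]$Remove   # without this switch the script only reports what it finds
)

# Indicators from the report; PowerShell expands %AppData% and %Temp% through $env:
$files = @(
    (Join-Path $env:APPDATA 'C-76947-8457-2745\msnliveap.exe'),
    (Join-Path $env:APPDATA 'msnl.exe'),
    (Join-Path $env:TEMP    '8570.exe'),
    (Join-Path $env:TEMP    '7158193.exe')
)
$runValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows System Guard' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'WindowsDriverControl' }
)

# Step 1: processes running from one of the indicator paths.
# Matching on the full image path rather than the name avoids killing an
# unrelated process that merely shares the name msnl.exe.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = $proc.Path   # $null for protected/system processes; those are skipped
    if ($path -and ($files -contains $path)) {
        Write-Output "FOUND process: $($proc.Name) (PID $($proc.Id)) from $path"
        if ($Remove) { Stop-Process -Id $proc.Id -Force }
    }
}

# Step 2: Run-key values. The stored data is printed so that a value pointing
# at a different path than the report's is still visible to the analyst.
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Output "FOUND run value: $($rv.Key)\$($rv.Name) = $($item.($rv.Name))"
        if ($Remove) { Remove-ItemProperty -Path $rv.Key -Name $rv.Name }
    }
}

# Step 3: dropped files, then the created directory (only once it is empty).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Output "FOUND file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
$dir = Join-Path $env:APPDATA 'C-76947-8457-2745'
if (Test-Path -LiteralPath $dir) {
    Write-Output "FOUND directory: $dir"
    if ($Remove -and -not (Get-ChildItem -LiteralPath $dir -Force)) {
        Remove-Item -LiteralPath $dir -Force
    }
}
```

Run it once without -Remove and keep the output as the record of what was present; run it a second time with -Remove only after the findings have been reviewed, and reboot afterwards so that the Run keys are re-read and a fresh audit confirms nothing came back.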
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm