JamiiForums |The Home of Great Thinkers - View Single Post - How to remove Raila Odinga virus
Thread: How to remove Raila Odinga virus
View Single Post
  #3  
Old 29th May 2008, 09:43 AM
Invisible's Avatar
Invisible Invisible is offline
Invisible is around but busy!
Robot
Points: 6,331,668, Level: 100 Points: 6,331,668, Level: 100 Points: 6,331,668, Level: 100
Activity: 10% Activity: 10% Activity: 10%
 
Join Date: Sat Feb 2006
Location: Here...!
Posts: 6,046
Thanks: 506
Thanked 1,455 Times in 432 Posts
Rep Power: 100000
Invisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of lightInvisible is a glorious beacon of light
Send a message via MSN to Invisible
Default
Well Shy,

I might be mistaken but I do believe if someone follows my instructions can get rid of it.

Technical details

This Trojan has a malicious payload. It is a Windows PE EXE file. The Trojan components may vary in size from 17KB to 286KB.

Installation

Once launched, the Trojan extracts a file with the following name from its body to the current user's desktop:

Raila Odinga.gif

and launches it. The user will see the following image:



The Trojan also copies its executable file to the following directory:
%System%\drivers\RailaOdinga.exe

It also extracts the following file from its body:
%Temp%\nswC.tmp\System.dll

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

The Trojan also creates the following shortcut:
%Documents and Settings%\Start Menu \Programs\Autorun\RailaOdinga.lnk

When this shortcut is run, the Trojan executable file will be launched.


Payload

The Trojan copies its executable file to all removable media under the following name:

:\smss.exe

It also copies the extracted image:

:\Raila Odinga.gif

stands for the letter of the removable disk.

The Trojan creates an autorun.inf file in the root of the removable disk. This file will automatically launch the Trojan executable file when the user attempts to open the infected disk using Explorer.

The Trojan also recursively copies its executable file to all folders on the removable disk. These copies use the names of files which are located in these folders together with an .exe extension.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

* Use Task Manager to terminate the Trojan process.
* Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
* Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

* Delete the following files:

%Temp%\nswC.tmp\System.dll %System%\drivers\RailaOdinga.exe %Documents and Settings%\ Start Menu \Programs\Autorun\RailaOdinga.lnk

* Delete the following file from the desktop:

Raila Odinga.gif

* Delete all copies of the Trojan from removable disks.
* Delete the autorun.inf file from the root directory of all removable disks.
__________________
Ficha Upumbavu wako; Usiifiche Hekima yako!

Thank you for supporting JF! <---(click to support us)
 Waliochangia 2010: <--- (click to read)
JINSI YA KUCHANGIA JF<---(click to read)

24/7 Email SUPPORT: support@jamiiforums.com
Reply With Quote