JamiiForums |The Home of Great Thinkers - View Single Post - How to remove Raila Odinga virus
Post #4, by Invisible, 29th May 2008, 09:51 AM

And as per McAfee:
Quote:
Virus Characteristics
Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe", having a file size of 97.579 bytes. The file is a Nullsoft installer file.

Upon running, it drops and displays a picture file of "Raila Odinga"; this is just an attention drawer. Apart from copying itself to the system, Raila Odinga.gif is also placed on the desktop and repeatedly opened.

In the meantime, the Raila Odinga.exe binary file is silently copied to the Windows directory and a registry entry is created for it:
  • c:\WINDOWS\system32\drivers\Raila Odinga.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
    Data: C:\WINDOWS\system32\drivers\Raila Odinga
It drops an innocent file called "system.dll" having a file size of 10240 bytes.
  • c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
  • c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll
A link file is added as:
c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

Indications of Infection
  • Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe", having a file size of 97.579 bytes
  • Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editor.
Method of Infection
  • Manual infection - there's no exploit associated with it
Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

Aliases

DR/NSIS.Voter.A (H+Bedv), TROJ_VOTERAI.A (Trend), Trojan.NSIS.Voter.a (Kaspersky), W32/Voterai.worm.b, Worm/Generic.BQP (Grisoft)
__________________
Hide your foolishness; don't hide your wisdom!
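The indicators the McAfee write-up lists (the dropped binary under the drivers directory, the desktop image, the Startup shortcut, the HKCU Run value and the leftover NSIS temp directories) can be checked on a single Windows host with a read-only PowerShell script. The following is an added example, not code from the McAfee write-up or from the forum post. It assumes the same locations as the write-up, resolved through environment variables and Environment.GetFolderPath instead of the literal C:\ and "userxyz" paths, and takes the expected size 97579 bytes from the write-up's "97.579 bytes". It only reports; removal is left to the engine/DAT combination the write-up recommends.

```powershell
# Added example (not from the McAfee write-up or the forum post): read-only
# check of one Windows host for the indicators listed in the write-up.
# Assumptions: same paths as the write-up, resolved via environment variables;
# expected binary size 97579 bytes taken from the write-up's "97.579 bytes".

$expectedSize = 97579

function Test-RailaOdingaIndicators {
    $findings = @()

    # 1. Dropped copy of the binary under the drivers directory, with a size check
    $exe = Join-Path $env:SystemRoot 'system32\drivers\Raila Odinga.exe'
    if (Test-Path -LiteralPath $exe) {
        $size = (Get-Item -LiteralPath $exe).Length
        $note = if ($size -eq $expectedSize) { 'size matches write-up' }
                else { "size $size differs from write-up" }
        $findings += "File present: $exe ($note)"
    }

    # 2. Lure image on the desktop and the shortcut in the Startup folder
    $lureAndLnk = @(
        (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Raila Odinga.gif'),
        (Join-Path ([Environment]::GetFolderPath('Startup')) 'Raila Odinga.lnk')
    )
    foreach ($p in $lureAndLnk) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 3. Any HKCU Run value referencing the binary; the write-up says it is
    #    stored in the key's "(Default)" value, which Get-ItemProperty exposes
    #    as a property named "(default)". PS* properties are provider metadata.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }
            $value = "$($props.$name)"
            if ($value -like '*Raila Odinga*') {
                $findings += "Run value '$name' = $value"
            }
        }
    }

    # 4. NSIS plugin directories (ns*.tmp\System.dll). The write-up calls
    #    System.dll innocent; on its own it only shows an NSIS installer ran,
    #    so it is reported as corroboration, not as an infection marker.
    Get-ChildItem -Path $env:TEMP -Directory -Filter 'ns*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.FullName 'System.dll'
            if (Test-Path -LiteralPath $dll) {
                $findings += "NSIS plugin dir: $dll (not malicious by itself)"
            }
        }

    return $findings
}

$result = @(Test-RailaOdingaIndicators)
if ($result.Count -eq 0) {
    'No Raila Odinga indicators found on this host.'
} else {
    'Indicators found:'
    $result | ForEach-Object { "  $_" }
}
```

Run it in the context of the user whose profile is being checked, because the Run key and the Startup folder are per-user (HKCU and the current user's profile); a host with several accounts needs one pass per account. The size comparison is deliberately a note rather than a hard condition, since a file of the same name with a different size is still worth looking at.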
