W32.Harakit

Being a lazy Sunday, I decided to clean up some folders on my computer.
I noticed in my Shared folder that there was a file named "gfvjfe.exe" with the folder icon.
Stupidly, I double-clicked it and executed it thinking it'd browse into it.
When nothing happened, I instantly realised I'd been had and disabled my internet connection.

Quickly skimming through task manager processes, nothing seemed out of place.
My Windows Explorer options had been changed though: hidden files were now hidden, and system folders/files aren't showing.

Something is up.

The culprit (File properties):
Filename: gfvjfe.exe
File version: 5.0.0.2
Language: Russian
Size: 497 KB

How it got there:
It spreads itself over the network through shared folders that have write access, or via removable drives. Luckily, it's fairly simple to fix and doesn't do much damage.

The damage:
It creates a file called "csrcs.exe" in the System32 folder under Windows.

First notable change, as already mentioned, is that it hides hidden/system folders and files.

Second noticeable change was that csrcs.exe attempts to create "autorun.inf" in system32, triggering my NOD32 to display a giant red screen.

The fix:
After using Task Manager to kill off csrcs.exe, I deleted it and scanned my registry.

It links itself in the registry in the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit the "Shell" value from "Explorer.exe csrcs.exe" back to "Explorer.exe".
Lastly, clean up the multiple 0-byte "khq" files found at the root of your drives (i.e. C:\khq, D:\khq, etc.).
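The manual fix above, written up as an added PowerShell audit script (example code, not from the original post): it checks each indicator the post lists (csrcs.exe in System32, the Policies\Explorer\Run entry, the hijacked Winlogon Shell value and the khq marker files) and only undoes them when run with -Remediate. It assumes an elevated PowerShell session and that the indicators look exactly as described here.

```powershell
# Added example, not code from the original post: audit the indicators listed above
# and, only when run with -Remediate, undo them. Run from an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$dropped  = Join-Path $env:SystemRoot 'System32\csrcs.exe'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Running csrcs.exe process and the dropped copy in System32
$procs = @(Get-Process -Name 'csrcs' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings += "process csrcs.exe running, PID $($p.Id)" }
if (Test-Path $dropped) { $findings += "dropped file present: $dropped" }

# 2. Entries under Policies\Explorer\Run that launch csrcs.exe
$runNames = @()
if (Test-Path $runKey) {
    foreach ($v in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($v.Value -is [string] -and $v.Value -match 'csrcs\.exe') {
            $runNames += $v.Name
            $findings += "Run policy '$($v.Name)' = $($v.Value)"
        }
    }
}

# 3. Winlogon Shell hijacked from "Explorer.exe" to "Explorer.exe csrcs.exe"
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
$shellBad = $shell -and $shell -match 'csrcs'
if ($shellBad) { $findings += "Winlogon Shell = '$shell'" }

# 4. Zero-byte khq marker files at the root of every drive (C:\khq, D:\khq, ...)
$markers = Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root 'khq' } | Where-Object { Test-Path $_ -PathType Leaf }
foreach ($m in $markers) { $findings += "marker file: $m" }

if (-not $findings) { Write-Host 'No W32.Harakit indicators found.'; return }
$findings | ForEach-Object { Write-Warning $_ }
if (-not $Remediate) { Write-Host 'Re-run with -Remediate (add -WhatIf to preview) to clean up.'; return }

# Clean up in the order the post uses: kill, delete, unhook registry, remove markers
foreach ($p in $procs) { if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) { Stop-Process -Id $p.Id -Force } }
if ((Test-Path $dropped) -and $PSCmdlet.ShouldProcess($dropped, 'Remove-Item')) { Remove-Item $dropped -Force }
foreach ($n in $runNames) {
    if ($PSCmdlet.ShouldProcess("$runKey\$n", 'Remove-ItemProperty')) { Remove-ItemProperty -Path $runKey -Name $n }
}
if ($shellBad -and $PSCmdlet.ShouldProcess("$winlogon\Shell", 'Reset to Explorer.exe')) {
    Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe'
}
foreach ($m in $markers) { if ($PSCmdlet.ShouldProcess($m, 'Remove-Item')) { Remove-Item $m -Force } }
```

Run it once without switches to see what it finds, then with -Remediate -WhatIf to preview the changes before applying them.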

If you have a more severe infection of this trojan, check out this link for more information.
 
Update: 05/04/2010
I forgot to mention, I had all ports forwarded to my computer and there were some unprotected shared folders which had write access.
 
Block off public access to those ports and you should be fine. To figure out which ports it is, see here.
 
Copyright © Twig's Tech Tips