INFORMATION TECHNOLOGY CENTER

Share the knowledge
Nov 22

This is a new variant from those d**n Chinese virus makers. It works the same way as the older technique covered in ARP Spoofing part II. Judging by the file names they use, this team looks like a gamer team in China. What are they looking for? Logging your logins, getting your financial information, your sensitive information, etc.

Know your enemy!

How does this virus actually work? It attacks your network, so no matter what operating system or browser you are using, it can reach Windows, Linux and Mac. The virus itself runs on the Windows platform, but on Linux or Mac with Wine installed it can run too! Browser? Any browser can be hijacked: Internet Explorer, Mozilla Firefox, Opera, even the new Google browser Chrome! In short: "anyone, anything, can be infected by this virus".

The easiest way to know whether this virus is active on your computer is to look at the Yahoo Messenger error script; the code for this virus is "]".

Once active, the virus downloads 2 master files: gameeeeeee.vbs and gameeeeeee.pif. gameeeeeee.vbs executes gameeeeeee.pif.

Network Attack:

After the virus build is complete, it starts attacking your network using winipsec.dll. The virus broadcasts to every computer on your network, and once it finds the router/gateway it tries to set the infected computer's MAC address to the same value as the router/gateway's MAC address.

Once this happens (I hope it does not happen to you) the virus declares itself the router/gateway on your network and can easily infect every computer on it. This is the new part of this ARP spoofing: the virus tries to use the default Windows shares to send the files AcSpecf.sdb, AcXtrnel.sdb and AcSpecf.dll to %systemroot%\WINDOWS\AppPatch. If this happens, your computer will halt/freeze!
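The symptom described above, two hosts answering for the same MAC address with the gateway among them, is visible in the ARP cache of any machine on the LAN. The following is an added example written for this post (not code from the original article or from any tool it names): it parses Windows-style `arp -a` output, ignores broadcast and multicast addresses that legitimately map to many IPs, and flags MACs claimed by more than one host, with an optional known-good gateway MAC to compare against. The sample ARP output is constructed for the demonstration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not captured from a real infection).
# The gateway 192.168.1.1 and a second host 192.168.1.37 report the same MAC.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP cache row: IPv4 address, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MACs normalised to lower-case, dash-separated."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace(":", "-"), kind.lower()))
    return entries


def is_group_address(mac):
    """Broadcast and IPv4 multicast MACs legitimately map to many IPs; skip them."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-")


def find_arp_conflicts(entries, gateway_ip, known_gateway_mac=None):
    """Flag MACs that several hosts claim at once, the classic ARP-spoofing fingerprint.

    Returns a dict with:
      gateway_mac     - MAC currently cached for the gateway (None if not cached)
      duplicate_macs  - {mac: sorted list of IPs} for MACs claimed by more than one host
      gateway_suspect - True if the gateway's MAC is duplicated or differs from the baseline
    """
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        if not is_group_address(mac):
            by_mac[mac].add(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

    gateway_mac = next((mac for ip, mac, _ in entries if ip == gateway_ip), None)
    suspect = gateway_mac is not None and gateway_mac in duplicates
    if known_gateway_mac is not None and gateway_mac is not None:
        baseline = known_gateway_mac.lower().replace(":", "-")
        suspect = suspect or gateway_mac != baseline
    return {"gateway_mac": gateway_mac, "duplicate_macs": duplicates, "gateway_suspect": suspect}


if __name__ == "__main__":
    # Usage: python arp_check.py [saved-arp-output.txt] ; with no file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARP_OUTPUT
    report = find_arp_conflicts(parse_arp_table(text), gateway_ip="192.168.1.1")
    for mac, ips in report["duplicate_macs"].items():
        print(f"MAC {mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    print("gateway MAC suspect:", report["gateway_suspect"])
```

On a real machine, save `arp -a` output to a file and pass it as the argument; recording the gateway's MAC while the network is known-clean and passing it as `known_gateway_mac` catches the case where the spoofer has already replaced the gateway entry and no duplicate remains in the cache.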

Like the older version, the virus modifies your "hosts" file. In short, the hosts file works almost like DNS, so it can redirect you to any website they want. This is DANGEROUS for the newbies out there, because this trick can manipulate you. Example: you think you are accessing your online banking, and you don't even know the virus is logging your login and password.

SOLUTION

1. Disconnect all computers from the network.
2. Kill the virus process, which stays active by injecting into system processes, using Unlocker.

First install Unlocker, then unlock and delete all virus files one by one following this list:

-system.exe
-HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
-AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
-HBKernel32.sys, eth8023.sys

3. Delete the remains and clean your system using Norman Malware Cleaner.

4. Repair the registry changes made by the virus using this code, saved as repair.inf:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObject
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 3PMmUpdate
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HBService32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectsDelayLoad, ThunderAdvise

5. Fix your hosts file using HijackThis.

Run HijackThis, choose the Misc Tools section, under System Tools choose Open hosts file manager, and delete every line after 127.0.0.1 localhost.
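The manual step above removes everything that is not the localhost line. The following is an added example written for this post (not code from the original article, from HijackThis, or from any other tool named here) that does the same audit over a hosts file: it parses the file, keeps loopback and 0.0.0.0 entries (which are used for blocking, not redirection), and flags any name mapped to an outside address, including a tampered localhost entry, before producing a cleaned copy. The sample hosts content is constructed for the demonstration.

```python
import ipaddress
import sys

# Constructed sample hosts file (not taken from an infected machine).
# Lines 6 and 7 are redirect entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#
# address         hostname
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.bank.example      # redirects a banking name to an outside host
192.0.2.45      online.bank.example
0.0.0.0         ads.example           # blocking-style entry, harmless
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed first field; not a mapping
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Return mappings that redirect a name to an address other than loopback/unspecified.

    Loopback (127.x, ::1) and 0.0.0.0 mappings only block or localise a name, so they are
    kept; anything else sends the name to a host chosen by whoever edited the file. A
    'localhost' entry that does not point at loopback is also flagged.
    """
    suspicious = []
    for lineno, addr, name in parse_hosts(text):
        redirected = not (addr.is_loopback or addr.is_unspecified)
        bad_localhost = name == "localhost" and not addr.is_loopback
        if redirected or bad_localhost:
            suspicious.append({"line": lineno, "address": str(addr), "name": name})
    return suspicious


def clean_hosts(text):
    """Return the hosts file with every line that carries a flagged mapping removed."""
    bad_lines = {finding["line"] for finding in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts] ; with no path the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(f"line {finding['line']}: {finding['name']} -> {finding['address']}")
    print("--- cleaned copy ---")
    print(clean_hosts(text), end="")
```

On Windows the file lives at %systemroot%\System32\drivers\etc\hosts; the script only prints the cleaned copy, so the operator decides what to write back after reviewing the findings.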

6. Delete all temporary files and temporary internet files using ATF Cleaner.

7. For the best protection, I recommend protecting your computer using Anti ARP Sniffer.

Info from www.istanto.net
