Saturday, February 28, 2009

How to Remove RVHOST.exe Virus/Worm


Discovered: December 12, 2006
Updated: December 13, 2006 3:26:10 AM
Also Known As: IM-Worm.Win32.Sohanad.t [Kaspersky], W32/Sohana-R [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

W32.Yautoit.N is a worm that spreads through Yahoo! Instant Messenger.

Once executed, the worm downloads a file from the following location:

The worm then saves the downloaded file as the following file:

The worm creates the following file on shared drives:
%System%\new folder.exe

The worm then creates the following Windows job file with settings to execute RVHOST.exe at 9:00am every day:

The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe " RVHOST.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\RVHOST.exe"

The worm also creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "[SHARED DRIVE]\New Folder.exe"

The worm then modifies the following registry entries to disable the Task Manager and the Registry Editor:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

The worm also modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"

The worm then deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"Run" = "BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"Run" = "IEProtection"

The worm ends the following processes and closes applications if they are running:
Registry Editor
Task Manager
"System Configuration"

Next, the worm sends the following messages through Yahoo! Instant Messenger:
"E may, vao day coi co con nho nay ngon lam [http://]

"Vao day nghe bai nay di ban [http://]"

"Vao day nghe bai nay di ban [http://]"

"Biet tin gi chua, vao day coi di [http://]"

"Trang Web nay coi cung hay, vao coi thu di [http://]"

"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? [http://]"

"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [http://]"

"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [http://]"

"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [http://]"

"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...[http://]"

Info: Thanks to symantec.

Rvhost.exe Removal Tool

To remove this virus/worm automatically
just download the tool here :

Double click it after downloading, and have it running on it's own. Wait for it to finish scanning and removing the malwares and viruses on your pc. You will know when it's done when the text file appear containing the scan results. And your finish.
Make sure to disable any antivirus you have before executing the tool.


No comments: