Malware disguised as a sound card program: AdWare.Win32.Agent.eih

Hiding a virus behind a sound card manager is insidious enough, and creative enough. SoundMan is also the name of the Realtek audio manager that ships on many machines, so the file name by itself proves nothing; the path and the MD5 below are what identify this sample.

Detection names:
AntiVir: —
AVG: —
Kaspersky: not-a-virus:AdWare.Win32.Agent.eih
NOD32v2: archive damaged
Rising: —
VT detection rate: 4 / 36 (11.11%)
VT scan time: 2008.08.23 10:19:38 (CET)

EQS Lab ID: 080823036
Sample size: 264 KB (270,457 bytes)
MD5: 66F6DA5DC11BD99D15BFEA50AC710A2E
Type: malicious program (adware)
Main propagation vector: network
Test platform: Windows XP SP3 (default shell replaced with BBlean), EQSecurity HIPS live monitoring
Damage:

Virus behaviour:

After execution, the sample modifies the IE Start Page in the registry.

2008-08-23 19:27:15 modify registry value

Process path: F:\Once\soundman\soundman.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value name: Start Page
After the change: http://www.go2000.cn/
Before the change: http://www.shendu.com/
Trigger rule: All program rules -> IE browser-related -> *\Software\Microsoft\Internet explorer\Main

Modifies the IE search-related registry entries.

2008-08-23 19:27:15 create registry value

Process path: F:\Once\soundman\soundman.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5B8225C7-757A-44B2-96BB-1E3AC529B03B}
Value name: [Key] (the key itself was created)
Trigger rule: All program rules -> IE browser-related -> *\Software\Microsoft\Internet explorer\Search*

2008-08-23 19:27:15 modify registry value

Process path: F:\Once\soundman\soundman.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}
Value name: URL
After the change: http://www.baidu.com/s?wd={searchTerms}&tn=go2000_pg&cl=3&ie=utf-8
Trigger rule: All program rules -> IE browser-related -> *\Software\Microsoft\Internet explorer\Search*

Creates an autorun entry.

2008-08-23 19:27:15 create registry value

Process path: F:\Once\soundman\soundman.exe
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: SoundMan
Trigger rule: All program rules -> Run automatically -> *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

Key behaviour: modification of IE-related registry entries.

HIPS mitigation: prevent newly run programs from modifying IE-related registry entries.
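To show how the "Trigger rules" in the log above actually fire, here is a reconstruction of that rule logic as example code added to this page; it is not EQSecurity's own code. The three glob patterns are copied from the rule lines in the log, the four soundman.exe events are constructed from the log entries, and the explorer.exe event is a made-up benign control so that the allow path is exercised too.

```python
"""HIPS-style registry rule matching, reconstructed from the log entries on this page.
Example code added to this page, not EQSecurity's own code. Rule patterns are copied from
the "Trigger rules" lines; events are constructed from the log, plus one benign control."""
import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rule table modelled on the "Trigger rules" lines: (category, glob over the full key path).
# In fnmatch "*" also matches "\", so "Search*" covers every SearchScopes\{GUID} subkey and
# "Run*" covers both Run and RunOnce.
RULES = [
    ("IE browser-related", r"*\Software\Microsoft\Internet Explorer\Main"),
    ("IE browser-related", r"*\Software\Microsoft\Internet Explorer\Search*"),
    ("Run automatically", r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*"),
]


@dataclass
class RegEvent:
    process: str
    key: str
    name: str
    action: str  # "create" or "modify"
    new_data: str = ""
    old_data: str = ""


def match_rule(key):
    """Category of the first rule whose pattern matches the key path, or None.
    Registry paths are case-insensitive, so both sides are lowercased first."""
    lowered = key.lower()
    for category, pattern in RULES:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return category
    return None


def evaluate(events, trusted_processes=()):
    """HIPS decision per event: 'block' when a rule matches and the writing process is not
    on the trust list, 'allow' otherwise. Returns (event, category, decision) triples."""
    trusted = {p.lower() for p in trusted_processes}
    decisions = []
    for ev in events:
        category = match_rule(ev.key)
        if category is None or ev.process.lower() in trusted:
            decisions.append((ev, category, "allow"))
        else:
            decisions.append((ev, category, "block"))
    return decisions


def hijack_report(events):
    """Summarise what the sample changed: start page before/after, the host that searches
    are redirected to, and any autorun value names it registered."""
    report = {"start_page": None, "search_host": None, "autorun": []}
    for ev in events:
        key = ev.key.lower()
        if key.endswith(r"\internet explorer\main") and ev.name == "Start Page":
            report["start_page"] = (ev.old_data, ev.new_data)
        elif r"\searchscopes" in key and ev.name == "URL":
            report["search_host"] = urlsplit(ev.new_data).hostname
        elif key.endswith(r"\currentversion\run") and ev.action == "create":
            report["autorun"].append(ev.name)
    return report


SOUNDMAN = r"F:\Once\soundman\soundman.exe"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

# Constructed from the four log entries above, plus one benign control event (explorer.exe).
SAMPLE_EVENTS = [
    RegEvent(SOUNDMAN, IE + r"\Main", "Start Page", "modify",
             "http://www.go2000.cn/", "http://www.shendu.com/"),
    RegEvent(SOUNDMAN, IE + r"\SearchScopes\{5B8225C7-757A-44B2-96BB-1E3AC529B03B}",
             "[Key]", "create"),
    RegEvent(SOUNDMAN, IE + r"\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}", "URL",
             "modify", "http://www.baidu.com/s?wd={searchTerms}&tn=go2000_pg&cl=3&ie=utf-8"),
    RegEvent(SOUNDMAN, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "SoundMan", "create"),
    RegEvent(r"C:\WINDOWS\explorer.exe",  # constructed benign control, matches no rule
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden", "modify", "2", "1"),
]

if __name__ == "__main__":
    for ev, category, decision in evaluate(SAMPLE_EVENTS):
        print(f"{decision:5} {category or '-':20} {ev.action:6} {ev.key}\\{ev.name}")
    print(hijack_report(SAMPLE_EVENTS))
```

Run as a script, the four soundman.exe writes come out as "block" and the explorer.exe write as "allow"; passing the sample path in trusted_processes is what a user clicking "allow" on the HIPS prompt amounts to, and it lets all four hijacks through, which is why the mitigation above is phrased as blocking newly run programs rather than trusting by name.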

One Response to “Malware disguised as a sound card program: AdWare.Win32.Agent.eih”

  1. Drappsycleple Says:

    Hello!
    Check out
    an excellent search engine –
    the database got screwed up
    P.S. Yahoo – everything will be found! Google: nothing was really lost…

    Bye to everyone!
