Kaitex Virus

[rod147]

I appear to have been infected with the Kaitex.E virus.
The executable file is called ZPWKNDVH.EXE

Boot time Avast scans, Spybot, Ad-Aware and Windows Defender seem unable to clean it away.

One of the noticable effects it is having is if I try to run regedit or Msconfig, they are closed as soon as I run them.

Can anyone offer some helpful advise to assist?

Thanks,
Rod.

[FreewheelinFrank]

ZPWKNDVH.EXE

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', search for and upload the above file to VirusTotal for analysis if possible. Post the results here.

[rod147]

File zpwkndvh.exe received on 11.07.2008 21:43:31 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 18/36 (50%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
 Compact Print results 
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
 Email: 
 

Antivirus Version Last Update Result
AhnLab-V3 2008.11.7.1 2008.11.07 -
AntiVir 7.9.0.26 2008.11.07 TR/Crypt.TPM.Gen
Authentium 5.1.0.4 2008.11.07 W32/Heuristic-THX!Eldorado
Avast 4.8.1248.0 2008.11.07 -
AVG 8.0.0.161 2008.11.07 Win32/Themida
BitDefender 7.2 2008.11.07 GenPack:Generic.Malware.SI!FLWprng.2C9569DD
CAT-QuickHeal 9.50 2008.11.07 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.11.07 -
DrWeb 4.44.0.09170 2008.11.07 Trojan.Packed.650
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6195 2008.11.06 -
Ewido 4.0 2008.11.07 -
F-Prot 4.4.4.56 2008.11.07 W32/Heuristic-THX!Eldorado
F-Secure 8.0.14332.0 2008.11.07 SDBot.gen9
Fortinet 3.117.0.0 2008.11.07 -
GData 19 2008.11.07 GenPack:Generic.Malware.SI!FLWprng.2C9569DD
Ikarus T3.1.1.45.0 2008.11.07 Trojan.Crypt.TPM
K7AntiVirus 7.10.519 2008.11.07 -
Kaspersky 7.0.0.125 2008.11.07 -
McAfee 5426 2008.11.06 -
Microsoft 1.4104 2008.11.07 -
NOD32 3595 2008.11.07 a variant of Win32/Packed.Themida
Norman 5.80.02 2008.11.07 SDBot.gen9
Panda 9.0.0.4 2008.11.07 -
PCTools 4.4.2.0 2008.11.07 Packed/Themida
Prevx1 V2 2008.11.07 Cloaked Malware
Rising 21.02.42.00 2008.11.07 -
SecureWeb-Gateway 6.7.6 2008.11.07 Trojan.Crypt.TPM.Gen
Sophos 4.35.0 2008.11.07 Sus/ComPack
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.07 W32.IRCBot.Gen
TheHacker 6.3.1.1.144 2008.11.07 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.07 Packed/Themida
Additional information
File size: 716528 bytes
MD5...: 6be7e5a9bcdedd8a7fb23989e4284fcf
SHA1..: 6116fa03f3754713d69cb2c3ff5ab93f0ec8facf
SHA256: aef6c6fc7e2f67ad83397fe67e0b8408f2921a39cb4855d0ba71c5b0e040b51f
SHA512: 83b6958889d7a06d4aa95a3394e6ffc5d4a65b18e70273fce9b342abce4368e6
0890195b257d2fd9e73f731b5b3f2e24c02bdc680ab1c6d4e0549db73b193275
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.3%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x45e014
timedatestamp.....: 0x48fcc67c (Mon Oct 20 17:57:16 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x5b000 0xbe00 7.96 8b254a328b57fcee21e1f6fa684e21d0
.rsrc 0x5c000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x5d000 0x1000 0x200 1.44 49afb735702f03c1cea53a6a4526dac1
wlan 0x5e000 0x17a000 0xa1e00 7.91 51fccce6265a58cab2d2287ce1b2431c

( 2 imports )
> KERNEL32.dll: CreateFileA, ExitProcess
> COMCTL32.dll: InitCommonControls

( 0 exports )
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=006517C8F0AF8F50EEA70A910865F700D697E1E3
packers (Authentium): Themida
packers (F-Prot): Themida

[FreewheelinFrank]

The exe seems to be an encrypted file. How did you know it was Kaitex.E?

Try a scan with DrWeb CureIT!

You can download this on another computer if necessary.

[polonus]

Hi rod147,

Discovered: October 27, 2008
Updated: October 27, 2008 9:25:32 PM
Type: Trojan, Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm can connect to an IRC channel and listen for commands from the remote attacker. Then, the remote attacker can access the compromised computer and perform any of the following actions:

    * Control the IRC client on the compromised computer
    * Update the Trojan
    * Send the Trojan to other IRC channels
    * Download and execute files, some of which may be additional malware
    * May copy itself to shared folders on other computers
    * Perform Denial of Service (DoS) attacks against a specific target
    * Delete itself from the compromised computer

Recommendations

All users and administrators are requested to adhere to the following basic security "best practices":

    * Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    * Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    * Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    * Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    * Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    * Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
    * If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    * Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    * Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    * Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    * Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    * If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    * In cleansing this irc trojan, Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP


   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat, use a full scan with MBAM to be downloaded here: http://www.malwarebytes.org/mbam/program/mbam-setup.exe

polonus

[rod147]

The exe seems to be an encrypted file. How did you know it was Kaitex.E?

I used a program called Startup Mechanic which identified it as Kaitex.E virus.

[FreewheelinFrank]

Try a scan with DrWeb CureIT! above or This Virus removal Tool