Author Topic: WORM VIRUS WIN32:SYSPATCH  (Read 47573 times)


Offline CHENAN

  • Newbie
  • *
  • Posts: 7
WORM VIRUS WIN32:SYSPATCH
« on: December 23, 2008, 02:15:38 PM »
Yesterday I got a message from avast that I got a worm virus called "win32:syspatch".
When I wanted to erase it, it said that the file is read-only, and when I clicked OK the first message appeared again...
I want to know how I can erase this file... and what this file has already done to my computer...
Here are the screen pictures:
In the first picture it's the name of the file and where it is

http://www.upit.ws/uploads/aa00671315491.bmp



The second picture shows the error when I try to erase it by hand

http://www.upit.ws/uploads/5751394484822.bmp



The third picture shows the virus

http://www.upit.ws/uploads/cbc92ed350ccb.bmp



The fourth picture shows the message after

http://www.upit.ws/uploads/65a6e707b9001.bmp




THANKS.

« Last Edit: December 23, 2008, 02:18:58 PM by CHENAN »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #1 on: December 23, 2008, 02:22:45 PM »
Can you inform the file as being a false positive? (click on the bottom right of the virus warning message).

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10 MB. You can also use VirScan.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #2 on: December 23, 2008, 02:25:19 PM »
This is most probably not a false positive... are you able to enter the Recovery Console on your OS CD and replace system32\user32.dll with the one from dllcache?

Offline CHENAN

  • Newbie
  • *
  • Posts: 7
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #3 on: December 23, 2008, 02:28:26 PM »
Yes, I did it and it showed 14/38 and some antiviruses:

Avast              Win32:SysPatch
DrWeb              BackDoor.Zapinit
eTrust             Win32/Pruserinf
F-Secure           Trojan.Win32.Patched.bb
GData              Win32:SysPatch
Kaspersky          Trojan.Win32.Patched.bb
Microsoft          Virus:Win32/Mariofev.A
NOD32              Win32/Pinit
Panda              W32/Patched.D
Rising             Trojan.Win32.Patched.bi
SecureWeb-Gateway  Win32.LooksLike.NewMalware
Sophos             Troj/User32Hk-A
TrendMicro         Possible_Patch 1


And Maxx, I tried it and it said that somebody or some software is using it.
« Last Edit: December 23, 2008, 02:32:44 PM by CHENAN »

Offline rankkis

  • Newbie
  • *
  • Posts: 1
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #4 on: December 23, 2008, 02:34:49 PM »
Yesterday I got a message from avast that I got a worm virus called "win32:syspatch".
When I wanted to erase it, it said that the file is read-only, and when I clicked OK the first message appeared again...
I want to know how I can erase this file... and what this file has already done to my computer...
Here are the screen pictures:
In the first picture it's the name of the file and where it is
...

I had (and am having) exactly the same thing on my computer today!

Offline CHENAN

  • Newbie
  • *
  • Posts: 7
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #5 on: December 23, 2008, 02:35:48 PM »
So what do I need to do?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #6 on: December 23, 2008, 02:37:06 PM »
How exactly did avast allow this file to be infected? Was the signature added later?

Maxx, won't the command
sfc /scannow
replace that file with the original one in the CD?
The best things in life are free.

Offline CHENAN

  • Newbie
  • *
  • Posts: 7
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #7 on: December 23, 2008, 02:39:13 PM »
Yes...
and I tried to replace it and it said that somebody or some software is using it.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #8 on: December 23, 2008, 02:40:57 PM »
Chenan: that's not possible... you probably didn't enter the Recovery Console to do the cleaning...

Anyway, you can try to roll back your system to some clean restore point...

Tech: I don't know, haven't tried it... the detection was added yesterday, because we have had to wait for people to upgrade to the latest version (highly important update of the server version and ADNM)... version 4.7 allowed deleting/chesting the system files and we can't offer this option to an average Joe...

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #9 on: December 23, 2008, 02:44:09 PM »
BTW: the file is infected via some strange exploit... I don't have any detailed analysis and don't know if the hole has already been fixed by an MS update... but probably it was, because MS catches the patched file...

Offline CHENAN

  • Newbie
  • *
  • Posts: 7
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #10 on: December 23, 2008, 02:45:20 PM »
Maxx: I downloaded this file from 3 sites and when I copied it over the file where the virus is, it showed that I can't do this because someone is using it...
Wait 2 minutes, I will make a screen picture of this...

And how did you fix this problem?


EDITED: I managed to do something else and it's showing me this now:
http://www.upit.ws/uploads/80dd07a38b8c1.JPG
« Last Edit: December 23, 2008, 02:49:58 PM by CHENAN »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #11 on: December 23, 2008, 02:50:32 PM »
It's still the same problem... you're not in the Recovery Console (on your OS setup CD)... another choice is to mount the drive in another PC and do the replacement of user32 there.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31528
  • malware fighter
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #12 on: December 23, 2008, 02:51:26 PM »
Hi Chenan,

As soon as the Trojan is activated, it leaves the following file on the computer:

%Windir%\nview.dll

The virus furthermore creates the following file:

%System%\atmapi.sys

Then the virus creates the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"zwpInit_Dlls" = "C:\WINDOWS\nview.dll"

The Trojan changes the following files to start the threat every time the OS starts:

%System%\user32.dll
%System%\dllcache\user32.dll


The Trojan keeps the original legitimate user32.dll in the following folder:

%System%\[RANDOM FILE NAME]

The threat makes the computer restart whenever the user32.dll file takes effect.

The virus creates the following encrypted DLL files:

%Windir%\Help\access.cni
%Windir%\Help\mwrem.cin


The virus saves the encrypted information in these DLLs and uses the following registry values to do so:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"zwpInit_Dlls" = "C:\WINDOWS\nview.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Path" = "C:\WINDOWS\help\access.cni"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"DLoad" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Path" = "C:\WINDOWS\help\mwrem.cin"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"DLoad" = "0"

Finally the Trojan opens up a backdoor on the infected machine to the address with IP number 58.65.239.86, enabling the attacker to do the following:

Closing down processes
Monitoring network traffic
Downloading of executable files

To cleanse, one should make a copy of the registry first, in case something should go wrong.
Disable System Restore temporarily and cleanse while running in Safe Mode, then re-enable System Restore and
normal mode when the malware has left your computer. You can first try a full scan with DrWeb's CureIt.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #13 on: December 23, 2008, 02:53:48 PM »
Maybe you can use http://www.softpedia.com/get/System/Boot-Manager-Disk/MoveOnBoot.shtml to move/copy the file.
Take care, you're changing a system-critical file. Be sure the version you're adding/copying is the right one. Otherwise, you may be unable to boot!

To cleanse one should make a copy of the registry first, in case something should go wrong
I DO suggest ERUNT http://www.larshederer.homepage.t-online.de/erunt/ for this work.
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #14 on: December 23, 2008, 02:59:12 PM »
polonus, the registry key value is not always "zwpInit_Dlls", it's randomly changed...
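Added example (not from the thread, avast, or any vendor write-up): a small Python triage script for the registry indicators polonus listed, written so that it does not depend on the loader value name, since Maxx points out that name is randomised. It parses the text that `reg query <key> /s` prints on Windows and runs over a constructed sample embedded in the script (not captured from a real machine). The parsing regexes and the rule "any string value under CurrentVersion\Windows whose data is a DLL path" are my own assumptions about what a variant would look like; the thread does not state them.

```python
"""Triage of the Win32:SysPatch registry indicators described in this thread.

Added example, not thread or vendor code. Parses `reg query <key> /s` text and
flags (1) any string value under the CurrentVersion\Windows key whose data is a
DLL path, regardless of the value's (randomised) name, and (2) the numbered
HKLM\SOFTWARE\<n> keys carrying Path / Key / DLoad values that hold the
encrypted payload files.
"""
import re
from typing import Dict, List, Tuple

# key path -> {value name: (REG_ type, data)}
RegKeys = Dict[str, Dict[str, Tuple[str, str]]]

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# HKLM\SOFTWARE\1, HKLM\SOFTWARE\2, ...: the payload container keys from the write-up.
NUMERIC_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\\d+$", re.IGNORECASE)
# `reg query` separates name, type and data with runs of spaces; data may be absent
# (assumption about the tool's text format, checked against XP/2003-era output).
VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?$"
)


def parse_reg_query(text: str) -> RegKeys:
    """Parse `reg query <key> /s` output into {key path: {value name: (type, data)}}."""
    keys: RegKeys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):  # key header line
            current = line.rstrip()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = (m.group("data") or "").strip()
            keys[current][m.group("name")] = (m.group("type"), data)
    return keys


def find_syspatch_indicators(keys: RegKeys) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []

    # 1. Loader value: match on behaviour (a DLL path planted in the
    #    CurrentVersion\Windows key), not on the randomised value name.
    #    A populated legitimate AppInit_DLLs is reported the same way and
    #    needs a human look rather than being silently ignored.
    for name, (vtype, data) in keys.get(WINDOWS_KEY, {}).items():
        if vtype in ("REG_SZ", "REG_EXPAND_SZ") and data.lower().endswith(".dll"):
            findings.append(f"loader value {name!r} -> {data} under CurrentVersion\\Windows")

    # 2. Encrypted payload containers: HKLM\SOFTWARE\<n> with Path, Key and DLoad.
    for key, values in keys.items():
        if not NUMERIC_KEY.match(key):
            continue
        lowered = {n.lower(): v for n, v in values.items()}
        if {"path", "key", "dload"}.issubset(lowered):
            findings.append(f"payload container {key}: Path={lowered['path'][1]}")

    return findings


# Constructed sample in `reg query` format; the values mirror the thread's write-up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    DeviceNotSelectedTimeout    REG_SZ    15
    zwpInit_Dlls    REG_SZ    C:\WINDOWS\nview.dll

HKEY_LOCAL_MACHINE\SOFTWARE\1
    Path    REG_SZ    C:\WINDOWS\help\access.cni
    Key    REG_SZ    [ENCRYPTION KEY]
    DLoad    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\2
    Path    REG_SZ    C:\WINDOWS\help\mwrem.cin
    Key    REG_SZ    [ENCRYPTION KEY]
    DLoad    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for finding in find_syspatch_indicators(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

On a suspect machine you would export the two areas with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /s` and `reg query HKLM\SOFTWARE\1` (and `\2`, and so on), concatenate the text, and feed it to `parse_reg_query`. Because the first rule keys on the data rather than the name, renaming `zwpInit_Dlls` to anything else still produces a finding; the registry hit is only a lead, and the patched user32.dll still has to be replaced offline as Maxx describes.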