With everything I saw during this virus experience, I know that it's very hard to be completely secure on the internet.
This virus is a real PITA to remove. (Pain in the a.....)
Look, it's been three working days that I've been working on it and... he's still there. But I've got the good weapons to kill it, I just want to know who the creator of this sh.... is.
I will give you some information first: it seems to come from Russia or some poor eastern European country. He works as described previously in some specialised forums: data injection into processes.
He also does a lot of things... He opens a back door and uses your computer to send spam all around the world. He lets his friends into your system by creating other viruses. I have a lot of proof of this.
As I see it on my test system, I have two theories about how he works:
1 - He modifies your AV system to work against you! Yes, it modifies the way your AV works to crash your system. In fact, your AV becomes a weapon for him. He uses it to delete all your software because your AV doesn't see that he is deleting all your important files.
2 - He injects himself into all your software.
I used a bunch of software to collect information:
- Process Explorer: to see each process ID tree and process data protection
- CurrPorts: to see every TCP connection going out of my system
- Jetico Personal Firewall: a good and light firewall to block it from reporting
- AVG virus removal tools
- Microsoft malicious software remover: this tool helps a lot in case of major infection. The virus had infiltrated..... 986 of the .DLL and .EXE files on my system.
So, as I see it, the virus is reporting to a lot of servers all around the world. This is a real devil. Look at this:
And when you close the TCP connection, it opens 100 other connections in 3 seconds to say: "Hey, I'm the boss, get out moron, let me do my work"
I found that he is reporting to these server IPs:
218.93.205.24:65520 203.146.251.62:3305 218.93.205.24:65520 216.245.213.194:80 221.5.74.39:65520 67.43.236.67:10324 61.120.62.28:3305
After discovering this, I found this file on a site dealing with malware:
http://cgi.mtc.sri.com/popups/binaries/08-12-2009/d41d8cd98f00b204e9800998ecf8427e.html
32 AV SYSTEMS: MISSED.
Really dangerous, really hard to clean! Good luck. I have a lot of information on it, e-mail me if needed. (After reading 300 forums talking about that, I mean...)
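One way to turn the CurrPorts observations in the post into a repeatable check, as an added example that is not part of the original post: the script below parses netstat-style connection lines, flags remote endpoints that appear in the post's IP:port list, and reports bursts of new connections to those endpoints within a few seconds (the reconnect behaviour the post describes). The endpoint list is copied from the post; the log lines, timestamps, local addresses and the 192.0.2.10 entry are constructed.

```python
"""Flag outbound TCP connections to the endpoints named in the post and
detect the reconnect burst it describes. Added example; the endpoint list
is the post's, the log sample is constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Endpoints exactly as listed in the post (the set drops the duplicate entry)
REPORTED_ENDPOINTS = {
    "218.93.205.24:65520", "203.146.251.62:3305", "216.245.213.194:80",
    "221.5.74.39:65520", "67.43.236.67:10324", "61.120.62.28:3305",
}

# Constructed sample in a netstat-like layout: date time proto local remote state
# (192.0.2.10 is a documentation address standing in for a benign connection)
SAMPLE_LOG = """\
2009-12-09 10:00:00 TCP 192.168.1.5:1033 216.245.213.194:80 ESTABLISHED
2009-12-09 10:00:01 TCP 192.168.1.5:1034 192.0.2.10:80 ESTABLISHED
2009-12-09 10:00:01 TCP 192.168.1.5:1035 203.146.251.62:3305 SYN_SENT
2009-12-09 10:00:02 TCP 192.168.1.5:1036 218.93.205.24:65520 SYN_SENT
2009-12-09 10:00:02 TCP 192.168.1.5:1037 218.93.205.24:65520 SYN_SENT
2009-12-09 10:00:03 TCP 192.168.1.5:1038 221.5.74.39:65520 SYN_SENT
2009-12-09 10:00:40 TCP 192.168.1.5:1039 61.120.62.28:3305 ESTABLISHED
"""

def parse(log):
    """Split each line into (timestamp, proto, local, remote, state)."""
    rows = []
    for line in log.splitlines():
        date, time, proto, local, remote, state = line.split()
        rows.append((datetime.fromisoformat(f"{date} {time}"), proto, local, remote, state))
    return rows

def known_endpoint_hits(log):
    """Count how often each endpoint from the post's list was contacted."""
    return Counter(r[3] for r in parse(log) if r[3] in REPORTED_ENDPOINTS)

def reconnect_bursts(log, window=timedelta(seconds=3), threshold=3):
    """Start times at which at least `threshold` new connections to listed
    endpoints begin within `window`; the post reports ~100 in 3 seconds."""
    times = sorted(r[0] for r in parse(log) if r[3] in REPORTED_ENDPOINTS)
    bursts = []
    for i, t0 in enumerate(times):
        in_window = sum(1 for t in times[i:] if t - t0 <= window)
        if in_window >= threshold:
            bursts.append(t0)
    return bursts

if __name__ == "__main__":
    print(known_endpoint_hits(SAMPLE_LOG))
    print([str(t) for t in reconnect_bursts(SAMPLE_LOG)])
```

With a real capture, replace SAMPLE_LOG with timestamped CurrPorts or netstat output in the same column order; the 10:00:40 connection is a listed endpoint but falls outside any burst, so it is flagged by the first check only.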