Thread: VideoPlay: a very complicated malware

  1. #1 leofelix (Member, Italy, joined Oct 2008)

    VideoPlay: a very complicated malware

    There is in the wild another kind of very dangerous and complicated malware.
    It is called "VideoPlay"; it simulates a real video player and has a ridiculous EULA too.
    It installs a rootkit generally called matrix312013.exe (the numbers may change); it also creates a folder named Resycled and a file called autorun.inf on every HDD or partition and USB flash drive you have.
    Some infected DLLs are loaded at every system start-up.

    It has an "uninstaller" too: do not use it, it will download other malware.

    HOW TO DETECT AND REMOVE IT:

    You can use Gmer in order to detect it

    GMER

    (Please read the FAQ http://www.gmer.net/faq.php )

    But you need Avenger in order to remove it

    Swandog46's Public Anti-Malware Tools

    Just copy the Gmer log file in order to create a script for Avenger similar to this one:

    Code:
    Files to delete:
    C:\autorun.inf
    %systemroot%\system32\drivers\gaopdxXXXXXX.sys
    %systemroot%\system32\gaopdxXXXXXX.dll
    %systemroot%\system32\drivers\gaopdxserv.sys
    %systemroot%\system32\dll.dll
    %systemroot%\system32\gaopdxcounter
    %ProgramFiles%\Mozilla Firefox\components\iamfamous.dll
    Folders to delete:
    C:\resycled
    %temp%
    %windir%\temp
    %ProgramFiles%\videoplay
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoplay
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videopLay
    Drivers to delete:
    Gaopdxserv.sys

    Now you have to add these lines to the script:

    Code:
    Files to delete:
    X:\autorun.inf

    Folders to delete:
    X:\resycled

    X stands for each infected unit.

    You have to replace

    gaopdxXXXXXX.dll, gaopdxXXXXXX.sys

    with the infected ones that Gmer detected.

    Avenger may fail to delete some infected files; if so, you can use ComboFix to remove them.

    A guide and tutorial on using ComboFix

    (Please be careful when using ComboFix)

    Here is a sample of the code of an infected autorun.inf:

    Code:
    [autorun]
    ;wncipfomqnlskolfdvpizzazdqhizrdsyfnkdlrfdjwqkqd
    Shellexecute="resycled\ntldr.com c: "
    ;tjyrhdxbgwgalmxkcmbngkmgqosxswefclalcxyaipfxssdspblvoufktjzwqvpmvphelwemzckw
    Ccpvda
    Shell\Open\command="resycled\ntldr.com c: "
    ;lnitmjsgrzzfiikhtpmirwaszk

    I hope nobody will get infected, of course.

    I would like to thank my friend crazy.cat, who was the first in Italy to analyse this type of malware.
    Last edited by leofelix; 19th February 2009 at 07:06.
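    As an added example (not part of the original post or of the Gmer/Avenger tools), here is a small checker a responder can run over autorun.inf files collected from each drive root. It tolerates the junk the quoted sample shows (';' comment lines of random letters, stray lines without '=') and reports any [autorun] launch key that points into a "resycled" folder; it also builds the per-drive Avenger entries the post says to add. The sample text is constructed from the autorun.inf quoted above; the function names are this example's own.

```python
"""Flag the VideoPlay/Resycled launch pattern in autorun.inf and build per-drive Avenger lines."""
import re

# Constructed sample mirroring the infected autorun.inf quoted in the post.
SAMPLE_AUTORUN = """[autorun]
;wncipfomqnlskolfdvpizzazdqhizrdsyfnkdlrfdjwqkqd
Shellexecute="resycled\\ntldr.com c: "
;tjyrhdxbgwgalmxkcmbngkmgqosxswefclalcxyaipfxssdspblvoufktjzwqvpmvphelwemzckw
Ccpvda
Shell\\Open\\command="resycled\\ntldr.com c: "
;lnitmjsgrzzfiikhtpmirwaszk
"""

# Keys that make Windows run something when the volume is opened or autoplayed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section, skipping comments and junk lines."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or ';' comment (random padding here)
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:            # lines without '=' (e.g. 'Ccpvda') are noise
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"').strip()
    return entries


def find_resycled_launchers(text):
    """List (key, command) pairs whose command runs a file from a 'resycled' folder."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS and re.search(r"(^|[\\/])resycled[\\/]", v, re.I)]


def avenger_lines(drive_letters):
    """Build the 'X:\\autorun.inf' / 'X:\\resycled' Avenger entries for each infected drive."""
    files = "Files to delete:\n" + "\n".join(f"{d}:\\autorun.inf" for d in drive_letters)
    folders = "Folders to delete:\n" + "\n".join(f"{d}:\\resycled" for d in drive_letters)
    return files + "\n\n" + folders


if __name__ == "__main__":
    for key, cmd in find_resycled_launchers(SAMPLE_AUTORUN):
        print(f"suspicious {key} -> {cmd}")
    print(avenger_lines(["C", "E"]))
```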

  2. #2 seti (Member, joined Nov 2008)

    Thanks for the warning, very good post.

  3. #3 leofelix (Member, Italy, joined Oct 2008)

    Thanks for your appreciation, seti.
    Do you think it's understandable enough?

  4. #4 HappyAndyK (Site Administrator, joined Jun 2008)

    Thanks for the heads up.

    "Panda Security has recently released research with evidence proving that Digg.com, the popular news aggregation service, is being used by cyber-criminals to distribute VideoPlay adware. Criminals execute their attacks by leaving comments on news items related to celebrity videos. On a first analysis, PandaLabs has detected more than 50 profiles leaving these types of comments on Digg.com."
    Is it the same as this VideoPlay adware? Ever heard the term "Rickrolling"? Malware distributors have... - PandaLabs

  5. #5 seti (Member, joined Nov 2008)

    Quote, originally posted by leofelix:
    > Thanks for your appreciation, seti.
    > Do you think it's understandable enough?

    Well, I could understand it, and if I can then anyone can, my friend.

  6. #6 iMav (Gold Member, joined Jul 2008)

    Interesting. Thank you for the heads up. Andy sir you too. Much appreciated.

  7. #7 nitinagarwal1988 (Microsoft MVP, Pilani, India, joined Jan 2009)

    That was very good information... I have UAC enabled, Windows Defender enabled and ESET NOD32 Security Suite installed, but never got a hit of any infection, and I hope that I also remain safe in the future.
    Is there any chance that it will be able to enter my PC?

    thanks.

  8. #8 leofelix (Member, Italy, joined Oct 2008)

    Quote, originally posted by nitinagarwal1988:
    > That was very good information... I have UAC enabled, Windows Defender enabled and ESET NOD32 Security Suite installed, but never got a hit of any infection, and I hope that I also remain safe in the future.
    > Is there any chance that it will be able to enter my PC?
    >
    > Thanks.

    You're welcome.
    I think that security is above all a way of thinking.

    However, most antivirus and antispyware programs are now able to detect this kind of malware.
    A good HIPS can help a lot to prevent virus damage.
    Please pay attention when downloading from P2P programmes and be careful when reading EULAs.
