hantaner.worm (help)

Acoustic Goat

Recently my computer was infected with the hantaner.worm virus. I contacted
McAfee's online staff, but the several methods they suggested were not
successful.
Initially, I used their online scan and it found the virus in the following
files:

C:\_RESTORE\ARCHIVE\FS936.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS923.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS931.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS931.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS937.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS739.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS788.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS788.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS788.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS789.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS789.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS790.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS791.CAB W32/HLLP.Hantaner.worm
C:\_RESTORE\ARCHIVE\FS792.CAB W32/HLLP.Hantaner.worm

But, using all methods suggested by them (disabling restore, scanning in
DOS safe mode, and even scanning with their online scan again),
the virus can't be found again. However, it's continuing to mess up the
functions of many programs. Typically, they are either very slow to start
or don't start at all.

Any suggestions will be greatly appreciated.

Thanks

FromTheRafters

I don't think that the malware *in* the restore folder is at all
responsible for the symptoms the OP described. I think AG
should disable restore, reboot, re-enable restore, reboot, (to
purge the restore points), and then scan.
Windows ME or XP?

That's ME, Art ~ XP has c:\system volume information\_restore..
or some such thing.

null

I think AG
should disable restore, reboot, re-enable restore, reboot, (to
purge the restore points), and then scan.

Another purging method that I played with involves the use of the ME
system boot disk. I found that the deltree command works, however
slowly, to delete c:\_restore and all its subdirectories. You should
first invoke smartdrv.exe, which is in the \windows\command folder.
Even at that, deltree /y c:\_restore takes quite a few minutes to
complete. Lotsa .CPY files under c:\_restore\temp

With Win 98, if you want to deltree something, you can find a
deltree.exe that works under an OLD DOS folder on the system CD disk.
My purpose was to only delete Windows (but nothing else) before
re-installing. So the command is deltree /y c:\windows


Art
http://www.epix.net/~artnpeg

FromTheRafters

Another purging method that I played with involves the use of the ME
system boot disk. I found that the deltree command works, however
slowly, to delete c:\_restore and all its subdirectories.

I asked Heather once to ask her friends in the ME groups about
any possible ill effects of deleting the _restore folder. The response
I got was there is no ill effect, dependent on another setting which
tells the OS to go ahead and re-create the missing folder on restart.

I don't remember the setting, or the possible ill effect, but I think
I saved that info on my disk somewhere. If I run across it, I will
let you know if you want.
You should
first invoke smartdrv.exe, which is in the \windows\command folder.
Even at that, deltree /y c:\_restore takes quite a few minutes to
complete. Lotsa .CPY files under c:\_restore\temp

With Win 98, if you want to deltree something, you can find a
deltree.exe that works under an OLD DOS folder on the system CD disk.
My purpose was to only delete Windows (but nothing else) before
re-installing. So the command is deltree /y c:\windows

Thanks for that info, Art. It might come in handy when I retire
my Win98 machine and use it as a test box.

Blevins

Recently my computer was infected with the hantaner.worm virus.


Been playing on Kazaa have we? I'm surprised that whatever AV you're
using didn't prevent the infection being as Hantaner is anything but
new.

Acoustic Goat

Windows ME or XP? Have you uninstalled Kazaa? Have you found and
purged the Kazaa and IE download directories? What other av scanners
have you tried?

Art
http://www.epix.net/~artnpeg

Sorry, I neglected to write much information. I'm just so sick of this
virus. I'm using Windows ME. I didn't uninstall Kazaa, because I didn't
know that would have anything to do with it. McAfee never touched upon
that.
I haven't purged either directory yet, but will do so. And, McAfee is the
only av scanner I've tried.

Thank you for your suggestions, Art.

Acoustic Goat

I don't think that the malware *in* the restore folder is at all
responsible for the symptoms the OP described. I think AG
should disable restore, reboot, re-enable restore, reboot, (to
purge the restore points), and then scan.


That's ME, Art ~ XP has c:\system volume information\_restore..
or some such thing.
OK, I'll give this a shot, as I never tried this in this sequence. Thanks.

Acoustic Goat

Been playing on Kazaa have we? I'm surprised that whatever AV you're
using didn't prevent the infection being as Hantaner is anything but
new.

No, I've never caught anything on Kazaa. I caught this on a site dl'ing a
serial for a really lame screen shot grabber program. The program wasn't
worth this hassle.

Bart Bailey

In Message-ID:<[email protected]> posted on Thu, 17
No, I've never caught anything on Kazaa. I caught this on a site dl'ing a
serial for a really lame screen shot grabber program. The program wasn't
worth this hassle.

Snagging a serial shouldn't cause trouble, or was it a gen?
Easier to use "print screen" and "paste" in Irfan.

Bart

Bart Bailey

In Message-ID:<[email protected]> posted on Thu, 17
No, it was a serial. Here's what it was for and the location: Fullshot
Standard, Professional, Enterprise Editions 7.0
http://www.serials.ws/all/?l=f&pn=8

That requires Javascript to open a popup that sends a .cab file.
Inside are a dll and an inf to register it.
The dll looks like it tries to hijack the download to a site called
www2.skoobidoo
maybe a true coder can pick it apart better than me.
It's here:
http://www2.skoobidoo.com/softwares//Download_2.cab

Just another reason NOT to have Javascript on unless your browser is
configured to treat it safely. My Opera 606 shows the file as text only,
and I had to plug its addy into my FTP client to get it intact.

Bart

David W. Hodgins


It appears it downloads and installs http://www2.skoobidoo.com/softwares/mscache.dll

mscache.dll appears to load and run http://www2.blazefind.com/bye/ms_updates.php?lang=en
which looks like it hijacks your browser search page, forcing it to go through http://www2.blazefind.com/bye/blazefind.css

mscache.dll also runs http://www2.skoobidoo.com/php/update_loader.php?os=xxx
and http://www2.skoobidoo.com/php/welcome.php?os=xxx
neither of which currently seems to do anything.

Both of the sites are hosted by isprime.com, so you can complain to (e-mail address removed),
or the feed for isprime.com at (e-mail address removed).

An AdAware log (appended) shows these files are already known, so I'm not
going to dig any further.

Regards, Dave Hodgins


UpdateLoader Malware Object recognized!
Type : File
Data : download_2.zip
Category : Malware
Comment : Object "Download_UL.dll" found in this archive.
Object : E:\scan\
FileSize : 13 KB
Created on : 2003-07-17 22:02:49
Last accessed : 2003-07-17 04:00:00
Last modified : 2003-07-17 21:24:26


Object "Download_UL.dll" found in this archive.

UpdateLoader Malware Object recognized!
Type : File
Data : mscache.dll
Category : Malware
Comment : Object : E:\scan\
FileSize : 84 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003
FileDescription : update_loader Module
InternalName : update_loader
OriginalFilename : update_loader.DLL
ProductName : update_loader Module
Created on : 2003-07-17 22:02:53
Last accessed : 2003-07-17 04:00:00
Last modified : 2003-07-17 21:33:26
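Bart's and Dave's posts describe a .cab that carries a DLL plus an INF to register it, and Dave notes that the scanner only recognised the DLL once the cabinet was repacked as a .zip. The block below is an added example, not code from this thread or from any tool named in it: a minimal reader for the cabinet directory (CFHEADER and CFFILE records only, per the published MS-CAB layout) that lists member names and sizes without extracting or registering anything, and flags any DLL shipped next to an INF. The cabinet it parses is constructed inside the block; Download_UL.dll is the name AdAware reported above, while setup.inf and the sizes are made up.

```python
import struct

# Minimal reader for the directory of a Microsoft Cabinet (.cab) file.
# Only CFHEADER and CFFILE records are parsed, so member names and sizes
# can be listed without extracting, executing or registering anything.
# Field order and widths follow the published MS-CAB layout (little-endian).

CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, ..., cFiles, ...
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs


def list_cab_members(data: bytes):
    """Return [(name, size_in_bytes, folder_index)] for every CFFILE entry."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet file (missing MSCF signature)")
    fields = struct.unpack_from(CFHEADER_FMT, data, 0)
    coff_files, n_files = fields[4], fields[9]   # offset of first CFFILE, file count
    members, pos = [], coff_files
    for _ in range(n_files):
        cb_file, _uoff, i_folder, _d, _t, _attr = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += struct.calcsize(CFFILE_FMT)
        end = data.index(b"\x00", pos)              # szName is NUL-terminated
        members.append((data[pos:end].decode("latin-1"), cb_file, i_folder))
        pos = end + 1
    return members


def dll_inf_pairs(members):
    """Flag every DLL shipped next to an INF: the INF is what registers the
    DLL when the cabinet is installed through the browser, as in the thread."""
    names = [name.lower() for name, _, _ in members]
    return [(d, i) for d in names if d.endswith(".dll")
            for i in names if i.endswith(".inf")]


def build_sample_cab(files):
    """Constructed test data (not the real Download_2.cab): a directory-only
    cabinet with one CFFOLDER and one CFFILE per (name, size) pair."""
    folder = struct.pack("<IHH", 0, 0, 0)          # coffCabStart, cCFData, typeCompress
    entries = b"".join(struct.pack(CFFILE_FMT, size, 0, 0, 0, 0, 0x20)
                       + name.encode("latin-1") + b"\x00" for name, size in files)
    coff_files = struct.calcsize(CFHEADER_FMT) + len(folder)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_files + len(entries), 0,
                         coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + folder + entries


if __name__ == "__main__":
    # Download_UL.dll comes from the AdAware log above; setup.inf and the sizes are made up.
    cab = build_sample_cab([("Download_UL.dll", 13 * 1024), ("setup.inf", 512)])
    for name, size, _ in list_cab_members(cab):
        print(f"{name:20s} {size:8d} bytes")
    print("DLL/INF pairs:", dll_inf_pairs(list_cab_members(cab)))
```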

Tim

In Message-ID:<[email protected]> posted on Thu, 17


That requires Javascript to open a popup that sends a .cab file.
Inside are a dll and an inf to register it.
The dll looks like it tries to hijack the download to a site called
www2.skoobidoo
maybe a true coder can pick it apart better than me.
It's here:
http://www2.skoobidoo.com/softwares//Download_2.cab

Just another reason NOT to have Javascript on unless your browser is
configured to treat it safely. My Opera 606 shows the file as text only,
and I had to plug its addy into my FTP client to get it intact.

Bart

I went there with Mozilla Firebird 0.6 with Javascript enabled. Didn't
have any download started. All that popped up was a Javascript box
with the serial numbers for the aforementioned app.

IE6 very nicely asked me if I wanted to install a plugin for
Blazefinder though.

Bart Bailey

In Message-ID:<[email protected]> posted on
I went there with Mozilla Firebird 0.6 with Javascript enabled. Didn't
have any download started. All that popped up was a Javascript box
with the serial numbers for the aforementioned app.

That's what I get with K-Meleon plus Javascript
or in Opera if I disable automatic redirection.

Bart

Acoustic Goat

Yes, it seems when I dl'ed the file, I allowed Blazefind to set a
searchbar under my IE URL bar.
I got rid of that and found a folder containing the skoobidoo files,
which I also deleted. Maybe I didn't receive the virus through that
serial number d/l, but my system started acting funky right after that
and then I scanned and found the hantaner.worm.
After many scans later, I can't find the virus again. Most of the
programs that were acting screwy before have started acting properly
again. But, there's still a couple that open sluggishly and sometimes
freeze my system for a minute, before opening.
And, when I've viewed files and folders using find files, some files
and folders look faded in color, slightly transparent, as if they've
been tainted.

Well, Internet Explorer isn't working properly again. I can't get online
using it anymore. I have tried repairing it, but it's just not working.

Gabriele Neukam

On that special day, Acoustic Goat, ([email protected]) said...
well, internet explorer isn't working properly again. can't get online
using it anymore. I have tried repairing it, but it's just not working.

There are alternatives like Mozilla or Opera. They admittedly don't
allow for such nifty things like add-on bars, but OTOH they cannot be
compromised that easily, e.g. by startup site or search engine hijackers.

I prefer Opera, although it is adware, because of its fast response.
Meanwhile it can even handle broken JavaScript (at least a bit).


Gabriele Neukam

(e-mail address removed)

Bart Bailey

In Message-ID:<[email protected]> posted on Sat, 19 Jul
I prefer Opera, although it is adware, because of its fast response.
Meanwhile it can even handle broken JavaScript (at least a bit).

Easy to toggle JS on and off via F-12, and best to leave it off,
so you aren't even confronted with its idiosyncrasies.

Bart

David W. Hodgins

Yes, it seems when I dl'ed the file, I allowed Blazefind to set a searchbar under
my IE URL bar. I got rid of that and found a folder containing the skoobidoo files,
which I also deleted.

You may still have the .cab file. I had converted it to a .zip file, so I could use my
dos utilities to look at it. Adaware only recognized the copy in the .zip file, not in
the .cab file.
Maybe I didn't receive the virus through that serial number d/l, but my system started
acting funky right after that and then I scanned and found the hantaner.worm. After
many scans later, I can't find the virus again. Most of the programs that were acting
screwy before have started acting properly again. But, there's still a couple that open
sluggishly and sometimes freeze my system for a minute, before opening.
And, when I've viewed files and folders using find files, some files and folders look
faded in color, slightly transparent, as if they've been tainted.

The scripts that are executed may have been changed between when you ran them, and when
I looked at them, so there's no telling what else they downloaded, just by looking at
them.

In addition to running multiple virus scanners, you should run every trojan finder you
can find. Start with Spybot Search & Destroy, which you can download from
http://security.kolla.de/index.php?lang=en&page=download

Check http://www.alken.nl/online-virus.html for more links to virus and trojan
scanners.

Regards, Dave Hodgins