Post #1, 19.09.2006 23:28
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
Hi,

Recently, when I right-click a drive letter (C, D, E), I notice a new item at the top of the context menu: 'Autoplay'. When I click on it, a new Windows Explorer window opens showing the contents of that drive; this happens even if I select the "open each folder in the same window" option! Some exe files are created every time I do this:

Two files are created in the root of the drive I select, called copy.exe and host.exe.
Two other files are created in the Windows folder, called svchost.exe and xcopy.exe.
Two other files are created in the system32 folder, called temp1.exe and temp2.exe.

svchost.exe and host.exe have been reported by KAV as Trojan-Dropper.Win32.Small.apl. copy.exe and xcopy.exe have been reported by KAV as Virus.Win32.Perlovga.a. temp1.exe has been reported by KAV as Virus.Win32.Perlovga.b. temp2.exe has been reported by KAV as Backdoor.Win32.small.lo.

Well, KAV can detect and delete all these files, but they do come back when I click again on the "Autoplay" item! Any ideas?

Thank you for reading and being patient

Edit: You may also try this tool: http://www.softpedia.com/get/Security/Secu...oval-Tool.shtml

This post has been edited by lucianbara: 20.03.2007 19:32

Post #2, 19.09.2006 23:32
Advanced Member, Group: Members, Posts: 98, Joined: 12.09.2006
Svchost is usually the program for running services with a .dll extension, and copy.exe is the program the system uses to copy files, and normally autoplay would be in the context menu, but it should only be in it for removable devices and CDs, so I can't think why it is for your hard drive. If it's allowed on this forum, post a HijackThis log and I'll have a look at it for you.

Post #3, 20.09.2006 00:09
Global Moderator, Group: Global moderators, Posts: 25602, Joined: 7.04.2005
First of all, do a full scan with max settings and System Restore disabled.
http://forum.kaspersky.com/index.php?showtopic=21869

Post #4, 20.09.2006 17:18
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
QUOTE(Don Pelotas @ 19.09.2006 23:09): First of all, do a full scan with max settings and System Restore disabled. http://forum.kaspersky.com/index.php?showtopic=21869

I did! I also did a full scan with 'max settings' with BitDefender v9.0 & Norton Antivirus 2005 (all up to date) and got nearly the same results! Obviously, KAV (and the other two AVs) are dealing with the payload or the 'side effects' of the virus, not with the virus itself! It's obvious that the virus (not me) added that item (Autoplay) to the context menu of the non-removable drives and 'linked' it with a malicious script to create itself and/or other malicious programs! I think the solution is to detect the program that is responsible for doing all of that!

Note: if I right-click the drive and select "Open", everything goes normally: no programs are created, no svchost.exe is running at startup (I forgot to tell you about that in my first post) and the contents of the drive appear in the same window!

It's a challenge to me, as I'm not that much of a beginner with virus-related matters. I want to state that I did everything you can do in this case as an advanced user and need more advanced steps, which I'm asking for now! Or… you can do the job for me, guys, please, and detect the virus that is responsible for that and tell me to go update….bingo!

Thank you for reading and being patient

Post #5, 20.09.2006 18:22
Global Moderator, Group: Global moderators, Posts: 25602, Joined: 7.04.2005
Of course it would be great if it was just detected by Kaspersky or any other AV/AT, but unless you can send the files to the lab (or someone else does), it will be difficult to help.

If you do have the files that you suspect, then send them:
1) Put the suspected virus in a password-protected zip or rar file.
2) Compose an email message (only a short description) and attach the zip file.
3) Include the password in the body/subject of the email. If you suspect a false positive, then include "Possible false positive" in the subject line.
4) Send the zip file to newvirus@kaspersky.com

While you wait, you can try the ewido micro scanner (download here). Also, have you checked whether your hosts file is intact, the IE Restricted zone, etc.? Another free scanner you could try is superantispyware.com

Post #6, 20.09.2006 20:05
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
QUOTE(Don Pelotas @ 20.09.2006 17:22): Of course it would be great if it was just detected by Kaspersky or any other AV/AT, but unless you can send the files to the lab (or someone else does), it will be difficult to help.

BINGO!!! After two cups of black coffee, while my little noisy son is 'eating rice with angels' (a literal translation of an Arabic expression meaning sleeping), I found out the following:

Every time KAV detects the malicious exe files, it misses (and so do I) at least one of them, so it recreates itself when I double-click the drive again! This time I manually deleted all the malicious files, removed the svchost.exe entry from the registry so it doesn't run at startup anymore, and then rebooted my computer! But the "Autorun" item was still there, and when I double-clicked the drive, an error message appeared saying that there's no such file called copy.exe!

I then ran regedit, did some searching and found these three registry keys that are apparently added by the virus to add an item to the context menu for every drive I have in my computer (C, D and E):

CODE
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

I deleted those keys and the item disappeared, and the 'Open' item came back to the top of the menu as the default selection, so when I double-click the drive it normally shows its contents in the same window and no exe files are created! Looks like the problem is solved!

Thank you for reading and being patient

This post has been edited by iSergiwa: 20.09.2006 20:08
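A defender-side check for the persistence shown in the post above, written here as an added example (not code from the post or from Kaspersky): it parses a .reg export of HKCU\...\MountPoints2 and flags Shell\AutoRun\command verbs that launch a bare file name through rundll32 ShellExec_RunDLL, which is exactly the pattern in the quoted keys. The sample export is constructed; its first GUID is the one from the post, the second is a placeholder for a benign entry with an absolute path.

```python
import re

# Constructed .reg export modelled on the keys quoted in post #6. The first GUID
# is the one from the post; the second is a made-up placeholder standing in for
# a benign AutoRun verb that points at an absolute path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\AutoRun\command]
@="D:\\Setup\\setup.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')
MP2_RE = re.compile(r"\\MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\Shell(?P<rest>(\\.*)?)$", re.I)


def parse_defaults(reg_text):
    """Map every key path in a .reg export to its default (@) value, unescaped."""
    defaults, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg escapes backslash and quote with a backslash; undo both in one pass.
            defaults[current] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return defaults


def triage_mountpoints(reg_text):
    """One finding per MountPoints2 ...\\Shell\\AutoRun\\command entry, with reasons."""
    defaults = parse_defaults(reg_text)
    findings = []
    for key, cmd in defaults.items():
        m = MP2_RE.search(key)
        if not m or m.group("rest").lower() != r"\autorun\command":
            continue
        shell_key = key[: key.lower().rfind(r"\autorun\command")]
        reasons = []
        # Explorer runs the verb named by the Shell key's default value on double-click.
        if defaults.get(shell_key, "").lower() == "autorun":
            reasons.append("AutoRun is the default double-click verb for this volume")
        # ShellExec_RunDLL with a bare file name resolves it relative to the volume
        # root, which is how the thread's copy.exe got launched from the drive menu.
        target = cmd.split()[-1] if cmd.strip() else ""
        if "shellexec_rundll" in cmd.lower() and "\\" not in target and ":" not in target:
            reasons.append("launches a relative executable via rundll32 ShellExec_RunDLL: " + target)
        findings.append({"guid": m.group("guid"), "command": cmd, "target": target,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_mountpoints(SAMPLE_REG):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["guid"], "->", f["command"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live machine the same logic applies to the output of `reg export` for the MountPoints2 key; the script deliberately only reports, leaving deletion to the person doing the cleanup.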

Post #7, 28.09.2006 22:11
Newbie, Group: Members, Posts: 1, Joined: 28.09.2006
This is a nice subject, thank you for discussing it. These 3 viruses "copy.exe, host.exe, autorun.ini" usually transmit between PCs by flash memory storage. I had exactly similar problems happen to me as you mentioned, and what is interesting is that they multiply in all your hard partitions in a crazy way, with a high transmission rate to all storage devices and a high infectivity rate for any PC using these infected storage devices. I managed to remove them completely from my PC using McAfee antivirus, but it also removed the infected scvchost.exe with them, which caused an error message when I boot the system, which I also easily managed to remove by using "Eusing Free Registry Cleaner", which is free to use and download from download.com

Post #8, 15.11.2006 01:04
Newbie, Group: Members, Posts: 2, Joined: 15.11.2006
Hi!
iSergiwa, I was also attacked by win32.Perlovga.A. It's a noisy virus. I thought as you did and went to clean the registry. It helped. P.S. But why can't KAV provide stronger protection, so that viruses can't enter the computer?

Post #9, 15.11.2006 01:37
Global Moderator, Group: Global moderators, Posts: 25602, Joined: 7.04.2005
QUOTE(Shreker @ 15.11.2006 00:04): Hi! iSergiwa, I was also attacked by win32.Perlovga.A. It's a noisy virus. I thought as you did and went to clean the registry. It helped. P.S. But why can't KAV provide stronger protection, so that viruses can't enter the computer?

Hi Shreker & welcome. It is strong, but no anti-virus will catch every virus at any given time; Kaspersky is definitely at the top detection-wise... even if you did get infected.

Post #10, 16.12.2006 21:25
Newbie, Group: Members, Posts: 1, Joined: 16.12.2006
QUOTE(iSergiwa @ 21.09.2006 02:05): BINGO!!! After two cups of black coffee, while my little noisy son is 'eating rice with angels' (a literal translation of an Arabic expression meaning sleeping), I found out the following: Every time KAV detects the malicious exe files, it misses (and so do I) at least one of them, so it recreates itself when I double-click the drive again! This time I manually deleted all the malicious files, removed the svchost.exe entry from the registry so it doesn't run at startup anymore, and then rebooted my computer! But the "Autorun" item was still there, and when I double-clicked the drive, an error message appeared saying that there's no such file called copy.exe! I then ran regedit, did some searching and found these three registry keys that are apparently added by the virus to add an item to the context menu for every drive I have in my computer (C, D and E):
CODE
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
I deleted those keys and the item disappeared, and the 'Open' item came back to the top of the menu as the default selection, so when I double-click the drive it normally shows its contents in the same window and no exe files are created! Looks like the problem is solved! Thank you for reading and being patient

That's great, you helped me a lot. Only one problem now: when I remove all traces of 'copy.exe' from the registry, when I reboot it's back there again, and I can't remove this 'autoplay' thing from the context menu (right-click). Any ideas? What exactly were your searches for in the registry?

Post #11, 16.12.2006 21:44
Forum Elite, Group: Moderators, Posts: 6828, Joined: 6.04.2006, From: London
Search for "copy.exe" in the registry.
You may want to do it in Safe Mode. If I were you, I'd create a backup of the registry entries you remove.

Post #12, 17.12.2006 12:00
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
QUOTE(inviktus @ 16.12.2006 20:25): That's great, you helped me a lot. Only one problem now: when I remove all traces of 'copy.exe' from the registry, when I reboot it's back there again, and I can't remove this 'autoplay' thing from the context menu (right-click). Any ideas? What exactly were your searches for in the registry?

Hello inviktus, here's my analysis of this case:

Windows automatically detects any partition of your hard disk as a CD/DVD-ROM/RAM/WR if it finds a file called 'autorun.inf' in the root directory of it; it adds a sub-menu item 'autoplay' to the context menu of that partition and stores this information in the registry! When the virus 'win32.Perlovga.A' runs, it generates a text file, names it 'autorun.inf' and puts it in the root directory of the partition it infects! Here are the contents of the autorun.inf:

CODE
[autorun]
open=copy.exe

You then delete the exe files and remove all traces of 'copy.exe' from the registry and restart your system, but you (and so does KAV) always forget to delete the 'autorun.inf' file!!! You then restart your system. When Windows boots back, it finds the 'autorun.inf' again, so it recreates the menu item of the context menu again and again.

Here's what you should do: after you make sure that you have deleted all exe files and removed all traces of 'copy.exe' and 'host.exe' from the registry, you MUST delete the autorun.inf file from the root of every partition you have; if you don't do that, the registry will be filled again with 'copy.exe' and 'host.exe' and the 'autoplay' thing will come back again!

Thank you for reading and being patient

This post has been edited by iSergiwa: 17.12.2006 12:02

Post #13, 20.01.2007 19:51
Newbie, Group: Members, Posts: 1, Joined: 20.01.2007
HOOOORAAAAA…..
I deleted this stupid virus from my PC finally and successfully. This is the story: last week I copied some files from Master at the university into my USB flash and pasted them to my PC at home to use. Then I noticed that my PC worked exactly as iSergiwa explained in this topic. After I tried some other AVs to find and solve the PB, just Kaspersky AV knew at least the name of this virus. Then I found this topic and the guide of iSergiwa here. So I followed his guide carefully, and before restarting the OS I deleted all autorun.inf files in the drive roots manually and did the registry strings too. Then I restarted the PC. And finally…..everything is back OK. I am here again to show my happiness and thank iSergiwa for the nice topic & the Kaspersky AV Forum too. And of course show others the reality. Thanks from Iran.

Post #14, 30.01.2007 14:11
Newbie, Group: Members, Posts: 2, Joined: 30.01.2007
QUOTE(iSergiwa @ 17.12.2006 14:30): Hello inviktus, here's my analysis of this case: Windows automatically detects any partition of your hard disk as a CD/DVD-ROM/RAM/WR if it finds a file called 'autorun.inf' in the root directory of it; it adds a sub-menu item 'autoplay' to the context menu of that partition and stores this information in the registry! When the virus 'win32.Perlovga.A' runs, it generates a text file, names it 'autorun.inf' and puts it in the root directory of the partition it infects! Here are the contents of the autorun.inf:
CODE
[autorun]
open=copy.exe
You then delete the exe files and remove all traces of 'copy.exe' from the registry and restart your system, but you (and so does KAV) always forget to delete the 'autorun.inf' file!!! You then restart your system. When Windows boots back, it finds the 'autorun.inf' again, so it recreates the menu item of the context menu again and again. Here's what you should do: after you make sure that you have deleted all exe files and removed all traces of 'copy.exe' and 'host.exe' from the registry, you MUST delete the autorun.inf file from the root of every partition you have; if you don't do that, the registry will be filled again with 'copy.exe' and 'host.exe' and the 'autoplay' thing will come back again! Thank you for reading and being patient

Hi iSergiwa, I tried doing all of what you had discussed above. But I'm currently facing 3 problems.
1. When I delete the keys in the registry, the "autoplay" in the right-click menu of the C drive does not vanish.
2. "....remove all traces of 'copy.exe' and 'host.exe' from the registry...": how do I do this? Is deleting the 6 keys you mentioned above the same as this?
3. The most important of all: I can view, but can't delete/modify/save the autorun.inf file. So what do I do?
Thanks, Spiderman

This post has been edited by spiderman: 30.01.2007 14:13

Post #15, 30.01.2007 14:14
True legend, Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania
Hello
Try this suggestion: http://forum.kaspersky.com/index.php?showtopic=29779

Post #16, 30.01.2007 14:28
Newbie, Group: Members, Posts: 2, Joined: 30.01.2007
QUOTE(lucianbara @ 30.01.2007 16:44)

That was fast and that was simply great!!! Thanks a lot.

Post #17, 30.01.2007 19:48
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
Hello Spiderman,

Thank God you got rid of this silly virus! For anyone else who still can't do it, here are my answers:

QUOTE(spiderman @ 30.01.2007 13:11): 1. When I delete the keys in the registry, the "autoplay" in the right-click menu of the C drive does not vanish.

The "autoplay" file is still there >> do DELETE it

QUOTE(spiderman @ 30.01.2007 13:11): 2. "....remove all traces of 'copy.exe' and 'host.exe' from the registry...": how do I do this? Is deleting the 6 keys you mentioned above the same as this?

Start Menu >> Run >> regedit.exe >> Enter >> F3 >> copy.exe >> Enter >> Found a key containing 'copy.exe'? >> DELETE it

QUOTE(spiderman @ 30.01.2007 13:11): 3. The most important of all: I can view, but can't delete/modify/save the autorun.inf file. So what do I do?

Are you sure this file is not on a CD/DVD drive? If yes, then restart your PC in Safe Mode, then delete it.

Hello reza_sadeghi

QUOTE(reza_sadeghi @ 20.01.2007 18:51): HOOOORAAAAA….. I deleted this stupid virus from my PC finally and successfully. This is the story: last week I copied some files from Master at the university into my USB flash and pasted them to my PC at home to use. Then I noticed that my PC worked exactly as iSergiwa explained in this topic. After I tried some other AVs to find and solve the PB, just Kaspersky AV knew at least the name of this virus. Then I found this topic and the guide of iSergiwa here. So I followed his guide carefully, and before restarting the OS I deleted all autorun.inf files in the drive roots manually and did the registry strings too. Then I restarted the PC. And finally…..everything is back OK. I am here again to show my happiness and thank iSergiwa for the nice topic & the Kaspersky AV Forum too. And of course show others the reality. Thanks from Iran.

I'm very happy for your happiness. God bless.

Thank you for reading and being patient

Post #18, 31.01.2007 00:02
Forum Elite, Group: Moderators, Posts: 6828, Joined: 6.04.2006, From: London
Thanks for the tutorial iSergiwa, it would be useful for many people with this problem or similar. The problem is that the autorun file isn't itself a malicious file, so it can't be added into signatures.

Post #19, 10.02.2007 18:51
Advanced Member, Group: Members, Posts: 211, Joined: 20.03.2006, From: Derna - Libya
QUOTE(dawgg @ 30.01.2007 23:02)

Such a tutorial, with more than 5332 visits and more than that number of thanks and references to it scattered on the net, and this is the first time I receive a "Thanks" from one of the Gold beta testers I respect! So THANK YOU.

QUOTE(dawgg @ 30.01.2007 23:02)

Yes, but this file has two attributes that make it malicious in my opinion:
1 - it is usually found in the root directory of a fixed drive, which is VERY odd!
2 - it contains a reference to a malicious program (copy.exe) which KAV itself detects!!!

I would add it into signatures with those two conditions:
Is it found in the root directory of a CD/DVD? If YES >> NULL. If NO:
Does it contain a reference to "copy.exe" previously detected as Perlovga? If NO >> NULL. If YES >> DELETE IT

Thank you for reading and being patient
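The two-condition rule above, together with the autorun.inf layout from post #12, as an added Python example (not code from the thread or from Kaspersky): it parses an autorun.inf, pulls out what the file would launch, and returns DELETE only for a non-optical volume whose launch target is one of the names the thread reports as detected; it goes one step beyond the post by returning REVIEW for any other relative launch target on a fixed drive. The two sample files, the drive-type labels and the known-bad list are constructed here from names on the page.

```python
import ntpath

# Constructed samples: the first reproduces the autorun.inf quoted in post #12,
# the second is a made-up vendor-style file with absolute paths for contrast.
INFECTED_INF = "[autorun]\nopen=copy.exe\n"
VENDOR_INF = (
    "[AutoRun]\n"
    "; vendor installer (constructed example)\n"
    "icon=setup.exe,0\n"
    "open=\"D:\\Setup Files\\setup.exe\" /quiet\n"
    "shell\\install\\command=D:\\Setup\\setup.exe\n"
)

# Names the thread reports KAV detecting as Perlovga; this stands in for the
# "previously detected" list in iSergiwa's second condition.
KNOWN_BAD = {"copy.exe", "host.exe"}

LAUNCH_KEYS = ("open", "shellexecute")


def first_token(value):
    """Program part of a launch line; honours a quoted path containing spaces."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def launch_targets(inf_text):
    """Programs an autorun.inf would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            program = first_token(value)
            if program:
                targets.append(program)
    return targets


def classify(inf_text, drive_type):
    """Apply post #19's two conditions. drive_type is 'cdrom', 'fixed' or 'removable'."""
    targets = launch_targets(inf_text)
    if drive_type == "cdrom":
        return "NULL", targets            # autorun.inf is expected on optical media
    verdict = "NULL"
    for t in targets:
        if ntpath.basename(t).lower() in KNOWN_BAD:
            return "DELETE", targets      # references a program already detected
        if drive_type == "fixed" and not ntpath.isabs(t):
            verdict = "REVIEW"            # relative launch target on a fixed drive is odd
    return verdict, targets


if __name__ == "__main__":
    for name, inf in (("infected", INFECTED_INF), ("vendor", VENDOR_INF)):
        for dtype in ("fixed", "removable", "cdrom"):
            verdict, targets = classify(inf, dtype)
            print(f"{name:8} on {dtype:9}: {verdict:6} targets={targets}")
```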

Post #20, 10.02.2007 19:10
True legend, Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania
autorun.inf can be there; it won't affect the operation of a normal computer (on a fixed drive it will ignore it), so removing that will solve nothing. The registry entries in MountPoints2 have to be cleaned up.