How's this nasty one. Doing the rounds on flash disks....
I think it must be local, as a quick search for the offending files runsvr.exe and OSDSP.exe reveals nothing. And none of the major anti-virus programs pick the thing up.
It fills up your task manager and brings your system to a grinding halt.
http://www.yellow-mini.co.za/taskmgr.jpg
And bombs itself out half the time with its stupid "OSDSP 4.4 has encountered an error" message.
http://www.yellow-mini.co.za/osdsp.jpg
Indeed a very poor attempt at a virus, but still a major PITAss.
Must say it's the smartest batchfile I've seen for a while.
http://www.yellow-mini.co.za/virus_batchfile.txt
A batchfile of note, I give the guy credit for that!
Lol, I love the sneaky AT entries from NT's old scheduler.
It runs a service http://www.yellow-mini.co.za/service.jpg
It arrives on the flash as an autorun.inf
http://www.yellow-mini.co.za/virus_inf.txt
Disables your firewall, resets your permissions, and allows the guy a remote desktop session to your system - scary stuff.
Dunno what the other running services do.
Here's how I got rid of it. Made myself a writeup for next time so I'll share it with you guys. But I take NO responsibility if it does any damage or messes up your system. Totally own risk.
-----------------------------------------------
System restore off, make reg backup, proceed in safe mode
Delete all files below in safe mode. (Mostly all system, hidden, read-only, so attrib -S -H -R on each file; Windows Explorer does not see them even with "show hidden files incl protected operating system files".)
All .bat files in the /windows/temp folder.
%windir%\system32\Rstd.exe
%windir%\system32\runsvr.exe
%windir%\system32\rmtdsk.dll
%windir%\system32\dsksvc.sys
%windir%\system32\crv.exe
[EDIT] crv.exe - check out the file names I'm telling you to delete VS the file names at the bottom of this one and only article I can find http://www.prevx.com/filenames/2150221936046097085-X1/CRV.EXE.html but the info is sketchy and they don't really know.
%windir%\system32\Restore\osDSP.exe
%windir%\system32\Restore\Dskconf.msc
%windir%\system32\Restore\Shell.cat
%windir%\system32\Restore\Dsksvc.SYS
%windir%\system32\Restore\snd.exe
%windir%\system32\Restore\strt.exe
%windir%\system32\Restore\runsvr.exe
Autorun.inf in %windir%\system32
Autorun.inf in %windir%\system32\Restore
Autorun.inf in root.
Delete reg keys below if found in:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
DisplayName
ObjectName
Description
USB Drivers
FailureActions
Error control
Count
Nextinstance
Start
Type
ImagePath
AllowMultipleTSSessions
fAllowToGetHelp
0 Root\LEGACY_AVP\0000
userinit - or change as described below
Change reg key below back
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\Rstd.exe"
Userinit should just be, including the comma: C:\WINDOWS\system32\userinit.exe,
(Don't botch this or you might never log in again.)
Change “Allow Multiple TS Sessions” to 0
Delete “autoadminlogon”
Delete all keys below if found:
DisplayName
ObjectName
Description
USB Drivers
FailureActions
Error control
Count
Nextinstance
Start
Type
ImagePath
fAllowToGetHelp
Change or delete reg keys below
[HKEY_Local_Machine\System\CurrentControlSet\Control\Terminal Server]
AllowTSconnections Delete
fDenyTSConnections change to 1
fAllowToGetHelp change to 0
AllowMultipleTSSessions delete
Delete the entire reg entries for:
HKEY_Local_Machine\System\CurrentControlSet\Services\Medium Access
and
HKEY_Local_Machine\System\CurrentControlSet\Services\AVP
(or use the sc delete command, dunno which is better.)
Delete all the AT entries ("AT /delete"). The service must be running for this (which it won't be in safe mode).
at 10:05 /interactive /EVERY:M,T,W,TH,F,S,SU "%windir%\system32\Restore\strt.exe"
Don't forget to clean offending flash drives incl any external hard drives. (might be a good idea to turn off autorun as well)
CMD into root of the flash drive:
attrib -s -h -r autorun.inf
del autorun.inf
attrib -s -h -r osdsp.exe
del osdsp.exe
runsvr -L -d -p 53 -t -e cmd.exe
That's a DNS port; what it's up to I don't know.
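An added check script, not from the original post, that audits a box for the indicators listed above without deleting anything; the file paths, registry values, service names, AT job and the port-53 listener all come from this post, and it assumes an XP-era cmd.exe with reg.exe, at.exe and netstat.exe available:

```batch
@echo off
rem Added audit script, not from the original post: read-only check for the
rem dropped files, registry changes, service keys, AT job and port-53 listener
rem described above. It deletes nothing. Assumes XP-era cmd.exe with reg.exe,
rem at.exe and netstat.exe on the path; all paths and names come from the post.
setlocal
set FOUND=0

echo [*] Dropped files (system+hidden+read-only, so Explorer hides them)
for %%F in (
    "%windir%\system32\Rstd.exe"
    "%windir%\system32\runsvr.exe"
    "%windir%\system32\rmtdsk.dll"
    "%windir%\system32\dsksvc.sys"
    "%windir%\system32\crv.exe"
    "%windir%\system32\Restore\osDSP.exe"
    "%windir%\system32\Restore\Dskconf.msc"
    "%windir%\system32\Restore\Shell.cat"
    "%windir%\system32\Restore\Dsksvc.SYS"
    "%windir%\system32\Restore\snd.exe"
    "%windir%\system32\Restore\strt.exe"
    "%windir%\system32\Restore\runsvr.exe"
    "%windir%\system32\autorun.inf"
    "%windir%\system32\Restore\autorun.inf"
    "%SystemDrive%\autorun.inf"
) do if exist "%%~F" (echo     FOUND: %%~F & attrib "%%~F" & set FOUND=1)

echo [*] Winlogon Userinit (clean value ends in userinit.exe, then a comma)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit | find /i "Rstd.exe" >nul && (echo     FOUND: Rstd.exe chained into Userinit & set FOUND=1)

echo [*] Terminal Server values the batchfile flips (want fDenyTSConnections=1, fAllowToGetHelp=0)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections >nul 2>&1 && (echo     FOUND: AllowTSConnections present & set FOUND=1)

echo [*] Service keys the infection installs
for %%S in ("Medium Access" "AVP") do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%~S" >nul 2>&1 && (echo     FOUND: service key %%~S & set FOUND=1)
)
echo [*] Run key, compare value names against the list in the post
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

echo [*] AT job (needs the Task Scheduler service, so run this outside safe mode)
at 2>nul | find /i "strt.exe" && set FOUND=1

echo [*] Listener on TCP 53 (the runsvr -L -p 53 bind shell, only visible outside safe mode)
netstat -an | find "LISTENING" | find ":53 " && set FOUND=1

if "%FOUND%"=="1" (echo [!] Indicators present, follow the removal steps in the post) else (echo [+] None of the listed indicators found)
```

Run it once in safe mode for the file and registry checks and once after a normal boot for the AT job and listener checks, since those two need services that safe mode does not start.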