How's this nasty one

Ivork

How's this nasty one. Doing the rounds on flash disks...
I think it must be local, as a quick search for the offending files runsvr.exe and OSDSP.exe reveals nothing. And none of the major anti-virus programs pick the thing up.

It fills up your task manager and brings your system to a grinding halt.
http://www.yellow-mini.co.za/taskmgr.jpg
And bombs itself out half the time with its stupid "OSDSP 4.4 has encountered an error"
http://www.yellow-mini.co.za/osdsp.jpg
Indeed a very poor attempt at a virus, but still a major PITAss.

Must say it's the smartest batchfile I've seen for a while.
http://www.yellow-mini.co.za/virus_batchfile.txt
A batchfile of note, I give the guy credit for that!

Lol, I love the sneaky AT entries from NT's old scheduler.

It runs a service http://www.yellow-mini.co.za/service.jpg

It arrives on the flash as an autorun.inf
http://www.yellow-mini.co.za/virus_inf.txt

Disables your firewall, resets your permissions, and allows the guy a remote desktop session to your system - scary stuff.
Dunno what the other running services do.
runsvr -L -d -p 53 -t -e cmd.exe
That's a DNS port; what it's up to I don't know.

Here's how I got rid of it. Made myself a writeup for next time so I'll share it with you guys. But I take NO responsibility if it does any damage or messes up your system. Totally Own risk.

-----------------------------------------------

System Restore off, make a registry backup, proceed in Safe Mode.
Delete all files below in Safe Mode. (Mostly all system, hidden, read-only, so attrib -S -H -R on each file - Windows Explorer does not see them even with "show hidden files incl. protected operating system files".)

All .bat files in the \windows\temp folder.

%windir%\system32\Rstd.exe
%windir%\system32\runsvr.exe
%windir%\system32\rmtdsk.dll
%windir%\system32\dsksvc.sys
%windir%\system32\crv.exe

[EDIT] crv.exe - check out the file names I'm telling you to delete VS the file names at the bottom of this one and only article I can find http://www.prevx.com/filenames/2150221936046097085-X1/CRV.EXE.html but the info is sketchy and they don't really know.

%windir%\system32\Restore\osDSP.exe
%windir%\system32\Restore\Dskconf.msc
%windir%\system32\Restore\Shell.cat
%windir%\system32\Restore\Dsksvc.SYS

%windir%\system32\Restore\snd.exe
%windir%\system32\Restore\strt.exe
%windir%\system32\Restore\runsvr.exe

Autorun.inf in %windir%\system32
Autorun.inf in %windir%\system32\restore
Autorun.inf in root.

Delete reg keys below if found in:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
DisplayName
ObjectName
Description
USB Drivers
FailureActions
Error control
Count
Nextinstance
Start
Type
ImagePath
AllowMultipleTSSessions
fAllowToGetHelp
0 Root\LEGACY_AVP\0000
userinit - or change as described below

Change reg key below back
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\Rstd.exe"

Userinit should just be, including the comma: C:\WINDOWS\system32\userinit.exe,
(Don't botch this or you might never log in again.)

Change "AllowMultipleTSSessions" to 0
Delete "AutoAdminLogon"

Delete all keys below if found:
DisplayName
ObjectName
Description
USB Drivers
FailureActions
Error control
Count
Nextinstance
Start
Type
ImagePath
fAllowToGetHelp



Change or delete Reg Keys below
[HKEY_Local_Machine\System\CurrentControlSet\Control\Terminal Server]

AllowTSConnections - delete
fDenyTSConnections - change to 1
fAllowToGetHelp - change to 0
AllowMultipleTSSessions - delete

Delete the entire registry entries for:
HKEY_Local_Machine\System\CurrentControlSet\Services\Medium Access
and
HKEY_Local_Machine\System\CurrentControlSet\Services\AVP
(or use the sc delete command, dunno which is better.)


Delete all the AT entries: "AT /delete". The Task Scheduler service must be running for this (which it won't be in Safe Mode). The entry looks like:
at 10:05 /interactive /EVERY:M,T,W,TH,F,S,SU "%windir%\system32\Restore\strt.exe"

Don't forget to clean offending flash drives incl any external hard drives. (might be a good idea to turn off autorun as well)
CMD into root of the flash drive:

attrib -s -h -r autorun.inf
del autorun.inf
attrib -s -h -r osdsp.exe
del osdsp.exe
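A read-only audit of the indicators in Ivork's notes above, added here as an example; it is not from the original thread or from any vendor tool. It assumes Windows PowerShell 2 or later in an elevated prompt and only reports what it finds, so the findings can be checked before anything is deleted.

```powershell
# Added read-only audit of the indicators in this thread (not Ivork's notes, not
# a vendor tool). Assumes Windows PowerShell 2+, elevated. Reports only.
$sys32   = Join-Path $env:windir 'system32'
$restore = Join-Path $sys32 'Restore'
# Dropped files named in the post, in system32, system32\Restore and drive root.
$names32 = 'Rstd.exe','runsvr.exe','rmtdsk.dll','dsksvc.sys','crv.exe','Autorun.inf'
$namesR  = 'osDSP.exe','Dskconf.msc','Shell.cat','Dsksvc.SYS','snd.exe','strt.exe','runsvr.exe','Autorun.inf'
$paths   = @($names32 | ForEach-Object { Join-Path $sys32 $_ }) +
           @($namesR  | ForEach-Object { Join-Path $restore $_ }) +
           @("$env:SystemDrive\Autorun.inf")
foreach ($p in $paths) {
    # -Force is needed because the dropper sets system+hidden+read-only
    if (Test-Path -LiteralPath $p) {
        Write-Output "FILE  $p [$((Get-Item -LiteralPath $p -Force).Attributes)]"
    }
}
Get-ChildItem (Join-Path $env:windir 'temp') -Filter *.bat -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "BATCH $($_.FullName)" }

# Winlogon: Userinit must be exactly userinit.exe plus the trailing comma.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.Userinit -ne "$sys32\userinit.exe,") { Write-Output "REG   Userinit = $($wl.Userinit)" }
foreach ($v in 'AutoAdminLogon','AllowMultipleTSSessions') {
    if ($null -ne $wl.$v -and "$($wl.$v)" -ne '0') { Write-Output "REG   Winlogon\$v = $($wl.$v)" }
}

# Terminal Server settings the post resets (values the post says are clean).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -ne 1) { Write-Output "REG   fDenyTSConnections = $($ts.fDenyTSConnections) (post: 1)" }
if ($ts.fAllowToGetHelp -ne 0)    { Write-Output "REG   fAllowToGetHelp = $($ts.fAllowToGetHelp) (post: 0)" }
foreach ($v in 'AllowTSConnections','AllowMultipleTSSessions') {
    if ($null -ne $ts.$v) { Write-Output "REG   Terminal Server\$v = $($ts.$v) (post: delete)" }
}

# Services the post removes, and AT jobs (stored as %windir%\Tasks\At*.job).
foreach ($svc in 'Medium Access','AVP') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $k) { Write-Output "SVC   $svc ImagePath = $((Get-ItemProperty $k).ImagePath)" }
}
Get-ChildItem (Join-Path $env:windir 'Tasks') -Filter *.job -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "JOB   $($_.Name)" }
# Removable drives (DriveType 2): the autorun.inf / osdsp.exe pair from the post.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    foreach ($n in 'autorun.inf','osdsp.exe') {
        $p = Join-Path $_.DeviceID $n
        if (Test-Path -LiteralPath $p) { Write-Output "USB   $p" }
    }
}
```

Any line it prints is a hit to review by hand; a machine with no infection and Remote Desktop legitimately enabled will still show the fDenyTSConnections and fAllowToGetHelp lines, since those are reported against the values in the post rather than the Windows defaults.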
 
Upload it to VirusTotal and see what they say.

Don't have the original files anymore - only the notes I made as on this page. Will do when I come across it again - or maybe the next person that does can do the honours and/or let me know.

[EDIT] I informed Trend Micro (Secure Data SA) last week and they're working on it.
 
OK, for the non-members who keep mailing my website address (why don't you just join the forum and post a question so I don't have to repeat myself?)

Delete all files below in Safe Mode. (Mostly all system, hidden, read-only, so attrib -S -H -R on each file - Windows Explorer does not see them even with "show hidden files incl. protected operating system files".)

If you don't understand that, I wouldn't suggest going this alone. But it's your risk. # = a chirp, not to be actually typed.
Let's do the first two:
%windir%\system32\Rstd.exe
%windir%\system32\runsvr.exe


Start - Run -cmd # hit enter
#brings you to command prompt

C: # hit enter
cd C:\windows\system32 # hit enter
attrib -S -R -H Rstd.exe #hit enter
dir rstd.* #hit enter - now the file should be visible in both command prompt and windows explorer.
del rstd.exe #hit enter

#next one:
attrib -S -H -R runsvr.exe
del runsvr.exe

and so forth...

I'm not explaining how to back up the registry - Google for it.
But make sure you have the security file as well. Put it in a nice place and REMEMBER where those files are so you can access them from the Recovery Console if need be.

If you're feeling out of your depth - don't disable System Restore. Make a restore point. (You can always revert back to it, although you'll be back at square one, if you stuff it up or my instructions don't work for you.) Once you are 100% sure all is OK, then disable System Restore, reboot, and enable it again.
 
Ivork - you're the man. Just had a lady's laptop infected with this - She'd been tearing her hair out for weeks and two different Computer shops failed to find it. Googled OSDSP.exe and came up with your post 1st thing. Cleaned her machine up spiffy - thanks!

She heaped praise on me, but I told her "Nah - the guy you gotta thank is in Kimberley...!"

Thanks again.

(AVG 8 and spybot missed it completely :sick: ) I used a Hardy Heron live cd to find and delete the hidden system32 files.

PS: Got home to find my flash drive infected with the thing too - got rid of it quicksmart!
 
A friend of mine came across this virus and subsequently found this thread. This seems to be the only place this nasty piece of work is mentioned, so thanks Ivork for posting about it.

The file osdsp.exe itself seems to have been compiled by a product called Quick Batch Compiler by Abyss Media.

I submitted it to AVG yesterday and they said it will be detected in the next AVG update.

Update: It looks like this virus also installs a copy of the Terminal Server service (termsrv.dll) from XP SP2 beta, which allows incoming remote desktop connections without logging you off; it might be worth reapplying SP3 if you've been caught by this virus and are using XP.
 
Thanks a lot for the help, but could someone please explain to me how it is possible that none of the major virus companies have included a scan for it yet? This virus is spreading at such a rate! Oh, and how did you get a list of the files it installed?
 
Thanks a lot for the help, but could someone please explain to me how it is possible that none of the major virus companies have included a scan for it yet? This virus is spreading at such a rate! Oh, and how did you get a list of the files it installed?

Still not? Wow. Well, it has been submitted to them. And you can figure out the files it installs from the batchfile (as I posted at the beginning).

PS: welcome to MyBroadband, Dbadash.

 
Still not? Wow. Well, it has been submitted to them.
:mad: Still not! I don't know what has happened to AVG; when I've submitted things to them in the past they've released the new definitions within hours. This time it's been more than two weeks and it still isn't being detected.
And you can figure out the files it installs from the batchfile (as I posted at the beginning).
Thanks Ivork, that was some good detective work.
 
I sent them a reminder shortly after the above post and got a reply saying it would be detected in the next update. Sure enough, anti-virus database version 270.5.4/1567, which I've just received, detects osDSP.exe as Worm/Generic_c.G.
 