Tuesday, February 24, 2009

Win32 Virus

Virus.Win32.Nsag.a is the detection name for an infected copy of the Windows wininet.dll file. The purpose of the infection is to redirect calls to the HttpSendRequest function to a malicious .dll file.
There are several pieces of malware which install Virus.Win32.Nsag.a (often referred to as Smitfraud). Smitfraud and Nsag are quite similar and have the following in common:
When the malware which installs Nsag is run, two main .dll files are dropped into the system directory.
One of these .dll files is around 7 KB in size and is usually named oleadm.dll. It serves as adware and a Trojan-Downloader. This file is normally detected as Trojan-Downloader.Win32.Agent.ns.
The other file, oleadm32.dll, is an infected copy of the system's wininet.dll, an important Windows file. In some cases the infection corrupts the file, which results in a crash of explorer.exe when the file is loaded.
The malware uses a technique that ensures oleadm32.dll replaces the system's wininet.dll file without warning when the infected system is restarted.
There are quite a few variants of Smitfraud. They are best known for altering the desktop wallpaper. In most cases the changed wallpaper displays a message about a 'Trojan-Spy.HTML.Smitfraud.c infection'.
These wallpapers are dropped into the system directory as ws.bmp, which is detected by Kaspersky Anti-Virus as not-virus:BadJoke.Win32.Nsag.a.
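The post does not say how the infected wininet.dll hands HttpSendRequest calls to the malicious .dll; one way an infected system DLL can do this is export forwarding, where the export table points a name at a string like 'otherdll.Function' instead of at code. The added Python below (not from the original post or from Kaspersky) parses a PE export table and reports any export forwarded to a module outside an expected set, a quick check to run against a suspect wininet.dll. The forwarding mechanism and the constructed sample image's forward to 'oleadm' are assumptions for illustration, not a description of how Nsag is actually implemented.

```python
import struct

def _off(rva, sections):
    """Map an RVA to a file offset via the section table entries (va, vsize, raw, rawsize)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not inside any section" % rva)
def _cstr(data, off): return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def forwarded_exports(data):
    """Return {export name: 'Module.Function'} for every forwarded export of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (0x60 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 0x70)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)  # DataDirectory[0]: export table
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    secs = [(va, vsize, raw, rawsize) for vsize, va, rawsize, raw in secs]
    if exp_rva == 0: return {}
    n_names, funcs, names, ords = struct.unpack_from("<4I", data, _off(exp_rva, secs) + 24)
    funcs, names, ords = (_off(r, secs) for r in (funcs, names, ords))
    result = {}
    for i in range(n_names):
        name = _cstr(data, _off(struct.unpack_from("<I", data, names + 4 * i)[0], secs))
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        target = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        if exp_rva <= target < exp_rva + exp_size:  # RVA inside the export directory = forwarder string
            result[name] = _cstr(data, _off(target, secs))
    return result

def foreign_forwards(data, expected_modules):
    """Forwarded exports whose target module is not one the DLL is expected to forward to."""
    return {n: t for n, t in forwarded_exports(data).items() if t.split(".", 1)[0].lower() not in expected_modules}

def build_sample_pe(exports):
    """Constructed test image (not a real DLL): one section holding an export table; exports maps name -> 'Module.Func' or None."""
    va, raw, n = 0x1000, 0x200, len(exports)
    strings, name_rvas, func_rvas = b"", [], []
    for name, target in exports.items():
        name_rvas.append(va + 40 + 10 * n + len(strings)); strings += name.encode() + b"\0"
        func_rvas.append(va + 40 + 10 * n + len(strings) if target else va + 0x800)  # non-forwarded: point at 'code'
        strings += (target or "").encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, va + 40, va + 40 + 4 * n, va + 40 + 8 * n)
    body += struct.pack("<%dI%dI%dH" % (n, n, n), *func_rvas, *name_rvas, *range(n)) + strings
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", va, len(body)) + b"\0" * 120
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    hdr += opt + struct.pack("<8sIIII", b".edata", len(body), va, raw, raw) + b"\0" * 16
    return hdr.ljust(raw, b"\0") + body.ljust(raw, b"\0")
```

Run foreign_forwards over a known-clean copy of the DLL first to build the expected set, since genuine system DLLs do legitimately forward some exports.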


Removal instructions
Make sure Kaspersky Anti-Virus is up to date.
Perform a full system scan and disinfect or delete all objects detected as infected.
Navigate to %sysdir% (most likely C:\Windows\System32).
Find wininet.dll and rename it to wininet.dl.
Wait a few moments. A new, clean version of wininet.dll should appear.
Reboot the system and disinfect or delete the infected wininet.dl file.
