  1. #1 AXE

    Annoying csrss.exe final.exe virus

    Recently, I've been finding increasing instances of an annoying virus; it's still not picked up by Anti-Virus software (Sophos, AVG, Norton, NOD, Avast, F-Secure etc.).
    It infects automatically via removable storage\USB\Firewire devices (when formatted as NTFS) and over a network via UNC\shares (will also crack a WEP key on wireless networks to spread).
    Usually runs the process csrss.exe at 100% (not the genuine csrss.exe).

    It's easy to remove via recovery console, but still leaves some lasting damage to the registry.

    Creates the following files:
    %SYSTEMROOT%\csrss.exe
    %SYSTEMROOT%\ctfmon.exe
    %SYSTEMROOT%\logonui.exe
    %SYSTEMROOT%\msnmsgr.exe
    %SYSTEMROOT%\userinit.exe

    And in each NTFS drive root:
    Autorun.inf
    Autorun.exe
    Recycler.exe
    System Volume Information.exe
    Final.exe

    Changes the registry:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    - Adds entries to autorun from removable storage devices
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    - Sets Userinit to "%SYSTEMROOT%\system32\userinit.exe, %SYSTEMROOT%\csrss.exe" normally "%SYSTEMROOT%\system32\userinit.exe,"
    - Sets System to "%SYSTEMROOT%\userinit.exe" normally ""
    HKLM\SOFTWARE\Microsoft\Security Center\
    - Sets AntiVirusDisableNotify to 1 normally 0
    - Sets AntiVirusOverride to 1 normally 0
    - Sets FirewallDisableNotify to 1 normally 0
    - Sets FirewallOverride to 1 normally 0
    - Sets FirstRunDisabled to 1 normally absent
    - Sets UpdatesDisableNotify to 1 normally 0
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\
    - Sets Type to "By Rover" normally "checkbox"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\
    - Sets Type to "By Rover" normally "checkbox"
    - Sets UncheckedValue to 0 normally 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    - Sets ShowSuperHidden to 0
    - Sets SuperHidden to 0
    - Sets HideFileExt to 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    - Sets DisallowRun to 1 normally absent
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    Adds entries for:
    - regedit, taskmgr, cmd, rstrui, msconfig and various other anti-virus\anti-malware products
    HKCU\Software\Policies\Microsoft\Windows\System\
    - Sets DisableCMD to 1 normally absent
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    - Sets DisableTaskMgr to 1 normally absent
    - Sets DisableRegistryTools to 1 normally absent
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
    - Sets Allow Programmatic Cut_Copy_Paste to 0 normally absent

    It's easy enough to script a repair to the registry. Hope this helps someone.
    Last edited by AXE; 20th August 2009 at 03:02 AM.
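Scripting the registry check and repair the post describes, as an added example that is not part of the original post or the poster's own script: it reads a `reg export` (.reg) dump, compares the values in the post's list against the "normally" values the post gives, and writes a .reg file that puts them back (deleting the ones the post says are normally absent). The baseline table is transcribed from the post; the sample export embedded below is constructed, not captured from an infected machine. The MountPoints2 entries are not checked because the post gives no specific value for them, and for `Userinit` the script keeps whatever legitimate path the export already had rather than writing `%SYSTEMROOT%` into a REG_SZ value.

```python
"""Audit a `reg export` (.reg) dump for the registry changes listed in the post and build
a .reg file restoring the clean values the post gives. Added example; sample is constructed."""
import re

ABSENT = None  # baseline marker: the value should not exist on a clean machine
SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
ADV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DISALLOW = POL + r"\Explorer\DisallowRun"
BASELINE = {  # (key, value name) -> clean value, transcribed from the post
    (SC, "AntiVirusDisableNotify"): 0, (SC, "AntiVirusOverride"): 0, (SC, "FirewallDisableNotify"): 0,
    (SC, "FirewallOverride"): 0, (SC, "FirstRunDisabled"): ABSENT, (SC, "UpdatesDisableNotify"): 0,
    (ADV + r"\HideFileExt", "Type"): "checkbox", (ADV + r"\SuperHidden", "Type"): "checkbox",
    (ADV + r"\SuperHidden", "UncheckedValue"): 1, (POL + r"\Explorer", "DisallowRun"): ABSENT,
    (POL + r"\System", "DisableTaskMgr"): ABSENT, (POL + r"\System", "DisableRegistryTools"): ABSENT,
    (POL, "Allow Programmatic Cut_Copy_Paste"): ABSENT, (WINLOGON, "System"): "",
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): ABSENT,
}
USERINIT_OK = re.compile(r"\\system32\\userinit\.exe$", re.I)  # the one legitimate Userinit entry
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=value or @=value (default)

# Constructed sample of what `reg export` gives on a box set up the way the post describes.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\csrss.exe"
"System"="C:\\WINDOWS\\userinit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"FirstRunDisabled"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="By Rover"
"UncheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
"2"="taskmgr.exe"
"""


def unescape(s):
    """.reg strings double every backslash and escape double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """{key: {name: value}} from .reg text: dword -> int, REG_SZ -> unescaped str, other
    types (hex(...), whose wrapped continuation lines are skipped) kept as raw text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            keys[(current := line[1:-1])] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = unescape(m.group(1) or ""), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = unescape(raw[1:-1])
            else:
                keys[current][name] = raw
    return keys


def audit(keys):
    """[(key, name, found, clean)] for exported values that differ from the baseline.
    Keys missing from the export are skipped: a partial export proves nothing about them."""
    norm = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    findings = []
    for (key, name), clean in BASELINE.items():
        if key.lower() in norm:
            found = norm[key.lower()].get(name.lower(), ABSENT)
            if found != clean and str(found).lower() != str(clean).lower():  # strings case-insensitive
                findings.append((key, name, found, clean))
    # Userinit is a comma list; anything beside system32\userinit.exe is an injected launcher
    userinit = norm.get(WINLOGON.lower(), {}).get("userinit")
    if isinstance(userinit, str):
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        if not all(USERINIT_OK.search(p) for p in parts):
            clean = ",".join(p for p in parts if USERINIT_OK.search(p)) + ","
            findings.append((WINLOGON, "Userinit", userinit, clean))
    # A clean box has nothing under DisallowRun, so every entry there is a finding
    for k, vals in keys.items():
        if k.lower() == DISALLOW.lower():
            findings.extend((DISALLOW, n, v, ABSENT) for n, v in vals.items())
    return findings


def repair_reg(findings):
    """.reg text putting each finding back: ABSENT -> "name"=- (delete), int -> dword, str -> REG_SZ."""
    out, by_key = ["Windows Registry Editor Version 5.00", ""], {}
    for key, name, _found, clean in findings:
        by_key.setdefault(key, []).append((name, clean))
    for key, items in by_key.items():
        out.append(f"[{key}]")
        for name, clean in items:
            if clean is ABSENT:
                out.append(f'"{name}"=-')
            elif isinstance(clean, int):
                out.append(f'"{name}"=dword:{clean:08x}')
            else:
                out.append(f'"{name}"="' + clean.replace("\\", "\\\\").replace('"', '\\"') + '"')
        out.append("")
    return "\n".join(out)
```

Usage: export the keys from the post (for example `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg`, and the Winlogon, Explorer\Advanced\Folder and HKCU Policies keys the same way), concatenate or parse each file with `parse_reg(open(path, encoding="utf-16").read())` (regedit writes its Version 5.00 exports as UTF-16 with a BOM), then `repair_reg(audit(keys))` gives a file to import once the dropped executables are gone. The HKCU entries are per user, so that half of the repair has to be applied for each affected profile.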

  2. #2 tom_newton
    Can you upload it to http://www.virustotal.com/ and see who *does* catch it?
