February 27, 2006 Virus Alert - TROJ_QOOLOGIC.AA
TROJ_QOOLOGIC.AA
Virus type: Trojan
Destructive: No
Aliases: Qoolaid
Pattern file needed: 2.992.04
Scan engine needed: 7.000
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: Medium
Distribution Potential: Low
--------------------------------------------------------------------------------
Description :
This Trojan arrives as a file downloaded from the Internet when an unsuspecting user visits a malicious Web site.
Upon execution, it drops several files on the affected system. Three of them, with random file names, are dropped into the Windows system folder; Trend Micro detects these as TROJ_QOOLAID.V and TROJ_QOOLOGIC.BD.
It installs itself as a Context Menu Handler. Context menu handlers are legitimate Windows shell extensions: COM components, registered by CLSID in the registry, that Windows Explorer loads to build the shortcut menu displayed when a user right-clicks a file, folder, or other shell object. By registering itself as one of these components, the Trojan is loaded into the Explorer process and stays memory-resident, allowing it to wait for the affected system to establish an Internet connection. Once it detects an Internet connection, it downloads additional files, which may be malicious.
This Trojan has rootkit capabilities that hide its files and processes to avoid immediate detection. The hidden files and processes can, however, still be listed from a command prompt (for example, with a directory listing of the system folder), which is one way to confirm the random file names noted during scanning.
Solution :
Removing Related Malware
To fully remove all associated malware, also follow the cleaning solution for each of the following malware:
TROJ_QOOLAID.V
TROJ_QOOLOGIC.BD
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product.
NOTE the path and file name of all files detected as TROJ_QOOLOGIC.AA.
Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use Housecall, the Trend Micro online virus scanner.
Restarting in Safe Mode
This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.
Editing the Registry
This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Winsync = "%System%\{Random} reg_run"
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Removing Random CLSIDs from the Registry
This procedure removes random CLSID keys created by this malware. You will need the file name(s) detected earlier.
1. Still in the Registry Editor, in the left panel, navigate to this key:
HKEY_CLASSES_ROOT>CLSID
2. Right-click the key and select "Find".
3. In the Find dialog box, type the file name of the malware detected earlier.
(NOTE: Make sure that only the Data checkbox is selected, then click Find Next.)
4. Once found, in the left panel, note down the CLSID (the characters enclosed in curly brackets, {}).
5. Click Find Next to search for the next CLSID containing the file name detected earlier. Repeat until the "Finished searching through the registry." dialog box appears.
(Note: Make sure to note down every CLSID that corresponds to the detected malware file name.)
6. In the left panel, navigate to this key:
HKEY_CLASSES_ROOT>CLSID>{Noted CLSID}
7. In the right panel, check if this value-data pair exists:
(Default) = "{Value detected earlier}"
8. In the left panel, navigate to this key:
HKEY_CLASSES_ROOT>CLSID>{Noted CLSID}>InprocServer32
9. In the right panel, check if this value-data pair exists:
(Default) = "{Malware path and file name}"
10. If both steps 7 and 9 are true, delete this key:
HKEY_CLASSES_ROOT>CLSID>{Noted CLSID}
11. If not, proceed with the next CLSID. Repeat steps 6 to 10 for each of the noted CLSIDs.
12. Close the Registry Editor.
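Both registry procedures above (the Winsync Run entry and the CLSID search) can be carried out against a registry export rather than by clicking through the live registry, which also leaves a record of what was removed. The script below is an added example, not a Trend Micro tool: it parses the text that regedit /e writes, finds Run values and CLSID keys whose InprocServer32 default references the file name(s) reported by the scanner, and emits a .reg file that deletes exactly those entries (a leading "-" on a key and "=-" on a value are the standard .reg deletion directives). The sample export, the file name abcdefgh.dll, and the GUIDs in it are constructed placeholders, not real indicators.

```python
r"""Added example (not Trend Micro's tool): offline triage of a .reg export for the
TROJ_QOOLOGIC.AA persistence described above.  Locates Run values and CLSID keys
whose InprocServer32 default references the scanner-reported file name(s) and
emits a .reg that deletes only those entries.  SAMPLE_EXPORT is constructed."""
import re
import sys
from typing import Dict, List, Tuple

RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
CLSID_PREFIX = "HKEY_CLASSES_ROOT\\CLSID\\"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # @ is the (Default) value

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Shell Extension"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\System32\\abcdefgh.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsync"="C:\\WINDOWS\\System32\\abcdefgh.dll reg_run"
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"Blob"=hex:01,02,03,\
  04,05
'''

def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}}.  hex:/dword: data is skipped;
    hex continuation lines (trailing backslash) are consumed so they are never
    mistaken for a key or value line.  "[-key]" delete directives are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    continuation = False
    for raw in text.splitlines():
        line = raw.strip()
        if continuation:
            continuation = line.endswith("\\")
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None if path.startswith("-") else path
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            continuation = data.endswith("\\")   # binary data, possibly multi-line
    return keys

def find_artifacts(keys: Dict[str, Dict[str, str]], detected_files: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run values and CLSIDs whose InprocServer32 default name one of the detected files.
    The InprocServer32 path is the decisive check (steps 9 and 10 of the procedure)."""
    wanted = [f.lower() for f in detected_files]
    refers = lambda data: any(f in data.lower() for f in wanted)
    run_hits = [(n, d) for n, d in keys.get(RUN_KEY, {}).items() if refers(d)]
    clsids = []
    for path, values in keys.items():
        if not path.startswith(CLSID_PREFIX):
            continue
        parts = path[len(CLSID_PREFIX):].split("\\")
        if (len(parts) == 2 and parts[1].lower() == "inprocserver32"
                and GUID_RE.match(parts[0]) and refers(values.get("@", ""))):
            clsids.append(parts[0])
    return run_hits, sorted(clsids)

def removal_reg(run_hits: List[Tuple[str, str]], clsids: List[str]) -> str:
    """Build a .reg that deletes the flagged Run values and CLSID keys."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if run_hits:
        lines.append(f"[{RUN_KEY}]")
        lines.extend(f'"{name}"=-' for name, _ in run_hits)   # "=-" deletes a value
        lines.append("")
    for guid in clsids:
        lines.extend([f"[-{CLSID_PREFIX}{guid}]", ""])         # "[-key]" deletes the key
    return "\n".join(lines)

def triage(export_text: str, detected_files: List[str]) -> str:
    run_hits, clsids = find_artifacts(parse_reg(export_text), detected_files)
    return removal_reg(run_hits, clsids)

if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: triage.py export.reg file1.dll [file2.dll ...]
        with open(sys.argv[1], encoding="utf-16") as fh:   # regedit /e writes UTF-16LE
            print(triage(fh.read(), sys.argv[2:]))
    else:
        print(triage(SAMPLE_EXPORT, ["abcdefgh.dll"]))
```

To use it on an affected machine, export the two keys from a command prompt with `regedit /e clsid.reg HKEY_CLASSES_ROOT\CLSID` and `regedit /e run.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, concatenate the two files, and pass the file names the scanner reported; review the generated .reg before importing it, since the match is a substring test on the file name and a very short random name could collide with a legitimate path.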
Important Windows XP Cleaning Instructions
Users running Windows XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your system normally before performing the following solution.
Scan your system with Trend Micro antivirus and delete files detected as TROJ_QOOLOGIC.AA. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.
For additional information about this threat, see Technical Details.
--------------------------------------------------------------------------------
Source: Trend Micro, Inc.