Sunday, August 12, 2007

XP Entertainments - New AV Killer Trojan

XP Entertainments is probably a new variant of the AvKiller trojan. As of now, only a few AV products detect the malicious files.
The dropper, named U.exe, drops the following files/folders:
\windows\system32\head.exe
\windows\system32\XPEntertainmentsUninstall.exe
\windows\system32\SoUI.dll
\program files\SoftPortal


Registry entries created by the trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\\\SoUI.dll"

[HKEY_CURRENT_USER\Software\SoftPortal]
"BasePath"="C:\\Program Files\\SoftPortal\\"


The above-mentioned files contain references to the following malicious websites (Do NOT visit these sites):
http://xpsite.org/head/?wmid=3&pid=1
http://api.automaticavupdate.com/UI/v1.1/Soft/
http://api.automaticavupdate.com/UI/v1.1/

The last two links listed above redirect to www.expertantivirus.com, the home of the rogue software ExpertAntivirus.

The trojan also adds an Add/Remove Programs entry called XP Entertainments, as shown in the screen shot below:


The following screen shot shows that SoUI.dll is injected into Explorer.exe's address space:


This trojan prevents various antivirus and firewall programs, such as ZoneAlarm, Outpost and Microsoft AntiSpyware, from running properly: they crash as soon as they are started. The following screen shot shows the fate of the ZoneAlarm firewall:


More information about this trojan can be found here.
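As an added triage example (not part of the original post), the following read-only PowerShell check looks for the indicators described above: the dropped files, the two registry keys, the Add/Remove Programs entry and SoUI.dll loaded inside explorer.exe. It assumes a default %SystemRoot% and %ProgramFiles% layout, and it only reports; it removes nothing.

```powershell
# Added example, not from the original post: read-only check for the
# XP Entertainments indicators listed in the write-up above.
$sys32 = Join-Path $env:SystemRoot 'system32'
$files = @(
    (Join-Path $sys32 'head.exe'),
    (Join-Path $sys32 'XPEntertainmentsUninstall.exe'),
    (Join-Path $sys32 'SoUI.dll'),
    (Join-Path $env:ProgramFiles 'SoftPortal')
)
$regKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32',
    'HKCU:\Software\SoftPortal'
)
$findings = @()

# 1. Dropped files and folders (paths taken from the write-up).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File/folder present: $f" }
}

# 2. Registry keys created by the trojan (CLSID for SoUI.dll, SoftPortal base path).
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Add/Remove Programs entry named "XP Entertainments".
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninst -ErrorAction SilentlyContinue | ForEach-Object {
    $dn = (Get-ItemProperty $_.PSPath).DisplayName
    if ($dn -like '*XP Entertainments*') {
        $findings += "Uninstall entry: $dn ($($_.PSChildName))"
    }
}

# 4. SoUI.dll injected into explorer.exe: enumerate the loaded modules of each
#    explorer process (may need elevated rights; failures are reported, not hidden).
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq 'SoUI.dll' }
        if ($hit) {
            $findings += "SoUI.dll loaded in explorer.exe (PID $($p.Id)) from $($hit.FileName)"
        }
    } catch {
        $findings += "Could not enumerate modules of explorer.exe PID $($p.Id): $_"
    }
}

if ($findings.Count -eq 0) { 'No XP Entertainments indicators found.' } else { $findings }
```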

4 Comments:

Anonymous said...

"Windows XP default theme missing!"
Hi, I need help on Windows Themes???? I tried everything to start my Windows themes, but when I try to start the Themes service from Services it says: Error 126: the specified module could not be found. :( What do I do? Please help me... it's driving me crazy. Thanks.

Please help!!!

8:04 AM  
Anonymous said...

Use Linux, like Ubuntu, to escape from the M$ Windows menace!

4:12 PM  
Nick said...

Hi,

Looks like my XP is/was infected by this trojan (killav) that Trend couldn't remove (Ad-Aware did something about it, but still...). I removed the registry entries and deleted SoUI.dll (no head.exe). HOWEVER, each time I run IE it tries to connect to r1.automaticavupdate.com... but fortunately it gave an invalid address. HOW do I get rid of this command???

Rgds

Nick

4:06 PM  
Anonymous said...

Solution from Search-and-destroy.
If you own a computer, you must have antispyware to keep it running at its best. The problem is choosing a scan that works. I have tried many different types of scans in the past, and then I ran across Search-and-destroy Antispyware. I have to say that the antispyware solution from Search-and-destroy is the best that I have used to date. It gets the job done and keeps my computer working like new. If you are interested in seeing for yourself just how well this antispyware works, you can click on http://www.Search-and-destroy.com/antispyware.html to learn more. I'm sure it would be worth your time to check it out.

5:10 PM  
