This is the web Diary and I will blog whenever I feel good to blog. I don't know how blogs were classified .. this is just a Personal Diary or my own views upon things happening around me. Most of the Posts in this blog are written in Myanmar (Burma) Native Language, known as Burmese/Myanmarsar (Not Myanmese or Barmen). This blog is composed with Winkalaw Font. I recommend you to get the Winkalaw 3 (modified) from the link below.



Download WinKalaw Font Unofficial Version 3 for Better Reading

MgHla ( MgHla's Blog )

a[m'Du ,lMuOD;rvm;...USB storage device awGxJul;wJh taumifav;... vkdcsifw,fqkd&if 'Dae&muae uvpfvkyfNyD; &,lyg... olUbmomol xnfhxm;&if bmrS rjzpfbl; pdwfcsyg... zip zkdifudk ajz... xGufvmwJh MTH.exe udk run vkdufr,f qkd&ifawmh tvkyfvkyfygw,f... bmvkyfvJqkdawmh USB memory stick awG tJ'DuGefysLwmrSm wyfvkdufr,fqkd MTH.exe zkdif tJ'D USB memory xJ a&mufoGm;vdrfhr,f... digital camera wyfvnf; a&mufrSmyJ... Norton eJY ppfMunfhw,f rodbl;... Trend Micro eJYppfMunfhw,f rodbl;wJh... jrefrmEkdifiHu wpfa,mufa,muf a&;xm;wm jzpfEkdifw,f... tJ'D MTH.exe rEÅav;rSm awmfawmf ysHUaew,fqkdyJ...

MTH.exe
udk zsufcscsifw,fqkd&if... aemufxyf USB storage device awGxJ rul;csifawmhbl; qkd&if 'Dvkd vkyfyg...
1. Task Manager xJ0if Processes tab udka&G;...
2. tJ'DxJrSm iousb.exe udk &Sm... right click vkyfNyD; End process tree udka&G;...
3. NyD;&if Windows explorer xJ0ifNyD; c:\Windows\System32 udkoGm; iousb.exe udk&SmNyD; zsufjypfvkdufyg...

 --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--

 --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx-- 

Kalvin

If a person run the program by clicking the exe file and it will start working the following process.
 
That program will work like a trojan (TSR).
Spreading method is very poor, it try to stay in system process.
And try to modify the registry database in order to run everytime the PC was booted.
It seems to copy every USB Storage device attached to the infected PC.
But this software lack of autorun ability which most of the virus killer used to check.
 
Still don't know the intention of this program but it was poorly developed.
And I dun think this program was developed by myanmar programmer because it spreading in other countries several days/weeks ago.
 
Following report was taken from zonealarm firewall.
 
That's what the mth.exe do
 
 --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx-- 
 
Description   Project1 was prevented from modifying registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Rating        Medium

Date / Time   2006/10/08 18:33:36+6:00 GMT

Type          Registry

Subtype       Set Value

Data          HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,

Program       D:\WINDOWS\system32\iousb.exe

Action Taken  Blocked
 
 --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx-- 
 
Description   Project1 was prevented from modifying registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Rating        Medium

Date / Time   2006/10/08 18:33:36+6:00 GMT

Type          Registry

Subtype       Set Value

Data          HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,

Program       Q:\MTH.exe

Action Taken  Blocked
 
 --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx--  --xx-- 
 
Credit to Mg Hla and Kalvin for this post
 
MgHla's Blog is Here

Published by Kalvin on Tuesday, October 17, 2006 at 6:52 PM.

0 Responses to “USB Virus, MgHla and Me”

Post a Comment

Links to this post

Create a Link

About Me


Click View Kalvin's Blogger 

Profile
Name : Kalvin Alexander
Occupation : Analyst/Programmer
Location : In Between PC & Books
Hometown : Mandalay
Country : Myanmar
Blogging from : Singapore
Page Loads : free statistics

Search in this Blog



XML
Powered by Blogger templates
Powered by

Visit 

W3Schools

NativeMyanmar Forumer
warez-bb Member





Presented by Kalvin