Kalvin's Web Diary: USB Virus, MgHla and Me

This is the web Diary and I will blog whenever I feel good to blog. I don't know how blogs were classified .. this is just a Personal Diary or my own views upon things happening around me. Most of the Posts in this blog are written in Myanmar (Burma) Native Language, known as Burmese/Myanmarsar (Not Myanmese or Barmen). This blog is composed with Winkalaw Font. I recommend you to get the Winkalaw 3 (modified) from the link below.

« Home | Flood Around Mandalay »

USB Virus, MgHla and Me

0 Comments

MgHla ( MgHla's Blog )

a[m'Du ,lMuOD;rvm;...USB storage device awGxJul;wJh taumifav;... vkdcsifw,fqkd&if 'Dae&muae uvpfvkyfNyD; &,lyg... olUbmomol xnfhxm;&if bmrS rjzpfbl; pdwfcsyg... zip zkdifudk ajz... xGufvmwJh MTH.exe udk run vkdufr,f qkd&ifawmh tvkyfvkyfygw,f... bmvkyfvJqkdawmh USB memory stick awG tJ'DuGefysLwmrSm wyfvkdufr,fqkd MTH.exe zkdif tJ'D USB memory xJ a&mufoGm;vdrfhr,f... digital camera wyfvnf; a&mufrSmyJ... Norton eJY ppfMunfhw,f rodbl;... Trend Micro eJYppfMunfhw,f rodbl;wJh... jrefrmEkdifiHu wpfa,mufa,muf a&;xm;wm jzpfEkdifw,f... tJ'D MTH.exe rEÅav;rSm awmfawmf ysHUaew,fqkdyJ...

MTH.exe udk zsufcscsifw,fqkd&if... aemufxyf USB storage device awGxJ rul;csifawmhbl; qkd&if 'Dvkd vkyfyg...
1. Task Manager xJ0if Processes tab udka&G;...
2. tJ'DxJrSm iousb.exe udk &Sm... right click vkyfNyD; End process tree udka&G;...
3. NyD;&if Windows explorer xJ0ifNyD; c:\Windows\System32 udkoGm; iousb.exe udk&SmNyD; zsufjypfvkdufyg...

--xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx--

Kalvin

If a person run the program by clicking the exe file and it will start working the following process.

That program will work like a trojan (TSR).

Spreading method is very poor, it try to stay in system process.

And try to modify the registry database in order to run everytime the PC was booted.

It seems to copy every USB Storage device attached to the infected PC.

But this software lack of autorun ability which most of the virus killer used to check.

Still don't know the intention of this program but it was poorly developed.

And I dun think this program was developed by myanmar programmer because it spreading in other countries several days/weeks ago.

Following report was taken from zonealarm firewall.

That's what the mth.exe do

--xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx--

Description Project1 was prevented from modifying registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Rating Medium

Date / Time 2006/10/08 18:33:36+6:00 GMT

Type Registry

Subtype Set Value

Data HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,

Program D:\WINDOWS\system32\iousb.exe

Action Taken Blocked

--xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx--

Description Project1 was prevented from modifying registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Rating Medium

Date / Time 2006/10/08 18:33:36+6:00 GMT

Type Registry

Subtype Set Value

Data HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,

Program Q:\MTH.exe

Action Taken Blocked

--xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx-- --xx--

Credit to Mg Hla and Kalvin for this post

MgHla's Blog is Here

0 Comments Published by Kalvin on Tuesday, October 17, 2006 at 6:52 PM.

0 Responses to “USB Virus, MgHla and Me”

About Me

Name : Kalvin Alexander
Occupation : Analyst/Programmer
Location : In Between PC & Books
Hometown : Mandalay
Country : Myanmar
Blogging from : Singapore

Page Loads :