Comments on: Nine-Ball = Gumblar Redux? – 40,000 websites compromised

By: Tore Eriksson

Tore Eriksson — Sun, 30 Aug 2009 20:19:03 +0000

I have struggled with this malware all weekend. It’s called Krap.w and seems to be very new. All google hits are just hours old. No antivirus company has any news on it. It reinstalls a three-digit exe file every reboot, like 266.exe in temporary internet files folder, and also a random eight digit folder in user\temp\, eg. user\temp\15736234\ where three files are created: 15736234 15736234.ins and 15736234.exe (same random eight digits). F-secure’s antivirus program now detects and stops it from taking over the system, but does not find the installer yet. Neither have I.

By: TheOne

TheOne — Fri, 14 Aug 2009 11:43:40 +0000

Well last time i booted into windows my desktop-background was izohore.bmp and a strange “Anti Virus” Software was scanning some files. So it seems like i have got this thing. The Problem was that i could not Run any App like firefox or taskmanager since the “AV” “detected an infection” So i quickliy shut down my computer and booted into Linux. I mounted the WINDOWS partition and fount strange nubered exe in an stange numbered folder in /all users/Application Data/ and the izohore.bmp in \user\Local Settings\Temp\ but i couldnot find any other file yet. I used ClamAV to scan this partition but it did not even find the exe in the “app data” folder(since it is not the best choice anyway). It seems like this scarware uses varied names to store its data but the server.exe and socks.exe should exist i think and the names do not seem like they varie.
Since the Program doesnot seem to corrupt any random data, im going to reboot into windows and see what i can do there since i have removed ev erything if found concerning this virus. Thank you

By: Lori

Lori — Fri, 10 Jul 2009 20:18:46 +0000

i have this virus on my computer and was unable to access certain websites. now whenever i try to open IE 7 to any page, it shows trughtsa.com, sticks there for a while, an adobe error comes up and then the whole program shuts down. how do i get this off of my computer???? please help!!!

By: Jacob

Jacob — Tue, 07 Jul 2009 21:31:01 +0000

Hi, after reading this im absolutely positive that i have this on my computer. It seems to block my anti virus from working.
(I have Trend Micro) You’re website is the only place i’ve found information on this so far. If you could help me in removing it, or direct me somewhere that can it would be greatly appreciated.

By: demantos

demantos — Thu, 25 Jun 2009 07:54:07 +0000

Hi ANdrew.
I’m Korean malware analzer.
I try to download above url but my dns is not resolv that domain name.
SO would you please send me a copy of the binaries?

Thanks.