Tuesday, September 9, 2008

Trojan-GameThief.Win32.OnLineGames.srhe

Recently my PC was infected by a Trojan that damaged some files. According to Kaspersky, the name of the Trojan is "Trojan-GameThief.Win32.OnLineGames.srhe". Unfortunately, I was out of the country when it got infected (my friend had been using the PC), and when I returned it had caused a lot of damage.


nature of the Trojan:

1. restarts the PC on its own
2. damages .jpeg files
3. disables the internet connection
4. prevents anti-virus software from updating its database
5. spreads upon disk access


method of cloning:

The Trojan spreads through any portable media (including CDs, DVDs and flash drives). It uses an autorun.inf file stored in the root of the media, which launches a couple of batch files (.bat) and .com files. These in turn access the other drives connected to the PC and infect them as well, so just formatting the main drive and reinstalling the system is not enough. Whenever you access an infected drive, its autorun.inf re-activates the Trojan from hibernation.


identifying an infected PC:

An infected PC can be easily identified by running the dir /a command at a DOS prompt (the /a switch lists all files, including hidden and system ones). However, this might give false results if used from within Windows while the Trojan is active, so you might have to boot to a DOS prompt using a Windows 98 bootable CD.

You should see an autorun.inf, a couple of unidentified .bat files and a couple of unidentified .com files. Usually the system doesn't leave any .com files in the root, and the only .bat file that belongs in the root is autoexec.bat. If other unknown .bat or .com files are present, you can suspect an infection.
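As an added example (not code from the original post), the following Python script automates the dir /a check described above against a drive root and also parses the autorun.inf to show which of the unidentified files it would launch, applying the post's rule that only autoexec.bat belongs in a root and no .com file does. It assumes no attribute stripping is needed for listing, since Path.iterdir returns hidden and system files; the file names it writes into its sample directory are constructed placeholders, not names from the real infection.

```python
import tempfile
from pathlib import Path

# The post's rule: autoexec.bat is the only legitimate root .bat and no .com belongs there.
EXPECTED_ROOT_FILES = {"autoexec.bat"}
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program

def parse_autorun(text: str) -> dict:
    """Return the commands an autorun.inf would launch, keyed by ini key."""
    # shell\<verb>\command= entries are captured too: they hijack the drive's
    # Open/Explore context-menu verbs, so a double-click on the drive runs the payload.
    commands, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands[key] = value
    return commands

def scan_drive_root(root: str) -> dict:
    """Apply the post's dir /a check to one drive root (iterdir lists hidden files too)."""
    findings = {"autorun_commands": {}, "suspect_files": []}
    for entry in (e for e in Path(root).iterdir() if e.is_file()):
        name = entry.name.lower()
        if name == "autorun.inf":
            findings["autorun_commands"] = parse_autorun(entry.read_text(errors="replace"))
        elif name.endswith((".bat", ".com")) and name not in EXPECTED_ROOT_FILES:
            findings["suspect_files"].append(entry.name)
    findings["suspect_files"].sort()
    findings["suspicious"] = bool(findings["autorun_commands"] or findings["suspect_files"])
    return findings

def build_sample_root(infected: bool = True) -> str:
    """Create a constructed drive root in a temp dir; names are placeholders, not real IoCs."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    Path(root, "autoexec.bat").write_text("@echo off\n")
    if infected:
        Path(root, "autorun.inf").write_text(
            "[autorun]\nopen=unknown1.com\nshell\\open\\command=unknown2.bat\n")
        Path(root, "unknown1.com").write_bytes(b"placeholder")
        Path(root, "unknown2.bat").write_text("@echo placeholder\n")
    return root
```

Run scan_drive_root against the root of each mounted drive; a non-empty autorun_commands or suspect_files result is the same signal the post describes seeing in the dir /a listing.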


manual removal of the Trojan:

If Kaspersky is present and updated, it will automatically remove the Trojan upon accessing the disks. However, if you don't use anti-virus software or if your virus database is out of date, you can use this manual cleaning process.

1. Disable System Restore on all drives.
2. Restart the PC and boot using a Windows 98 bootable disk.
3. Type dir /a at the DOS prompt.
4. Use the attrib command with the parameters -a -s -h -r to clear the archive, system, hidden and read-only attributes from autorun.inf and the other unidentified .bat and .com files in the root.
5. Delete autorun.inf and all other unidentified .bat and .com files.
6. Follow steps 3–5 for all logical disk drives on your PC and those connected to your PC.
7. Once the cleaning process is done, you can remove the Windows 98 CD and restart your PC.
8. Re-install Windows. If you fail to follow the process in steps 3–6, the Trojan will re-activate itself from hibernation upon re-installing Windows, so it is important to follow the steps carefully.

I have just explained how I removed the Trojan from my PC. There might be better methods of doing this; just let me know if you find one. Re-installing Windows is not a compulsory step; however, if your PC is prevented from connecting to the internet or if you see damaged .jpeg files, you should re-install.

Good luck cleaning Trojans.
