| Thread ID: 88549 | 2008-03-31 16:25:00 | Black Pegasus Making The Rounds.... | SurferJoe46 (51) | PC World Chat |
| Post ID | Timestamp | Content | User | ||
| 654636 | 2008-03-31 16:25:00 | Just a heads-up here... this is in my correspondence this AM in SOCAL... it's from my friends in a white-hat facility in Guam and Subic Bay. Black Pegasus corrupts or makes changes to: svchost.exe, transmit.exe, isetup.exe, autorun.inf, diffuse.dat, p3g4sus.dat. One big tip-off that you have BP is you will already have transmit.exe... Maybe! The virus files are very hidden in your drives. You will likely not see them. :dogeye: This virus will also duplicate all your folders, so if you have 2000 folders on your hard disk it will become 4000 folders. If you are near maxed out on your HDDs, you will flood them, with the chance of totally corrupting your installation. The size of the folders is 0 bytes, but really they will set aside about 256k for their position/name, as Windows manages empty folders with that value anyway; if you see folders that have 227KB size, that's the actual virus call and the extension is the application. It's a baddie... and there's a lot of corruption it seems to be doing, with more info coming in all the time. There is a lot of midnight oil and Twinkies (geek-speed) being consumed to get this off the internet or to harden the world-wide PCs. It's right now in the wild, but a good firewall and a decent DSL router/hub is a good starting security device. Here's a (LONG) list of what it does.

THE FIRST TIME IT ENTERS OR IS CALLED, AND BEFORE REBOOT OR RESTART:
* Disables Windows Safe Mode
* Hides Virus From Task List

THEN THE REGISTRY GETS SOME MANIPULATION:
* Disables FIND feature in Microsoft Windows
* Disables RUN feature in Microsoft Windows
* Hides File Extensions Of Known Windows Files
* Hides Hidden Files
* Disables Removable Autorun
* Replaces Registered Owner (My Computer Properties, Registered Owner is changed to: Bl4ck P3g4sUs)
* Replaces Registered Organization (My Computer Properties, Registered Organization is changed to: S0ci3ty 0f H4ck3rs Unlimit3d)

WINDOW NAME MONITORING (It will minimize this unseen window, putting it below the Taskbar where it cannot be maximized or restored.) From this point on, Black Pegasus will monitor all open programs. If Black Pegasus sees a match on the list below it will automatically minimize the program, again below the Taskbar. Here is the list of programs (not case-sensitive): antivirus, anti-virus, anti, virus, anti-malware, protect, malware, antispyware, spyware, process, notepad, winpatrol, spy, adware, anvir, heal, policy, detector, remover, removal, lavasoft, pestpatrol, eliminator, eliminate, spycop, doctor, spysweeper, cleaner, ad-ware, autorun, viewer, blocker, ahnlab, sysinternal, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, DrWeb, eSafe, eTrust-Vet, Ewido, FileAdvisor, Fortinet, F-Prot, F-Secure, Ikarus, Kaspersky, washer, McAfee, NOD32, Norman, Panda, Sophos, Sunbelt, Symantec, norton, TheHacker, VBA32, VirusBuster, Webwasher-Gateway, ATF-Cleaner, destroy, scan, terminat, task manager, task, share, watch, alert, attention, registry, wordpad, folder options, pegasus, hex, wscript, V3, Alladin, alwil, avira, Bit9, fileadvisor, clam, dr.web, doctor web, grisoft, nvc, platinum, prevx, firewall, sunbelt, system restore.

Then the LOCAL/REMOVABLE DRIVE will be infected, with or without a reboot/restart needed:
* Writes TRANSMIT.EXE
* Writes ISETUP.EXE
* Writes autorun.inf
* P3g4sus sets mode to +Read Only, +System, +Hidden

Next it WRITES to the TEXT FILE:
* Dumps text file named PEGASUS.DOC

Now, the P3G4SUS FINALE; this is after the unsuspecting SYSOP reboots... tomorrow or next week... or whenever that usually happens:
* Loads p3g4sus in startup (thereby hooking registry)
* Loads startup anti-deletion key (p3g4sus auto-start registry key, delete command removed)
* Mimics legitimate M$ programs with fake/mimed screens and key-commands and macros. All appears normal in Windows.

Screen burst (which MAY or MAY NOT appear in a flash... look quick... it doesn't last long!!!), details below (looks like a DOS screen, white font on black screen, usually in a small box on the left side of the screen):
LOOP LOOP LOOP LOOP LOOP LOOP LOOP LOOP END END END END END END END END END END END

Automatic Removal. Yeah! Good luck!

To remove this virus download Panda Antivirus --> www.softpedia.com/get/Antivirus/Panda-Antivirus-Titanium.shtml
Download this tool also to re-enable Task Manager, Regedit, Folder Options etc. --> www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml

Update your Antivirus first before doing a full scan. Scan your "My Computer" with a right click on the icon and use your built-in aftermarket or Panda scanner for this. You DO have a scanner... right? Remove the virus in both/all drives BEFORE ANY REBOOT OR RESTART! THIS IS IMPERATIVE!!!! This virus does not just hide in M$ or Windows op files. It can and WILL hide in data files, MP3 or ripped music/videos. You may notice that a little chunk of RAM is missing also... this is the way BP keeps ahead of AV and protection programs... it's already running and then cannot be modified... an old DOS hang-up from a long time ago about open files and such.

After that, AND ONLY AFTER THE ABOVE IS ACCOMPLISHED... restart your computer immediately. Then use the Registry Repair Tool from the Panda download to re-enable Task Manager, Regedit, Folder Options etc.

Manual Bl4ck P3g4SuS Removal Instructions:
1. Run HJT in Safe Mode (if you can get there, that is) and kill this process: (c:\Windows\Systen32\SVCHOST.EXE).
2. Use RRT to remove restrictions from your PC; check all check boxes, then press the REMOVE button.
3. You are about to remove or delete the virus backup files. PLEASE TAKE NOTE OF THE FILE PATH, just pay attention here... but ultimately delete them... it will cause you trouble in the next re-boot if you don't. If you don't see this happening, then assume it is OK and you can just skip this part. The infection may not have set with a cold-boot or restart yet. You are very fortunate if this is so. That is, however, a BIG assumption. This virus is morphing moment-by-moment and is very virile and replicating with unknown morphs!

NOW... while still in HJT/safe mode:
* Delete WINLOGON.EXE found in "c:\Program Files\System\" folder.
* Delete SVCHOST.EXE found in "c:\Windows\Systen32\" folder.
* Delete SVHOST.EXE found in "c:\Windows\System32\" folder.
* Delete LSASS.EXE found in "c:\Windows\" folder.
* Delete DRACU.EXE found in "c:\Windows\" folder.
* Delete PROGGY.EXE found in "c:\Program Files\" folder.
* Delete ISETUP.EXE found in "c:\Windows\System32\" folder.
* Delete TRANSMIT.EXE found in "c:\Windows\System32\" folder.
* Delete P364SUS.DAT found in "c:\Windows\System32\" folder.
* Delete DIFFUSE.DAT found in "c:\Windows\System32\" folder.
* Delete ISETUP.EXE, TRANSMIT.EXE and AUTORUN.INF found in the root directory of your local drives (e.g. C:\, D:\, E:\ etc.)
* And you're done. :dogeye: :eek: :waughh: Reboot, and if you're paranoid, go through it all over again.

I got this from some friends in the Philippines, and they spend almost every waking moment on keeping these nasties off PCs. They are all white hats and this is their devotion. Hopefully no-one in NZ has any troubles with this virus. It can happen with poor security, un-done M$ updates and/or going to nasty sites and opening strange (and not-so-strange) emails. If you use "Preview" in your email, you are actually opening the door for viral insertions. Turn that option OFF! And of course, stop running in ADMIN Mode! Don't trust McAfee or Norton to be up on this... they are usually several days late and a few keystrokes behind the curve. Unbelievable as it may seem, the Windows resident Firewall is already tuned up to keep this guy out... but are YOUR updates up to date? Got SP2? Hahahahah!

-oO0Oo-

EDIT: As I wrote this, there's some new chatter about it. C/P from them as follows: "the only way to remove it would be either in DOS mode or via tools like killbox. killbox was able to be closed by w32 kilabot :p itty bitty process manager by Merijn (hijackthis author) gets the job done. I've consulted him on how to prevent those annoying things from closing my program. being a good guy himself, he gave pointers on how to hook as much functions so any other possible way of closing the app is superseeded." Mis-spellings are from the excitement and fury of this infection. They are working their keyboards into smoke. |
SurferJoe46 (51) | ||
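A triage script for the indicators in the post above, added here as an example; it is not from the post, from SurferJoe46's contacts, or from Panda, RRT or HijackThis. It checks the standard Windows registry values behind the Find, Run, Folder Options, Task Manager and Regedit restrictions, the RegisteredOwner/RegisteredOrganization strings, the SafeBoot keys, the Run-key autostarts, running processes, and the dropped files at the paths the post names. The registry value names are the standard ones for those features (an assumption about how the worm sets them, since the post does not name them), and the Safe Mode check assumes the common technique of deleting the SafeBoot keys. Run it from an elevated PowerShell prompt; it only reports unless `-Remediate` is given.

```powershell
# Added example, not code from the post or from any tool it names.
# Read-only unless -Remediate is passed. Requires an elevated PowerShell 3+ prompt.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Processes first: the post says files cannot be removed while the worm is running.
#    Names are the distinctive ones from the post; svchost/lsass/winlogon are NOT
#    matched here because the genuine services carry those names.
Get-Process | Where-Object { $_.ProcessName -match '^(transmit|isetup|p3g4sus|dracu|proggy|svhost)$' } |
    ForEach-Object {
        $findings.Add("running: $($_.ProcessName) pid $($_.Id) path $($_.Path)")
        if ($Remediate) { Stop-Process -Id $_.Id -Force }
    }

# 2. Dropped files: drive roots (autorun.inf + droppers) and the paths listed in the post.
#    "Systen32" is reproduced as the post spells it; System32\svchost.exe is never touched.
$dropped = @()
foreach ($root in (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })) {
    foreach ($name in 'autorun.inf', 'transmit.exe', 'isetup.exe') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $dropped += $p }
    }
}
$known = @("$env:SystemRoot\System32\transmit.exe", "$env:SystemRoot\System32\isetup.exe",
           "$env:SystemRoot\System32\diffuse.dat",  "$env:SystemRoot\System32\p3g4sus.dat",
           "$env:SystemRoot\System32\svhost.exe",   "$env:SystemRoot\Systen32\svchost.exe",
           "$env:SystemRoot\lsass.exe",             "$env:SystemRoot\dracu.exe",
           "$env:ProgramFiles\proggy.exe",          "$env:ProgramFiles\System\winlogon.exe")
$dropped += $known | Where-Object { Test-Path -LiteralPath $_ }
foreach ($p in $dropped) {
    $item = Get-Item -LiteralPath $p -Force            # -Force: the post says +R +S +H are set
    $note = "dropped file: $p [$($item.Attributes)]"
    if ($item.Name -ieq 'autorun.inf') {                # show what the autorun would launch
        $launch = Select-String -LiteralPath $p -Pattern '^\s*(open|shellexecute)\s*=' | Select-Object -First 1
        if ($launch) { $note += " launches: $($launch.Line.Trim())" }
    }
    $findings.Add($note)
    if ($Remediate) {
        $item.Attributes = 'Normal'                     # clear read-only/system/hidden before deleting
        Remove-Item -LiteralPath $p -Force
    }
}

# 3. Autostart entries that reference the dropped files.
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip PowerShell's own metadata properties
        if ("$($prop.Value)" -match 'transmit|isetup|p3g4sus|diffuse|dracu|proggy') {
            $findings.Add("autostart: $k\$($prop.Name) = $($prop.Value)")
            if ($Remediate) { Remove-ItemProperty -Path $k -Name $prop.Name }
        }
    }
}

# 4. Restrictions the post describes, via the standard Explorer/System policy values.
#    Fix = $null means "delete the value"; otherwise the value is set to Fix.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$checks = @(
    @{ Path="$policy\System";   Name='DisableTaskMgr';       Bad=1 },
    @{ Path="$policy\System";   Name='DisableRegistryTools'; Bad=1 },
    @{ Path="$policy\Explorer"; Name='NoRun';                Bad=1 },
    @{ Path="$policy\Explorer"; Name='NoFind';               Bad=1 },
    @{ Path="$policy\Explorer"; Name='NoFolderOptions';      Bad=1 },
    @{ Path=$advanced;          Name='HideFileExt';          Bad=1; Fix=0 },
    @{ Path=$advanced;          Name='Hidden';               Bad=2; Fix=1 }   # 2 = hide hidden files
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -ne $c.Bad) { continue }
    $findings.Add("restriction: $($c.Path)\$($c.Name) = $v")
    if (-not $Remediate) { continue }
    if ($null -eq $c.Fix) { Remove-ItemProperty -Path $c.Path -Name $c.Name }
    else { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Fix }
}

# 5. Owner/organization strings and Safe Mode keys. Reported only: the original owner
#    strings cannot be inferred, and SafeBoot keys must be restored from a clean system.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
foreach ($n in 'RegisteredOwner', 'RegisteredOrganization') {
    if ("$($ver.$n)" -match 'p3g4s|h4ck3r') { $findings.Add("$n tampered: '$($ver.$n)'") }
}
foreach ($sb in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb")) {
        $findings.Add("SafeBoot\$sb key missing (Safe Mode likely disabled)")
    }
}

# 6. Hardening: stop autorun.inf on any drive from launching anything (0xFF = all drive types).
if ($Remediate) {
    New-Item -Path "$policy\Explorer" -Force | Out-Null
    Set-ItemProperty -Path "$policy\Explorer" -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

if ($findings.Count -eq 0) { 'No Black Pegasus indicators found.' } else { $findings }
```

Save it under a bland name before running: the post says the worm minimizes any window whose title contains strings like "process", "task", "registry", "scan" or "pegasus", and a PowerShell window titled after this script would match. The order matters too: processes are stopped before files are deleted (a running image cannot be removed), and the registry restrictions are cleared last so Task Manager and Folder Options come back usable. RegisteredOwner and the SafeBoot keys are only reported, because the script has no way to know what the correct values were.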
| 654637 | 2008-03-31 16:40:00 | Gads! This is #4 on the Google hit-list now too. Just for kicks and giggles, right click on MY COMPUTER and go to >> PROPERTIES and check to whom your 'puter is registered. |
SurferJoe46 (51) | ||
| 654638 | 2008-03-31 17:24:00 | Jeeez Joe... we wake up to April Fools' Day to see your post!!! Is it for real or what?? Ken :badpc: |
kenj (9738) | ||
| 654639 | 2008-03-31 18:43:00 | Jeeez Joe... we wake up to April Fools' Day to see your post!!! Is it for real or what?? Ken :badpc: Good question. I would say the USA is still on 31/3/2008 or, if you prefer, this would be 3/31/2008. |
Sweep (90) | ||
| 654640 | 2008-03-31 18:55:00 | Pwned | zqwerty (97) | ||
| 654641 | 2008-03-31 19:58:00 | Good question. I would say the USA is still on 31/3/2008 or, if you prefer, this would be 3/31/2008. Errm... If Joe got his info from Guam/Philippines, then they are already in April Fools' Day. So - is it real or not? - I must say it has some of the hallmarks of a hoax (way too much detail for something so new, plus exhortations to delete a lot of Windows system files as part of the "solution"...). Or maybe it's reverse psychology - releasing a virus on April Fools' would be pretty sneaky! |
MushHead (10626) | ||
| 654642 | 2008-03-31 21:19:00 | Maybe they celebrate Apr 1st on March 31st. Dunno... but I got it in my "IN" box this AM... and the source has always been reputable before. Time will tell... It doesn't hurt to be cautious. |
SurferJoe46 (51) | ||
| 654643 | 2008-03-31 21:32:00 | This was first reported on February 25 this year, so it is unlikely to be an April Fools' joke. That being said, it might be advisable for beginners not to run through the manual removal instructions, as it could render your PC useless. |
Jan Birkeland (4741) | ||
| 654644 | 2008-03-31 23:37:00 | why just DOS and Killbox? Surely linux is an easier fix? | Thebananamonkey (7741) | ||
| 654645 | 2008-04-01 01:04:00 | why just DOS and Killbox? Surely linux is an easier fix? Because most people who use PCs think "Linux" is a sunburn balm or drain cleaner. |
SurferJoe46 (51) | ||