Sophos Detects Computer Virus Scar-H

Security company Sophos has just spotted one Windows PC virus that it has termed as Scar-H. The company's security researchers disclosed that this malware's payload systematically substituted each .exe file belonging to the computer's C: drive with its own duplicate.

Also, as the entire procedure begins from the root directory of the system, the impact, which is bad, is pretty fast. Incidentally, Windows default debugger is Drwtsn32.exe that's made to seize a file dumping processes, along with a collision log. The dumping file is displayed as a message of error to Microsoft. Thereafter, W32/Scar-H easily substitutes Drwtsn32.exe with its own duplicate.

Thus, whenever Windows summons Drwtsn32.exe to deal with one that's not usual, Windows creates one more W32/Scar-H process. This summoning procedure of Drwtsn32.exe continues indefinitely and recursively until the host PC gets totally unresponsive.

Subsequently, if the PC is rebooted, a message appears that says that Windows was unable to start as the <Windows root>\system32\ntoskrnl.exe file is corrupt or absent. It then instructs to re-install the mentioned .exe file. In reality, the message means that the virus W32/Scar-H has effectively substituted ntoskrnl.exe.

Incidentally, the substituted filenames will remain unchanged. Consequently, these filenames fuel the volatile nature of the combination. And as multiple file substitutions take place within the system's C: drive, crash down of an application is inevitable.

Explains Sophos, W32/Scar-H proliferates by adding AutoRun files to tools that correspond with drive letters. Besides, the virus proliferates onto any tool which corresponds with a particular drive letter via the creation of a few files containing the concealed factor.

Remarking about how the virus works, Sophos researchers stated that hardly in the present days, did one come across a malware item, which was solely created to destruct a victim's PC. W32/Scar-H was one instance of those malicious programs that literally blasted on the victimized PC.

However, the virus could be cleaned from an infected PC via the elimination of all its copies as well as the registry entries associated with it. Furthermore, the actual files must be brought in after resorting to a backup data,or relevant application re-installed, suggested Sophos.

Related article: Spike in Attacks Causes Early Release of Windows Patch

» SPAMfighter News - 18-05-2010

All SPAMfighter products offer a free trial!

SPAMfighter is a free spam filter for Outlook, Outlook Express,Windows Mail, Windows Live Mail and Thunderbird.

Optimize your Slow PC for better performance. Try FREE scan now

Disk space recovery
and disk optimization. Try FULL-DISKfighter free

SPAMfighter Exchange Module is a Spam filter for Exchange server - Free 30 days trial.

Remove Spyware with SPYWAREfighter - Free 30 days trial

Antivirus software for your Windows PC - Free 30 days trial