Sophos Detects Computer Virus Scar-H
Security company Sophos has just spotted one Windows PC virus that it has termed as Scar-H. The company's security researchers disclosed that this malware's payload systematically substituted each .exe file belonging to the computer's C: drive with its own duplicate.
Also, as the entire procedure begins from the root directory of the system, the impact, which is bad, is pretty fast. Incidentally, Windows default debugger is Drwtsn32.exe that's made to seize a file dumping processes, along with a collision log. The dumping file is displayed as a message of error to Microsoft. Thereafter, W32/Scar-H easily substitutes Drwtsn32.exe with its own duplicate.
Thus, whenever Windows summons Drwtsn32.exe to deal with one that's not usual, Windows creates one more W32/Scar-H process. This summoning procedure of Drwtsn32.exe continues indefinitely and recursively until the host PC gets totally unresponsive.
Subsequently, if the PC is rebooted, a message appears that says that Windows was unable to start as the <Windows root>\system32\ntoskrnl.exe file is corrupt or absent. It then instructs to re-install the mentioned .exe file. In reality, the message means that the virus W32/Scar-H has effectively substituted ntoskrnl.exe.
Incidentally, the substituted filenames will remain unchanged. Consequently, these filenames fuel the volatile nature of the combination. And as multiple file substitutions take place within the system's C: drive, crash down of an application is inevitable.
Explains Sophos, W32/Scar-H proliferates by adding AutoRun files to tools that correspond with drive letters. Besides, the virus proliferates onto any tool which corresponds with a particular drive letter via the creation of a few files containing the concealed factor.
Remarking about how the virus works, Sophos researchers stated that hardly in the present days, did one come across a malware item, which was solely created to destruct a victim's PC. W32/Scar-H was one instance of those malicious programs that literally blasted on the victimized PC.
However, the virus could be cleaned from an infected PC via the elimination of all its copies as well as the registry entries associated with it. Furthermore, the actual files must be brought in after resorting to a backup data,or relevant application re-installed, suggested Sophos.
Related article: Spike in Attacks Causes Early Release of Windows Patch
» SPAMfighter News - 18-05-2010