Remove Kavo virus aka Trojan.Packed.NsAnti
Introduction :
Recently a colleague of mine asked me to fix her external hard disk after a virus infection that left residual autorun files. But her laptop also caught the infection, and Symantec was not very successful in removing it due to its characteristics.
Trojan.Packed.NsAnti, better known as Kavo, is malware built with a packer tool that compresses, encrypts or obfuscates Windows PE files. Malware authors often use packers to hide threats from antivirus detection. Trojan.Packed.NsAnti is therefore a detection of the packer rather than of the payload inside it: it flags files that use a packer not known to be used for legitimate purposes.
Environment :
Microsoft Windows
Installation / Usage :
1. Download "Kavo Killer" from this Taiwanese site [LINK]
2. Because the application is written in Chinese, its characters may not display correctly on a non-Chinese Windows locale.
3. The application screen has only one button. It basically says "Begin Disinfection".
4. Click the button; when it is done, it pops up another dialog.
Under the hood, Kavo Killer deletes files such as autorun.inf and ntdelect.com from the hard drive and any USB drives, and restores the registry setting that controls showing hidden files, which the virus disables so that its dropped files stay invisible in Explorer.
* After running Kavo Killer on the machine, boot into Windows Safe Mode and run a full system scan with your antivirus.
Now moving back to the external hard drive, which also had the infection: in each individual root folder I found
autorun.inf
uxkktr.cmd
vva0hc0p.cmd
Contents of autorun.inf :
;fofiw32wkalS7wis1DSklw9d14dAAi42jiZ4wa62k3qssqriws7aaDd2ws40Swq3sDiwK80r799lr0srLkk3K3lqXIeZiaK24i1e
[AutoRun]
;ilpSkKi2s583aksZosesi2iKi31L
open=uxkktr.cmd
;Ld4ikkl54Li
shell\open\Command=uxkktr.cmd
;w58e1so05J8liSwoi229Sws3Le1wwijd07wLDZ4cLija2KDowl523j2Knok3H0s2Di1daaadkSKAiA47kqw9wes5Li
shell\open\Default=1
;0LpZ7a32ea92n0KelL4
shell\explore\Command=uxkktr.cmd
;qs2oHL3fsJDlK909wkeK3a3pm2Dw2wAk07dIa0De4Z3kFfd0iKas1aZL3leiwq4d3a4Lk24j7kkj5w2e5SidJlXlr8ro09w
I deleted all of those and the folders were disinfected. Please note that I'm using Ubuntu to delete the files, so there is no danger of a file running accidentally.
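Added example, not code from this post and not Kavo Killer's own code: a Python script that does from a Linux (or Windows) host what the manual clean-up above did and what Kavo Killer does under the hood. It parses an autorun.inf while ignoring the random ";" comment lines the dropper pads it with (those lines are inert; only the key=value lines do anything), collects the file named by open, shellexecute and every shell\<verb>\command entry, and deletes autorun.inf plus those files plus ntdelect.com in every folder of the drive, in dry-run mode unless told otherwise. Other executables that nothing refers to (vva0hc0p.cmd in the listing above) are reported for review rather than deleted blindly. The sample drive it builds in a temp directory is constructed from the file names in the post; the registry values in restore_show_hidden (SHOWALL CheckedValue and the per-user Hidden flag) are an assumption, since the post names the entry only generically.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# Constructed sample: the autorun.inf from the infected drive, padding ';' lines included.
SAMPLE_AUTORUN = r""";fofiw32wkalS7wis1DSklw9d14dAAi42jiZ4wa62k3qssqriws7aaDd2ws40Swq3sDiwK80r799lr0srLkk3K3lqXIeZiaK24i1e
[AutoRun]
;ilpSkKi2s583aksZosesi2iKi31L
open=uxkktr.cmd
;Ld4ikkl54Li
shell\open\Command=uxkktr.cmd
;w58e1so05J8liSwoi229Sws3Le1wwijd07wLDZ4cLija2KDowl523j2Knok3H0s2Di1daaadkSKAiA47kqw9wes5Li
shell\open\Default=1
;0LpZ7a32ea92n0KelL4
shell\explore\Command=uxkktr.cmd
;qs2oHL3fsJDlK909wkeK3a3pm2Dw2wAk07dIa0De4Z3kFfd0iKas1aZL3leiwq4d3a4Lk24j7kkj5w2e5SidJlXlr8ro09w
"""
# Keys whose value Explorer executes: open, shellexecute, and shell\<verb>\command.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")
EXTRA_DROPPER_FILES = {"ntdelect.com"}  # also removed by Kavo Killer, per the post
EXEC_SUFFIXES = {".cmd", ".bat", ".exe", ".com", ".pif", ".scr", ".vbs"}

def parse_autorun(text):
    """Return the [AutoRun] section as {lowercased key: value}, skipping ';' noise."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launched_files(entries):
    """File names the autorun would run: first token of each launch value, unquoted."""
    return {v.split()[0].strip('"').lower()
            for k, v in entries.items() if LAUNCH_KEY.fullmatch(k) and v}

def _find_ci(folder, name):
    """Case-insensitive lookup: Linux is case-sensitive, the FAT/NTFS drive is not."""
    return next((p for p in folder.iterdir() if p.is_file() and p.name.lower() == name), None)

def clean_folder(folder, dry_run=True):
    """Delete autorun.inf, the files it launches and ntdelect.com in one folder.
    Returns (targets, suspects): suspects are other executables nothing refers to
    (vva0hc0p.cmd in the post); review those by hand instead of deleting blindly."""
    folder, targets = Path(folder), []
    inf = _find_ci(folder, "autorun.inf")
    names = set(EXTRA_DROPPER_FILES)
    if inf is not None:
        targets.append(inf)
        names |= launched_files(parse_autorun(inf.read_text(errors="replace")))
    for name in names:
        p = _find_ci(folder, name)
        if p is not None and p not in targets:
            targets.append(p)
    suspects = [p for p in folder.iterdir()
                if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES and p not in targets]
    if not dry_run:
        for p in targets:
            p.unlink()
    return targets, suspects

def clean_tree(top, dry_run=True):
    """Run clean_folder on the root and every subfolder: Kavo seeds each one."""
    targets, suspects = [], []
    for dirpath, _dirs, _files in os.walk(top):
        t, s = clean_folder(dirpath, dry_run)
        targets += t
        suspects += s
    return targets, suspects

def build_sample_drive():
    """Constructed infected drive in a temp dir, mirroring the post's findings."""
    root = Path(tempfile.mkdtemp(prefix="kavo_"))
    for folder, dropper in ((root, "uxkktr.cmd"), (root / "Photos", "UXKKTR.CMD")):
        folder.mkdir(exist_ok=True)
        (folder / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (folder / dropper).write_bytes(b"@echo constructed dropper\r\n")
        (folder / "vva0hc0p.cmd").write_bytes(b"@echo constructed dropper\r\n")
    (root / "ntdelect.com").write_bytes(b"MZ")  # constructed stand-in for the dropper
    (root / "notes.txt").write_text("legitimate user data\n")
    return root

def restore_show_hidden():
    """Windows only, run elevated: put Explorer's 'show hidden files' switch back.
    Assumed values: the post only says Kavo Killer re-enables 'the registry entry'."""
    if sys.platform != "win32":
        return False
    import winreg
    for hive, path, name in (
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"),
    ):
        with winreg.OpenKey(hive, path, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, 1)
    return True
```

Point clean_tree at the mount point of the drive (for example /media/usb on Ubuntu) with dry_run=True first and read the list before running it with dry_run=False; unreferenced executables come back as suspects so that a legitimate batch file at the root of the drive is not silently removed. Like the author's Ubuntu approach, nothing here executes the dropper: the script only reads autorun.inf and unlinks files. restore_show_hidden is only for the Windows machine itself, needs an elevated prompt for the HKLM value, and returns False on any other platform.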
I'm Loy and welcome to my blog. I'm an IT engineer who spends a lot of time tinkering with technology; away from work I enjoy capturing the moments and enjoying God's greatest gift: appetite. Hope you find the information here useful or entertaining. Feel free to give feedback about my blog or give a shoutout.