Wednesday, August 08, 2007

Nhatquanghlan Update

I recently noticed a spurt in the traffic to my blog which is apparently caused by people looking for answers to the Nhatquanghlan worm. Well, over here in Chandigarh, it seems that this virus is just about in all computers and is being spread by the ubiquitous pen/usb/zip/thumb drive. From my ruminations on the net and frequent tinkering around the ward computer that gets reinfected almost every day, I have made certain observations that seem to make some conclusions about this worm.
1. This worm spreads by USB drives though it is possible that other portable media may be involved too.
2. It causes the task manager, the folder options, registry files to be altered.
3. It can be diagnosed by the above symptoms.
4. There is a crappy looking folder icon that is seen (with same name as the original folder), the file size of which is 282 kb.
5. It makes the computer slow down, and no anti-virus as of now seems to catch hold of it.
6. Inability to stop the USB drive from remove hardware safely option.
7. Inability to format the USB drive.
8. The worm is an autorun .exe file and executes and infects every time a USB drive is plugged in.
Cure:
1. Download Hijack this(free), and the task manager fix of the interra group (also free), and a program called spybot killer.
2. Run the hijack this (rename it first or it wont start), and fix all files with scvhost.exe (not svchost.exe), run spybot, and then task manager fix. This should cure it. As u learn more about viruses, hijack this is probably the most useful program to have.
3. Reboot, and should run ok.
Prevention:
1. USB hygiene is paramount. Disable autorun (wont happen unless infection is cleared first) using administrative tools.
2. Do not run any program from the USB drive, copy paste on to computer first.
3. Scan USB drive all the times.
4. Format USB drive often.
5. Read about hakaglan on the web.

All the best.


6 comments:

billwoo said...

Sat Sri Akal, Shrinked Immaculate,

I'm in Chiang Mai, Thailand (American), trying to help a friend of mine here whose whole LAN (five computers) has been paralyed by nhatquanglan.

Appreciate your comments, and hope you will expand on them or report further.

"phir melenge" Uncle Sally

Unknown said...

Hi..
Thanks for this entry. It helped me get rid of nhatquanglan from my laptop, but forgive me for being a total computer illiterate, but how do I disable autorun? My flash disk still has the virus, and I can't format it...!

Unknown said...

Thanks. You have saved my PC from 'nhatquanglan'.

Robin Batra said...

baai ji, gaah paa taa tussi taan !!

Unknown said...

Sorry for posting a comment on some thing written an year ago...

but I faced the problem quite recently.. Your instructions are clear...
but i am unable to find proper download for task manager fix from interra group... where do i get this....
And also what does rename hijack this mean... Do i have to change the application tyoe as well...?
Can you give a more detailed explanation.....?

Shrinked Immaculate said...

Srikanth, I am quite sure that all anti-virus programs as of now catch this virus. I think you can download AVG free and it will do the trick.

Locations of visitors to this page