blog of Guganeshan.T

June 4, 2008

Infected with a Trojan

Filed under: Featured Articles, Privacy and Security — Guganeshan.T @ 1:01 pm
  1. Do you see one or more of the following files being created in the root of every drive you access?
    • autorun.inf
    • autorun.ini
    • fun.exe
    • download.exe
    • coursework.exe
    • crazya.exe
    • oalvm.com [EDITED ON 10th JUNE]
  2. Do you see any of the executables mentioned above (the ones with the .exe or .com extension) running in the ‘Processes’ list of Task Manager?
  3. Do you get an ‘Open with’ dialogue box when you double-click a drive in “My Computer”, instead of the drive opening?
  4. Do you see any of the above-mentioned executable files in the “C:\Documents and Settings\All Users\Application Data” folder?
  5. Do you see the words “gods must be creazy” in the title bar of Internet Explorer? Yes, you read that right: it should be “crazy”, but the creator has written it as “creazy”! 🙂

Then it’s time to panic (a little), because the computer is infected with a Trojan…
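The checklist above can be turned into a small triage script. The following is an added example, not the author's tool and not HijackThis: it checks the items that can be checked programmatically (indicator file names at drive roots, an autorun.inf whose launch entries point at one of the listed executables, matching process names, and the Internet Explorer title-bar string). The file and process names are the ones from the checklist; the assumption that symptom 5 comes from the IE “Window Title” registry value is mine, as are the helper names. Finding a match is a reason to investigate, not proof on its own, since the names are generic.

```python
"""Triage for the autorun.inf Trojan described in the post (added example,
not the author's tool). Pure checks are separate functions so they can be run
against a mounted thumb drive, a directory image, or a saved process list."""
import csv
import os
import string
import subprocess
import sys

# File names from the post's checklist; compared case-insensitively.
INDICATOR_FILES = {
    "autorun.inf", "autorun.ini", "fun.exe", "download.exe",
    "coursework.exe", "crazya.exe", "oalvm.com",
}
INDICATOR_EXECUTABLES = {n for n in INDICATOR_FILES if n.endswith((".exe", ".com"))}
# Symptom 5 from the post. Assumption: the title-bar text is set through the
# "Window Title" value under HKCU\Software\Microsoft\Internet Explorer\Main.
IE_TITLE_MARKER = "gods must be creazy"


def parse_autorun(text):
    """Return {key: value} from the [autorun] section of an autorun.inf body.
    Hand-rolled so a BOM, ';' comments, odd casing and duplicate keys do not
    break it; the first occurrence of a key wins."""
    entries = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def autorun_launch_targets(entries):
    """Program names (lowercase, no directory) that the autorun.inf would run:
    the open= and shellexecute= values plus every shell\\<verb>\\command= entry."""
    targets = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):  # quoted path, may contain spaces
                program = value[1:].split('"', 1)[0]
            else:
                program = value.split()[0] if value else ""
            if program:
                targets.append(os.path.basename(program.replace("\\", "/")).lower())
    return targets


def scan_drive_root(root):
    """Findings for one drive root: indicator files present, and an autorun.inf
    whose launch target is one of the indicator executables."""
    try:
        names = {n.lower(): n for n in os.listdir(root)}
    except OSError as exc:
        return [f"{root}: could not list ({exc})"]
    findings = [f"{root}: indicator file present: {names[n]}"
                for n in sorted(INDICATOR_FILES & names.keys())]
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for target in autorun_launch_targets(entries):
            if target in INDICATOR_EXECUTABLES:
                findings.append(f"{root}: autorun.inf launches indicator executable {target}")
    return findings


def check_processes(image_names):
    """Indicator executables among a list of running process image names."""
    return sorted({n.lower() for n in image_names} & INDICATOR_EXECUTABLES)


def check_ie_title(window_title):
    """True if the IE 'Window Title' value carries the string from symptom 5."""
    return IE_TITLE_MARKER in (window_title or "").lower()


def running_image_names():
    """Image names from 'tasklist /FO CSV /NH' (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return [row[0] for row in csv.reader(out.splitlines()) if row]


def ie_window_title():
    """Read the IE 'Window Title' value; None if unset or not on Windows."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main") as key:
            return winreg.QueryValueEx(key, "Window Title")[0]
    except (ImportError, OSError):
        return None


def main():
    # On Windows walk every mounted drive letter, as the checklist says the files appear on all of them.
    roots = [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")] if os.name == "nt" else ["/"]
    findings = [f for r in roots for f in scan_drive_root(r)]
    if os.name == "nt":
        findings += [f"running process matches indicator: {p}" for p in check_processes(running_image_names())]
        if check_ie_title(ie_window_title()):
            findings.append("IE title bar carries the 'gods must be creazy' marker")
    print("\n".join(findings) if findings else "no indicators from the post's checklist found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a normal user first; it only reads, so it is safe to re-run after cleanup to confirm the files and process are gone. Checking the autorun.inf launch target rather than just the file name is what separates a harmless autorun.inf left by a vendor from one that starts crazya.exe on every drive you open.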

I am used to suspending anti-virus software to conserve memory (especially when using memory-intensive software like Microsoft Visual Studio), and got the computer infected with a Trojan when I shared my thumb drive with another person!

I thought it was just a poor old Trojan that I could remove in a second using the existing anti-virus software, but it didn’t even detect it.

Terminating the process named crazya.exe was impossible (I even tried the “TaskKill” DOS command repeatedly in a loop with the /f option to force the termination, but it was no use).

The biggest surprise came when I Googled the file name “crazya.exe”… I got only 7 results in Google! Of those, 1 was from a Chinese web site, and 1 from Sri Lanka itself. That meant trouble for me, because it means either it has no cure or it’s a new Trojan. But I confirmed it’s a Trojan only from those 7 results I found (none of them had a tool to clean it… but one of them mentioned the well-known HijackThis diagnostic tool).

One site named it “Trojan horse Generic8.GHY”, and another said it’s from the malware group named “Trojan.agent.gen”.

Anyway, what I did to get rid of it was:

  1. Ran HijackThis (it’s a free diagnostic tool)
  2. In the list of processes and registry entries it shows, I selected all the entries that contained the word “crazya.exe” (the other executable names were not there for me)
  3. Clicked the “Fix checked” button
  4. Manually deleted the files I mentioned from the root of every drive

That’s it… it was gone.

Warning: They recommend that users create a HijackThis log with the tool and post it in anti-adware/malware forums so that the experts can diagnose the problem. If you don’t know what you are doing, you might delete important registry entries using the excellent HijackThis tool.

[EDIT: On another PC, the HijackThis tool alone was not enough, and I had to restart the PC in ‘Safe Mode’ and delete the files (mentioned at the beginning of the post) from the root of every drive, because the files were running in memory.]

Hope this helps someone

UPDATE [on 10th February 2009]:

I tried the latest “Kaspersky Anti-Virus 2009 Free 30 Day Trial” with an infected thumb drive, and the software detects and deletes the Trojan files. Hope this helps someone (download and try the Kaspersky Anti-Virus 2009 free trial from the “trials” page here: http://www.kaspersky.com/trials).

And thank you very much for the comments.

5 Comments »

  1. HEY…. Great post there. I have the same stupid virus and it’s really bugging me. Nice to see you are a Lankan too. I live in SL as well

    Comment by Mahela007 — August 16, 2008 @ 11:50 am

  2. Thanks Mahela007,

    My opinion is, it is best to use a tool such as “SpyBot Search And Destroy” (which is free) to protect against any unknown threats (While also having an anti-virus tool). It will prevent many headaches for you.

    Comment by Guganeshan.T — August 19, 2008 @ 7:18 am

  3. Hey! Thanks a lot for your post, man! It did help me find out what was wrong with my machine…. Had I not found this, I would have lost my head!!!

    Comment by Nouman — November 20, 2008 @ 7:05 pm

  4. You are welcome Nouman… hope you manage to get rid of it.

    Comment by Guganeshan.T — November 26, 2008 @ 8:05 am

  5. Hey!! Thank you so much for this entry. I have been getting the gods must be creazy thing too and it’s been very annoying. I have had 4 antiviruses AND spybot and none of them caught it :s

    I’m downloading HJT now. Thank you again

    Comment by darkmanifestation — February 8, 2009 @ 4:41 am
