What the hell is a WIN32.HiDrag anyway?

   It claims to be a non-malicious virus that infects PE executables and simply inserts a line of text into the file and registry; but we at AGA say otherwise.

   HiDrag is defined as "not a dangerous memory resident parasitic Win32 virus". The first listing of Win32.HiDrag was from Kaspersky Labs; they list its discovery date as June 4, 2003.

SUMMARY

   The Win32.HiDrag virus infects Win32 PE .EXE files. While infecting these files the virus encrypts a portion of the victim file. Those using any P2P network should take note of this fact; bigger is not always better.
   When the virus is run it creates a copy of itself, somewhere around 36K in size, in the host computer's root Windows directory as the file "svchost.exe", and registers this file in the system registry auto-start key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices PowerManager = %WindowsDir%\SVCHOST.EXE

   The virus then stays in the host computer's Windows memory as an active process. It then searches the host computer for EXE files on all drives starting with C: and infects ALL .exe files. This would seem to indicate that the host computer's A: and/or B: drives are safe from the HiDrag virus.
   A precautionary measure in dealing with this threat could be to change the name of the C: drive to B:, if that drive letter is not already in use, at least while dealing with the deletion of this little pest.
   Supposedly the virus does not manifest itself in any way, yet it contains the encrypted text strings:

Hidden Dragon virus. Born in a tropical swamp.
PowerManagerMutant

   The odd thing is that only a very select few AV companies' software seems to pick this little dragon up; namely Kaspersky, NOD and AVG Grisoft. Kaspersky and NOD are the same company in different countries and AVG is unreachable.

   The problem with this is that it appears that the so-called W32.Hi-Drag is actually a Win32 Jeefo virus that is spread throughout the host computer via a 'dropper', and in a matter of hours all .exe files on the host computer are infected.

   Why then the Hi-Drag analysis by a few AV companies? We don't know; but we do care.

What to do if you are infected by dropper.jeefo, W32 Hi-Drag, W32.Jeefo or the Jeefo virus.

   On a W2K system or a WIN-XP system it is fairly easy to abort the spread. The W32.Jeefo is spread by a 'dropper' exe that is inserted into the host's root folder, WINNT or Windows, as a generic svchost.exe. That dropper then creates a service called 'Power Manager' that starts automatically each time the computer is booted up.
   First the user needs to kill the svchost.exe in the infected computer's root directory in order to stop the spread of this virus during disinfection. When attempting to delete the file svchost.exe the user will be told that it is in use and cannot be deleted; still, it MUST be deleted.
   Task Manager will not let you delete this file either, and the same 'in-use' message will appear. A great piece of software that I keep handy on a floppy disk is ProgKill; it kills whatever you tell it to. Alternatively, use the SysInternals software called ProcExp (links to both homepages are at the bottom of this page). Now shut down the svchost.exe with either of those programs. Immediately after terminating the process, delete the file svchost.exe and go to the next step.

(In a native Windows root directory there is no svchost.exe)

   Go into 'Administrative Tools' and open 'Services'. Find Power Manager and right click to go to its properties. Disable the bastard to start with, and stop its running, thus stopping its reloading at next system boot and stopping its continuous spread during disinfection. Next, go into 'Add/Remove Hardware' in the control panel and click on 'view hidden devices'; scroll down until you find 'Power Manager' and uninstall it as a piece of hardware and thus as a service.
   Next use a good AntiVirus program such as SRNMicro Solo Anti Virus or Sophos Anti Virus (both at the top of our Top Ten AV Software, and as yet uncracked). Have your AV software run a scan and clean and delete all infected files; it is a good idea to put your original OS (Windows) CD in the drive in case a system file needs to be deleted.
   Next, open your Start menu, click 'Run', type CMD into the text box and hit enter. The DOS-like command prompt shell will open. Type 'SFC /purgecache' and, with your Windows CD in the main CD-ROM drive, hit enter. This will force Windows to purge its DLL cache and repopulate it with clean system files. After the scan/purge/clean is finished, type 'SFC /Enable' and hit enter again. This will make sure that your OS has its System File Checker enabled.
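The manual steps above can be checked and, if wanted, carried out from an elevated PowerShell prompt. This is an added example and not part of the original AGA page; it assumes only the indicators the page itself gives (a svchost.exe in the Windows root, the PowerManager value under the RunServices key, and a service named 'Power Manager') and reports only unless -Remediate is passed. Infected .exe files still need the AV scan and SFC steps described above.

```powershell
# Added example (not AGA's code): report, and optionally remove, the HiDrag/Jeefo
# dropper indicators described on this page. Run from an elevated prompt.
param([switch]$Remediate)

$dropper  = Join-Path $env:WinDir 'svchost.exe'   # the legitimate copy lives in System32
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$findings = @()

# 1. Dropper file in the Windows root (a clean install has no svchost.exe there)
if (Test-Path -LiteralPath $dropper) {
    $findings += "File present: $dropper"
}

# 2. svchost processes launched from that path (ignore the System32 instances)
$procs = Get-Process -Name svchost -ErrorAction SilentlyContinue |
         Where-Object { $_.Path -and ($_.Path -ieq $dropper) }
foreach ($p in $procs) { $findings += "Process running from dropper path: PID $($p.Id)" }

# 3. Auto-start value under RunServices
$val = Get-ItemProperty -Path $runKey -Name 'PowerManager' -ErrorAction SilentlyContinue
if ($val) { $findings += "RunServices value PowerManager = $($val.PowerManager)" }

# 4. Service registered under the display name the page gives
$svc = Get-Service -DisplayName 'Power Manager' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service '$($svc.Name)' state: $($svc.Status)" }

if (-not $findings) { Write-Output 'No HiDrag/Jeefo host indicators found.'; return }
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remediate) {
    # Same order as the page: stop the process so the file can be deleted, delete
    # the file, then disable the service and drop the auto-start value so it cannot
    # come back at next boot.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $dropper) { Remove-Item -LiteralPath $dropper -Force }
    if ($svc) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
    if ($val) { Remove-ItemProperty -Path $runKey -Name 'PowerManager' }
}
```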

(For notes on Windows System File Checker and related commands click HERE)

   For maximum security AGA Consulting offers a security template that is run in the Windows Management Instrumentation Console (WMI). All a user has to do is substitute the main user name with their own and this security template will do the rest.

For info and downloading the AGA WMI Template click HERE.

   As always, a step by step picture guide is available below.
Http://www.Sysinternals.com - For ProcExp.exe
Http://www.leprechaun.com.au - For KillProg.exe
Http://www.srnmicro.com - For Solo AntiVirus - They offer a free trial - Great Piece of Software!!!
Http://www.sophos.com - For Sophos Anti Virus - They offer a free trial - Great AV Software!!!

REMEMBER - NEVER USE CRACKED/HACKED ANTI-VIRUS SOFTWARE - They cannot be trusted

Step-by-step picture guide (captions only; the screenshots are not reproduced here):

From 'Control Panel' open 'Administrative Tools'.
In 'Administrative Tools' open 'Services'.
In the 'Services' panel find 'Power Manager'.
Right click 'Power Manager' and in the Properties box click 'Disable' and close.
From the 'Start' tab type CMD and hit enter.
In the 'Command Prompt' shell type SFC /purgecache and hit enter; let the program run its purge.
Then when finished type SFC /enable and hit enter and close the 'Command Prompt' shell.

Need more help - Contact AGA Consulting


   The last question I have is: why did Ziff Davis Publications' PC Magazine give Sophos AntiVirus the biggest thumbs down in their April 22, 2003, Vol 22 No 7 issue on spyware and adware? Hmmmm....... Stay far away from that website is my own opinion. I won't even give a link to that website.

   And remember; sometimes the good guys are not who you think they are!!!
   Also - We don't get paid to endorse ANYONE; we use what works and endorse the software WE use!!!