Monday, August 25, 2008

Virus Alert: Mnl6on3.com

Yesterday, I discovered that my PC got infected with this new kind of virus. At first I didn't mind it because my AV was detecting nothing, but soon after it started to affect my work. The first thing I noticed was that my disk drives were opening in a new window even though I had set in Folder Options that they should open in the same window. Things got worse when I couldn't open my Yahoo Messenger. I suspected it was some kind of malware or Trojan, so I looked on the Internet for removal tools. I ran a scan with these tools and was able to detect MNL6ON3.COM. I looked for some information about it, and here's what I found out.

MNL6ON3.COM (data courtesy of Prevx.com)

1. COVERT ANALYSIS OF: MNL6ON3.COM
File Names Used: 4
Paths Used: 3
Common File Name: MNL6ON3.COM
Common Path: %TEMP%\
Vendor Information: No Vendor details specified
MNL6ON3.COM may use 4 or more path and file names; these are the most common:
1: %WINDIR%\SYSTEM32\CKVO.EXE
2: %WINDIR%\SYSTEM32\DDR.EXE
3: ?:\MNL6ON3.COM
File Name Structure: Normal
File and Path Structure: Suspicious, code execution from unusual location

2. RELATIONSHIP ANALYSIS OF: MNL6ON3.COM
Malicious Objects Created: None
Malicious Creators: 1
Malware Run Keys: None
Self Persists:
Antivirus Detection: No third party antivirus detection observed
Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: MNL6ON3.COM
The following behaviors have been observed for this object:
  • Installs programs.
  • Deletes programs. (no wonder my YM got deleted)
  • Runs other programs.
  • Creates copies of itself.
It was malware. I did another scan with another tool and luckily found out where ckvo.exe and its DLL components, ckvo0.dll and ckvo1.dll, were hiding. I also found another file, n.com, which I suspect is another filename of mnl6on3.com. What I did, with the help of Master, was the following:

1. Copy the filenames and their locations.
2. Reboot the PC into safe mode.
3. Run regedit and delete the registry entries for those files.
4. Locate the actual files in system32 and delete them. I used FileZilla to locate the hidden files, as Windows Explorer can't see them.
5. To make sure autorun.inf (a component of the malware that I found on my local drives) is turned off, open msconfig, go to the Startup tab and disable any programs that aren't needed.
6. Reboot your PC normally and run another scan to make sure it is removed. I suggest running scans from different AVs.
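As an added example (my own script, not from the original post), the following PowerShell collects the evidence the steps above act on, so the file and registry names can be confirmed before anything is deleted. It lists hidden/system files whose names appear in the Prevx report (plus the author's suspected n.com) in %WINDIR%\System32, %TEMP% and every drive root; reads any autorun.inf found at a drive root and shows the lines that launch a program (Explorer processes these when the drive is opened; they are not listed in msconfig's Startup tab, which reflects the Run keys and the Startup folder); dumps the Run/RunOnce keys; and reports the NoDriveTypeAutoRun policy value that governs AutoRun. It only reads. It assumes an elevated PowerShell 2.0 or later prompt; deletion is left to the manual steps.

```powershell
# Added triage script, not part of the original post. It only reads; nothing is deleted.
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later) before the manual cleanup.
# Names below are the ones reported on this page: the Prevx file names plus the author's n.com.
$indicators = @('mnl6on3.com', 'n.com', 'ckvo.exe', 'ckvo0.dll', 'ckvo1.dll', 'ddr.exe')

# Directories the report names: %WINDIR%\System32, %TEMP%, and every drive root (?:\MNL6ON3.COM).
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
$dirs  = @("$env:WINDIR\System32", $env:TEMP) + $roots

function Get-SuspectFiles {
    param([string[]]$Directories, [string[]]$Names)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force lists hidden and system files that Explorer hides by default.
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($Names -contains $_.Name.ToLower()) } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

function Get-AutorunInf {
    param([string[]]$DriveRoots)
    # autorun.inf at a drive root is read by Explorer when the drive is opened; the keys
    # open=, shellexecute= and shell\<verb>\command= name the program it launches.
    foreach ($root in $DriveRoots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $item = Get-Item -LiteralPath $inf -Force
        $launch = Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        New-Object PSObject -Property @{
            Path       = $inf
            Attributes = $item.Attributes
            Launches   = ($launch -join '; ')
        }
    }
}

function Get-RunKeys {
    # The auto-start registry locations that msconfig's Startup tab is built from.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSDrive etc. are not registry values
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is the Explorer policy that governs autorun.inf handling;
    # 0xFF (255) disables AutoRun for every drive type. Absent means Windows defaults apply.
    $policy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = $null
    if (Test-Path $policy) {
        $value = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    if ($value -eq $null) { 'NoDriveTypeAutoRun not set (Windows default)' }
    else { 'NoDriveTypeAutoRun = 0x{0:X2}' -f [int]$value }
}

'== Files matching the reported names (hidden/system included) =='
Get-SuspectFiles -Directories $dirs -Names $indicators | Format-Table -AutoSize
'== autorun.inf at drive roots =='
Get-AutorunInf -DriveRoots $roots | Format-List
'== Run / RunOnce entries =='
Get-RunKeys | Format-Table -AutoSize
'== AutoRun policy =='
Get-AutorunPolicy
```

Run it once before step 1 to capture the exact paths and registry names, and again after step 6: an empty file list, no autorun.inf at any root and no unexpected Run entries is the result to expect from a clean machine. A Launches line pointing at a .com or .exe in the drive root is the autorun.inf component the author describes.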

I hope this helps those who have already encountered or will encounter this virus in the future. Just a tip, though: act immediately once you suspect that your PC is acting strangely (slow startup, etc.) and your AV has detected any files that need to be fixed manually.