Technical case study on khatra exe virus

  1. TECHNICAL CASE STUDY: Virus – KHATRA.exe

  2. Introduction

  Virus infection is a big issue for the layman computer user, as any infection may result in loss or corruption of important data. Even after a virus has been removed by the antivirus installed on the computer, the infections and other damage it caused may remain: folder options hidden in Windows Explorer, Task Manager still disabled, registry editing disabled, and autorun.inf files created by the virus in the root of each partition. Here we share the methods to repair such damage caused by the virus Khatra.exe.

  KHATRA.exe is a virus which automatically closes your browser whenever you open a browser and search for "remove khatra.exe". You cannot delete khatra.exe, gHost.exe or Xplorer.exe, which are created by the same virus, because these processes keep running.

  Let us discuss how HandsFree Networks found a removal procedure to delete the khatra.exe, gHost.exe and Xplorer.exe virus.

  Quick Facts

  Khatra.exe has the following behavior:
  • Added as a registry auto-start to load the program on boot-up
  • Created as a process on disk
  • Executed as a process
  • Has code inserted into its virtual memory space by other programs
  • Copied to multiple locations on the system
  • Deleted as a process from disk
  • Created as a new background service on the machine
  • Created by processes which appear to be checking for interception by security products
  • Creates multiple folders
  • Prevents access to Task Manager and Control Panel

  System Changes

  The following system changes may indicate the presence of this malware.

  The presence of the following files:
    %SystemDrive%\KHATRA.exe
    %windir%\Xplorer.exe
    %windir%\system\gHost.exe
    <system folder>\KHATRA.exe

  The presence of the following registry modifications:
    Added value: "G_Host"
    With data: ""%windir%\system\gHost.exe" /Reproduce"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    Added value: "Xplorer"
    With data: "<system folder>\KHATRA.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    Added value: "Taskman"
    With data: "<system folder>\KHATRA.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Added value: "Xplorer"
    With data: ""%windir%\Xplorer.exe" /Windows"
    To subkey: HKLM\SOFTWARE\KHATRA\Startup_List

    Added value: "load"
    With data: "<system folder>\KHATRA.exe"
    To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  3. Khatra.exe virus detection / prevention using the HandsFree Tool

  DART 27 "System Start-up Control" is enabled and prevents any changes to system-related registry keys. When the Khatra virus initiates, it tries to add values to the registry; this is blocked by the DART, and the user is also alerted via the Dashboard. In the Dashboard, under Security, we see the alerts for these blocked changes. [Screenshot: the Security alerts view in the Dashboard.] Clicking Details shows the complete list of events that caused the alerts. [Screenshot: the event details list.]

  4. Analysis of Khatra virus process creation and registry value addition

  To analyse the Khatra virus process creation and registry value addition, we check the event log of that machine, as mentioned above. [Screenshot: event log entries for KHATRA.exe.] This clearly shows that "KHATRA.exe" starts and tries to create registry values in the startup locations, which the HandsFree Tool prevents proactively.
  5. Prevent / remove using the HandsFree Tool

  This virus adds a few entries to the registry, and there are also three files which reside on the machine: khatra.exe, Xplorer.exe and gHost.exe. We can prevent as well as remove these files and registry values using DART 240 (Intrusion Protection Management) and DART 218 (Clean Folder).

  We add the following values in DART 240 under "Items to Disable" to permanently prevent these registry values from being added:

    RegKey,,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,G_Host,c:\windows\system\gHost.exe /Reproduce
    RegKey,,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,Xplorer,c:\windows\system32\KHATRA.exe
    Regkey,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,Taskman,c:\windows\system32\KHATRA.exe
    Regkey,,HKLM\SOFTWARE\KHATRA\Startup_List,Xplorer,c:\windows\Xplorer.exe /Windows
    Regkey,,HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows,load,c:\windows\system32\KHATRA.exe

  If a value has already been added, we need to remove it manually from the location listed above.

  To delete the files from the machine we can use any of the "Clean Folder" DARTs; we have used DART 218 in this case study. We add the following values in DART 218 under the "Directory or file to scan" section:

    1, 1, c:\windows\system,v1
    1, 1, c:\windows\system32,v2

  We add the following in the "File Groups" section:

    v1, Xplorer.exe, gHost.exe
    v2,KHATRA.exe

  6. Procedure to remove the Khatra.exe virus manually

  1. Go to Task Manager, select regsvr.exe (if found), gHost.exe, khatra.exe and Xplorer.exe, right-click and select End Process Tree. Then press WIN+R or Start > Run.
  2. Type cmd and hit Enter.
  3. Go to the drive where your OS is installed.
  4. In the command prompt, make sure you are at the root of the drive, i.e. the prompt shows c: or d: (repeat the command "cd .." without quotes until you get there).
  5. Type attrib -s -h -r khatra.exe. Repeat the same process in the location c:\windows\system32.
  6. Type del khatra.exe.
  7. Follow the same process for gHost.exe and Xplorer.exe, as they are also part of the virus.

  To make sure that the virus is out of your PC, check your registry:

  1. Press WIN+R and type regedit.
  2. Press Ctrl+F and search one by one for the names of the three processes, i.e. khatra, gHost, Xplorer.
  3. Search the entire registry and go on deleting the values you find.
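The file and registry indicators listed under "System Changes" and the manual clean-up steps above can be combined into one script. The following is an added example written for this page, not code from the case study or from HandsFree Networks. It assumes that "<system folder>" means the directory returned by [Environment]::SystemDirectory (normally C:\Windows\system32, as the DART 240 entries also use) and that it is run from an elevated PowerShell prompt, since the HKLM values and files under %windir% need administrator rights. By default it only reports what it finds; the -Remove switch performs the removal in the same order as the manual procedure: stop the processes first, then delete the registry values, then clear the hidden/system/read-only attributes and delete the files.

```powershell
# Added example: report (and optionally remove) the KHATRA.exe indicators
# from the "System Changes" list and the manual procedure on this page.
# Usage:  .\Check-Khatra.ps1            (report only)
#         .\Check-Khatra.ps1 -Remove    (report and clean up, confirmable with -WhatIf)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # default is report-only
)

$sysDir = [Environment]::SystemDirectory   # assumption: this is "<system folder>" on the page
$winDir = $env:windir

# File paths from the "System Changes" list
$files = @(
    (Join-Path $env:SystemDrive 'KHATRA.exe'),
    (Join-Path $winDir 'Xplorer.exe'),
    (Join-Path $winDir 'system\gHost.exe'),
    (Join-Path $sysDir 'KHATRA.exe')
)

# Registry values from the "System Changes" list: key and value name
$regValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'G_Host'  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'Xplorer' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'Taskman' },
    @{ Key = 'HKLM:\SOFTWARE\KHATRA\Startup_List';                                    Name = 'Xplorer' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';            Name = 'load'    }
)

# Process names from step 1 of the manual procedure (Get-Process takes names without .exe)
$procNames = @('KHATRA', 'gHost', 'Xplorer', 'regsvr')

$findings = @()

# 1. Running processes: stop them first, otherwise the files cannot be deleted
foreach ($p in (Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $findings += "process $($p.Name) (PID $($p.Id)) path=$($p.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.Name))", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Registry auto-start values
foreach ($r in $regValues) {
    $item = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($r.Name)
        $findings += "registry $($r.Key)\$($r.Name) = $data"
        if ($Remove -and $PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $r.Key -Name $r.Name
        }
    }
}

# 3. Files: they carry the system/hidden/read-only attributes, so clear them
#    (the equivalent of "attrib -s -h -r") before deleting, as in steps 5 and 6
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No KHATRA.exe indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Running it once without -Remove gives the same picture the registry search in the last three steps would, but only for the locations the page names; the Ctrl+F search in regedit remains the way to catch values written under other keys. The script matches process names exactly, so the legitimate regsvr32.exe is not touched by the regsvr entry.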
  7. Do you want to find out how to handle more support tasks with less effort? Sign up now for a free trial at www.handsfreenetworks.com

  To learn more about HandsFree Networks and our solution, visit www.handsfreenetworks.com

  HandsFree Networks and related HandsFree Networks Inc. logos are registered trademarks of HandsFree Networks Inc. Copyright ©2010 HandsFree Networks. All rights reserved. All other company, product and brand names are trademarks of their respective owners.
