Sunday, November 04, 2007

Zayle Letzel Trojan

"Todo por ti Letzel"

What's the Zayle Trojan
Zayle (also called Letzel) is a trojan that spreads through USB storage: pen drives, external disks, digital cameras, iPods, MP3 players and anything else that mounts as a removable drive. An infected device carries a hidden system file, autorun.inf, next to an executable named crsvc.exe (Zarteck). Windows honours that autorun.inf when the drive is double-clicked in My Computer (and, depending on the AutoPlay settings, when it is inserted) and launches crsvc.exe. While that process is running it keeps the drive open, so the device cannot be safely removed, and it may also prevent the device from being formatted.

The autorun.inf file can be opened with Notepad; besides the autorun directives it contains a couple of ASCII-art pictures (shown below).

Zayle could be a rearrangement of the name Elyza, and the message left by the author reads "TODO POR TI LETZEL", Spanish for "All for you, Letzel". It could be dedicated to the author's girlfriend, or to the architect Jan Letzel, who designed the building now preserved as the Hiroshima Peace Memorial (the Atomic Bomb Dome); this is mere speculation.


HowTo get rid of Zayle
  1. Turn off System Restore, so that the trojan cannot come back from a restore point. Go to Control Panel -> System -> System Restore tab, tick "Turn off System Restore on all drives", accept and close the dialog.
  2. In the Task Manager (Processes tab) find the process named crsvc.exe and end it. Until it is killed the executable is in use and cannot be deleted, and the drive cannot be safely removed.
  3. Make the files visible. In Explorer go to Tools -> Folder Options -> View, select "Show hidden files and folders" and untick "Hide protected operating system files", so autorun.inf and crsvc.exe are listed.
  4. Do not open the pen drive by double-clicking it in My Computer: that runs the autorun action and relaunches the trojan. Right-click the drive letter icon and choose Explore instead (or type the drive letter into the Explorer address bar).
  5. Delete autorun.inf and crsvc.exe from the root of the drive. Repeat steps 4 and 5 for every USB device that has been plugged into the infected machine, since each of them may have been infected.
  6. Open regedit: Start menu -> Run (or press [Win]+R), type regedit and accept. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; there you will find a value named syslog that launches crsvc.exe. Delete that value and restart the computer.
  7. The infection is gone. Turn System Restore back on afterwards, so the clean system gets a fresh restore point.

Zayle's Signature
The autorun.inf this trojan writes to an infected pen drive (very creative and romantic). The open= and shellexecute= lines name the program Windows runs when the autorun action fires, and shell\1=ZAYLE adds a context-menu item labelled ZAYLE whose command (shell\1\Command) is the same executable, so every obvious way of opening the drive launches crsvc.exe:

[autorun]
open=crsvc.exe
shell\1=ZAYLE
shell\1\Command=crsvc.exe
shellexecute=crsvc.exe

TODO POR TI LETZEL (All for you Letzel)
[A heart text image]


[A rose text image]
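A small script that does the detection and the file-cleaning part of the removal procedure above, written as an added example for this post (it is not the author's code, and Zayle ships no such tool). It parses an autorun.inf the way the signature section describes it, lists every executable the autorun directives would launch, flags the Zayle fingerprint (crsvc.exe as launch target, ZAYLE as context-menu label), deletes autorun.inf and crsvc.exe from a drive root (steps 4 and 5), and, on Windows only, ends the crsvc.exe process with taskkill and deletes the syslog value under the Run key (steps 2 and 6). The sample autorun.inf is constructed from the signature printed above, minus the ASCII art; the demo runs against a temporary directory standing in for a pen drive root, with a placeholder file in place of the real dropper.

```python
"""Detect and clean the Zayle/Letzel autorun.inf infection described above.

Added example, not the post's own code. Everything it knows about the
infection (crsvc.exe, the ZAYLE menu label, the 'syslog' Run value) is
taken from the post; no other behaviour of the malware is assumed.
"""
import os
import stat
import subprocess
import sys

DROPPER = "crsvc.exe"          # executable named in the post
MENU_LABEL = "ZAYLE"           # context-menu label from the signature
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "syslog"           # Run value the post says launches crsvc.exe
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: the signature reproduced in the post, without the ASCII art.
SAMPLE_AUTORUN = r"""[autorun]
open=crsvc.exe
shell\1=ZAYLE
shell\1\Command=crsvc.exe
shellexecute=crsvc.exe

TODO POR TI LETZEL
"""


def parse_autorun(text):
    """Return the key=value directives of the [autorun] section (keys lowercased).

    Lines with no '=' inside the section, such as the 'TODO POR TI LETZEL'
    trailer, are ignored by Windows but kept under 'trailer' because they are
    what identifies this particular infection to a human reader.
    """
    directives, trailer, in_autorun = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
        else:
            trailer.append(line)
    return {"directives": directives, "trailer": trailer}


def launch_targets(directives):
    """Basenames of the executables autorun would run: open=, shellexecute= and shell\\X\\command=."""
    targets = set()
    for key, value in directives.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb_command) and value.strip():
            exe = value.split()[0].replace("\\", "/")   # drop arguments, normalise separators
            targets.add(os.path.basename(exe).lower())
    return targets


def is_zayle(text):
    """True if an autorun.inf matches the signature printed in the post."""
    d = parse_autorun(text)["directives"]
    menu_labels = {v.upper() for k, v in d.items()
                   if k.startswith("shell\\") and not k.endswith("\\command")}
    return DROPPER in launch_targets(d) or MENU_LABEL in menu_labels


def infected_files(root):
    """Paths of the infection's files present at the root of a drive (or test directory)."""
    return [os.path.join(root, n) for n in ("autorun.inf", DROPPER)
            if os.path.isfile(os.path.join(root, n))]


def clean_drive(root):
    """Steps 4-5: delete autorun.inf and crsvc.exe from the drive root.

    The files are hidden+system and may be read-only, so the read-only bit is
    cleared before deletion. Returns the names of the files removed. Run this
    only after the process has been killed, never after double-clicking the drive.
    """
    removed = []
    for path in infected_files(root):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
        os.remove(path)
        removed.append(os.path.basename(path))
    return removed


def kill_dropper():
    """Step 2: terminate crsvc.exe. Windows only; returns taskkill's exit status, else None."""
    if sys.platform != "win32":
        return None
    return subprocess.call(["taskkill", "/F", "/IM", DROPPER],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def remove_run_entry():
    """Step 6: delete the 'syslog' value under HKLM\\...\\Run (Windows only, needs admin).

    Returns True if the value was removed, False if it was absent, None off Windows.
    """
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_ALL_ACCESS) as key:
            winreg.DeleteValue(key, RUN_VALUE)
            return True
    except FileNotFoundError:
        return False


def demo():
    """Detect and clean a constructed infected directory standing in for a pen drive root."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        inf = os.path.join(root, "autorun.inf")
        with open(inf, "w") as f:
            f.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, DROPPER), "wb") as f:
            f.write(b"MZ")                      # constructed placeholder, not the real dropper
        os.chmod(inf, stat.S_IREAD)             # mimic the read-only attribute
        with open(inf) as f:
            detected = is_zayle(f.read())
        removed = clean_drive(root)
        return {"detected": detected, "removed": removed, "left": infected_files(root)}


if __name__ == "__main__":
    print(demo())
```

On a real machine the order matters: call kill_dropper() first, then clean_drive() with the drive letter (for example "E:\\") for every USB device that touched the machine, then remove_run_entry() from an administrator prompt and reboot, exactly as in the numbered steps. launch_targets() is deliberately more general than the Zayle fingerprint: any autorun.inf on removable media whose launch set is non-empty deserves a look, whatever the file is called.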