Tuesday, August 11, 2009

How to get rid of the MaHasona Virus

Scroll down to the section titled "how to delete MaHasona" if you want a quick fix. (For those who might be interested, the paragraphs below explain how I got round to figuring it out)


Just a few days ago I came across a particularly annoying worm called MaHasona. (Mahasona is a phantom of Sri Lankan folklore and, if I remember correctly, it had something to do with a human body with a bear's head.. and the head faced backwards.. but let's not get carried away.) Annoying because my antivirus software wouldn't detect it and I was more or less powerless to remove it. Of course, your own antivirus solution may work better than mine, but just in case it fails, I think I might be able to help you. (WHY do people create viruses? Couldn't they just create a good piece of software that could do some good in the world?)

The basic process.


After some digging around in the bowels of my Windows PC and some googling I found two things related to MaHasona.
First of all, I found that MaHasona is a worm and, according to my experience, spreads via pen drives, which are also called flash drives. So, obviously, there had to be a malicious file on the infected flash drives.... and hey presto! there it was... an ugly .exe file called MaHasona.exe. (It's not visible in Windows Explorer straight away.. I'll get to that in a minute.)

Second, no matter how many times I tried to delete this .exe file from my flash drive, it just kept reappearing. That meant there had to be something causing the reappearing or, more specifically, something that kept on making new copies of MaHasona in the flash drive.. and it had to be running in the background as all worms and viruses do (I don't know much about viruses.. please post a comment if I'm wrong). A bit of googling on the MaHasona virus told me that in this case it happened to be a process called explorar.exe.

I think these two components (the MaHasona.exe file and the explorar process) work by creating each other in a kind of cycle.
First an infected flash drive is plugged into an uninfected computer. The computer then runs the "autorun.inf" file of the flash drive. The virus has turned the normally innocent autorun file into something that tells the computer to run the virus.. i.e. MaHasona.exe, which is on the flash drive. The MaHasona.exe in turn creates the process Explorar.exe on the host computer (which will run in the background every time you turn on your computer... until you get rid of it). Explorar will constantly be on the lookout for new flash drives to be plugged into the computer. When new flash drives are plugged in, it (Explorar) will then create MaHasona on those flash drives.. Those flash drives will be plugged into other computers and the copy of MaHasona on them will create the Explorar process on those other computers... and the cycle continues.. (This is just my guess at how this thing works.. and it agrees pretty well with the rudimentary experiments I did.)

After all those juicy (and possibly uninteresting) details let's get down to business......

HERE'S HOW TO DELETE MaHasona


First, make sure you don't have any flash drive plugged in.

Next enter the Windows Task Manager (Ctrl + Alt + Delete) and go to the Processes tab. There should be a process called explorar.exe (be careful to select explorar and not explorer). Select it and click the "End Process" button. Then click "Yes" on the warning dialog that appears.
You've stopped explorar.exe.

Go to Windows Explorer and go to your system32 folder.
It should be in a path such as C:\windows\system32
If you can't find it [the system32 folder], try making "hidden files and folders" visible by clicking
Tools > Folder Options and, under the View tab, select the option button saying "Show hidden files and folders". (Do not change these settings until we've completed disinfecting the flash drive as well... I'll tell you how to do that in a minute.)

The explorar.exe file is inside the system32 folder... but even when you get inside the system32 folder it's not visible straight away.
To make it visible, again go to Tools > Folder Options and, under the View tab, deselect the entry which says "Hide protected operating system files". There... Now it should be visible...
Change the view type in Windows Explorer to "Details" and then organize the files in alphabetical order (by clicking the header of the Name column) to make it easier to find the file we need.

Once you find explorar.exe, delete it. (Click "Yes" on the warning dialog that appears when you hit Delete.)

You've disinfected your computer.....

Now for your flash drive.

Plug it in and do not let autorun open the drive. Autorun is the feature which asks you what you want to do when the flash drive is first plugged in. Click "Cancel" on this dialog box. (It may or may not appear depending on the flash drive.)

Go to "My Computer" and check the drive letter assigned to your flash drive. (Again, do not double click or open the flash drive here. Just check the letter written in front of the icon which represents the flash drive.)

Go to Start and click Run and type the drive letter of your flash drive in the field titled "open". For example if your flash drive is drive H: type "H:" (without the quotations) and hit enter.
Explorer will then open your flash drive. If you didn't change the settings in the "Folder Options" dialog and left them the way they were when we deleted "explorar.exe", you should be able to see two files called "MaHasona.exe" and "autorun.inf".
Delete both of them.

(If you get an error like "cannot delete etc etc..." check if a process called MaHasona.exe is running under the Processes tab of the Task Manager.. If it is, then I've got a bit of bad news. If you read the description above, you'd know that if MaHasona.exe is executed it will make a copy of explorar.exe in the system32 folder. You'll have to go back to the beginning and start again.... This is why it's so crucial that you don't open your flash drive using autorun or by simply double clicking in Windows Explorer.)
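The autorun.inf hook described in the "cycle" paragraph above, and the flash-drive check in the steps just given, can both be done without ever opening the drive through autorun. The script below is an added example (Python, written for this page; it is not the post author's work and not any real cleanup tool): it reads a drive's autorun.inf as plain text, pulls out every entry that would launch a program (open=, shellexecute=, and the shell\<verb>\command= lines that hijack double-click and right-click "Explore"), and reports whether each referenced file is actually sitting on the drive. The "infected drive" it scans is constructed in a temporary folder with placeholder bytes, so nothing is executed; the file names MaHasona.exe and autorun.inf come from the post, the autorun.inf contents are assumed.

```python
# Added example (not from the original post): read a removable drive's
# autorun.inf without executing anything and report what it would launch.
import os
import re
import tempfile

# [autorun] keys that make Windows run a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command = ... lines: these replace "Open"/"Explore" on the
# drive's right-click menu, which is how a double-click ends up running the worm.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}} (lower-cased keys)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # key outside any section, or junk
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def executable_token(value):
    """Return just the program name from a command value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):             # "path with spaces.exe" /args
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(sections):
    """Map each program the [autorun] section would run to the keys that reference it."""
    targets = {}
    for key, value in sections.get("autorun", {}).items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            exe = executable_token(value)
            if exe:
                targets.setdefault(exe, []).append(key)
    return targets


def scan_drive(drive_root):
    """Report autorun launch targets on a drive and whether each file exists there."""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return {"has_autorun": False, "targets": {}}
    with open(inf_path, "r", errors="replace") as fh:
        sections = parse_autorun(fh.read())
    report = {}
    for exe in launch_targets(sections):
        # Resolve relative to the drive root; autorun paths use backslashes.
        local = os.path.join(drive_root, exe.replace("\\", os.sep).lstrip(os.sep))
        report[exe] = os.path.isfile(local)
    return {"has_autorun": True, "targets": report}


def build_sample_drive():
    """Construct a fake infected drive in a temp folder (sample data, never executed)."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    # File names follow the post; the autorun.inf contents are an assumption.
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=MaHasona.exe\n"
                 "shell\\open\\command=MaHasona.exe\n"
                 "shell\\explore\\command=MaHasona.exe\n"
                 "icon=MaHasona.exe\n")          # icon= only draws the icon, not a launch
    with open(os.path.join(root, "MaHasona.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real program")
    return root


if __name__ == "__main__":
    # On a real Windows box you would call scan_drive("H:\\") for the drive letter
    # from My Computer; here the constructed sample drive is scanned instead.
    print(scan_drive(build_sample_drive()))
```

A drive whose report shows a launch target that also exists on the drive is exactly the pairing the post tells you to delete by hand (both the autorun.inf and the file it points at); a drive with no autorun.inf at all, or one whose only keys are icon= or label=, gives nothing to clean.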


Congrats.... you now have a MaHasona free PC!
Hope I helped.

That's as far as I got on my own. A little more research showed me an additional step.
Go to Start > Run and then type "Msconfig" and hit enter.
Under the "Startup" tab there should be an entry titled "explorar.exe". I personally 'feel' that it's now harmless because we deleted the file that this entry runs, but just to be thorough let's deactivate that as well. Just deselect the check box and click Apply. You may need to restart your computer.

A disclaimer..
I am not a computer professional and I have described the procedure above because it worked on my computer. While there is a good chance that it will work for you as well, I cannot guarantee it. Also, please be careful when you are using the Msconfig utility. Misuse may cause serious damage to your operating system, according to the Msconfig help file.

8 comments:

  1. Thank you sooooooooooooooooooooo much..
    THISARA
    Sri Lanka

  2. yeah.. You can also use the tool. But this way, you'll also learn something about your PC..
    Glad to help, Thisara

  3. Thank you very much, all of you!!!

    K_ZONE®

  4. Thank you, thank you soooo much
    from Sri Lanka lolz

  5. Thank you sooo much.
    Will this help with my phone memory too?
    Please reply to this.

    1. Sorry.. I don't know about Windows phones. I know this reply is long overdue. Sorry about that.
