2. Introduction Quick Facts
Khatra.exe has the following behavior:
• Added as a Registry auto start to load
Virus infection is one big issue for a layman computer user as any virus
Program on Boot up
infection may result in loss and corruption of important data. Even when a virus
• Created as a process on disk
is removed from your computer by the antivirus installed on your computer the
• Executed as a Process
infections and other damages caused by the virus may still remain. The
• Has code inserted into its Virtual
infections which remains after virus removal includes invisible folder options in
Memory space by other programs
windows explorer, task manager still disabled, registry editing disabled and
• Copied to multiple locations on the
some autorun.inf files created by the virus in the root drive of each partition.
system
Here we will share the methods to repair such damages caused by the virus
• Deleted as a process from disk
Khatra.exe.
• Created as a new Background Service on
KHATRA.exe is a virus which automatically closes your browser whenever you the machine
try to open a browser and search remove khatra.exe. You cannot delete • Created by processes which appear to be
khatra.exe, gHost.exe or Xplorer.exe which is created by the same virus as checking for interception by security
these processes will keep running. products
• Creates multiple folders
Let us discuss how HandsFree Networks has found out a removal procedure to • Prevents access to Task Manager and
delete khatra.exe or gHost.exe or Xplorer.exe virus. Control panel.
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%SystemDrive%KHATRA.exe
%windir%Xplorer.exe
%windir%systemgHost.exe
<system folder>KHATRA.exe
The presence of the following registry modifications:
Added value: "G_Host"
With data: ""%windir%systemgHost.exe" /Reproduce"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun
Added value: "Xplorer"
With data: "<system folder>KHATRA.exe"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun
Added value: "Taskman"
With data: "<system folder>KHATRA.exe"
To subkey: HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
Added value: "Xplorer"
With data: ""%windir%Xplorer.exe" /Windows"
To subkey: HKLMSOFTWAREKHATRAStartup_List
Added value: "load"
With data: "<system folder>KHATRA.exe"
To subkey: HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows
2
3. Khatra.exe virus Detection / Prevention using HandsFree Tool:
DART 27 “System Star-up Control” is enabled and it prevents any changes happening to system related registry keys. When Khatra
virus initiates it tries to add values into the registry which is been blocked using this DART. And the user is also alerted about the
same via the Dashboard.
In Dashboard under security we would see the alerts for the same. The screen shot below show how we check these alerts.
Once we click details it would show us the complete list of events causing these alerts, as shown below.
3
4. Analysis of Khatra virus process creation & registry value addition
An analysis of the Khatra virus process creation and registry value addition, we check this through the event log of that machine,
as mentioned above.
This clearly shows that the “KHATRA.exe” starts to initiate and tries to create registry values in the startup which have been
prevented by the HandsFree Tool proactively.
4
5. Prevent / Remove using HandsFree Tool
This virus adds few entries into the registry value & also there are 3 file which reside on the machine. The 3 files are khatra.exe,
Xplorer.exe & gHost.exe. We can prevent as well as remove these files and registry values using DART 240 - Intrusion Protection
Management & DART 218 –Clean folder, to prevent and remove these files from the machine.
We add these values in DART 240 under “Items to Disable” to permanently prevent these registry values from adding.
RegKey,,HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun,G_Host,c:windowssystemgHost.exe
/Reproduce
RegKey,,HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun,Xplorer,c:windowssystem32KHATRA
.exe
Regkey,,HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon,Taskman,c:windowssystem32KHATRA.exe
Regkey,,HKLMSOFTWAREKHATRAStartup_List,Xplorer,c:windowsXplorer.exe /Windows
Regkey,,HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows,load,c:windowssystem32KHATRA.exe
If the value is already been added we need to manually remove them from the above mentioned location.
To delete the files from the machine we can use any of the “Clean folder’ DARTs we have taken DART 218 is this case study.
We add the following value in DART 218 under “Directory or file to scan” section,
1, 1, c:windowssystem,v1
1, 1, c:windowssystem32,v2
We add the following in the “File Groups” section.
v1, Xplorer.exe, gHost.exe
v2,KHATRA.exe
5
6. Procedure to remove Khatra.exe virus manually
1. Go to task manager and select regsvr.exe (if found), gHost.exe, khatra.exe, Xplorer.exe rt click and select end process tree.
Press WIN+r or start>RUN
2. Type cmd and hit enter
3. GO to the the drive where your OS is installed
4. In the command prompt make sure you get the command line as c: or d: (this can be achieved by the command "cd .."
without quotes)
5. Type attrib -s -h -r khatra.exe
Repeat the same process for the location c:windowssystem32
6. Type del khatra.exe
7. Follow the same process for gHost.exe & Xplorer.exe as they are also part of the virus.
To make sure that the virus is out of you pc , check your registry
1. win+R type regedit
2. ctrl+F type in search one by 1 the names of the 3 processes i.e khatra,gHost,Xplorer
3. Search the entire registry n go-on deleting the values you find.
6
