Friday, December 7, 2007

W32/Checkout!91d0b88a Virus

W32/Checkout!91d0b88a
Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm

Virus Characteristics

-- Update August 12, 2007 --
The risk assessment of this threat has been updated to

This worm spreads via MSN Messenger. When installed, it sends the following message(s) to contact-list recipients along with a zip file named img1756.zip (~42 KB).

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?

Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops an a.bat file to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

Adds the following values to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm connects to an IRC channel on {blocked}.basecase.info.

Indications of Infection

* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages with zip attachment.

Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).

Pulasi virus, tangismu virus

Win32.VB.BG
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 46.5 kb

Method of propagation:
• The malware spreads itself by creating an "Autorun.inf" and a "dapat.exe" on hard drive partitions, including removable media (e.g. flash disk, memory card).
It hides the autorun.inf by changing its file attributes.

Aliases:
• Kaspersky: Virus.Win32.VB.bg
• F-Secure: Virus.Win32.VB.bg
• Grisoft: Worm/VB.ZU
• Eset: Win32/VB.DA

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Lowers security settings
• Registry modification
• Ejects itself to every file with one of the following extensions: dbf, jpg, dbs, mdb, doc and xls

Files
It copies itself to the following locations:
• C:\pulasi.txt
• %SYSDIR%\"Sedihmu.inf"
• %SYSDIR%\pencaria\smss.exe
• %SYSDIR%\pencaria\services.exe
• %SYSDIR%\pencaria\lsass.exe
• %drive%\documents.exe
• %drive%\adalah\dapat.exe


It creates the following directory:
• %drive%\adalah

The following files are created:

– C:\pulasi.txt
This is a non-malicious text file with the following content:
• TANGISMU

M4k3 B3T3R L1V3 WITH VIRUS
H4T1KU B3T4P4 B3RS3DIH
benar - benar jau, tak kan dapat ku gapai
Tangisku bukan milikmu
Tangismu adalah milikku
tak ada lagi yang ku kejar saat ini
nant nanti aku mulai berkobar
saat,ini aku akan mulai mengejar yang
Aku terpaksa,lakukan ini krana kau yang mengawali..
4LL FR13ND 1NDU5TR14L C0MMUN1TY ENDON3SIA
SP3CI4L TH4NKS TO S4INT 4ND SINN3RS C0MMUN1TY
JOWAT FAMILY ENDONESIA

– %WINDIR%\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• c:\pulasi.txt


The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
• "Userinit"="%SYSDIR%\userinit.exe"
New value:
• "System"="Explorer.exe "%SYSDIR%\pencaria\services.exe"
• "Userinit"="%SYSDIR%\Pencaria\lsass.exe"

– [HKCR\exefile]
Old value:
• @="Application"
New value:
• @="File"


– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
Old value:
• "Auto"="1"
• "Debugger"="drwtsn32 -p %ld -e %ld -g"
New value:
• "Auto"="1"
• "Debugger"="%SYSDIR%\pencaria\lsass.exe"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=%user defined settings%
• "HideFileExt"=%user defined settings%
• "ShowSuperHidden"=%user defined settings%
New value:
• "Hidden"=dword:00000000
• "HideFileExt"=dword:00000001
• "ShowSuperHidden"=dword:00000000


– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• "AlternateShell"="cmd.exe"
New value:
• "AlternateShell"="%SYSDIR%\pencaria\lsass.exe"

– [HKCR\lnkfile\shell\open\command]
Old value:
• @=" "%1" %*"
New value:
• @=" "%SYSDIR%\pencaria\lsass.exe" "%1" %*"

– [HKCR\piffile\shell\open\command]
Old value:
• @=""%1" %*"
New value:
• @="%SYSDIR%\pencaria\lsass.exe"" "%1" %*"

– [HKCR\batfile\shell\open\command]
Old value:
• @=""%1" %*"
New value:
• @="%SYSDIR%\pencaria\lsass.exe" "%1" %*"

– [HKCR\comfile\shell\open\command]
Old value:
• @=""%1" %*"
New value:
• @="%SYSDIR%\pencaria\lsass.exe" "%1" %*"

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableCMD"=%user defined settings%
• "DisableTaskMgr"=%user defined settings%
• "DisableRegistryTools"=%user defined settings%
New value:
• "DisableCMD"=dword:00000001
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• "NoFolderOptions"=%user defined settings%
New value:
• "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Old value:
• "DisableConfig"=%user defined settings%
• "DisableSR"=%user defined settings%
New value:
• "DisableConfig"=dword:00000001
• "DisableSR"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
New value:
• "LimitSystemRestoreCheckpointing"=dword:00000001
• "DisableMSI"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
New value:
• "FullPathAddress"=dword:00000001

Process termination
List of processes that are terminated:
• regedit.exe; AVP.exe; rtvscan.exe; NAV.exe; VSHWIN32.exe;
ProcessManager.exe; RegistryEditor.exe; Msiexec.exe; avgemc.exe;
nvcoas.exe; mcvsescn.exe; firefox.exe; TASKMGR.EXE; setup.exe;
Opera.exe; avguad.exe; avgnt.exe; killvb.exe; Msi.exe

Processes with one of the following strings are terminated:
• ANT; BRO; VIR; TASK; REG; ASM; DBG; W32; BUG; HEX; DETEC; PROC; WALK;
REST; AVS; OPTIONS; AVG; SYMANTEC; PANDA; MCAFEE; PC-CILLIN; F-PROT;
KASPERSKY; VAKSIN; ANTI; VIRUS

Processes containing one of the following window titles are terminated:
• RegEdit_RegEdit
• Registry Editor
• Folder Options
• Local Settings

The following service is disabled:
• System Restore

Programming language:
• The malware program was written in Visual Basic.

W32/Xiaoho.worm

W32/Xiaoho.worm
Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/1/2007
Date Added: 8/1/2007
Origin: N/A
Length: Varies
Type: Virus
SubType: Worm

Virus Characteristics


This detection is for a worm which tries to copy itself to removable drives. It will destroy systems it's used on by infecting all .exe files and changing their icons to the Chinese character HAO.

Upon execution, the worm drops a copy of itself into the Windows System folder:

* %SysDir%\exloroe.exe

The worm creates the following registry keys to activate itself:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\: "系统设置"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath: "%SystemRoot%\system32\exloroe.exe"

It spreads by dropping files named autorun.inf and xiaohao.exe on removable drives and setting file attributes as hidden.

The worm infects .exe files by overwriting them or corrupting them beyond repair. This changes their icon to the Chinese character HAO and changes the active window title to "X14o-H4o".

The file C:\Jilu.txt is created to list all the infected files.

The worm also infects .html, .htm, .asp and other script files by inserting an iframe that references a remote URL.

It also changes the system time to Jan 17, 2005 to try to disable antivirus programs.

Indications of Infection

* The infected files' icons change to be the Chinese character HAO.
* Active windows have their title changed to "X14o-H4o',27h,'s Virus"

Method of Infection
This worm may come via a malicious link, or it may be spread by its intended method of infected removable drives.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
Aliases
Virus.Win32.Agent.ai, Virus.Win32.Agent.o, W32.Hauxi, W32/Hoaix-A, W32/XiaoHao.A

w32Babelloh virus

w32Babelloh virus
Discovered:
December 5, 2007
Type: Worm
Infection Length: 51,576 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm creates the following mutex so only one instance of the worm is running:
NameOfMutexObject2

The worm creates the following files:

* %SystemDrive%\cblogsvr.ini
* %SystemDrive%\mgrShell.exe
* %SystemDrive%\spoolsv32.exe
* %SystemDrive%\wmiprvse.exe
* %Temp%\L4SD\1CE993C1.db
* %Temp%\~RHF514.log



It also creates the following files with hidden and system attributes on removable and mapped network media:

* %DriveLetter%:\RECYCLER
* %DriveLetter%:\autorun.inf
* %DriveLetter%:\RECYCLER\desktop.exe
* %DriveLetter%:\RECYCLER\desktop.ini

The worm may also copy and spread in encrypted form to local .doc, .docx and .ros documents as the following file:
%DriveLetter%:\RECYCLER\[8 HEXADECIMAL CHARACTERS].db

It creates the following registry entries so that it runs every time Windows starts:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"PolicyRun" = "%SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"

It modifies the following values in registry subkeys:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\"ServiceCurrent" = "11"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"Type" = "10"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\"ServiceCurrent" = "11"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"Type" = "10"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"

It checks for internet access by connecting to the following site:
windowsupdate.microsoft.com

The worm drops additional malware which opens a back door and attempts to connect to the following predetermined sites on TCP ports 80, 8080 or 8088:
* lack.bpa.nu
* qack.bpa.nu
* pbwoman.6600.org

Wednesday, October 17, 2007

kalonzo virus kibaki virus raila virus removal tool

Is your computer down with the Kibaki virus, Kalonzo virus, Raila virus, Brontok, W32RontokBro@mm or any other virus? If yes, get in touch with experts: 020-3537066

W32rontokbro@mm

Size: 90 KB
Type: Worm
Affected system: Windows platform
Mode of spread: Removable disk

W32RontokBro@mm is a worm for the Windows platform.
W32RontokBro@mm will attempt to copy itself to network and removable drives, using filenames including Open.exe, Music.exe and Empty.pif.
The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed.
When first run, W32RontokBro@mm copies itself to some of the following filenames:
\fonts\smss.exe
\oobe\isperror\shell.exe
\IExplorer.exe
\System32.exe
\Empty.pif
and creates the following file:
\Autorun.inf - may be deleted.
W32RontokBro@mm also attempts to copy itself to existing filenames with EXE extensions, but with an extra space between the filename and the extension, e.g. if it finds the file "Example.exe" it may copy itself to the same folder as "Example .exe".
W32RontokBro@mm attempts to terminate processes, close windows and delete registry entries related to security and anti-virus applications, and may restart an infected computer.
W32RontokBro@mm may also display a fake error message with the title "Warning" and the text "Illegal Application", before attempting to terminate processes related to security and anti-virus applications.
The following registry entries are set to run W32RontokBro@mm on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon\"services" = "\fonts\smss.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "\fonts\smss.exe"
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\"Userinit" = "\userinit.exe, \fonts\smss.exe"
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\"shell"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"kb"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"services"
W32/RontokBr may set the following registry entries to run files other than itself on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\"Debugger" = "\Shell.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"kbdrivers" = "\AUTO.txt"
Some of the following registry entries are set or modified, so that W32RontokBro@mm is run when files are run with the extensions listed:
HKCR\exefile\shell\open\command\(default) = "\fonts\smss.exe %1 %*"
HKCR\lnkfile\shell\open\command\(default) = "\oobe\isperror\shell.exe %1 %*"
HKCR\piffile\shell\open\command\(default) = "\oobe\isperror\shell.exe %1 %*"
HKCR\batfile\shell\open\command\(default) = "\oobe\isperror\shell.exe %1 %*"
HKCR\comfile\shell\open\command\(default) = "\oobe\isperror\shell.exe %1 %*"
Some of the following registry entries may also be set, usually to one of two values:
HKCR\exefile\(default)
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug\"Auto"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"HideClock"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDrives"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoShellSearchButton"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableCMD"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDesktop"
HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore\"DisableConfig"
HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore\"DisableSR"
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\"LimitSystemRestoreCheckpointing"
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\"DisableMSI"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\"FullPathAddress"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden"
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\"LegalNoticeCaption"
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\"LegalNoticeText"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\"Disable"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\"Disable"

kibaki virus

KIBAKI TOSHA VIRUS (w32.kibtos)
Type: Worm
Technical Name: W32.Kibtos, w32autorun
Infection Length: Depends on variant (129 KB for the current variant)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

It is designed using Visual Basic and packed with level-one protection software to prevent reverse engineering and decompilation. When the worm is executed, it copies itself to the following files under the Windows folder, setting the file attributes SYSTEM, HIDDEN and READONLY:
addins\services.exe
web\printers\prtwebvw.exe
java\classes\lsass.exe
It contains the "real tech" timer, which is used to copy the file to any removable media inserted. The timer is also used to kill any running security software via the function killer().
It creates the files open.exe and autorun.inf on any inserted removable media.
The worm then may display a message and picture at intervals of 20-30 minutes asking the user to vote for Kibaki.
Registry entries set by the worm (as the calls appear in its code):
HKEY_LOCAL_MACHINE, "SYSTEM\CurrentControlSet\Control\SafeBoot\", REG_SZ, "AlternateShell", GetWindowsPath & "appname
HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", REG_SZ, "yahoo messager", "Explorer.exe " & Chr(&H22) & winpath & appname & Chr(&H22)
HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", REG_SZ, "Debugger", Chr(&H22) & winpath & "appname" & Chr(&H22)
HLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", REG_SZ, "Auto", "1"

HCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - disable folder option
HLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - disable folder option
HLM, "SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" - DisableSR
HLM, "SOFTWARE\Policies\Microsoft\Windows\Installer" - limit system restore points
HLM, "SOFTWARE\Policies\Microsoft\Windows\Installer" - disable installer

HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - hide file extensions
HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - hide super hidden files
HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - disable hidden files

It calls the following functions:
Public Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Public Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileA" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
Public Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long
Public Declare Function SetFileAttributes Lib "kernel32" Alias "SetFileAttributesA" (ByVal lpFileName As String, ByVal dwFileAttributes As Long) As Long
Public Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" (ByVal lpFileName As String) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Public Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long
Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
Public Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Public Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Public Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As Long
Public Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
Public Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Public Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Public Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Public Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Public Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Public Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Public Declare Function PaintDesktop Lib "user32.dll" (ByVal hwnd As Long) As Long
Public Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Public Declare Function CloseWindow Lib "user32" (ByVal hwnd As Long) As Long
Public Declare Function GetSystemDirectory Lib "kernel32.dll" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Public Declare Function GetWindowsDirectory Lib "kernel32.dll" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Public Declare Function CreateDirectory Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpPathName As String, lpSecurityAttributes As SECURITY_ATTRIBUTES) As Long
Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Public Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Public Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Public Function ShutDownApplication(ByVal ApplicationName As String) As Boolean
Public Function SetTopMostWindow(hwnd As Long, Topmost As Boolean) As Long
Public Function KeyboardProc(ByVal ncode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
For removal tool call: 020-3537066

kalonzo virus

kalonzo virus
Discovered:
August 26, 2007
Type: Worm
Infection mode: Removable storage device
Infection Length: 117 KB
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the worm is executed, it copies itself as the following files:
%System%\DirectX\Dinput\csrss.exe
%Windir%\installer\lsass.exe
It then creates the following file, referencing the previously created files:
%Windir%\Autorun.inf
The worm also creates the following files on all drives found:
[DRIVE LETTER]:\AUTORUN.INF
[DRIVE LETTER]:\open.exe
It then sets the following registry keys in order to disable System Restore and change the default folder options:
HLM, "SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" - DisableConfig
HLM, "SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" - DisableSR
HLM, "SOFTWARE\Policies\Microsoft\Windows\Installer" - LimitSystemRestoreCheckpointing
HLM, "SOFTWARE\Policies\Microsoft\Windows\Installer" - DisableMSI
HCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableFolderOptions
HLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableFolderOptions
HLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableControlPanel
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableControlPanel
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableFind
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableRun
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableShellSearchButton
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableEntireNetwork
HCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - DisableSecurityTab
HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - DisableHiddenFile
HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - DisableShowSuperHidden
HCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\" - HideFileExtension
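The registry lists for Pulasi, Babelloh, RontokBro, Kibaki and Kalonzo above keep touching the same handful of values: Winlogon Shell and Userinit, AeDebug Debugger, SafeBoot AlternateShell, the exefile/batfile/comfile/piffile/lnkfile open commands, and the DisableTaskMgr/DisableRegistryTools/DisableCMD/NoFolderOptions/DisableSR policy DWORDs. The script below is an added example (not from this page or any vendor) that parses a regedit export offline and reports values deviating from the stock defaults the Pulasi entry lists as "Old value"; it also decodes the NoDriveTypeAutoRun mask that the Babelloh entry sets to B5. Hive names are spelled out as regedit exports them, and the sample export is constructed.

```python
"""Audit a regedit export (.reg) for the startup and lock-down values that the
worm entries on this page modify.  Added example with a constructed sample."""
import re
# Keys from the entries above, spelled out the way regedit exports them.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSRESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
# Clean baseline (lower-cased), taken from the "Old value" lines in the Pulasi entry.
EXPECTED = {(WINLOGON, "Shell"): "explorer.exe", (SAFEBOOT, "AlternateShell"): "cmd.exe",
            (AEDEBUG, "Debugger"): "drwtsn32 -p %ld -e %ld -g"}
for cls in ("exefile", "batfile", "comfile", "piffile", "lnkfile"):
    EXPECTED[(r"HKEY_CLASSES_ROOT\%s\shell\open\command" % cls, "@")] = '"%1" %*'
# Policy DWORDs the worms set to 1; any non-zero value is reported.
LOCKDOWN = [(POL_SYSTEM, "DisableTaskMgr"), (POL_SYSTEM, "DisableRegistryTools"),
            (POL_SYSTEM, "DisableCMD"), (POL_EXPLORER, "NoFolderOptions"),
            (SYSRESTORE, "DisableSR"), (SYSRESTORE, "DisableConfig")]
# NoDriveTypeAutoRun bitmask: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "remote",
                   0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown-type"}
# .reg strings escape backslash and double quote with a backslash.
UNESCAPE = re.compile(r"\\(.)")


def parse_reg(text):
    """Parse the [key], "name"=... and @=... subset of regedit export syntax.
    Strings are unescaped, dword: values become ints, other types stay raw."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or key is None:
            continue
        name = "@" if m.group(1) == "@" else UNESCAPE.sub(r"\1", m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = UNESCAPE.sub(r"\1", data[1:-1])
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        values[(key, name)] = data
    return values


def audit(values):
    """Return (key, name, actual) for every value that deviates from the baseline."""
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = values.get((key, name))
        if isinstance(actual, str) and actual.lower() != expected:
            findings.append((key, name, actual))
    # Userinit's directory varies per install, so only the file name is checked.
    userinit = values.get((WINLOGON, "Userinit"))
    if isinstance(userinit, str) and not re.fullmatch(r"(?i).*\\userinit\.exe,?", userinit):
        findings.append((WINLOGON, "Userinit", userinit))
    for key, name in LOCKDOWN:
        actual = values.get((key, name))
        if isinstance(actual, int) and actual != 0:
            findings.append((key, name, actual))
    return findings


def autorun_disabled_for(mask):
    """Drive types whose AutoRun a NoDriveTypeAutoRun value switches off."""
    return [label for bit, label in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


# Constructed export imitating the Pulasi "New value" state; not captured data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\Pencaria\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\system32\\pencaria\\lsass.exe"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\pencaria\\lsass.exe\" \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5
'''
```

Running audit(parse_reg(SAMPLE_REG)) reports the hijacked Userinit, Debugger and batfile command plus the two policy DWORDs, and autorun_disabled_for(0xB5) shows that B5 still leaves AutoRun enabled on fixed drives.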

The Kalonzo virus has a tendency to close running processes that could stop its own process. These include any process whose name contains the words
"ANTI, VIRUS, SYMAN, NOD32, TASK......."
The worm then may display a message and picture asking the user to vote for Kalonzo, and when you click the picture it directs you to the Kalonzo website if you are connected to the internet.
For removal tool call: 020-3537066