Saturday, June 16, 2007

RontokBro virus::solution for missing folder options, registry editor.

Solution for missing Folder Options and for "Registry editing has been disabled by your administrator", with information about the virus that causes it.

  • Solution to resolve your problem
  • How to disable or enable Windows Me System Restore
  • How to turn off or turn on Windows XP System Restore
  • Tool to reset shell\open\command registry subkeys



Infected by a virus named Rontokbro@mm

W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

Details of this Virus :

When W32.Rontokbro@mm is executed, it performs the following actions:

1. Copies itself as the following files:

* C:\Windows\PIF\CVT.exe
* %UserProfile%\APPDATA\IDTemplate.exe
* %UserProfile%\APPDATA\services.exe
* %UserProfile%\APPDATA\lsass.exe
* %UserProfile%\APPDATA\inetinfo.exe
* %UserProfile%\APPDATA\csrss.exe
* %UserProfile%\APPDATA\winlogon.exe
* %UserProfile%\Programs\Startup\Empty.pif
* %UserProfile%\Templates\A.kotnorB.com
* %System%\3D Animation.scr

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the folder:

%UserProfile%\Local Settings\Application Data\Bron.tok-24

3. Overwrites C:\Autoexec.bat with the following text:

"pause"

4. Adds the value:

"Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

5. Adds the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

6. Modifies the values:

"DisableRegistryTools" = "1"
"DisableCMD" = "2"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

7. Modifies the value:

"NoFolderOptions" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

8. Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

%UserProfile%\Templates\A.kotnorB.com

9. Reboots the computer when it detects a window whose title contains one of the following strings:

* ..
* .@
* @.
* .ASP
* .EXE
* .HTM
* .JS
* .PHP
* ADMIN
* ADOBE
* AHNLAB
* ALADDIN
* ALERT
* ALWIL
* ANTIGEN
* APACHE
* APPLICATION
* ARCHIEVE
* ASDF
* ASSOCIATE
* AVAST
* AVG
* AVIRA
* BILLING@
* BLACK
* BLAH
* BLEEP
* BUILDER
* CANON
* CENTER
* CILLIN
* CISCO
* CMD.
* CNET
* COMMAND
* COMMAND PROMPT
* CONTOH
* CONTROL
* CRACK
* DARK
* DATA
* DATABASE
* DEMO
* DETIK
* DEVELOP
* DOMAIN
* DOWNLOAD
* ESAFE
* ESAVE
* ESCAN
* EXAMPLE
* FEEDBACK
* FIREWALL
* FOO@
* FUCK
* FUJITSU
* GATEWAY
* GOOGLE
* GRISOFT
* GROUP
* HACK
* HAURI
* HIDDEN
* HP.
* IBM.
* INFO@
* INTEL.
* KOMPUTER
* LINUX
* LOG OFF WINDOWS
* LOTUS
* MACRO
* MALWARE
* MASTER
* MCAFEE
* MICRO
* MICROSOFT
* MOZILLA
* MYSQL
* NETSCAPE
* NETWORK
* NEWS
* NOD32
* NOKIA
* NORMAN
* NORTON
* NOVELL
* NVIDIA
* OPERA
* OVERTURE
* PANDA
* PATCH
* POSTGRE
* PROGRAM
* PROLAND
* PROMPT
* PROTECT
* PROXY
* RECIPIENT
* REGISTRY
* RELAY
* RESPONSE
* ROBOT
* SCAN
* SCRIPT HOST
* SEARCH R
* SECURE
* SECURITY
* SEKUR
* SENIOR
* SERVER
* SERVICE
* SHUT DOWN
* SIEMENS
* SMTP
* SOFT
* SOME
* SOPHOS
* SOURCE
* SPAM
* SPERSKY
* SUN.
* SUPPORT
* SYBARI
* SYMANTEC
* SYSTEM CONFIGURATION
* TEST
* TREND
* TRUST
* UPDATE
* UTILITY
* VAKSIN
* VIRUS
* W3.
* WINDOWS SECURITY.VBS
* WWW
* XEROX
* XXX
* YOUR
* ZDNET
* ZEND
* ZOMBIE

10. May also launch a ping flood attack on the following sites:

* israel.gov.il
* playboy.com

11. Gathers email addresses from files with the following extensions on all local drives from C to Y:

* .asp
* .cfm
* .csv
* .doc
* .eml
* .html
* .php
* .txt
* .wab

12. Avoids sending itself to email addresses that contain any of the following strings in the domain name:

* PLASA
* TELKOM
* INDO
* .CO.ID
* .GO.ID
* .MIL.ID
* .SCH.ID
* .NET.ID
* .OR.ID
* .AC.ID
* .WEB.ID
* .WAR.NET.ID
* ASTAGA
* GAUL
* BOLEH
* EMAILKU
* SATU

13. May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

* smtp.
* mail.
* ns1.

14. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:
BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

Attachment:

Kangen.exe

Solution

* Disable System Restore (Windows Me/XP).
* Update the virus definitions if you have any anti-virus program.
* Run a full system scan and delete all the files detected. Use the Security Response "Tool to reset shell\open\command registry subkeys."
* Delete any values added to the registry.
* Delete the scheduled task.
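As an added example (not part of the original write-up or of Symantec's removal tool), the PowerShell script below audits a machine for the registry values, dropped files and scheduled task listed above, and removes the registry values and files only when run with -Remove. It assumes an elevated prompt, PowerShell 2.0 or later, and the default %UserProfile% and %System% locations named in the write-up.

```powershell
# Added example, not from the original write-up: audit a host for the Rontokbro
# indicators listed above. Report-only by default; -Remove deletes the registry
# values and dropped files (run it only after the worm's processes are stopped,
# e.g. after the anti-virus scan or from Safe Mode, or in-use files won't delete).
param([switch]$Remove)

$up  = $env:USERPROFILE                      # %UserProfile%
$sys = Join-Path $env:SystemRoot 'System32'  # %System% on Windows XP

# Registry values the worm adds (Run) or modifies (Policies), per the write-up
$regValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Tok-Cirrhatus' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Bron-Spizaetus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
# Files and the folder the worm creates
$paths = @(
    'C:\Windows\PIF\CVT.exe',
    "$up\APPDATA\IDTemplate.exe", "$up\APPDATA\services.exe", "$up\APPDATA\lsass.exe",
    "$up\APPDATA\inetinfo.exe",   "$up\APPDATA\csrss.exe",    "$up\APPDATA\winlogon.exe",
    "$up\Programs\Startup\Empty.pif", "$up\Templates\A.kotnorB.com",
    "$sys\3D Animation.scr",
    "$up\Local Settings\Application Data\Bron.tok-24"
)

$hits = 0
foreach ($r in $regValues) {
    if (-not (Test-Path $r.Key)) { continue }
    $val = (Get-ItemProperty -Path $r.Key -ErrorAction SilentlyContinue).($r.Name)
    if ($null -eq $val) { continue }
    $hits++
    Write-Output "[REG]  $($r.Key)\$($r.Name) = $val"
    if ($Remove) { Remove-ItemProperty -Path $r.Key -Name $r.Name -Force }
}
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $hits++
    Write-Output "[FILE] $p"
    if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
}
# The daily 5:08 PM task: schtasks.exe exists on XP and later. Delete the task
# through Scheduled Tasks in Control Panel (see the removal steps) after checking it.
$task = schtasks /query /fo LIST /v 2>$null | Select-String -SimpleMatch 'A.kotnorB.com'
if ($task) { $hits++; Write-Output "[TASK] a scheduled task runs A.kotnorB.com" }
Write-Output "$hits Rontokbro indicator(s) found$(if ($Remove) { ' and removed' })"
```

Clearing DisableRegistryTools and NoFolderOptions is what restores the Registry Editor and the Folder Options menu; a reboot is not needed, but Explorer may have to be restarted before the menu reappears.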



1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
Steps 4 to 6 below belong to section 5, "To delete the value from the registry", and continue from its step 3 (clicking OK in the Run box):

4. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. In the right pane, delete the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

6. Exit the Registry Editor.


6. To delete the scheduled tasks added by the worm

1. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
2. In the Control Panel window, double-click Scheduled Tasks.
3. Right-click the task icon and select Properties from the pop-up menu.
4. The properties of the task are displayed.
5. Delete the task if the contents of the Run text box in the Task tab match the following:

%UserProfile%\Templates\A.kotnorB.com

How to turn off or turn on Windows XP System Restore

* Click Start.
* Right-click My Computer, and then click Properties.
* On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
* Click Apply.
* When you see the confirmation message, click Yes.
* Click OK.



2. To update the virus definitions

Update your definitions with any anti-virus program you have.

3. To scan for and delete the infected files

1. Run a full system scan.
2. If any files are detected, click Delete.


4. Using the Security Response "Tool to reset shell\open\command registry subkeys."
This risk makes changes to the Windows registry that may prevent you from running executable files. Security Response has developed a tool to reset these values to the default settings. This tool is the easiest way to fix this.

Info:
As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.

They may also change a registry value so that you cannot run the Registry Editor at all.



FOLLOW THESE STEPS:

1. Download the file UnHookExec.inf and save it to your Windows desktop.

(If you cannot connect to the Internet from the infected computer, download to an uninfected computer then save it to a floppy disk. Then take the floppy disk and insert it in the floppy disk drive of the infected computer.)

Note: The tool has a .inf file extension.

2. Locate the download file, either on the Windows desktop or the floppy disk.

3. Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or dialog boxes when you run it.)

4. Follow any other instructions for the threat that you are trying to remove.


5. To delete the value from the registry


Important: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.

Manual steps to export registry subkeys
You can follow these steps to export a registry subkey before you edit it.

Note: Do not follow these steps to export a whole registry subtree. (HKEY_CURRENT_USER is an example of such a subtree.) If you must back up whole registry subtrees, back up the whole registry instead.

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the subkey that contains the value that you want to edit.
4. On the File menu, click Export.
5. In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.


Modify the specified subkeys only.

1. Click Start > Run.
2. Type regedit
3. Click OK.

Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it (the DisableRegistryTools value described above); use the "Tool to reset shell\open\command registry subkeys" from section 4 first.