How To Clean New Virus W32/VBWorm.PEC

W32/VBWorm.PEC           2
Agustus 2008

Be carefull with Doraeman, Sin Chan dan
Tom & Jerry new virus came from indonesian

 

*THE ROAD TO SYUHADA*

--------------------------------------

*WAHAI DIRI...*

*JIKA KAU TIDAK GUGUR DI MEDAN JUANG...*

*KAU TETAP AKAN MATI...*

*WALAU DI ATAS RANJANG...

 

 

This virus detect by
Norman Security Suite with name W32/VBWorm.PEC.

This sample image for the virus detect by norman.

 

Norman Security Suite detected
like  W32/VBWorm.PEC (image
1).

Image1,
Norman Security Suite detect “Pilem Lutchu” name W32/VBWorm.PEC

 

Traits
File Virus

Traits this file virus like image : (see
image 2)

• 
  

  
  Employ icon Real
  Player (software media player
  made in Real Media)



• 
  

  
  Have size “129” kb



• 
  

  
  Type file “application”



• 
  

  
  Extention “exe”

Image 2, Contoh file virus
W32/VBWorm.PEC

 

Trend / Efect Virus

If the computer infected by virus W32/VBWorm.PEC, the
virus will block some function windows like System Configuration Utility /
MSConfig, Folder Options, and System Restore.

 

See image 3

Image
3, Script virus destroy program task manager and function windows

 

To manipulate
user, virus make a folder with name “pilem lutchu” (see image 4), to My
Documents and flashdisk / removable drive / external harddisk. The Folder
contain 3 file virus like sample image 3 file virus (contain Doraemon-Pistol
Perubah Tubuh Sebagian.rm.exe, Sinchan-Menginap
Di Sekolah.rm.exe, TOM
& JERRY 2.rm.exe).

 

Image
4, Folder make by virus for My Documents and flashdisk

 

W32/VBWorm.PEC leave
message to My Computer, with change “support information” from system
properties My Computer. Than Drive C, with make file “ THE
ROAD TO SYUHADA” , contain file virus (see image 5).

Image
5, Make message by virus W32/VBWorm.PEC

 

File Virus and Distribution

Beyon infection, the virus W32/VBWorm.PEC will
be make some file virus, like this :

• 
  

  
  C:\antiZionisme.rm.exe



• 
  

  
  C:\WINDOWS\Help\explorer.exe



• 
  

  
  C:\WINDOWS\system32\300403.exe



• 
  

  
  
  C:\WINDOWS\system32\aparaparsaparyangparipircapar.exe



• 
  

  
  C:\WINDOWS\system32\HacKid's.exe

File virus to  My Documents, with
folder “pilem lutchu”

• 
  

  
  Doraemon-Pistol change Tubuh
  Sebagian.rm.exe



• 
  

  
  Sinchan-Menginap Di Sekolah.rm.exe



• 
  

  
  TOM & Jerry 2.rm.exe

The virus distribution file like :

• 
  

  
  C:\WINDOWS\system32\060785.bat
  



• 
  

  
  C:\WINDOWS\system32\050587.vbs
  



• 
  

  
  C:\WINDOWS\system32\appdata.vbs
  



• 
  

  
  C:\WINDOWS\system32\run4.bat



• 
  

  
  C:\THE ROAD TO SYUHADA.ini
  



• 
  

  
  C:\WINDOWS\system32\oeminfo.ini

(see image 6).

Image

6, 3 name file virus “Pilem Lutchu”

 

Manipulate
Registri

The virus make string registry to
startup windows :

• 
  

  
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

noboe = C:\WINDOWS\Help\explorer.exe

• 
  

  
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon

Shell = Explorer.exe
%SystemRoot%\system32\060785.bat

 

• 
  

  
  HKEY_CURRENT_USER\Control
  Panel\Desktop

SCRNSAVE.EXE =
%SystemRoot%\system32\300403.exe

ScreenSaveActive = 1

ScreenSaveTimeOut = 60

 

• 
  

  
  HKEY_LOCAL_MACHINE\
  SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ system

NoDispScrSavPage = 1

 

• 
  

  
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoFolderOptions = 1

• 
  

  
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\ SystemRestore

DisableConfig = 1

DisableSR = 1

• 
  

  
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  \MSCONFIG.EXE

(Default) =
%SystemRoot%\system32\appdata.vbs

• 
  

  
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Hidden = 0

HideFileExt = 1

• 
  

  
  HKEY_LOCAL_MACHINE\
  SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer
  \Advanced\Folder\SuperHidden

UncheckedValue = 0

• 
  

  
  HKEY_LOCAL_MACHINE\
  SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer
  \Advanced\Folder\Hidden\SHOWALL

DefaultValue = 1

 

• 
  

  
  HKEY_LOCAL_MACHINE\
  SOFTWARE\Classes\.txt\shell\Open\command

(Default) = c:\Program Files\Internet
Explorer\IEXPLORE.EXE

• 
  

  
  HKEY_LOCAL_MACHINE\
  SOFTWARE\Classes\.reg\shell\Merge\command

(Default) =

 

• 
  

  
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot

AlternateShell = Explorer.exe
%SystemRoot%\system32\060785.bat

• 
  

  
  
  HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot

AlternateShell = Explorer.exe
%SystemRoot%\system32\060785.bat

• 
  

  
  
  HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot

AlternateShell = Explorer.exe
%SystemRoot%\system32\060785.bat

• 
  

  
  
  HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot

AlternateShell = Explorer.exe
%SystemRoot%\system32\060785.bat

 

How clean this virus :

1. 
   

   
   Login safe
   mode.



2. 
   

   
   Employ tools task manager, like Itty
   Bitty Process Manager

recomen :
http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html

 

kill process, ( see image 7)

• 
  

  
  C:\WINDOWS\Help\explorer.exe



• 
  

  
  C:\WINDOWS\system32\300403.exe



• 
  

  
  
  C:\WINDOWS\system32\aparaparsaparyangparipircapar.exe



• 
  

  
  C:\WINDOWS\system32\HacKid's.exe

Image
7, employ Itty Bitty Process Manager for kill virus active

3. 
   

   
   Del string registry or employ this
   script to save as like repair.inf

[Version]

Signature="$Chicago$"

Provider=Vaksincom Oyee

 

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

 

[UnhookRegKey]

HKLM,
SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"

HKLM,
SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"

HKLM,
SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"

HKLM,
SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"

HKLM,
SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe "%1""

HKLM,
SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

HKLM,
SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM,
SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM,
SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM,
SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKCU,
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden,0x00010001,1

HKCU,
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HideFileExt,0x00010001,0

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
UncheckedValue,0x00010001,1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,
DefaultValue,0x00010001,0

 

[del]

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, noboe

HKCU, Control Panel\Desktop,
SCRNSAVE.EXE

HKCU,
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKLM, SOFTWARE\Classes\.reg\shell

HKLM, SOFTWARE\Classes\.txt\shell

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, NoDispScrSavPage

HKLM,
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR

HKLM,
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig

 

4. 
   

   
   Then virus file virus like :

• 
  

  
  Icon “Real Player”



• 
  

  
  Extension *.exe



• 
  

  
  Size 129 kb