Thursday, October 30, 2008

Baca Bro Virus

I would like to share this with anyone who has this virus.

Symptoms
Not able to launch Task Manager, as it auto-closes (it is not "disabled by administrator")
Not able to launch regedit.exe, as it is "disabled by administrator"
You'll find a text file at C:\Baca Bro !!!.txt
Unable to install any application or run a setup program, because it auto-closes

P.S.: Don't think you can google "antivirus" or a similar keyword in your browser, because it will auto-close your browser too.

1st, we need an alternative third-party task manager; I recommend Starter
http://www.snapfiles.com/opinions/Starter/Starter.html

2nd, replace your Task Manager with Process Explorer, which shows more detail than taskmgr.exe
http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

3rd, to be able to view super-hidden folders, please download RegTick
http://www.snapfiles.com/get/regtick.html

4th, disable System Restore by following these steps
- Right-click "My Computer", select the System Restore tab and check the small box "Turn Off System Restore"

Let's start....

Run Starter and kill these processes if they are currently running. KILL THESE PROCESSES ONLY IF THEY RUN UNDER "YOUR USERNAME", NOT UNDER "SYSTEM". If you accidentally kill a process running under SYSTEM, no worry: either your PC will restart by itself or you'll just need to reboot it.

j.exe
o.exe
b.exe
csrss.exe
lsass.exe
services.exe
smss.exe
sv.exe
winlogon.exe
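The rule in the list above (the genuine csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe run from the System32 folder under the SYSTEM account, while the worm's copies of the same names run from its own folders under your username) can be applied to a process list mechanically. The script below is an added example, not part of the original post; its sample rows are constructed, and on a live machine they would come from Process Explorer's Path and User Name columns. It assumes Windows is installed on C:.

```python
"""Triage a process list for the Brontok / 'Baca Bro' worm.

Genuine csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe run
from the System32 folder under the SYSTEM account.  The worm drops copies
with the same names into its own folders and runs them as the logged-in
user, which is why the post says to kill only the ones under your username.
"""
import ntpath

# Windows process names the worm reuses (kill only the fake copies).
MASQUERADE_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
# Names that belong only to the worm (from the post's process list).
WORM_ONLY_NAMES = {"j.exe", "o.exe", "b.exe", "sv.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: Windows installed on C:


def is_system_account(owner: str) -> bool:
    """True for 'SYSTEM' or 'NT AUTHORITY\\SYSTEM', ignoring case."""
    return owner.rsplit("\\", 1)[-1].upper() == "SYSTEM"


def classify(proc: dict) -> str:
    """Return 'kill', 'keep' or 'ignore' for one {'name','path','owner'} row."""
    name = proc["name"].lower()
    if name in WORM_ONLY_NAMES:
        return "kill"
    if name in MASQUERADE_NAMES:
        # normcase lowercases and normalises slashes, so the comparison is
        # insensitive to how the path was captured.
        in_system32 = ntpath.dirname(ntpath.normcase(proc["path"])) == SYSTEM32
        genuine = in_system32 and is_system_account(proc["owner"])
        return "keep" if genuine else "kill"
    return "ignore"


def triage(procs) -> list:
    """Return the full paths of every process that should be terminated."""
    return [p["path"] for p in procs if classify(p) == "kill"]


# Constructed sample rows (not a capture from a real machine); the random
# folder name n5817 is the one the post shows.
SAMPLE_PROCESSES = [
    {"name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe", "owner": r"NT AUTHORITY\SYSTEM"},
    {"name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe", "owner": r"NT AUTHORITY\SYSTEM"},
    {"name": "csrss.exe", "path": r"C:\WINDOWS\system32\n5817\csrss.exe", "owner": r"PC\alice"},
    {"name": "lsass.exe", "path": r"C:\WINDOWS\system32\n5817\lsass.exe", "owner": r"PC\alice"},
    {"name": "sv.exe", "path": r"C:\WINDOWS\system32\n\sv.exe", "owner": r"PC\alice"},
    {"name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe", "owner": r"PC\alice"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_PROCESSES):
        print("kill:", path)
```

A copy of lsass.exe that sits in System32 but runs under your own account is still reported as "kill": the script requires both the path and the owner to match before it treats a process as genuine, which is the same judgement the post asks you to make by eye.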

Done; now you should be able to run your Task Manager. Please use Process Explorer to double-check whether any of the processes listed above is still running. If yes, kill it. Once that is complete, we'll remove the physical files used by this virus. Please go to these locations and remove all the files.

IMPORTANT: PLEASE USE "SHIFT+DELETE" (a permanent delete that bypasses the Recycle Bin)

<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv.exe
<System>\n<random>\winlogon.exe
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
C:\Baca Bro !!!.txt <----- if Windows is installed on the C: drive; if on D:, it would be D:\Baca Bro !!!.txt, and so on.

Once done, proceed to remove the registry entries.

Use RegTick to re-enable your regedit.exe, then proceed to remove the registry entries.

The following registry entries are created to run yesbron.com, _default<random>.pif, j<random>.exe and sv<random>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n\sv<random>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe

The following registry entries are changed to run j.exe and o.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:
HKCU\Software\Brontok\
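The registry changes listed above can be checked without touching the live registry: export the keys with reg export (or regedit's File > Export) and audit the resulting .reg text against the documented defaults. The script below is an added example, not part of the original post. SAMPLE_REG is a constructed dump whose random folder and value names (o9x2.exe, j9x2.exe, dv9x2, q7ab) are made up for the example; the defaults for Shell and Userinit are the ones the post quotes.

```python
"""Audit a .reg export for the Brontok / 'Baca Bro' persistence entries."""
import re

# Constructed sample export (not from a real infection); random names made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o9x2.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j9x2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Brontok]
"Message"="Look @ \"C:\\Baca Bro !!!.txt\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"q7ab"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\dv9x2\\yesbron.com"
'''

# Constructed export of a machine with the default Winlogon values.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=value, name may contain \"


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg(text: str) -> dict:
    """Return {key path (lowercase): {value name (lowercase): value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue  # header, blank, comment or unsupported line
        name, val = _unescape(m.group(1)).lower(), m.group(2)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape(val[1:-1])      # REG_SZ
        elif val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)          # REG_DWORD
        else:
            keys[current][name] = val                       # hex:/other, kept raw
    return keys


HKLM, HKCU = "hkey_local_machine\\", "hkey_current_user\\"
WINLOGON = HKLM + r"software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = HKCU + r"software\microsoft\windows\currentversion\policies\system"
ADVANCED = HKCU + r"software\microsoft\windows\currentversion\explorer\advanced"
BRONTOK = HKCU + r"software\brontok"
POLICY_RUN = [h + r"software\microsoft\windows\currentversion\policies\explorer\run" for h in (HKCU, HKLM)]


def audit(keys: dict) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = wl.get("shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell = {shell!r} (default: 'Explorer.exe')")
    extra = [p.strip() for p in wl.get("userinit", "").split(",")
             if p.strip() and not p.strip().lower().endswith(r"\system32\userinit.exe")]
    if extra:
        findings.append(f"Winlogon\\Userinit also launches {extra}")
    if keys.get(POLICY_SYSTEM, {}).get("disableregistrytools") == 1:
        findings.append("Policies\\System\\DisableRegistryTools = 1 (regedit blocked)")
    adv = keys.get(ADVANCED, {})
    for name, worm_value in (("hidden", 0), ("hidefileext", 1), ("showsuperhidden", 0)):
        if adv.get(name) == worm_value:
            findings.append(f"Explorer\\Advanced\\{name} = {worm_value} (value the worm sets)")
    if BRONTOK in keys:
        findings.append("HKCU\\Software\\Brontok exists")
    for key in POLICY_RUN:  # anything here runs at logon and is rarely legitimate
        for name, target in keys.get(key, {}).items():
            findings.append(f"Policies\\Explorer\\run: {name!r} -> {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

The Shell and Userinit checks are the ones worth keeping after the cleanup: if either still points at a file outside System32, the worm comes back at the next logon no matter how many files were deleted. HideFileExt = 1 is also the value of a fresh Windows install, so on its own it is weak evidence; it is reported only because the post lists it among the values the worm sets.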

That's all. Thanks.

Credits to: MOFO
