Discussion on 'How do you enable Registry Editing again if it has ...?'

(2) On December 01, 2007 at 8:55 pm Mdezzani [0] said:

I used the suggested VBS link and it works and is very simple.

(1) On March 23, 2007 at 8:05 pm Alfidai [161] said:

This section is for technical experts who want to know more.

W32/Brontok-C is an email worm that sends itself to the addresses gathered from the infected computer, skipping email addresses that contain the following strings :

PLASA,TELKOM,INDO,.CO.ID,.GO.ID,.MIL.ID,.SCH.ID,.NET.ID,.OR.ID,.AC.ID,.WEB.ID,.WAR.NET.ID,ASTAGA,GAUL,BOLEH,EMAILKU,SATU

W32/Brontok-C may arrive attached with a filename randomly chosed from the following :

winword.exe

kangen.exe

ccapps.exe

syslove.exe

untukmu.exe

myheart.exe

my heart.exe

jangan dibuka.exe

The email is sent with a blank subject line and the following message text :

-- Hentikan kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN")

2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )

3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.

4. SAY NO TO DRUGS !!!

-- KIAMAT SUDAH DEKAT --

Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah

By: HVM31 -- JowoBot #VM Community --

!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

When first run W32/Brontok-C copies itself to:

\Local Settings\Application Data\csrss.exe

\Local Settings\Application Data\inetinfo.exe

\Local Settings\Application Data\lsass.exe

\Local Settings\Application Data\services.exe

\Local Settings\Application Data\smss.exe

\Local Settings\Application Data\winlogon.exe

\Empty.pif

\Templates\Brengkolang.com

\ShellNew\sempalong.exe

\eksplorasi.exe

\repclient1's Setting.scr

W32/Brontok-C will create a remote task in the following location in order to run a copy of itself on a daily basis to maintain infection :

\Tasks\At1.job

W32/Brontok-C attempts to download files from a remote website to the following location :

\Local Settings\Application Data\ListHost11.txt

\Local Settings\Application Data\Update.11.Bron.Tok.bin

At the time of writing these files were unavailable from the remote website.

The following registry entries are created to run W32/Brontok-C on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Tok-Cirrhatus

\Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Bron-Spizaetus

\ShellNew\sempalong.exe

The following registry entry is changed to run eksplorasi.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell

Explorer.exe "\eksplorasi.exe"

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup).

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoFolderOptions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableCMD

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Hidden

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HideFileExt

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

ShowSuperHidden

Sign in to add your own comment. (This only takes a few seconds.)

Answers.com > Wiki Answers > Categories > Technology > Computers > Computer Software and Applications > Question > Discussion of "How do you enable Registry Editing again if it has ...?"