This is not a new virus, whatever most people say. It was first detected on 10 October 2008. You may only just have been infected by it, and nobody reported it to an antivirus company before, which is why your antivirus can't detect it.
Here is the history of this so-called new virus. Before it there were viruses named Kenshin, Doraemon and Naruto. Most of them have the same ability: to "destroy" and delete your system files. Actually, nothing is destroyed; the files are only HIDDEN in the same directory.
After Donal Bebek saw this virus, someone, somewhere in Japan, modified it and made it more powerful. Donal Bebek came up with a new idea, and on 10 October 2008 the world witnessed a newborn virus called Bulubebek. Recently the rate of spreading has increased, and even I do not know why or how.
Locally in Indonesia, more than ten thousand computers have been reported infected with this virus.
Bulubebek is written in a high-level programming language, the famous Visual Basic, and its file size is only 53 KB. The virus has two original files: the EXE and its INF.
Here is what happens if you are infected with the virus.
Norman Security Suite detects the virus as VbWorm.QXE.
INFECTION
After the virus is activated, it writes certain files so that it is started automatically every time you turn on your computer. It also creates files in your %systemroot% and in your Documents and Settings folder.
The files the virus creates:
%systemroot%\Script.exe
%systemroot%\LSASS.exe
C:\Documents and Settings\%User%\autorun.inf
C:\Documents and Settings\%User%\bulubebek.ini
These files are created on every one of your volumes:
C:\bulubebek.ini
C:\autorun.inf
This is how it auto-starts when you turn on your computer: the Winlogon Shell value normally holds only explorer.exe, and every extra program name appended to it (here script.exe) is launched alongside Explorer at every logon.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe script.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe script.exe
Defence System
To defend itself, it prevents the user from accessing some Windows functions such as Task Manager, Folder Options and CMD. To do this, it writes the following values into your registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
- CheckedValue=2
- DefaultValue = 2
- UncheckedValue = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
- CheckedValue= 0
- DefaultValue = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- CheckedValue= 2
- DefaultValue = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
- CheckedValue= 0
- DefaultValue = 0
- UncheckedValue = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
- CheckedValue= 0
- DefaultValue = 0
- UncheckedValue = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
- CheckedValue= 2
- DefaultValue = 2
- UncheckedValue = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
- CheckedValue= 1
- DefaultValue = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
- CheckedValue= 0
- DefaultValue = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFolderOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hidden = 2
- HideFileExt = 1
- ShowSuperHidden = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
AutoRun = exit
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
AutoRun = exit
It also prevents Windows from using "Microsoft Visual Studio Debugging Tools", the file SPYXX.EXE. When Windows or certain drivers and programs access the file, a message box pops up telling you that the file is unavailable. That is because the virus has altered a string in the registry: it registers a bogus "debugger" for SPYXX.EXE under Image File Execution Options, so Windows tries to launch that string instead of the program and fails.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.EXE
debugger = TAI BEBEK
(Screenshot: error message from SPYXX.EXE)
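As an added example (not code from the original post or from any antivirus vendor), here is a small Python audit that checks the persistence and lockout values listed above. It runs against a snapshot dictionary, so the logic works offline on any OS; on a Windows machine read_live_snapshot() reads the same keys through the standard winreg module. The key paths and value names are the ones the post lists; the two sample snapshots are constructed, not captured from a real machine.

```python
"""Offline audit of the Bulubebek registry indicators listed above.

Added example, not from the original post. A snapshot is a dict keyed by
(hive, subkey, value name). Sample snapshots below are constructed.
"""

WINLOGON = r"Microsoft\Windows NT\CurrentVersion\Winlogon"
CMDPROC = r"Microsoft\Command Processor"
POL_SYSTEM = r"Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"Microsoft\Windows\CurrentVersion\Policies\Explorer"
IFEO_SPYXX = (r"Microsoft\Windows NT\CurrentVersion"
              r"\Image File Execution Options\SPYXX.EXE")

# (hive, subkey, value name) triples named in the post.
CHECKS = [
    ("HKLM", "SOFTWARE\\" + WINLOGON, "Shell"),
    ("HKCU", "Software\\" + WINLOGON, "Shell"),
    ("HKLM", "SOFTWARE\\" + CMDPROC, "AutoRun"),
    ("HKCU", "Software\\" + CMDPROC, "AutoRun"),
    ("HKCU", "Software\\" + POL_SYSTEM, "DisableRegistryTools"),
    ("HKCU", "Software\\" + POL_SYSTEM, "DisableTaskMgr"),
    ("HKCU", "Software\\" + POL_EXPLORER, "NoFolderOptions"),
    ("HKLM", "SOFTWARE\\" + IFEO_SPYXX, "Debugger"),
]

Snapshot = dict[tuple[str, str, str], object]


def audit(snapshot: Snapshot) -> list[str]:
    """Return one finding per indicator present in the snapshot."""
    findings: list[str] = []
    for hive, key, name in CHECKS:
        if (hive, key, name) not in snapshot:
            continue
        value = snapshot[(hive, key, name)]
        where = f"{hive}\\{key}\\{name}"
        if name == "Shell":
            # Winlogon\Shell must be exactly explorer.exe; every extra token
            # (here "script.exe") is started alongside Explorer at logon.
            if str(value).lower().split() != ["explorer.exe"]:
                findings.append(f"{where} = {value!r}: extra logon shell entry")
        elif name == "AutoRun":
            # cmd.exe executes AutoRun on every start; "exit" closes it at once.
            if str(value).strip():
                findings.append(f"{where} = {value!r}: Command Prompt sabotaged")
        elif name == "Debugger":
            # An IFEO Debugger for SPYXX.EXE makes Windows launch that string
            # instead of the tool; nothing legitimate sets one here.
            findings.append(f"{where} = {value!r}: IFEO hijack")
        else:
            # Policy DWORDs: any non-zero value locks the user out of the tool.
            if int(value) != 0:
                findings.append(f"{where} = {value!r}: tool disabled by policy")
    return findings


def read_live_snapshot() -> Snapshot:
    """Windows only: read the same values from the live registry."""
    import winreg  # standard library module, present only on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, key, name in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                snap[(hive, key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:  # key or value absent
            pass
    return snap


# Constructed sample: the values the post describes on an infected machine.
SAMPLE_INFECTED: Snapshot = {
    ("HKLM", "SOFTWARE\\" + WINLOGON, "Shell"): "explorer.exe script.exe",
    ("HKCU", "Software\\" + WINLOGON, "Shell"): "explorer.exe script.exe",
    ("HKLM", "SOFTWARE\\" + CMDPROC, "AutoRun"): "exit",
    ("HKCU", "Software\\" + CMDPROC, "AutoRun"): "exit",
    ("HKCU", "Software\\" + POL_SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU", "Software\\" + POL_EXPLORER, "NoFolderOptions"): 1,
    ("HKLM", "SOFTWARE\\" + IFEO_SPYXX, "Debugger"): "TAI BEBEK",
}

# Constructed sample: a clean Windows XP default.
SAMPLE_CLEAN: Snapshot = {
    ("HKLM", "SOFTWARE\\" + WINLOGON, "Shell"): "Explorer.exe",
    ("HKCU", "Software\\" + POL_SYSTEM, "DisableRegistryTools"): 0,
}

if __name__ == "__main__":
    import sys
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in audit(snap) or ["no Bulubebek indicators found"]:
        print(line)
```

Run it on a Windows host to audit the live registry, or anywhere else to see the findings for the constructed infected snapshot. The Shell check deliberately compares against the whole token list rather than searching for "script.exe", so any other program appended to the logon shell is reported too.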
Spreading method
Flash disks are the main medium through which this virus spreads: it copies Autorun.inf and bulubebek.ini to your flash disk, and the Autorun.inf starts the virus when the disk is opened on a machine with AutoRun enabled.
(Screenshot: the strings inside the Autorun.inf)
EFFECT
Unlike other viruses, this virus does not harm the host. The maker of this virus has no intention of harming the host; more likely it is only for fun and competition between virus makers.
The only effects after this virus is activated are:
1. It tries to hide all of your files/folders on the flash disk or the host (computer).
2. It makes a clone of your files/folders (with the original names).
3. It uses your system resources. It uses the folder icon from System32, so the clone looks like a folder.
(Screenshot: look at the Type column; it says Application, not Folder. This is the virus!!!)
CLEANING BULUBEBEK VIRUS
Before you carry out this procedure, MAKE SURE:
1. You are OFFLINE.
2. System Restore is disabled for the time being (Windows ME/XP only).
3. You kill the virus process in memory using an alternative to Task Manager such as Process Explorer (Procexp) or another tool that can access running process memory. You can use TuneUp Utilities, but you have to buy it.
4. The Bulubebek process has the folder icon and the name LSASS.EXE. (The genuine lsass.exe lives in %systemroot%\System32; the virus copy sits directly in %systemroot%, as listed above. Check the path before killing anything.)
5. Right-click it (in Procexp) and select Kill Process Tree.
The script below reverts your registry to its original contents. Copy the script below into Notepad and save it as "Repair.inf", including the quotes. After that:
1. Right-click Repair.inf.
2. Click Install and you're done.
********** copy below after this comment ******************
[Version]
Signature="$Chicago$"
Provider=xenomorf
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
; restore the default "open" commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
; two consecutive quotes inside an INF string stand for one literal quote
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; logon shell back to Explorer only (drops the appended script.exe)
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
; empty AutoRun so cmd.exe no longer runs "exit" on every start
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
[del]
; remove the policy values that lock out Registry Editor, Task Manager and Folder Options
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
; delete the bogus "debugger" the virus registers for SPYXX.EXE
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.EXE
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
************ Do not copy this LINE *******
Search for and destroy the files the virus has duplicated.
If Folder Options is still unavailable, log off and log back on, then recover your original files or folders using the command and properties below.
To delete the duplicate files, use the DETAILS view so it is easier to tell the virus from your original files. The properties below will help you recognise the virus application:
1. It uses the folder icon.
2. Its file size is only 53 KB.
3. Its extension is EXE.
4. Its file type is Application.
Use the Search function to locate the virus.
Most of your original files are not LOST; they are SUPER-HIDDEN. That means they are marked as system files (the System and Hidden attributes are set) so that they cannot be edited or recovered normally. The next step will get your files back.
This is done with the ATTRIB command in the Command Prompt.
Click "Start"
Click "Run"
Type "CMD", press [ENTER]
Change to your flash drive (i.e. its drive letter, such as E:, F:, and so on)
Enter this command: cd /D [Drive Letter]: *** the [ ] are not included
Enter this command: ATTRIB -s -h -r /s /d and then press [ENTER] (this removes the System, Hidden and Read-only attributes; /s recurses into subfolders and /d applies the change to folders as well as files)
I didn't change my drive letter because I only changed my directory.
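As an added example, not part of the original post, the following Python script does the detection half of this procedure: it finds every EXE whose base name matches a sibling folder or file (the clone pattern described above, e.g. "Photos" beside "Photos.exe" or "thesis.doc" beside "thesis.doc.exe") and, on Windows, reports whether the original carries the Hidden and System attributes that the ATTRIB command removes. The flash-drive layout it scans is constructed in a temporary directory with inert placeholder files; the 53 KB size from the post is used only as a hint, since the size of the real file may differ.

```python
"""Locate the EXE clones the virus leaves beside super-hidden originals.

Added example, not the post's own code. find_clones() walks a drive and
reports each *.exe whose base name matches a sibling entry; on Windows it
also reports whether the sibling has the Hidden+System attributes (None
elsewhere). build_sample_tree() writes a constructed layout for a dry run.
"""
import os
import stat
import tempfile
from pathlib import Path

REPORTED_SIZE = 53 * 1024  # size the post gives for the virus EXE
HIDDEN_SYSTEM = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
                 | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4))


def is_super_hidden(path: Path):
    """True/False on Windows; None where st_file_attributes is unavailable."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def find_clones(root) -> list[dict]:
    """Walk root and return one record per suspected clone EXE, sorted by path."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # case-insensitive lookup of everything that sits next to each EXE
        siblings = {n.lower(): n for n in dirnames + filenames}
        for fn in filenames:
            if not fn.lower().endswith(".exe"):
                continue
            twin = siblings.get(fn[:-4].lower())  # "Photos.exe" -> "Photos"
            if twin is None:
                continue
            exe = Path(dirpath) / fn
            original = Path(dirpath) / twin
            size = exe.stat().st_size
            hits.append({
                "clone": exe.relative_to(root).as_posix(),
                "original": original.relative_to(root).as_posix(),
                "size_kb": round(size / 1024),
                "size_matches_report": abs(size - REPORTED_SIZE) <= 2048,
                "original_super_hidden": is_super_hidden(original),
            })
    return sorted(hits, key=lambda h: h["clone"])


def build_sample_tree(root) -> None:
    """Constructed sample of an infected flash drive (no real malware)."""
    root = Path(root)
    stub = b"MZ" + b"\0" * (REPORTED_SIZE - 2)  # inert 53 KB placeholder
    (root / "Photos").mkdir()
    (root / "Photos" / "holiday.jpg").write_bytes(b"constructed image stub")
    (root / "Photos.exe").write_bytes(stub)  # clone of the folder
    (root / "thesis.doc").write_bytes(b"constructed document")
    (root / "thesis.doc.exe").write_bytes(stub)  # clone of the file
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 4094)  # genuine, no twin
    (root / "bulubebek.ini").write_text("constructed marker file\n")


def run_demo() -> list[dict]:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_clones(tmp)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['clone']:<16} twin={hit['original']:<12} "
              f"{hit['size_kb']} KB  super_hidden={hit['original_super_hidden']}")
```

On a real drive call find_clones("E:\\") (or the drive letter you used with cd /D) and review the list before deleting anything: a legitimate installer whose name happens to match a folder would also be listed, which is why the record carries the size and attribute fields rather than a verdict.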
To ensure that the virus has been cleaned, update your antivirus and run a full scan.
If you have any comment or suggestion, please comment below.