April 10, 2009

Bulubebek

W32/VBWorm.QXE (bulubebek)

This is not the new virus that many people say it is. It was first detected on 10 October 2008. Most likely you have only just been infected by it, and nobody reported it to your antivirus vendor before, which is why your antivirus did not detect it.


This is the history of this so-called new virus. Before it there were viruses named Kenshin, Doraemon and Naruto. Most of them have the same ability: to "destroy" and delete your system files. In fact nothing is destroyed; they only HIDE the files in the same directory.
After Donal Bebek saw this virus, someone in Japan modified it and made it more powerful. Donal Bebek came up with a new idea, and on 10 October 2008 the world saw a newborn virus called Bulubebek. Recently its spreading rate has increased, although even I do not know why or how.
Locally in Indonesia, more than ten thousand computers have been reported infected with the virus.

Bulubebek is written in a high-level programming language, the famous Visual Basic, and its file size is only 53 KB. The virus has two original files: the EXE and its INF.

(Screenshot: what happens after you are infected with the virus.)

Norman Security Suite detects the virus as VbWorm.QXE.



INFECTION
After the virus is activated, it writes certain files so that it runs automatically every time you turn on your computer. It also creates files in %systemroot% and in your Documents and Settings profile.
Files created by the virus:

%systemroot%\Script.exe
%systemroot%\LSASS.exe
C:\Documents and Settings\%User%\autorun.inf
C:\Documents and Settings\%User%\bulubebek.ini

Note that the genuine lsass.exe lives in %systemroot%\System32; a file called LSASS.exe directly in %systemroot% is the virus.

These files are created in the root of every volume:

C:\bulubebek.ini
C:\autorun.inf

This is how it starts automatically when you turn on your computer (the Shell value normally exists only under HKEY_LOCAL_MACHINE and reads just "explorer.exe"):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe script.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe script.exe


Defence System


To defend itself, it prevents the user from opening some Windows functions such as Task Manager, Folder Options and CMD. To do this it writes the following values to your registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
- CheckedValue = 2
- DefaultValue = 2
- UncheckedValue = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
- CheckedValue = 0
- DefaultValue = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- CheckedValue = 2
- DefaultValue = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
- CheckedValue = 0
- DefaultValue = 0
- UncheckedValue = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
- CheckedValue = 0
- DefaultValue = 0
- UncheckedValue = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
- CheckedValue = 2
- DefaultValue = 2
- UncheckedValue = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
- CheckedValue = 1
- DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
- CheckedValue = 0
- DefaultValue = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFolderOptions

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hidden = 2
- HideFileExt = 1
- ShowSuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
- AutoRun = exit

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- AutoRun = exit

The SHOWALL and NOHIDDEN entries normally have CheckedValue 1 and 2 respectively; with those numbers swapped, choosing "Show hidden files and folders" in Folder Options no longer has any effect, so the hidden originals stay invisible. The Command Processor AutoRun value is a command that cmd.exe runs every time it starts, so setting it to "exit" closes every Command Prompt window the moment it opens.



It also prevents Windows from using the "Microsoft Visual Studio Debugging Tools" file SPYXX.EXE. When Windows or certain drivers and programs access the file, a message box pops up telling you that the file is unavailable. This is because the virus has altered a string in the registry: the Image File Execution Options entry below tells Windows to start the named "debugger" instead of SPYXX.EXE whenever SPYXX.EXE is launched, and no such program exists.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.EXE
debugger = TAI BEBEK




(Screenshot: error message from SPYXX.EXE.)
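The persistence and self-defence entries above can be checked in one pass. The following audit script is an added example, not code from the original post; it assumes an elevated PowerShell on the suspect machine and only reads the registry values and dropped files listed on this page, changing nothing.

```powershell
# Added audit script for the indicators listed in this post. It is not code from the
# original post or from the worm; it only reads the registry and file system and
# prints what it finds, changing nothing. Run it in an elevated PowerShell.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Each check: key, value name, and a test that is true for the worm's setting.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';
       Bad = { param($v) $null -ne $v } },            # Shell is normally absent under HKCU
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';
       Bad = { param($v) $v -ne 'explorer.exe' } },   # worm: "explorer.exe script.exe"
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.EXE';
       Name = 'debugger'; Bad = { param($v) $null -ne $v } },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor'; Name = 'AutoRun';
       Bad = { param($v) [string]$v -ne '' } },        # worm: "exit"
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor'; Name = 'AutoRun';
       Bad = { param($v) [string]$v -ne '' } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';
       Bad = { param($v) $v -eq 1 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';
       Bad = { param($v) $v -eq 1 } },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL';
       Name = 'CheckedValue'; Bad = { param($v) $v -ne 1 } }   # default 1, worm sets 2
)

$findings = @()
foreach ($c in $checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    if (& $c.Bad $v) { $findings += ('{0}\{1} = "{2}"' -f $c.Path, $c.Name, $v) }
}

# Dropped files from the post, plus the pair placed in the root of every volume.
# The genuine lsass.exe lives in System32; a copy directly in %SystemRoot% is the worm.
$files = @("$env:SystemRoot\Script.exe", "$env:SystemRoot\LSASS.exe",
           "$env:USERPROFILE\autorun.inf", "$env:USERPROFILE\bulubebek.ini")
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $files += "$($d.Root)autorun.inf", "$($d.Root)bulubebek.ini"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

if ($findings.Count -eq 0) { 'No Bulubebek indicators found.' } else { $findings }
```

A hit on the HKLM Winlogon Shell check means the logon shell has been replaced, so run the cleaning procedure below before rebooting.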

Spreading method

Flash disks are the main medium through which this virus spreads: it copies Autorun.inf and bulubebek.ini to your flash disk, so the worm is launched as soon as the disk is opened on a machine with AutoRun enabled.

(Screenshot: the string inside the Autorun.inf.)

EFFECT
Unlike other viruses, this virus does not harm the host; its maker had no intention of harming it. More likely it exists only for fun and for the competition between virus makers.
The only effects after the virus is activated are:

1. It tries to hide all of your files and folders on the flash disk or on the host computer.
2. It makes a clone of each file and folder, with the original name.
3. It uses your system resources. It uses the Folder icon from System32, so each clone looks like the folder it stands in for.

(Screenshot: look at the Type column. It says Application, not Folder. That is the virus!)


CLEANING BULUBEBEK VIRUS

Before you carry out this procedure, MAKE SURE:

1. You are OFFLINE.
2. System Restore is disabled for the time being (Windows ME/XP only).
3. You kill the virus process in memory using an alternative to Task Manager, such as Process Explorer (procexp) or a similar tool that can access the running processes. TuneUp Utilities also works, but you have to buy it.
4. You pick the right process: the Bulubebek process has the Folder icon and the name LSASS.EXE. Process Explorer shows the image path, so check that it is %systemroot%\LSASS.exe and not the genuine %systemroot%\System32\lsass.exe.
5. Right-click it (in Process Explorer) and select Kill Process Tree.

The script below will revert your registry back to its original contents. Copy the script below into Notepad and save it as "Repair.inf", typing the quotes so that Notepad does not add a .txt extension. After that:

1. Right-click Repair.inf.
2. Click Install and you're done.



********** copy below after this comment ******************
[Version]
Signature="$Chicago$"
Provider=xenomorf

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; restore the default open commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; restore the logon shell and the Safe Mode command shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; restore the Folder Options values and clear the cmd.exe AutoRun command
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

[del]
; remove the policy restrictions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
; remove the Image File Execution Options entry the virus adds for SPYXX.EXE
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.EXE
; remove the per-user Shell value and the bogus keys the virus created under Folder\Hidden
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
************ Do not copy this LINE *******



Next, search for and delete the files the virus has duplicated.




If Folder Options is still unavailable, log off and log on again, then recover your original files and folders using the commands and properties below.

To delete the duplicate files, use the DETAILS view so you can tell the virus apart from your original files. The properties below will help you to recognize the virus application:

1. It uses the Folder icon.
2. Its file size is only 53 KB.
3. Its extension is EXE.
4. Its file type is Application.

Use the Search function to locate the virus copies.

Most of your original files are not LOST; they are SUPERHIDDEN. That means your files are marked as system files so that they are protected from being edited or recovered. The next step will get your files back.

This is done with the ATTRIB command in the Command Prompt:

Click "Start".
Click "Run".
Type "CMD" and press [ENTER].
Change to your flash drive (its drive letter, such as E:, F:, and so on) with this command: cd /D [Drive Letter]: (type the letter without the brackets, for example cd /D F:)
Enter this command: ATTRIB -s -h -r /s /d and then press [ENTER]


I didn't change my drive letter because I only changed my directory.
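As an added example (not part of the original post), the clone-hunting and ATTRIB steps above can be automated in PowerShell 3 or later; the script name Find-BulubebekClones.ps1 and the 2 KB size tolerance are my own choices, and the report is produced before anything is changed.

```powershell
# Added example, not from the original post: report the worm's clone files on a drive
# and, with -Restore, clear the System/Hidden/Read-only attributes on everything else
# (the same effect as ATTRIB -s -h -r /s /d, but skipping the two system folders that
# legitimately carry those attributes). Needs PowerShell 3 or later.
# Usage: .\Find-BulubebekClones.ps1 -Drive 'F:\'            (report only)
#        .\Find-BulubebekClones.ps1 -Drive 'F:\' -Restore
param(
    [Parameter(Mandatory = $true)][string]$Drive,
    [switch]$Restore,
    [int]$SizeKB = 53   # size the post gives for the worm; +/- 2 KB is tolerated
)

$suspects = @()
$exes = Get-ChildItem -LiteralPath $Drive -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    # A clone carries the original's name: "Photos\" becomes "Photos.exe", "report.doc" becomes "report.doc.exe".
    $twin = Join-Path $exe.DirectoryName $exe.BaseName
    $sizeMatch = [math]::Abs(($exe.Length / 1KB) - $SizeKB) -le 2
    if ($sizeMatch -and (Test-Path -LiteralPath $twin)) {
        $suspects += [pscustomobject]@{
            Clone    = $exe.FullName
            Original = $twin
            SizeKB   = [math]::Round($exe.Length / 1KB, 1)
            Hidden   = (Get-Item -LiteralPath $twin -Force).Attributes.HasFlag([IO.FileAttributes]::Hidden)
        }
    }
}
if ($suspects.Count -eq 0) { "No clone files found on $Drive" } else { $suspects | Format-Table -AutoSize }

if ($Restore) {
    $mask = [int]([IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly)
    Get-ChildItem -LiteralPath $Drive -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin 'System Volume Information', '$RECYCLE.BIN' -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
            "restored: $($_.FullName)"
        }
}
```

Delete the reported clones only after confirming each one is an Application of about 53 KB sitting next to a folder or file of the same name.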

To ensure that the virus has been cleaned, update your antivirus and scan.

If you have any comments or suggestions, please leave them below.
