Friday, October 5, 2007

Kalonzo virus

Discovered: August 26, 2007
Type: Worm
Infection mode: Removable storage device
Infection length: 93.6 KB
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the worm is executed, it copies itself as the following files:
%System%\DirectX\Dinput\csrss.exe
%Windir%\SoftwareDistribution\DataStore\Logs\lsass.exe
Both names mimic legitimate Windows system processes; the genuine csrss.exe and lsass.exe live directly in %System%, so a copy under any other directory is suspect.

It then creates the following file, referencing the previously created files:
%Windir%\Autorun.inf

The worm also creates the following files on all drives found:
[DRIVE LETTER]:\AUTORUN.INF
[DRIVE LETTER]:\open.exe
It then sets the following registry values to disable System Restore and change the default folder options:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  DisableConfig, DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
  LimitSystemRestoreCheckpointing, DisableMSI
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  DisableFolderOptions, DisableControlPanel, DisableFind, DisableRun, DisableShellSearchButton, DisableEntireNetwork, DisableSecurityTab
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  DisableFolderOptions, DisableControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  DisableHiddenFile, DisableShowSuperHidden, HideFileExtension
The "Disable..." names under Policies\Explorer and Explorer\Advanced are descriptive; the registry values that actually produce these effects are NoFolderOptions, NoControlPanel, NoFind, NoRun, NoShellSearchButton, NoEntireNetwork and NoSecurityTab under Policies\Explorer, and Hidden, ShowSuperHidden and HideFileExt under Explorer\Advanced. The net effect is that the user can no longer reveal hidden files or file extensions, open Folder Options, or roll back with System Restore.

The Kalonzo worm terminates running processes that could stop its own process. These include any process whose name contains the strings "ANTI", "VIRUS", "SYMAN", "NOD32", "TASK" and others.
The worm may then display a message and a picture asking the user to vote for Kalonzo; clicking the picture takes you to the Kalonzo website if you are connected to the internet. For a removal tool call: 020-3537066

W32/RontokBro@mm

Size: 90 KB
Type: Worm
Affected system: Windows platform
Mode of spread: Removable disk

W32/RontokBro is a worm for the Windows platform.
W32/RontokBro will attempt to copy itself to network and removable drives, using filenames including Open.exe, Music.exe and Empty.pif.
The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed.

When first run, W32/RontokBro copies itself to some of the following filenames:
\fonts\smss.exe
\oobe\isperror\shell.exe
\IExplorer.exe
\System32.exe
\Empty.pif
and creates the following file:
\Autorun.inf (may be deleted)

W32/RontokBro also attempts to copy itself next to existing files with EXE extensions, using the same name with an extra space between the filename and the extension: if it finds the file "Example.exe" it may copy itself to the same folder as "Example .exe".

W32/RontokBro attempts to terminate processes, close windows and delete registry entries related to security and anti-virus applications, and may restart an infected computer. It may also display a fake error message with the title "Warning" and the text "Illegal Application" before attempting to terminate processes related to security and anti-virus applications.

The following registry entries are set to run W32/RontokBro on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon
  services = \fonts\smss.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  AlternateShell = \fonts\smss.exe
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = userinit.exe, \fonts\smss.exe
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  kb
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/RontokBro may set the following registry entries to run files other than itself on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  Debugger = \Shell.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  kbdrivers = \AUTO.txt

Some of the following registry entries are set or modified so that W32/RontokBro is run whenever a file with one of the listed extensions is run:
HKCR\exefile\shell\open\command
  (Default) = \fonts\smss.exe %1 %*
HKCR\lnkfile\shell\open\command
  (Default) = \oobe\isperror\shell.exe %1 %*
HKCR\piffile\shell\open\command
  (Default) = \oobe\isperror\shell.exe %1 %*
HKCR\batfile\shell\open\command
  (Default) = \oobe\isperror\shell.exe %1 %*
HKCR\comfile\shell\open\command
  (Default) = \oobe\isperror\shell.exe %1 %*
Restore these handlers to their default of "%1" %* before deleting the worm's files: if the wrapper executable is removed first, every .exe, .bat, .com and .pif launch fails until the association is repaired.

Some of the following registry entries may also be set, usually to one of two values:
HKCR\exefile
  (Default)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  Auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  HideClock, NoControlPanel, NoDrives, NoFind, NoRun, NoShellSearchButton, NoFolderOptions, NoDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoControlPanel, NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableCMD, DisableTaskMgr, DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr, DisableRegistryTools
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  DisableConfig, DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
  LimitSystemRestoreCheckpointing, DisableMSI
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
  FullPathAddress
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt, Hidden, ShowSuperHidden
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  LegalNoticeCaption, LegalNoticeText
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
  Disable
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
  Disable
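Both write-ups above come down to the same three artifacts an analyst checks on a suspect machine: an autorun.inf on every drive (Kalonzo's open.exe, RontokBro's Open.exe/Music.exe/Empty.pif), a set of Policies\Explorer, Policies\System, SystemRestore and Explorer\Advanced values that lock the user out of Task Manager, Folder Options, hidden files and System Restore, and (for RontokBro) the exefile/batfile/comfile/piffile handlers re-pointed at the worm. The following Python script is added here as an example and is not code from the original post or from either worm's vendor description. It parses a Regedit 5.00 export (as written by regedit's File > Export or by reg export) and an autorun.inf and flags those artifacts. The sample autorun.inf and .reg text are constructed; the C:\WINDOWS\fonts location for RontokBro's smss.exe copy is an assumption, since the write-up gives only the \fonts\smss.exe tail.

```python
import re

# Added triage helper, not code from the original write-up; all sample data
# below is constructed. The data values here are the ones that indicate the
# tampering: Policies\* 1 = enforced; Explorer\Advanced Hidden=2 hides hidden
# files, ShowSuperHidden=0 hides protected OS files, HideFileExt=1 hides extensions.
POLICY_CHECKS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore":
        {"DisableSR": 1, "DisableConfig": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr": 1, "DisableRegistryTools": 1, "DisableCMD": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoFolderOptions": 1, "NoRun": 1, "NoFind": 1, "NoControlPanel": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1},
}
# Clean (Default) command for the file types RontokBro re-points to itself.
CLEAN_COMMAND = '"%1" %*'
HANDLER_KEYS = [r"HKEY_CLASSES_ROOT\%sfile\shell\open\command" % t for t in ("exe", "bat", "com", "pif")]

def _unescape(s):
    r"""Undo .reg string escaping (\\ and \") in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key: {value_name: data}}; '' is (Default).
    Quoted strings and dword: are decoded, other types are kept as raw text."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if key is None or not m:  # header, blank, comment or unparsed line
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = _unescape(data[1:-1])
        else:
            tree[key][name] = data
    return tree

def find_tampering(tree):
    """Return (key, value_name, data) for each lockout value set to the worms' value
    and each handler whose (Default) is not the clean "%1" %* (a wrapper program)."""
    hits = []
    for key, wanted in POLICY_CHECKS.items():
        for name, bad in wanted.items():
            if tree.get(key, {}).get(name) == bad:
                hits.append((key, name, bad))
    for key in HANDLER_KEYS:
        data = tree.get(key, {}).get("")
        if data is not None and data != CLEAN_COMMAND:
            hits.append((key, "(Default)", data))
    return hits

def autorun_targets(text):
    r"""Return what an autorun.inf launches: open=, shellexecute= and any
    shell\<verb>\command entry under [autorun], matched case-insensitively."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().lower()
        if name in ("open", "shellexecute") or (
                name.startswith("shell\\") and name.endswith("\\command")):
            targets.append(data.strip())
    return targets

# Constructed sample: a Kalonzo-style autorun.inf that launches open.exe.
SAMPLE_AUTORUN = r"""[autorun]
open=open.exe
shellexecute=open.exe
shell\open\Command=open.exe
"""
# Constructed sample export. C:\WINDOWS\fonts is an assumed location for
# RontokBro's smss.exe copy; the write-up only gives the \fonts\smss.exe tail.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\fonts\\smss.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN))
    for hit in find_tampering(parse_reg_export(SAMPLE_REG)):
        print("tampered:", *hit)
```

On a real machine, export the keys of interest with reg export (or regedit) and feed the file's text to parse_reg_export; regedit's exports are UTF-16, so open them with encoding="utf-16". The handler check deliberately reports any non-default command rather than matching the worm's path, so it also catches a different wrapper or a renamed copy; a legitimate exception (a debugger or sandbox registered as the exefile handler) would show up too and has to be whitelisted by hand.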
