KALONZO VIRUS
Discovered: August 26, 2007
Type: Worm
Infection mode: Removable storage device
Infection length: 93.6 KB
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the worm is executed, it copies itself as the following files:

%System%\DirectX\Dinput\csrss.exe
%Windir%\SoftwareDistribution\DataStore\Logs\lsass.exe

It then creates the following file, which references the previously created files:

%Windir%\Autorun.inf

The worm also creates the following files on all drives found:

[DRIVE LETTER]:\AUTORUN.INF
[DRIVE LETTER]:\open.exe

It then sets the following registry values in order to disable System Restore and change the default folder options:

HKLM, "SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", DisableConfig
HKLM, "SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", DisableSR
HKLM, "SOFTWARE\Policies\Microsoft\Windows\Installer", LimitSystemRestoreCheckpointing
HKLM, "SOFTWARE\Policies\Microsoft\Windows\Installer", DisableMSI
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableFolderOptions
HKLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableFolderOptions
HKLM, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableControlPanel
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableControlPanel
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableFind
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableRun
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableShellSearchButton
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableEntireNetwork
HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\", DisableSecurityTab
HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\", DisableHiddenfile
HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\", DisableShowSuperHidden
HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\", HideFileExtension
The KALONZO virus has a tendency to close running processes that have the potential to stop its own process. These include any process whose name contains the words "ANTI", "VIRUS", "SYMAN", "NOD32", "TASK", ... The worm may then display a message and picture asking the user to vote for Kalonzo; when the picture is clicked, it directs the user to the Kalonzo website if the machine is connected to the internet. For the removal tool, call: 020-3537066
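As an added triage example (not code from the original post), the following Python checks a registry snapshot for the policy values listed above and inspects an autorun.inf body for the open.exe launcher the worm drops beside AUTORUN.INF on every drive. The snapshot and autorun text are constructed sample input, the value names are taken exactly as the post spells them, and reading a live registry (for example with winreg on Windows) is left to the caller.

```python
import configparser

# Policy values the post attributes to the worm, keyed by hive\key
# (value names as the post spells them; matching is case-insensitive).
WORM_POLICY_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore":
        {"DisableConfig", "DisableSR"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer":
        {"LimitSystemRestoreCheckpointing", "DisableMSI"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"DisableFolderOptions", "DisableControlPanel"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"DisableFolderOptions", "DisableControlPanel", "DisableFind", "DisableRun",
         "DisableShellSearchButton", "DisableEntireNetwork", "DisableSecurityTab"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"DisableHiddenfile", "DisableShowSuperHidden", "HideFileExtension"},
}

def _norm(key):
    return key.lower().rstrip("\\")  # ignore case and a trailing backslash

def find_policy_tampering(snapshot):
    """snapshot: iterable of (key_path, value_name, data) tuples, e.g. read with
    winreg on Windows. Returns the entries that match a (key, name) pair from
    the post and hold a non-zero value, i.e. the restriction is switched on."""
    index = {_norm(k): {v.lower() for v in vals} for k, vals in WORM_POLICY_VALUES.items()}
    return [(key, name, data) for key, name, data in snapshot
            if name.lower() in index.get(_norm(key), set()) and data not in (0, "0", None)]

def autorun_launches_dropper(autorun_text):
    """True if an autorun.inf [autorun] section runs open.exe, the file the
    post says is written next to AUTORUN.INF on every drive."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %SystemRoot% etc. literal
    cp.read_string(autorun_text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return any("open.exe" in v.lower() for v in cp[section].values())
    return False

# Constructed sample input; not data captured from a real infection.
SAMPLE_SNAPSHOT = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 1),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\", "DisableRun", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "DisableFind", 0),
]
SAMPLE_AUTORUN = "[AutoRun]\nopen=open.exe\nshell\\open\\command=open.exe\nicon=open.exe,0\n"

if __name__ == "__main__":
    print(find_policy_tampering(SAMPLE_SNAPSHOT), autorun_launches_dropper(SAMPLE_AUTORUN))
```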