Virus - Win32 - Darksnow
1. Summary
Virus Darksnow is 33kB long and spreads through infected MS Word documents.
Aliases:
Sophos: W32/Blic-A
Symantec: W32.Darksnow
2. Detailed description:
Virus Darksnow creates the following files in the system directory:
%SYSTEM%\blackice.ini
%SYSTEM%\blackice.exe
%SYSTEM%\kernel.dll
%USERPROFILE%\My Documents\resume.xlw
Afterwards it infects the Word template file (normal.dot). This way it gets executed every time Word is started and infects all of the user's documents.
This file can be found in:
%USERPROFILE%\Application Data\Microsoft\Templates\Normal.dot
It also modifies the registry in order to run at system startup:
[HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "%System%blackice.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\blackice.exe"
In order to be able to infect Office XP documents, it also modifies these keys:
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM" = "01"
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"
[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"AccessVBOM" = "01"
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"
Afterwards the virus "injects into" the Explorer process. This way it guards the "blackice.exe" process: if it is not running, the injected Explorer starts it.
3. Cleaning:
- Reboot the PC into safe mode.
- Delete the following registry values:
[HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "%System%blackice.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\blackice.exe"
- Change the following registry values from "01" to "00":
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM" = "01"
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"
[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"AccessVBOM" = "01"
[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"
- Delete the following files:
%SYSTEM%\blackice.ini
%SYSTEM%\blackice.exe
%SYSTEM%\kernel.dll
%USERPROFILE%\Application Data\Microsoft\Templates\Normal.dot
%USERPROFILE%\My Documents\resume.xlw
- Reboot the PC back into normal mode.
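The description and cleaning steps above can be turned into a repeatable check. The following PowerShell script is an added example, not part of the original write-up: it audits a machine for the Darksnow indicators listed above (files, the two persistence values, the weakened Office security values, and a running blackice.exe process) and, only when run with -Remediate, applies the cleaning steps. It assumes the write-up's "HKU\Software\..." key means the current user's hive (HKCU:), that the Office values are REG_DWORD, and that the profile uses the pre-Vista "Application Data" / "My Documents" layout given in the write-up. One deliberate deviation: instead of deleting the Winlogon "Shell" value it resets it to "Explorer.exe", so that logon keeps working after cleanup.

```powershell
# Added example (not from the original write-up): audit, and optionally remediate,
# the Darksnow indicators. Audit-only unless -Remediate is given; -WhatIf is honoured.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$systemDir   = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$userProfile = $env:USERPROFILE

# File indicators from the write-up (profile paths assume the older profile layout).
$files = @(
    (Join-Path $systemDir   'blackice.ini'),
    (Join-Path $systemDir   'blackice.exe'),
    (Join-Path $systemDir   'kernel.dll'),
    (Join-Path $userProfile 'Application Data\Microsoft\Templates\Normal.dot'),
    (Join-Path $userProfile 'My Documents\resume.xlw')
)

# Persistence values. Assumption: the write-up's HKU key is the current user's hive.
$persistence = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'run';   Fix = 'Remove'     },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Fix = 'ResetShell' }
)

# Office security values the virus sets to 1; the write-up says to reset them to 0.
$officeKeys = @(
    'HKCU:\Software\Microsoft\Office\11.0\Excel\Security',
    'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
)

$findings = @()

# 1. The guarded process. The write-up's procedure runs in safe mode so that the
#    injected Explorer cannot restart it; report it rather than fight it here.
if (Get-Process -Name 'blackice' -ErrorAction SilentlyContinue) {
    $findings += 'Process running: blackice.exe (clean from safe mode, see write-up)'
}

# 2. Dropped files and the infected template.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remediate -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 3. Startup persistence. Only values that actually reference blackice.exe count.
foreach ($p in $persistence) {
    $val = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($val -and $val -match 'blackice\.exe') {
        $findings += "Persistence: $($p.Key)\$($p.Name) = '$val'"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($p.Key)\$($p.Name)", 'Remove persistence')) {
            if ($p.Fix -eq 'ResetShell') {
                # Restore the stock shell instead of deleting the value (script's choice).
                Set-ItemProperty -Path $p.Key -Name $p.Name -Value 'Explorer.exe'
            } else {
                Remove-ItemProperty -Path $p.Key -Name $p.Name
            }
        }
    }
}

# 4. Office macro-security values weakened by the virus.
foreach ($k in $officeKeys) {
    foreach ($name in 'AccessVBOM', 'Level') {
        $val = (Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $val -and [int]$val -eq 1) {
            $findings += "Office security weakened: $k\$name = $val"
            if ($Remediate -and $PSCmdlet.ShouldProcess("$k\$name", 'Reset to 0')) {
                Set-ItemProperty -Path $k -Name $name -Value 0 -Type DWord
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Darksnow indicators found.'
} else {
    Write-Output "Darksnow indicators found: $($findings.Count)"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without switches to get an inventory, then from safe mode with `-Remediate -WhatIf` to preview the changes and `-Remediate` to apply them; the HKLM Winlogon value and the system directory need an elevated session. Two caveats a practitioner should check against their own environment: the Office values follow the write-up's "00" instruction, whereas the Office 2003 Security\Level setting is normally managed at Medium or High rather than 0, so confirm the intended value for the Office version in use; and deleting Normal.dot discards the user's own template customizations, which Word will recreate as a default template on next start.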
0 writebacks [03/03/2007 08:10]