mwblog.org

Virus Win32 Plut



1. Summary:

Plut is a prepending virus infecting all executables (*.exe) found on local disks.

Aliases:

Kaspersky: Virus.Win32.Plut.a
Norman: W32/Plut.A

2. Detailed description:

After execution, the Plut virus creates the following files:

C:\Documents and Settings\%USERPROFILE%\Desktop\Baca.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\Hik.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\My Computer.exe
C:\Setup.exe
C:\%WINDOWS%\robe.exe
C:\%WINDOWS%\system32\funny3.bmp
C:\%WINDOWS%\system32\syskg.exe
C:\%WINDOWS%\xplorer.exe

and then runs the created “syskg.exe” file. It runs in the background, unnoticed by the user, and searches the local drives for executable files, which it then infects.

The “funny3.bmp” file is set as the desktop wallpaper.

It modifies the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

[HKCU\Software\Policies\Microsoft\Windows\System]
"DisableCMD" = "1"

It also creates a registry key that is probably the author's signature:

[HKCU\Software\KageMukashi]

3. Cleaning:

- Reboot the PC into the safe mode.
- Remove these registry keys:

[HKCU\Software\KageMukashi]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

- Set the "DisableCMD" value of the following registry key to "0":

[HKCU\Software\Policies\Microsoft\Windows\System]
"DisableCMD" = "1"

set to:

"DisableCMD" = "0"

- Delete following files:

C:\Documents and Settings\%USERPROFILE%\Desktop\Hik.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\Baca.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\My Computer.exe
C:\Setup.exe
C:\%WINDOWS%\robe.exe
C:\%WINDOWS%\system32\funny3.bmp
C:\%WINDOWS%\system32\syskg.exe
C:\%WINDOWS%\xplorer.exe
- Reboot the computer back into normal mode.
- Run a complete antivirus scan, which will remove the prepended body of the virus from the infected executables.
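The cleaning steps above as an added PowerShell script (not part of the original post), meant to be run from the safe-mode session the post describes. It reports which of the listed indicators are present and, only with -Remove, applies the registry and file steps; it assumes the dropped-file locations map to $env:USERPROFILE\Desktop and $env:WINDIR on the affected machine.

```powershell
# Added example (not from the original post): checks for the Plut artifacts listed
# above and, with -Remove, applies the cleaning steps. Assumes the dropped-file
# paths map to $env:USERPROFILE\Desktop and $env:WINDIR on the affected machine.
param([switch]$Remove)

$files = @(
    "$env:USERPROFILE\Desktop\Baca.txt",
    "$env:USERPROFILE\Desktop\Hik.txt",
    "$env:USERPROFILE\Desktop\My Computer.exe",
    "C:\Setup.exe",
    "$env:WINDIR\robe.exe",
    "$env:WINDIR\system32\funny3.bmp",
    "$env:WINDIR\system32\syskg.exe",
    "$env:WINDIR\xplorer.exe"
)
$keys = @(
    "HKCU:\Software\KageMukashi",
    # HideDesktopIcons also exists on clean installs (it stores desktop icon visibility), so it is a weak indicator on its own
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons"
)
$policyKey = "HKCU:\Software\Policies\Microsoft\Windows\System"

$found = 0
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found++; Write-Output "FOUND file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $found++; Write-Output "FOUND key:  $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}
# DisableCMD = 1 blocks cmd.exe; the post resets the value to 0 rather than deleting the key
$cmd = Get-ItemProperty -LiteralPath $policyKey -Name DisableCMD -ErrorAction SilentlyContinue
if ($cmd -and $cmd.DisableCMD -ne 0) {
    $found++; Write-Output "FOUND DisableCMD = $($cmd.DisableCMD)"
    if ($Remove) { Set-ItemProperty -LiteralPath $policyKey -Name DisableCMD -Value 0 -Type DWord }
}
Write-Output "$found indicator(s) present; run a full antivirus scan afterwards to disinfect the prepended executables."
```

The script only covers the dropped files and registry changes; the infected *.exe files themselves still need the antivirus scan from the last step.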

[03/07/2007 09:50]
