Tuesday, May 19, 2009

k4l0n62.sys.vbs (autorun/VBS) virus (a.k.a W32.SillyDC, W32.SillyFDC by Symantec)

1. Introduction

This virus goes by various monikers. It is recognised by the Indonesian text "wahai anak2 ..." appearing in the Internet Explorer window title, as shown in a sample screenshot below:

The following procedure describes how we cleaned up the effects of this virus. Our PCs are installed with Symantec Anti-virus Corporate Edition (SAVCE), which detected and removed the virus files but did not revert the Internet Explorer window title to its default. This procedure may not apply in all circumstances; you should check with your anti-virus solution provider.

Useful Ref: http://virscan.org/report/0f14e9dd1094b56b076606eed159362c.html

2. Registry entries affected

Windows Registry key for the IE window title:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
The "Window Title" value under this key was set to: Wahai anak2 Triakti... Belajarlah yang rajin. Jangan ngebokep mulu...

In some cases, there was also an entry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A value named Ageia pointed to recycle.vbs in C:\Windows\System32, but recycle.vbs itself had already been removed by SAVCE.

3. Key files dropped by virus

k4l0n62.sys.vbs (can be deposited anywhere in user's folders)
recycle.vbs (normally found in C:\Windows\System32)

4. Actions taken

a. Booted up and scanned the PC with Avira, Avast and Spybot S&D from UBCD v3.50.
In some instances, trojans were reported in the Temporary Internet Files and removed by Avira. None of these tools reported k4l0n62.sys.vbs or its aliases.

b. In some instances, k4l0n62.sys.vbs files were found on the PC but were ZERO bytes in size.
Booted up the PC normally, updated the SAVCE virus signatures, and ran a full scan. No virus was reported.

c. Reviewed the Threat History in SAVCE. Found several reports of W32.SillyDC & W32.SillyFDC infections from external drives & C: that had been cleaned.

d. Configured Scheduled Full Scan in SAVCE to take place at 12pm daily.

e. Verified that the Windows Registry was configured to disable Autorun as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf - default value set to @SYS:DoesNotExist

f. Deleted the "Window Title" value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main so that IE displays its default title in the window.

g. Searched the PC and ensured that k4l0n62.sys.vbs and recycle.vbs were no longer present.

h. Scanned external drives with SAVCE to ensure W32.SillyDC/FDC and other malware were not present.
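The checks in steps e, f and g above can be repeated on other PCs with a small audit script. The following PowerShell is an added example written for this post, not part of the original cleanup or of any Symantec tool; the indicator names come from the post, while the -Remediate switch and the folders it searches are my own assumptions.

```powershell
# Added audit script (not from the original post). Reports the registry and
# file indicators described above; with -Remediate it also removes them.
# Assumptions: run from an elevated prompt; search roots chosen by me.
param([switch]$Remediate)

$ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$autorun = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$dropped = @('k4l0n62.sys.vbs', 'recycle.vbs')
$roots   = @("$env:SystemRoot\System32", "$env:USERPROFILE")   # assumption: where to look

# Step f: hijacked IE window title ("Wahai anak2 ..." in the post)
$title = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Window Title'
if ($title) {
    Write-Warning "IE Window Title is set to: $title"
    if ($Remediate) { Remove-ItemProperty -Path $ieMain -Name 'Window Title'; Write-Host 'Removed Window Title value' }
} else { Write-Host 'OK: no custom IE Window Title' }

# Section 2: Run-key persistence, a value named Ageia pointing at recycle.vbs
$ageia = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).Ageia
if ($ageia) {
    Write-Warning "Run value 'Ageia' present: $ageia"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'Ageia'; Write-Host 'Removed Ageia Run value' }
} else { Write-Host 'OK: no Ageia Run value' }

# Step e: Autorun.inf neutralised through IniFileMapping (@SYS:DoesNotExist)
$map = (Get-ItemProperty -Path $autorun -ErrorAction SilentlyContinue).'(default)'
if ($map -eq '@SYS:DoesNotExist') { Write-Host 'OK: Autorun.inf mapping disables autorun' }
else {
    Write-Warning "Autorun.inf IniFileMapping is '$map' (expected @SYS:DoesNotExist)"
    if ($Remediate) {
        New-Item -Path $autorun -Force | Out-Null
        Set-ItemProperty -Path $autorun -Name '(default)' -Value '@SYS:DoesNotExist'
        Write-Host 'Set Autorun.inf mapping to @SYS:DoesNotExist'
    }
}

# Step g: dropped files; zero-byte leftovers are reported too, as step b observed
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue -Include $dropped |
        ForEach-Object {
            Write-Warning ("Found {0} ({1} bytes)" -f $_.FullName, $_.Length)
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force; Write-Host "Deleted $($_.FullName)" }
        }
}
```

Run it without the switch first to see what it finds; an anti-virus scan of the PC and any external drives (steps b and h) is still needed afterwards, since the script only looks for the indicators named in this post.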
