Notes on Cool Rahul
Malware File Name: RAHUL’SVIRUSPROTECTION.VBE
Mode of Infection: Removable Drives
Description:
The file claims to be an “antivirus program” intended to repair your computer. Some of its claims are true, as it deletes “smss.exe”, “killer.exe”, “Funny UST Scandal.exe”, “iph.exe” and “scvvhsot.exe”, which are known malware (the legitimate smss.exe lives in System32; the copy removed here is the one in the Windows directory listed below).
It resets the registry restrictions that disable the Registry Editor, Task Manager and Folder Options. The following registry values are reset to “0”:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
It also makes hidden files visible by setting the following registry value to “1”:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
But it also makes the following registry changes:
· The Internet Explorer’s Title bar is changed to “LORD RAHUL COOL”
· The Start Page is changed to WWW.nyd.zoomshare.COM
This script establishes persistence by appending itself (“Rahul’sVirusprotection.vbe1″) to the Winlogon Userinit value, so wscript.exe runs the file every time the computer starts and a user logs on:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Value = userinit.exe, c:\windows\system32\wscript.exe “c:\windows\system32\Rahul’sVirusprotection.vbe”
The malware checks for the following files in the system directory and the Windows directory and deletes them.
Files deleted in the System directory (C:\windows\system32, c:\winnt\system32):
sunil_thetopper.vbs
sunilthetopper.vbs
Prajan’sVirusprotection.vbs
PrajanVirusprotection.vbs
Virusprotection.vbs
boot.vbs
semiantivirus.vbs
scvvhsot.exe
blastclnnn.exe
dxdlg.exe
wprop.exe
boot.vbs
imapd.exe
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
kinza.exe
isetup.exe
Drivers\etc\hints.exe
kinzadir (directory): all files in this directory are deleted
Files deleted in the Windows directory (C:\windows\, c:\winnt\):
smss.exe
killer.exe
Funny UST Scandal.exe
iph.exe
system.bat
scvvhsot.exe
Moreover, the script scans for removable storage devices such as floppies and pen drives every 10 seconds in order to propagate. When it finds one inserted, it also writes an “autorun.inf” file with the following lines to the device:
[autorun]
open=wscript.exe Rahul’sVirusprotection.vbe
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Explore\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Find=Search…
shell\Find\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Format…=Format…
shell\Format…\Command=wscript.exe Rahul’sVirusprotection.vbe
MALWARE 2 :
Malware File Name: VirusRemoval.vbs
Mode of Infection: Removable Drives
Description:
The file claims to be an “antivirus program” intended to repair the computer from the most well-known malware and to reset the registry changes made by that malware.
The malware stores a copy of itself in the System directory.
It resets the registry restrictions that disable the Registry Editor, Task Manager and Folder Options. The following registry values are reset to “0”:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
The file also resets the Shell value under the Winlogon registry key to its default:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Value=”explorer.exe”
But it also makes the following registry changes:
· The Internet Explorer’s Title bar is changed to ”Sujin.com.np”
· The Start Page is changed to http://sujin.com.np/
This script establishes persistence by appending itself (“Rahul’sVirusprotection.vbe1″) to the Winlogon Userinit value, so wscript.exe runs the file every time the computer starts and a user logs on:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Value = userinit.exe, c:\windows\system32\wscript.exe “c:\windows\system32\VirusRemoval.vbs”
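Both scripts on this page persist the same way: an extra comma-separated command is appended to the Winlogon Userinit value so that wscript.exe launches the script at logon, and the second one also touches the Shell value. The following Python is an added triage helper, not code from either script or from the original notes; it parses those two values the way Winlogon does (comma-separated, quotes respected) and flags anything that is not the stock userinit.exe or explorer.exe. The registry values it runs on are constructed from the write-up rather than read from a live machine.

```python
"""Triage Winlogon Userinit/Shell values for script-host persistence.

Added example: the sample values below are constructed from the write-up,
not collected from an infected host.
"""
from pathlib import PureWindowsPath

# Only userinit.exe belongs in Userinit; explorer.exe is the expected Shell.
DEFAULT_USERINIT = {"userinit.exe"}
DEFAULT_SHELL = {"explorer.exe"}
# Windows Script Host binaries: any of these in a logon value is a red flag.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def split_userinit(value):
    """Split a Userinit value into the commands Winlogon will run.

    Entries are comma-separated; a comma inside double quotes does not split.
    Empty entries (the stock value ends with a trailing comma) are dropped.
    """
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            piece = "".join(current).strip()
            if piece:
                entries.append(piece)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        entries.append(tail)
    return entries


def executable_of(entry):
    """Return the lower-cased basename of the program a command line launches."""
    entry = entry.strip()
    if entry.startswith('"'):  # quoted path, possibly containing spaces
        end = entry.find('"', 1)
        program = entry[1:end] if end > 0 else entry[1:]
    else:
        program = entry.split(None, 1)[0]
    return PureWindowsPath(program).name.lower()


def triage_userinit(value):
    """Return (reason, entry) for every entry that is not the stock userinit.exe."""
    findings = []
    for entry in split_userinit(value):
        exe = executable_of(entry)
        if exe in SCRIPT_HOSTS:
            findings.append(("script_host", entry))
        elif exe not in DEFAULT_USERINIT:
            findings.append(("unexpected", entry))
    return findings


def triage_shell(value):
    """Return a finding if Shell launches anything other than explorer.exe."""
    exe = executable_of(value) if value.strip() else ""
    return [] if exe in DEFAULT_SHELL else [("shell_replaced", value)]


# Constructed samples: the clean XP default and the two infected values from the notes.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
RAHUL_USERINIT = r'''userinit.exe, c:\windows\system32\wscript.exe "c:\windows\system32\Rahul'sVirusprotection.vbe"'''
REMOVAL_USERINIT = r'''userinit.exe, c:\windows\system32\wscript.exe "c:\windows\system32\VirusRemoval.vbs"'''

if __name__ == "__main__":
    samples = [("clean", CLEAN_USERINIT), ("Rahul", RAHUL_USERINIT), ("VirusRemoval", REMOVAL_USERINIT)]
    for name, value in samples:
        print(f"Userinit [{name}]:", triage_userinit(value) or "no findings")
    print("Shell [default]:", triage_shell("explorer.exe") or "no findings")
```

On a real host the two values would be read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (or from an exported SOFTWARE hive) and fed to the same two functions; the split-on-unquoted-comma rule matters because a quoted script path can itself contain a comma.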
The malware checks for the following files and deletes them if found:
killvbs.vbs
ravmon.exe
sxs.exe
winfile.exe
run.wsh
Moreover, the script scans for removable storage devices such as floppies and pen drives every 10 seconds in order to propagate. When it finds one inserted, it also writes an “autorun.inf” file with the following lines to the device:
[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
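The autorun.inf files dropped by both scripts (the twelve-line one for Rahul’sVirusprotection.vbe and the shorter one for VirusRemoval.vbs) work the same way: the open key drives AutoPlay, and every shell\<verb>\Command key replaces a context-menu action so that Open, Explore, Find and even Format launch the script instead. The Python below is an added example, not code from either script or from the notes; it parses an autorun.inf, lists every command the file can launch, names the verbs it redefines, and flags commands that hand control to a script host. The two sample files are constructed from the listings on this page, and a benign sample shows what a clean file looks like.

```python
"""Parse autorun.inf and list every command AutoPlay or the drive's
context menu could launch.

Added example: the sample files below are constructed from the listings in
the write-up, not copied from an infected drive.
"""
from pathlib import PureWindowsPath

# Windows Script Host binaries; an autorun command that starts with one of
# these hands execution to a script stored on the removable drive.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Map each executable key ('open' or 'shell\\<verb>\\command') to its command line."""
    return {
        key: value
        for key, value in entries.items()
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def hijacked_verbs(entries):
    """Context-menu verbs the file redefines (open, explore, find, format, ...)."""
    return {
        key.split("\\")[1]
        for key in entries
        if key.startswith("shell\\") and key.endswith("\\command")
    }


def triage_autorun(text):
    """Return (key, command) for every launch command that invokes a script host."""
    findings = []
    for key, command in launch_commands(parse_autorun(text)).items():
        if not command:
            continue
        exe = PureWindowsPath(command.split(None, 1)[0].strip('"')).name.lower()
        if exe in SCRIPT_HOSTS:
            findings.append((key, command))
    return findings


# Constructed from the Rahul'sVirusprotection.vbe listing in the notes.
RAHUL_AUTORUN = r"""[autorun]
open=wscript.exe Rahul'sVirusprotection.vbe
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Explore\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Find=Search...
shell\Find\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Format...=Format...
shell\Format...\Command=wscript.exe Rahul'sVirusprotection.vbe
"""

# Constructed from the VirusRemoval.vbs listing in the notes.
REMOVAL_AUTORUN = r"""[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
"""

# Constructed benign file: only an icon and a label, nothing to execute.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

if __name__ == "__main__":
    for name, text in [("Rahul", RAHUL_AUTORUN), ("VirusRemoval", REMOVAL_AUTORUN), ("benign", BENIGN_AUTORUN)]:
        entries = parse_autorun(text)
        print(name, "verbs:", sorted(hijacked_verbs(entries)), "findings:", triage_autorun(text))
```

The verb set is the useful detail for a responder: a legitimate autorun.inf sets an icon or a label and at most an open command, so any file that redefines Explore, Find or Format on a removable drive is worth pulling regardless of which script host it names.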