Notes on Cool Rahul

Malware File Name: RAHUL’SVIRUSPROTECTION.VBE

Mode of Infection: Removable Drives

Description:

The file claims to be an “antivirus program” intended to repair your computer. Some of its claims are true: it deletes “smss.exe”, “killer.exe”, “Funny UST Scandal.exe”, “iph.exe” and “scvvhsot.exe”, which are known malware.

It removes the registry restrictions on the Registry Editor, Task Manager and Folder Options. The following registry values are reset to “0”:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

It also makes hidden files visible by setting the following registry value to “1”:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

But it also changes the following registry entries:

· The Internet Explorer title bar is changed to “LORD RAHUL COOL”

· The Start Page is changed to WWW.nyd.zoomshare.COM

The script also persists by appending itself (“Rahul’sVirusprotection.vbe”) to the Winlogon Userinit value, so the file is executed every time a user logs on:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Value = userinit.exe, c:\windows\system32\wscript.exe “c:\windows\system32\Rahul’sVirusprotection.vbe”

The malware checks for the following files in the system directory and the Windows directory and deletes them.

Files deleted in the System Directory (C:\windows\system32, c:\winnt\system32):

sunil_thetopper.vbs
sunilthetopper.vbs
Prajan’sVirusprotection.vbs
PrajanVirusprotection.vbs
Virusprotection.vbs
boot.vbs
semiantivirus.vbs
scvvhsot.exe
blastclnnn.exe
dxdlg.exe
wprop.exe
imapd.exe
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
kinza.exe
isetup.exe
Drivers\etc\hints.exe
kinzadir -> all files in this directory are deleted

Files deleted in the Windows Directory (C:\windows\, c:\winnt\):

smss.exe
killer.exe
Funny UST Scandal.exe
iph.exe
system.bat
scvvhsot.exe

Moreover, this script scans for removable storage devices such as floppy and pen drives every 10 seconds in order to propagate. If it finds one inserted, it writes an “autorun.inf” file with the following lines to the device:

[autorun]
open=wscript.exe Rahul’sVirusprotection.vbe
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Explore\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Find=Search…
shell\Find\Command=wscript.exe Rahul’sVirusprotection.vbe
shell\Format…=Format…
shell\Format…\Command=wscript.exe Rahul’sVirusprotection.vbe

MALWARE 2:

Malware File Name: VirusRemoval.vbs

Mode of Infection: Removable Drives

Description:

The file claims to be an “antivirus program” intended to clean the computer of the most common malware and to undo the registry changes made by that malware.

The malware stores a copy of itself in the system directory.

It removes the registry restrictions on the Registry Editor, Task Manager and Folder Options. The following registry values are reset to “0”:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

The file also resets the Shell value in the Winlogon registry key to its default:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Value = “explorer.exe”

But it also changes the following registry entries:

· The Internet Explorer title bar is changed to “Sujin.com.np”

· The Start Page is changed to http://sujin.com.np/

The script also persists by appending itself (“VirusRemoval.vbs”) to the Winlogon Userinit value, so the file is executed every time a user logs on:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Value = userinit.exe, c:\windows\system32\wscript.exe “c:\windows\system32\VirusRemoval.vbs”
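Both scripts use the same persistence trick, an extra launcher appended to the Winlogon Userinit value, and both touch the Winlogon Shell value or the Internet Explorer title and start page. The checker below is an added example, not code from this write-up or from either script: it splits a Userinit or Shell value into its launch entries, flags any entry that is not the expected program (with a separate label when the entry is a script host such as wscript.exe), reports the Internet Explorer values and lists which of the quoted policy restrictions are still switched on. The snapshots at the bottom are constructed from the values quoted above; the Internet Explorer value names (“Window Title” and “Start Page” under HKCU\Software\Microsoft\Internet Explorer\Main) are standard Windows locations that the write-up does not spell out.

```python
"""Flag Winlogon and Internet Explorer registry values of the kind both scripts change.

Added example, not code from the write-up. The snapshots at the bottom are
constructed to mirror the values the post quotes; the IE value names are the
standard ones under HKCU\\Software\\Microsoft\\Internet Explorer\\Main.
"""
from __future__ import annotations

import sys
from typing import Optional

# Interpreters and script hosts that a clean Userinit or Shell value never launches.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}

# Winlogon values and the single program each should name on a clean system.
EXPECTED_WINLOGON = {"Userinit": "userinit.exe", "Shell": "explorer.exe"}

# Policy values (1 = restriction on) that both scripts reset to 0; names as quoted in the post.
POLICY_VALUES = ("NoFolderOptions", "DisableTaskMgr", "DisableRegistryTools")


def split_entries(value: str) -> list[str]:
    """Split a comma-separated Winlogon value into launch entries.

    Windows ignores the trailing empty element of the common 'userinit.exe,' form.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def program_name(entry: str) -> str:
    """Lower-cased executable name of one launch entry, honouring a quoted first token."""
    entry = entry.strip()
    if entry.startswith('"'):
        end = entry.find('"', 1)
        program = entry[1:end] if end > 0 else entry[1:]
    else:
        program = entry.split()[0] if entry else ""
    return program.rsplit("\\", 1)[-1].lower()


def check_winlogon(winlogon: dict[str, str], ie_main: Optional[dict[str, str]] = None) -> list[str]:
    """Return findings for a snapshot of Winlogon values (and optionally IE Main values)."""
    findings = []
    for name, expected in EXPECTED_WINLOGON.items():
        for entry in split_entries(winlogon.get(name, expected)):
            program = program_name(entry)
            if program == expected:
                continue
            kind = "script host" if program in SCRIPT_HOSTS else "unexpected program"
            findings.append(f"{name}: {kind} launched at logon: {entry}")
    for name in ("Window Title", "Start Page"):
        if ie_main and name in ie_main:
            findings.append(f"Internet Explorer {name} set to: {ie_main[name]}")
    return findings


def active_restrictions(policies: dict[str, int]) -> list[str]:
    """Return the Explorer/System policy values currently set to 1 (restriction on)."""
    return [name for name in POLICY_VALUES if policies.get(name, 0) == 1]


def read_live_winlogon() -> Optional[dict[str, str]]:
    """Read the real Userinit and Shell values with winreg; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in EXPECTED_WINLOGON}


# Constructed snapshots mirroring the post (not live registry reads).
RAHUL_WINLOGON = {
    "Userinit": r'''userinit.exe, c:\windows\system32\wscript.exe "c:\windows\system32\Rahul'sVirusprotection.vbe"''',
    "Shell": "explorer.exe",
}
RAHUL_IE_MAIN = {"Window Title": "LORD RAHUL COOL", "Start Page": "WWW.nyd.zoomshare.COM"}
VIRUSREMOVAL_WINLOGON = {
    "Userinit": r'''userinit.exe, c:\windows\system32\wscript.exe "c:\windows\system32\VirusRemoval.vbs"''',
    "Shell": "explorer.exe",
}
CLEAN_WINLOGON = {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"}

if __name__ == "__main__":
    for label, snap, ie in (("Rahul", RAHUL_WINLOGON, RAHUL_IE_MAIN),
                            ("VirusRemoval", VIRUSREMOVAL_WINLOGON, None),
                            ("clean", CLEAN_WINLOGON, None)):
        print(label, check_winlogon(snap, ie) or ["no findings"])
    live = read_live_winlogon()
    if live is not None:
        print("this machine", check_winlogon(live) or ["no findings"])
```

Run it on any machine to see the three constructed snapshots scored; on Windows it additionally reads the live Userinit and Shell values. The check deliberately keys on the program name of each entry rather than on the script file name, since the file name is the one thing a copycat changes first.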

The malware checks for the following files and deletes them if found:

killvbs.vbs
ravmon.exe
sxs.exe
winfile.exe
run.wsh

Moreover, this script scans for removable storage devices such as floppy and pen drives every 10 seconds in order to propagate. If it finds one inserted, it writes an “autorun.inf” file with the following lines to the device:

[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
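Both autorun.inf files above follow the same pattern: the open= action and every right-click verb under shell\ are pointed at wscript.exe with the script as its argument, so that a clean-looking “Open” or “Explore” on the drive runs the worm. The parser below is an added example, not code from this write-up or from either script. It reads the [autorun] section, picks out the keys Windows actually executes (open, shellexecute and any shell\<verb>\command) and reports those that invoke a script host, plus the list of verbs that were hijacked; a clean autorun.inf that only sets a label or icon produces no findings. The two sample files are constructed from the lines quoted above (with the ellipsis written as three ASCII dots), and a third sample is a constructed clean file.

```python
"""Parse an autorun.inf and flag entries that hand control to a script host.

Added example, not code from the write-up. The sample files below are
constructed from the lines the post quotes plus one constructed clean file.
"""
from __future__ import annotations

# Interpreters and script hosts that no legitimate autorun.inf needs to launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


def parse_autorun(text: str) -> dict[str, str]:
    """Return the key=value pairs of the [autorun] section with keys lower-cased.

    Other sections are ignored and lines starting with ';' are comments.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def is_command_key(key: str) -> bool:
    """True for the keys Windows treats as something to execute."""
    return key in ("open", "shellexecute") or key.endswith("\\command")


def program_name(command: str) -> str:
    """Lower-cased executable name from a command line (first token, quotes honoured)."""
    command = command.strip()
    first = command.split('"')[1] if command.startswith('"') else (command.split() or [""])[0]
    return first.rsplit("\\", 1)[-1].lower()


def script_launchers(entries: dict[str, str]) -> list[tuple[str, str]]:
    """Return (key, command) pairs whose command runs a script host."""
    return [(key, cmd) for key, cmd in entries.items()
            if is_command_key(key) and program_name(cmd) in SCRIPT_HOSTS]


def hijacked_verbs(entries: dict[str, str]) -> list[str]:
    """Return the right-click verbs (open, explore, find, ...) wired to a script host."""
    prefix, suffix = "shell\\", "\\command"
    return [key[len(prefix):-len(suffix)] for key, _ in script_launchers(entries)
            if key.startswith(prefix) and key.endswith(suffix)]


# Constructed samples mirroring the two autorun.inf files quoted in the post.
RAHUL_AUTORUN = r"""[autorun]
open=wscript.exe Rahul'sVirusprotection.vbe
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Explore\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Find=Search...
shell\Find\Command=wscript.exe Rahul'sVirusprotection.vbe
shell\Format...=Format...
shell\Format...\Command=wscript.exe Rahul'sVirusprotection.vbe
"""
VIRUSREMOVAL_AUTORUN = r"""[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
"""
# Constructed clean file: a label and an icon only, nothing executable.
CLEAN_AUTORUN = r"""; vendor-supplied autorun
[autorun]
label=Backup Drive
icon=backup.ico
"""

if __name__ == "__main__":
    for name, text in (("Rahul", RAHUL_AUTORUN), ("VirusRemoval", VIRUSREMOVAL_AUTORUN),
                       ("clean", CLEAN_AUTORUN)):
        entries = parse_autorun(text)
        print(name, "script launchers:", script_launchers(entries),
              "hijacked verbs:", hijacked_verbs(entries))
```

The parser treats the key, not the file name, as the signal: an autorun.inf whose open= or shell\…\command lines run wscript.exe is worth quarantining whatever the script is called, and the hijacked-verb list shows at a glance that Open, Explore, Find and Format were all redirected rather than just the default action.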
