VBS/Roor

This page shows the details and results of our analysis of the malware VBS/Roor.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4417 (2004-12-29)

Updated DAT

4571 (2005-08-31)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2004-12-29

Description Modified

2008-06-24

Malware Proliferation

Characteristics

When executed, this malware creates the following files in multiple folders:

  • Desktop.ini
  • Folder.htt

It creates the following registry entries. Note that the Start Page value of about:error is resolved through the AboutURLs\error value, so Internet Explorer's home page becomes the remote page listed there, and NoFolderOptions removes the Folder Options dialog from Explorer, which makes the hidden dropped files harder to inspect:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\AboutURLs\error = "http: //www.geoc{removed}ies.com/hedda_marie_tolentino/index.htm"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = "about:error"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "0"

It deletes the following registry entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ExtShellViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}

It appends itself to files with the following extensions:

  • htm
  • html
  • htt

It shuts down the system when the date is 26 September.

It deletes the following directory:

  • %WinDir%\Web
    (where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
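The file and registry indicators above can be checked offline. The following script is an added example written for this page, not a McAfee tool: it parses a regedit export and reports which of the listed registry values are present, and it walks a directory tree looking for folders that contain both Desktop.ini and Folder.htt and for HTM, HTML and HTT files that carry a VBScript block after their closing html tag. The sample .reg text and sample tree are constructed for illustration (the redacted geocities URL is replaced by a placeholder), the "script after </html>" heuristic is an assumption about what "appends itself" means, and all function names are the example's own.

```python
"""Offline triage helpers for the VBS/Roor indicators listed above.
Added example for this page, not a McAfee tool. Sample data, heuristics and
function names are assumptions made for illustration."""
import os
import re
import tempfile

# Registry values the description says the virus creates. REG_DWORD data is
# normalised to a decimal string, so "1" matches dword:00000001 in a .reg export.
ROOR_REG_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": "1",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page": "about:error",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell": "0",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "0",
}
# The AboutURLs\error data is redacted on the page, so only its shape is checked:
# about:error being served from a remote http(s) URL is the indicator.
ABOUT_ERROR_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\AboutURLs\error"

# Constructed regedit export from a hypothetical infected host (URL is a placeholder).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\AboutURLs]
"error"="http://www.example.invalid/index.htm"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:error"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Return {key\\name: data} from a regedit export; handles REG_SZ and REG_DWORD only."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key:
            name, sz, dword = m.groups()
            values[key + "\\" + name] = sz if sz is not None else str(int(dword, 16))
    return values

def check_registry_values(text):
    """Return the registry indicators from the page that are present in a .reg export."""
    values = {k.lower(): v for k, v in parse_reg_export(text).items()}
    found = [p for p, want in ROOR_REG_VALUES.items() if values.get(p.lower()) == want]
    if values.get(ABOUT_ERROR_KEY.lower(), "").lower().startswith(("http://", "https://")):
        found.append(ABOUT_ERROR_KEY)
    return found

INFECTABLE = (".htm", ".html", ".htt")
# Assumed meaning of "appends itself": a VBScript block after the closing </html> tag.
_APPENDED_VBS_RE = re.compile(r"</html>.*<script[^>]*vbscript", re.IGNORECASE | re.DOTALL)

def scan_tree(root):
    """Walk root; return sorted (indicator, path relative to root) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        names = {f.lower() for f in files}
        if "desktop.ini" in names and "folder.htt" in names:
            hits.append(("dropped-desktop.ini+folder.htt", rel_dir))
        for f in files:
            if f.lower().endswith(INFECTABLE):
                with open(os.path.join(dirpath, f), encoding="utf-8", errors="replace") as fh:
                    if _APPENDED_VBS_RE.search(fh.read()):
                        hits.append(("vbscript-appended-after-html", f if rel_dir == "." else rel_dir + "/" + f))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed sample tree: a clean page, an infected page, a dropped pair."""
    vbs = '<script language="VBScript">\n\' constructed stand-in for the virus body\n</script>\n'
    samples = {
        "index.html": "<html><body>clean page</body></html>\n",
        "docs/page.htm": "<html><body>report</body></html>\n" + vbs,
        "shared/Desktop.ini": "[.ShellClassInfo]\nPersistMoniker=file://Folder.htt\n",
        "shared/Folder.htt": "<html><body>web view</body></html>\n" + vbs,
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the sample tree in a temp dir, scan it, and return both result sets."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        file_hits = scan_tree(root)
    return {"registry": check_registry_values(SAMPLE_REG_EXPORT), "files": file_hits}
```

On a real host, export the keys with `reg export` and pass the file contents to check_registry_values, and point scan_tree at a document share or web root; the registry check is exact on the four listed values and shape-based on AboutURLs\error, while the file heuristic will also flag any legitimate page that happens to place VBScript after its closing tag, so treat its hits as candidates for a scanner, not as confirmed infections.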

Symptoms

  • Presence of files and registry entries mentioned earlier

Method of Infection

Running an infected file causes the virus to append itself to all HTT, HTM and HTML files it can reach.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

1. The following generic steps restore a clean MBR from the Microsoft Recovery Console. None of the characteristics listed above involve the Master Boot Record, so these steps are only needed if a scan reports that the MBR has been modified.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog appears, choose Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.

Variants