WORM_BHARAT.A

Malware type: Worm

Aliases: Email-Worm.Win32.VB.ct (Kaspersky), W32/Rontokbro.gen@MM (McAfee), Bloodhound.Overpacked (Symantec), TR/Crypt.U.Gen (Avira), Mal/Packer (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Medium

Infection Channel 1 : Propagates via email


Infection Channel 2 : Propagates via network shares


Infection Channel 3 : Propagates via peer-to-peer networks


Infection Channel 4 : Propagates via IRC


Description: 

This worm propagates via network shares. It drops a copy of itself in certain shared folders.

It also propagates via email using Messaging Application Programming Interface (MAPI) to send its messages. It sends a copy of itself as an attachment to email messages it sends. It gathers target addresses in the Windows Address Book (WAB).

Furthermore, this worm propagates via peer-to-peer (P2P) networks. It drops copies of itself using different file names in certain hardcoded folders related to various P2P programs.

In addition, it propagates via Internet Relay Chat (IRC). It sends a certain message to target recipients, followed by a copy of itself.

It disables various system services. It also restarts the affected system once it detects certain processes running on the system.

Description created: Feb. 27, 2007 3:58:08 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 231,936 Bytes

Initial samples received on: Sep 16, 2006

Payload 1: Disables services

Payload 2: Restarts system

Trigger condition 1: Upon detection of certain strings in running processes

Payload 3: Drops files

Payload 4: Changes Internet Explorer Start, Search, and Local pages

Payload 5: Modifies computer registration information

Details:

Installation

Upon execution, this worm drops the following copies of itself:

  • %System Root%\Are you my enemy.exe
  • %System Root%\FriendEQUALsuX.exe
  • %System%\Bharatayuda.EXE
  • %System%\eminem.exe
  • %System%\gotohellfrenz.exe
  • %System%\hellyah.exe
  • %System%\Kurawas.exe
  • %System%\maniacs.exe
  • %System%\Pandawas.exe
  • %System%\wayangs.exe
  • %System%\XXrocks.exe
  • %Windows%\BANGSAT.EXE
  • %Windows%\CantiknaCayangquw.scr
  • %Windows%\Cherboundz.exe
  • %Windows%\Cirebons.exe
  • %Windows%\GNB.exe
  • %Windows%\Hottest Story Ever.exe
  • %Windows%\Mooks.EXE
  • %Windows%\Padang Kurusetra.exe
  • %Windows%\YouSUcx.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It also drops the following non-malicious files:

  • %System%\OemInfo.ini
  • %System%\oemlogo.bmp
  • %Windows%\darkness.jpg
  • %Windows%\excel.ico
  • %Windows%\file.htm
  • %Windows%\word.ico

It creates the following registry entries as a part of its installation:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Bharatayuda was here now"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Window Title = "Bharatayuda was here now"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
Bharatayuda = "Bharatayuda"
Kurawa = "Kurawa"
Pandawa = "Pandawa"
Hastina = "Hastina"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\WOW\boot.description
Worm.dll = "Bharatayuda Worm"

Autostart Techniques

To enable its automatic execution at every system startup, this worm creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
AutoRun = "echo off|%System%\Pandawas.exe|cls"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Run
System handler = "%System%\Pandawas.exe /register"
Hot Inside = "%Windows%\Hottest Story Ever.exe"
What Frenz = "%Root%\FriendEQUALsuX.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ctfmon.exe = "%System%\ctfmon.exe %System%\eminem.exe,"
RPCall_WIN2K = "%System%\Kurawas.exe /register"
CirebonPunya = "%System%\XXrocks.exe"
Bharatayuda = "%Windows%\GNB.exe"
Duwee wong Cerbon = "%Windows%\Cirebons.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
System Monitoring = "%Windows%\Mooks.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\WOW\boot
LAPAS.EXE = "%Windows%\Mooks.EXE"
Worm.dll = "%Windows%\Cirebons.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User Shell Folder
Startup = "%Windows%\YouSUcx.exe"

It also modifies the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe %System%\gotohellfrenz.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
System = "%System%\Kurawas.exe"

(Note: The default value data of the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\Pandawas.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = "%Windows%\CantiknaCayangquw.scr"

(Note: The default value data of the said registry entry is (NONE).)

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%System%\Kurawas.exe"

(Note: The default value data of the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "%System%\gotohellfrenz.exe"

(Note: The default value data of the said registry entry is cmd.exe.)

This worm employs registry shell spawning. It modifies the following registry entries to enable its automatic execution once a certain file or folder is executed or opened:

HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entries is %1" %*.)

HKEY_CLASSES_ROOT\giffile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\htmlfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\jpegfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entries is %Program Files%\Internet Explorer\iexplore.exe" -nohome.)

HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entry is %System%\mshta.exe "%1" %*.)

HKEY_CLASSES_ROOT\inffile\shell\open\command
(Default)= "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\inifile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entries is %SystemRoot%\System32\NOTEPAD.EXE %1.)

HKEY_CLASSES_ROOT\MIDFile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\mp3file\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\mpegfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\QuickTime.3gp\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\WMAFile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entries is user-defined.)

HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default) = "cmd.exe /c del "%1""

(Note: The default value data of the said registry entry is regedit.exe "%1.)

HKEY_CLASSES_ROOT\rtffile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entry is %Program Files%\Windows NT\Accessories\WORDPAD.EXE "%1.)

HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entry is %1" /S.)

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
(Default) = "%System%\gotohellfrenz.exe%1"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\WScript.exe "%1" %*.)

It also creates the following registry entries as part of its shell spawning technique:

HKEY_CLASSES_ROOT\HTTfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

HKEY_CLASSES_ROOT\SOFTWARE\Classes\
lnkfile\shell\open\command
(Default) = "%System%\gotohellfrenz.exe%1"

Other Registry Modifications

This worm creates the following registry entries to change the icon of certain files to the default Microsoft Word icon:

HKEY_CLASSES_ROOT\BMP\DefaultIcon
(Default) = "%Windows%\word.ico"

HKEY_CLASSES_ROOT\QuickTime.3gp\DefaultIcon
(Default) = "%Windows%\word.ico"

HKEY_CLASSES_ROOT\wmffile\DefaultIcon
(Default) = "%Windows%\word.ico"

It creates the following registry entries to change the icon of specific drives to the default Microsoft Word icon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Shell Icons
3 = "%Windows%\word.ico"
4 = "%Windows%\word.ico"
6 = "%Windows%\word.ico"
8 = "%Windows%\word.ico"
11 = "%Windows%\word.ico"

(Note: 3 is the Closed Folder icon; 4 is the Open Folder icon; 6 is the icon for 3.5" Floppy Disk drive; 8 is the Hard Drive icon, and; 11 is the icon for the CD-ROM drive.)

It creates the following registry entries to change the icon and corresponding label of My Network Places, My Computer, and My Documents to the default Microsoft Excel icon:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon
(Default) = "%Windows%\excel.ico"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon
(Default) = "%Windows%\excel.ico"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon
(Default) = "%Windows%\excel.ico"

It creates the following registry entries to change the labels of My Network Places, My Computer, My Documents, Recycle Bin, and Internet Explorer on the affected system's desktop:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{208D2C60-3AEA-1069-A2D7-08002B30309D}
(Default) = "Bima"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
(Default) = "Pandawa"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{450D8FBA-AD25-11D0-98A8-0800361B1103}
(Default) = "Yudhistira"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{645FF040-5081-101B-9F08-00AA002F954E}
(Default) = "Arjuna"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{871C5380-42A0-1069-A2EA-08002B30309D}
(Default) = "Nakula Sadewa"

It unhides files with System attribute by creating the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Policies
ShowSuperHidden = "1"

It creates the following registry entry to remove certain settings from the Display option in Control Panel:

Settings tab

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
NoDispSettingsPage = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoDispSettingsPage = "1"

Appearance tab

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
NoDispAppearancePage = "1"

Screen Saver tab

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
NoDispScrSavPage = "1"

Background tab

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
NoDispBackgroundPage = "1"

It creates the following registry entries to disable Windows Task Manager, command prompt, and Registry Editor:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
DisableCMD = "1"
DisableTaskMgr = "1"
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\System
DisableCMD = "1"
DisableTaskMgr = "1"
DisableRegistryTools = "1"

It creates the following registry entries to remove certain buttons in the Add/Remove Programs option in Control Panel:

Change or Remove button

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Uninstall
NoRemovePage = "1"

Add New Programs button

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Uninstall
NoAddPage = "1"

Add/Remove Windows Components button

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Uninstall
NoWindowsSetupPage = "1"

It creates the following registry entries to remove certain options in Windows Explorer:

Removes Shut Down from the Start Menu and disables the Shut Down button in the Windows Security dialog box

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoClose = "1"

Prevents user from logging off on Windows 2000

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoLogOff = "1"

Removes Run command from the Start Menu

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoRun = "1"

Removes Folder Options item from all Windows Explorer menus and Control Panel

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = "1"

Prevents users from connecting to the Windows Update Web site

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoWindowsUpdate = "1"

Removes Help from the Start Menu

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoSMHelp = "1"

Removes Search from the Start Menu

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoFind = "1"

Prevents users from opening Taskbar and Start Menu properties dialog box

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoSetTaskbar = "1"

Prevents Display in Control Panel from running

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoDispCpl = "1"

Hides menus when right-clicking on items or the taskbar

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu = "1"

Removes shortcut menus from the desktop and Windows Explorer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu = "1"

It creates the following registry entries to disable System Restore and remove the System Restore tab from the Control Panel's system options:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"
DisableSR = "1"

It disables Windows pop-up notifications when modifying system files by creating the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\SystemFileProtection
ShowPopups = "0"

It turns off the creation of checkpoints by Windows Installer. It does the said routine by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing = "1"

It restricts users to install only programs assigned by a system administrator. It does the said routine by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
DisableMSI = "1"

(Note: The default value data of this entry is 0.)

It allows Terminal Services administrators to install and configure programs remotely. It does the said routine by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
EnableAdminTSRemote = "1"

(Note: The default value data of the said registry entries is 0.)

It also modifies the following registry entries:

HKEY_CLASSES_ROOT\AVIFile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %System%\quartz.dll,-100.)

HKEY_CLASSES_ROOT\chm.file\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Windows%\hh.exe,0.)

HKEY_CLASSES_ROOT\exefile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %1.)

HKEY_CLASSES_ROOT\Folder\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\shell32.dll,3.)

HKEY_CLASSES_ROOT\giffile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe,9.)

HKEY_CLASSES_ROOT\htmlfile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe,1.)

HKEY_CLASSES_ROOT\icofile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %1.)

HKEY_CLASSES_ROOT\txtfile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\shell32.dll,-152.)

HKEY_CLASSES_ROOT\WinRAR\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Program Files%\WinRAR\WinRAR.exe,0.)

HKEY_CLASSES_ROOT\WinRAR.ZIP\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Program Files%\WinRAR\WinRAR.exe,0.)

HKEY_CLASSES_ROOT\WMAFile\DefaultIcon
(Default) = "%Windows%\word.ico"

HKEY_CLASSES_ROOT\WMVFile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entries is dxmasf.dll,-500.)

HKEY_CLASSES_ROOT\jpegfile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe,8.)

HKEY_CLASSES_ROOT\m3ufile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %System%\quartz.dll,-203.)

HKEY_CLASSES_ROOT\MIDFile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %System%\quartz.dll,-301.)

HKEY_CLASSES_ROOT\mp3file\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %System%\quartz.dll,-203.)

HKEY_CLASSES_ROOT\mpegfile\DefaultIcon
(Default) = "%Windows%\word.ico"

(Note: The default value data of the said registry entry is %System%\quartz.dll,-103.)

It creates the following registry entries to change the icon of Recycle Bin to the default Microsoft Excel icon:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
(Default) = "%Windows%\excel.ico"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
Full = "%Windows%\excel.ico"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\CLSID\
{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
Empty = "%Windows%\excel.ico"

It modifies the following registry entry to hide files with System and Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is user-defined. The value data for showing files with the Hidden attribute is 1.)

It modifies the following registry entry to hide file extension names:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is user-defined. The value data for showing file extension names is 1.)

It modifies the following registry entry to hide files with System attribute:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced
SuperHidden = "0"

(Note: The default value data of the said registry entry is user-defined. The value data for showing files with the System attribute is 1.)

This worm disables the Windows File Protection by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCDisable = "ffffff9d"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\system
shutdownwithoutlogon = "0"

(Note: The default value data of the said registry entry is 1.)

It disables extensions to the Command Processor by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
EnableExtensions = "0"

(Note: The default value data of the said registry entry is 1.)

It modifies the Internet Explorer Start, Search, and Local pages by modifying the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = "%Windows%\file.htm"
Local Page = "%Windows%\file.htm"
Start Page = "%Windows%\file.htm"

(Note: The default value data of the said registry entries is user-defined.)

It changes the affected system's registration information by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion
RegisteredOrganization = "Bharatayuda"
RegisteredOwner = "Pandawa"
ProductName = "Pandawa"
ProductId = "Bharatayuda"

(Note: The default value data of the said registry entries is user-defined.)

It also modifies the following registry entries to display a message box after a user presses CTRL+ALT+DEL to log on to the affected system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = "Only God"
LegalNoticeText = "Don`t ever judge me coz u don`t know me..!! Don`t ever judge me coz u just see me from the outside...!! Don`t ever give a statement for me coz u don`t understand me..!! Only God that knowing who i am..!! Only God that can judge me..!!"

(Note: The default value data of the said registry entries is blank.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
ReportBootOk = "0"

(Note: The default value data of the said registry entry is 1.)

This worm modifies the following registry entries to change the time format displayed on the affected computer's system tray:

HKEY_CURRENT_USER\Control Panel\International
s1159 = "F#H Comunity"

(Note: The default value data of the said registry entry is AM.)

HKEY_CURRENT_USER\Control Panel\International
s2359 = "F#H Comunity"

(Note: The default value data of the said registry entry is PM.)

HKEY_CURRENT_USER\Control Panel\International
sCountry = "Cirebon Indonesia"

(Note: The default value data of the said registry entry is United States.)

HKEY_CURRENT_USER\Control Panel\International
sCurrency = "Rupiah"

(Note: The default value data of the said registry entry is $.)

HKEY_CURRENT_USER\Control Panel\International
sLongDate = "yyyy, dd MMMM, dddd"

(Note: The default value data of the said registry entry is dddd, MMMM dd, yyyy.)

HKEY_CURRENT_USER\Control Panel\International
sShortDate = "yyyy/d/M"

(Note: The default value data of the said registry entry is M/d/yyyy.)

HKEY_CURRENT_USER\Control Panel\International
sTime = "*"

(Note: The default value data of the said registry entry is :.)

HKEY_CURRENT_USER\Control Panel\International
sTimeFormat = "tt ss:mm:h"

(Note: The default value data of the said registry entry is h:mm:ss tt.)
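The Installation, Autostart Techniques, shell-spawning and lockdown-policy entries above, turned into a read-only audit. This is an added example, not a Trend Micro tool or anything taken from the report; it assumes Windows PowerShell 3.0 or later run as an administrator, and uses the key name 'User Shell Folders' as it exists on Windows where the report writes 'User Shell Folder'.

```powershell
# Read-only audit for the WORM_BHARAT.A artifacts described in the report above.
# Assumes Windows PowerShell 3.0 or later, run as an administrator. Nothing is modified.
# The report's %System Root%, %System% and %Windows% are taken from the environment.
$root    = $env:SystemDrive                        # %System Root%, e.g. C:
$windows = $env:SystemRoot                         # %Windows%
$system  = Join-Path $env:SystemRoot 'System32'    # %System% on NT-based Windows

# Copies of itself the report says the worm drops on installation.
$droppedFiles = @(
    "$root\Are you my enemy.exe", "$root\FriendEQUALsuX.exe",
    "$system\Bharatayuda.EXE", "$system\eminem.exe", "$system\gotohellfrenz.exe",
    "$system\hellyah.exe", "$system\Kurawas.exe", "$system\maniacs.exe",
    "$system\Pandawas.exe", "$system\wayangs.exe", "$system\XXrocks.exe",
    "$windows\BANGSAT.EXE", "$windows\CantiknaCayangquw.scr", "$windows\Cherboundz.exe",
    "$windows\Cirebons.exe", "$windows\GNB.exe", "$windows\Hottest Story Ever.exe",
    "$windows\Mooks.EXE", "$windows\Padang Kurusetra.exe", "$windows\YouSUcx.exe"
)
$droppedNames = $droppedFiles | ForEach-Object { Split-Path -Path $_ -Leaf }

# Autostart locations the report lists (Run keys, Command Processor AutoRun, WOW\boot,
# Winlogon Shell/Userinit/System, 'load', SCRNSAVE.EXE, SafeBoot AlternateShell).
# The report writes "User Shell Folder"; the key as it exists on Windows is "User Shell Folders".
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Control Panel\Desktop',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
)
# File classes whose shell\open\command the report says the worm hijacks.
$hijackedClasses = 'batfile', 'comfile', 'piffile', 'giffile', 'htmlfile', 'jpegfile',
    'htafile', 'inffile', 'inifile', 'MIDFile', 'mp3file', 'mpegfile', 'QuickTime.3gp',
    'WMAFile', 'regfile', 'rtffile', 'scrfile', 'VBSFile', 'HTTfile', 'lnkfile'
$shellKeys = $hijackedClasses | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shell\open\command" }

# Values the worm creates to disable Task Manager, cmd.exe, Registry Editor, System
# Restore and Windows File Protection. Group policy can set some of these legitimately,
# so a hit here is a lead to review, not a verdict on its own.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Names = 'DisableCMD', 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Names = 'DisableCMD', 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Names = 'DisableSR', 'DisableConfig' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Names = 'SFCDisable' }
)

# Walk every value under the given keys and return those whose data matches a pattern
# (a dropped file name, or the "cmd.exe /c del" the worm plants in regfile's command).
function Get-SuspiciousRegistryValues {
    param([string[]]$Keys, [string[]]$Patterns)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {      # '' is the (default) value
            $data = [string]$item.GetValue($name)
            foreach ($pattern in $Patterns) {
                if ($data -imatch $pattern) {
                    [pscustomobject]@{ Key = $key; Name = $(if ($name) { $name } else { '(default)' }); Data = $data }
                    break
                }
            }
        }
    }
}

# Return the lockdown values that exist and are non-zero.
function Get-SetPolicyValues {
    param($Checks)
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $c.Key
        foreach ($n in $c.Names) {
            $v = $props.$n
            if ($null -ne $v -and $v -ne 0) { [pscustomobject]@{ Key = $c.Key; Name = $n; Data = $v } }
        }
    }
}

$onDisk     = @($droppedFiles | Where-Object { Test-Path -LiteralPath $_ })
$patterns   = @($droppedNames | ForEach-Object { [regex]::Escape($_) }) + 'cmd\.exe\s+/c\s+del'
$regHits    = @(Get-SuspiciousRegistryValues -Keys ($autostartKeys + $shellKeys) -Patterns $patterns)
$policyHits = @(Get-SetPolicyValues -Checks $policyChecks)

"Dropped copies present on disk: $($onDisk.Count)"
$onDisk | ForEach-Object { "  $_" }
"Autostart or shell\open\command values referencing worm files: $($regHits.Count)"
$regHits | ForEach-Object { "  $($_.Key) : $($_.Name) = $($_.Data)" }
"Lockdown policy values set: $($policyHits.Count)"
$policyHits | ForEach-Object { "  $($_.Key) : $($_.Name) = $($_.Data)" }
```

Because the worm also hijacks the batfile, comfile and scrfile associations, run this from an interactive PowerShell session rather than from a .bat or .cmd launcher on a machine you suspect is infected.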

Propagation Routines

This worm propagates via email. It sends a copy of itself as an attachment to email messages it sends. The email message it sends out has the following details:

Subject: Hey Dude here the hottest story for you..
Message body: ll know how hot it is...!
Attachment: Hottest Story Ever.exe

It uses the Messaging Application Programming Interface (MAPI) to send its messages. It gathers target addresses in the Windows Address Book (WAB).

It also propagates via network shares. It drops a copy of itself in shares C$ to Z$.

Moreover, it propagates via peer-to-peer (P2P) networks. It drops copies of itself using the following file names:

  • Account Internet Banking.exe
  • Bharatayuda Story.exe
  • cerita panas.exe
  • cerita seru.exe
  • Curiculum Vitae.exe
  • CVnya.exe
  • data dari temen.exe
  • data karyawan baru.exe
  • Data proposal.exe
  • Diary.exe
  • Digital Imaging Tutorial.exe
  • hot story.exe
  • katalog diskon.exe
  • kerjaan kantor.exe
  • kumpulan puisi cinta.exe
  • lirik lagu.exe
  • my diary.exe
  • my secret file.exe
  • new file.exe
  • Nomer Pin Atm.exe
  • puisi cinta untukmu.exe
  • ramalan bintang.exe
  • surat cinta.exe
  • surat perjanjian.exe
  • tugas kuliahku.exe
  • Tutorial Animasi Flash.exe

It drops its copies in the following hardcoded paths related to various P2P programs:

  • C:\Program Files\BearShare\Shared
  • C:\Program Files\Edonkey2000\Incoming
  • C:\Program Files\Grokster\My Grokster
  • C:\Program Files\Kazaa Lite\My Shared Folder
  • C:\Program Files\Kazaa\My Shared Folder
  • C:\Program Files\KMD\My Shared Folder
  • C:\Program Files\Morpheus\My Shared Folder
  • D:\Program Files\BearShare\Shared
  • D:\Program Files\Edonkey2000\Incoming
  • D:\Program Files\Grokster\My Grokster
  • D:\Program Files\Kazaa Lite\My Shared Folder
  • D:\Program Files\Kazaa\My Shared Folder
  • D:\Program Files\KMD\My Shared Folder
  • D:\Program Files\Morpheus\My Shared Folder

In addition, it propagates via Internet Relay Chat (IRC). It sends the following message to target recipients, followed by a copy of itself:

Hey Dude here the hottest story for you..
Hottest Story Ever.exe

Other Details

This worm restarts the affected system once it detects the following processes running on the affected system:

  • 16Edit.exe
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • a2hijackfree.exe
  • ACKWIN32.EXE
  • ADVXDWIN.EXE
  • AgentSvr.exe
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTS.EXE
  • APVXDWIN.EXE
  • ashAvast.exe
  • ashmaisv.exe
  • ashQuick.exe
  • AspackDie.exe
  • aswupdsv.exe
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUTODOWN.EXE
  • AutoTrace.exe
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVENGINE.EXE
  • avg.exe
  • avgcc.exe
  • AVGCC32.EXE
  • Avgctrl.exe
  • avgemc.exe
  • avgnt.exe
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • avguard.exe
  • avgupsvc.exe
  • avgw.exe
  • avkpop.exe
  • AVKSERV.EXE
  • avkservice.exe
  • avkwctl9.exe
  • AVLITE.EXE
  • AVLTMAIN.EXE
  • AVNT.EXE
  • avp.com
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • avscan.exe
  • Avsched32.exe
  • AVSYNMGR.EXE
  • AVTASK.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD32.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE.EXE
  • AVXW.EXE
  • bdlite.exe
  • bdmcon.exe
  • bdsubmit.exe
  • BLACKD.EXE
  • BLACKICE.EXE
  • cafix.exe
  • calmav.exe
  • CAV.exe
  • CAVTray.exe
  • CClaw.exe
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • Cheat Engine.exe
  • clamav.exe
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CMGRDIAN.EXE
  • CONNECTIONMONITOR.EXE
  • CPDCLNT.EXE
  • Cuztomizer.exe
  • defscangui.exe
  • DEFWATCH.EXE
  • DEVENV.EXE
  • dkernel.exe
  • DOORS.EXE
  • drwtsn32.exe
  • DTaskManager.exe
  • DVP95.EXE
  • DVP95_0.EXE
  • dxdiag.exe
  • ECENGINE.EXE
  • EFPEADM.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXCEL.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • Filemon.exe
  • FINDVIRU.EXE
  • Fix-It.exe
  • fnrb32.exe
  • FP-WIN.EXE
  • FPROT.EXE
  • freecell.exe
  • FRONTPG.EXE
  • FRW.EXE
  • FrzState.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsavstrt.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • GENERICS.EXE
  • GIANTAntiSpywareMain.exe
  • GIANTAntiSpywareUpdater.exe
  • GUARD.EXE
  • GUARDDOG.EXE
  • HexEditor.exe
  • HijackThis.exe
  • iamapp.exe
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICNTMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • idag.exe
  • IFACE.EXE
  • InoRpc.exe
  • InoRT.exe
  • InoTask.exe
  • install.exe
  • IOMON98.EXE
  • ISRV95.EXE
  • iTunes.exe
  • JEDI.EXE
  • Kernelmoduleunloader.exe
  • KillBox.exe
  • LDNETMON.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • mcvsescn.exe
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • mgtweak.exe
  • MINILOG.EXE
  • mmc.exe
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • mplayer2.exe
  • MSACCESS.EXE
  • msdev.exe
  • MSE7.EXE
  • mshearts.exe
  • MSVCMON.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NDD32.EXE
  • NeoWatchLog.exe
  • netstat.exe
  • NETUTILS.EXE
  • NGenFix.exe
  • nipsvc.exe
  • NISSERV.EXE
  • nisum.exe
  • njeeves.exe
  • NMAIN.EXE
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • nopdb.exe
  • NORMIST.EXE
  • NPROTECT.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NTPMON.EXE
  • ntrtscan.EXE
  • NTVDM.EXE
  • NTXconfig.exe
  • Nui.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • nvcoas.exe
  • Nvcod.exe
  • nvsvc32.exe
  • NWService.exe
  • NWTOOL16.EXE
  • opscan.exe
  • PADMIN.EOUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • pavproxy.exe
  • PavPrSrv.exe
  • PAVSCHED.EXE
  • PAVSRV51.EXE
  • PAVW.EXE
  • PCCIOMON.exe
  • PCClient.exe
  • pccmain.exe
  • pccntmon.EXE
  • pccwin97.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PCMAV-CLN.exe
  • PCMAV-RTP.exe
  • PCMAV.exe
  • pcscan.EXE
  • PEDASM.EXE
  • PERSFW.EXE
  • PINBALL.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • PORTMONITOR.EXE
  • PowerPack.exe
  • POWERPNT.EXE
  • PrivacyExpert.exe
  • Process Explorer.exe
  • PROCESSMONITOR.EXE
  • PROCEXP.EXE
  • PVIEW95.EXE
  • QuickTimePlayer.exe
  • RAV7.EXE
  • RAV7WIN.EXE
  • Realmon.exe
  • realplay.exe
  • RegCleaner.exe
  • RegMedical.exe
  • Regmon.exe
  • RESCUE.EXE
  • ResHacker.exe
  • rl.exe
  • rtvscan.exe
  • RTVSCN95.EXE
  • SAFEWEB.EXE
  • sbserv.exe
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • Security Task Manager.exe
  • SERV95.EXE
  • setup.exe
  • SMC.EXE
  • sndvol32.exe
  • sol.exe
  • SPHINX.EXE
  • spider.exe
  • SpyProtector.exe
  • SPYXX.EXE
  • SS3EDIT.EXE
  • sscansvc.exe
  • SWEEP95.EXE
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • sysmechanic.exe
  • TaskMan.exe
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TFAK.EXE
  • TweakUI.exe
  • ud.exe
  • uedit32.exe
  • UnFSG.exe
  • UnPEC.exe
  • Unpgui.exe
  • Update.exe
  • utilman.exe
  • vbcmserv.exe
  • VbCons.exe
  • VBReFormer 3.9 free.exe
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VFP6.EXE
  • VFP6RUN.EXE
  • VIR-HELP.EXE
  • VPC32.exe
  • VPDN_LU.exe
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • vsmon.exe
  • VSSTAT.EXE
  • W32dsm87.exe
  • W32DSM89.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WIMMUN32.EXE
  • winamp.exe
  • winampa.exe
  • WindowsDefender.exe
  • WinTweak.exe
  • WINWORD.EXE
  • wmplayer.exe
  • wordpad.exe
  • WRADMIN.EXE
  • WRCTRL.EXE
  • write.exe
  • WSWEEPNT.EXE
  • Zanda.exe
  • ZAPRO.EXE
  • Zlh.exe
  • ZONEALARM.EXE

It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Vincent R. Cabuag

Updated By: Jasen Sumalapao

Revision History:

First pattern file version: 3.756.05
First pattern file release date: Sep 16, 2006
 
May 12, 2008 - Modified Malware Report

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 5.215.00

Pattern release date: Apr 14, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Enabling The Registry Editor

This malware disables the Registry Editor. To restore the said system tool, perform the following instructions:

  1. Open Notepad. Click Start>Run, type Notepad, then press Enter.
  2. Copy and paste the following:
  3. Save this file as C:\RESTORE.VBS.
  4. Click C:\RESTORE.VBS, then press Enter.
  5. Click Yes at the prompt of the message box.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Command Processor
  3. In the right panel, locate and delete the entry:
    AutoRun = "echo off|%System%\Pandawas.exe|cls"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>User Shell Folder
  5. In the right panel, locate and delete the entry:
    Startup = "%Windows%\YouSUcx.exe"
    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the following entries:
    • Bharatayuda = "%Windows%\GNB.exe"
    • CirebonPunya = "%System%\XXrocks.exe"
    • ctfmon.exe = "%System%\ctfmon.exe %System%\eminem.exe,"
    • Duwee wong Cerbon = "%Windows%\Cirebons.exe"
    • RPCall_WIN2K = "%System%\Kurawas.exe /register"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Run
  9. In the right panel, locate and delete the following entries:
    • Hot Inside = "%Windows%\Hottest Story Ever.exe"
    • System handler = "%System%\Pandawas.exe /register"
    • What Frenz = "%System Root%\FriendEQUALsuX.exe"

    (Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>WOW>boot
  11. In the right panel, locate and delete the following entries:
    • LAPAS.EXE = "%Windows%\Mooks.EXE"
    • Worm.dll = "%Windows%\Cirebons.exe"
  12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  13. In the right panel, locate and delete the entry:
    System Monitoring = "%Windows%\Mooks.EXE"
  14. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Explorer>Shell Icons
  15. In the right panel, locate and delete the following entries:
    • 3 = "%Windows%\word.ico"
    • 4 = "%Windows%\word.ico"
    • 6 = "%Windows%\word.ico"
    • 8 = "%Windows%\word.ico"
    • 11 = "%Windows%\word.ico"
  16. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {208D2C60-3AEA-1069-A2D7-08002B30309D}>
    DefaultIcon
  17. In the right panel, locate and delete the entry:
    (Default) = "%Windows%\excel.ico"
  18. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {20D04FE0-3AEA-1069-A2D8-08002B30309D}>
    DefaultIcon
  19. In the right panel, locate and delete the entry:
    (Default) = "%Windows%\excel.ico"
  20. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {208D2C60-3AEA-1069-A2D7-08002B30309D}
  21. In the right panel, locate and delete the entry:
    (Default) = "Bima"
  22. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {20D04FE0-3AEA-1069-A2D8-08002B30309D}
  23. In the right panel, locate and delete the entry:
    (Default) = " Pandawa"
  24. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {450D8FBA-AD25-11D0-98A8-0800361B1103}
  25. In the right panel, locate and delete the entry:
    (Default) = " Arjuna"
  26. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>CLSID>
    {871C5380-42A0-1069-A2EA-08002B30309D}
  27. In the right panel, locate and delete the entry:
    (Default) = " Nakula Sadewa"
  28. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>Policies
  29. In the right panel, locate and delete the entry:
    ShowSuperHidden = "1"
  30. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Policies>System
  31. In the right panel, locate and delete the following entries:
    • NoDispSettingsPage = "1"
    • NoDispAppearancePage = "1"
    • NoDispScrSavPage = "1"
    • NoDispBackgroundPage = "1"

Restoring Registry Entries

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CLASSES_ROOT>batfile>shell>open>command
  2. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%1" %*"
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>comfile>shell>open>command
  5. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%1" %*"
  7. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>giffile>shell>open>command
  8. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  9. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe" -nohome"
  10. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>htafile>Shell>Open>Command
  11. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  12. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\mshta.exe "%1" %*"
  13. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>htmlfile>shell>open>command
  14. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  15. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe" -nohome"
  16. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Installer
  17. In the right panel, locate the entry:
    LimitSystemRestoreCheckpointing = "1"
  18. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Installer
  19. In the right panel, locate the entry:
    DisableMSI = "1"
  20. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "0"
  21. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Installer
  22. In the right panel, locate the entry:
    EnableAdminTSRemote = "1"
  23. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "0"
  24. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>AVIFile>DefaultIcon
  25. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  26. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\quartz.dll,-100"
  27. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>chm.file>DefaultIcon
  28. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  29. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Windows%\hh.exe,0"
  30. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>DefaultIcon
  31. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  32. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " %1"
  33. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>Folder>DefaultIcon
  34. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  35. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%SystemRoot%\System32\shell32.dll,3"
  36. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>giffile>DefaultIcon
  37. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  38. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe,9"
  39. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>htmlfile>DefaultIcon
  40. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  41. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe,1"
  42. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>icofile>DefaultIcon
  43. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  44. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%1"
  45. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>txtfile>DefaultIcon
  46. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  47. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%SystemRoot%\system32\shell32.dll,-152"
  48. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>WinRAR>DefaultIcon
  49. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  50. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\WinRAR\WinRAR.exe,0"
  51. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>WinRAR.ZIP>DefaultIcon
  52. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  53. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\WinRAR\WinRAR.exe,0"
  54. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>WMAFile>DefaultIcon
    HKEY_CLASSES_ROOT>WMVFile>DefaultIcon
  55. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  56. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "dxmasf.dll,-500"
  57. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>jpegfile>DefaultIcon
  58. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  59. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe,8"
  60. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>m3ufile>DefaultIcon
  61. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  62. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\quartz.dll,-203"
  63. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>MIDFile>DefaultIcon
  64. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  65. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\quartz.dll,-301"
  66. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>mp3file>DefaultIcon
  67. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  68. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\quartz.dll,-203"
  69. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>mpegfile>DefaultIcon
  70. In the right panel, locate the entry:
    (Default) = "%Windows%\word.ico"
  71. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\quartz.dll,-103"
  72. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    Current Version>Explorer>Advanced
  73. In the right panel, locate the entry:
    Hidden = "0"
  74. Right-click on the value name and choose Modify. Change the value data of this entry to:
    user-defined. The value data for showing files with the Hidden attribute is 1.
  75. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    Current Version>Explorer>Advanced
  76. In the right panel, locate the entry:
    HideFileExt ="1"
  77. Right-click on the value name and choose Modify. Change the value data of this entry to:
    user-defined. The value data for showing file extension names is 1.
  78. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    Current Version>Explorer>Advanced
  79. In the right panel, locate the entry:
    SuperHidden = "0"
  80. Right-click on the value name and choose Modify. Change the value data of this entry to:
    user-defined. The value data for showing files with the System attribute is 1.
  81. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    Current Version>Winlogon
  82. In the right panel, locate the entry:
    SFCDisable = "ffffff9d"
  83. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "0"
  84. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    Current Version>policies>system
  85. In the right panel, locate the entry:
    shutdownwithoutlogon = "0"
  86. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "1"
  87. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Command Processor
  88. In the right panel, locate the entry:
    EnableExtensions = "0"
  89. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " 1"
  90. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Main
  91. In the right panel, locate the entry:
    Search Page = "%Windows%\file.htm"
    Local Page = "%Windows%\file.htm"
    Start Page = "%Windows%\file.htm"
  92. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  93. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    Current Version
  94. In the right panel, locate the entry:
    RegisteredOrganization = "Bharatayuda"
    RegisteredOwner = "Pandawa"
    ProductName = "Pandawa"
    ProductId = "Bharatayuda"
  95. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  96. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    Current Version>Winlogon
  97. In the right panel, locate the entry:
    LegalNoticeCaption = "Only God"
    LegalNoticeText = "Don`t ever judge me coz u don`t know me..!! Don`t ever judge me coz u just see me from the outside...!! Don`t ever give a statement for me coz u don`t understand me..!! Only God that knowing who i am..!! Only God that can judge me..!!"
  98. Right-click on the value name and choose Modify. Change the value data of this entry to blank.
  99. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    Current Version>Winlogon
  100. In the right panel, locate the entry:
    ReportBootOk = "0"
  101. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " 1"
  102. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  103. In the right panel, locate the entry:
    s1159 = "F#H Comunity"
  104. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " AM"
  105. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  106. In the right panel, locate the entry:
    s2359 = "F#H Comunity"
  107. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " PM"
  108. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  109. In the right panel, locate the entry:
    sCountry = "Cirebon Indonesia"
  110. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "United States"
  111. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  112. In the right panel, locate the entry:
    sCurrency = "Rupiah"
  113. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "$"
  114. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  115. In the right panel, locate the entry:
    sLongDate = "yyyy, dd MMMM, dddd"
  116. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "dddd, MMMM dd, yyyy"
  117. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  118. In the right panel, locate the entry:
    sShortDate = "yyyy/d/M"
  119. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "M/d/yyyy"
  120. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  121. In the right panel, locate the entry:
    sTime = "*"
  122. Right-click on the value name and choose Modify. Change the value data of this entry to:
    ":"
  123. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>International
  124. In the right panel, locate the entry:
    sTimeFormat = "tt ss:mm:h"
  125. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "h:mm:ss tt"
  126. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>inffile>shell>open>command
  127. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  128. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%SystemRoot%\System32\NOTEPAD.EXE %1"
  129. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>inifile>shell>open>command
  130. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  131. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%SystemRoot%\System32\NOTEPAD.EXE %1"
  132. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>jpegfile>shell>open>command
  133. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  134. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Internet Explorer\iexplore.exe" -nohome"
  135. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>MIDFile>shell>open>command
  136. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  137. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  138. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>mp3file>shell>open>command
  139. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  140. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  141. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>mpegfile>shell>open>command
  142. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  143. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  144. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>piffile>shell>open>command
  145. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  146. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%1" %*"
  147. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>QuickTime.3gp>shell>open>command
  148. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  149. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  150. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>regfile>shell>open>command
  151. In the right panel, locate the entry:
    (Default) = "cmd.exe /c del "%1""
  152. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "regedit.exe "%1"
  153. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>rtffile>shell>open>command
  154. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  155. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%Program Files%\Windows NT\Accessories\WORDPAD.EXE "%1"
  156. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>scrfile>shell>open>command
  157. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  158. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%1" /S"
  159. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>VBSFile>Shell>Open>Command
  160. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  161. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%SystemRoot%\System32\WScript.exe "%1" %*"
  162. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>WMAFile>shell>open>command
  163. In the right panel, locate the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  164. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "user-defined"
  165. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>Desktop
  166. In the right panel, locate the entry:
    SCRNSAVE.EXE = "%Windows%\CantiknaCayangquw.scr"
  167. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "(NONE) "
  168. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows NT>
    Current Version>Windows
  169. In the right panel, locate the entry:
    load = "%System%\Kurawas.exe"
  170. Right-click on the value name and choose Modify. Change the value data of this entry to:
    ""
  171. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    Current Version>Winlogon
  172. In the right panel, locate the entry:
    Shell = "explorer.exe %System%\gotohellfrenz.exe"
  173. Right-click on the value name and choose Modify. Change the value data of this entry to:
    " Explorer.exe"
  174. In the right panel, locate the entry:
    System = "%System%\Kurawas.exe"
  175. Right-click on the value name and choose Modify. Change the value data of this entry to:
    ""
  176. In the right panel, locate the entry:
    Userinit = "%System%\userinit.exe,%System%\Pandawas.exe"
  177. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "%System%\userinit.exe,"
  178. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SafeBoot
  179. In the right panel, locate the entry:
    AlternateShell = "%System%\gotohellfrenz.exe"
  180. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "cmd.exe"

Removing Malware Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CLASSES_ROOT>HTTfile>shell>open>command
  2. In the right panel, locate and delete the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  3. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>SOFTWARE>Classes>lnkfile>shell>
    open>command
  4. In the right panel, locate and delete the entry:
    (Default) = "%System%\gotohellfrenz.exe%1"
  5. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
  6. In the right panel, locate and delete the entry:
    Window Title = "Bharatayuda was here now"
  7. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
  8. In the right panel, locate and delete the following entries:
    • Bharatayuda = "Bharatayuda"
    • Hastina = "Hastina"
    • Kurawa = "Kurawa"
    • Pandawa = "Pandawa"
  9. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Main
  10. In the right panel, locate and delete the entry:
    Window Title = "Bharatayuda was here now"
  11. Close Registry Editor.
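Before hand-editing the entries listed in the three registry sections above, a responder can confirm which of them are actually set by auditing a Registry Editor export. The following Python is an added example, not code from the Trend Micro report: it parses .reg text and flags the hijacked file associations, the worm's Run-key autostarts and the Winlogon, SafeBoot and SFCDisable changes; the worm file names, value names and restore values come from the report, and the sample export is constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from the report: worm file names, value names and restore
# values below come from the cleanup steps above; the .reg sample is constructed.
WORM_BINARIES = ("gotohellfrenz.exe", "pandawas.exe", "kurawas.exe", "xxrocks.exe",
                 "eminem.exe", "gnb.exe", "cirebons.exe", "yousucx.exe", "mooks.exe",
                 "friendequalsux.exe", "hottest story ever.exe", "cantiknacayangquw.scr")
# Autostart value names the report says the worm adds under the Run keys.
WORM_RUN_VALUES = {"bharatayuda", "cirebonpunya", "duwee wong cerbon", "rpcall_win2k",
                   "hot inside", "system handler", "what frenz", "system monitoring"}
# (lower-cased key, lower-cased value name) -> restore value given in the report.
EXPECTED = {
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "shell"): "explorer.exe",
    (r"hkey_local_machine\system\currentcontrolset\control\safeboot", "alternateshell"): "cmd.exe",
}
Registry = Dict[str, Dict[str, object]]
# A value line is either @=data (the key's default value) or "name"=data.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Registry:
    """Parse a .reg export into {key: {value_name: data}}; "@" is the default value.
    REG_SZ and dword values are decoded, other types are kept as raw text."""
    reg: Registry = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if line.startswith("@") else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            reg[key][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        else:
            reg[key][name] = data
    return reg


def _mentions_worm(data: object) -> bool:
    return isinstance(data, str) and any(b in data.lower() for b in WORM_BINARIES)


def audit(reg: Registry) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, finding) for every artifact the cleanup steps cover."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in reg.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if k.endswith(r"\shell\open\command") and _mentions_worm(data):
                findings.append((key, name, "file association hijacked; restore per report"))
            elif k.endswith(r"\run") and (n in WORM_RUN_VALUES or _mentions_worm(data)):
                findings.append((key, name, "worm autostart entry; delete"))
            elif (k, n) in EXPECTED:
                if str(data).strip().lower() != EXPECTED[(k, n)]:
                    findings.append((key, name, f"expected {EXPECTED[(k, n)]!r}"))
            elif _mentions_worm(data):
                findings.append((key, name, "references worm binary; restore per report"))
            elif n == "sfcdisable" and data != 0:
                findings.append((key, name, "Windows File Protection disabled; set to 0"))
    return findings


# Constructed sample export with a few of the entries the report lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINDOWS\\system32\\gotohellfrenz.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Bharatayuda"="C:\\WINDOWS\\GNB.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe C:\\WINDOWS\\system32\\eminem.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\gotohellfrenz.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Pandawas.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''
```

Running `audit(parse_reg(SAMPLE_REG))` on the constructed export reports six findings (the batfile association, both Run values, Shell, Userinit and SFCDisable) and nothing for the already-correct AlternateShell; on a real system the input is the text of a `regedit /e` export.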

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %System%\OemInfo.ini
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
  5. Repeat steps 2-4 for the following files:
    • %Windows%\darkness.jpg
    • %Windows%\excel.ico
    • %Windows%\file.htm
    • %System%\oemlogo.bmp
    • %Windows%\word.ico

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_BHARAT.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.