WORM_SKYTWI.B

October 21, 2015

Analysis by: Francis Xavier Antazo

ALIASES:

Worm:Win32/Pykspa.C (Microsoft); W32/Pykse.worm (Mcafee)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

Infection Channel: Dropped by other malware, Via social networking sites

This worm arrives by accessing affected shared networks.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

TECHNICAL DETAILS

File Size: 659456 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 08 May 2015

Payload: Connects to URLs/IPs

Arrival Details

This worm arrives by accessing affected shared networks.

Installation

This worm drops the following copies of itself into the affected system:

%User Temp%\{random}.exe
%System%\{random}.exe
%Windows%\{random}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = {random}.exe .

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = %User Temp%\{random}.exe .

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = {random}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = %User Temp%\{random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = {random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = %User Temp%\{random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = {random}.exe .

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = %User Temp%\{random}.exe .

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random} = {random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random} = %User Temp%\{random}.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableRegistryTools = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorUser = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableInstallerDetection = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableSecureUIAPaths = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableVirtualization = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
PromptOnSecureDesktop = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ValidateAdminCodeSignatures = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
FilterAdministratorToken = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
AntiVirusDisableNotify = 1

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = 91

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 1

(Note: The default value data of the said registry entry is 91.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
NoDriveTypeAutoRun = ff

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

Propagation

This worm creates the following folder in all physical and removable drives:

{random}.bat

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage}
[AutoRun]
{garbage}
open={garbage}.bat
{garbage}
shell\open\Command={garbage}.bat _
{garbage}
shell\open\Default=1
shell\explore\Default=2
{garbage}
shell\explore\Command={random}.bat _
{garbage}

Process Termination

This worm terminates the following services if found on the affected system:

SharedAccess
WinDefend
Wuauserv
MpsSvc
BITS
WerSvc
wscsvc

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

http://whatismyipaddress.com/
http://www.showmyipaddress.com/
http://whatismyip.ca/
http://whatismyip.everdot.org/

NOTES:

It terminates and uninstalls the following files related to anti-virus software using its component DLL file:

ashserv.exe
avgcsrvx.exe
avgrsx.exe
avgtray.exe
avguard.exe
avp.exe
bdagent.exe
ccsvchst.exe
ekrn.exe
fsgk32st.exe
gdscan.exe
mcmscsvc.exe
PsCtrlS.exe
pshost.exe
vsserv.exe
zlclient.exe

It drops the following component file when it finds any of the following processes related to AV products:

%User Temp%\{random file name}.dll - DLL component that uninstalls antivirus software (detected as WORM_SKYTWI.B)

Upon execution, it opens the %User Temp% folder and subsequently opens it every time a user closes the folder.

It drops encrypted components at the following directories:

%Application Data%
%User Temp%
%Program Files%
%Windows%
%System%

The dropped files have random filenames and file extensions.

It searches for files having the following file extensions in the My Documents folder:

.gif
.ppt
.xls
.jpg
.jpeg
.bmp
.3gp
.doc
.rtf
.txt

It then archives the files it finds including a copy of itself using WinRAR. The created archive is dropped to available network shares.

It closes windows with the following strings in its title:

Antivir
Eset
Firewall
Hiajck
Hijack
IceSword
NetTools
Process Ex
Process Ha
Procexp
Procmon
Regedit
Registry
Regmon
Restauration du sy
Rstrui
Sistemos atk
Spyware
Sysclean
Sysinternals
Zonealarm
antianti
antivirus
avg
computer management
dr. web
dr.web
esetsmart
internet security
security center
soft security e
system configuration
system restore
trend micro
virus
worm

It blocks access to sites that contains the following strings in the address bar:

Kaspersky
Malware
Virus
Wilderssecurity
ahnlab
arcabit
avast
avg.
avira
avp.
bit9.
castlecops
centralcommand
cert.
clamav
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
eset –
etrust
ewido
f-prot
f-secure
fortinet
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
mcafee
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
sans.
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
tcpview
threatexpert
trendmicro
vet.
windowsupdate

It is capable of propagating via Skype by sending the following pre-defined messages along with a link where a copy of itself may be downloaded:

hello
how are you
hello again
you skype version is old
what are you?
from where are you?
what are you doing in my contacts?
as I said %s
so %s
%s :D
look %s
here %s
so what do you think?
what is in that link on your skype?
do you have camera on skype?
is it really your web site?
what do you think about that?
what is there?
pudge women ;)
piece of shit
now everyone know ;)
idiot
what are you doing
crazy bitch
why dont you speak
I saw you photo. I would like to speak with you
I saw you last week. I would like to speak with you
I watching you long time. I would like to speak with you
%s
I know what you did
191:%s :D :D :D
idiot name
i lost my job..
i am idiot..
i want to die..
(beer)
nice ass :*
muhahahaaahaha
little boy :]]]]
I know about your little problem :D
gay
what new?
what the fuck is that ?
bad news
dude
bitch
niger
impotent

It can also send these messages using native languages of specific countries in Europe.

This worm connacts to any of the following sites to get the current date and time:

www.ebay.com
www.baidu.com
www.imdb.com
www.bbc.co.uk
www.adobe.com
www.blogger.com
www.wikipedia.org
www.yahoo.com
www.youtube.com
www.myspace.com
www.facebook.com
www.google.com

It is capable of deleting System Restore points by deleting the contents of the %System Root%\System Volume Information folder.

It reads the affected user's Skype configuration in order to steal personal information from the user as well as his/her Skype contacts.

This malware generates random domains using an algorithm in order to connect to its C&C server. It is capable of executing the following commands:

Download and execute possibly malicious files
Execute a file
Steal information
Terminate processes
Terminate Itself
Delete files
Modify registries
Modify clipboard data
Shut down the system
Sleep
Modify Windows hosts file
Propagate via mapped drives
Propagate via network shares
Propagate via Skype
Propagate via Twitter

SOLUTION

Minimum Scan Engine: 9.750

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and delete files detected as WORM_SKYTWI.B using either the Startup Disk or Recovery Console

[ Learn More ]

To identify and delete the malware/grayware file:

• On Windows XP and Server 2003 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Click Start>Run. In the Open input box, type secpol.msc and press Enter.
In the left panel, double-click Local Policies>Security Options.
In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
Select Enabled and click OK.
Insert the Windows Installation CD into the CD drive, then restart your computer.
When prompted, press any key to boot from the CD.
On the main menu, type r to go to the Recovery Console.
Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
Type the Administrator password and press Enter.
In the input box, type the following then press Enter:
SET AllowAllPaths = TRUE
del "{malware/grayware path and file name}"
Type exit and press Enter to restart the system normally.

• On Windows Vista, 7, and Server 2008 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
When prompted, press any key to boot from the CD.
Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
If the Startup Repair window appears, click Cancel, Yes, then Finish.
In the System Recovery Options window, click Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Restart to restart the system normally.

• On Windows 8, 8.1, and Server 2012 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then restart your computer.
When prompted, press any key to boot from the DVD.
Depending on your Windows Installation DVD, you might be required to select the keyboard layout. Then on the Windows Setup window, choose your language, locale, and input method. Click Next, then click Repair your computer.
Click Troubleshoot>Advanced Options>Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Continue to restart the system normally.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- {random} = {random}.exe .
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- {random} = %User Temp%\{random}.exe .
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random} = {random}.exe .
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random} = %User Temp%\{random}.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {random} = {random}.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {random} = %User Temp%\{random}.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- {random} = {random}.exe .
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- {random} = %User Temp%\{random}.exe .
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- {random} = {random}.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- {random} = %User Temp%\{random}.exe
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- AntiVirusOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- FirewallOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- UacDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- AntiVirusDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- FirewallDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- UpdatesDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- DisableRegistryTools = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- ConsentPromptBehaviorAdmin = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- ConsentPromptBehaviorUser = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableInstallerDetection = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableSecureUIAPaths = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableVirtualization = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- PromptOnSecureDesktop = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- ValidateAdminCodeSignatures = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- FilterAdministratorToken = 0

To delete the registry value this malware created:

Open Registry Editor. To do this:
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
» For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry:
{random} = {random}.exe .
Again In the right panel, locate and delete the entry:
{random} = %User Temp%\{random}.exe .
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
{random} = {random}.exe .
Again In the right panel, locate and delete the entry:
{random} = %User Temp%\{random}.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
{random} = {random}.exe
Again In the right panel, locate and delete the entry:
{random} = %User Temp%\{random}.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry:
{random} = {random}.exe .
Again In the right panel, locate and delete the entry:
{random} = %User Temp%\{random}.exe .
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>Explorer>Run
In the right panel, locate and delete the entry:
{random} = {random}.exe
Again In the right panel, locate and delete the entry:
{random} = %User Temp%\{random}.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>System
In the right panel, locate and delete the entry:
DisableRegistryTools = 1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>Security Center
In the right panel, locate and delete the entry:
AntiVirusOverride = 1
Again In the right panel, locate and delete the entry:
FirewallOverride = 1
Again In the right panel, locate and delete the entry:
UacDisableNotify = 1
Again In the right panel, locate and delete the entry:
AntiVirusDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirewallDisableNotify = 1
Again In the right panel, locate and delete the entry:
UpdatesDisableNotify = 1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>system
In the right panel, locate and delete the entry:
EnableLUA = 0
Again In the right panel, locate and delete the entry:
DisableRegistryTools = 1
Again In the right panel, locate and delete the entry:
ConsentPromptBehaviorAdmin = 0
Again In the right panel, locate and delete the entry:
ConsentPromptBehaviorUser = 0
Again In the right panel, locate and delete the entry:
EnableInstallerDetection = 0
Again In the right panel, locate and delete the entry:
EnableSecureUIAPaths = 0
Again In the right panel, locate and delete the entry:
EnableVirtualization = 0
Again In the right panel, locate and delete the entry:
PromptOnSecureDesktop = 0
Again In the right panel, locate and delete the entry:
ValidateAdminCodeSignatures = 0
Again In the right panel, locate and delete the entry:
FilterAdministratorToken = 0
Close Registry Editor.

Step 5

Restore this modified registry value

[ Learn More ]

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- From: NoDriveTypeAutoRun = 91
  To: NoDriveTypeAutoRun = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- From: CheckedValue = 91
  To: CheckedValue = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- From: NoDriveTypeAutoRun = ff
  To: NoDriveTypeAutoRun = 1

Step 6

Search and delete AUTORUN.INF files created by WORM_SKYTWI.B that contain these strings

[ Learn More ]

Step 7

Scan your computer with your Trend Micro product to delete files detected as WORM_SKYTWI.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:
Restoring the deleted Safe Mode Registry Key

Open a text editor like Notepad.
Copy and paste the following and save it as restore.vbs.

const HKEY_CURRENT_USER = &H80000001
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = ".";

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer &"\root\default:StdRegProv")

strMainKeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

oReg.CreateKey HKEY_LOCAL_MACHINE,strMainKeyPath

Dim arrKeyPath(44)
dim arrValue(44)

arrKeyPath(0) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}"
arrKeyPath(1) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(2) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(3) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(4) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(5) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(6) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(7) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(8) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(9) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(10) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}"
arrKeyPath(11) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}"
arrKeyPath(12) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}"
arrKeyPath(13) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}"
arrKeyPath(14) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt"
arrKeyPath(15) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base"
arrKeyPath(16) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender"
arrKeyPath(17) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system"
arrKeyPath(18) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc"
arrKeyPath(19) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch"
arrKeyPath(20) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin"
arrKeyPath(21) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys"
arrKeyPath(22) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys"
arrKeyPath(23) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys"
arrKeyPath(24) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver"
arrKeyPath(25) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog"
arrKeyPath(26) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system"
arrKeyPath(27) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter"
arrKeyPath(28) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc"
arrKeyPath(29) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon"
arrKeyPath(30) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration"
arrKeyPath(31) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay"
arrKeyPath(32) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter"
arrKeyPath(33) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk"
arrKeyPath(34) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs"
arrKeyPath(35) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class"
arrKeyPath(36) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys"
arrKeyPath(37) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys"
arrKeyPath(38) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService"
arrKeyPath(39) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender"
arrKeyPath(40) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds"
arrKeyPath(41) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys"
arrKeyPath(42) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys"
arrKeyPath(43) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt"

arrValue(0) = "Universal Serial Bus controllers"
arrValue(1) = "CD-ROM Drive"
arrValue(2) = "DiskDrive"
arrValue(3) = "Standard floppy disk controller"
arrValue(4) = "Hdc"
arrValue(5) = "Keyboard"
arrValue(6) = "Mouse"
arrValue(7) = "PCMCIA Adapters"
arrValue(8) = "SCSIAdapter"
arrValue(9) = "System"
arrValue(10) = "Floppy disk drive"
arrValue(11) = "Volume shadow copy"
arrValue(12) = "Volume"
arrValue(13) = "Human Interface Devices"
arrValue(14) = "Service"
arrValue(15) = "Driver Group"
arrValue(16) = "Driver Group"
arrValue(17) = "Driver Group"
arrValue(18) = "Service"
arrValue(19) = "Service"
arrValue(20) = "Service"
arrValue(21) = "Driver"
arrValue(22) = "Driver"
arrValue(23) = "Driver"
arrValue(24) = "Service"
arrValue(25) = "Service"
arrValue(26) = "Driver Group"
arrValue(27) = "Driver Group"
arrValue(28) = "Service"
arrValue(29) = "Service"
arrValue(30) = "Driver Group"
arrValue(31) = "Service"
arrValue(32) = "Driver Group"
arrValue(33) = "Driver Group"
arrValue(34) = "Service"
arrValue(35) = "Driver Group"
arrValue(36) = "Driver"
arrValue(37) = "FSFilter System Recovery"
arrValue(38) = "Service"
arrValue(39) = "Driver Group"
arrValue(40) = "Service"
arrValue(41) = "Driver"
arrValue(42) = "Driver"
arrValue(43) = "Service"

strValueName = ""
For i = 0 to 43
  oReog.CreateKey HKEY_LOCAL_MACHINE,arrKeyPath(i)
  oReg.SetStringValue HKEY_LOCAL_MACHINE, arrKeyPath(i), StrValueName, arrValue(i)
Next

strMainKeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network"

oReg.CreateKey HKEY_LOCAL_MACHINE,strMainKeyPath

Dim arrNKeyPath(80)
dim arrNValue(80)

arrNKeyPath(0) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}"
arrNKeyPath(1) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(2) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(3) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(4) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(5) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(6) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(7) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(8) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(9) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(10) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(11) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(12) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(13) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(14) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}"
arrNKeyPath(15) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}"
arrNKeyPath(16) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}"
arrNKeyPath(17) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD"
arrNKeyPath(18) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt"
arrNKeyPath(19) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base"
arrNKeyPath(20) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender"
arrNKeyPath(21) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system"
arrNKeyPath(22) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser"
arrNKeyPath(23) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc"
arrNKeyPath(24) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch"
arrNKeyPath(25) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp"
arrNKeyPath(26) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin"
arrNKeyPath(27) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys"
arrNKeyPath(28) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys"
arrNKeyPath(29) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys"
arrNKeyPath(30) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver"
arrNKeyPath(31) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache"
arrNKeyPath(32) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog"
arrNKeyPath(33) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system"
arrNKeyPath(34) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter"
arrNKeyPath(35) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc"
arrNKeyPath(36) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys"
arrNKeyPath(37) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys"
arrNKeyPath(38) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer"
arrNKeyPath(39) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation"
arrNKeyPath(40) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts"
arrNKeyPath(41) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger"
arrNKeyPath(42) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS"
arrNKeyPath(43) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper"
arrNKeyPath(44) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio"
arrNKeyPath(45) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS"
arrNKeyPath(46) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup"
arrNKeyPath(47) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT"
arrNKeyPath(48) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup"
arrNKeyPath(49) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon"
arrNKeyPath(50) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan"
arrNKeyPath(51) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network"
arrNKeyPath(52) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider"
arrNKeyPath(53) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp"
arrNKeyPath(54) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration"
arrNKeyPath(55) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay"
arrNKeyPath(56) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter"
arrNKeyPath(57) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI"
arrNKeyPath(58) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk"
arrNKeyPath(59) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys"
arrNKeyPath(60) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys"
arrNKeyPath(61) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys"
arrNKeyPath(62) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr"
arrNKeyPath(63) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs"
arrNKeyPath(64) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class"
arrNKeyPath(65) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys"
arrNKeyPath(66) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess"
arrNKeyPath(67) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys"
arrNKeyPath(68) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService"
arrNKeyPath(69) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers"
arrNKeyPath(70) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender"
arrNKeyPath(71) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip"
arrNKeyPath(72) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI"
arrNKeyPath(73) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys"
arrNKeyPath(74) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys"
arrNKeyPath(75) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice"
arrNKeyPath(76) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys"
arrNKeyPath(77) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys"
arrNKeyPath(78) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt"
arrNKeyPath(79) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC"

arrNValue(0) = "Universal Serial Bus controllers"
arrNValue(1) = "CD-ROM Drive"
arrNValue(2) = "DiskDrive"
arrNValue(3) = "Standard floppy disk controller"
arrNValue(4) = "Hdc"
arrNValue(5) = "Keyboard"
arrNValue(6) = "Mouse"
arrNValue(7) = "Net"
arrNValue(8) = "NetClient"
arrNValue(9) = "NetService"
arrNValue(10)= "NetTrans"
arrNValue(11)= "PCMCIA Adapters"
arrNValue(12)= "SCSIAdapter"
arrNValue(13)= "System"
arrNValue(14)= "Floppy disk drive"
arrNValue(15)= "Volume"
arrNValue(16)= "Human Interface Devices"
arrNValue(17)= "Service"
arrNValue(18)= "Service"
arrNValue(19)= "Driver Group"
arrNValue(20)= "Driver Group"
arrNValue(21)= "Driver Group"
arrNValue(22)= "Service"
arrNValue(23)= "Service"
arrNValue(24)= "Service"
arrNValue(25)= "Service"
arrNValue(26)= "Service"
arrNValue(27)= "Driver"
arrNValue(28)= "Driver"
arrNValue(29)= "Driver"
arrNValue(30)= "Service"
arrNValue(31)= "Service"
arrNValue(32)= "Service"
arrNValue(33)= "Driver Group"
arrNValue(34)= "Driver Group"
arrNValue(35)= "Service"
arrNValue(36)= "Driver"
arrNValue(37)= "Driver"
arrNValue(38)= "Service"
arrNValue(39)= "Service"
arrNValue(40)= "Service"
arrNValue(41)= "Service"
arrNValue(42)= "Driver Group"
arrNValue(43)= "Driver Group"
arrNValue(44)= "Service"
arrNValue(45)= "Service"
arrNValue(46)= "Driver Group"
arrNValue(47)= "Service"
arrNValue(48)= "Driver Group"
arrNValue(49)= "Service"
arrNValue(50)= "Service"
arrNValue(51)= "Driver Group"
arrNValue(52)= "Driver Group"
arrNValue(53)= "Service"
arrNValue(54)= "Driver Group"
arrNValue(55)= "Service"
arrNValue(56)= "Driver Group"
arrNValue(57)= "Driver Group"
arrNValue(58)= "Driver Group"
arrNValue(59)= "Driver"
arrNValue(60)= "Driver"
arrNValue(61)= "Driver"
arrNValue(62)= "Service"
arrNValue(63)= "Service"
arrNValue(64)= "Driver Group"
arrNValue(65)= "Driver"
arrNValue(66)= "Service"
arrNValue(67)= "FSFilter System Recovery"
arrNValue(68)= "Service"
arrNValue(69)= "Driver Group"
arrNValue(70)= "Driver Group"
arrNValue(71)= "Service"
arrNValue(72)= "Driver Group"
arrNValue(73)= "Driver"
arrNValue(74)= "Driver"
arrNValue(75)= "Service"
arrNValue(76)= "Driver"
arrNValue(77)= "Driver"
arrNValue(78)= "Service"
arrNValue(79)= "Service"

strValueName = ""
For i = 0 to 79
  oReg.CreateKey HKEY_LOCAL_MACHINE,arrNKeyPath(i)
  oReg.SetStringValue HKEY_LOCAL_MACHINE, arrNKeyPath(i), StrValueName, arrNValue(i)
Next
Execute restore.vbs by double clicking the file.

Did this description help? Tell us how we did.

WORM_SKYTWI.B

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

WORM_SKYTWI.B

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific