Wednesday, October 6, 2010

D [KHATRA] VIRUS

KHATRA.exe is a worm. It creates a lot of files, links and folders on the infected system,
as listed below:
--------------------------------------------
It creates copies of itself under different names at the paths below (assuming Windows
is installed in C:\):

C:\KHATRA.exe
C:\Windows\K.Backup
C:\Windows\KHATARNAKH.exe
C:\Windows\Xplorer.exe
C:\Windows\inf\Autoplay.inF
C:\Windows\system\gHost.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\System32\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\winxp.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
--------------------------------------------

It adds the following keys to the registry:

HKEY_CURRENT_USER\Software\Nico Mak Computing
HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA

It makes the following registry entries so that it starts automatically whenever the system boots:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%System%\KHATRA.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
G_Host = "%Windows%\system\gHost.exe /Reproduce"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xplorer = "%Windows%\Xplorer.exe /Windows"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%System%\KHATRA.exe"

--------------------------------------------
It also changes many other registry values, for example:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Internet Exploiter"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\KHATRA.exe = "%System%\KHATRA.exe:*:Enabled:System"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = "dword:000000ff"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
------------------------------------------------

It scans the folders on removable drives, then drops copies of itself named after the
folders it finds, as {folder name}.exe.

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The said .INF file contains the following strings:

[Autorun]
Open=KHATRA.exe /OpenDrive
ShellExecute=KHATRA.exe /OpenDrive
Shell\Open\Command=KHATRA.exe /OpenDrive
Shell\Open\Default=1
Shell\Explore\Command=KHATRA.exe /ExploreDrive
Shell\Scan for viruses=KHATRA.exe
Shell=Open

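A small triage helper for an AUTORUN.INF like the one quoted above, added here as an example and not part of the original post: it parses the [Autorun] section, lists which programs the file would launch and which extra context-menu verbs it adds (the worm's "Scan for viruses" entry is a lure), and flags the file for review. The sample input is constructed from the strings shown above.

```python
import re
from typing import Dict

# Constructed sample: the AUTORUN.INF strings quoted in the post above.
SAMPLE_INF = r"""[Autorun]
Open=KHATRA.exe /OpenDrive
ShellExecute=KHATRA.exe /OpenDrive
Shell\Open\Command=KHATRA.exe /OpenDrive
Shell\Open\Default=1
Shell\Explore\Command=KHATRA.exe /ExploreDrive
Shell\Scan for viruses=KHATRA.exe
Shell=Open
"""

# Keys whose value is a program to run when the drive is opened or a verb is chosen.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
STANDARD_VERBS = {"open", "explore"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Autorun] section; keys keep their original case."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def assess(text: str) -> dict:
    """Summarise what the file would launch and which context-menu verbs it adds."""
    entries = parse_autorun(text)
    programs = sorted({v.split()[0].lower() for k, v in entries.items()
                       if LAUNCH_KEY.match(k) and v})
    verbs = {k.split("\\")[1] for k in entries if k.lower().startswith("shell\\")}
    custom_verbs = sorted(v for v in verbs if v.lower() not in STANDARD_VERBS)
    return {
        "programs": programs,                  # executables the file would start
        "custom_verbs": custom_verbs,          # lures such as "Scan for viruses"
        "default_verb": entries.get("Shell"),  # verb run on double-click
        # A removable-drive autorun.inf that launches any program, or adds
        # context-menu verbs, deserves a look before the drive is trusted.
        "suspicious": bool(programs or custom_verbs),
    }
```

Running `assess(SAMPLE_INF)` reports `khatra.exe` as the only launched program, "Scan for viruses" as a custom verb and Open as the default verb.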
----------------------------------------
Cleaning the infected system by hand is a little difficult, but you can proceed as follows:

_ Disable System Restore on your computer.

_ Boot from a third-party tool and delete the files listed above.

_ Delete the entries made by the worm in the registry.

_ Change the modified registry values back to their default values.