What is W32/VBWorm.QXE Bluebebek and how to remove it
Remove W32/VBWorm.QXE (bulubebek)Bulubebek virus has been made using visual basic with size 53kb. Bulubebek Virus very easy to removed using some manual technique. Once virus active it will created master files:
\Windows\Script.exe
\Windows\LSASS.exe
\Documents and Settings\%user%\autorun.inf
\Documents and Settings\%user%\bulubebek.ini
\bulubebek.ini
\autorun.inf
When virus is active, it will block some windows functions such as task manager, folder option, command prompt and more… This virus spreading (usually because it was designed) using flashdisk media by creating autorun.inf files.
Hidden folder and duplicate folder
Bulubebek is designed and working almost same with older brontox varian, it will hidden your real folder and make duplicate .exe files with folder icon to tricky some newbie out there.
Step to cleaning bulubebek virus
1. I recommended to unplug your computers from your network, not really necessary but I think it’s gonna be safe.
2. Disable “System Restore” when in cleaning process.
3. Kill active virus process using 3rd party tools such as process explorer, kill virus process with icon folder.
4. Repair registry has been changed by virus, save this code as any name with .inf extension and install it.
[Version]
Signature=”$Chicago$”
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1?”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1?” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0×00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
5. Find and deleted duplicate folder has been made by virus using search function. find any folders or files with rules:
Using folder icon.
Size 53 KB.
.exe extension
File type Application.
6. Shown your hidden files back, You can use your 3rd favorite tool or you can do it manually using attrib command by typing:
ATTRIB –s –h –r /s /d
NOTE: Should typing in drive root.
7. To make sure it was totally clean you can scan your computers with your best antivirus program.
Remove W32/VBWorm.QXE (bulubebek)Bulubebek virus has been made using visual basic with size 53kb. Bulubebek Virus very easy to removed using some manual technique. Once virus active it will created master files:
\Windows\Script.exe
\Windows\LSASS.exe
\Documents and Settings\%user%\autorun.inf
\Documents and Settings\%user%\bulubebek.ini
\bulubebek.ini
\autorun.inf
When virus is active, it will block some windows functions such as task manager, folder option, command prompt and more… This virus spreading (usually because it was designed) using flashdisk media by creating autorun.inf files.
Hidden folder and duplicate folder
Bulubebek is designed and working almost same with older brontox varian, it will hidden your real folder and make duplicate .exe files with folder icon to tricky some newbie out there.
Step to cleaning bulubebek virus
1. I recommended to unplug your computers from your network, not really necessary but I think it’s gonna be safe.
2. Disable “System Restore” when in cleaning process.
3. Kill active virus process using 3rd party tools such as process explorer, kill virus process with icon folder.
4. Repair registry has been changed by virus, save this code as any name with .inf extension and install it.
[Version]
Signature=”$Chicago$”
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1?” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1?”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1?” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0×00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
5. Find and deleted duplicate folder has been made by virus using search function. find any folders or files with rules:
Using folder icon.
Size 53 KB.
.exe extension
File type Application.
6. Shown your hidden files back, You can use your 3rd favorite tool or you can do it manually using attrib command by typing:
ATTRIB –s –h –r /s /d
NOTE: Should typing in drive root.
7. To make sure it was totally clean you can scan your computers with your best antivirus program.
No comments:
Post a Comment