Many worms and trojans make changes to the registry so that they can start automatically whenever you boot up your computer, and also to avoid easy detection by disabling Windows Task Manager, Registry Editor, etc. You can easily restore all those tools by using Remove Restriction Tool (RRT).
I just recently found out that a virus can actually make some changes to your registry so that the virus will run automatically whenever you execute a file. Imagine, the virus will be loaded each time you run an executable (EXE) or a batch (BAT) file. Just last week I was cleaning a computer that was infected by Brontok. After I finished scanning, cleaning the virus and restoring the changes made by the virus, Symantec Antivirus Corporate Edition still popped up a notification stating that the Brontok virus was found and automatically deleted. This happened EVERY TIME I ran an executable file.
Now I have found out how it works and also how to stop the virus from running automatically whenever I run any file.
This happens when a virus changes one or more of the shell\open\command keys. These keys tell Windows which command to run when a file of that type is opened, so if they are changed, the worm or Trojan will run each time you run certain files. For example, if the \exefile\shell\open\command key is changed, the threat will run each time you run any .exe file. This may also stop you from running the Registry Editor to try to fix it. They may also change a registry value (DisableRegistryTools) so that you cannot run the Registry Editor at all.
I've done a test by adding the Notepad.exe path to the \exefile\shell\open\command key. Then, whenever I tried running an EXE file, it launched the EXE file with Notepad! For the Brontok virus, it loads a backdoor file called "shell.exe". You won't even notice anything abnormal when you run an EXE file.
Thanks to Symantec Security Response for creating a script that is able to easily reset these registry values to their default settings.
What is inside the script:
[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
Of all the shell\open\command keys, the exefile key is the one used most frequently. When your computer starts, it loads a lot of EXE files, and when you start a program, that also loads an EXE file. The rest (bat, com, pif, reg, scr) are seldom used unless you're a power user. To be on the safe side, the Symantec script restores all of the shell\open\command keys to their default values, and also resets the DisableRegistryTools policy value so the Registry Editor can be opened again.
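As an added example that is not part of this post or of Symantec's script, the following PowerShell audits the same keys the script resets and reports any that differ from the defaults, without changing anything. It assumes an elevated prompt and checks only the HKLM hive, so per-user overrides under HKCU\Software\Classes are not covered.

```powershell
# Added example, not from the original post or from Symantec: audit the
# shell\open\command keys the .inf script above resets and report any that
# differ from the documented defaults. Read-only: a hijacked key is reported
# so you can reset it (e.g. with the .inf) and examine the inserted command.

$expected = @{
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'exefile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'regfile' = 'regedit.exe "%1"'
    'scrfile' = '"%1" %*'
}

$findings = @()
foreach ($type in $expected.Keys) {
    $path = "HKLM:\Software\Classes\$type\shell\open\command"
    if (-not (Test-Path $path)) {
        $findings += [pscustomobject]@{ Key = $path; Status = 'MISSING'; Value = $null }
        continue
    }
    # '(default)' is the unnamed value the .inf sets via its empty value-name field
    $actual = (Get-ItemProperty -Path $path).'(default)'
    if ($actual -ne $expected[$type]) {
        $findings += [pscustomobject]@{ Key = $path; Status = 'MODIFIED'; Value = $actual }
    }
}

# The policy value the script resets to 0: any non-zero value blocks regedit.
$polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -ne 0) {
    $findings += [pscustomobject]@{ Key = "$polPath\DisableRegistryTools"; Status = 'SET'; Value = $pol.DisableRegistryTools }
}

if ($findings.Count -eq 0) {
    'All shell\open\command keys match their defaults; DisableRegistryTools is not set.'
} else {
    $findings | Format-Table -AutoSize
}
```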
Instructions to install the script:
1. Download the script from the link at the end of this post by right-clicking on the link and saving it to your desktop.
2. Right-click on the file and select "Install".
A great tool to carry around with me all the time to combat nasty viruses such as Brontok.
[ Download Symantec Reset Shell Open Command Script ]