——————-
Note: This is a personal note that was written on my blog. I’ve passed it on to Facebook just as a PRECAUTIONARY measure.
——————-
All who are reading this, please take note of the following trojan, which may be quite destructive:
Trojan.Rensom.B
Do take note of the following highlighted points:
Almost all the files on the computer will be encrypted, after which the .xnc extension is appended to them.
Multiple windows prompt the user to pay a ransom for decryption.
Win32/Bogoj.B is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX.
Spreading on removable media
The worm creates the following folders:
* %drive%\tg_root
The following file is dropped in the same folder:
* uninstall.exe
The worm creates the following file:
* %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Currently, there is no information on recovering the encrypted files. However, as has been suggested on the site, the trojan encrypts each file and deletes the original after encryption.
Via what method? I’m not sure.
However, one possible approach is to remove the trojan first and then use a file recovery tool to see whether any of the deleted originals can be undeleted.
—————-
As the trojan is also suspected to spread via email, in the form of an attachment called “skype.exe” or whatever else it might be named, do take note of the following most common virus prevention method:
- DO NOT OPEN ANY EMAIL ATTACHMENTS THAT CONTAIN EXECUTABLES, i.e. files you double-click to run
—————-
Additional note:
If you’re truly worried about it, here’s a method to fully disable Autorun on all devices. This will not stop your system from booting up or running normally, but removable media such as portable hard disks and thumb drives will NOT autorun anything when plugged in.
However, although I have tested and ascertained that it works on my system, that does not mean it will work on every other system.
I hold NO responsibility should you choose to modify it and still get infected by an autorun virus, because it is not my responsibility in the first place to ensure it works for YOUR system, although it works for mine.
Also, modifying the Registry is not for the inexperienced user. Anyone will tell you: be VERY careful.
————
A REMINDER:
WHATEVER YOU DO FROM THIS POINT ONWARDS IS AT YOUR OWN RISK, AND NEITHER I NOR THE PEOPLE WHO ARE PASSING ON THIS NOTE HOLD ANY RESPONSIBILITY FOR YOUR ACTIONS SHOULD YOU SCREW UP OR WHATEVER ELSE.
DO NOT PROCEED SHOULD YOU FIND IT TOO DANGEROUS FOR YOUR LIKING.
THANK YOU.
————
If you’re in agreement with what I’ve said, let’s proceed:
1. Click START > Run
2. Enter “regedit” without the quotation marks into the box and hit [ENTER]
3. Navigate to:
- HKEY_CURRENT_USER
- Software
- Microsoft
- Windows
- CurrentVersion
- Policies
- Explorer
and look for a key called “NoDriveTypeAutoRun”
4. It should be of type REG_BINARY
5. Right click on the key and select “MODIFY”
6. Change the first byte to “FF” without the quotation marks
7. Click “OK” and you should be safe from autorunning devices
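The same policy value can be inspected and set from PowerShell instead of regedit. The script below is an added example and is not part of the original note. It reads NoDriveTypeAutoRun from both the HKCU path used in the steps above and the equivalent HKLM path, reports whether AutoRun is already off for every drive type, and offers a Set-AutoRunDisabled function that writes 0xFF. Microsoft documents this value as a REG_DWORD; because the steps above describe it as REG_BINARY, the script also reads the first byte of an existing binary value, which carries the same drive-type flags as the low byte of the DWORD.

```powershell
# Added example (not from the original note): report and, on request, harden the
# NoDriveTypeAutoRun policy value for the current user and for the machine.
# Writing the HKLM branch needs an elevated PowerShell prompt.

$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$ValueName  = 'NoDriveTypeAutoRun'
$DisableAll = 0xFF   # every drive-type bit set: no AutoRun on any drive type

function Get-AutoRunPolicy {
    foreach ($p in $Paths) {
        $raw = $null
        if (Test-Path $p) {
            $raw = (Get-ItemProperty -Path $p -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        if ($null -eq $raw) {
            $current = $null
        } elseif ($raw -is [byte[]]) {
            $current = [int]$raw[0]           # REG_BINARY: first byte carries the flags
        } else {
            $current = [int]$raw -band 0xFF   # REG_DWORD: low byte carries the flags
        }
        [pscustomobject]@{
            Hive       = $p.Split(':')[0]
            Value      = if ($null -eq $current) { '(not set)' } else { ('0x{0:X2}' -f $current) }
            AutoRunOff = ($current -eq $DisableAll)
        }
    }
}

function Set-AutoRunDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$p\$ValueName", ('set to 0x{0:X2}' -f $DisableAll))) {
            # Written as a DWORD, the type Microsoft documents for this value
            Set-ItemProperty -Path $p -Name $ValueName -Value $DisableAll -Type DWord
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
# Set-AutoRunDisabled -WhatIf    # preview the change without writing it
# Set-AutoRunDisabled            # apply it (HKLM needs an elevated prompt)
```

Run the script once to see the current state, then call Set-AutoRunDisabled -WhatIf before applying it. The HKLM copy is worth setting as well, since the HKCU value only covers the user who is logged in when it is set. On Windows XP and Server 2003, Microsoft’s own guidance on disabling Autorun (KB 967715) notes that the value is only honoured reliably once that update is installed, so on those systems check Windows Update first.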
To confirm, take any thumb drive or portable hard disk, and create a text file in the root directory of the drive.
Enter the following into it:
[autorun]
open=test.txt
Save it with the file type “All Files” and the filename “autorun.inf”, with quotation marks if applicable, so that no .txt extension is added.
Next, create a text file “test.txt” in the same root directory and enter anything into it. Save it and then remove the drive.
Plug it in again; if the text file suddenly opens automatically, the setting is not working. How to solve it? I’m not sure, Google’s your best friend.
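Rather than relying only on plugging the drive in and watching what opens, a drive’s autorun.inf can be read and inspected directly. The function below is an added example, not code from the original note; it parses the [autorun] section and lists every entry that would launch something (open, shellexecute, and shell\<verb>\command), along with whether the referenced file actually exists on the drive. The sample text is constructed here and mirrors the test file described above with one extra entry.

```powershell
# Added example (not from the original note): list what an autorun.inf would
# try to launch, so a removable drive can be inspected before trusting it.

function Get-AutorunActions {
    param(
        [Parameter(Mandatory)] [string] $IniText,
        [string] $DriveRoot = $null   # optional: check whether each target exists
    )
    $section = ''
    foreach ($line in ($IniText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }          # blank or comment
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                      # only [autorun] matters
        if ($t -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim().ToLower()
            $val = $Matches[2].Trim()
            # Keys that start a program: open, shellexecute, shell\<verb>\command
            $launches = ($key -in @('open', 'shellexecute')) -or ($key -match '^shell\\.+\\command$')
            if (-not $launches) { continue }
            # First token (quoted or bare) is the file that would be run
            $target = if ($val -match '^"([^"]+)"') { $Matches[1] } else { ($val -split '\s+')[0] }
            $exists = if ($DriveRoot) { Test-Path (Join-Path $DriveRoot $target) } else { $null }
            [pscustomobject]@{ Key = $key; Command = $val; Target = $target; TargetExists = $exists }
        }
    }
}

# Constructed sample: the test file from the steps above plus a second launching entry
$sample = @"
[autorun]
open=test.txt
shell\explore\command=launcher.exe /s
icon=test.ico
"@
Get-AutorunActions -IniText $sample | Format-Table -AutoSize

# For a real drive (drive letter is an example):
# Get-AutorunActions -IniText (Get-Content 'E:\autorun.inf' -Raw) -DriveRoot 'E:\'
```

With the sample input the function reports two rows, open=test.txt and shell\explore\command=launcher.exe /s, and skips the icon entry, which does not launch anything. Pointing it at a real drive with -DriveRoot also tells you whether the named executable is present, which is the first thing to look at when a drive you did not prepare yourself carries an autorun.inf.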