Virus and hardware

AGROMAX
Posts: 2
Registered: 30 Oct 2006, 13:45

Virus and hardware

Post by AGROMAX » 30 Oct 2006, 13:58

Can a virus affect a mouse and leave it inactive? No mouse (neither the one on the port nor the one on the other connection) works on my PC, only keyboards, and I suspect a virus was the cause.
Thanks
Agromax

msc hotline sat
Posts: 93500
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 30 Oct 2006, 14:43

Yes, they can disable the mouse. Tell us which one you had and we will see whether it is one of those that does it, and we will restore the key it modifies to that effect.

regards

ms, 30-10-2006

AGROMAX
Posts: 2
Registered: 30 Oct 2006, 13:45

Post by AGROMAX » 30 Oct 2006, 15:05

Brontok, or something like that, is the name of the virus I removed a couple of days before the mouse stopped doing its job. I hope you can help me,

thanks
regards :)

msc hotline sat
Posts: 93500
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 30 Oct 2006, 15:18

Good memory!

It is a virus that spreads massively by e-mail and modifies a series of keys that must be restored, such as registry editing and others, among them the ones that can affect the mouse in Office and access to DOS:
W32.Rontokbro@mm (Risk Level 2: Low)
Discovered: September 23, 2005
Updated: October 3, 2005 03:48:13 PM PDT
Type: Worm
Infection Length: 102,400 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Rontokbro@mm is executed, it performs the following actions:

Copies itself as the following files:


C:\Windows\PIF\CVT.exe
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\APPDATA\winlogon.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%System%\3D Animation.scr

Note:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).


Creates the folder:

%UserProfile%\Local Settings\Application Data\Bron.tok-24


Overwrites C:\Autoexec.bat with the following text:

"pause"


Adds the value:

"Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Adds the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


Modifies the value:

"DisableRegistryTools" = "1"
"DisableCMD" = "2"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System


Modifies the value:

"NoFolderOptions" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

%UserProfile%\Templates\A.kotnorB.com


Reboots the computer when it detects a window whose title contains one of the following strings:


..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE


May also launch a ping flood attack on the following sites:


israel.gov.il
playboy.com


Gathers email addresses from files with the following extensions on all local drives from C to Y:


.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab


Avoids sending itself to email addresses that contain any of the following strings in the domain name:


PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU


May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:


smtp.
mail.
ns1.


Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:
BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

Attachment:

Kangen.exe



Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Writeup By: Paul Mangan
This afternoon we will add to ELITRIIP the restoration of the keys in question, for the cases where the antivirus has deleted the files without cleaning the keys (a half-done job, in other words).

Download the new version of ELITRIIP tonight, try it and, after rebooting, tell us the result, thanks

regards

ms, 30-10-2006
301006ET
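The Symantec writeup quoted in the post above lists the exact registry values the worm leaves behind: two Run entries for persistence and three Policies values that lock out regedit, the command prompt and Folder Options (the "half-cleaned" state the post describes, where the files are gone but the keys remain). The script below is an added example for this thread; it is not ELITRIIP, not Symantec's code and not anything the forum distributes. It audits those five values, reports which are set and what restoring them means. On Windows it reads the live registry through the standard `winreg` module (an assumption about where it runs); elsewhere it runs against a constructed snapshot, which is also how the test exercises it.

```python
"""Audit the W32.Rontokbro@mm (Brontok) registry indicators quoted above.

Added example for this thread; it is not ELITRIIP, Symantec code or the
forum's own tool. The value names, paths and data below are copied from the
Symantec writeup quoted above; the sample snapshots are constructed.
"""
import sys

HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (hive, subkey, value name, data the writeup says the worm writes, kind)
# kind "persist": the value name itself is worm-specific; any presence is a hit.
# kind "policy":  a lockdown policy the worm sets; only a non-zero value is a hit,
#                 and an admin may legitimately set it, so confirm before resetting.
INDICATORS = [
    (HKCU, RUN, "Tok-Cirrhatus", r"%UserProfile%\APPDATA\IDTemplate.exe", "persist"),
    (HKLM, RUN, "Bron-Spizaetus", r"C:\WINDOWS\PIF\CVT.exe", "persist"),
    (HKCU, POL_SYSTEM, "DisableRegistryTools", "1", "policy"),
    (HKCU, POL_SYSTEM, "DisableCMD", "2", "policy"),
    (HKCU, POL_EXPLORER, "NoFolderOptions", "1", "policy"),
]
FIX = {"persist": "delete the value", "policy": "set the value to 0 or delete it"}


def assess(snapshot):
    """snapshot maps (hive, subkey, value name) -> data; absent values are omitted.

    Returns one dict per matching indicator with the data seen and the fix the
    writeup implies. Works on a live read or on a constructed snapshot.
    """
    findings = []
    for hive, subkey, name, worm_data, kind in INDICATORS:
        data = snapshot.get((hive, subkey, name))
        if data is None:
            continue
        text = str(data).strip()
        if kind == "policy" and text in ("", "0"):
            continue  # policy value present but not restricting anything
        findings.append({
            "key": f"{hive}\\{subkey}",
            "name": name,
            "data": text,
            "matches_writeup": text.lower() == worm_data.lower(),
            "kind": kind,
            "fix": FIX[kind],
        })
    return findings


def autoexec_overwritten(content):
    """The writeup says the worm replaces C:\\Autoexec.bat with the single line 'pause'."""
    return content.strip().strip('"').lower() == "pause"


def read_live_snapshot():
    """Read the indicator values from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows
    hives = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, subkey, name, _, _ in INDICATORS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent: nothing to record
            pass
    return snapshot


# Constructed snapshots (not real captures): one as the writeup describes, one clean.
SAMPLE_INFECTED = {
    (HKCU, RUN, "Tok-Cirrhatus"): r"%UserProfile%\APPDATA\IDTemplate.exe",
    (HKLM, RUN, "Bron-Spizaetus"): r"C:\WINDOWS\PIF\CVT.exe",
    (HKCU, POL_SYSTEM, "DisableRegistryTools"): 1,
    (HKCU, POL_SYSTEM, "DisableCMD"): 2,
    (HKCU, POL_EXPLORER, "NoFolderOptions"): 1,
}
SAMPLE_CLEAN = {(HKCU, POL_SYSTEM, "DisableCMD"): 0}


def main():
    if sys.platform == "win32":
        snapshot, source = read_live_snapshot(), "live registry"
    else:
        snapshot, source = SAMPLE_INFECTED, "constructed sample (not on Windows)"
    findings = assess(snapshot)
    print(f"{len(findings)} indicator(s) found in {source}")
    for f in findings:
        note = "" if f["matches_writeup"] else " (data differs from writeup: possible variant)"
        print(f"  {f['key']}\\{f['name']} = {f['data']}{note} -> {f['fix']}")


if __name__ == "__main__":
    main()
```

The policy values are reported separately from the Run entries on purpose: `DisableRegistryTools`, `DisableCMD` and `NoFolderOptions` are ordinary Group Policy settings, so a non-zero value is only evidence of the worm when the machine has no such policy of its own, whereas the two Run value names are specific to this worm and should not exist at all.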

msc hotline sat
Posts: 93500
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 30 Oct 2006, 19:12

New versions uploaded to this website, ELITRIIP

Try them and tell us the result, thanks

regards
ms, 30-10-2006
