Remove W32.SillyFDC.BBT

Posted on: June 16th, 2009


Discovered: June 10, 2009

Updated: June 11, 2009 8:41:47 AM

Type: Worm

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:
In order to remove W32.SillyFDC.BBT you need to download the 'No Adware' remover software. Based on our testing this was the best performing remover of W32.SillyFDC.BBT.

No Adware Review

Technical Details:
When executed, the worm copies itself as the following files:

  • %SystemDrive%\I Love You.exe
  • %SystemDrive%\New Text Document.exe
  • %SystemDrive%\Read Me.exe
  • %SystemDrive%\Read This Please.exe
  • %SystemDrive%\Read This.exe
  • %SystemDrive%\ReadMe.exe
  • %SystemDrive%\[REMOVED] Rules.exe
  • %Windir%\W32dllcache\ReadMe.exe

It then creates the following files:

  • %Windir%\W32dllcache\ccIsass.exe
  • %Windir%\W32dllcache\ccsrss.exe

It then creates the following registry entries so that it runs every time Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winlogin" = "%Windir%\W32dllcache\ReadMe.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winlogon_user" = "%Windir%\W32dllcache\ccIsass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winprotection" = "%Windir%\W32dllcache\ccsrss.exe"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\"Firewall config" = "%Windir%\W32dllcache\ReadMe.exe"

It then creates the following registry entries to disable certain system software:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore\"DisableConfig" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore\"DisableSR" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"DisableMSI" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"LimitSystemRestoreCheckpointing" = "1"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"

Next, the worm creates the following registry entries to alter Internet Explorer settings:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLToolBar" = "yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLinStatusBar" = "yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "Computer hacked by the [REMOVED]"

It then creates the following registry entries in order to hide its presence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"HideFileExt" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"DefaultValue" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"Text" = "Do not Display System path and commands"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"WarningIfNotDefault" = "[REMOVED] rules the world"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\"Text" = "Do not display full path in System Information"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\"Type" = "radio"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"CheckedValue" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"Text" = "Hide system hidden files(Recommended) hacked by [REMOVED]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"WarningIfNotDefault" = "[REMOVED] is in the system!"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

It then creates the following registry entries to alter Explorer settings:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\"Order" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\"PastIconsStream" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"NoFolderOptions" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\"Text" = "System path and command settings"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"CheckedValue" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"Text" = "Display System path and commands"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"WarningIfNotDefault" = "[REMOVED] Rules"

It then creates the following registry entries to alter behavior when certain files are accessed or executed:

  • HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\"(Default)" = "%SystemRoot%\System32\WScript.exe \"%1\" %*"
  • HKEY_CLASSES_ROOT\WMVFile\shell\open\command\"(Default)" = "\"%ProgramFiles%\Windows Media Player\wmplayer.exe\" \prefetch:7 \Open \"%L\""
  • HKEY_CLASSES_ROOT\batfile\shell\open\command\"(Default)" = "\"%1\" %*"
  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command\"(Default)" = "\"%1\" %*"
  • HKEY_CLASSES_ROOT\mp3file\shell\open\command\"(Default)" = "\"%ProgramFiles%\Windows Media Player\wmplayer.exe\" \prefetch:6 \Open \"%L\""
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command\"(Default)" = "\"%1\" \S"
  • HKEY_CLASSES_ROOT\wmafile\shell\open\command\"(Default)" = "\"%ProgramFiles%\Windows Media Player\wmplayer.exe\" \prefetch:5 \Open \"%L\""

The worm creates the following registry entries:

  • HKEY_CLASSES_ROOT\Folder\shell\[REMOVED]\command\"(Default)" = "%Windir%\W32dllcache\ReadMe.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsScript Host\Settings\"Enabled" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"DiasableMSI" = "1"

It then modifies the following registry entries:

  • HKEY_CLASSES_ROOT\AVIFile\shell\play\command\"(Default)" = "\"%ProgramFiles%\Windows Media Player\wmplayer.exe\" \prefetch:8 \Play \"%L\""
  • HKEY_CLASSES_ROOT\batfile\DefaultIcon\"(Default)" = "%SystemRoot%\System32\shell32.dll,-153"
  • HKEY_CLASSES_ROOT\batfile\shell\edit\command\"(Default)" = "%SystemRoot%\System32\NOTEPAD.EXE %1"
  • HKEY_CLASSES_ROOT\batfile\shell\print\command\"(Default)" = "%SystemRoot%\System32\NOTEPAD.EXE \p %1"
  • HKEY_CLASSES_ROOT\regfile\DefaultIcon\"(Default)" = "%SystemRoot%\regedit.exe,1"
  • HKEY_CLASSES_ROOT\regfile\shell\edit\command\"(Default)" = "%SystemRoot%\system32\NOTEPAD.EXE %1"
  • HKEY_CLASSES_ROOT\regfile\shell\print\command\"(Default)" = "%SystemRoot%\system32\NOTEPAD.EXE \p %1"
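The dropped files, Run/RunServices values and policy values listed above make a compact host check. As an added example that is not part of the original write-up and not a vendor tool, the following read-only PowerShell audit looks for those artefacts on the local machine. The file paths, registry keys and value names are the ones listed above; the function names, the variable names, and the rule that a Run entry is flagged only when its data points into the W32dllcache directory are my own assumptions. Run it from an elevated prompt so that HKLM and HKEY_USERS\.DEFAULT are readable.

```powershell
# Added example (not from the original write-up): read-only audit for the
# W32.SillyFDC.BBT artefacts the write-up lists. Nothing is deleted or changed.
$SystemDrive = $env:SystemDrive
$Windir      = $env:windir

# Copies the worm drops on the system drive and the files it creates under W32dllcache.
$WormFiles = @(
    "$SystemDrive\I Love You.exe",
    "$SystemDrive\New Text Document.exe",
    "$SystemDrive\Read Me.exe",
    "$SystemDrive\Read This Please.exe",
    "$SystemDrive\Read This.exe",
    "$SystemDrive\ReadMe.exe",
    "$Windir\W32dllcache\ReadMe.exe",
    "$Windir\W32dllcache\ccIsass.exe",
    "$Windir\W32dllcache\ccsrss.exe"
)

# Persistence values the worm points at its copies (Run and RunServices keys above).
$RunValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'winlogin' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'winlogon_user' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'winprotection' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Firewall config' }
)

# Policy values the worm sets to 1 to lock out Task Manager, System Restore,
# Windows Installer and Folder Options, and to hide file extensions.
$PolicyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name = 'DisableTaskMgr' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore'; Name = 'DisableSR' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore'; Name = 'DisableConfig' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'DisableMSI' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'LimitSystemRestoreCheckpointing' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'HideFileExt' }
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Find-SillyFdcArtifacts {
    $findings = @()
    foreach ($f in $WormFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Kind = 'File'; Where = $f; Value = $null }
        }
    }
    foreach ($r in $RunValues) {
        $v = Get-RegValue -Key $r.Key -Name $r.Name
        # Assumption: an entry is suspicious only if it launches something from W32dllcache.
        if ($v -and ("$v" -like '*W32dllcache*')) {
            $findings += [pscustomobject]@{ Kind = 'Persistence'; Where = "$($r.Key)\$($r.Name)"; Value = $v }
        }
    }
    foreach ($p in $PolicyValues) {
        $v = Get-RegValue -Key $p.Key -Name $p.Name
        if ("$v" -eq '1') {
            $findings += [pscustomobject]@{ Kind = 'Policy'; Where = "$($p.Key)\$($p.Name)"; Value = $v }
        }
    }
    return $findings
}

$hits = @(Find-SillyFdcArtifacts)
if ($hits.Count -eq 0) { Write-Host 'No W32.SillyFDC.BBT artefacts found.' }
else { $hits | Format-Table -AutoSize }
```

A policy hit on its own is not proof of this worm (administrators legitimately set DisableTaskMgr or NoFolderOptions by Group Policy), which is why the output reports the three kinds separately: a W32dllcache file plus a Run entry pointing at it is the combination to act on. Cleaning up means removing the Run/RunServices values, deleting the files, and then resetting the policy values so Task Manager and System Restore work again.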

It may then display the following message:

Title: Fool Confirmation

Body: You are a fool. Press OK if you are!

Next, the worm copies itself to all network drives as the following files:

  • %DriveLetter%\I Love You.exe
  • %DriveLetter%\New Text Document.exe
  • %DriveLetter%\Read Me.exe
  • %DriveLetter%\Read This Please.exe
  • %DriveLetter%\Read This.exe
  • %DriveLetter%\ReadMe.exe
  • %DriveLetter%\[REMOVED] Rules.exe

It then copies itself to all removable drives as the following files:

  • %DriveLetter%\I Love You.exe
  • %DriveLetter%\New Text Document.exe
  • %DriveLetter%\Read Me.exe
  • %DriveLetter%\Read This Please.exe
  • %DriveLetter%\Read This.exe
  • %DriveLetter%\ReadMe.exe
  • %DriveLetter%\[REMOVED] Rules.exe

It then creates the following file so that it runs when the above drives are accessed:

%DriveLetter%\autorun.inf
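Because the same set of filenames and an autorun.inf are written to the root of every network and removable drive, the spread can be checked drive by drive. As an added example that is not part of the original write-up, the following read-only PowerShell snippet enumerates removable and network drives and reports any drive root that carries an autorun.inf or one of the copies named above; it also prints the open= or shellexecute= lines of the autorun.inf so an analyst can see what it would launch. The drive-type codes are the documented Win32_LogicalDisk values; the function and variable names are my own.

```powershell
# Added example (not from the original write-up): report drive roots that carry the
# W32.SillyFDC.BBT autorun.inf or worm copies. Read-only; nothing is removed.
$DroppedNames = @(
    'I Love You.exe', 'New Text Document.exe', 'Read Me.exe',
    'Read This Please.exe', 'Read This.exe', 'ReadMe.exe'
)

function Get-SuspectDriveRoots {
    # Win32_LogicalDisk DriveType: 2 = removable disk, 4 = network drive.
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { ($_.DriveType -in @(2, 4)) -and $_.DeviceID } |
        ForEach-Object { $_.DeviceID + '\' }
}

function Test-DriveForSillyFdc {
    param([string]$Root)
    $result = [ordered]@{ Drive = $Root; AutorunInf = $false; AutorunTarget = $null; WormCopies = @() }
    $inf = Join-Path -Path $Root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $result.AutorunInf = $true
        # Show what the autorun.inf would launch, without executing anything.
        $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        $result.AutorunTarget = ($lines -join '; ')
    }
    foreach ($n in $DroppedNames) {
        $p = Join-Path -Path $Root -ChildPath $n
        if (Test-Path -LiteralPath $p) { $result.WormCopies += $p }
    }
    [pscustomobject]$result
}

Get-SuspectDriveRoots |
    ForEach-Object { Test-DriveForSillyFdc -Root $_ } |
    Where-Object { $_.AutorunInf -or $_.WormCopies.Count -gt 0 } |
    Format-List
```

Insert the suspect media with AutoRun disabled (or on a machine whose Windows build no longer honours autorun.inf on non-optical media) before running this, so that checking a drive cannot itself trigger the worm. A clean result on the system drive means little while an infected USB stick or mapped share still holds the autorun.inf and copies, so both checks belong in the same clean-up.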

Action Steps:
FREE SCAN: NoAdware can remove W32.SillyFDC.BBT. Click the link below for your free download and scan your PC now.

Please click here for manual removal instructions.