W32/Batzback-B

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 11 May 2009 05:15:49 (GMT)
Last Updated: 13 May 2011 06:22:06 (GMT)


W32/Batzback-B is a worm for the Windows platform.

When the application is run, the following files are created:

<System>\batibot.exe
<System>\batibot.pif
<System>\batibot.bat
<Windows>\BATibot.ex
<Windows>\batibot.exe
<Current Folder>\My Pictures\Sample Pictures.bat
<Current Folder>\My Pictures\autorun.bat
<Current Folder>\My Pictures\Yahoo.bat
<Current Folder>\My Pictures\autorun.inf
<Current Folder>\My Pictures\Yahoo.txt
<Current Folder>\My Music\Sample Music.bat
<Desktop>\Yahoo.txt
<Root>\batibot.pif
<Root>\BATibot.bat
<Root>\autorun.inf

In addition, the worm copies itself as batibot.pif to all accessible drives from C: to Z:.

The following registry entries are set, disabling system tools (Registry Editor and Task Manager):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
0x00000001

The following registry entries are also set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_ShowRun
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_ShowControlPanel
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0x00000080
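As an added example (not part of the Sophos description), the following Python check parses a `reg export` dump, flags the Policies values listed above, and decodes which drive types the NoDriveTypeAutoRun value of 0x80 leaves AutoRun enabled on. The .reg sample is constructed for illustration; the bit meanings for NoDriveTypeAutoRun are the ones Microsoft documents.

```python
# Added example, not from the Sophos description: audit a 'reg export' (.reg)
# dump for the Policies values W32/Batzback-B writes. Sample input is constructed.
import re
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
POL = r"software\microsoft\windows\currentversion\policies"
# (hive, key, value name) -> value the worm sets, taken from the description above.
# Its Explorer\Advanced values match stock defaults, so they are not flagged here.
TAMPERED = {
    ("HKCU", POL + r"\system", "disableregistrytools"): 1,
    ("HKCU", POL + r"\system", "disabletaskmgr"): 1,
    ("HKLM", POL + r"\system", "disableregistrytools"): 1,
    ("HKCU", POL + r"\explorer", "nofolderoptions"): 1,
    ("HKCU", POL + r"\explorer", "norun"): 1,
    ("HKCU", POL + r"\explorer", "nofind"): 1,
    ("HKCU", POL + r"\explorer", "norecentdocsmenu"): 1,
    ("HKCU", POL + r"\explorer", "nosetfolders"): 1,
    ("HKCU", POL + r"\explorer", "nodrivetypeautorun"): 0x80,
}
# NoDriveTypeAutoRun bits as documented by Microsoft; a clear bit leaves AutoRun
# enabled for that drive type, and 0x80 only disables it for unknown drive types.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk"}
_KEY = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {(hive, key, name): int} for every DWORD value in a .reg export."""
    values, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if k := _KEY.match(line):
            cur = (HIVES.get(k.group(1), k.group(1)), k.group(2).lower())
        elif (d := _DWORD.match(line)) and cur:
            values[(cur[0], cur[1], d.group(1).lower())] = int(d.group(2), 16)
    return values

def find_tampering(values):
    """Return [(hive\\key, name, value)] for values that match the worm's settings."""
    return [(f"{h}\\{k}", n, v) for (h, k, n), v in TAMPERED.items()
            if values.get((h, k, n)) == v]

def autorun_enabled_types(mask):
    """Drive types on which AutoRun, and so a dropped autorun.inf, still fires."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000080
"""
```

Run `find_tampering(parse_reg_export(SAMPLE_REG))` to list the matching values; on a real export, a NoDriveTypeAutoRun of 0x80 means autorun.inf on removable and fixed drives is honoured, which is what lets the copies of batibot.pif spread.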
