W32/Rungbu-A infects Microsoft Word DOC files by copying itself to the same filename but with an SCR extension, appending the DOC file to the SCR copy, and then hiding the original DOC file.
W32/Rungbu-A then sets the computer not to show hidden files (in order to hide the DOC file), to give SCR files a Word icon (so the SCR file looks like a Word file), and to hide file extensions (so the SCR file just displays the filename, not the SCR extension). When the SCR file is run, the Word document is displayed as normal.
W32/Rungbu-A is a companion virus for the Windows platform.
When W32/Rungbu-A is installed, the following files are created:
<Current folder>\<Original filename>.doc
<Current folder>\<Original filename>`.!!!
<Temp>\Flu Burung.txt
<Program Files>\Microsoft Office\Office\docicon.exe
C:\Recycled\ctfmon.exe
C:\Recycled\smss.exe
C:\Recycled\spoolsv.exe
C:\Recycled\svchost.exe
The EXE files are all detected as W32/Rungbu-A. All the other files are clean.
The following registry entries are changed to run W32/Rungbu-A on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "C:\recycled\SVCHOST.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows folder>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\recycled\SVCHOST.exe,
(the default value for this registry entry is "<Windows folder>\System32\userinit.exe,").
The following registry entries are set in order to hide file extensions:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
UncheckedValue
1
The following registry entries are set in order to not show hidden files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0
The following registry entries are set in order to change the default icon for Microsoft Word documents:
HKCR\Word.Document.8\DefaultIcon
(default)
<Program Files>\Microsoft Office\Office\docicon.exe
(the default value for this registry entry is "<Program Files>\Microsoft Office\Office\Winword.exe,1")
Registry entries are modified under HKCR\scrfile, including the following:
HKCR\scrfile
(default)
Microsoft Word Document
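The companion behaviour and the Winlogon changes described above can be checked from an exported registry snapshot and a directory listing. The following is an added example, not part of the original description or any vendor tool; the function names, the snapshot and listing formats, the sample data and the C:\Windows path are assumptions made for illustration.

```python
import ntpath

WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"

def startup_defaults(windows_dir):
    # Default values as stated in the description; <Windows folder> is
    # supplied by the caller because it differs between installations.
    userinit = ntpath.join(windows_dir, "System32", "userinit.exe,")
    return {("hkcu\\" + WINLOGON, "shell"): "explorer.exe",
            ("hklm\\" + WINLOGON, "userinit"): userinit.lower()}

def changed_startup_values(snapshot, windows_dir):
    """snapshot: {(key, value_name): data}. Returns Winlogon entries whose
    data differs from the default (registry names are case-insensitive)."""
    defaults = startup_defaults(windows_dir)
    findings = []
    for (key, name), data in snapshot.items():
        expected = defaults.get((key.lower(), name.lower()))
        if expected is not None and data.strip().lower() != expected:
            findings.append((key, name, data))
    return findings

def companion_pairs(listing):
    """listing: list of (path, is_hidden). Returns SCR files that share a
    folder and base name with a hidden DOC file, the pattern described above."""
    hidden_docs = set()
    for path, hidden in listing:
        stem, ext = ntpath.splitext(path.lower())
        if hidden and ext == ".doc":
            hidden_docs.add(stem)
    return [path for path, _ in listing
            if ntpath.splitext(path.lower())[1] == ".scr"
            and ntpath.splitext(path.lower())[0] in hidden_docs]

# Constructed sample input, not taken from a real machine.
SNAPSHOT = {
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r'Explorer.exe "C:\recycled\SVCHOST.exe"',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\Windows\System32\userinit.exe,",
}
LISTING = [
    (r"C:\Docs\report.doc", True),    # hidden original
    (r"C:\Docs\report.scr", False),   # companion with the same base name
    (r"C:\Docs\notes.doc", False),    # visible DOC, so not the pattern
    (r"C:\Docs\notes.scr", False),
    (r"C:\Docs\photo.scr", False),    # SCR with no matching DOC
]

if __name__ == "__main__":
    print(changed_startup_values(SNAPSHOT, r"C:\Windows"))
    print(companion_pairs(LISTING))
```

Values that are absent from the snapshot are not reported, so an export that omits the Winlogon keys produces no findings rather than a false alarm.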