W32/Rungbu-C

Category: Viruses and Spyware
Protection available since: 06 Nov 2006 00:00:00 (GMT)
Type: Win32 executable file virus
Last Updated: 29 Nov 2007 08:07:02 (GMT)
Prevalence: No Reports


W32/Rungbu-C is a companion virus for the Windows platform.

W32/Rungbu-C infects Microsoft Word DOC files by copying itself to the same filename but with an SCR extension, appending the DOC file to the SCR copy, and then hiding the original DOC file.

W32/Rungbu-C then changes Explorer settings so that hidden files are not shown (concealing the original DOC file), SCR files are given the Word document icon (so the SCR copy looks like a Word file), and file extensions are hidden (so the SCR file displays only the base filename, not its SCR extension). When the SCR file is run, the embedded Word document is displayed as normal.
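The companion pattern described above (a PE-format SCR carrying an appended compound document, sitting next to a DOC of the same name that has been hidden) can be triaged on a folder with the following Python script. This is an added example, not code from the Sophos write-up; the demo files it builds are constructed stand-ins (PE and OLE magic bytes only), and the hidden-attribute check only yields a result on Windows.

```python
import stat
import tempfile
from pathlib import Path

# Compound-document header that legacy .doc files start with, and the PE "MZ" magic.
OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'
PE_MAGIC = b'MZ'


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows 'hidden' attribute.
    On non-Windows platforms st_file_attributes is absent and this returns False."""
    attrs = getattr(path.stat(), 'st_file_attributes', 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_companion_pairs(directory) -> list:
    """Return one record for every <name>.scr that sits beside <name>.doc.

    A record whose .scr starts with 'MZ', carries a compound document after the
    executable (appended_doc_offset > 0) and whose .doc is hidden matches the
    companion pattern in the write-up. Any single field alone is only a hint.
    """
    directory = Path(directory)
    docs = {p.stem.lower(): p for p in directory.iterdir() if p.suffix.lower() == '.doc'}
    records = []
    for scr in sorted(directory.iterdir()):
        if scr.suffix.lower() != '.scr':
            continue
        doc = docs.get(scr.stem.lower())
        if doc is None:
            continue                      # a .scr on its own is not a companion
        data = scr.read_bytes()
        records.append({
            'scr': scr.name,
            'doc': doc.name,
            'scr_is_pe': data.startswith(PE_MAGIC),
            # -1 when the .scr contains no compound document at all
            'appended_doc_offset': data.find(OLE_MAGIC, len(PE_MAGIC)),
            'doc_hidden': is_hidden(doc),
        })
    return records


def build_sample_dir() -> Path:
    """Constructed demo data, not real malware: a fake companion pair plus
    a lone .scr and an unrelated .doc that must not be reported."""
    d = Path(tempfile.mkdtemp(prefix='rungbu_demo_'))
    fake_doc = OLE_MAGIC + b'\x00' * 56          # stand-in for a Word document
    fake_stub = PE_MAGIC + b'\x00' * 62          # 64 bytes carrying only the PE magic
    (d / 'report.doc').write_bytes(fake_doc)
    (d / 'report.scr').write_bytes(fake_stub + fake_doc)   # executable with doc appended
    (d / 'notes.doc').write_bytes(fake_doc)
    (d / 'bubbles.scr').write_bytes(fake_stub)
    return d


if __name__ == '__main__':
    for rec in find_companion_pairs(build_sample_dir()):
        print(rec)
```

Run it against a real share by calling find_companion_pairs with the folder path; because the virus also turns off the display of hidden files, listing the folder with Explorer alone will not show the original DOC, whereas this script reads the directory directly.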

When W32/Rungbu-C is installed the following files are created:

<Current folder>\<Original filename>.doc
<Current folder>\<Original filename>`.!!!
<Temp>\Flu Burung.txt
<Program Files>\Microsoft Office\Office\docicon.exe
C:\Recycled\ctfmon.exe
C:\Recycled\smss.exe
C:\Recycled\spoolsv.exe
C:\Recycled\svchost.exe

The EXE files are all detected as W32/Rungbu-C. All the other files are not malicious and can be deleted.

The following registry entries are changed to run W32/Rungbu-C on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "C:\recycled\SVCHOST.exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\recycled\SVCHOST.exe,

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The following registry entries are set in order to hide file extensions:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
UncheckedValue
1

The following registry entries are set in order to not show hidden files:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0

The following registry entries are set in order to change the default icon for Microsoft Word documents:

HKCR\Word.Document.8\DefaultIcon
(default)
<Program Files>\Microsoft Office\Office\docicon.exe

(the default value for this registry entry is "<Program Files>\Microsoft Office\Office\Winword.exe,1")

Registry entries are modified under HKCR\scrfile, including the following:

HKCR\scrfile
(default)
Microsoft Word Document

(the default value for this registry entry is "Screen Saver")

HKCR\scrfile\shell\open
(default)
""

(the default value for this registry entry is "T&est")

W32/Rungbu-C deletes the following registry entries:

HKCR\scrfile\shell\config
(default)
"C&onfigure"

HKCR\scrfile\shell\config\command
(default)
"\"%1\""

HKCR\scrfile\shell\install
(default)
"&Install"

HKCR\scrfile\shell\install\command
(default)
"rundll32.exe desk.cpl,InstallScreenSaver %l"
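The persistence and concealment changes listed in the sections above (Winlogon Shell and Userinit, HideFileExt, ShowSuperHidden, the Word.Document.8 icon, the renamed scrfile type and the deleted scrfile verbs) can be checked offline against the defaults the write-up quotes. The following Python script is an added example, not part of the Sophos analysis: it parses a reg export in "Windows Registry Editor Version 5.00" format and reports deviations. Both exports embedded in it are constructed samples, and the severity levels are this example's own grading, chosen because HideFileExt=1 and ShowSuperHidden=0 are also common Windows defaults and so only corroborate the other findings.

```python
import re

HIVES = {'HKEY_CURRENT_USER': 'HKCU', 'HKEY_LOCAL_MACHINE': 'HKLM',
         'HKEY_CLASSES_ROOT': 'HKCR', 'HKEY_USERS': 'HKU'}

# Constructed sample reproducing the values listed in the write-up; demo input,
# not an export taken from an infected system.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\recycled\\SVCHOST.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\recycled\\SVCHOST.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon]
@="C:\\Program Files\\Microsoft Office\\Office\\docicon.exe"

[HKEY_CLASSES_ROOT\scrfile]
@="Microsoft Word Document"

[HKEY_CLASSES_ROOT\scrfile\shell\open]
@=""
'''

# Constructed sample of the same keys with the defaults the write-up quotes.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"

[HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon]
@="C:\\Program Files\\Microsoft Office\\Office\\Winword.exe,1"

[HKEY_CLASSES_ROOT\scrfile]
@="Screen Saver"

[HKEY_CLASSES_ROOT\scrfile\shell\config]
@="C&onfigure"

[HKEY_CLASSES_ROOT\scrfile\shell\install]
@="&Install"
'''


def _unescape(s: str) -> str:
    """Undo the backslash escapes .reg files use for backslash and double quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str):
    """Parse a .reg export into (set of keys, {(key, value_name): data}).
    Keys are lower-cased with hives abbreviated (hkcu, hklm, hkcr); the default
    value has name ''. String and dword data are decoded, other types kept raw."""
    keys, values, key = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            hive, _, rest = line[1:-1].partition('\\')
            key = (HIVES.get(hive.upper(), hive) + '\\' + rest).lower().rstrip('\\')
            keys.add(key)
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if key is None or not m:
            continue                         # header, comment or blank line
        name = '' if m.group(1) == '@' else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            data = int(data[6:], 16)
        values[(key, name)] = data
    return keys, values


WINLOGON = r'software\microsoft\windows nt\currentversion\winlogon'
ADVANCED = r'hkcu\software\microsoft\windows\currentversion\explorer\advanced'


def assess(keys, values) -> list:
    """Compare a parsed export with the defaults quoted in the write-up and
    return (severity, location, detail) tuples; an empty list means clean."""
    def get(key, name=''):
        return values.get((key.lower(), name.lower()))
    found = []
    shell = get('hkcu\\' + WINLOGON, 'Shell')
    if shell is not None and shell.strip().lower() != 'explorer.exe':
        found.append(('high', 'HKCU Winlogon\\Shell', f'extra program started with the shell: {shell!r}'))
    userinit = get('hklm\\' + WINLOGON, 'Userinit')
    if userinit is not None and not re.fullmatch(r'[a-z]:\\.*\\system32\\userinit\.exe,?', userinit, re.I):
        found.append(('high', 'HKLM Winlogon\\Userinit', f'Userinit replaced: {userinit!r}'))
    if get(ADVANCED, 'HideFileExt') == 1:
        found.append(('low', 'Explorer\\Advanced\\HideFileExt', 'extensions hidden (weak: also a common default)'))
    if get(ADVANCED, 'ShowSuperHidden') == 0:
        found.append(('low', 'Explorer\\Advanced\\ShowSuperHidden', 'hidden files not shown (weak: also a common default)'))
    icon = get(r'hkcr\word.document.8\defaulticon')
    if icon is not None and not icon.lower().endswith('winword.exe,1'):
        found.append(('high', 'Word.Document.8\\DefaultIcon', f'Word icon now served by {icon!r}'))
    scr = get(r'hkcr\scrfile')
    if scr is not None and scr.lower() != 'screen saver':
        found.append(('high', 'scrfile (default)', f'.scr type renamed to {scr!r}'))
    # Only meaningful when the export covers the whole HKCR\scrfile subtree.
    if r'hkcr\scrfile' in keys:
        for verb in ('config', 'install'):
            if 'hkcr\\scrfile\\shell\\' + verb not in keys:
                found.append(('medium', 'scrfile\\shell\\' + verb, 'verb key missing (deleted by the virus)'))
    return found


if __name__ == '__main__':
    for finding in assess(*parse_reg_export(INFECTED_EXPORT)):
        print(finding)
```

To use it on a real machine, export the keys with `reg export` (for example the two Winlogon keys, Explorer\Advanced, Word.Document.8 and the whole scrfile subtree) and pass the file contents to parse_reg_export; the Userinit check accepts any `<drive>:\...\System32\userinit.exe,` so it does not depend on where Windows is installed.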