Taken from here:
http://www.pandasoftware.com/com/virus_inf...da=particulares
Watch the video:
http://www.pandasoftware.com/img/enc/ShotO...da=particulares
----------------------------------------------------------------------
Common name: ShotOne.A
Technical name: Trj/ShotOne.A
Threat level: Medium
Alias: W32/Trojan.YCW, W32/KillAV-DN
Type: Trojan
Effects:
It restarts the affected computer when it is run and is programmed to restart it every three hours as well. It disables several functions from the Windows Explorer, and prevents certain programs from being run, such as the Windows Registry Editor and the Task Manager, among other actions. It does not spread automatically by its own means.
Affected platforms: Windows 2003/XP/2000/NT/ME/98/95
First detected on: March 5, 2007
Detection updated on: March 6, 2007
In circulation? No
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
ShotOne.A is a Trojan that restarts the affected computer when it is run and is programmed to restart it every three hours as well.
On the one hand, it disables several functions from the Windows Explorer, the Start button and the context menus, among others. It prevents Windows updates from being carried out and the system configuration from being saved.
On the other, it prevents certain programs from being run, such as the Windows Registry Editor and the Task Manager, among others.
ShotOne.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Visible Symptoms
ShotOne.A is easy to recognize once it has affected the computer, since when it is run it carries out the following process:
- It displays several screens belonging to a fake antivirus program.
- It runs Pinball.
- It opens several Internet Explorer and Firefox websites.
- It opens several MS-DOS windows.
- It displays a message warning that the computer is going to be restarted with a countdown.
- It restarts the computer.
To better understand the process ShotOne.A follows, an explanatory video is available.
Last updated: March 6, 2007
-------------------------------------------------------
Effects
ShotOne.A carries out the following actions:
When it is run, it carries out the following process:
- It displays several screens belonging to a fake antivirus program.
- It runs Pinball.
- It opens several Internet Explorer and Firefox websites.
- It opens several MS-DOS windows.
- It displays a message warning that the computer is going to be restarted with a countdown.
- It restarts the computer.
To better understand the process ShotOne.A follows, an explanatory video is available.
It is programmed to restart the computer every three hours.
It disables the following functions:
- the Start button.
- the Run and Search options of the Start menu.
- the Quick Launch option of the toolbar.
- the context menus.
It disables the following functions from the Windows Explorer:
- Find.
- Folder Options.
It hides the icons of the Notification area and the Windows clock.
It prevents users from modifying the toolbar of the Desktop.
It prevents users from moving the toolbar.
It prevents the File menu from being accessed in the Windows Explorer and Internet Explorer.
It prevents the properties of My Computer and My documents from being viewed.
It modifies the Start menu and changes it to the Classic Start menu.
It prevents the system configuration from being saved when the computer is turned off.
It prevents Windows updates from being carried out.
It prevents the following programs from being run:
- Windows Registry Editor.
- Task Manager.
- Control panel.
Infection strategy
ShotOne.A creates the following files:
AUTORUN.INF, in the root directory of the C: drive, in the subfolder ONE-SHOT of the Program files directory and in the subfolder WINDOW, created by ShotOne.A, in the root directory of the C: drive.
This file runs the file EXPLORER.EXE from the subfolder WINDOW of the root directory of the C: drive.
EXPLORER.EXE, in the subfolder ONE-SHOT of the Program files directory and in the subfolder WINDOW of the root directory of the C: drive.
This file drops the file SVCCHOST.EXE.
SVCCHOST.EXE, in the subfolder ONE-SHOT of the Program files directory, in the subfolder WINDOW of the root directory of the C: drive and in the Windows directory.
This file drops the file MSG.EXE and restarts the computer.
MSG.EXE, in the subfolder ONE-SHOT of the Program files directory, in the subfolder WINDOW of the root directory of the C: drive and in the Windows directory.
This file runs PINBALL.EXE.
AT?.JOB, in the subfolder TASKS of the Windows directory.
where ? is a random number.
By creating this file, the file SVCCHOST.EXE in the Windows directory is run every day, every three hours.
LITTLEREDRIDINGHOOD.TXT and MAILTMPL.TXT, in the subfolder ONE-SHOT of the Program files directory and in the subfolder WINDOW of the root directory of the C: drive.
These are text files whose content could be used in order to send email messages.
BASE64.DLL and TEMPFILE.BAT, in the Temporary files directory.
ShotOne.A creates the following entries in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msg = %windir%\msg.exe
where %windir% is the Windows directory.
By creating this entry, the file MSG.EXE is run whenever Windows is started.
HKEY_CLASSES_ROOT\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}
By creating this entry, it disables the Start button.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
This way, ShotOne.A hides the Windows clock.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayItemsDisplay
This way, it hides all the icons of the Notification area.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoCloseDragDropBands
By creating this entry, it prevents users from modifying the toolbars of the Desktop.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
This way, it disables the Control panel.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDevMgrUpdate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoWindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoWindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
By creating these five entries, it prevents Windows updates from being carried out.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFileMenu
This way, it prevents the File menu from being accessed in the Windows Explorer and Internet Explorer.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
It disables the Search function of the Windows Explorer.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
It disables the Folder Options function of the Windows Explorer.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoMovingBands
This way, it prevents the toolbar from being moved.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPropertiesMycomputer
By creating this entry, it prevents the properties of My Computer from being viewed.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPropertiesMyDocuments
By creating this entry, it prevents the properties of My Documents from being viewed.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
It disables the Run function of the Windows Explorer.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
By creating this entry, it prevents the system configuration from being saved when the computer is turned off.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
This way, it removes the Search button of the Windows Explorer.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
This way, it disables the Start menu and changes it to the Classic Start menu.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoToolBarsOnTaskBar
It disables the Quick Launch option in the toolbar.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
NoViewContextMenu
By creating these two entries, it disables the context menus.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
It disables the Windows Registry Editor.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
By creating these two entries, it disables the Task Manager.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
It disables the Control panel.
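As an added, read-only audit example (not code from Panda's page), the following PowerShell checks a Windows host for the policy values, the Run entry, the dropped files and the AT*.job task listed in this description. It assumes PowerShell 3 or later run from an elevated prompt; the key paths, value names and file locations are the ones named above.

```powershell
# Added audit script (not Panda's): reports the registry values, Run entry,
# dropped files and AT*.job task this description attributes to ShotOne.A.
# Read-only; assumes PowerShell 3+ and an elevated prompt so HKLM is readable.
$findings = @()

# Policy values listed above, grouped by the key that holds them.
$policyChecks = @{
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
    'HideClock','NoTrayItemsDisplay','NoCloseDragDropBands','NoControlPanel',
    'NoDevMgrUpdate','NoWindowsUpdate','NoFileMenu','NoFind','NoFolderOptions',
    'NoMovingBands','NoPropertiesMycomputer','NoPropertiesMyDocuments','NoRun',
    'NoSaveSettings','NoShellSearchButton','NoSimpleStartMenu',
    'NoToolBarsOnTaskBar','NoTrayContextMenu')
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
    'DisableRegistryTools','DisableTaskMgr')
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
    'NoWindowsUpdate','NoControlPanel')
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @(
    'NoViewContextMenu','DisableTaskMgr')
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' = @(
    'AUOptions','NoAutoUpdate')
}
foreach ($key in $policyChecks.Keys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $policyChecks[$key]) {
    $val = $props.PSObject.Properties[$name]
    if ($val) { $findings += "policy value present: $key\$name = $($val.Value)" }
  }
}

# Persistence: Run entry named "msg" pointing at MSG.EXE in the Windows directory.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['msg']) { $findings += "Run entry: msg = $($run.msg)" }

# Dropped files and folders in the locations the description names.
$paths = @('C:\AUTORUN.INF', 'C:\WINDOW', "$env:ProgramFiles\ONE-SHOT",
           "$env:windir\SVCCHOST.EXE", "$env:windir\MSG.EXE")
foreach ($p in $paths) { if (Test-Path $p) { $findings += "path exists: $p" } }

# AT*.job files in the Windows Tasks folder (the three-hourly restart task).
$jobs = Get-ChildItem -Path "$env:windir\Tasks" -Filter 'AT*.job' -ErrorAction SilentlyContinue
foreach ($job in $jobs) { $findings += "AT job: $($job.FullName)" }

if ($findings.Count -eq 0) { 'No ShotOne.A indicators found.' } else { $findings }
```

A reported policy value is a finding to review rather than proof of infection: several of these values, AUOptions in particular, are legitimately set by Group Policy on managed machines.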
Means of transmission
ShotOne.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
ShotOne.A is written in the programming language Visual C++. This Trojan is 387,650 bytes in size.
Last updated: March 6, 2007
---------------------------------------------------
Is my computer infected by ShotOne.A?
In order to make absolutely sure that ShotOne.A has not affected your computer, you have the following options:
Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Software client, update it by clicking here.
Check the computer with Panda ActiveScan, Panda Software's free, online scanner, which will quickly detect any possible viruses.
How to remove ShotOne.A?
If Panda Antivirus or Panda ActiveScan detects ShotOne.A during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
Additional notes:
After deleting this malware by following the specified steps, if your computer runs Windows Millennium, click here to find out how to eliminate it from the _Restore folder.
After deleting this malware by following the specified steps, if your computer runs Windows XP, click here to find out how to eliminate it from the _Restore folder.
How can I protect my computer from ShotOne.A?
In order to keep your computer protected, bear the following tips in mind:
Panda Software's TruPrevent™ Technologies detected and successfully blocked ShotOne.A, without prior knowledge of the malicious code.
Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer against viruses and other threats, click here.
Last updated: March 6, 2007