
Badday worm rages on clipboard

The Badday.A worm spreads primarily via removable and network drives and performs a number of annoying actions on infected computers.

The Badday.A worm creates a number of files on the infected computer and creates or modifies at least as many entries in the registry. Among other things, these changes make Windows Task Manager and the Registry Editor inaccessible.

In some cases the worm closes windows and constantly overwrites the contents of the clipboard, which is no small annoyance to the user of the infected PC.

When the Badday.A worm starts, it performs the following actions:

1. Creates the following files:
%Windir%\Media\StartUp\scvhost.exe
%System%\hostdll.exe
%System%\taskfile.exe
%Windir%\spool32.exe
%SystemDrive%\HaveaBadDay.sys

2. Copies the following files to drives it spreads to (%drive letter% is the letter of that drive):
%drive letter%\New_Folder.exe
%drive letter%\autorun.inf
%drive letter%\cool data.exe
%drive letter%\New Folder (4) .exe
%drive letter%\dataku.exe
%drive letter%\data kuliah.exe
%drive letter%\New Folder (5) .exe
%drive letter%\system.exe
%drive letter%\funny doc.exe

3. Makes copies of itself under the following names:
%current directory%\jangan dihapus .exe
%current directory%\my sweety .exe
%current directory%\foto cewek .exe
%current directory%\kekasishku .exe
%current directory%\data penting .exe
%current directory%\downlodan .exe
%current directory%\update antivir .exe
%current directory%\kumulan program .exe
%current directory%\movie bkp .exe
%current directory%\itip .exe
%current directory%\folder option .exe

4. Adds the following entries to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile "NeverShowExt" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WindowsProfile.EXE "(default)" = "%Windir%\Media\StartUp\scvhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WindowsProfile" = "WindowsProfile Rundll32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Printer Cpl" = "%Windir%\spool32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer "DisableMSI" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Window Title" = ">> Have A Bad Day <<"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders "Startup" = "%Windir%\Media\StartUp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Word" = "%System%\hostdll.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"

5. Modifies the following values in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile "(default)" = "File Folder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile "TileInfo" = "prop:DocComments"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile "InfoTip" = "prop:DocComments"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command "(default)" = cmd.exe /c del "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization" = "your system is mine"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner" = "your system is mine"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "Explorer.exe, C:\WINDOWS\system32\taskfile.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ClassicViewState" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun" = "5B"

6. Searches for files with the following extensions:
.doc
.mpg
.3gp
.wmv
.rar
.jpg
.txt

It makes a copy of each of these, appending an .exe extension to the file name.
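Because step 5 also turns on HideFileExt, a copy named "report.doc.exe" shows up in Explorer as "report.doc" with an executable's behaviour, so a directory listing is the place to look for these companions. The following scanner is an added example, not code from the original write-up; the extension set and fixed file names come from the lists above, while the function names and the decision to report double-extension files even when the original document has since been removed are my own.

```python
"""Flag 'document.ext.exe' companion files (step 6) and the fixed drop names
from steps 1 to 3 in a directory listing. Added example; not from the page."""
import os
from typing import Iterable, List, Tuple

# Extensions the write-up says the worm copies with ".exe" appended.
TARGET_EXTENSIONS = {".doc", ".mpg", ".3gp", ".wmv", ".rar", ".jpg", ".txt"}

# Fixed names listed for drive roots and the current directory (lower-cased).
KNOWN_DROP_NAMES = {
    "new_folder.exe", "autorun.inf", "cool data.exe", "new folder (4) .exe",
    "dataku.exe", "data kuliah.exe", "new folder (5) .exe", "system.exe",
    "funny doc.exe", "jangan dihapus .exe", "my sweety .exe", "foto cewek .exe",
    "kekasishku .exe", "data penting .exe", "downlodan .exe",
    "update antivir .exe", "kumulan program .exe", "movie bkp .exe",
    "itip .exe", "folder option .exe", "haveabadday.sys", "scvhost.exe",
    "hostdll.exe", "taskfile.exe", "spool32.exe",
}


def find_companion_executables(names: Iterable[str]) -> List[Tuple[str, bool]]:
    """Return (file name, original still present) for every name of the form
    <base>.<target ext>.exe. The original may already be gone, so the
    double extension alone is enough to report the file."""
    originals = {n.lower(): n for n in names}
    hits: List[Tuple[str, bool]] = []
    for lower, name in sorted(originals.items()):
        if not lower.endswith(".exe"):
            continue
        inner = lower[:-4]                    # strip the trailing ".exe"
        if os.path.splitext(inner)[1] in TARGET_EXTENSIONS:
            hits.append((name, inner in originals))
    return hits


def find_known_drops(names: Iterable[str]) -> List[str]:
    """Return names that exactly match one of the worm's fixed file names."""
    return sorted(n for n in names if n.lower() in KNOWN_DROP_NAMES)


def scan_directory(path: str) -> Tuple[List[Tuple[str, bool]], List[str]]:
    """Apply both checks to the files directly inside `path`."""
    names = [n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))]
    return find_companion_executables(names), find_known_drops(names)


if __name__ == "__main__":
    import sys
    companions, drops = scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, original_present in companions:
        print(f"companion executable: {name} (original present: {original_present})")
    for name in drops:
        print(f"known drop name: {name}")
```

Run it against the root of a removable drive or a user's document folders; an autorun.inf next to several of the listed names at a drive root is the pattern step 2 describes.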

7. Closes windows that have one of the following words in the title bar:
kill
hijack
reg
process

8. Keeps copying the text "Have a Bad Day" onto the clipboard.
