
Antivirus - Windows without safe mode

The grandly named Sigougou worm makes many changes to Windows, which makes it much harder for antivirus software to remove it.

Sigougou places a file called sbsb.exe on the systems it infects. As soon as it starts, it modifies the registry: it creates, changes, and deletes keys and values. Among other things, this prevents Windows Task Manager from starting, turns off Windows Update, and stops the operating system from being started in safe mode, which is where one would otherwise attempt antivirus disinfection.


Sigougou spreads primarily through network drives and shares. It tries predefined passwords to connect to remote computers. Another important feature of the worm is that it regularly downloads malicious files from the Internet.

When the Sigougou worm starts, it performs the following actions:

  1. Creates the following files:
    %System%\sbsb.exe
    %SystemDrive%\sbsb.exe
  2. Creates the following entry in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "sbsb" = "%System%\sbsb.exe"
  3. Modifies the following values in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "DisableTaskMgr" = "01, 00, 00, 00"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "DisableWindowsUpdateAccess" = "01, 00, 00, 00"
    This makes Windows Task Manager inaccessible and disables Windows Update.
  4. Makes a number of changes to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  5. Deletes the following entries from the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    "(default)" = "DiskDrive"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    "(default)" = "DiskDrive"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    "(default)" = "DiskDrive"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    "(default)" = "DiskDrive"
    This prevents Windows from starting in safe mode.
  6. Copies its own files to each local and network drive. It connects to network shares by trying predefined passwords.
  7. Copies a file named AutoRun.inf to the root directory of each drive.
  8. Downloads various files over the Internet.
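The indicators in the list above can be checked (and the registry damage undone) from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the original article or from any antivirus vendor. The file names, registry paths and values come from the list above; the script's structure, the -Repair switch and the Image File Execution Options check (the article only says "a number of changes" are made there, so the script lists any Debugger redirections, the usual abuse of that key, for manual review) are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the original article): checks a Windows host for the
# Sigougou indicators listed above. File names, registry paths and values come from
# the article; everything else is an assumption of this example.
# Run with -Repair to restore the SafeBoot entries, clear the two policy values and
# remove the Run entry. The worm's process and files still have to be removed with
# your antivirus tooling; this script does not touch running processes.
param([switch]$Repair)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files (%System% is System32, %SystemDrive% is usually C:)
$files = @("$env:SystemRoot\System32\sbsb.exe", "$env:SystemDrive\sbsb.exe")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 2. Persistence: Run value named "sbsb"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'sbsb' -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run entry: sbsb = $($run.sbsb)")
    if ($Repair) { Remove-ItemProperty -Path $runKey -Name 'sbsb' }
}

# 3. Policy values that hide Task Manager and Windows Update.
#    These live in HKCU, so they are checked for the user running the script only;
#    repeat for each account that was logged on while the worm ran.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableWindowsUpdateAccess') {
    $p = Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue
    if ($p) {
        $findings.Add("Policy value set: $name")
        if ($Repair) { Remove-ItemProperty -Path $polKey -Name $name }
    }
}

# 4. Image File Execution Options: the article does not say which changes are made,
#    so list every subkey with a Debugger value for manual review (a legitimate one
#    is rare on a workstation; a redirection of taskmgr.exe or an AV binary is not).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger on $($_.PSChildName): $dbg") }
}

# 5. SafeBoot: the DiskDrive class entry must exist under Minimal and Network,
#    otherwise safe mode cannot mount the system disk. Recreate it on -Repair.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $parent = "HKLM:\SYSTEM\$cs\Control\SafeBoot\$mode"
        if (-not (Test-Path -Path $parent)) { continue }   # control set not present
        $k = "$parent\$guid"
        $default = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        if ($default -ne 'DiskDrive') {
            $findings.Add("SafeBoot entry missing: $k")
            if ($Repair) {
                New-Item -Path $k -Force | Out-Null
                Set-ItemProperty -Path $k -Name '(default)' -Value 'DiskDrive'
            }
        }
    }
}

# 6./7. Copies of the worm and AutoRun.inf at the root of every mounted drive
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    foreach ($n in 'AutoRun.inf', 'sbsb.exe') {
        $path = Join-Path $_.Root $n
        if (Test-Path -LiteralPath $path) { $findings.Add("Drive-root file: $path") }
    }
}

if ($findings.Count -eq 0) { 'No Sigougou indicators found.' } else { $findings }
```

Run it once without -Repair to see what it reports, remove the worm's process and files with your antivirus product, then run it again with -Repair; the second pass should list nothing. The SafeBoot restore writes to both ControlSet001 and CurrentControlSet because the article lists both, even though CurrentControlSet normally points at one of the numbered control sets.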
