The Phoney.A worm mimics antivirus software

The Phoney.A worm spreads primarily through network shares and attempts to deceive users through fake antivirus messages.

The Phoney.A worm copies its files to the root of every mounted drive and network share, together with an autorun file, so that it starts automatically whenever the drive is mounted. The worm also makes numerous changes to the registry. These significantly weaken the computer's protection and make tools such as Registry Editor and Task Manager inaccessible.

The Phoney.A worm displays a fake but convincing Norton AntiVirus window and registers itself so that it also loads when Windows starts in safe mode. A further nuisance is that the malware restarts the infected computer every half hour.

When the Phoney.A worm starts, it performs the following actions:

1. Create the following files:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
%Windir%\Autorun.inf
%System%\web.exe
%Windir%\winxp.exe
%CurrentFolder%\[directory name].exe

2. Create the following files in the root directory of each mounted drive:
AUTORUN.INF
microsoft.exe

3. Add the following startup entries to the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Bron" = "%Windir%\winxp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Rontok" = Explorer.exe "%Windir%\winxp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = "%System%\userinit.exe, %Windir%\winxp.exe"

4. Add the following entries to the registry; they disable system tools, hide files and extensions, and redirect the handlers for executable file types to the worm:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "4"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoClose" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Nofolderoptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network "NoNetSetup" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispCPL" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp "Disable" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug "Auto" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableSR" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer "DisableMSI" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer "LimitSystemRestoreCheckpointing" = "1"
HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = "%System%\web.exe" "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = "%System%\web.exe" "%1" %*
HKEY_CLASSES_ROOT\exefile "(Default)" = "File Folder" = "%System%\web.exe" "%1" %*
HKEY_CLASSES_ROOT\lnkfile\shell\open\command "(Default)" = "%System%\web.exe" "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)" = "%System%\web.exe" "%1" %*

5. Modify the registry so that the worm also loads when Windows starts in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot "AlternateShell" = "%System%\web.exe"

6. Restart the computer every half hour.

7. Display a fake Norton AntiVirus message box.

8. Close windows whose title bar contains specific words.
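Steps 3 to 5 are the worm's persistence and lockout footprint, and every item in them is a registry value a responder can check in an export taken from a suspect machine (for example with reg export, or from an offline hive). The script below is an added example written for this page, not code from the original author or any vendor. It parses .reg text (string, dword and hex(2) data, including continuation lines), then flags values that name the dropped files, lockout policies switched on, a program chained after userinit.exe, a replaced safe-mode AlternateShell, and exefile/comfile/batfile/piffile/lnkfile handlers that run something other than the file itself. The embedded export is constructed for the demonstration, and the clean baselines it compares against (Explorer.exe as shell, cmd.exe as AlternateShell, handler commands beginning with "%1") are assumed stock Windows XP defaults.

```python
# Offline audit of a Windows registry export (.reg) for the Phoney.A indicators
# listed above. Added example for this page, not code from the original writeup.
import re

WORM_FILES = {"winxp.exe", "web.exe", "microsoft.exe", "empty.pif"}   # dropped files named above
LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr", "disablecmd",
                    "nofolderoptions", "disablesr", "disableconfig"}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
ASSOC_RE = re.compile(r"^hkey_classes_root\\(exefile|comfile|batfile|piffile|lnkfile)\\shell\\open\\command$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data (default value)

def _decode(raw):
    """Decode the data part of a .reg value line into str, int or bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':            # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                                        # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)                       # hex: / hex(n): byte lists
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(2)))
        if m.group(1) in ("1", "2", "7"):    # SZ, EXPAND_SZ, MULTI_SZ are stored as UTF-16LE
            return data.decode("utf-16-le", "replace").rstrip("\x00")
        return data
    return raw

def parse_reg(text):
    """Parse .reg export text into {key_lower: {name_lower: value}}; '' is the default value."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if joined and joined[-1].endswith("\\"):      # long hex data continues with a trailing '\'
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    hives, key = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hives.setdefault(key, {})
        elif key is not None and (m := VALUE_RE.match(line)):
            name = re.sub(r"\\(.)", r"\1", m.group(1) or "")
            hives[key][name.lower()] = _decode(m.group(2))
    return hives

def audit(hives):
    """Return (key, value_name, reason) for every entry matching the indicators above."""
    findings = []
    for key, values in hives.items():
        for name, value in values.items():
            # Any value naming a dropped file (Run, Winlogon, SafeBoot, file handlers, ...).
            hits = set(re.findall(r"[\w-]+\.(?:exe|pif)", str(value).lower())) & WORM_FILES
            if hits:
                findings.append((key, name, "references " + ", ".join(sorted(hits))))
            # Policies locking the user out of regedit, Task Manager, cmd, folder options, System Restore.
            if "\\policies\\" in key and name in LOCKOUT_POLICIES and str(value) not in ("0", ""):
                findings.append((key, name, "lockout policy enabled"))
        # Baselines below are assumed stock Windows XP: a lone userinit.exe path, Explorer.exe as
        # shell, cmd.exe as safe-mode shell, and file-type handlers whose command begins with "%1".
        if key == WINLOGON:
            userinit = str(values.get("userinit", "")).lower()
            if userinit and not re.fullmatch(r"[^,]*\\userinit\.exe,?", userinit):
                findings.append((key, "userinit", "extra program chained after userinit.exe"))
            if str(values.get("shell", "explorer.exe")).lower() != "explorer.exe":
                findings.append((key, "shell", "shell replaced"))
        if key == SAFEBOOT and str(values.get("alternateshell", "cmd.exe")).lower() != "cmd.exe":
            findings.append((key, "alternateshell", "safe-mode shell replaced"))
        if ASSOC_RE.match(key):
            cmd = str(values.get("", "")).strip().lower()
            if cmd and not cmd.startswith(('"%1"', "%1")):
                findings.append((key, "(default)", "open command routed through another program"))
    return findings

# Constructed sample export (not from a real infection) mirroring the entries above, plus a
# legitimate Run entry and a clean exefile handler stored as hex(2) as negative controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron"="C:\\WINDOWS\\winxp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\winxp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\system32\\web.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"="1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,\
  20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\web.exe\" \"%1\" %*"
"""

if __name__ == "__main__":
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

On the sample the audit reports nine findings (the Bron entry, Userinit, AlternateShell and the batfile handler each hit twice, once for the file name and once for the structural check, plus the two policies); the ctfmon.exe entry and the clean exefile handler stay quiet. On a real export, a hit on the file-association check matters for the order of cleanup: while those handlers still point at web.exe, every launch of an .exe goes through the worm, so the handler keys are restored before any on-disk removal tool is started.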