Many worms and Trojans make changes to the registry so that they start automatically whenever you boot up your computer, and to avoid easy detection by disabling Windows Task Manager, Registry Editor and so on. You can easily restore all those tools by using Remove Restriction Tool (RRT).
I just recently found out that a virus can actually make some changes to your registry so that the virus will run automatically whenever you execute a file. Imagine, the virus will be loaded each time you run an executable (EXE) or a batch (BAT) file. Just last week I was cleaning a computer that was infected by Brontok. After I finished scanning, cleaning the virus and restoring the changes made by the virus, the Symantec Antivirus Corporate Edition still popped up a notification stating that the Brontok virus was found and automatically deleted. This happened EVERY TIME I ran an executable file.
Now I have found out how it works and also how to stop the virus from running automatically whenever I run any file.
This happens when a virus changes one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.
For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this. The threat may also change a registry value so that you cannot run the Registry Editor at all.
I did a test by adding the Notepad.exe path to the \exefile\shell\open\command key. Then, when I tried running any EXE file, it launched the EXE file with Notepad! For the Brontok virus, it loads a backdoor file called "shell.exe". You won't even notice anything abnormal when you run an EXE file.
Thanks to Symantec Security Response for creating a script that is able to easily reset these registry values to their default settings.
What is inside the script:
[Version]
Signature="$Chicago$"
Provider=Symantec
[DefaultInstall]
AddReg=UnhookRegKey
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
Of all the shell\open\command keys, the exefile key is used most frequently. When your computer starts, it loads a lot of EXE files. When you start a program, it also loads an EXE file. The rest are seldom used unless you're a power user. To be on the safe side, it's better for Symantec to restore all of the shell\open\command keys to default values.
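As an added example (not part of the Symantec script or the original post), the AddReg lines above can double as a detection baseline: parse them into expected defaults and compare them against the values read from a machine. The function names and the snapshot values are assumptions constructed for illustration; the snapshot mimics the Notepad test described above plus a disabled Registry Editor.

```python
import csv

# [UnhookRegKey] section exactly as quoted in the post.
UNHOOK_SECTION = r'''
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
'''

def parse_addreg(section):
    """Map (root, subkey, value name) -> default data from INF AddReg lines.

    Fields are comma-separated; a quoted string doubles any embedded quote,
    which is the same convention the csv module decodes."""
    expected = {}
    lines = section.strip().splitlines()
    for root, subkey, name, _flags, data in csv.reader(lines, skipinitialspace=True):
        # Registry key names are case-insensitive, so normalise the subkey.
        expected[(root, subkey.lower(), name)] = data
    return expected

def audit(expected, snapshot):
    """Return [(key, observed data)] for every entry that differs from default."""
    findings = []
    for key, want in expected.items():
        have = snapshot.get(key)
        if have is None:
            # A missing policy value is harmless; a missing handler is not.
            if key[2] == "":
                findings.append((key, "<missing>"))
        elif have.strip().lower() != want.lower():
            findings.append((key, have))
    return findings

def constructed_snapshot(expected):
    """Constructed sample: exefile handler hijacked, Registry Editor disabled."""
    snap = dict(expected)
    snap[("HKLM", r"software\classes\exefile\shell\open\command", "")] = 'notepad.exe "%1" %*'
    snap[("HKCU", r"software\microsoft\windows\currentversion\policies\system",
          "DisableRegistryTools")] = "1"
    return snap

if __name__ == "__main__":
    defaults = parse_addreg(UNHOOK_SECTION)
    for (root, subkey, name), seen in audit(defaults, constructed_snapshot(defaults)):
        print(f"{root}\\{subkey} [{name or '(Default)'}] = {seen}")
```

On a live system the snapshot dictionary would be filled from the actual registry values instead of the constructed sample.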
Instructions to install the script:
1. Download the script at the end of this post by right-clicking on the link and saving it to your desktop.
2. Right-click on the file and select "Install".
Install UnHookExec.Inf
A great tool to carry around with me all the time to combat nasty viruses such as Brontok.
Download Symantec Reset Shell Open Command Script