Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
ShotOne.A carries out the following actions:
- When it is run, it carries out the following process:
  - It displays several screens belonging to a fake antivirus program.
  - It runs Pinball.
  - It opens several websites in Internet Explorer and Firefox.
  - It opens several MS-DOS windows.
  - It displays a message warning that the computer is going to be restarted, with a countdown.
  - It restarts the computer.
- In order to better understand the process ShotOne.A follows, an explanatory video is at your disposal.
- It is programmed to restart the computer every three hours.
- It disables the following functions:
  - the Start button.
  - the Run and Search options of the Start menu.
  - the Quick Launch toolbar.
  - the context menus.
- It disables the following functions of Windows Explorer:
  - Find.
  - Folder Options.
- It hides the icons of the Notification area and the Windows clock.
- It prevents users from modifying the toolbars of the Desktop.
- It prevents users from moving the toolbar.
- It prevents the File menu from being accessed in Windows Explorer and Internet Explorer.
- It prevents the properties of My Computer and My Documents from being viewed.
- It modifies the Start menu and changes it to the Classic Start menu.
- It prevents the system configuration from being saved when the computer is turned off.
- It prevents Windows updates from being carried out.
- It prevents the following programs from being run:
  - Windows Registry Editor.
  - Task Manager.
  - Control Panel.
Infection strategy
ShotOne.A creates the following files:
- AUTORUN.INF, in the root directory of the C: drive, in the subfolder ONE-SHOT of the Program Files directory and in the subfolder WINDOW (created by ShotOne.A) of the root directory of the C: drive. This file runs the file EXPLORER.EXE from the subfolder WINDOW of the root directory of the C: drive.
- EXPLORER.EXE, in the subfolder ONE-SHOT of the Program Files directory and in the subfolder WINDOW of the root directory of the C: drive. This file drops the file SVCCHOST.EXE.
- SVCCHOST.EXE, in the subfolder ONE-SHOT of the Program Files directory, in the subfolder WINDOW of the root directory of the C: drive and in the Windows directory. This file drops the file MSG.EXE and restarts the computer.
- MSG.EXE, in the subfolder ONE-SHOT of the Program Files directory, in the subfolder WINDOW of the root directory of the C: drive and in the Windows directory. This file runs PINBALL.EXE.
- AT?.JOB, in the subfolder TASKS of the Windows directory, where ? is a random number. By creating this file, the file SVCCHOST.EXE of the Windows directory is run every day, every three hours.
- LITTLEREDRIDINGHOOD.TXT and MAILTMPL.TXT, in the subfolder ONE-SHOT of the Program Files directory and in the subfolder WINDOW of the root directory of the C: drive. These are text files whose content could be used to send email messages.
- BASE64.DLL and TEMPFILE.BAT, in the Temporary files directory.
ShotOne.A creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  msg = %windir%\msg.exe
  where %windir% is the Windows directory. By creating this entry, the file MSG.EXE is run whenever Windows is started.
- HKEY_CLASSES_ROOT\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}
  By creating this entry, it disables the Start button.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  HideClock
  This way, ShotOne.A hides the Windows clock.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoTrayItemsDisplay
  This way, it hides all the icons of the Notification area.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoCloseDragDropBands
  By creating this entry, it prevents users from modifying the toolbars of the Desktop.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoControlPanel
  This way, it disables the Control Panel.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoDevMgrUpdate
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoWindowsUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoWindowsUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  AUOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  NoAutoUpdate
  By creating these five entries, it prevents Windows updates from being carried out.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFileMenu
  This way, it prevents the File menu from being accessed in Windows Explorer and Internet Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFind
  It disables the Search function of Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions
  It disables the Folder Options function of Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoMovingBands
  This way, it prevents the toolbar from being moved.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoPropertiesMycomputer
  By creating this entry, it prevents the properties of My Computer from being viewed.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoPropertiesMyDocuments
  By creating this entry, it prevents the properties of My Documents from being viewed.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoRun
  It disables the Run function of Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoSaveSettings
  By creating this entry, it prevents the system configuration from being saved when the computer is turned off.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoShellSearchButton
  This way, it removes the Search button of Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoSimpleStartMenu
  This way, it disables the Start menu and changes it to the Classic Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoToolBarsOnTaskBar
  It disables the Quick Launch option in the toolbar.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoTrayContextMenu
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  NoViewContextMenu
  By creating these two entries, it disables the context menus.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools
  It disables the Windows Registry Editor.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  DisableTaskMgr
  By creating these two entries, it disables the Task Manager.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoControlPanel
  It disables the Control Panel.
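The file, scheduled-task and registry artifacts listed in the two sections above can be checked on a host with the following PowerShell script. It is an added example, not Panda's code; it takes the file names and registry values from this entry and assumes that "Program files", "Windows directory" and "Temporary files directory" map to $env:ProgramFiles, $env:windir and $env:TEMP.

```powershell
# Added example (not Panda's code): audit a host for the ShotOne.A artifacts
# described on this page. Read-only unless -Remediate is given, in which case
# only the registry values are removed; files and task jobs are reported only.
param([switch]$Remediate)
$hits = @()

# Files: the three drop locations the page names, plus the fixed-path items.
# The mapping of symbolic folders to environment variables is an assumption.
$dropDirs = @('C:\WINDOW', "$env:ProgramFiles\ONE-SHOT", $env:windir)
$names = 'AUTORUN.INF','EXPLORER.EXE','SVCCHOST.EXE','MSG.EXE',
         'LITTLEREDRIDINGHOOD.TXT','MAILTMPL.TXT'
$paths = @('C:\AUTORUN.INF', "$env:TEMP\BASE64.DLL", "$env:TEMP\TEMPFILE.BAT")
foreach ($d in $dropDirs) { foreach ($n in $names) { $paths += Join-Path $d $n } }
# %windir%\EXPLORER.EXE is the legitimate shell; never flag it.
$paths = $paths | Where-Object { $_ -ne (Join-Path $env:windir 'EXPLORER.EXE') }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $hits += [pscustomobject]@{Type='File'; Item=$p} }
}

# Scheduled task files AT?.JOB that re-run SVCCHOST.EXE every three hours.
$jobs = Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue
foreach ($j in $jobs) { $hits += [pscustomobject]@{Type='Task'; Item=$j.FullName} }

# Registry: the Run entry plus the policy values the page attributes to ShotOne.A.
# The HKCR CLSID key is omitted: its mere presence is normal and not an indicator.
# The WindowsUpdate\AU values are also set by legitimate Group Policy; treat as context.
$cuExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cuSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lmExp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$lmSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$au    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$regChecks = @(
  @{Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Values=@('msg')}
  @{Key=$cuExp; Values=@('HideClock','NoTrayItemsDisplay','NoCloseDragDropBands','NoControlPanel',
     'NoDevMgrUpdate','NoWindowsUpdate','NoFileMenu','NoFind','NoFolderOptions','NoMovingBands',
     'NoPropertiesMycomputer','NoPropertiesMyDocuments','NoRun','NoSaveSettings',
     'NoShellSearchButton','NoSimpleStartMenu','NoToolBarsOnTaskBar','NoTrayContextMenu')}
  @{Key=$cuSys; Values=@('DisableRegistryTools','DisableTaskMgr')}
  @{Key=$lmExp; Values=@('NoWindowsUpdate','NoControlPanel')}
  @{Key=$lmSys; Values=@('NoViewContextMenu','DisableTaskMgr')}
  @{Key=$au;    Values=@('AUOptions','NoAutoUpdate')}
)
foreach ($c in $regChecks) {
  if (-not (Test-Path $c.Key)) { continue }
  $props = Get-ItemProperty -Path $c.Key
  foreach ($v in $c.Values) {
    if ($null -ne $props.$v) {
      $hits += [pscustomobject]@{Type='Registry'; Item="$($c.Key)\$v = $($props.$v)"}
      if ($Remediate) { Remove-ItemProperty -Path $c.Key -Name $v -ErrorAction SilentlyContinue }
    }
  }
}
$hits | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the Tasks folder are readable; a clean host prints an empty table.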
Means of transmission
ShotOne.A does not spread automatically using its own means. It needs the intervention of an attacking user in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels and peer-to-peer (P2P) file sharing networks.
Further Details
ShotOne.A is written in the programming language Visual C++. This Trojan is 387,650 bytes in size.