Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Encyclopedia
GetVirusCard
True
0
Effects
DisaCKT.B carries out the following actions:
- It makes the following changes in the Start menu:
- It replaces the name of the Start button with NUM.
- It adds a copy of itself with the name Microsoft Office Word 2003.exe.
In the following image both modifications can be seen:
- It prevents the following items from being run:
- Windows Registry Editor.
- Task Manager, which would prevent the user from viewing the processes that are being run.
- Folder options from the Windows Explorer, which prevents the user from accessing the configuration menu of the folders.
- the option Search from the Start menu, which allows files to be searched in a fast and straight way.
- the option Run from the Start menu, which allows files to be run in a fast and straight way.
- the command shell.
- the Microsoft Management Console.
- the Group Policy Editor.
- the msconfig, which allows the system configuration to be modified.
Infection strategy
DisaCKT.B creates the following files, which are copies of itself:
- MY CV.EXE, in the root directory of the C: drive and in the Windows directory.
- MICROSOFT OFFICE WORD 2003.EXE, in the Start menu.
DisaCKT.B creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
Mswinword = %windir%\My CV.exe
where %windir% is the Windows directory.
By creating this entry, DisaCKT.B ensures that it is run whenever Windows is started. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System
DisableRegistryTools = 1
It disables the Windows Registry Editor. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System
DisableTaskMgr = 1
It disables the Task Manager. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
NoFind = 1
It does not display the option Search in the Start menu. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
NoRun = 1
It does not display the option Run in the Start menu. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
NoFolderOptions = 1
It does not display the option Folder options of the Windows Explorer. - HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ App Paths\ MSCONFIG.EXE
Path = %windir%\My CV.exe
By creating this entry, whenever the msconfig is run, the worm is run.
Additionally, DisaCKT.B creates the following entries in the Windows Registry in order to prevent the user from running certain programs:
- HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
1 = Regedit.exe
It prevents the Windows Registry Editor from being run. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
2 = MSConfig.exe
It prevents the MSConfig from being run. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
3 = taskmgr.exe
It prevents the Task Manager from being run. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
4 = MMC.exe
It prevents the Microsoft Management Console from being run. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
5 = gpedit.msc
It prevents the Group Policy Editor from being run. - HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ DisallowRun
6 = Cmd.exe
It prevents the command shell from being run.
Means of transmission
DisaCKT.B reaches the computer in a file passing itself off as a Word document in a file with the following icon:
Additionally, it spreads through the removable, shared and mapped drives, making copies of itself in them.
Further Details
DisaCKT.B is written in the programming language Visual Basic v6.0. This worm 139,264 bytes in size.