BAT_BWG.J

Discussion in 'malware problems & news' started by Technodrome, Dec 8, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    TrendMicro

    Virus type: Batch File

    Destructive: Yes

    Aliases: Bat/BWG.gen.b, I-Worm.BWG.d, Bat/ChinaBoy.Worm, VBS_BWG.J, IRC_BWG.J, REG_BWG.J


    Description:

    This destructive batch file worm spreads through email and Internet Relay Chat (IRC) using Microsoft Outlook and the chat client mIRC.

    It sends email with the following details:

    Subject: Which pub in Singapore is the best in the world?
    Message Body: Read me to find out!!!
    Attachment: reame.TXT.bat

    This batch file worm overwrites .REG, .VBS, .BAT, and .LNK files in the current directory, the parent directory, and the Windows directory. It also drops copies of its components in all directories included in the environment variable PATH.

    This malware deletes known antivirus files and displays the following text:

    ChinaBlack rulez in Singapore!!!


    Solution:

    WINDOWS 9x/ME/2000/XP

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
       HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
       chinablackblackblack = “%Windows%\china_girls.bat”
       *Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
    4. Close Registry Editor.

    Removing Autostart Entries from System Files


    A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

    1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
    2. Select the SYSTEM.INI window.
    3. Under the [boot] section, locate the line that begins with:
       Shell=Explorer.exe
    4. From the same line, delete the malware path and filename:
       %Windows%\china_china_china.bat
    5. Close System Configuration Editor and click Yes when prompted to save.

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and DELETE all files detected as BAT_BWG.J, VBS_BWG.J, REG_BWG.J and VBS_BWG.B. CLEAN all files detected as IRC_BWG.J. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Note: Refer to the removal instructions for the component REG_BWG.J to completely clean your computer.

    WINDOWS 3.51

    Scan your system with Trend Micro antivirus and DELETE all files detected as BAT_BWG.J, VBS_BWG.J, REG_BWG.J and VBS_BWG.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    source: http://www.trendmicro.com


    Technodrome
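
The two autostart locations named in the removal steps above can also be checked from exported text rather than by eye. This added example is not part of the original post or of Trend Micro's advisory: it parses a SYSTEM.INI file and a Regedit export of the Run key, and besides the two filenames from the advisory it reports anything else appended after Explorer.exe on the Shell line. The sample inputs and function names are constructed for illustration.

```python
import re

# Indicators quoted in the advisory above.
RUN_VALUE = "chinablackblackblack"
BAT_NAMES = ("china_girls.bat", "china_china_china.bat")

# Constructed sample inputs (not captured from an infected machine).
SAMPLE_INI = r"""[boot]
Shell=Explorer.exe C:\WINDOWS\china_china_china.bat
system.drv=system.drv
[386Enh]
shell=unrelated.bat
"""
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"chinablackblackblack"="C:\\WINDOWS\\china_girls.bat"
"SystemTray"="SysTray.Exe"
'''

def check_system_ini(text):
    """Return tokens on the [boot] shell= line other than Explorer.exe."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()      # track the current INI section
            continue
        if section == "boot" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                # Whitespace split: a path containing spaces yields several tokens.
                return [t for t in value.split() if t.lower() != "explorer.exe"]
    return []

def check_run_export(text):
    """Return (name, data) string values in a .reg export matching the advisory."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"', text, re.M):
        # .reg exports double every backslash; undo that before comparing.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE or data.lower().endswith(BAT_NAMES):
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    print("SYSTEM.INI extras:", check_system_ini(SAMPLE_INI))
    print("Run key hits:", check_run_export(SAMPLE_REG))
```
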
     