You may already have received an application from a friend (or will receive it in the next few days). If you run that application on your system, you will no longer be able to run any application on your system afterwards. You will certainly try to log off and on, restart or shut down, but with no success: nothing runs. Another point worth mentioning is that it will not stop you from running applications that are launched through a file type association; double-clicking a .txt file, for example, will still open Notepad.
When you click any shortcut or type an .exe name in Start/Run, you see a message box with greetings. The application also adds an icon to your system tray.
Some sharp users will want to look in the Registry to cure the system, but oops! You can't run Regedit.exe either, because it is an application too.
Now I would like to discuss what that application actually does to our system. It does two things:
- It forces .exe files to be opened with its own file (possibly WinTask.exe). Whenever you try to run an .exe file, the system launches that application instead, and that application just displays a message box.
- Every time a user logs in or restarts the system, it runs its own .exe file to make sure it gets in first, simply by adding a string value named "Win32BaseServiceMOD" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The second step is straightforward, but I would like to discuss the first step in more detail.
The terms file association and file class essentially mean the same thing. A file association or file class consists of all the files that have the same filename extension. File classes are defined in the registry. Once a file class has been created, you can customize the behavior of its files: for instance, you can specify the application used to open a file when it is double-clicked, replace the standard file icon with a custom icon, or add items to the context menu. For more details, see the topic "Creating a File Association" in MSDN.
This virus-like application changes the program associated with .exe files by replacing the default value of the key HKEY_CLASSES_ROOT\exefile\shell\open\command with its own application name. Normally that value is "%1" %*, which means "run the file itself, passing along its arguments". Explorer, shortcuts and Start/Run all launch .exe files through this class, so every one of them ends up in the hijacker instead; a .txt file goes through the txtfile class, which still points at Notepad, which is why that still works.
Now the simple solution is to change that value back to "%1" %*. But how? You can't run Regedit.exe. Don't worry, there is another way: create a new .reg file that sets the default value of that key back to "%1" %*.
Then double-click this file to make the change in the Windows Registry. This works even though you cannot launch Regedit.exe directly, because a .reg file is opened through the regfile class, not the hijacked exefile class.
Now that .exe files run again, start Regedit.exe and look for the Run key mentioned in the second step. Delete the value named "Win32BaseServiceMOD".
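As an added example (not part of the original post), the script below ties the file-association explanation and the two repair steps above together in Python. It parses the text that Regedit writes when you export a key, reports whether the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command still reads "%1" %*, lists the Run values that start the hijacking program, and builds the .reg file that undoes both changes. The export text and the path C:\WINDOWS\WinTask.exe are constructed for the example; the post only says "possibly WinTask.exe".

```python
"""Added example (not from the original post): find the two Registry changes
described above in a Registry export and build the .reg file that undoes them.

Works on the text that Regedit writes with "Export Registry File" (or
`reg export`), so it runs offline on the constructed sample below.
"""
import re

EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GOOD_EXEFILE_COMMAND = '"%1" %*'          # stock value: run the clicked file with its arguments
HIJACK_VALUE_NAME = "Win32BaseServiceMOD"  # Run value name given in the post

# Constructed sample export from an infected machine (not real data).
# The path C:\WINDOWS\WinTask.exe is an assumption; the post only says "possibly WinTask.exe".
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\WinTask.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\WinTask.exe"
"SystemTray"="SysTray.Exe"
'''

# A .reg string value line: @="..." for the (Default) value or "name"="..."
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in .reg text.

    '@' stands for the key's (Default) value. Non-string values (dword:, hex:)
    and "name"=- deletion lines are skipped, which is enough for this check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def check_exefile_association(keys):
    """Return the hijacked command line, or None if .exe files launch normally
    (or the key is simply not present in this export)."""
    cmd = keys.get(EXEFILE_COMMAND_KEY, {}).get("@")
    if cmd is None or cmd.strip().lower() == GOOD_EXEFILE_COMMAND.lower():
        return None
    return cmd


def hijacker_basename(command):
    """File name (no directory, lower-case) of the program a hijacked command runs."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_entries_launching(keys, basename):
    """Names of Run values whose command mentions the given executable."""
    return [name for name, data in keys.get(RUN_KEY, {}).items()
            if basename and basename in data.lower()]


def build_repair_reg(run_values_to_delete=()):
    """Text of a .reg file that restores "%1" %* and, on Windows 2000 and
    later, deletes the given Run values ("name"=- is the deletion syntax)."""
    lines = ["REGEDIT4", "", "[" + EXEFILE_COMMAND_KEY + "]", r'@="\"%1\" %*"', ""]
    if run_values_to_delete:
        lines.append("[" + RUN_KEY + "]")
        lines.extend('"{}"=-'.format(name) for name in run_values_to_delete)
        lines.append("")
    return "\n".join(lines) + "\n"


def analyze(export_text):
    """Summarise what the post describes: the hijacked command (if any), the
    Run values that start the hijacker, and the .reg text that repairs both."""
    keys = parse_reg(export_text)
    hijacked = check_exefile_association(keys)
    run_hits = [HIJACK_VALUE_NAME] if HIJACK_VALUE_NAME in keys.get(RUN_KEY, {}) else []
    if hijacked:
        for name in find_run_entries_launching(keys, hijacker_basename(hijacked)):
            if name not in run_hits:
                run_hits.append(name)
    repair = build_repair_reg(run_hits) if (hijacked or run_hits) else None
    return {"hijacked_command": hijacked, "run_values": run_hits, "repair_reg": repair}


if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT)
    print("exefile hijacked by:", result["hijacked_command"])
    print("Run values to delete:", result["run_values"])
    print(result["repair_reg"])
```

The "name"=- deletion lines need the Regedit that ships with Windows 2000 or later; on older versions, import only the exefile part and delete the Run value by hand, as the post describes. Save the generated text with a .reg extension and double-click it; the file is opened through the regfile class, so it imports even while the exefile class is still hijacked.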
Now you are back in the same position as before you ran that virus-like application. The application's own file is still on disk, though, so delete it as well so it cannot be run again.
- 14th January, 2001: Initial post