Trojan.Billrus.Texto

SUMMARY

This is a memory-resident Trojan horse. It has an icon that makes it look like an ordinary text file. Every 10 minutes, it checks for a disk in drive A. If it finds one, it deletes as many files as is necessary to ensure enough space on the disk to copy both itself and another necessary, larger file to the disk.

The Trojan deletes the following files, and replaces them with copies of itself: Attrib.exe, Edit.com, Format.com, Deltree.exe, Ed.cab, Mscdex.exe, Appwiz.cpl, Attrib.com, and Deltree.com.

The Trojan can also change its file name to one of 18 different names, such as Readme.exe, Texto.exe, and so on. The first time that it is run, it starts Notepad and displays the email address of the Trojan author. The Trojan adds a value to the registry so that it is run when Windows starts. The 30th time that the Trojan is activated, it deletes all files on the drive C, and displays a message box titled Uruguay that contains the text Billrus.

Protection

• Virus Definitions (Intelligent Updater) June 29, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Difficult

Damage

• Damage Level: High
• Payload Trigger: The 30th time the Trojan is run.
• Deletes Files: Deletes all files on hard disk C:
• Modifies Files: Deletes certain system files and replaces them with copies of itself.

Distribution

• Distribution Level: Low
• Target of Infection: Floppy Disk in A: drive

TECHNICAL DETAILS

The Trojan Horse is written in Visual Basic. When executed, it does the following:

1. It copies itself to any floppy disk that is in drive A, along with a copy of a VB runtime .dll file that it needs to run. The Trojan sets the attributes of the .dll file to System, Hidden, and Read-Only so that it cannot be easily deleted.
2. It copies itself as the WindowsSystemRundii32.exe file.
3. It accesses the Regedit.exe file. While the Registry Editor does not actually open, the access by the Trojan prevents you from starting the Registry Editor as long as the Trojan is running.
4. It adds the value
   
   Shell   WindowssystemRundii32.exe
   
   to the registry key
   
   HKEY_LOCAL_MACHINESoftwareMicrosoft
   WindowsCurrentVersionRun

The Trojan can rename itself to any of the following 18 file names:
Readme.exe, Gratis.exe, Leeme.exe, Trucos.exe, Texto.exe, Notas.exe, Free.exe, Aviso.exe, Demo.exe, Software.exe, Shareware.exe, Chistes.exe, Leer.exe, Datos.exe, Documento.exe, Freeware.exe, Password.exe, or Clave.exe.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as infected by Trojan.Billrus.Texto, click Delete.

NOTE: If the Trojan has already run, you may no longer be able to start Windows or the computer. You will need to reinstall Windows. In some cases, you may need to reformat the hard drive, reinstall Windows and all programs, and restore your data from a clean backup.