Worm - Eksplorasi.exe infection

December 2016


Issue

You are unable to open any folder from Run or by clicking on a folder's shortcut. Earlier, as soon as a folder was opening, you were getting a message box: "Cannot find eksplorasi.exe".
So you made the following changes:
  • 1) In REGEDIT, go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion > Winlogon
  • 2) In the right panel, locate the following entry:
    • On Windows ME, 2000, XP, and Server 2003:
      Shell = "Explorer.exe "%Windows%\Eksplorasi.exe""
    • On Windows NT:
      Shell = "Explorer.exe "\eksplorasi.exe""
  • 3) Right-click this registry entry and choose Modify. Change the value to:
      Shell = "Explorer.exe"

Solution

Eksplorasi.exe is a component of Worm.Brontok and Worm.Rontokbro.It, which are typically transmitted via a Photo.zip email attachment. The standard email contains the following text in addition to the attachment: "Hi, I want to share my photo with you. Wishing you all the best. Regards," Once the zip file is opened, Windows Explorer generates a "My Pictures" folder. The worm disables antivirus software as well as system registry tools and access to the command prompt. It additionally allows hackers to access the infected computer remotely, and steals passwords, confidential banking information and other personal data. Typically residing in Windows personal folders, it was discovered on July 2, 2007.

EKSPLORASI.EXE has been seen to perform the following behavior:
  • The Process is packed and/or encrypted using a software packing process
  • Executes a Process
  • This process creates other processes on disk
  • Makes outbound connections to other computers using NETBIOSOUT protocols
  • This Process Deletes Other Processes From Disk
  • Registers a Dynamic Link Library File
  • Reads your outlook address book
  • Can communicate with other computer systems using HTTP protocols
  • Adds a Link in the Start Menu
  • Disables Access to the Windows Registry Editor
  • Modifies Windows Security Policies to restrict/expand User Privileges on the machine
  • Modifies the Logon Screen Saver Settings
  • This Process tampers with Vulnerable System Files and Settings
  • Downloads hidden code from covert web sites
  • Creates new folders in the file system
  • Sets processes to start during user logon
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Uses DNS to retrieve the IP address for web sites
  • Creates, modifies or schedules batch jobs
  • Terminates Processes
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
  • Executes Processes stored in Temporary Folders
  • Changes to the file command map within the registry
  • Modifies Windows Initialization And System Settings Used On Start up
  • Can communicate with other computers using TCP protocols
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Creates a new Background Service on the machine
  • Injects code into other processes
  • This Process is a file infector which modifies program files to include a copy of the infection
  • Creates new folders on the system
  • Copies files

How to remove?

The Windows Registry contains extensive information about how your computer runs. Because removal of the virus requires extensive changes to the Windows Registry via the Registry Editor, it is important to back up the Registry prior to beginning the virus removal process.

Step 1

For infected Windows Vista computers:
  • Click "Start." Type "systempropertiesprotection" in the "Start Search" box.
  • Press "Enter." Type the password if prompted and click "Allow."
  • Once the most recent restore points display, go to the "System Properties" dialog box on the "System Protection" tab and click "Create."
  • Type the name for this backup and click "Create."
  • Once the backup has been created, click "OK" twice to exit.


For infected Windows XP computers:
  • Click "Start," "Run," type "Windows\system32\restore\rstrui.exe" and click "OK."
  • Select a restore point on the Welcome page and click "Next."
  • Enter the name for the backup on the Create a Restore Point page and click "Create." Once the backup has been created, click "Close."

For infected Windows 2000 computers:
  • Use the Backup utility to create an Emergency Repair Disk.


For infected Windows 95 computers:
  • Restart the computer in safe mode and log in as an administrator.
  • Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows 95 logo.
  • Select the first option, to run "Windows in Safe Mode" from the selection menu.
  • Click "Start," "Run," type "cmd" in the text box and press "Enter."


At the command prompt type the following lines, pressing ENTER after each line:
  • cd windows
  • attrib -r -h -s system.dat
  • attrib -r -h -s user.dat
  • copy system.dat *.bu
  • copy user.dat *.bu


For infected Windows 98 and Windows Me computers:
  • Click "Start," "Run," type "scanregw," and click "OK."
  • Click "Yes" when prompted to back up the registry.
  • Click "OK" when notified that the Backup is complete.


For infected Windows NT computers:
  • Click "Start," "Run," type "Ntbackup.exe" and click "OK" to use the NT Backup tool to back up the registry.


Step 2

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented.
To turn off System Restore within Windows Me:
  • Click "Start," "Settings," "Control Panel."
  • Double-click on the "System" icon and select "File System" from the "Performance" tab.
  • Left-click on the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK."

To turn off System Restore within Windows XP:
  • Log in as an administrator and click "Start." Right-click on "My Computer," and select "Properties" from the shortcut menu.
  • Check the "Turn off System Restore" option for each drive on the "System Restore" tab.
  • Left-click "Apply" and "Yes" to confirm when prompted.
  • Click "OK."

Step 3

  • Restart the computer in safe mode and login as an administrator.
  • Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows logo.
  • Select the first option, to run "Windows in Safe Mode" from the selection menu.

Step 4

Remove any program files from the computer.
  • Go to "Start," "Control Panel," "Add/Remove Programs."
  • Remove any programs referencing "eksplorasi.exe," "Worm.Brontok" or "Worm.Rontokbro.Y."
  • If none is listed, continue to Step 5.

Step 5

Use the Windows Search tool to determine if "Eksplorasi.exe" exists on the hard drive.
  • Go to "Start," "Search," "All Files and Folders."
  • Type "eksplorasi.exe" in the "All or Part of the File Name" section.
  • Select "All Local Hard Drives" from the "Look in:" drop down list for the best results.
  • Click "Search."
  • Repeat this process for "bronstab.exe."

Step 6

Use the Windows Task Manager to end any eksplorasi.exe processes that are running.
  • Press "Ctrl+Alt+Del" to open Task Manager.
  • Click "eksplorasi.exe" within the "Processes" tab and click "End Process."
  • Locate and remove any reference to "bronstab.exe" as well.

Step 7

  • Click on "Start", "Run", type "msconfig" and press "Enter."
  • Remove checkmarks next to any "eksplorasi.exe" or "bronstab.exe" entries on the "Startup" tab.
  • Save changes and exit to the desktop.

Step 8

  • Click on "Start," "Run," type "regedit" and press "Enter."
  • Press "Ctrl+F," type "eksplorasi.exe" in the search field and delete all related entries.
  • Repeat the search for "bronstab.exe" and remove all related entries.
  • Then delete the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-cirrhatus
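The following PowerShell script is an added example, not part of the original CCM article, that automates the registry part of this cleanup: it exports the Winlogon key first (the backup the article asks for in Step 1), checks the Winlogon Shell value described in the Issue section and resets it to "Explorer.exe" if anything has been appended, removes the Tok-cirrhatus Run entry named in Step 8, and reports any other Run entry whose command mentions eksplorasi.exe or bronstab.exe. The key paths, value names and file names are the ones the article gives; the backup file location is an assumption. Run it from an elevated session in the profile of the infected user, because the Run entry lives under HKEY_CURRENT_USER.

```powershell
# Added example (not from the original CCM article): back up, audit and repair the
# two registry locations this page names.
# Assumptions: run as Administrator in the infected user's profile; key and value
# names are those given on the page; $backup path is an arbitrary choice.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$badRun   = 'Tok-cirrhatus'   # Run value the page says the worm adds
$backup   = Join-Path $env:TEMP 'winlogon-backup.reg'

# Step 1 of the page: back up the key before modifying it (reg.exe export).
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup /y | Out-Null
Write-Host "Winlogon key exported to $backup"

# The Shell value should be exactly "Explorer.exe"; anything appended to it
# (the page shows %Windows%\Eksplorasi.exe) is the tampering from the Issue section.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    Write-Host 'Shell value absent: Windows falls back to explorer.exe'
} elseif ($shell.Trim() -eq 'Explorer.exe') {
    Write-Host "Shell value is clean: $shell"
} else {
    Write-Warning "Shell value tampered with: $shell"
    Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe'
    Write-Host 'Shell value reset to Explorer.exe'
}

# Step 8 of the page: remove the worm's Run entry if it is present.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains $badRun)) {
    Write-Warning "Run entry '$badRun' = $($runProps.$badRun)"
    Remove-ItemProperty -Path $runKey -Name $badRun
    Write-Host "Removed Run entry '$badRun'"
} else {
    Write-Host "No '$badRun' Run entry found"
}

# Any other Run value whose command names the worm's files is reported, not deleted,
# so the operator can review it; this mirrors the page's Ctrl+F search in regedit.
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if (($p.Value -is [string]) -and ($p.Value -match 'eksplorasi\.exe|bronstab\.exe')) {
            Write-Warning "Review Run entry '$($p.Name)': $($p.Value)"
        }
    }
}
```

The Shell comparison is deliberately exact: the worm keeps "Explorer.exe" as the first token so the desktop still loads, and only the appended path gives it away, which is why a substring check for "Explorer.exe" would miss the infection.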

Step 9

Use the Windows Search tool to locate and remove all temp files associated with the worm.
  • Go to "Start," "Search," "All Files and Folders." Type "*.tmp" in the "All or Part of the File Name" section.
  • Select "All Local Hard Drives" from the "Look in:" drop down list for the best results.
  • Click "Search." Right click on each occurrence of the file and select "Delete" from the shortcut menu.
  • Repeat the removal process for the following possible additional components:

eksplorasi.exe
bronstab.exe
Tok-Cirrhatus
Tok-Cirrhatus-1761
Tok-Cirrhatus-1860
Delete the following only when they are located in the Application Data folder, because they share the names of legitimate files located in the Windows System directory.
\Documents and Settings\{User Name}\Local Settings\Application Data\winlogon.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\smss.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\services.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\lsass.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\inetinfo.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\csrss.exe
\Documents and Settings\{User Name}\Templates\WowTumpeh.com f7jl
\Documents and Settings\{User Name}\Start Menu\Programs\Startup\empty.pif
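As an added example (not from the original article), this PowerShell script walks every profile under \Documents and Settings, looks for the dropped files Step 9 lists at their profile-relative paths, and deletes each hit with a confirmation prompt; it first stops the eksplorasi and bronstab processes named in Step 6. It never looks in the Windows System directory, and it never stops processes named winlogon, smss, services, lsass, inetinfo or csrss, because those names belong to legitimate Windows components. The profile root is an assumption based on the article's paths; the Templates entry is omitted because the article does not reproduce its file name clearly.

```powershell
# Added example (not from the original CCM article): locate and remove the worm's
# per-profile dropped files listed in Step 9.
# Assumptions: Windows 2000/XP profile layout under C:\Documents and Settings (the
# layout the page's paths use); run as Administrator from Safe Mode.
$profilesRoot  = 'C:\Documents and Settings'   # assumed profile root
$relativePaths = @(
    'Local Settings\Application Data\winlogon.exe',
    'Local Settings\Application Data\smss.exe',
    'Local Settings\Application Data\services.exe',
    'Local Settings\Application Data\lsass.exe',
    'Local Settings\Application Data\inetinfo.exe',
    'Local Settings\Application Data\csrss.exe',
    'Start Menu\Programs\Startup\empty.pif'
)

# Step 6 of the page: end only the processes the page names. The Application Data
# copies run under system-process names, so stopping those by name would also kill
# the real winlogon/smss/etc. and is deliberately not done here.
Get-Process -Name eksplorasi, bronstab -ErrorAction SilentlyContinue | Stop-Process -Force

# Collect candidate files. PSIsContainer is used instead of -Directory so the script
# also runs on the PowerShell 2.0 that shipped for Windows XP.
$found = @()
$profiles = Get-ChildItem -Path $profilesRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($profile in $profiles) {
    foreach ($rel in $relativePaths) {
        $candidate = Join-Path $profile.FullName $rel
        # -Force so hidden/system-attributed copies are still seen.
        if (Test-Path -LiteralPath $candidate) {
            $found += Get-Item -LiteralPath $candidate -Force
        }
    }
}

# Only the profile copies are suspect; the same names under %WINDIR%\system32 are
# legitimate and the loop above never visits that directory.
if ($found.Count -eq 0) {
    Write-Host 'No worm components found in any profile'
} else {
    foreach ($f in $found) {
        Write-Warning ("Suspect file: {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
        # -Force clears hidden/read-only attributes; -Confirm asks before each deletion.
        Remove-Item -LiteralPath $f.FullName -Force -Confirm
    }
}
```

Record the size and timestamp output before confirming each deletion; a copy of "winlogon.exe" sitting in a user's Local Settings\Application Data with a recent modification time is the indicator this step is built around, and the printed line is the evidence worth keeping if the machine is later reviewed.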

Note

Thanks to xpcman for this tip on the forum.

This document entitled « Worm - Eksplorasi.exe infection » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.