Trojan.VB.DJ

LOW
MEDIUM
81920 bytes
(Virus.Win32.VB.al, TR/VB.DJ, W32/BRONTOK.BN!worm)

Symptoms

Presence of the virus EXE, with the size of 81920 bytes in one or more of the following places:
  • %WINDIR%\system32\ISASS.exe
  • %SYSTEMDRIVE%\WINDOWS\explosex.exe
  • %SYSTEMDRIVE%\WINDOWS\system32.exe
  • %WINDIR%\system32\LNETINFO.exe
  • %HOMEDRIVE%%HOMEPATH%\My Documents\My Pictures\My Pictures.exe

Also, when run, the virus disables (among other things) the Task Manager, the Run option from the Start menu and the use of the registry editor (regedit). If the user presses Ctrl+Shift+ESC to open the Task Manager, the virus usually restarts the computer. Frequent system restarts under various conditions are also characteristic of the virus.

The virus runs under a process named ISASS, but as the Task Manager is disabled, you can only see it using another tool (like Process Explorer).

Removal instructions:

Please let BitDefender delete the infected files. You should also use the free removal tool for Trojan.VB.DJ from www.bitdefender.com to scan your system, as this tool also restores the altered registry keys.

Please note, however, that if you use the removal tool on a system where a system administrator had set up a security policy restriction that the virus also uses (like denying the use of Task Manager), the removal tool will reset that policy to its default value (and so it might give users more privileges than they had before).

If you would like to restore the specific registry keys manually, you can use a different registry editor (like Registry Workshop), as the default registry editor (REGEDIT) is blocked by the virus. The keys to modify are:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions -> set to 0
  • HKCU\Software\Policies\Microsoft\CurrentVersion\Policies\Explorer\NoFind -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr -> set to 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HotKeyCmds -> delete
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> set "Explorer.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kiamat Sudah Dekat -> delete
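The following PowerShell script is an added example, not BitDefender's removal tool: it audits the file locations from the Symptoms section and the registry values listed above, and with the -Restore switch resets only the values that actually exist on the machine. It assumes an elevated session (the HKLM values need it) and the exact paths and value names given on this page; review the audit output first on hosts where an administrator may have set these policies deliberately.

```powershell
# Added example: audit (and optionally restore) the Trojan.VB.DJ indicators
# listed in this advisory. Run from an elevated PowerShell session.
param([switch]$Restore)

# File locations named in the Symptoms section; the advisory gives 81920 bytes.
$Files = @(
    "$env:WINDIR\system32\ISASS.exe",
    "$env:SYSTEMDRIVE\WINDOWS\explosex.exe",
    "$env:SYSTEMDRIVE\WINDOWS\system32.exe",
    "$env:WINDIR\system32\LNETINFO.exe",
    "$env:HOMEDRIVE$env:HOMEPATH\My Documents\My Pictures\My Pictures.exe"
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f -Force).Length   # -Force: file may be hidden
        $flag = if ($len -eq 81920) { ' <-- size matches advisory' } else { '' }
        Write-Output "FILE  $f ($len bytes)$flag"
    }
}

# (key, value name, desired state): 0 = set DWORD 0, $null = delete, string = set
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Entries = @(
    @($Adv, 'HideFileExt', 0), @($Adv, 'Hidden', 0),
    @($Exp, 'NoRun', 0), @($Exp, 'NoFolderOptions', 0),
    @('HKCU:\Software\Policies\Microsoft\CurrentVersion\Policies\Explorer', 'NoFind', 0),
    @($Sys, 'DisableRegistryTools', 0), @($Sys, 'DisableCMD', 0), @($Sys, 'DisableTaskMgr', 0),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HotKeyCmds', $null),
    @('HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', 'Explorer.exe'),
    @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'Kiamat Sudah Dekat', $null)
)
foreach ($e in $Entries) {
    $key, $name, $want = $e
    $cur = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $cur) { continue }                 # key or value absent: nothing to do
    $val = $cur.$name
    Write-Output "REG   $key\$name = '$val'"
    if (-not $Restore -or "$val" -eq "$want") { continue }   # audit only, or already clean
    if ($null -eq $want) { Remove-ItemProperty -Path $key -Name $name }
    else { Set-ItemProperty -Path $key -Name $name -Value $want }
    Write-Output "      restored to '$want'"
}
```

Run it once without -Restore to see what is set, then with -Restore after the infected files have been removed, since the running process would otherwise re-apply the policies.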

Analyzed By

Sándor LUKÁCS, BitDefender virus researcher

Technical Description:

When run, the virus creates copies of itself and places them in several locations, such as:
  • %WINDIR%\system32\ISASS.exe (for ex. C:\WINNT\system32\ISASS.exe)
  • %SYSTEMDRIVE%\WINDOWS\explosex.exe (for ex. C:\WINDOWS\explosex.exe)
  • %SYSTEMDRIVE%\WINDOWS\PCHEALTH\HELPCTR\hkcmd.bat
  • %SYSTEMDRIVE%\WINDOWS\security\kernel32.bat
  • %SYSTEMDRIVE%\WINDOWS\system32.exe
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Temp.pif (for ex. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Temp.pif)
  • %WINDIR%\system32\LNETINFO.exe
  • %HOMEDRIVE%%HOMEPATH%\My Documents\My Pictures\My Pictures.exe (for ex. C:\Documents and Settings\softwin\My Documents\My Pictures\My Pictures.exe)
  • %HOMEDRIVE%%HOMEPATH%\My Documents\Data VIRTUAL2000.exe
The virus modifies a set of system registry keys to limit the user's ability to detect its presence. It usually performs the following steps:
  • removes the Run and Search options from the Start menu
  • denies the use of the command shell (CMD.EXE)
  • denies the use of Task Manager
  • denies the use of the default registry editor (REGEDIT)
  • disables the Folder Options under the Explorer | Tools menu
  • sets up several registry keys to enable automatic execution of the virus on system startup
The virus also displays, from time to time, a window with the following message:

"--Hentikan kebobrokan di negeri ini--

1.Penjarakan Koruptor,Penyelundup, Tukang Suap, & Bandar NARKOBA
(Send to: NUSAKAMBANGAN)

... [removed] ...

Babat.A
Terinspirasi oleh:
KIAMAT YANG SUDAH DEKAT

Fatek Unsrat, April'06
By_mr.4'5

ANDA SETUJU?"

If the user responds with YES, the message window closes. If the user answers with NO, then the system is restarted.

The virus copies itself into many directories on the local drives, using different names. Also, when a USB disk is plugged in, the virus quickly copies itself onto it, usually under several names.