- Discovered: October 18, 2004
- Updated: February 13, 2007 12:28:47 PM
- Also Known As: W32.HLLW.Darby, Worm.P2P.Darby.o [Kaspersky], WORM_DARBY.O [Trend Micro], W32/Darby.gen [McAfee]
- Type: Worm
- Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Darby.B is a worm that uses file-sharing networks, email, network file sharing, and Internet Relay Chat (IRC) to spread. The worm may also attempt to disable antivirus and firewall software.
Note: Virus Definitions dated prior to October 18, 2004 may detect this threat as W32.HLLW.Darby.
Manually reversing the changes that were made to the registry
Because the worm modified the registry so that you cannot (or should not) run any .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
A. Do one of the following, depending on the version of Windows you are running:
   - Windows 95/98 users:
     - Click Start.
     - Point to Programs.
     - Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed with step B of this section.
   - Windows Me users:
     - Click Start.
     - Point to Programs.
     - Point to Accessories.
     - Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed with step B of this section.
   - Windows NT/2000 users:
     - Click Start > Run.
     - Type command, and then press Enter. (A DOS window opens.)
     - Type cd \winnt, and then press Enter.
     - Proceed with step B of this section.
   - Windows XP users:
     - Click Start > Run.
     - Type command, and then press Enter. (A DOS window opens.)
     - Type the following, pressing Enter after each line:
       cd\
       cd \windows
     - Proceed with step B of this section.
B. Type copy regedit.exe regedit.com and then press Enter.
C. Type start regedit.com and then press Enter. (The Registry Editor opens in front of the DOS window.)
After you finish editing the registry, exit the Registry Editor, and then exit the DOS window as well.
- Before continuing, Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document, "How to make a backup of the Windows registry."
- Navigate to and select the key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
NOTE: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure that you completely browse through this path until you reach the \command subkey.
Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey (in the original writeup this key is shown in a figure marked "NOTE: Modify this key"):
- In the right pane, double-click the (Default) value.
- Delete the current value data, and then type:
"%1" %*
That is, type the characters: quote-percent-one-quote-space-percent-asterisk.
NOTES:
- Under Windows 95/98/Me/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:
""%1" %*"
- Under Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:
"%1" %*
- Make sure that you completely delete all the value data in the command key before typing the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this occurs, restart the entire process from the beginning of this document and make sure that you completely remove the current value data.
- Exit the Registry Editor.
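The registry repair above comes down to one verifiable condition: the (Default) value of HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command must read exactly "%1" %* with nothing in front of it. The script below is an added example and is not part of the Symantec writeup. It parses the text of a .reg file (as produced by the Registry Editor's File > Export or by reg export, assumed here to have already been read into a Python string; real exports from Windows 2000/XP are UTF-16) and classifies the value as intact, missing, hijacked, or carrying the leading-space defect the note above warns about. The three .reg fragments and the PLACEHOLDER_WORM.EXE path are constructed for the example, not captured from an infected machine.

```python
import re

# The value the writeup says the (Default) entry must contain.
EXPECTED_COMMAND = '"%1" %*'
COMMAND_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"


def parse_reg(text):
    """Parse the text of a .reg export into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # start of a new key section
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue                      # header such as REGEDIT4 / Windows Registry Editor ...
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # REG_SZ data is quoted; undo the \" and \\ escapes regedit writes.
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
        keys[current][name] = data        # other types kept as raw text
    return keys


def check_exe_association(reg_text):
    """Return (is_intact, actual_value) for the exefile open command."""
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}   # key paths are case-insensitive
    values = by_lower.get(COMMAND_KEY.lower())
    if values is None:
        return False, None
    actual = values.get("(Default)")
    return actual == EXPECTED_COMMAND, actual


def diagnose(reg_text):
    """Classify the exefile command as ok, missing, whitespace or hijacked."""
    intact, actual = check_exe_association(reg_text)
    if actual is None:
        return "missing"
    if intact:
        return "ok"
    if actual.strip() == EXPECTED_COMMAND:
        # Leading/trailing space: programs fail with "Windows cannot find .exe".
        return "whitespace"
    return "hijacked"      # something runs before (or instead of) "%1"


# Constructed .reg fragments for the example.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

# PLACEHOLDER_WORM.EXE is a made-up path standing in for whatever a worm inserts.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER_WORM.EXE \"%1\" %*"
'''

# The mistake the writeup warns about: a space typed before the value.
SPACE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@=" \"%1\" %*"
'''

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG), ("space", SPACE_REG)):
        print(f"{label:9s} -> {diagnose(sample)}")
```

Because the lookup is case-insensitive and the parser unescapes REG_SZ data, the same check works on an export whose key path is written as SOFTWARE or Software; comparing the unescaped value to the literal "%1" %* rather than eyeballing the Registry Editor is what catches a leading space.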
Antivirus Protection Dates
- Initial Rapid Release version October 18, 2004
- Latest Rapid Release version August 20, 2008 revision 017
- Initial Daily Certified version October 18, 2004
- Latest Daily Certified version August 20, 2008 revision 016
- Initial Weekly Certified release date October 20, 2004
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Difficult
Damage
- Damage Level: Medium
Distribution
- Distribution Level: High
Writeup By: Candid Wueest