Variant: BKDR_BADEY.A
Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Microsoft has recently issued a security advisory to users of Internet Explorer versions 6, 7 and 8. BKDR_BADEY.A is a backdoor that takes advantage of an Internet Explorer zero-day exploit. Infection requires nothing more than visiting a website that hosts the script "HTML_BADEY.A", which automatically downloads numerous encrypted files and then opens and connects to specific ports on the Windows operating system without the user's knowledge. Decrypting those files reveals the concealed backdoor commands that are to be carried out on the infected computer. Internet Explorer 9 and Internet Explorer 10 beta users need not worry, as those versions are not affected by this vulnerability. If you are not running the latest IE version, upgrading is strongly advised so that you are protected from this IE zero-day exploit.
Steps for manual removal of BKDR_BADEY.A:
• Disable System Restore (Windows ME and XP users): Right click My Computer → Properties → System Restore tab → Put a checkmark on Turn off System Restore on all drives → Restart the computer
• Boot to Safe Mode (Press the F8 key before the Windows logo appears on boot up)
• Show hidden files and folders (Open My Computer → Tools → Folder Options → View tab → click Show hidden folders, files and drives → Uncheck Hide operating system files → Click OK)
• Delete the infected files:
%System%\msnetacsvc.dll
%User Startup%\ctfmon.exe
• Delete the infected registry value (Start → Run → type regedit → click OK → navigate to the registry address listed below and delete the infected registry values):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
{Caution: Back up the registry before editing or deleting registry values!}
• Restart the Computer
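As an added example (not part of the original advisory), the following read-only PowerShell audit checks a host for the two files and the service key listed in the steps above before anything is deleted. It assumes %System% resolves to the System32 directory and %User Startup% to the current user's Startup folder; the ServiceDll lookup under a Parameters subkey is an assumption about how a DLL-based service is typically registered, not something the advisory states.

```powershell
# Added example: audit-only check for the BKDR_BADEY.A artifacts named in the advisory.
# Nothing is modified; findings are reported so they can be reviewed before removal.

$systemDir  = [Environment]::GetFolderPath('System')    # assumed mapping for %System%
$startupDir = [Environment]::GetFolderPath('Startup')   # assumed mapping for %User Startup%

# The legitimate ctfmon.exe lives in System32; only a copy in the user's Startup folder is suspect.
$suspectFiles = @(
    (Join-Path $systemDir  'msnetacsvc.dll'),
    (Join-Path $startupDir 'ctfmon.exe')
)
$suspectKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NWCWorkstation'

$findings = @()

foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force      # -Force so hidden files are returned
        $findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $path
            Detail = 'Size={0} Modified={1}' -f $item.Length, $item.LastWriteTime
        }
    }
}

if (Test-Path -LiteralPath $suspectKey) {
    $svc    = Get-ItemProperty -LiteralPath $suspectKey
    # Assumption: a svchost-hosted service records its DLL under Parameters\ServiceDll.
    $params = Get-ItemProperty -LiteralPath (Join-Path $suspectKey 'Parameters') -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type   = 'Registry'
        Path   = $suspectKey
        Detail = 'ImagePath={0} ServiceDll={1}' -f $svc.ImagePath, $params.ServiceDll
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BKDR_BADEY.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM service key and protected folders are readable; a listed file or key is a reason to proceed with the manual removal steps above.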