
Thread: Threat detected as W32/Korbo-B

  1. #1
    Join Date
    Nov 2009
    Posts
    792

    Threat detected as W32/Korbo-B

    My computer is installed with Windows XP Service Pack 3 with Kaspersky antivirus. Recently, a threat was detected as W32/Korbo-B in my system, which was alerted by Kaspersky antivirus. I found out the path where it is residing. But I do not know if that is the only place that it has infected or if there are other places where the infection must have taken place. Is it possible to find out the paths where they must have infected so that I can remove them manually from the system?

  2. #2
    Join Date
    Apr 2008
    Posts
    3,424

    Format your computer

    If there is a threat detected as W32/Korbo-B in your system, then beware that they could attract their aliases into your machine. The aliases are as follows:
    • I-Worm.Brontok.n
    • WORM_RONTKBR
    • W32/Rontokbro
    • Email-Worm.Win32.Brontok
    • W32/Rontokbro.gen@MM
    • W32/Korbo-B
    • W32/Brontok.C.worm

    I suggest you format your computer as soon as possible to eradicate the infection of W32/Korbo-B.

  3. #3
    Join Date
    Jan 2006
    Posts
    3,792

    W32/Korbo-B uses an EMAIL ATTACHMENT called photo.zip

    The threat that is detected as W32/Korbo-B in your system is a worm. W32/Korbo-B uses an EMAIL ATTACHMENT called photo.zip to enter the system. So, beware when you open an attachment with that name. When it executes in the system, it copies itself into the Windows folder with the following names:
    1. inetinfo.exe
    2. lsass.exe
    3. services.exe
    4. smss.exe
    5. norBtok.exe
    6. cvt.exe
    7. IDTemplate.exe
    8. 3D Animation.scr
    9. A.kotnorB.com
    10. Empty.pif
    11. KANGEN.EXE
    12. winlogon.exe

    It disrupts the working of all the Windows programs and can cause the system to crash.

  4. #4
    Join Date
    May 2008
    Posts
    3,516

    Enable a system restore after deleting the infected registry values

    When W32/Korbo-B enters a computer it causes modification in the registry values. As the threat detected as W32/Korbo-B in your system must have done modification in the registry values, you have to manually delete all the infected registry values:
    1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus = "%UserProfile%\Application Data\smss.exe"
    2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus = "%Windows%\INF\norBtok.exe"
    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions = "dword:00000001"
    4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools = "dword:00000001"

    Enable a system restore after deleting the infected registry values. It is recommended that you do this in safe mode.

  5. #5
    Join Date
    Feb 2008
    Posts
    2,635

    W32/Korbo-B can be manually deleted

    The threat detected as W32/Korbo-B in your system can be manually deleted from the following directories:
    • %Documents and Settings%\User\Local Settings\Application Data\csrss.exe
    • %Documents and Settings%\User\Local Settings\Application Data\inetinfo.exe
    • %Documents and Settings%\User\Local Settings\Application Data\lsass.exe
    • %Documents and Settings%\User\Local Settings\Application Data\services.exe
    • %Documents and Settings%\User\Local Settings\Application Data\smss.exe
    • %Documents and Settings%\User\Local Settings\Application Data\winlogon.exe
    • %Documents and Settings%\User\Start Menu\Programs\Startup\Empty.pif
    • %Documents and Settings%\User\Templates\WowTumpeh.com
    • %System%\<user name>'s Setting.scr
    • %Windir%\eksplorasi.pif
    • %Windir%\ShellNew\bronstab.exe

    Run a full system scan after you delete all the infected directories to make sure that the infection is removed from the system.
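
A read-only check for the registry values listed in post #4 and the file locations listed in post #5, as an added example that is not part of any poster's reply. It assumes "%Documents and Settings%\User" means the current user's profile folder and "%System%" means System32 under the Windows directory.

```powershell
# Read-only check for the W32/Korbo-B artifacts listed in posts #4 and #5.
# Assumed path mapping: "%Documents and Settings%\User" -> $env:USERPROFILE,
# "%System%" -> <windir>\System32. Nothing is deleted or modified.

$localAppData = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
$system32     = Join-Path $env:windir 'System32'

# File locations from post #5
$files = @()
foreach ($name in 'csrss.exe','inetinfo.exe','lsass.exe','services.exe','smss.exe','winlogon.exe') {
    $files += Join-Path $localAppData $name
}
$files += Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\Empty.pif'
$files += Join-Path $env:USERPROFILE 'Templates\WowTumpeh.com'
$files += Join-Path $system32 ("{0}'s Setting.scr" -f $env:USERNAME)
$files += Join-Path $env:windir 'eksplorasi.pif'
$files += Join-Path $env:windir 'ShellNew\bronstab.exe'

# Registry values from post #4: key path, then value name
$values = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'Tok-Cirrhatus'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'Bron-Spizaetus'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoFolderOptions'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableRegistryTools')
)

$findings = @()
foreach ($f in $files) {
    # -Force includes files marked hidden or system
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "FILE  $f ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}
foreach ($v in $values) {
    $prop = Get-ItemProperty -Path $v[0] -Name $v[1] -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += "REG   $($v[0])\$($v[1]) = $($prop.($v[1]))"
    }
}

if ($findings.Count -eq 0) { 'No listed W32/Korbo-B artifacts found for this user.' }
else { $findings }
```

The HKCU values and profile paths are per-user, so run the check under each account on the machine. It matches full paths rather than file names because lsass.exe, services.exe, smss.exe, winlogon.exe and csrss.exe are also the names of legitimate Windows files in System32.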

  6. #6
    Join Date
    May 2008
    Posts
    2,945

    Boot scan can remove all types of infection

    Boot scan can remove all types of infection from the computer and I guess that the threat that is detected as W32/Korbo-B can also be eradicated using this method. I can assure you this because the infection remains inactive during such a scan. The infection remains inactive since the scan takes place before Windows can boot. Antiviruses like Quick Heal and Avast provide this feature of boot scanning. Keep the antivirus updated to avoid such types of threats in the future.
