W32.Baki.A
W32.Baki.A is a worm that can lower security settings on the infected system by ending security-related processes. It can spread by copying itself to local and removable drives. W32.Baki.A also adds an entry to the Windows registry to run itself when the system is booted.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Additional Information:
Analysis
W32.Baki.A disables Registry Editor by closing any window with the class name RegEdit_RegEdit.
It displays a text message at Windows startup through this registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"LegalNoticeText" = "KIBAKI FOR PRESIDENT VOTE KIBAKI FOR A BETTER FUTURE. We need a person who have thought of tomorrow and willing to salvage our country .Kibaki have done so in the past five years. KIBAKI TOSHA TENA "
To run the worm when the infected drive is accessed, it creates this file:
%DriveLetter%\AUTORUN.INF
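The two artifacts above (the LegalNoticeText value and an AUTORUN.INF in a drive root) can be checked during triage. The following is an added example, not part of the original write-up: the function names are hypothetical, and the sample AUTORUN.INF with its file name placeholder.exe is constructed, since the page does not give the worm's file name.

```python
# Added triage example. Inputs are the text of each drive's AUTORUN.INF and the
# Winlogon LegalNoticeText value, collected beforehand from the suspect machine.

# [autorun] keys that make Windows start a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# Opening words of the LegalNoticeText message quoted in the analysis above.
NOTICE_MARKER = "KIBAKI FOR PRESIDENT"

# Constructed sample; placeholder.exe stands in for the unknown worm file name.
SAMPLE_INF = (
    "[AutoRun]\r\n"
    "; constructed sample\r\n"
    "open=placeholder.exe\r\n"
    "shell\\open\\command=placeholder.exe\r\n"
    "icon=folder.ico\r\n"
)


def autorun_launch_targets(inf_text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                targets.append((key, value))
    return targets


def triage(drive_infs, legal_notice_text):
    """List findings for a dict of drive -> AUTORUN.INF text and the notice value."""
    findings = []
    if NOTICE_MARKER in (legal_notice_text or "").upper():
        findings.append("Winlogon LegalNoticeText carries the worm's message")
    for drive, inf_text in sorted(drive_infs.items()):
        for key, command in autorun_launch_targets(inf_text):
            findings.append(f"{drive}\\AUTORUN.INF {key} -> {command}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage({"E:": SAMPLE_INF}, "KIBAKI FOR PRESIDENT VOTE KIBAKI")))
```

An AUTORUN.INF that only sets an icon or label produces no finding; only entries that launch a program are reported.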
Paul
Nov 26, 2007 @ 14:49:54
You cannot disable System Restore since the virus has hidden that tab on Windows XP and 2000.
rose
Aug 02, 2008 @ 03:23:19
OMG! Thank you guys. The kibaki virus is gone and my clock and search engine too. I love you all. You can disable the system restore by right clicking on my computer then properties.
rose
Aug 02, 2008 @ 03:23:44
I meant my clock and search engine are back.
mootchy
Nov 27, 2008 @ 08:06:14
Isn’t there a shorter version of removing this virus? I am afraid that one wrong step could damage my whole system.