Kyrent virus information and remover
- Wednesday, March 26, 2008, 20:35
- Security, Viruses
Not much is known about the KyrEnt virus, except that most of its code closely resembles the earlier Brontok variants, which originated in Indonesia. Even the executables KyrEnt drops use the “My Documents” folder icon, the same disguise the Brontok variants use. The name comes from the various “KyRent” strings found inside the virus body.
KyrEnt drops copies of itself at the following paths:
c:\text.exe
c:\windows\windows.exe
c:\windows\WinSystem.exe
c:\windows\Win System.exe
c:\windows\WinSys32.exe
c:\windows\runrunrun.exe
c:\windows\SystemMonitor64.exe
c:\windows\MonitorSetup.exe
c:\windows\MonitorMission.run
c:\bootex.exe
d:\bootex.exe
c:\windows\system32\WindowsProtection.exe
c:\log.exe
c:\windows\explorer.exe
c:\windows\sysa.exe
c:\windows\sysb.exe
Note that c:\windows\explorer.exe is also the location of the genuine Windows shell, so inspect that file (size, timestamp, comparison with a known-good copy) before deleting anything there. KyrEnt also creates or modifies the following registry keys and values; they cover Explorer's hidden-file and file-extension display settings, the Run and Winlogon\Shell autostart points, the Safe Mode AlternateShell, and the file-type handlers for .exe and for the extensions it registers itself:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_CLASSES_ROOT\folder\defaulticon
HKEY_CLASSES_ROOT\.run
HKEY_CLASSES_ROOT\*\shell\Run As\Command
HKEY_CLASSES_ROOT\Folder\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\Folder\shell\Search\Command
HKEY_CLASSES_ROOT\*\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\.doc\shell\new\command
HKEY_CLASSES_ROOT\.dot
HKEY_CLASSES_ROOT\.exed
HKEY_CLASSES_ROOT\exedfile
HKEY_CLASSES_ROOT\exedfile\DefaultIcon
HKEY_CLASSES_ROOT\exedfile\Shell\Open\Command
HKEY_CLASSES_ROOT\exedfile\Shell\Open
HKEY_CLASSES_ROOT\.ppa
HKEY_CLASSES_ROOT\.xlt
HKEY_CLASSES_ROOT\.mdb
HKEY_CLASSES_ROOT\.ldb
HKEY_CLASSES_ROOT\.db
HKEY_CLASSES_ROOT\.dbf
HKEY_CLASSES_ROOT\.dbl
HKEY_CLASSES_ROOT\.ttf
HKEY_CLASSES_ROOT\.fon
HKEY_CLASSES_ROOT\.cfg
HKEY_CLASSES_ROOT\cfgfile\shell\Open\command
HKEY_CLASSES_ROOT\cfgfile
HKEY_CLASSES_ROOT\cfgfile\shell\open\command
HKEY_CLASSES_ROOT\.bin
HKEY_CLASSES_ROOT\.cvd
HKEY_CLASSES_ROOT\.dat
HKEY_CLASSES_ROOT\.com
HKEY_CLASSES_ROOT\.exc
HKEY_CLASSES_ROOT\excfile\shell\open\command
HKEY_CLASSES_ROOT\excfile
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\excfile\DefaultIcon
HKEY_CLASSES_ROOT\htmlfile
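As an added example (not part of the original post, and not PCMAV's code), here is a read-only PowerShell triage script that sweeps a machine for the file paths and the main persistence registry values listed above and reports what it finds without deleting anything. The “expected” values it compares against (Explorer.exe for Winlogon\Shell, cmd.exe for SafeBoot\AlternateShell, "%1" %* for the exefile open command) are stock Windows defaults, an assumption about your baseline rather than something taken from the post; the function names are my own.

```powershell
# Added example: read-only triage sweep for the KyrEnt indicators listed above.
# It reports what is present and never deletes or changes anything.
# Run from an elevated PowerShell prompt. The "Expected" baseline values below
# are stock Windows defaults (an assumption), not values taken from the post.

$droppedFiles = @(
    'C:\text.exe', 'C:\bootex.exe', 'D:\bootex.exe', 'C:\log.exe',
    'C:\Windows\windows.exe', 'C:\Windows\WinSystem.exe', 'C:\Windows\Win System.exe',
    'C:\Windows\WinSys32.exe', 'C:\Windows\runrunrun.exe',
    'C:\Windows\SystemMonitor64.exe', 'C:\Windows\MonitorSetup.exe',
    'C:\Windows\MonitorMission.run', 'C:\Windows\System32\WindowsProtection.exe',
    'C:\Windows\sysa.exe', 'C:\Windows\sysb.exe',
    'C:\Windows\explorer.exe'   # also the legitimate shell: inspect, do not delete
)

# Persistence / hijack points from the post. Expected = $null means "report only".
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';          Expected = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';             Name = 'AlternateShell'; Expected = 'cmd.exe' },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot';                 Name = 'AlternateShell'; Expected = 'cmd.exe' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';     Name = '(default)';      Expected = '"%1" %*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';      Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'SuperHidden'; Expected = $null }
)

# File classes the post says KyrEnt registers or rewires. Windows defines no
# ".exed" or ".exc" class, so those existing at all is a strong indicator.
$suspiciousClasses = @('.exed', 'exedfile', '.exc', 'excfile', '.run', 'cfgfile')

function Test-KyrEntFiles {
    foreach ($f in $droppedFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $item = Get-Item -LiteralPath $f -Force
        $note = if ($f -ieq 'C:\Windows\explorer.exe') {
            'Legitimate shell location; compare against a known-good copy before acting'
        } else { 'Not present on a clean system' }
        [pscustomobject]@{ Path = $f; Size = $item.Length; Modified = $item.LastWriteTime; Note = $note }
    }
}

function Test-KyrEntRegistry {
    foreach ($c in $regChecks) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        $current = (Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue).($c.Name)
        $status = if ($null -eq $c.Expected) { 'report' }
                  elseif ([string]$current -ieq $c.Expected) { 'ok' }
                  else { 'MODIFIED' }
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Current = $current; Expected = $c.Expected; Status = $status }
    }
}

function Test-KyrEntClasses {
    foreach ($cls in $suspiciousClasses) {
        $path = "Registry::HKEY_CLASSES_ROOT\$cls"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $cmdKey = Join-Path $path 'shell\open\command'
        $cmd = if (Test-Path -LiteralPath $cmdKey) { (Get-ItemProperty -LiteralPath $cmdKey).'(default)' } else { $null }
        [pscustomobject]@{ Class = $cls; OpenCommand = $cmd }
    }
}

function Get-SuspiciousRunEntries {
    # Flag Run entries that launch one of the dropped filenames (explorer.exe excluded: too noisy).
    $dropNames = $droppedFiles | ForEach-Object { [IO.Path]::GetFileName($_) } | Where-Object { $_ -ine 'explorer.exe' }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
            $cmd = [string]$p.Value
            $hit = $dropNames | Where-Object { $cmd -like "*$_*" }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Suspicious = [bool]$hit }
        }
    }
}

'== Dropped files present ==';   Test-KyrEntFiles        | Format-Table -AutoSize
'== Persistence values ==';      Test-KyrEntRegistry     | Format-Table -AutoSize
'== Suspicious file classes =='; Test-KyrEntClasses      | Format-Table -AutoSize
'== Run entries ==';             Get-SuspiciousRunEntries | Format-Table -AutoSize
```

A MODIFIED status on Winlogon\Shell, SafeBoot\AlternateShell or the exefile open command means the virus (or something else) has changed how the system starts its shell or launches every .exe, which is why cleaning those values blind can leave you unable to run anything; note the current value before you restore the default. A hit on C:\Windows\explorer.exe only means the file exists, which it always does.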
KyrEnt also modifies the Windows OEM information (the manufacturer and support details shown in System Properties). Sound familiar? You guessed right: another Brontok copycat.
KyrEnt closes any program or window whose name or title contains one of these strings. The list includes dialog captions such as “Confirm File Delete” and “Edit String”, so the matching is done at least partly on window titles; this is how it blocks Task Manager, Regedit and the antivirus tools named below:
Updatex, Updatingx, upgradex, pcmav, system restore, registry, Task Manager, System Configuration, Process Manager, hijack, process xp, Process View, Process Control, Process Explorer, Process Patrol, cmd xxxx, raypc, ntfs4dos, ntfs for dos, ntfs 4 dos, Confirm File Delete, Confirm Key Delete, Registry, Edit String, cleaner, Confirm Value Delete, Folder Option, control panel error, antivir, avast, clamav, nod32, norton, norman, mcafee, kaspersky, remover, curr proces, defender.
While active, KyrEnt displays the following text on a black background, in a window set to stay always on top of your screen:
“Gita, gimana kabarmu?, kemana kamu pergi ?, aku merindukanmu, aku mohon kembalilah. By: Ir. Pluto“
(Indonesian: “Gita, how are you? Where did you go? I miss you, please come back. By: Ir. Pluto”)
KyrEnt Remover
You can remove the KyrEnt virus with PCMAV, the antivirus developed by PC Media Indonesia. The current version is 1.1.
The password for the zip file is “badxp.com”.