Thursday, February 19, 2009

Virus Tips: Facing W32/Conficker.DV Attacks

If you experience one or more of the symptoms below:
Windows Active Directory (AD) user accounts are locked out repeatedly: even after the administrator unlocks an account, it is locked again. Computers show a "Generic Host Process" error. Computers cannot reach certain websites such as www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com and www.eset.com, getting the message "Address not Found", yet the same sites can be reached when accessed by IP address. Other sites are not necessarily affected.
Anti-virus definition updates fail because access to the anti-virus sites is blocked. Many applications stop working properly, in particular applications that use the network on ports 1024 to 10000.
Be careful: you have been infected with a virus that is circulating around the world. There is no need to be ashamed, because yours is not the only infected computer; even the defence department computers of France and the UK were infected by this virus.
If you are curious about who actually created this virus, we do not have accurate data. But judging from the few anti-virus sites and forums that first published information about this infection, it can be said that the virus came from China or Russia.
Norman Security Suite detects the new virus variant as W32/Conficker.DV, while other anti-virus vendors detect it as Win32.Kido.CG (Kaspersky), W32.Downadup.B (Symantec), W32.Downadup.AL (F-Secure), W32.Conficker.B (Microsoft), W32.Conficker.A (CA, Sophos and McAfee), Worm_Downadup.AD (Trend Micro) and W32/Conficker.C (Panda).
The Virus File
The Conficker.DV file is compressed with UPX and is 126 KB in size. The file arrives disguised as an image (gif, jpeg, bmp, png), while the active form is generally a "dll" (dynamic link library).
This DLL is the active file and is loaded into svchost.exe (the Windows Server Service) to spread the virus further. The virus also copies a file "[%random name%].tmp" into the %WINDOWS%\system32 folder (e.g. 01.tmp or 06.tmp). After using the file, the virus deletes it.

Symptoms / Virus Effects
Once W32/Conficker.DV has infected a computer, the virus causes the symptoms / effects below:
- Whereas previous variants turned off the "Workstation", "Server" and "Windows Firewall / Internet Connection Sharing (ICS)" services, this variant tries to stop and disable the following services: wscsvc: Security Center, wuauserv: Automatic Updates, BITS: Background Intelligent Transfer Service, ERSvc: Error Reporting Service, WerSvc: Windows Error Reporting Service (Vista, Server 2008), WinDefend: Windows Defender (Vista, Server 2008)
- The virus tries to change the Windows Vista / Server 2008 system settings using the command: "netsh interface tcp set global autotuning = disabled"
With this command, Windows auto tuning is disabled. Windows Auto Tuning is a feature of Windows Vista and Server 2008 that is very useful for improving performance when accessing the network.
- The virus tries to download and execute files (bmp, gif, jpeg, png), which are then stored in the Temporary Internet Files folder
- The virus checks for an internet connection and downloads files once the date is after January 1, 2009
- The virus creates a firewall rule on the gateway so that the local network can be reached from outside, and obtains the external IP address of the infected computer, connecting through a variety of ports (1024 to 10000)
- The virus creates a service with the following characteristics, so that it runs automatically at Windows start-up

Virus Cleaning:

1. Disconnect the computer to be cleaned from the network and the Internet
2. Turn off System Restore (Windows XP or Vista)
3. Stop the active virus in the services. Use the removal tool from Norman to clean the active virus
4. Remove the bogus svchost.exe service that the virus added in the registry. You can search for it manually in the system registry
5. Delete the scheduled task created by the virus (c:\Windows\Task)
6. Remove the registry strings created by the virus. To make this easier you can use the registry script below:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00000001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00000001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00000001,1
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00000002,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections

7. Open Notepad, paste the script, and save it with the name "Repair.inf" (set the Save As Type option to All Files to avoid an error)
8. Run Repair.inf by right-clicking it and selecting Install
9. To clean W32/Conficker.DV fully and prevent re-infection, use an anti-virus product with updated definitions that is able to detect the virus, and patch your computer with http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx to prevent re-infection
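An added read-only audit, not part of the original post or of the Norman/Vaksincom tools, that checks a host for the indicators the symptoms section and the Repair.inf above name: the Start value of the six services, the Applets dl/ds values, TcpNumConnections, job files in the Tasks folder, and the TCP auto-tuning state. It assumes an elevated PowerShell prompt and that the scheduled-task folder is %windir%\Tasks; Start=4 means Disabled.

```powershell
# Added example: read-only audit of the Conficker.DV indicators listed in the post.
# Services the post says the worm disables; a Start value of 4 means Disabled.
$services = @{
    'wscsvc'    = 'Security Center'
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'ERSvc'     = 'Error Reporting Service'
    'WerSvc'    = 'Windows Error Reporting Service (Vista/2008)'
    'WinDefend' = 'Windows Defender (Vista/2008)'
}
$findings = @()
foreach ($name in $services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $findings += "Service $name ($($services[$name])) is Disabled (Start=4)"
        }
    }
}
# Values the post's Repair.inf deletes: Applets\dl, Applets\ds and TcpNumConnections.
foreach ($hive in 'HKCU', 'HKLM') {
    $applets = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Applets"
    foreach ($v in 'dl', 'ds') {
        if ($null -ne (Get-ItemProperty -Path $applets -Name $v -ErrorAction SilentlyContinue)) {
            $findings += "Value $v present under $applets"
        }
    }
}
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($null -ne (Get-ItemProperty -Path $tcp -Name TcpNumConnections -ErrorAction SilentlyContinue)) {
    $findings += "TcpNumConnections is set under $tcp"
}
# Scheduled job files; the post says the worm drops a task in the Windows task folder
# (assumed here to be %windir%\Tasks). Review any listed job by hand.
$taskDir = Join-Path $env:windir 'Tasks'
Get-ChildItem -Path $taskDir -Filter *.job -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Scheduled job present: $($_.FullName)"
}
# Receive-window auto-tuning (Vista/2008 only); the post says the worm disables it.
$autotune = (netsh interface tcp show global 2>$null) |
    Select-String 'Auto-Tuning' | Select-Object -First 1
if ($autotune) { $findings += "TCP auto-tuning: $($autotune.Line.Trim())" }

if ($findings.Count -eq 0) { 'No Conficker.DV indicators from the post were found.' }
else { $findings }
```

Any hit here only tells you to look closer; a disabled service or a job file may also be a legitimate local change, so confirm with the anti-virus scan and the MS08-067 patch check from step 9.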

Source : Komputek,610 Edition
