It was observed that a lot of files were scattered around: every folder on the computer had a shortcut in it, such as Microsoft.lnk, plus shortcuts whose file name is the same as the name of a folder that exists on the computer. After the complaint, the way the virus attacks was analyzed further.
Norman Virus Control detects this virus as Worm:PIF/Starter.A. The characteristics of the virus are:
1. In the My Documents folder there is a file called database.mdb; this is in fact the parent file.
2. The files Autorun.inf, Thumb.db and Microsoft.lnk are placed in every drive, folder and subfolder, including on the flash disk.
3. It creates a duplicate of folders as shortcuts (extension .lnk), at most 5 per folder, using the first 5 folder names; for example, in C:\Windows only the first 5 folder names are used. The same is done for subfolders, including on the flash disk.
4. It disables the Registry Editor through the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
5. It adds values to the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents And Settings\Administrator\My Documents\Database.mdb\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="Wscript.exe //e:VBScript \"C:\Windows\:Microsoft Office Update for Windows XP.sys\""
The last entry most likely only points at the script, but in practice we have to delete it; otherwise the computer shows an error message at logon. What makes us furious is the many shortcuts created by the virus. The terrible part is that if it is not removed exactly, the virus comes back again and again. There are therefore several steps that should be taken to combat the virus that causes this:
1. Kill the WSCRIPT process (the file is located in C:\Windows\System32) using tools such as CProcess or HijackThis, or Windows Task Manager.
2. Before that, first turn off System Restore.
3. After killing the WScript process, delete or rename the file so the virus cannot use it again (temporarily). Note that if we rename WScript.exe, it is automatically copied back into the folder, so the other copies of WScript.exe must be found as well. They are usually in c:\Windows\$NtServicePackUninstall$ and c:\Windows\ServicePackFiles\i386. Unlike other VBS viruses, whose .vbs file we can open in Notepad with Open With, this virus has the extension MDB, which means a Microsoft Access file. Wscript nevertheless runs DATABASE.MDB as though it were a vbs file (a smart virus): Wscript.exe //e:VBScript \"c:\Documents and Settings\Administrator\My Documents\database.mdb\"
4. Delete the parent file in c:\Documents and Settings\
5. Now we delete the files Autorun.inf, Microsoft.INF and Thumb.db: click Start, click Run, type CMD, and change to the drive to be cleaned, for example drive c:\. At the c:\ prompt type del Microsoft.inf /s; this command deletes all Microsoft.inf files in every folder on drive c. To move to another drive, just change the drive letter, for example at the d:\ prompt type del Microsoft.inf /s.
6. For the Autorun.inf files, type del autorun.inf /s /ah /f at the c:\ prompt; this command deletes autorun.inf in all folders on drive c (the /ah /f switches are needed because the file has the attributes RSHA). Do the same for the file thumb.db.
7. To delete a file than 4 file, we must search for it using the Search files with the extension .ink and 1KB size. In the "More Advanced Options", make sure the option "Search system folders" and "Search hidden files and folders" both have been active.
8. Please be careful, not all the shortcut files or file size of 1KB INK is a virus, we can distinguish it from the icon, size and type. To shortcut that was created virus, the icon always use the icon "folder" with a 1KB size of type "Shortcut". While the correct folder should not have "size" and "Type" is "File Folder".
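As an added example, not from the article or the magazine: a read-only PowerShell triage script that looks for the indicators described above (the Run-key entries that launch Wscript.exe against a non-.vbs file, the DisableRegistryTools policy, the dropped files, and the 1KB folder-named shortcuts) and reports them without deleting anything. The drive to scan, the 2048-byte size threshold and the output format are assumptions.

```powershell
# Added example: report-only triage for the Worm:PIF/Starter.A artifacts described in the article.
# Assumptions: Windows PowerShell 3.0+, run as an administrator; nothing is modified or deleted.
param([string]$Drive = 'C:\')   # drive to scan (assumed default)

$findings = @()

# 1. Run keys: any value that launches wscript.exe with //e:VBScript on a file that is not .vbs
#    (the article's trick of running Database.mdb as a script)
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath/PSDrive metadata
        $v = [string]$p.Value
        if ($v -match '(?i)wscript\.exe' -and $v -match '(?i)//e:vbscript' -and $v -notmatch '(?i)\.vbs\b') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $v }
        }
    }
}

# 2. Registry Editor disabled by policy (the DisableRegistryTools value the worm sets)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($drt -eq 1) {
    $findings += [pscustomobject]@{ Type = 'Policy'; Location = "$pol\DisableRegistryTools"; Detail = $drt }
}

# 3. Dropped files, and small .lnk files that sit beside a folder of the same name
$dropped = 'autorun.inf', 'thumb.db', 'microsoft.lnk'   # file names as given in the article
Get-ChildItem -Path $Drive -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    $f = $_
    if ($dropped -contains $f.Name.ToLower()) {
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $f.FullName; Detail = "$($f.Length) bytes" }
    } elseif ($f.Extension -ieq '.lnk' -and $f.Length -le 2048 -and
              (Test-Path -LiteralPath (Join-Path $f.DirectoryName $f.BaseName) -PathType Container)) {
        # a shortcut named like the folder next to it, the pattern described in the article
        $findings += [pscustomobject]@{ Type = 'FolderShortcut'; Location = $f.FullName; Detail = "$($f.Length) bytes" }
    }
}

$findings | Format-Table -AutoSize
```

Review the FolderShortcut hits by hand before removing anything, since a legitimate shortcut can also share a name with a neighbouring folder; the icon and type check in step 8 still applies.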
Source: Komputek, issue 612