Wednesday, February 9, 2011

8 Steps to Eject the Virus That Exploits a Windows Security Hole

The presence of W32/VBWorm.BEUA, better known as the shortcut virus, which exploits a Windows security hole, is quite disturbing. Although it is labeled a local virus, it does not rely only on user negligence: it also has a 'first-class' ability to break through a Windows security hole.

Consider the following 8 practical steps to kick out this virus, which is able to turn the folders on a USB flash disk into shortcuts, according to Jauhar Adang Taufik, an analyst with Vaksincom:

1. Disable 'System Restore' temporarily during the cleaning process.

2. Disconnect the computer that will be cleaned from the network.

3. Kill the virus that is active in memory using the 'Ice Sword' tool. Once the tool is installed, select the process whose file has the 'Microsoft Visual Basic Project' icon and click 'Terminate Process'. The tool can be downloaded at http://icesword.en.softonic.com/

4. Delete the registry entry created by the virus:
- Click [Start]
- Click [Run]
- Type Regedit.exe and click [OK]
- In the Registry Editor, browse to the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Then delete the value whose data is [C:\Documents and Settings\%username%].

5. Disable Windows autoplay/autorun. Copy the script below into Notepad and save it as repair.inf, then install the file as follows: right-click repair.inf -> Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255

[del]
; referenced by DelReg above; intentionally left empty, nothing is removed

6. Delete the master (parent) file and the duplicate files created by the virus, including those on the flash disk. To speed up the search, use Windows 'Search'. Before searching, show all hidden files by changing the Folder Options settings.

Take care not to make mistakes when deleting the master file and the duplicate files the virus has created. First delete the master files, which have these characteristics:

- Icon 'Microsoft Visual Basic Project'.
- File size 128 KB (other variants will have varying sizes).
- File extension '.EXE' or '.SCR'.
- File type 'Application' or 'Screen Saver'.

Then delete the duplicate shortcut files, which have these characteristics:

- Folder icon (or other icons)
- Extension '.LNK'
- File type 'Shortcut'
- File size 1 KB

Also delete the DLL file (example: ert.dll) and the Autorun.inf file on the flash disk or shared folder. To keep the virus from becoming active again, delete the master file with the EXE or SCR extension first and only then remove the shortcut files (.LNK).

7. Re-show the folders that have been hidden by the virus. To speed up the process, download the 'Unhide Files and Folders' tool at http://www.flashshare.com/bfu/download.html

Once installed, select the directory [C:\Documents and Settings] and the folders on the flash disk by moving them into the fields provided. In [Attributes], clear all the options, then click [Change Attributes].

8. Install the security patch for the 'Microsoft Windows Shell shortcut handling remote code execution vulnerability' (MS10-046). Download the security patch at http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx
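Steps 4 to 7 above are manual Registry Editor, Search and attribute-tool work. The PowerShell script below is an added example, not part of the original post and not a Vaksincom tool, that does the same checks in one report-first pass: it lists Run entries whose data points into the profiles root (step 4), writes the NoDriveTypeAutoRun value that repair.inf sets (step 5), lists files on the flash disk matching the characteristics in step 6 in the deletion order the post asks for (EXE/SCR masters before the 1 KB .LNK duplicates, then the DLL and Autorun.inf), and clears the Hidden/System/ReadOnly attributes on folders (step 7). The drive letter E:, the profiles root path and the 1 KB limit are assumptions taken from the post's text; the script cannot check the 'Microsoft Visual Basic Project' icon, so it only reports by extension and size. Nothing is changed unless -Remove is given, and that run needs an administrator console.

```powershell
# Added example (not from the original post or from Vaksincom): a report-first
# PowerShell pass over steps 4 to 7. Drive letter, profiles root and size limit
# are assumptions taken from the post's text. Written for PowerShell 2.0 syntax.
param(
    [string]$FlashDrive   = 'E:\',                       # assumed letter of the flash disk
    [string]$ProfilesRoot = 'C:\Documents and Settings', # the directory named in step 7
    [switch]$Remove                                      # nothing is changed without this
)

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Step 4: Run entries whose command points into the profiles root
# (the post says the data is "C:\Documents and Settings\%username%").
function Get-SuspiciousRunEntries {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ("$($_.Value)" -like "*$ProfilesRoot*") } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Command = $_.Value } }
}

# Step 5: the same NoDriveTypeAutoRun = 0xFF value that repair.inf writes,
# in both HKCU and HKLM, stored as a REG_DWORD.
function Disable-AutoRun {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# Step 6: files on the flash disk matching the post's characteristics. Output
# order is the deletion order the post asks for: EXE/SCR master files first,
# then the 1 KB .LNK duplicates, then the DLL and Autorun.inf.
function Get-SuspiciousFiles {
    param([string]$Root)
    $all = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    $masters   = @($all | Where-Object { $_.Extension -match '^\.(exe|scr)$' })
    $shortcuts = @($all | Where-Object { $_.Extension -eq '.lnk' -and $_.Length -le 1KB })
    $droppers  = @($all | Where-Object { $_.Name -eq 'autorun.inf' -or $_.Extension -eq '.dll' })
    $masters + $shortcuts + $droppers
}

# Step 7: clear the Hidden, System and ReadOnly attributes on folders, which is
# what clearing every option under [Attributes] in the unhide tool does.
function Restore-FolderAttributes {
    param([string]$Root)
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ([int]$_.Attributes -band $mask) } |
        ForEach-Object { $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band -bnot $mask) }
}

$runEntries = @(Get-SuspiciousRunEntries)
$files      = @(Get-SuspiciousFiles -Root $FlashDrive)

Write-Host "Run entries pointing into ${ProfilesRoot}: $($runEntries.Count)"
$runEntries | Format-Table Name, Command -AutoSize
Write-Host "Suspicious files under ${FlashDrive}: $($files.Count)"
$files | Format-Table FullName, Length -AutoSize

if ($Remove) {
    foreach ($e in $runEntries) { Remove-ItemProperty -Path $RunKey -Name $e.Name }
    Disable-AutoRun
    foreach ($f in $files) { Remove-Item -LiteralPath $f.FullName -Force }  # masters are deleted first
    Restore-FolderAttributes -Root $FlashDrive
    Restore-FolderAttributes -Root $ProfilesRoot
}
```

Run it first as `.\shortcut-cleanup.ps1 -FlashDrive F:\` and read the two lists; a legitimate program on the flash disk also has an .EXE extension, so the file list is a triage list for a person, not a verdict. Only when the list matches the characteristics in step 6 run it again with `-Remove` from an administrator console, since the HKLM policy value and the attribute changes under the profiles root need that.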

As usual, for optimal cleaning and to prevent re-infection, install an up-to-date antivirus that is able to detect this virus well, and scan with it.
