
Virus Virut | | the most dangerous viruses

Sunday, February 7, 2010
This article discusses the virus that is the most dangerous in terms of the damage it does to computer systems.


The Virut virus is more dangerous than the Conficker virus. Although it does not spread as fast as Conficker, it falls into the category of very dangerous viruses; even today there is no tool that can detect and eradicate it completely.


The following are the characteristics of the Virut virus, according to Vaksin.com:

1. Disables Windows File Protection

2. Spreads through HTML-, ASP- and PHP-based web pages

3. Infects Windows host files and accepts remote control from an IRC server when the computer is connected to the Internet

4. Updates the virus and sends spam to particular addresses

5. Turns the computer into a spam server using the public IP of the computer's router, which gets that IP blacklisted

6. Cripples the network by directly modifying the network drivers, i.e. changing the files ndis.sys and TCPIP.sys

7. Makes contact with a remote IRC server or file-sharing site

8. Can spread via removable drives such as USB flash drives and card readers

9. Injects itself into system files and Winlogon.exe, and disables Windows File Protection (System File Checker) by modifying the files sfc.dll and sfc_os.dll

10. Infects executable files of type .exe (applications) and .scr (screen savers), each of size 22 KB

11. When connected to the Internet, the virus contacts a remote server / IRC (Internet Relay Chat) server on port 65520. Some of the IPs used are 91.212.220.156:65520 and 91.121.221.157:65520, or the domains dns2.zief.pl, nss2.ircgalaxy.pl, proxim.ircgalaxy.pl, proxima.ircgalaxy.pl, sys.zief.pl, gidromash.cn, core.ircgalaxy.pl and jl.chura.pl


How to clean the virus:

1. Disable System Restore (XP / ME) on the computer.

2. Download Norman Malware Cleaner ( http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe )
from an uninfected computer to remove the virus, then save the file with the extension .com or .cmd, or compress it into a zip, so that the virus (which infects .exe files) cannot infect the cleaner itself; then run it.

3. After the cleaning process is complete, restart the computer.

4. Remove the registry strings created by the virus. To make this easier, use the following registry script.

[Version]
Signature="$Chicago$"
Provider=Articles on Computers | ErhaesCom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001, 1
HKLM, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, EnableFirewall, 0x00010001, 1

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, servises
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows, load
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows, run
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, servises
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 22951
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Regedit32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKLM, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, \??\C:\WINDOWS\system32\winlogon.exe
HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall

5. Paste the script into Notepad and save it as "repair.inf" (set the Save As Type option to All Files to avoid mistakes).

6. If the computer can no longer connect to the network, replace the network driver files "ndis.sys" (size 179 KB) and "TCPIP.SYS" (size 351 KB) with copies from an uninfected computer. The files are usually located in C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache.

7. Restore the infected hosts file by replacing it with the "hosts" file (size 1 KB) from an uninfected computer. It is usually located at C:\WINDOWS\system32\drivers\etc.

8. Use an up-to-date antivirus that can detect and eradicate this virus properly.
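As an added example (not part of the original post or of Vaksin.com's script), the PowerShell audit below checks the same registry locations that the repair.inf script in step 4 deletes or restores, so a technician can confirm the infection before cleaning and verify afterwards that nothing came back. The value names and paths are taken from the post; the function name and the output format are my own.

```powershell
# Audit the registry entries that the post's repair.inf script removes or restores.
# Run in an elevated PowerShell on the suspect machine (assumption: PowerShell is available).
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Name = 'reader_s' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Name = 'servises' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'load' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'run' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'reader_s' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'servises' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = '22951' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'Regedit32' },
    # winlogon.exe has no business being an authorized firewall application
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List';
       Name = '\??\C:\WINDOWS\system32\winlogon.exe' }
)
# Whole keys the script deletes: their mere presence is suspicious.
$suspectKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
)

function Test-VirutRegistryIndicators {
    $found = @()
    foreach ($i in $indicators) {
        if (-not (Test-Path $i.Path)) { continue }
        $item = Get-ItemProperty -Path $i.Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $i.Name)) {
            $found += "$($i.Path) -> $($i.Name) = $($item.($i.Name))"
        }
    }
    foreach ($k in $suspectKeys) {
        if (Test-Path $k) { $found += "key present: $k" }
    }
    # Settings the [UnhookRegKey] section restores; flag them if still tampered with.
    $fw = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -ne 1) { $found += 'Windows Firewall (StandardProfile) is disabled' }
    $sh = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
    if ($sh -and $sh.CheckedValue -ne 1) { $found += 'Explorer "Show hidden files" setting is tampered with (CheckedValue <> 1)' }
    return $found
}

$hits = Test-VirutRegistryIndicators
if (@($hits).Count -eq 0) { 'No Virut registry indicators found.' } else { $hits }
```

Run it once before step 4 and again after the reboot in step 3 of a second pass; any line still reported means the cleanup is incomplete.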
