Cara menghilangkan Virus Sohanad

-
Virus ini berasal dari vietnam, penyebaran menggunakan yahoo messenger. Selain itu, virus ini tersebar melalui  flashdisk dengan file autorun.inf dan new folder.exe. Ciri-ciri virus adalah:
* folder icon

* file type application

* extension .exe

* file size 249 KB



Contoh virus:

Virus Sohanad

Tanda-tanda apabila dijangkiti virus ialah menghantar mesej kepada semua contact dalam Yahoo Messenger menggunakan bahasa vietnam pada sesuatu masa. contohnya:


  • E may, vao day coi co con nho nay ngon lam http://nhatquanglan1.0catch.com

  • Biet tin gi chua, vao day coi di http://nhatquanglan1.0catch.com

  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau? http://nhatquanglan1.0catch.com

  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan1.0catch.com


Virus ini akan masuk ke Yahoo messenger yang digunakan. Jika komputer yang dijangkiti tidak mempunyai Yahoo Messenger, maka ia akan copy dan paste ke program microsoft  office.



Fail utama yang dibuat oleh virus adalah:



* C:\WINDOWS\SSCVIIHOST.exe

* C:\WINDOWS\system32\autorun.ini

* C:\WINDOWS\system32\setting.ini

* C:\WINDOWS\system32\blastclnnn.exe

* C:\WINDOWS\system32\SSCVIIHOST.exe

* \autorun.inf (pada usb/removable drive)

* \New Folder.exe (pada usb/removable drive)



Registry yang dicipta oleh virus:


  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = C:\WINDOWS\system32\ SSCVIIHOST.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon\Shell = Explorer.exe SSCVIIHOST.exe

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = C:\WINDOWS\system32\ SSCVIIHOST.exe

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoFolderOptions = 1

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ System\DisableTaskMgr = 1

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ System\DisableRegistryTools = 1

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHour = 0

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ WorkgroupCrawler\Shares\Shares = \New Folder.exe


Cara menghilangkan virus:



1. Buka " safe mode"

2. Tutup proses virus di memory menggunakan taskmanager:



* C:\WINDOWS\system32\SSCVIIHOST.exe

* C:\WINDOWS\SSCVIIHOST.exe (jika active)

* C:\WINDOWS\system32\blastclnnn.exe (jika active)

* New Folder.exe (jika active)



3. Buang registry yang dibuat oleh virus

4. Buang fail utama  yang dibuat oleh virus



Dibawah adalah Here is a skrip untuk memperbaiki registry.

Buka notepad dan simpan dengan nama  repair.inf kemudian, klik kanan pada fail dan klik install


[Version]

Signature=”$Chicago$”

Provider=Nightmare-066kgi



[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del



[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “”%1″”"

HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”



[del]

HKCU, Software\Microsoft\Windows\CurrentVersion\Run, Yahoo Messengger

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares, Shared

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr

HKLM, SYSTEM\CurrentControlSet\Services\Schedule, AtTaskMaskHour

HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, Yahoo Messengger




Comments

Post a Comment

Popular posts from this blog

How to Reset BIOS password

-
Image
Bios password are used to secure your desktop and latop computer by preventing user from changing your bios setting or acessing to your computer while u are away.there is too type of password protection  the first one is bios setup protection:to prevent user from changing bios setting thesecond one  system proetction:to make the system unbootable intel entring the password. but sometime user can forget their password or even wrose they can get infected by bios Backdoor verus.so sending back the unit for reset bios is expensive here is some why how to recover or remove u lost bios password
Read More>>

Cara menghilangkan Virus Hokage

-
Hokage ketua kepada Konoha ninja pada cerita kartun Naruto. Mungkin pembuat virus ini meminati cerita naruto. Ciri-ciri yang paling mudah untuk dikenalpasti adalah menukarkan ikon flash dan fail winamp dengan .exe. Virus ini membuat fail utama adalah:
Read More>>