The Conficker.DV virus uses a distribution method that differs from its predecessors. It is more sophisticated: the virus tries to access the network through a Windows gap, the 'Default Share' (ADMIN$\system32), using the administrator password.
In addition, 'Conficker.DV' also creates a hidden file on the root drive of removable media such as flash drives, hard drives and card readers.
Otherwise it acts the same as its predecessors, that is, it tries to exploit MS08-067, the Windows security hole in the Windows Server Service or SVCHOST.exe. Many users are infected because they have not activated the Automatic Updates feature and have not applied the Windows patch for MS08-067.
If this applies to you, see the 7 short steps from virus analyst Adi Saputra of Vaksincom to eradicate the 'Conficker.DV' virus:
1. Disconnect the computer that is going to be cleaned from the network / internet.
2. Turn off System Restore (Windows XP / Vista).
3. Stop the active virus process in the services. Use the removal tool from Norman to clean the active virus. If you do not have it, it can be downloaded from the Norman site.
4. Delete the fake svchost.exe service in the registry. You can search for it manually in the registry.
5. Delete the scheduled task that was created by the virus (C:\WINDOWS\Tasks).
6. Remove the registry strings that were created by the virus. To make the registry cleanup easier, you can use the script below:
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=RestoreValues
DelReg=RemoveValues

; Values to set. Flag 0x00010001 writes the value as a REG_DWORD.
[RestoreValues]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
; CheckedValue, 0x00010001,1   (the registry key for this value is not given here, so the line is left disabled)
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2

; Values created by the virus, to delete.
[RemoveValues]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections
Use Notepad, then save the script with the name 'repair.inf', setting 'Save As Type' to 'All Files' so that no error occurs. Run repair.inf by right-clicking it and selecting Install.
Meanwhile, for the file that is active on startup, you can disable it through 'msconfig' or manually delete its string under 'HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.
7. To clean the W32/Conficker.DV virus optimally and prevent re-infection, use an up-to-date anti-virus that is able to detect this virus well, and patch your computer with the official patch from Microsoft.
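A read-only check to run after step 6, as an added example that is not part of the original article or Vaksincom's script: it compares the registry values named in repair.inf with what that script sets or deletes, and lists the task files left in the folder from step 5. It assumes PowerShell is installed on the cleaned machine.

```powershell
# Added example: verifies the state repair.inf is meant to leave behind.
# Nothing is modified; expected values are taken from the script in step 6.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$expected = @(
    @{ Path = $adv;            Name = 'Hidden';      Value = 1 },
    @{ Path = $adv;            Name = 'SuperHidden'; Value = 1 },
    @{ Path = "$svc\BITS";     Name = 'Start';       Value = 2 },
    @{ Path = "$svc\ERSvc";    Name = 'Start';       Value = 2 },
    @{ Path = "$svc\wscsvc";   Name = 'Start';       Value = 2 },
    @{ Path = "$svc\wuauserv"; Name = 'Start';       Value = 2 }
)
$shouldBeAbsent = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets'; Name = 'dl' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets'; Name = 'ds' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets'; Name = 'dl' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets'; Name = 'ds' },
    @{ Path = "$svc\Tcpip\Parameters"; Name = 'TcpNumConnections' }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$problems = 0
foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    # A byte array here means the value was written as REG_BINARY, not as a DWORD.
    if ($actual -is [array] -or $actual -ne $e.Value) {
        Write-Output ("MISMATCH {0}\{1}: expected {2}, found '{3}'" -f $e.Path, $e.Name, $e.Value, $actual)
        $problems++
    }
}
foreach ($a in $shouldBeAbsent) {
    if ($null -ne (Get-RegValue $a.Path $a.Name)) {
        Write-Output ("STILL PRESENT {0}\{1}" -f $a.Path, $a.Name)
        $problems++
    }
}

# Step 5: show any task files still in the Tasks folder for manual review.
Get-ChildItem -Path "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

if ($problems -eq 0) { Write-Output 'All checked registry values match repair.inf.' }
```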
Thx Nancy