Dropsis Blog

6 Steps to Eradicate the Jengkol Virus

Posted by filan89, Tuesday, 27 April 2010

This virus hides files with the .DOC extension and, to deceive the user, creates a duplicate file carrying the name of each file it hides. How do you clean it up? Follow these steps:

1. Disconnect the computer to be cleaned from the network (LAN).
2. Disable "System Restore" for the duration of the cleanup (Windows XP).
3. Kill the virus process. You can do this with a Task Manager replacement such as "Process Explorer". Download the tool from: http://download.sysinternals.com/Files/ProcessExplorer.zip.

4. Delete the registry entries created by the virus. To make this easier, copy the script below into Notepad, save it as repair.vbs, then run the file (double-click it).

' repair.vbs - restores registry settings changed by the virus
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
' Entries that do not exist are skipped instead of stopping the script
On Error Resume Next

' Restore the default "open" command for executable file types
' (a path ending in a backslash addresses the key's default value)
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\","""%1"" %*"

' Restore the Safe Mode alternate shell and the logon shell
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Explorer.exe"

' Restore the .vbs edit command and icon, and the .inf install command
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\","C:\Windows\System32\notepad.exe %1"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon\","C:\Windows\System32\WScript.exe,2"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\","C:\windows\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"

' Remove the per-user restrictions (Search, Folder Options, Run, drives, registry tools, Task Manager, CMD)
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\HideLegacyLogonScripts")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\HideLogoffScripts")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\HideStartupScripts")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\RunStartupScriptSync")

' Remove the virus autostart entry and restore the .vbs file type description
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JeNGKoL")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\NeverShowExt")
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\","VBScript Script File"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\FriendlyTypeName","VBScript Script File"

' Remove the machine-wide restrictions
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NOFind")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NORun")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp\")

' Remove the Image File Execution Options entries that redirect system tools
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\debugger")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\debugger")

' Remove the remaining policy keys
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\DisallowRun\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\Run\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\")


5. Delete the duplicate files created by the virus, which have these characteristics:
  • They use a JPEG or VBS icon
  • Their size is 14 KB
  • Their file type is JPEG Image or VBScript Script File

To make the virus files easier to find, use the Windows Search function.

6. For a thorough cleanup and to prevent reinfection, protect your computer with an antivirus that can already detect and remove this virus.
Source: detikinet
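
To support step 5, the following Python script (an added example, not part of the original article) lists files that match the duplicate's traits: a .vbs or .jpg file of about 14 KB that shares its name with a .doc file in the same folder. The byte range used for "14 KB" and the two name patterns are assumptions; the script only reports candidates and deletes nothing.

```python
import os
import sys
from pathlib import Path

# Traits from step 5. The byte range is an assumption: Explorer rounds
# sizes up, so "14 KB" is read here as 13313..14336 bytes.
SUSPECT_EXTS = {".vbs", ".jpg", ".jpeg"}
MIN_SIZE, MAX_SIZE = 13 * 1024 + 1, 14 * 1024
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit


def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_suspect_duplicates(root):
    """Return sorted (suspect, document, document_is_hidden) tuples under root.

    A suspect is a ~14 KB .vbs/.jpg file that shares its name with a
    .doc file in the same folder. Nothing is deleted or modified.
    """
    hits = []
    for folder, _dirs, files in os.walk(root):
        docs = {}
        for name in files:
            if name.lower().endswith(".doc"):
                # Match both "report.vbs" and "report.doc.vbs" (assumption).
                docs[Path(name).stem.lower()] = name
                docs[name.lower()] = name
        for name in files:
            p = Path(name)
            if p.suffix.lower() not in SUSPECT_EXTS:
                continue
            doc = docs.get(p.stem.lower())
            if doc is None:
                continue
            full = os.path.join(folder, name)
            if MIN_SIZE <= os.path.getsize(full) <= MAX_SIZE:
                doc_path = os.path.join(folder, doc)
                hits.append((full, doc_path, is_hidden(doc_path)))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for suspect, doc, hidden in find_suspect_duplicates(root):
        print(f"{suspect}  <- duplicates {doc} (hidden={hidden})")
```

Review each reported file before deleting it, and clear the hidden attribute on the original .doc afterwards.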
