Nadia Saphira Is a Virus

Be careful with Nadia Saphira. Why? This Nadia Saphira is a virus: it is the name of a new variant of the Bulu Bebek virus. Based on the script written by its creator, the virus is suspected to come from North Sulawesi. The virus, which spread quite widely in May 2009, turned out to have a particular strength: it cannot be detected by antivirus (AV) programs, even those that claim to be the best AV in the world.

According to the site Vaksin.com, Norman Security Suite can currently detect the Nadia Saphira variant as W32/VBTroj.AOQB. So what are the characteristics of the Nadia Saphira virus?

• Has a file size of 17 KB & 69 KB

• File type is "Application"

• File extension is ".exe"

• Has a folder icon

• Creates a duplicate with the same name as each existing folder, and hides the original folder

• Removes the Folder Options menu item

• The CD-ROM drive stops working

• Command Prompt cannot be accessed.

The Nadia Saphira virus spreads through the Windows AutoPlay feature, using removable / USB drives as its means of distribution. The files it creates include Autorun.inf and NadiaSaphira.ini; it also creates a virus file and copies itself into every existing folder. Here is how to clean the Nadia Saphira virus:

1. Disconnect the computer from the network

2. Turn off "System Restore" during the virus cleaning process (for XP / Vista)

3. Stop the virus that is active in memory. Use a Task Manager tool such as CProcess, which can be downloaded from http://www.nirsoft.net/utils/index.html

4. Kill the processes of the following active virus files:

• C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe

• C:\WINDOWS\system32\misconfig.exe

• C:\WINDOWS\taskmgr.exe

5. Delete the registry strings created by the virus. To make this easier, you can use the script below.

[Version]

Signature="$Chicago$"

Provider=Vaksincom Oyee

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

; Restore the default "open" command for executable file types

HKCR, batfile\shell\open\command,,,"""%1"" %*"

HKCR, comfile\shell\open\command,,,"""%1"" %*"

HKCR, exefile\shell\open\command,,,"""%1"" %*"

HKCR, piffile\shell\open\command,,,"""%1"" %*"

HKCR, lnkfile\shell\open\command,,,"""%1"" %*"

HKCR, scrfile\shell\open\command,,,"""%1"" %*"

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,

; Restore the icon, type name and tooltip properties of .exe files

HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""

HKLM, SOFTWARE\Classes\exefile,,,"Application"

HKLM, SOFTWARE\Classes\exefile, infotip, 0, "prop:FileDescription;Company;FileVersion;Create;Size"

HKLM, SOFTWARE\Classes\exefile, TileInfo, 0, "prop:FileDescription;Company;FileVersion"

; Clear the Command Processor Autorun value

HKCU, Software\Microsoft\Command Processor, Autorun, 0,

HKLM, SOFTWARE\Microsoft\Command Processor, Autorun, 0,

; Restore the "show hidden files and folders" option

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001, 1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001, 2

[del]

; Policy values and Image File Execution Options keys to delete

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe

6. Delete the virus files, which have the following characteristics:

• Icon: application / folder

• Extension: .exe

• Size: 17 KB & 69 KB

7. Unhide the hidden folders on the drive or flash disk. Use the "attrib" command in the Command Prompt.

• Click "Start"

• Click "Run"

• Type "CMD", then press "Enter"

• Switch the prompt to the flash disk drive

• Then type the command attrib -s -h -r /s /d and press "Enter"

For optimal cleaning and to prevent re-infection, you should use an up-to-date antivirus that recognizes this virus well. This is the advice of Adi Saputra (Senior Technician, Vaksincom). (infokomputer)
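
The following Python script is an added example, not part of the original article or of Vaksincom's tooling. It walks a drive and reports the indicators listed above: Autorun.inf, NadiaSaphira.ini, and .exe files that carry the name of a folder beside them and display as 17 KB or 69 KB. Rounding sizes up to whole KB, the reason labels, the third tuple field (whether the same-named folder has the Windows hidden attribute) and the sample tree are assumptions of this example.

```python
import os
import stat
import tempfile

# Indicators from the article; rounding sizes up to whole KB is an assumption.
DROPPED_FILES = {"autorun.inf", "nadiasaphira.ini"}
SIZES_KB = {17, 69}

def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan(root):
    """Return sorted (reason, relative_path, original_folder_hidden) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in DROPPED_FILES:
                findings.append(("dropped-file", rel, False))
            elif ext == ".exe" and stem in folders:
                size_kb = (os.path.getsize(full) + 1023) // 1024
                if size_kb in SIZES_KB:
                    original = os.path.join(dirpath, folders[stem])
                    findings.append(("folder-clone", rel, is_hidden(original)))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree of zero-filled files (no real malware)."""
    os.makedirs(os.path.join(root, "Photos", "Trip"))
    os.makedirs(os.path.join(root, "Docs"))
    layout = {
        "Autorun.inf": 40, "NadiaSaphira.ini": 10,    # files the article names
        "Photos.exe": 17 * 1024,                      # folder name, 17 KB
        os.path.join("Photos", "Trip.exe"): 70556,    # displays as 69 KB
        "Docs.exe": 300 * 1024,                       # folder name, wrong size
        "setup.exe": 17 * 1024,                       # right size, no folder
    }
    for rel, size in layout.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

To check a real flash disk, call scan() with its drive path (for example scan("E:\\")) and review each reported file before deleting anything.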
