How To Clean the New Virus W32/VBWorm.PEC

W32/VBWorm.PEC, 2 August 2008

Be careful with the new Doraemon, Sin Chan and Tom & Jerry virus from Indonesia.
The message the worm displays on infected machines:

*THE ROAD TO SYUHADA*
--------------------------------------
*WAHAI DIRI...*
*JIKA KAU TIDAK GUGUR DI MEDAN JUANG...*
*KAU TETAP AKAN MATI...*
*WALAU DI ATAS RANJANG...*

(Translation: "O self... if you do not fall on the field of struggle... you will still die... even if in bed." "Syuhada" means martyrs.)

 



 



This virus is detected by Norman Security Suite under the name W32/VBWorm.PEC. Image 1 shows the detection.

Image 1: Norman Security Suite detects "Pilem Lutchu" as W32/VBWorm.PEC



 





File Virus Traits

The virus file has the following traits (see image 2):

  • Uses the Real Player icon (the media player software from RealNetworks)
  • Size 129 KB
  • File type "Application"
  • Extension "exe"

Image 2: sample W32/VBWorm.PEC virus file



 



Trend / Effects of the Virus

If a computer is infected by W32/VBWorm.PEC, the virus blocks several Windows functions: the System Configuration Utility (msconfig), Folder Options and System Restore (see image 3).

Image 3: the virus script disabling Task Manager and other Windows functions



 





To trick the user, the virus creates a folder named "pilem lutchu" (slang for "funny movies") in My Documents and on flash disks / removable drives / external hard disks (see image 4). The folder contains three virus files: Doraemon-Pistol Perubah Tubuh Sebagian.rm.exe, Sinchan-Menginap Di Sekolah.rm.exe and TOM & JERRY 2.rm.exe. The ".rm.exe" double extension makes them look like Real Media video clips once Windows hides file extensions.

Image 4: folder created by the virus in My Documents and on flash disks



 



W32/VBWorm.PEC also leaves its message in My Computer by changing the "Support Information" shown in System Properties (this text comes from the oeminfo.ini file listed below), and on drive C: by creating a file named "THE ROAD TO SYUHADA", one of the virus files (see image 5).

Image 5: message created by the virus W32/VBWorm.PEC



 



File Virus and Distribution

Upon infection, W32/VBWorm.PEC creates the following virus files:

  • C:\antiZionisme.rm.exe
  • C:\WINDOWS\Help\explorer.exe
  • C:\WINDOWS\system32\300403.exe
  • C:\WINDOWS\system32\aparaparsaparyangparipircapar.exe
  • C:\WINDOWS\system32\HacKid's.exe

Virus files in My Documents, inside the folder "pilem lutchu":

  • Doraemon-Pistol Perubah Tubuh Sebagian.rm.exe
  • Sinchan-Menginap Di Sekolah.rm.exe
  • TOM & Jerry 2.rm.exe

The virus distribution files (the batch and VBScript droppers and the two .ini files):

  • C:\WINDOWS\system32\060785.bat
  • C:\WINDOWS\system32\050587.vbs
  • C:\WINDOWS\system32\appdata.vbs
  • C:\WINDOWS\system32\run4.bat
  • C:\THE ROAD TO SYUHADA.ini
  • C:\WINDOWS\system32\oeminfo.ini

(see image 6).

Image 6: the 3 "Pilem Lutchu" virus file names
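The file list above can be turned into a quick check of a suspect machine or a flash disk. The script below is an added example, not part of the original write-up: it is built only from the paths and traits listed above (the exact drop locations, the "pilem lutchu" folder, the ".rm.exe" double extension and the 129 KB size) and only reports what it finds. It assumes Windows PowerShell in an elevated prompt and WMI for the list of removable drives; the function and variable names are the example's own.

```powershell
# Added example, not part of the original write-up: a read-only sweep for the files
# W32/VBWorm.PEC drops, built only from the paths and traits listed above.
# Assumptions: Windows PowerShell in an elevated prompt; WMI available for the drive list.

$SystemRoot = $env:SystemRoot      # C:\WINDOWS on the XP hosts the write-up describes

# Exact drop locations from the write-up: payload, droppers and the oeminfo.ini message
$KnownPaths = @(
    "$env:SystemDrive\antiZionisme.rm.exe",
    "$env:SystemDrive\THE ROAD TO SYUHADA.ini",
    "$SystemRoot\Help\explorer.exe",
    "$SystemRoot\system32\300403.exe",
    "$SystemRoot\system32\aparaparsaparyangparipircapar.exe",
    "$SystemRoot\system32\HacKid's.exe",
    "$SystemRoot\system32\060785.bat",
    "$SystemRoot\system32\050587.vbs",
    "$SystemRoot\system32\appdata.vbs",
    "$SystemRoot\system32\run4.bat",
    "$SystemRoot\system32\oeminfo.ini"
)

function New-Hit($Reason, $Path, $Bytes) {
    New-Object PSObject -Property @{ Reason = $Reason; Path = $Path; SizeKB = [math]::Round($Bytes / 1KB) }
}

function Find-VbWormPecFiles {
    # Emits one object per indicator found; no output means nothing matched.
    foreach ($p in $KnownPaths) {
        if (Test-Path -LiteralPath $p) {
            New-Hit 'known drop path' $p (Get-Item -LiteralPath $p -Force).Length
        }
    }

    # The "pilem lutchu" lure folder is written to My Documents and to removable drives,
    # so those are the roots worth walking. -Force is required: Get-ChildItem skips
    # hidden items without it, and the worm's Hidden/SuperHidden settings hide these.
    $roots = @([Environment]::GetFolderPath('MyDocuments'))
    # DriveType 2 = removable disk
    $roots += Get-WmiObject Win32_LogicalDisk -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 2 } |
        ForEach-Object { $_.DeviceID + '\' }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue) {
            if ($item.PSIsContainer) {
                if ($item.Name -eq 'pilem lutchu') { New-Hit 'lure folder' $item.FullName 0 }
            }
            elseif ($item.Name -match '\.rm\.exe$') {
                # Double extension: with HideFileExt=1 Explorer shows only "....rm", so the
                # Real Player icon plus a .rm name looks like a video clip.
                $reason = 'rm.exe lure'
                if ([math]::Round($item.Length / 1KB) -eq 129) { $reason += ', 129 KB body' }
                New-Hit $reason $item.FullName $item.Length
            }
        }
    }
}

Find-VbWormPecFiles | Format-Table Reason, SizeKB, Path -AutoSize
```

Run it with the flash disk plugged in; a hit on a removable drive means that disk will reinfect the next machine it is plugged into and needs the same cleanup as the computer.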



 





Registry Manipulation

The virus adds or changes the following registry values (autostart entries, policies and file associations):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    noboe = C:\WINDOWS\Help\explorer.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe %SystemRoot%\system32\060785.bat
    (the dropper batch file is started together with the Windows shell at every logon)

  • HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE = %SystemRoot%\system32\300403.exe
    ScreenSaveActive = 1
    ScreenSaveTimeOut = 60
    (the virus is re-launched as the screen saver after 60 seconds of inactivity)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    NoDispScrSavPage = 1
    (hides the Screen Saver tab so the user cannot see or change the setting above)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableConfig = 1
    DisableSR = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
    (Default) = %SystemRoot%\system32\appdata.vbs
    (running msconfig starts the virus script instead)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0
    HideFileExt = 1
    (hidden files are not shown and the ".exe" part of the ".rm.exe" names is hidden)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    UncheckedValue = 0

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    DefaultValue = 1
    (these two make the Folder Options checkboxes for hidden files ineffective)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\shell\Open\command
    (Default) = c:\Program Files\Internet Explorer\IEXPLORE.EXE

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg\shell\Merge\command
    (Default) = (empty, so .reg files can no longer be merged into the registry)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
    AlternateShell = Explorer.exe %SystemRoot%\system32\060785.bat

  • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot
    AlternateShell = Explorer.exe %SystemRoot%\system32\060785.bat

  • HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot
    AlternateShell = Explorer.exe %SystemRoot%\system32\060785.bat
    (the dropper also runs in "Safe Mode with Command Prompt", which uses AlternateShell instead of the Winlogon shell)


 




How to clean this virus:

  1. Boot into Safe Mode. Note that the worm still starts there: normal Safe Mode honours the modified Winlogon "Shell" value, and "Safe Mode with Command Prompt" uses the modified SafeBoot "AlternateShell", so the dropper batch file is launched either way and the processes in step 2 still have to be killed first.

  2. Use a stand-alone task manager such as Itty Bitty Process Manager
     (recommended: http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html)
     and kill the following processes (see image 7):

     • C:\WINDOWS\Help\explorer.exe
     • C:\WINDOWS\system32\300403.exe
     • C:\WINDOWS\system32\aparaparsaparyangparipircapar.exe
     • C:\WINDOWS\system32\HacKid's.exe

     Identify them by their full path: the worm's copy is named explorer.exe, the same as the real Windows shell in C:\WINDOWS, so do not kill by name alone.

Image 7: killing the active virus processes with Itty Bitty Process Manager





  3. Delete the registry entries listed above, or save the following script as repair.inf (in Notepad choose "All Files" as the file type so it is not saved as repair.inf.txt), then right-click the file and choose Install:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; restore the default "open" commands for the executable file types
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
; a literal quote inside an INF string is written as two quotes
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
; put the Windows shell and the Safe Mode shell back to their defaults
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; show hidden files and file extensions again so the .rm.exe files can be seen
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
; the Windows default for SHOWALL\DefaultValue is 2 ("do not show hidden files"), not 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue,0x00010001,2

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, noboe
HKCU, Control Panel\Desktop, SCRNSAVE.EXE
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Classes\.reg\shell
HKLM, SOFTWARE\Classes\.txt\shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, NoDispScrSavPage
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig

     The .txt and .reg entries delete the whole "shell" subkey the virus created under those extensions; a clean system has no such subkey there (the real commands live under txtfile and regfile), so nothing legitimate is lost.



 





  4. Delete the virus files. They can be recognised by:

     • the "Real Player" icon
     • the extension *.exe
     • the size 129 KB

     Check the locations listed under "File Virus and Distribution", the "pilem lutchu" folder in My Documents, and every flash disk or external drive that has been connected to the computer, because the worm copies the folder there as well. Hidden files and file extensions become visible again once the registry has been repaired in step 3.
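Steps 2 to 4 can also be run as one script, in the same order, so that nothing is re-created while you work. The script below is an added example and not part of the original write-up: it stops the worm's processes by full image path (and the cmd.exe / wscript.exe instances running the .bat and .vbs droppers), installs the repair.inf from step 3 with the same command Explorer uses for right-click > Install, and then deletes the files and lure folders listed in the write-up. It assumes Windows PowerShell run elevated from Safe Mode, repair.inf saved as C:\repair.inf (an assumed location), and WMI for the process command lines and drive list; the function and variable names are the example's own.

```powershell
# Added example, not part of the original write-up: cleanup steps 2 to 4 as one script,
# in the write-up's order: stop the running copies, undo the registry changes, delete
# the files. Assumptions: Windows PowerShell run elevated from Safe Mode, repair.inf
# from step 3 saved at $RepairInf, WMI available (the parts that need it are skipped
# with a warning-free no-op if it is not), and the paths listed in the write-up.

$RepairInf = 'C:\repair.inf'   # assumed location of the repair.inf from step 3

$WormExes = @(
    "$env:SystemRoot\Help\explorer.exe",
    "$env:SystemRoot\system32\300403.exe",
    "$env:SystemRoot\system32\aparaparsaparyangparipircapar.exe",
    "$env:SystemRoot\system32\HacKid's.exe"
)
$DropFiles = $WormExes + @(
    "$env:SystemDrive\antiZionisme.rm.exe",
    "$env:SystemDrive\THE ROAD TO SYUHADA.ini",
    "$env:SystemRoot\system32\060785.bat",
    "$env:SystemRoot\system32\050587.vbs",
    "$env:SystemRoot\system32\appdata.vbs",
    "$env:SystemRoot\system32\run4.bat",
    "$env:SystemRoot\system32\oeminfo.ini"   # the worm's fake "Support Information"; OEM PCs ship a legitimate one
)
$DropperPattern = '060785\.bat|050587\.vbs|appdata\.vbs|run4\.bat'

function Stop-VbWormPec {
    # Step 2. Match on the full image path, never on the name: the worm's copy is called
    # explorer.exe, and killing by name would take the real shell down with it.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($p.Path -and ($WormExes -contains $p.Path)) {
            Write-Host "stopping $($p.Id) $($p.Path)"
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
    # cmd.exe / wscript.exe instances that are executing the .bat and .vbs droppers
    Get-WmiObject Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match $DropperPattern } |
        ForEach-Object { Write-Host "stopping $($_.ProcessId) $($_.CommandLine)"; [void]$_.Terminate() }
}

function Install-RepairInf {
    # Step 3. This is the command Explorer runs for right-click > Install on an .inf file.
    if (-not (Test-Path -LiteralPath $RepairInf)) { throw "repair.inf not found at $RepairInf" }
    & "$env:SystemRoot\system32\rundll32.exe" 'setupapi.dll,InstallHinfSection' DefaultInstall 132 $RepairInf
}

function Remove-VbWormPecFiles {
    # Step 4. -Force lets Remove-Item delete hidden and read-only copies as well.
    foreach ($f in $DropFiles) {
        if (Test-Path -LiteralPath $f) { Write-Host "deleting $f"; Remove-Item -LiteralPath $f -Force }
    }
    # "pilem lutchu" lure folders in My Documents and on every removable drive (DriveType 2)
    $roots = @([Environment]::GetFolderPath('MyDocuments'))
    $roots += Get-WmiObject Win32_LogicalDisk -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 2 } |
        ForEach-Object { $_.DeviceID + '\' }
    foreach ($r in $roots) {
        $lure = Join-Path $r 'pilem lutchu'
        if (Test-Path -LiteralPath $lure) { Write-Host "deleting $lure"; Remove-Item -LiteralPath $lure -Recurse -Force }
    }
}

Stop-VbWormPec
Install-RepairInf
Remove-VbWormPecFiles
```

Keep the order: if the files are deleted while a copy is still running, the worm writes them back, and if the registry is repaired before the processes are stopped, the Winlogon and screen-saver entries are re-created at the next idle timeout.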



11 comments:

free download lagu indonesia dan lyric lagu Indonesia said...

Sorry, I don't understand what it means....

Narutopedia Manga Chapter - Full Preview Naruto Series said...

Read Online Manga Naruto complete series along with updated chapters each week and downloaded freely to determine the plot of the exciting

Narutopedia Layout - Excellent Blogger Templates said...

Read Online Manga Naruto complete series along with updated chapters each week and downloaded freely to determine the plot of the exciting

Narutopedia Manga Chapter - Full Preview Naruto Series said...

Read Online Manga Naruto complete series along with updated chapters each week and downloaded freely to determine the plot of the exciting

Narutopedia Manga Chapter - Full Preview Naruto Series said...

Read Online Manga Naruto complete series along with updated chapters each week and downloaded freely to determine the plot of the exciting

Tutorial, Tips, Trick, Info. said...

This is the one that got stuck on my PC

dani said...

Great, with the explanation and the pictures it's easier to understand, thanks

Cara Shalat Nabi said...

Wow, looking at this makes me dizzy..

obat luka bakar said...

Thanks for the info, bro,, you'll get the novel back soon

Artikel Islami said...

Good info, thank you

raidid said...

Too long, please explain more briefly...