Pages

Thursday, August 13, 2009

The virus AutoRun.GUB

If the virus is busy local Indonesian artist uses as a means of social engineering to trick potential victims in order to run a virus file, the virus that this is a film series inspired by Korea FullHouse. And information as Han Ji Eun is not branded but the escalator in the main series is. Characteristic of this virus is to create one additional drive with the name FullHouse Drive, if the virus has a goal to help popularize FullHouse film in Indonesia, a clear action to include this action in the less responsible. If you have a high ability programming, Vaksincom encourage you to maintain your integrity, because even if you are a programmer with great integrity who doubt will find very difficult job because integrity is a fixed price in the world of work.
Although not classified FullHouse new virus in Indonesia, but can not be denied if the spread of this virus is quite knowledgeable. The virus is made using Visual Basic programming language that in the action will make the drive in the Desktop, My computer and Control Panel is open if the image will show "Han Ji Eun" beautiful artist in the series Full House.


Norman Security Suite detects virus Full House as AutoRun.GUB (see picture 1)


Figure 1. Norman Security Suite detects virus FullHouse as AutoRun.GUB

FullHouse have the characteristics of which are as follows:
  • Have a file size of "168 kb" with the "Date Modified" 07-08-2009
  • File type "File Folder" which is actually the "Application" with a technique to manipulate registry
  • File extension. "Exe" is not visible because the virus is to add the string "NeverShowExt" in the registry so the file is not displayed extesions
  • Using the folder icon
  • Create additional drive with the name "FullHouse Drive" on the Desktop, My Computer and Control panel (see picture 2)

    Figure 2. AutoRun.GUB make the drive with the name FullHouse Drive
    • If you click on the drive will show the beautiful images of the artist in the serial Fullhouse (see figure 3)

    Figure 3. Photo of Han Ji Eun will be displayed when clicking on the Drive FullHouse

    Infection techniques
    1. If it works on the virus will create a master file in the directory C: \ RECYCLER (see figure 4)


    Figure 4. Master file is created by the virus Fullhouse

    2. Hide any folder on the Removable Disk (flash, external hdd, etc.) Virus is a duplicate folder name according to the folder that has been hidden with the goal lead on the user to activate the virus. (see picture 5)


    Figure 5. Make a duplicate folder to deceive the user

    Defense Engineering

    1. In order to keep the process running in the unwitting victims of viruses is to block regedit and Task Manager with a technique that is unique enough to run a second application in the background first so that if a user function error message will appear (see figure 6)

    Figure 6. Blocking the function registry windows

    2. To be able to run automatically when the computer is turned on, insert the string in the virus so that the registry will be active when entering the windows
            - HKLM, SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Explorer \ Run, Task Manager
            - HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ Run, Task Manager

    String registry file is called that is on a parent directory (see figure 7)
            = C: \ RECYCLER \ S-1-5-21-1202660629-412668190-725345543-500 \ smss.exe


    Figure 7. File parent who is active at the time of entry windows


    The technique Virus

    Make duplicate file viruses on removable media disks (flash, external disk) with the (hidden) folder and replace original file with the virus that has a folder icon so that users will think to open the folder but the file is actually a virus.

    How Overcoming Virus

    1. Virus scan file is located in the directory C: \ RECYCLER with antivirus that can detect this virus with both. Vaksincom use Norman Security Suite. (see figure 8)

    Figure 8, Use Norman Security Suite to detect and eradicate the virus FullHouse.

    2. After the scan has finished there is a virus file delete the file status (defered) means the file will be removed when the windows restart
    3. Click the Close button Clean ago at the time of the Norman Security Suite also will ask to restart the computer (see figure 9)


    Figure 9. Deffered Delete Norman is a feature to eradicate the virus and difficult to be naughty in the delete.

    4. Normal re-registry has been created by the virus open Notepad then copy the script below

    [Version]
    Signature="$Chicago$"
    Provider=Vaksincom Oyee

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del

    [UnhookRegKey]
    HKCR, batfile\shell\open\command,,,"""%1"" %*"
    HKCR, comfile\shell\open\command,,,"""%1"" %*"
    HKCR, exefile\shell\open\command,,,"""%1"" %*"
    HKCR, piffile\shell\open\command,,,"""%1"" %*"
    HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
    HKCR, scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
    HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""
    HKLM, SOFTWARE\Classes\exefile,,,"Application"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""

    [del]
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, Task Manager
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, Manager Task
    HKCR, exefile, NeverShowExt
    HKCR, CLSID\{10020D75-0000-0000-C000-000000000000}
    HKLM, SOFTWARE\Classes\CLSID\{10020D75-0000-0000-C000-000000000000}
    5. Save with the name "repair.inf" select Save As Type to be All Files
    6. Repair.inf run with the right-click and select install
    7. Delete the file created by the virus with the following characteristics:
    8. File type "application"
    9. Extension "exe"
    10. Size 168 kb
    11. To simplify the process of searching the files of virus use "Windows Search" with the filter *. exe files that have a size of 168 KB and the date modified date 7/8/2008 (see figure 10)

    Figure 10. Remove virus file using windows search

    12. Then remove "FullHouse Drive" on the Desktop, My Computer and Contol Panel

    Figure 10. Remove fullhouse drive on the Desktop, My Computer and Contol Panel


    Recovery folder on the Flash Disk in the Hidden Past

    To show hidden folders back on the flash. Use the command "attrib" in the command prompt.
    1. Click "Start"
    2. Click "Run"
    3. Type "CMD", then press the "Enter"
    4. Move the directory to position Flash Disk drive, eg E command then type E: and press "enter"
    5. Then type the command attrib-s-h-r / s / d and press the "enter (see figure 11)

    Figure 11. Showing a hidden file 

    Congratulations to try and hopefully useful, keep blogging, thank you for the magazine chip.co.id