Virus Surabaya

03 April 2009

Virus Surabaya in my birthday - W32/Drowor.worm

Overview -
W32/Drowor.worm may be sent around under the deceptive filename Google Earth .scr.

It shows this message:
Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti......

Symptoms -
Modified autoexec.bat to display a message upon system start: "Don't kill me, i'm just send message from your computer"
Your folder has a file size of 40K
Modified PE binary files

How to remove Surabaya Virus

Symptoms -
# Modified autoexec.bat to display a message upon system start: “Surabaya is my birthday”….."Don't kill me, i'm just send message from your computer"…and then some blah - blah in some Thai language I guess.
# Your folder has file size 40K
# All your hard disk partitions become autorun: if you right click on any partition or drive letter, it gives the “autorun” option instead of “open”.
# All your existing original folders become hidden and are replaced by a dummy folder with the same name but a size of 40KB. If you right click on any file, the menu that opens shows options such as “test” and “configure”, but no “open” option.
Removal Steps:

Step 1:
Press Start -> Run -> cmd (or command) -> press Enter
Type in command box- cd\
Type again in command box- c:
Type again in command box- attrib -s -h -r /d /s -> press Enter
Type again in command box- del autorun.inf -> press Enter
Type again in command box- del thumb*.* -> press Enter

Repeat the same on your other hard drive partitions as well. For example, if you have 3 drive partitions, “C”, “D” and “E”:

Type again in command box- d:
Type again in command box- attrib -s -h -r /d /s -> press Enter
Type again in command box- del autorun.inf -> press Enter
Type again in command box- del thumb*.* -> press Enter
Type again in command box- e:
Type again in command box- attrib -s -h -r /d /s -> press Enter
Type again in command box- del autorun.inf -> press Enter
Type again in command box- del thumb*.* -> press Enter

If you have any USB hard drive or pen drive connected, do the above procedure with its drive letter. For example, if your USB drive letter is “G”:

Type again in command box- g:
Type again in command box- attrib -s -h -r /d /s -> press Enter
Type again in command box- del autorun.inf -> press Enter
Type again in command box- del thumb*.* -> press Enter
Type again in command box- exit

Step 2:
Press Start -> Run -> regedit ->press Enter
Click on following (in left side window):
“HKEY_LOCAL_MACHINE” -> “SOFTWARE” -> “Microsoft” -> “Windows NT” -> “CurrentVersion” -> “Winlogon”.
Now on the right side window (under data) delete “LegalNoticeCaption” & “LegalNoticeText”.

Step 3:
Go to Start menu -> Programs -> Accessories -> System Tools -> System restore
This will open a box with the option “Restore my system to an earlier time”. Select any old date on which you think your system was working fine, then keep clicking Next until the system restore starts.
System restore takes a few minutes to complete, depending on your computer speed, so be patient. After system restore completes, your computer will restart and the problem should be solved.

Step 4:
Press Start -> Run -> regedit ->press Enter
Press Ctrl + F
In the Find window type Surabaya. If you find any entries in the registry with the name “Surabaya”, delete them.

Step 5:
This virus disables the “show hidden files” option in your system’s folder options menu. To make your computer show hidden files again and get it back to normal:
Start -> Run -> regedit -> OK
HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows ->
CurrentVersion -> Explorer -> Advanced -> Folder -> Hidden -> SHOWALL
On the right side window, locate this: CheckedValue = "0"
Modify this value to 1 (right click on CheckedValue under the Name column -> Modify).

Note:
This virus usually reaches your computer through a USB drive (pen drive or hard disk). Whenever you plug your USB drive into a computer infected with this virus, the virus infects the drive, and the drive then infects the next computer it is plugged into. So it is always advisable not to open the pen drive directly. Instead, always right click on the drive and select the “open” option. If the first option you see after right clicking on the USB drive is “autorun”, the drive is infected.
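
The Note above relies on the right-click menu to spot an infected drive. As an added example (not part of the original post), this Python script reads a drive root without opening it in Explorer and lists what autorun.inf would launch, plus any thumb*.* files that Step 1 would delete. The sample file contents and file names in it are constructed placeholders.

```python
import fnmatch
import os
import sys

# Constructed sample for illustration; the file names are placeholders.
SAMPLE_INF = """[AutoRun]
; constructed example, not from a real sample
open=thumb.example.exe
shell\\autorun\\command=thumb.example.exe
icon=folder.ico
"""

def launch_entries(inf_text):
    """Return (key, command) pairs from [autorun] that start a program."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open / shellexecute run on AutoPlay; shell\<verb>\command adds a menu verb
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            entries.append((key, value))
    return entries

def audit_drive_root(root):
    """Report autorun.inf launch entries and thumb*.* files in one drive root."""
    report = {"autorun": [], "thumb_files": []}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == "autorun.inf":
            with open(path, "r", encoding="latin-1") as fh:
                report["autorun"] = launch_entries(fh.read())
        elif fnmatch.fnmatchcase(name.lower(), "thumb*.*"):
            report["thumb_files"].append(name)
    return report

if __name__ == "__main__":
    # Usage: python audit_autorun.py G:\   (no argument: parse the constructed sample)
    print(audit_drive_root(sys.argv[1]) if len(sys.argv) > 1 else launch_entries(SAMPLE_INF))
```

Run it against each drive letter before Step 1 to see what will be removed. The thumb*.* pattern also matches Windows' own Thumbs.db thumbnail cache, so expect that name on clean drives too.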
