The presence of the W32/VBWorm.BEUA virus, better known as the virus that exploits the shortcut security hole, is quite disturbing. Although it is labeled a local virus, it does not rely only on user carelessness: it is ‘first class’ in its ability to break through Windows security holes.
Here are eight practical steps for removing the virus, which is capable of turning the folders on a USB flash disk into shortcuts, according to Taufik Adang Jauhar, an analyst with Vaksincom:
1. Turn off ‘System Restore’ temporarily during the cleaning process.
2. Decide which computer will be cleaned from the network.
3. Terminate the virus process that is active in memory using the tool ‘Ice Sword’. After the tool is installed, select the files that have the ‘Microsoft Visual Basic Project’ icon and click ‘Terminate Process’. Download the tool at http://icesword.en.softonic.com/
4. Delete the registry entry created by the virus:
-. Click [Start]
-. Click [Run]
-. Type RegEdit.exe, then click [OK]
-. In the Registry Editor application, browse to the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
-. Then delete the key that has the data [C:\Documents and Settings\%user%].
5. Disable Windows autoplay/autorun. Copy the script below into Notepad and save it with the name repair.inf, then install the file as follows: right-click repair.inf -> INSTALL
[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
6. Delete the parent file and the duplicate files created by the virus, including those on the flash disk. To speed up the search, you can use ‘Search’. Before searching, show all hidden files by changing the Folder Options settings.
Take care not to make a mistake when deleting the parent file and the duplicate files made by the virus. Delete the parent virus files, which have these characteristics:
-. Icon ‘Microsoft Visual Basic Project’.
-. File size 128 KB (other variants will have varying sizes).
-. File extension ‘.EXE’ or ‘.SCR’.
-. File type ‘Application’ or ‘Screen Saver’.
Then delete the duplicate shortcut files, which have these characteristics:
-. Folder icon or the icon
-. Extension ‘.LNK’
-. File type ‘Shortcut’
-. File size 1 KB
Also delete the .DLL files (example: ert.dll) and the Autorun.inf file on the flash disk or in shared folders. To keep the virus from becoming active again, delete the parent files with the EXE or SCR extension first, and then remove the shortcut (.LNK) files.
7. Unhide the folders that were hidden by the virus. To speed up the process, download the tool Unhide Files and Folders at http://www.flashshare.com/bfu/download.html.
Once it is installed, select the directory [C:\Documents and Settings] and the folders on the flash disk by moving them to the column provided. In the [Attributes] menu, clear all of the options, then click [Change Attributes].
8. Install the security patch ‘Microsoft Windows Shell shortcut handling remote code execution vulnerability - MS10-046’. Download the security patch at http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx
As usual, for optimal cleaning and to prevent reinfection, install and scan with up-to-date antivirus software that is able to detect this virus well.
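The file characteristics listed in step 6 can be checked with a short report-only script. This is an added example, not part of the Vaksincom procedure: the function names are hypothetical, it assumes Explorer shows sizes rounded up to whole KB, and it cannot check the icon, so every hit still needs manual review.

```python
from pathlib import Path

KB = 1024
PARENT_EXTS = {".exe", ".scr"}   # parent file extensions listed in step 6
PARENT_SIZE_KB = 128             # size given on the page; other variants differ
ORDER = {"parent": 0, "dropped": 1, "shortcut": 2}   # step 6 deletion order

def size_in_kb(n_bytes):
    """Size as Explorer would show it (assumption: rounded up to whole KB)."""
    return -(-n_bytes // KB)

def classify(path):
    """Return 'parent', 'dropped', 'shortcut' or None for one file."""
    ext = path.suffix.lower()
    kb = size_in_kb(path.stat().st_size)
    if ext in PARENT_EXTS and kb == PARENT_SIZE_KB:
        return "parent"
    if ext == ".dll" or path.name.lower() == "autorun.inf":
        return "dropped"
    if ext == ".lnk" and kb <= 1:
        return "shortcut"
    return None

def triage(root):
    """List suspect files under root: parents first, shortcuts last."""
    hits = []
    for path in Path(root).rglob("*"):   # also returns hidden files
        if path.is_file():
            kind = classify(path)
            if kind:
                hits.append((kind, path))
    return sorted(hits, key=lambda h: (ORDER[h[0]], str(h[1]).lower()))

if __name__ == "__main__":
    import sys
    # Report only; nothing is deleted. Pass the flash disk path as argument.
    for kind, path in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:8} {path}")
```

The report is ordered the way step 6 says to delete: EXE/SCR parents first, then the DLL and Autorun.inf files, then the .LNK shortcuts.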