Friday, March 28, 2008

A Virus made by local students here in our Country

Recently before I've posted this topic. My computer infected by this virus called Black Pegasus this was made by a STI student in Agusan del Sur and made my computer acting weird, there are several side effects made by this virus:

1. the virus is hidden in the Task Manager/Process
2. Disables Task Manager, Safe Mode, Folder Option(might be), Run
3. It kills the process of your anti-virus
4. can't detect by known anti-virus
5. etc. or other effects

friendster: click here
blog: click here
Note: be sure nakalogin ang account nyo sa friendster. NakaOverlay kasi ang profile nya kaya di nyo maview kapag hindi kayo nakalogin.

Virus includes these files: svchost.exe, transmit.exe, isetup.exe, autorun.inf, diffuse.dat, p3g4sus.dat


Virus Directories:
- X: (X is the letter of the drives) - isetup.exe,autorun.inf,pegasus.txt,transmit.exe
- C:\WINDOWS\Systen32 - a fake svchost.exe can be found here
- C:\WINDOWS\System32 - isetup.exe,transmit.exe,diffuse.dat and p3g4sus.dat can be found here

Procedure on how to stop the virus:

1. Disable/Turn off System Restore.
- virus will back up by windows every time you boot up your computer
2. Download these utilities:
- TuneUp Utilities 2008 - http://www.tune-up.com
- RRT (Remove Restriction Tool) - http://www.sergiwa.com
- PRT (Perlovga Removal Tool) - http://www.sergiwa.com
- this tools will help you a lot, PRT tool may help you remove autorun.inf in you drives
3. Run RRT.exe, Check All then Remove All, minimize it on the systray then Enable AutoRemove and AutoStart.
- RRT.exe or Remove Restriction Tool this program may help you by removing restrictions in your computer for example, Hidden Files, Disable TaskManager, Run, Folder Options, Registry Tool, etc.
4. Once TuneUp Utilities installed in your computer, Run TuneUp Process Manager and kill
SVCHOST.exe (be sure the location of it is in C:\WINDOWS\Systen32).

- Windows TaskManager shows only visible normal processes, TuneUp Process Manager shows all the processes running in your computer including virus process.
5. Delete the virus files name : autorun.inf, transmit.exe, isetup.exe, autorun.inf, svchost.exe. Found in these directories - C:\WINDOWS\Systen32,C:,D:(if you have partition drives), Flash USB Storage Disk,iPod,etc.
- Now the virus process were killed by TuneUp and RRT removes restrictions, it's the time to remove the viruses left manually or if you want automatic follow the next step
6. Or can be removed by Updated AVG AntiVirus.
- I recommend to use AVG AntiVirus to scan your computer or you might use other anti-virus.
7. Check everything if the virus comes back in the directories I've mention or run TuneUp 1-step Maintenance or any Registry cleaner tools.
- After cleaning the virus. In the registry might have changed left by the virus, to clean it use TuneUp 1-step Maintenance it will allow you to automate the task to scan, repair the registry or you will use other registry cleaner tools.
- After wiping out the virus double check if the virus still there by manually look out in the virus directories I've mentioned above. And use PRT tool to remove autorun.inf in your infected drives.
8. Celebra8 you've kick out the virus in your computer.
- Cheers. Mission Accomplished.

Note: If not succeeded by this steps, go to this link

Tips:

1. Avoid inserting your USB drive in not trusted internet cafe or computers don't have any antivirus programs or any internet security programs.
2. If you feel that your USB drive is infected and inserted in your computer, Just don't click directly the drive of your USB in your My Computer this might the virus will run automatically and spread infections in your computer. There are many ways to access your drive, might give it a try:
- in the My Computer, right-click your USB drive then Open.
- click Start>Run, type command.exe or cmd.exe or cmd, then on the command prompt window type "start " (ex. start E:).
- in your Windows Explorer, click on the Address Bar then type the drive letter or your USB drive or your drive and press Enter OR click the drop-down arrow to pull-down the drop-down box.
3. Use the command attrib in the Windows Command Prompt:
- command: attrib +/- S H A R
+ Sets an attribute
- Clears an attribute
S System Hide Attribute
H Hidden Attribute
A Archive Attribute
R Read-only Attribute
- usage:
attrib -s -h autorun.inf
definition:
it will allow you to see the file autorun.inf in the drive. removes the systemhide attribute and hidden attribute

I added tips for some of you guys to avoid infection in your computer.

No comments: