Although FullHouse is not classified as a new virus in Indonesia, it cannot be denied that its spread is considerable. The virus is written in the Visual Basic programming language. When active, it creates a drive on the Desktop, in My Computer and in Control Panel which, when opened, shows a picture of "Han Ji Eun", the beautiful artist in the series Full House.
Norman Security Suite detects the Full House virus as AutoRun.GUB (see figure 1)
Figure 1. Norman Security Suite detects the FullHouse virus as AutoRun.GUB
FullHouse has the following characteristics:
- File size of "168 KB", with a "Date Modified" of 07-08-2009
- File type shown as "File Folder" although the file is actually an "Application", a result of registry manipulation
- The ".exe" file extension is not visible, because the virus adds the string "NeverShowExt" to the registry so that file extensions are not displayed
- Uses the folder icon
- Creates an additional drive named "FullHouse Drive" on the Desktop, in My Computer and in Control Panel (see figure 2)
Figure 2. AutoRun.GUB creates a drive named FullHouse Drive
- Clicking the drive shows the picture of the beautiful artist in the series Full House (see figure 3)
Figure 3. The photo of Han Ji Eun displayed when FullHouse Drive is clicked
1. When it runs, the virus creates a master file in the directory C:\RECYCLER (see figure 4)
Figure 4. Master file created by the FullHouse virus
2. It hides every folder on removable disks (flash disks, external hard disks, etc.) and creates a duplicate of itself named after each hidden folder, with the goal of leading the user to activate the virus (see figure 5)
Figure 5. Duplicate folders created to deceive the user
1. To keep its process running without the victim noticing, the virus blocks regedit and Task Manager with a fairly unique technique: it first runs a second application in the background, so that when the user tries to use these functions an error message appears (see figure 6)
Figure 6. Blocking the Windows registry function
2. To run automatically when the computer is turned on, the virus inserts a string into the registry so that it becomes active when Windows starts:
- HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, Task Manager
- HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, Task Manager
The registry string calls the file located in the master directory (see figure 7)
= C:\RECYCLER\S-1-5-21-1202660629-412668190-725345543-500\smss.exe
Figure 7. Master file that is active when Windows starts
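The two registry changes described above can be checked offline against a registry export. The following is an added example, not part of the original article or of any vendor tool; the function names and the sample export are constructed for illustration, and only the key paths, the "Task Manager" value name and the master file path come from the article.

```python
import re

# Suffix of the policy Run key the article lists under both HKLM and HKCU.
POLICY_RUN = r"\software\microsoft\windows\currentversion\policies\explorer\run"

# Constructed sample in .reg export format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Task Manager"="C:\\RECYCLER\\S-1-5-21-1202660629-412668190-725345543-500\\smss.exe"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"NeverShowExt"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
'''

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value is named ''."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and m:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])  # string value; other types stay raw
            current[name] = data
    return keys

def find_fullhouse_indicators(keys):
    """Flag the two registry changes the article attributes to the virus."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(POLICY_RUN):
            findings += [("run-from-recycler", path, n) for n, d in values.items()
                         if "\\recycler\\" in d.lower()]
        if low.endswith("\\exefile") and "NeverShowExt" in values:
            findings.append(("exe-extension-hidden", path, "NeverShowExt"))
    return findings
```

Exports written by regedit or `reg export` are UTF-16 text, so read a real file with `open(path, encoding="utf-16")` before passing its contents to `parse_reg_export`.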
The Virus Technique
The virus copies itself to removable media (flash disks, external disks), sets the original folders to hidden and replaces them with copies of itself that carry a folder icon, so that users think they are opening a folder when the file is actually the virus.
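The folder-duplication trick described above leaves a recognizable layout: an .exe file sitting beside a directory of the same name. The following is an added example, not part of the original article; the function names and the sample tree are constructed for illustration, and the 168 KB size is the one the article reports.

```python
import os
import stat

def find_folder_decoys(root):
    """List .exe files that share their base name with a sibling directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower(): d for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".exe" or stem.lower() not in siblings:
                continue
            exe = os.path.join(dirpath, fname)
            folder = os.path.join(dirpath, siblings[stem.lower()])
            # st_file_attributes exists only on Windows; elsewhere report False.
            attrs = getattr(os.stat(folder), "st_file_attributes", 0)
            findings.append({
                "decoy": exe,
                "real_folder": folder,
                "size_kb": -(-os.path.getsize(exe) // 1024),  # rounded up
                "folder_hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            })
    return findings

def build_sample_tree(root):
    """Create a constructed layout imitating an affected flash disk."""
    for folder in ("Photos", "Docs", os.path.join("Docs", "Reports")):
        os.makedirs(os.path.join(root, folder))
    files = {
        "Photos.exe": 168 * 1024,                         # decoy beside Photos/
        os.path.join("Docs", "Reports.exe"): 168 * 1024,  # decoy one level down
        "setup.exe": 4096,                                # no sibling folder
        os.path.join("Photos", "holiday.jpg"): 10,
    }
    for rel, size in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_folder_decoys(tmp):
            print(hit)
```

On Windows, point `find_folder_decoys` at the drive root (for example `E:\`); a hit with `folder_hidden` set and a size of 168 KB matches the article's description.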
How to Overcome the Virus
1. Scan the virus file located in the directory C:\RECYCLER with an antivirus that detects this virus well. Vaksincom uses Norman Security Suite (see figure 8).
Figure 8. Using Norman Security Suite to detect and eradicate the FullHouse virus.
2. After the scan has finished, the virus file is shown with the status delete (deferred), which means the file will be removed when Windows restarts
3. Click the Clean button and then Close; at that point Norman Security Suite will also ask to restart the computer (see figure 9)
Figure 9. Deferred Delete is a Norman feature for eradicating stubborn viruses that are difficult to delete.
4. Return the registry entries changed by the virus to normal: open Notepad, then copy the script below
[Version]
Signature="$Chicago$"
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands (section names are arbitrary labels)
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""

; Delete the autorun values and the NeverShowExt string added by the virus
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, Task Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, Task Manager
HKCR, exefile, NeverShowExt
5. Save it with the name "repair.inf", setting Save As Type to All Files
6. Run repair.inf by right-clicking it and selecting Install
7. Delete the files created by the virus, which have the following characteristics:
   - File type "Application"
   - Extension "exe"
   - Size 168 KB
8. To simplify the search for the virus files, use "Windows Search" with the filter *.exe for files that have a size of 168 KB and a date modified of 7/8/2008 (see figure 10)
Figure 10. Removing virus files using Windows Search
9. Then remove "FullHouse Drive" from the Desktop, My Computer and Control Panel
Figure 10. Removing FullHouse Drive from the Desktop, My Computer and Control Panel
Recovering the Hidden Folders on the Flash Disk
To show the hidden folders on the flash disk again, use the "attrib" command in the command prompt.
1. Click "Start"
2. Click "Run"
3. Type "CMD", then press "Enter"
4. Change to the flash disk drive; for example, if it is drive E, type E: and press "Enter"
5. Then type the command attrib -s -h -r /s /d and press "Enter" (see figure 11)
Figure 11. Showing hidden files
Good luck trying it, and hopefully this is useful. Keep blogging, and thank you to the magazine chip.co.id