Warning : Infectious Virus in the Computer Folder Love

Now present a new virus identified as Norman Virus Control Autorun.QBP. Virus using virus-shaped icon folder called "Folder Love" and have an empty file "khq" in it. Virus Autorun.QBP created using Autoit script and in-kompress using UPX Unpacker.

Following characteristics according to the virus Autorun.QBP Vaksin.com:


1. Using the icon "Cinta.exe Folder", type Application with the size of 793KB
2. Show the file name [namaacak]. Exe in every folder and the network share, also in the flash
3. There is an empty file system called "khq" on each drive also, in the network or in the flash
4. Show the file name "csrcs.exe" in memory, which can be seen in the task manager's Process tab.
5. Show the name of the file "C: \ WINDOWS \ system32 \ csrcs.exe" in memory size of 793KB
6. Show the name of the file "C: \ WINDOWS \ system32 \ Autorun.inf"
7. Can not display the file that has been hidden, even though the "Folder Options" already appear many times
8. Make changes in the registry:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Window s \ CurrentVersion \ policies \ Explorer \ Run
csrcs = C: \ WINDOWS \ system32 \ csrcs.exe

9. To protect and remain active on the windows, will make in the registry:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
Shell = Explorer.exe csrcs.exe

How to clean the virus:
1. Disconnect the computer from the network, turn off System Restore
2. Open the "Task Manager" with CTR + Alt + Del to kill the process [End Process] on the virus "csrsc.exe" active
3. Delete the file Autorun.QBP virus, which is in C: \ WINDOWS \ system32, the name csrsc.exe the size of 793 KB and Autorun.inf sized 1 KB.
4. Use search to find the virus file size 793 KB, and berextension exe file type and application khq in the drive.
5. Delete the registry string is created by the virus. To facilitate the registry can use the script below.
[Version]
Signature = "$ Chicago $"
Provider = Vaksincom Oyee

[DefaultInstall]
AddReg = UnhookRegKey
DelReg = del

[UnhookRegKey]
HKLM, SOFTWARE \ Classes \ batfile \ shell \ open \ command,,, "" "% 1"% * "
HKLM, SOFTWARE \ Classes \ comfile \ shell \ open \ command,,, "" "% 1"% * "
HKLM, SOFTWARE \ Classes \ exefile \ shell \ open \ command,,, "" "% 1"% * "
HKLM, SOFTWARE \ Classes \ scrfile \ shell \ open \ command,,, "" "% 1"% * "
HKLM, SOFTWARE \ Classes \ piffile \ shell \ open \ command,,, "" "% 1"% * "
HKLM, SOFTWARE \ Classes \ regfile \ shell \ open \ command,,, "regedit.exe"% 1 "
HKLM, SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon, Shell, 0, Explorer.exe

[del]
HKLM, SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Expl orer \ Run


6. Use the notepad, then save with the name "repair.inf" (use the Save As Type option to be All Files so that the error does not occur). Repair.inf run with the right click, then select [install].
7. Users can use the Norman Malware Cleaner (normanasa.vo.llnwd.net/o29/public/Norman_Malware_C leaner.exe), Norman Security Suite or Norman Endpoint Protection (Corporate User) to eradicate this virus.

>