Dear fellow IT-ers,

I would appreciate any information on how to remove the Almanahe virus, and on
scanners or removal tools for it.


Thank you in advance for your attention. Below is a description of the virus:


Virus Characteristics


W32/Almanahe.c is a polymorphic parasitic worm that infects Win32 executable
files (*.exe) and can also download and execute additional malware.

Upon execution, it drops the following file(s):

*       %Windir%\linkinfo.dll (W32/Almanahe.dll) 
*       %Windir%\System32\drivers\nvmini.sys (W32/Almanahe.sys) 
*       %Windir%\System32\drivers\IsDrv118.sys (W32/Almanahe.sys) 
*       C:\boot.exe (W32/Almanahe) 

(Where %Windir% is the Windows folder, e.g. C:\Windows. A legitimate copy of
linkinfo.dll usually resides in %Windir%\system32\linkinfo.dll.)

These files are hidden by the rootkit component (W32/Almanahe.sys). The .DLL
file is then injected into the running Windows Explorer process (Explorer.exe),
and the .SYS file is installed as a service, creating the following registry
key(s):

*       HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
*       HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RioDrvs\"DisplayName" = "nvmini"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"ImagePath" = "system32\drivers\nvmini.sys"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs\"DisplayName" = "nvmini"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\Control\"ActiveService" = "nvmini"
*       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\Root\LEGACY_RIODRVS\0000\"Service" = "nvmini"

It can contact the following site(s) to notify the malware owner, receive
instructions and download further malware:

*       kr.sb941.com 
*       k.sb941.com 
*       info.sb941.com 
*       down.91tg.net 

Other general characteristics of the W32/Almanahe family are described at:

*       http://vil.nai.com/vil/content/v_142021.htm


Indications of Infection


*       Presence of the files and registry keys mentioned. 
*       Increase in file size in existing executable files. 
*       Unexpected network connections to the mentioned site(s). 
*       Unexpected access to network shared folders. 


Method of Infection


W32/Almanahe.c is a polymorphic parasitic worm that propagates by infecting
Win32 executable files (*.exe) on local and removable drives and on network
shares.
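Added example, not part of the original message or of the McAfee description: a small Python checker that reads a regedit .reg export and a list of file paths and reports the RioDrvs/nvmini registry entries and dropped files listed above, while leaving the legitimate %Windir%\System32\linkinfo.dll alone. It assumes a simplified .reg export in which ImagePath and other values appear as quoted strings (a real export writes REG_EXPAND_SZ values as hex(2) data), and the sample export below is constructed, not taken from a real machine.

```python
import re

# Indicators copied from the W32/Almanahe.c description quoted above.
DROPPED_FILES = [r"%Windir%\linkinfo.dll", r"%Windir%\System32\drivers\nvmini.sys",
                 r"%Windir%\System32\drivers\IsDrv118.sys", r"C:\boot.exe"]
DRIVER_NAMES = {"nvmini.sys", "isdrv118.sys"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"\s*$')

def parse_reg_export(text):
    """Parse a simplified regedit .reg export into {key: {value_name: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group("key")
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            # .reg files escape backslashes as "\\"; undo that for path matching.
            keys[current][m.group("name")] = m.group("val").replace("\\\\", "\\")
    return keys

def find_registry_indicators(reg_text):
    """Return sorted (key, reason) pairs that match the RioDrvs/nvmini entries."""
    hits = set()
    for key, values in parse_reg_export(reg_text).items():
        low = key.lower()
        if low.endswith("\\services\\riodrvs") or "\\legacy_riodrvs\\" in low:
            hits.add((key, "RioDrvs service/enum key present"))
        image = values.get("ImagePath", "").rsplit("\\", 1)[-1]
        if image.lower() in DRIVER_NAMES:
            hits.add((key, "ImagePath points at " + image))
        for name in ("DisplayName", "Service", "ActiveService"):
            if values.get(name, "").lower() == "nvmini":
                hits.add((key, name + ' = "nvmini"'))
    return sorted(hits)

def find_dropped_files(paths, windir=r"C:\Windows"):
    """Flag exact (case-insensitive) matches of the dropped-file paths only."""
    targets = {p.replace("%Windir%", windir).lower() for p in DROPPED_FILES}
    return [p for p in paths if p.lower() in targets]

# Constructed sample export (not data from a real system) to exercise the checks.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"ImagePath"="system32\\drivers\\tcpip.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs]
"DisplayName"="nvmini"
"ImagePath"="system32\\drivers\\nvmini.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS\0000]
"Service"="nvmini"
'''
```

On a real machine, export the Services and Enum\Root hives with regedit (or `reg export`) and feed the text to find_registry_indicators; the benign Tcpip entry in the sample shows that ordinary drivers produce no hits.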

Best Regards,

endang 

-- 
www.itcenter.or.id - Indonesian Information Technology Community