Completely Eradicating the Sality Virus

Posted in Foreign Viruses on Jan 31, 2012

Sality is a polymorphic PE-infector virus that infects executable (".exe") files. The virus, whose original name is w32.Hllp.KukuJoker, is a frequent complaint among computer users around the world; in Indonesia in particular, very many users have reported being infected by it.

The origin of this virus is still unclear; the current assumption is that it comes from China. Besides its ability to infect executable files, the virus also has rootkit capabilities, so not only is it hard to remove from the system, the infected files are also fairly hard to repair. Using some removal tools and antivirus products can sometimes even damage infected files or delete them outright.

Several foreign antivirus products detect this virus as:

  • Malware.Sality [PCTools]
  • W32.Sality!dr [Symantec]
  • Virus.Win32.Sality.bh [Kaspersky Lab]
  • W32/Sality.dr [McAfee]
  • Troj/SalLoad-C [Sophos]
  • Virus:Win32/Sality.AT [Microsoft]
  • Win32.SuspectCrc [Ikarus]
  • Win32/Kashu.E [AhnLab]

Virus Characteristics

At first glance there is not much difference between an infected file and an uninfected one; the only visible difference is that the file size grows beyond its pre-infection size, usually by only a few KB. The difference can be seen in the image below.

When an infected file is run it still runs as usual, so the user does not suspect that the file they launched is infected, while behind the scenes the virus has already settled into the system.

The technique Sality uses is to redirect the file's original EntryPoint to the virus's own EntryPoint: when the file is run the virus becomes active first, and only then passes control on to the original EntryPoint of the infected file, so the program appears to run normally.

When active, the virus creates several host files on the system:

  • %Windir%\system32\drivers\<acak>.sys

The virus extracts a driver file from its own body and drops it on the system under a random name; this driver is used to hide on the system. Examples: amsint32.sys and iirktn.sys

  • %Windir%\System.ini

    [MCIDRV_VER]
    DEVICEMB=<random number>

  • HKCU\Software\<Random>

The virus adds a new registry key with a random name, for example "HKCU\Software\Avcgr"; the key it creates also carries certain routines of its own.

  • Mutex

The virus creates a mutex in every running process; this marks that the virus thread is already active in that process. The mutex it creates resembles the name of the process it rides in:

<Process Name>M_<Process PID>_

example: svchost.exeM_2168_

  • Firewall

On an infected computer the virus adds a new rule to the list of allowed ports; the virus uses this so that the Windows firewall does not block the connections it is about to make.

  • Downloading other virus components

If the victim's computer has an internet connection, the virus tries to download other virus components from several sites predetermined by its author.

Infection of Executable & Screen Saver Files

The virus searches every drive of the victim's computer for files with the ".exe" and ".scr" extensions; when it finds one, it infects it by redirecting the original EntryPoint to the virus's EntryPoint.

Sality can check whether the file it is about to infect is protected by the system; if it is, Sality leaves it alone, as with files protected by Windows File Protection (WFP) or System File Checker (SFC).

Infection of Removable Drives & Networks

Unlike the infection technique of earlier variants, this Sality variant uses the Autorun feature to speed up its spread. The Autorun file used by the virus has a random name and extension (exe or pif), such as xvftea.exe or xvftea.pif, and its size is around 100 – 101 KB.

On the network the virus also infects every folder that grants FULL ACCESS (Read & Write) by creating a shortcut exploit that activates as soon as a user enters the folder containing it.

Deleting Files

Sality searches for files with the ".VDB" and ".AVC" extensions and deletes them immediately when found. These extensions are commonly used by some antivirus products to store their virus databases.

Blocking Websites

Sality blocks websites or domains that contain words such as:

upload_virus, sality-remov, virusinfo, cureit, drweb, onlinescan, spywareinfo, ewido, virusscan, windowsecurity, spywareguide, bitdefender, pandasoftware, agnmitum, virustotal, sophos, trendmicro, etrust.com, symantec, mcafee, f-secure, eset.com, kaspersky, etc.

Deleting Registry Keys

To protect itself, the virus deletes several registry keys that it considers a threat to its survival.

  • HKCU\System\CurrentControlSet\Control\SafeBoot
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  • HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileList
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

The effect of deleting the keys above is that the user can no longer enter SAFE MODE.

Blue screen when entering SAFE MODE

It also sets the registry so that hidden files are not displayed

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2

In addition, Sality locks access to Task Manager & Registry Tools

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001
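As an added defender's example (not part of the original post, nor of any Smadav or Kaspersky tool), the Python below runs an offline triage over constructed sample data for three indicators described above: the [MCIDRV_VER] DEVICEMB marker in System.ini, the <Process Name>M_<PID>_ mutex shape, and the tampered registry values plus the deleted SafeBoot key. The registry paths and the mutex format are taken from the post; the System.ini text, mutex list and registry snapshot are constructed inputs standing in for data collected from a live host.

```python
import re
from configparser import ConfigParser

# Mutex shape from the post: "<process name>M_<PID>_", e.g. svchost.exeM_2168_
MUTEX_RE = re.compile(r"^(?P<proc>.+)M_(?P<pid>\d+)_$")

# Registry values the post says Sality sets (path -> value after infection)
POLICY_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": 2,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools": 1,
}
# Of the SafeBoot keys the post lists, only the HKLM one exists on a clean
# install, so only its absence is a usable signal.
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"

def check_system_ini(text):
    """True if the System.ini text carries the [MCIDRV_VER] DEVICEMB marker."""
    cp = ConfigParser(strict=False, allow_no_value=True)  # real System.ini files are loose
    cp.read_string(text)
    return cp.has_option("MCIDRV_VER", "DEVICEMB")

def find_sality_mutexes(names):
    """Return (process, pid) for every mutex name matching the Sality shape."""
    hits = []
    for name in names:
        m = MUTEX_RE.match(name)
        if m:
            hits.append((m.group("proc"), int(m.group("pid"))))
    return hits

def check_registry(values, present_keys):
    """values: {path: int} snapshot of DWORDs; present_keys: set of existing key paths."""
    findings = [f"{p} = {v}" for p, v in POLICY_VALUES.items() if values.get(p) == v]
    if SAFEBOOT_KEY not in present_keys:
        findings.append(f"missing {SAFEBOOT_KEY}")
    return findings

def triage(system_ini, mutexes, reg_values, reg_keys):
    """Combine the three checks into one list of human-readable findings."""
    findings = []
    if check_system_ini(system_ini):
        findings.append("System.ini has [MCIDRV_VER] DEVICEMB marker")
    for proc, pid in find_sality_mutexes(mutexes):
        findings.append(f"Sality-style mutex in {proc} (PID {pid})")
    return findings + check_registry(reg_values, reg_keys)

# Constructed sample data standing in for artifacts collected from an infected host
SAMPLE_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n[MCIDRV_VER]\nDEVICEMB=4139214\n"
SAMPLE_MUTEXES = ["svchost.exeM_2168_", "explorer.exeM_1440_", "ShimCacheMutex"]
SAMPLE_REG_VALUES = dict(POLICY_VALUES)  # all three policy values tampered
SAMPLE_REG_KEYS = set()                  # HKLM SafeBoot key already deleted

if __name__ == "__main__":
    for line in triage(SAMPLE_SYSTEM_INI, SAMPLE_MUTEXES, SAMPLE_REG_VALUES, SAMPLE_REG_KEYS):
        print("[!]", line)
```

A clean host yields an empty list; any finding is a reason to run the removal steps that follow.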

Cleanup Procedure

1. To clean this virus completely, download the Sality removal tool from Kaspersky below:

Contents of the Sality Killer download

2. Then extract all the files in the ZIP into a new folder and run the SalityCure.bat file

3. Once run, the scanning process starts immediately. Please note: WHILE THE CLEANING PROCESS IS RUNNING, NEVER RUN ANY APPLICATION BEFORE THE CLEANING PROCESS FINISHES, to prevent the virus from reactivating if an infected file that has not yet been cleaned is run.

Cleaning process in progress

4. Finally, use the latest Smadav revision to repair the registry damaged by Sality.

Tick the folders and drives to be scanned, and also remember to tick the System Area Deep (Over 1500 registry values) option to repair the registry damaged by the virus, then press the SCAN button

Wait until the repair process finishes; if a message dialog like the one above appears, press OK and finally press the Bersihkan (Clean) button

Then restart the computer

!!! OK, good luck !!!
