จริงๆมันไม่ใช่ใวรัสซะทีเดียวหรอกนะครับ ถ้าจัดกลุ่มจริงๆมันอยู่ในกลุ่มของ worm หรือหนอนคอมพิวเตอร์ ส่วนชื่ออย่างเป็นทางการของหนอนตัวนี้คือ Win32/Sohanad worm ครับ
อาการของเครื่องที่ติดเชื้อของเจ้าหนอนตัวนี้คือคอมเครื่องนั้นๆจะพยามสร้างไฟล์ exe ตามชื่อโฟลเดอร์นั้นๆ มักจะพบกันบ่อยๆในเมมโมรี่การ์ดหรือแฟลชไดร์
ส่วนวิธีแก้ใขก็ตามข้อความด้านล่างนี้เลยครับ ขอขอบคุณ ŜŵŏĐńĩŴ สำหรับวิธีแก้ใขด้วยนะครับ
เปิด notepad ขึ้นมา
copy code นี้ลงไปใส่
Option Explicit
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(6), arrFiles(45)
Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & chr(92) & "system32" & chr(92)
strComp = "."
strLogs = ""
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "skcvhost.exe"
arrProcs(5) = "svichoost.exe"
arrProcs(6) = "systems.exe"
arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(8) = SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "SKCVHOST.exe"
arrFiles(15) = SysDir & "SKCVHOSTr.exe"
arrFiles(16) = SysDir & "SKCVHOSThk.dll"
arrFiles(17) = SysDir & "SCVHSOT.exe"
arrFiles(18) = SysDir & "SYSTEMS.exe"
arrFiles(19) = SysDir & "SYSTEMShk.dll"
arrFiles(20) = SysDir & "SYSTEMShk.dll"
arrFiles(21) = SysDir & "test1.exe"
arrFiles(22) = SysDir & "apps.dat"
arrFiles(23) = SysDir & "bpk.bin"
arrFiles(24) = SysDir & "bpk.dat"
arrFiles(25) = SysDir & "bpk.exe"
arrFiles(26) = SysDir & "bpkch.dat"
arrFiles(27) = SysDir & "bsdhooks.dll"
arrFiles(28) = SysDir & "inst.dat"
arrFiles(29) = SysDir & "inst.tmp"
arrFiles(30) = SysDir & "kw.dat"
arrFiles(31) = SysDir & "mc.dat"
arrFiles(32) = SysDir & "pk.bin"
arrFiles(33) = SysDir & "rinst.dat"
arrFiles(34) = SysDir & "rinst.exe"
arrFiles(35) = SysDir & "titles.dat"
arrFiles(36) = SysDir & "web.dat"
arrFiles(37) = SysDir & "web.dll"
arrFiles(38) = SysDir & "keystrokes.html"
arrFiles(39) = SysDir & "websites.html"
arrFiles(40) = SysDir & "chats.html"
arrFiles(42) = SysDir & "report.txt"
arrFiles(43) = SysDir & "SSVICHOSST.exe"
arrFiles(44) = SysDir & "nhatquanglan18.exe"
arrFiles(45) = SysDir & "nhatquanglan20.exe"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SKCVHOST"
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"
If strLogs <> "" Then
WScript.Echo "Winlogon...Restoration Winlogon value Explorer.exe: " & VBCrLf & VBCrLf & strLogs
strLogs = ""
End If
Sub setRegVal(Target, Value, Reg)
On Error Resume Next
WshShell.RegWrite Target, Value, Reg
If Err = 0 Then
strLogs = strLogs & ".. " & Target & " to " & Value & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub
Sub delRegVal(Target)
On Error Resume Next
WshShell.RegDelete Target
If Err = 0 Then
strLogs = strLogs & "Values deleted: " & Target & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub
Dim objWMI : Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Dim objFSO : Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
If Err = 0 Then
KillProcs
Set objWMI = Nothing
Set objFSO = Nothing
End If
Err.Clear
Sub KillProcs
' Variables
Dim objProc, objFile
Dim strFile, i
Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
For Each objProc in colProc
For i=0 to UBound(arrProcs)
If arrProcs(i) = LCase(CStr(objProc.Name)) Then
objProc.Terminate()
strLogs = strLogs & "Process arrested:" & arrProcs(i) & VBCrLf
Exit For
End If
Next
Next
Set colProc = Nothing
Set objProc = Nothing
For i=0 to UBound(arrFiles)
RemoveFile arrFiles(i)
Next
RemoveTmpFolder TmpDir
If strLogs <> "" Then
WScript.Echo "Scan underway: " & VBCrLf & VBCrLf & strLogs
End If
End Sub
Sub RemoveTmpFolder(Target)
On Error Resume Next
Dim tmpDir : Set tmpDir = objFSO.GetFolder(Target)
Dim tmpFolder, tmpFile
For Each tmpFile In tmpDir.Files
tmpFile.Attributes = 0
tmpFile.Delete
Next
For Each tmpFolder In tmpDir.SubFolders
RemoveTmpFolder tmpFolder.Path
tmpFolder.Attributes = 0
tmpFolder.Delete
Next
Set tmpDir = Nothing
Set tmpFolder = Nothing
Set tmpFile = Nothing
On Error Goto 0
End Sub
Sub RemoveFile(Target)
On Error Resume Next
If objFSO.FileExists(Target) Then
Dim objFile : Set objFile = objFSO.GetFile(Target)
objFile.attributes = 0
objFile.Delete
Set objFile = Nothing
strLogs = strLogs & "File Deleted: " & Target & VBCrLf
End If
On Error Goto 0
End Sub
WScript.Echo "End of cleaning."
WScript.Quit
save ไฟล์เป็น สกุล vbs
All files
Unicode
ปิด system restore
รันใน safe mode
โชคดีครับ
ที่มา
http://www.com-th.net/webboard/index.php?topic=59931.0
หัวข้อ: ไวรัส NewFolder.exe แก้ได้แล้วจ้า....... (อ่าน 15507 ครั้ง)