Tuesday, September 13, 2011

How to Remove the Stuxnet Virus That Fills Up Your Hard Drive

The Stuxnet virus that fills up your hard drive

Internet users should be cautious when visiting websites that advertise pornographic content or when downloading software cracks, because the downloaded file may turn out to be the "Stuxnet" trojan.

If you have already run the file, "Stuxnet" has infected the computer and creates the following files:

- C:\WINDOWS\system32\winsta.exe
- C:\WINDOWS\system32\drivers\mrxcls.sys
- C:\WINDOWS\system32\drivers\mrxnet.sys

The file "winsta.exe" is made to swell until it takes up all the remaining hard disk space, so that the drive becomes full (usually the C: drive, where the operating system is installed). The files mrxcls.sys and mrxnet.sys are the active components used to infect other computers and connected devices (such as USB flash / removable drives).

Winsta.exe is actually a legitimate, useful Windows file: WinStation Monitor, one of Microsoft's tools used on Windows 2000 to monitor Terminal Services client sessions. The legitimate file is located in C:\Program Files\Resources\winsta.exe.

Further details are in the following article: http://support.microsoft.com/kb/320190

Some of the symptoms and effects that occur if you are infected with the "Stuxnet" trojan are as follows:

- The hard disks of computers on the network fill up and they suddenly get a "Low Disk Space" warning. The file winsta.exe grows to match whatever hard drive space you have left (on the C: drive or the system drive).

Image: the winsta file grows to match the remaining hard drive space.

- Because the remaining hard drive space is used up, Windows shows a notification informing you that the hard drive is out of space.

Image: the "Low Disk Space" warning caused by winsta swelling until it uses up the remaining hard drive space.

- Because the hard disk is full, you can no longer save data or run programs that need free disk space or use a cache.

- The computer seems to hang or run slowly, and if you are connected to the network, the connection drops. This is because "Stuxnet" infects the computer's system files. Some Windows system files that fall victim to the infection are:

1. Svchost: the file associated with network connections; infecting it cuts off the network connection.
2. Lsass: infecting this file makes the computer hang, slow down and restart by itself.
3. Spoolsv: infecting this file means you can no longer print through the printer.

HOW THE VIRUS SPREADS

The "Stuxnet" trojan spreads mostly through USB drives or network shares with full access. The trojan infects the computer automatically by creating two files that are executed, namely:

- ~WTR[random_number].tmp
- ~WTR[random_number].tmp

WINDOWS REGISTRY MODIFICATIONS

Some of the registry modifications made by the virus "Bekol" are as follows:

- Registry keys added

o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
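Before cleaning, it helps to confirm whether a machine actually shows the indicators described above (the dropped files, the swollen winsta.exe, the nearly full system drive, the registry keys, the loaded drivers, and the ~WTR*.tmp files on removable drives). The following PowerShell triage script is an added example, not part of the original post or of Vaksincom's tools. It only reports and changes nothing. The file paths, service names and the ~WTR*.tmp pattern come from the article itself; the use of %SystemRoot% instead of a hard-coded C:\WINDOWS, the 50 MB size threshold and the 100 MB free-space threshold are assumptions. Run it from an elevated Windows PowerShell prompt on the suspect machine.

```powershell
# Added triage script (not from the original post). Read-only: it reports, it does not delete.
# Assumptions: %SystemRoot% is the Windows directory; 50MB / 100MB thresholds are arbitrary.
$findings = @()
$sysRoot  = $env:SystemRoot      # normally C:\WINDOWS
$sysDrive = $env:SystemDrive     # normally C:

# 1. Files the article says the trojan drops
$iocFiles = @(
    "$sysRoot\system32\winsta.exe",
    "$sysRoot\system32\drivers\mrxcls.sys",
    "$sysRoot\system32\drivers\mrxnet.sys"
)
foreach ($f in $iocFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += "File present: $f ($($item.Length) bytes, attributes $($item.Attributes))"
    }
}

# 2. The "explosive" winsta.exe: the article says it swells until the system drive is full,
#    so flag an oversized file and a nearly full system drive.
$winsta = "$sysRoot\system32\winsta.exe"
if ((Test-Path -LiteralPath $winsta) -and ((Get-Item -LiteralPath $winsta -Force).Length -gt 50MB)) {
    $findings += "winsta.exe is abnormally large for a WinStation Monitor binary"
}
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
if ($disk -and $disk.FreeSpace -lt 100MB) {
    $findings += "System drive $sysDrive nearly full: $($disk.FreeSpace) bytes free"
}

# 3. Registry keys from the article's registry section
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxCls',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxNet',
    'HKLM:\SYSTEM\ControlSet001\Services\MRxCls',
    'HKLM:\SYSTEM\ControlSet001\Services\MRxNet',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        $line  = "Registry key present: $k"
        if ($props -and $props.ImagePath) { $line += " (ImagePath: $($props.ImagePath))" }
        $findings += $line
    }
}

# 4. Are the drivers actually registered/running? A dropped .sys only matters if it loads.
$drivers = Get-WmiObject Win32_SystemDriver -Filter "Name='MRxCls' OR Name='MRxNet'"
foreach ($d in $drivers) {
    $findings += "Driver registered: $($d.Name) state=$($d.State) path=$($d.PathName)"
}

# 5. ~WTR*.tmp droppers on removable drives (DriveType 2), the spreading path the article names
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($r in $removable) {
    $hits = Get-ChildItem -Path ($r.DeviceID + '\') -Filter '~WTR*.tmp' -Force -ErrorAction SilentlyContinue
    foreach ($h in $hits) { $findings += "Dropper on removable drive: $($h.FullName)" }
}

if ($findings.Count -eq 0) {
    'No indicators from the article were found.'
} else {
    'Indicators found:'
    foreach ($line in $findings) { " - $line" }
}
```

Because the script only reads, it is safe to run before and after the cleaning steps that follow: a second run with no findings is a quick check that the files, keys and drivers are really gone.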

VIRUS CLEANING

The steps to take to clean the virus "Bekol" are as follows:
- Clean the virus with the Dr.Web CureIt removal tool. You can download it from the following link:

www.freedrweb.com/download+CureIt/


Image: using Dr.Web CureIt to detect and eradicate Stuxnet.

- Repair the Windows registry that was modified by the virus, with the following steps:

o Copy the script below using WordPad. Click [Start] → [All Programs] → [Accessories] → [WordPad].

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Show hidden and system files and file extensions in Explorer again
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001, 1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001, 1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001, 0
; Restore the default "open" commands for executable file types ("%1" %*)
HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
; Restore the default Windows shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"

[del]
; Service and driver registration keys created by the trojan (the keys listed above)
HKLM, SYSTEM\CurrentControlSet\Services\MRxCls
HKLM, SYSTEM\CurrentControlSet\Services\MRxNet
HKLM, SYSTEM\ControlSet001\Services\MRxCls
HKLM, SYSTEM\ControlSet001\Services\MRxNet
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET

Save the file with the name "repair.inf". Set the "Save as type" option to Text Document to avoid mistakes.
Right-click the file "repair.inf" and select "Install". Restart the computer.

- Clean temporary files, so that remnants of the trojan cannot try to become active again. Use a tool like "ATF Cleaner" or the built-in Windows "Disk Clean-Up" feature.

Emergency solution for Winsta:

To prevent it from re-infecting the computer, you can use the following script:

@echo off
rem Delete each dropped file, then create a directory with the same name so the
rem trojan cannot drop the file again; attrib then marks that directory
rem read-only, hidden and system. The "rd" lines are left disabled (rem),
rem as in the original script; enable them if a directory of that name exists.
del /f C:\windows\system32\winsta.exe
rem rd C:\windows\system32\winsta.exe
md C:\windows\system32\winsta.exe
del /f C:\windows\system32\drivers\mrxnet.sys
rem rd C:\windows\system32\drivers\mrxnet.sys
md C:\windows\system32\drivers\mrxnet.sys
del /f C:\windows\system32\drivers\mrxcls.sys
rem rd C:\windows\system32\drivers\mrxcls.sys
md C:\windows\system32\drivers\mrxcls.sys
attrib +r +h +s C:\windows\system32\winsta.exe
attrib +r +h +s C:\windows\system32\drivers\mrxnet.sys
attrib +r +h +s C:\windows\system32\drivers\mrxcls.sys

Save the file with the name "winsta.bat". Set the "Save as type" option to Text Document to avoid mistakes.

Double-click the file.

- For optimal cleaning and to prevent re-infection, re-scan using an up-to-date antivirus that recognizes this virus well.


2 comments:

  1. Antivirus Protection --->>>> Stuxnet appears to be polymorphic, but it also appears to be a logic bomb as well. It propagates through networks, and when it finds a Siemens PLC it then executes. So in one case it is similar to a logic bomb already, but why would it lie dormant on other systems? By the way, the kill date for this worm is June 2012. Strange, is it not? What are your thoughts on this virus?

  2. Thanks for the response, dude. I think that's all I know to share. You can request other topics; I will definitely make them for you gladly ^_^
    Just share on Google+ or Twitter.
