12 August 2015

Win32/Sality Virus Remover

Have you ever had your beloved computer or laptop infected by a virus that infects files with the .exe, .pif and .scr extensions and is really stubborn because it is hard to clean? The signs are that Task Manager is disabled, Regedit is disabled, and we cannot show hidden files in Explorer, because every time we open Folder Options to show hidden files and click OK/Apply, nothing happens.

This virus modifies our registry at the following locations:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableRegistryTools = 01, 00, 00, 00
    Disables the Windows Registry Editor.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableTaskMgr = 01, 00, 00, 00
    Disables Task Manager.

It then turns off the warning display of the Windows Security Center:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    UacDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    AntiVirusDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    AntiVirusOverride = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    FirewallDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    FirewallOverride = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    UacDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    UpdatesDisableNotify = 01, 00, 00, 00
In addition, this virus also writes registry entries to fool the firewall, and then creates registry entries to run the service in its rootkit as sality.am.
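To check a machine for the registry changes listed above, one can export the relevant keys with `reg export` and scan the text file. The script below is an added example (not the blog's own tool or Sality Killer); it parses Regedit's export format and reports every listed value that is set to a non-zero dword or to the 01,00,00,00 binary form. The export embedded in it is constructed for the demo.

```python
# Added example, not from the blog: flag the registry values the post lists
# in a text export made with `reg export` / Regedit. Sample data is constructed.
SALITY_INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableRegistryTools", "DisableTaskMgr"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {"UacDisableNotify"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc": {
        "AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
        "FirewallOverride", "UacDisableNotify", "UpdatesDisableNotify"},
}

def parse_reg_export(text):
    # Returns {key_path: {value_name: raw_data}}; long hex continuation lines are skipped.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def is_set(raw):
    # True for a non-zero dword:XXXXXXXX or the hex:01,00,00,00 form shown in the post.
    raw = raw.lower().replace(" ", "")
    if raw.startswith("dword:"):
        return int(raw[6:], 16) != 0
    return raw.startswith("hex:") and any(int(b, 16) for b in raw[4:].split(",") if b)

def find_sality_tampering(text):
    # Sorted 'path\value' strings for every listed indicator that is switched on.
    exported = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = []
    for path, names in SALITY_INDICATORS.items():
        wanted = {n.lower() for n in names}
        for name, raw in exported.get(path.lower(), {}).items():
            if name.lower() in wanted and is_set(raw):
                hits.append(path + "\\" + name)
    return sorted(hits)

# Constructed sample export: both policy values set, one Security Center override set.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=hex:01,00,00,00
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
"""
```

Run `find_sality_tampering(open("export.reg", encoding="utf-16").read())` on a real export (Regedit writes UTF-16) to get the list of tampered values.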

Even if we scan with various antivirus products other than Sality Killer, only the infected files are detected, without stopping the application the virus is running, so it is useless; and even if we format the Windows installation drive and do a clean reinstall of Windows, the new Windows will be reinfected, because the virus has already spread across the hard disk.

From https://en.wikipedia.org/wiki/Sality:
Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code.

Sality is a family of polymorphic file infectors, which target Windows executable files with the extensions .EXE or .SCR.[1] Sality utilizes polymorphic and entry-point obscuring (EPO) techniques to infect files using the following methods: not changing the entry point address of the host, and replacing the original host code at the entry point of the executable with a variable stub to redirect execution to the polymorphic viral code, which has been inserted in the last section of the host file;[2][3] the stub decrypts and executes a secondary region, known as the loader; finally, the loader runs in a separate thread within the infected process to eventually load the Sality payload.[2]

Sality infects files in the affected computer. Most variants use a DLL that is dropped once in each computer. The DLL file is written to disk in two forms, for example:
  • %SYSTEM%\wmdrtc32.dll
  • %SYSTEM%\wmdrtc32.dl_
The DLL file contains the bulk of the virus code. The file with the extension ".dl_" is the compressed copy. Recent variants of Sality, such as Virus:Win32-Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder %SYSTEM%\drivers. Other malware may also drop Sality in the computer. For example, a Sality variant detected as Virus:Win32-Sality.AU is dropped by Worm:Win32-Sality.AU.[1] Some variants of Sality may also include a rootkit by creating a device with the name Device\amsint32 or \DosDevices\amsint32.[6]

File infection

Sality usually targets all files in drive C: that have .SCR or .EXE file extensions, beginning with the root folder. Infected files increase in size by a varying amount.
The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys:
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run[1]
Sality avoids infecting particular files, in order to remain hidden in the computer:
  • Files protected by System File Checker (SFC)
  • Files under the %SystemRoot% folder
  • Executables of several antivirus/firewall products by ignoring files that contain certain substrings

Removable drives and network shares

Some variants of Sality can infect legitimate files, which are then moved to available removable drives and network shares by enumerating all network share folders and resources of the local computer and all files in drive C: (beginning with the root folder). It infects the files it finds by adding a new code section to the host and inserting its malicious code into the newly added section. If a legitimate file exists, the malware will copy the file to the Temporary Files folder and then infect the file. The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:
  • \.pif
  • \.exe
  • \.cmd
The Sality variant also creates an "autorun.inf" file in the root of all these drives that points to the virus copy. When a drive is accessed from a computer supporting the AutoRun feature, the virus is then launched automatically.[1] Some Sality variants may also drop a file with a .tmp file extension to the discovered network shares and resources as well as drop a .LNK file to run the dropped virus.

Solution:

Because this virus also infects the bootloader, drivers, applications, the Windows system root and more, Sality Killer is needed to clean it; an ordinary antivirus alone is not enough.

Sality Killer can be downloaded HERE; you can also try the tool from AVG made specifically to kill this Sality virus, HERE.

For more details about Sality, see:
http://www.viruslokal.com/2012/01/basmi-tuntas-virus-sality/

Thank you