If you use Yahoo Messenger, you may have received a message that appears to come from a friend's profile ID and tells you to download something. The message is not really from your friend: it is sent by a virus that has gained access to your friend's Yahoo Messenger.

Example of an attack on Yahoo Messenger.
This once happened to me at pengeRindu: I quarrelled with a YM friend because I did not know about this virus, and scolded him by saying, "What is this, bro, sending me nonsense," and he immediately replied, "I never sent anything."
How to avoid the Sohanad.AE virus
Sohanad.AE is a worm that arrives as a file downloaded through Yahoo Messenger and infects Windows. Upon execution it disables the Windows Task Manager and Registry Editor and copies itself as SVCHOST32.EXE and SVHOST.EXE in the Windows folder; neither name is the same as the Windows system file SVCHOST.EXE.
The worm modifies the registry so that it loads itself at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry keys to modify the settings of Yahoo Messenger:
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
It changes the Internet Explorer (IE) home page to coolpics.net
This worm spreads through Yahoo Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipient's system.
(Below are removal instructions. You may print this page for easy reference)
Enable Task Manager and Registry Editor
Open Notepad and copy and paste the following:
' Remove the policy values that disable Registry Editor and Task Manager.
' Use straight quotes and keep each registry path on a single line.
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
Save this file with a .VBS extension.
When saving, enter the file name in double quotes and select "All Files" under "Save as type" in Notepad.
For ease of use, save the file on the desktop.
For example: "filename.vbs"
Once the file is saved as a .vbs file, its icon changes to that of a VBScript script file.
Execute the file by double-clicking its name.
Click Yes at the prompt of the message box.
Click Ok.
Disable System Restore
Disable System Restore in Windows ME and XP.
Click Start > All Programs > Accessories > System Tools > System Restore.
Click System Restore Settings.
Check the box "Turn off System Restore on all drives".
Press Apply, then press OK.
Delete svhost.exe and svchost32.exe
Search for and delete the files named svhost.exe and svchost32.exe.
The Windows system file is svchost.exe; do not delete it.
Note the difference: the "c" is missing in svhost.exe.
The worm creates svhost.exe and svchost32.exe,
whereas the Windows system file is svchost.exe.
Remove Autostart Entries from Registry
(If the worm has not executed yet then the entries below will be absent.)
Open Registry Editor: Start > Run, type regedit, press OK.
In the left panel, double-click the following entries:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the following entries:
Task Manager = "%Windows%\system\svchost32.exe"
Svchost = "%Windows%\system\svhost.exe"
(%Windows% is the Windows folder, C:\Windows or C:\WINNT.
Be careful not to remove svchost.exe, which is a Windows system file.)
Remove Keys and Entries
In the left panel, double-click the following entries:
HKEY_CURRENT_USER>Software>Yahoo>pager>View
In the left panel, locate and delete the following keys:
YMSGR_buzz
YMSGR_Launchcast
In the left panel, double-click the following entry:
HKEY_CURRENT_USER>Software>Policies>Microsoft>Internet Explorer>Control Panel
In the right panel, locate and delete the entry:
Homepage = "1"
In the left panel, double-click the following entries:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NoRun = "1"
Close Registry Editor.
Reset IE Home Page and Search Page
Close all browser (IE) windows.
Click Start>Settings>Control Panel.
Double click on Internet Options.
In the Internet Properties window click the Programs tab.
Click the Reset Web Settings button.
Select “Also reset my home page”.
Click Yes.
Click OK.
Source: hackers-diary
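The manual checks in the removal steps above can be gathered into one read-only audit. This is an added example, not part of the original post or of hackers-diary; it assumes PowerShell is available on the machine being checked, uses only the file names, keys and values listed on this page, and reports findings without deleting anything.

```powershell
# Read-only audit for the Sohanad.AE indicators listed on this page (added example).
# Run it as the affected user, because the HKCU entries are per-user. Nothing is deleted.
$findings = @()

# Worm copies. The page names both the Windows folder and %Windows%\system.
# Only svhost.exe and svchost32.exe are checked; the genuine svchost.exe is never touched.
foreach ($dir in @($env:windir, (Join-Path $env:windir 'system'))) {
    foreach ($name in 'svhost.exe', 'svchost32.exe') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings += "File: $path" }
    }
}

# Autostart: flag any Run value whose data points at a worm file name.
# The pattern cannot match "\svchost.exe" (extra "c", no "32").
$wormExe = '(^|\\)(svhost|svchost32)\.exe'
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($valueName in $run.GetValueNames()) {
        $data = [string]$run.GetValue($valueName)
        if ($data -match $wormExe) { $findings += "Run value: $valueName = $data" }
    }
}

# Policy values the page tells you to delete (key path, value name).
$policyValues = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableRegistryTools'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoRun'),
    @('HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel', 'Homepage')
)
foreach ($entry in $policyValues) {
    $key = Get-Item -LiteralPath $entry[0] -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $entry[1])) {
        $findings += "Policy value: $($entry[0])\$($entry[1]) = $($key.GetValue($entry[1]))"
    }
}

# Yahoo Messenger keys the page lists under pager\View.
foreach ($sub in 'YMSGR_buzz', 'YMSGR_Launchcast') {
    $keyPath = "HKCU:\Software\Yahoo\pager\View\$sub"
    if (Test-Path -LiteralPath $keyPath) { $findings += "Yahoo key: $keyPath" }
}

if ($findings.Count -eq 0) { 'No Sohanad.AE indicators from this page were found.' }
else { $findings }
```

Running it again after the cleanup steps confirms that each listed entry is gone.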
Cheerful regards,
Mr. J
http://www.pengerindu.com/
http://jacky.pengerindu.com/ (Iban-language blog)