Monday, 13 April 2009

Script Virus Leena

Hi... I'm finally blogging again... Here you can find information about music: song keys or chords, profiles, plus info about science and technology, including hacking, cracking, programming, virus making, and more...

So, this time I will discuss:

Script Virus Leena


The virus is written in VB, is 76 KB in size and uses the MS Word icon.
Because it looks like an MS Word document, the virus spreads easily,
especially among general computer users who are less careful. If the
virus is executed, an MS Word file will appear with any posts EMPTY-headed.
After that, Leena creates several master files:

- C:\Documents and Settings\%username%\Local Settings\Application Data\%user%. Task\services.exe

- C:\Documents and Settings\%username%\Local Settings\Temp\lsass.exe

- C:\Documents and Settings\all users\application data\normal.exe

- C:\Documents and Settings\All Users\Application Data\leena.%% Running on infection

- C:\Windows

  - ExeServ.exe

  - Leena.ini

- C:\WINDOWS\system32\3D Soccer.exe

- C:\WINDOWS\system32\Av-Prev.exe

- C:\WINDOWS\system32\controls.exe

- C:\WINDOWS\system32\ex-plorer.exe

- C:\WINDOWS\System32\exerun.exe



To support these files, Leena creates several registry strings, including:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon shell = Explorer.exe C:\WINDOWS\ExeServ.exe

- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Default = C:\WINDOWS\System32\ExeRun "%1" %*



In addition, Leena creates a scheduled task [Schedule Task] named Leena, at
[C:\Windows\tasks\leena]. The task runs the master file located at
[C:\WINDOWS\System32\controls.exe] and is scheduled to run at 08.15 each week.



Blocking Windows functions and restarting the computer

To defend itself, Leena tries to block some Windows functions, such as:

- Regedit

- Msconfig

- Folder option



As protection, Leena will kill [restart] the computer if one of these functions
is run. Leena also remains active when the computer is booted in Safe Mode or
Safe Mode with Command Prompt; this is done to prevent the user from cleaning
the virus.



The technique is realized with the following string in the registry:

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = C:\WINDOWS\System32\Av-Prev.exe

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon shell = Explorer.exe C:\WINDOWS\ExeServ.exe



Manipulating .EXE files to activate the virus



Be careful if your computer is infected with this virus; we recommend cleaning
it immediately with an antivirus program that can detect it. Leena tries to
redirect every executable file so that launching it also runs Leena (in the
background), while the application that was called still runs as usual.



To do this, Leena will create the following string in the registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Default = C:\WINDOWS\System32\ExeRun "%1" %*
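The three registry changes described on this page can be checked by comparing each value with its stock Windows data. The following is an added example, not part of the original post; the `audit` function, the snapshot format and the sample snapshots are assumptions constructed for illustration.

```python
import re

# Stock Windows data for the three values this page says Leena rewrites.
# ControlSet001 is the control set named on the page; "" is the (Default) value.
DEFAULTS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell"): "explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     ""): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot",
     "AlternateShell"): "cmd.exe",
}

def normalize(data):
    """Collapse whitespace and case so cosmetic differences are not flagged."""
    return re.sub(r"\s+", " ", data).strip().lower()

def audit(snapshot):
    """Return (key, value name, observed, expected) for every deviation.

    snapshot maps (key, value name) -> data, e.g. parsed from a registry export.
    Key and value names are matched case-insensitively, as the registry does.
    A missing value is reported too, since all three exist on a stock install.
    """
    lookup = {(k.lower(), n.lower()): d for (k, n), d in snapshot.items()}
    findings = []
    for (key, name), expected in DEFAULTS.items():
        observed = lookup.get((key.lower(), name.lower()))
        if observed is None or normalize(observed) != normalize(expected):
            findings.append((key, name, observed, expected))
    return findings

# Constructed snapshots: INFECTED holds the data quoted on this page,
# CLEAN holds the stock defaults.
INFECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell"): r"Explorer.exe C:\WINDOWS\ExeServ.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     ""): r'C:\WINDOWS\System32\ExeRun "%1" %*',
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot",
     "AlternateShell"): r"C:\WINDOWS\System32\Av-Prev.exe",
}
CLEAN = dict(DEFAULTS)

if __name__ == "__main__":
    for key, name, observed, expected in audit(INFECTED):
        print(f"{key} [{name or '(Default)'}] = {observed!r}, expected {expected!r}")
```

A non-default Shell can also be a deliberate kiosk configuration, so a finding is a prompt to inspect the file it names rather than proof of infection.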



Hiding MS Word files

As done by the virus River, Leena also tries to hide MS Word files and, in
their place, creates duplicate files with the same names as the hidden files.
The virus files created by Leena have the following characteristics:



- File Size 76 KB

- Extension .EXE

- File Type "Application".

If you try to run a file that is infected with Leena, the MS Word program will
appear with any posts EMPTY-headed.
