Virus yang diklasifikasikan sebagai Wurm ini merebak melalui Yahoo! Messenger. Mungkin dah ada di kalangan anda yg dah terkena penangan wurm ni(macam abang aku semalam). Bahayanya wurm ni, mesej yang mengandungi virus/wurm tu akan datang dari buddy/members list kita sendiri..padahal mesej tu dihantar sendiri secara automatik oleh wurm berkenaan..Ini contoh mesej yang dihantar :

Do you realize who is in this image:
http://{BLOCKED}coolpics.net/who.jpg .
Just think for a moment and tell me soon
;)) who is beside you in this pic
http://thecoolpics.net/friendpic1.jpg so good-looking
the page cannot be displayed
http://{BLOCKED}coolpics.net/error.jpg
Something was wrong !!! Check it again and tell me later.
THanks Images shot in Iraq _ The war will never end
http://{BLOCKED}coolpics.net/Iraqwar.jpg
< < :( Miss World 2006: http:// {BLOCKED}coolpics.net/ MissWorld.jpg

Jadi kalau dapat mesej camtu, jangan p klik pulak! Antara payload atau kesan wurm ni ialah dia akan ‘disable’kan task manager dan registry editor..selain tu, dia akan hantar mesej yg sama kepada members/buddy anda..huhu..

Di bawah ialah penerangan untuk buang wurm + ‘enable’kan balik task manager dan registry editor..(minta maaf, dalam bahasa inggeris, tak sempat nak translate)

—————————————————————————————————-

Sohanad.AE is a worm that enters as a downloaded file through Yahoo Messenger, infects windows. Upon execution it disables the Windows Task Manager and Registry Editor and copies itself as SVCHOST32.EXE and SVHOST.EXE in the Windows folder which is different than the windows system file SVCHOST.EXE

The worm modifies registry and loads itself during each startup.

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run

It also creates the following registry keys to modify the settings of Yahoo Messenger

HKEY_CURRENT_USER\ Software\ Yahoo\ pager\ View\ YMSGR_buzz HKEY_CURRENT_USER\ Software\ Yahoo\ pager\ View\ YMSGR_Launchcast

It changes the Internet Explorer (IE) home page to coolpics.net

This worm spreads through Yahoo Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipients’ system.

(Below are removal instructions. You may print this page for easy reference)

Enable Task Manager and Registry Editor

Open Notepad and copy and paste the following:

On Error Resume Next
Set shl = CreateObject(”WScript.Shell”)
Set fso = CreateObject(”scripting.FileSystemObject”)
shl.RegDelete “HKCU\Software\Microsoft\Windows\CurrentVersion\
Policies\System\DisableRegistryTools”
shl.RegDelete “HKCU\Software\Microsoft\Windows\CurrentVersion\
Policies\System\DisableTaskMgr”

Save this file with .VBS extension.
While saving enter the name in double quotes and select all files from the save as type in notepad.
For the ease of use, save the file on desktop.
for example “filename.vbs”
When the file is saved as a vbs file then the file icon changes as a VBScript script file.
Execute the file. Double click on the file name to execute.

Click Yes at the prompt of the message box.
Click Ok.

Disable system restore

disable System Restore in Windows ME and xp.

Click on start > all programs > Accessories > System Tools > System Restore
Click on System Restore settings.
Check the box to Turn off system restore on all drives.
press apply. press ok.

Delete svhost.exe and svchost32.exe

search and delete files named svhost.exe and svchost32.exe
Your windows system file is svchost.exe, do not delete it.
Observe the difference and the missing c.
The worm creates svhost.exe and svchost32.exe
whereas windows system file is svchost.exe

Remove Autostart Entries from Registry

(If the worm has not executed yet then the entries below will be absent.)

Open Registry Editor. start > run. Type regedit. Press ok.

In the left panel double click on the following entries

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run

In the right panel, locate and delete the following entries

Task Manager = “%Windows%\system\svchost32.exe”
Svchost = “%Windows%\system\svhost.exe”

(%Windows% is the Windows folder, C:\Windows or C:\WINNT

Be careful not to remove svchost.exe which is a windows system file)

Remove Keys and Entries

In the left panel double click on the following entries
HKEY_CURRENT_USER>Software>Yahoo>pager>View

in the left panel locate and delete the following keys:
YMSGR_buzz
YMSGR_Launchcast

In the left panel double click on the following entry

HKEY_CURRENT_USER>Software>Policies>Microsoft>
Internet Explorer>Control Panel

In the right panel locate and delete the entry
Homepage = “1″

In the left panel double click on the following entries
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Policies>Explorer

In the right panel locate and delete the entry
NoRun = “1″

Close Registry Editor.

Reset IE Home Page and Search Page

Close all browser (IE) windows.
Click Start>Settings>Control Panel.
Double click on Internet Options.
In the Internet Properties window click the Programs tab.
Click the Reset Web Settings button.
Select “Also reset my home page”.
Click Yes.
Click OK.