Tuesday, November 8, 2011

Pisang Bakar Virus Removal

Repost from my old site www.junblogs.com

I believe this has been in circulation for a long time as I think I have glimpsed this before on an internet caffe.  But hey, I am only renting it so I cannot properly “touch” that unit.

Today however, one of my IT guys have inserted his flash drive into one newly formatted unit here that does not have any anti-virus yet so presto, PISANG BAKAR infection.  I called one indonesian Manager and asked him what PISANG BAKAR is because I suspected that the word is indonesian and he confirmed it and said that it means banana; what a name for a virus. Well maybe the one who created this is thinking users will go banana over this one, LOL!

Cleaning this, however, is easy but not simple enough because it touches a lot of things.  Let me explain:

a.  Unlike some viruses that totally hides its components, this one is boastful as its show its presence on root drive c: under the filename pisangbakar.exe.  There is a corresponding text file (info.txt) that when opened show a lot of Indonesian words.  Other files follow:

\Windows\control32.ini (internal name is oyaba)
\windows\winampa.exe   (created by control32.ini via copy, the sole purpose is so it can be run later).  Winampa.exe is actually a valid name for Winamp player loader but it is never inside windows folder but in Program Files
\windows\system32\svghost.exe (resides in processes.  Use to infect further, recreates pisangbakar.exe and info.txt plus terminates attempt to run msconfig, regedit and task manager)

The standard way I am teaching here is to kill the virus component that is in the process using Task Manager.  But since this virus detects task manager among the processes and auto-kills it, then we need a 3rd party tool.  You can download DTaskManager here:  http://www.snapfiles.com/get/dtaskmanager.html.  Once you downloaded it, run it and use it to kill SVGHOST.EXE.

After SVGHOST.EXE is killed among the processes, you can then proceed with removing all those files mentioned.

b.  Additionally, it changes exe file association into your default media player.  To restore exe to its normal association, copy the codes below and paste it on a notepad.  Afterwards, rename it to any name with an extension of reg (e.g., FixExe.reg):
Source code   
Windows Registry Editor Version 5.00
"Content Type"="application/x-msdownload"
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

Double-click that newly created registry info so it can restore the exe association back to normal.

c.  This virus creates some more registry entries so it can load itself on boot.  Open regedit and navigate to these entries:

My Computer\HKEY_Local_Machine\SOFTWARE\Microsoft\Shared Tools\MsConfig\Startupreg (delete SVGHOST entry there)

My Computer\HKEY_Local_Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Under Shell, entry is this:

Explorer.exe c:\windows\system32\SVGHOST.EXE

Double-click it and just retain Explorer.exe  Do that also on HKEY_USERS (every user’s own settings).

The number of HKEY_USERS entry depends on the number of users you set in your unit.  So navigate to Winlogon of each HKEY_USERS as shown above.

Tip:  If you are getting lazy, just search SVGHOST.EXE inside registry.  Also look for Winsetup.bat.

and that is it!  Reboot your computer and work normally again.

No comments:

Post a Comment