Unable to Open Hard or USB Flash Drive with Windows Script Host Cannot Find Script File autorun.vbs Error
In some situations, especially after an antivirus program has removed, cured, disinfected or deleted a worm, trojan horse or virus from the computer, users may encounter an error whenever they try to open or access a drive by double-clicking the disk drive icon in Explorer or the My Computer window to go into the drive's folder. The problem or symptom occurs on hard disk drives, portable hard disk drives and USB flash drives, and Windows prompts a dialog box with the following message:
Windows Script Host
Cannot find script file autorun.vbs.
Sometimes you will be asked to debug the VBScript with error code 800A041F - Unexpected 'Next'.
or
Choose the program you want to use to open this file with:
In this case, the "Always use the selected program to open this kind of file" option is grayed out.
The symptom occurs when autorun.vbs has been created by a trojan horse or virus. The virus typically loads an autorun.inf file into the root folder of all hard drives and USB drives, and then executes an autorun.bat file, which contains a script to apply and merge autorun.reg into the registry, with a possible change to the following registry key to ensure that the virus is loaded when the system starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=userinit.exe, autorun.exe
Finally, autorun.bat calls wscript.exe to run autorun.vbs.
When antivirus or security software detects the autorun.vbs file as infected, the file is deleted, removed or quarantined. However, the other files (autorun.*) and the registry values that refer to autorun.vbs are still in place while that file no longer exists, hence the error when the user double-clicks to open a drive folder.
To correct and resolve this error, follow these steps:
- Run Task Manager (Ctrl+Alt+Del, or right-click on the Taskbar).
- Stop the wscript.exe process, if present, by highlighting the process name and clicking End Process.
- Then terminate the explorer.exe process.
- In Task Manager, click on File -> New Task (Run...).
- Type "cmd" (without quotes) into the Open text box and click OK.
- Type the following commands one by one, pressing Enter after each:
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a
del e:\autorun.* /f /s /q /a
c, d and e each represent a drive letter on the Windows system. If there are more drives or partitions available, continue the command, changing it to the other drive letters. Note that you must also clean the autorun files from any USB flash drive or portable hard disk, as the external drive may also be infected.
- In Task Manager, click on File -> New Task (Run...).
- Type "regedit" (without quotes) into the Open text box and click OK.
- Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Check that the value name and value data for the key are correct (the path in the userinit.exe value data may be on a drive other than C, which is also valid; note also the trailing comma, which is required):
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
If the value is incorrect, modify it to the valid value data.
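Before running the del and registry steps above, it helps to see what they would touch: del with /s removes every file matching autorun.* in every subfolder of the drive, not only in the root. The following read-only PowerShell audit is an added example, not part of the original article; it assumes PowerShell is available and that the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe.

```powershell
# Added example: read-only audit. Nothing is deleted or modified.
# Assumption: the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

# Userinit is a comma-separated list of programs run at logon; the normal
# value is a single path followed by a trailing comma.
$raw     = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$extra   = @($entries | Where-Object { $_ -ne $expected })   # -ne ignores case

if ($entries.Count -eq 1 -and $extra.Count -eq 0) {
    Write-Output "Userinit OK: $raw"
} else {
    Write-Output "Userinit needs review: $raw"
    foreach ($e in $extra) { Write-Output "  unexpected entry: $e" }
}

# autorun.inf keys that name the program started when the drive is opened.
$launch = '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*='

# Look in the ROOT of each file-system drive only (no recursion), including
# hidden and system files, so every hit can be inspected before deletion.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $hits = @(Get-ChildItem -Path $drive.Root -Filter 'autorun.*' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    foreach ($f in $hits) {
        Write-Output ("{0}  {1} bytes  [{2}]" -f $f.FullName, $f.Length, $f.Attributes)
        if ($f.Name -eq 'autorun.inf') {
            Select-String -Path $f.FullName -Pattern $launch | ForEach-Object {
                Write-Output ("    line {0}: {1}" -f $_.LineNumber, $_.Line.Trim())
            }
        }
    }
}
```

A bare userinit.exe entry without a path, as in the infected value shown earlier, is reported for review along with any additional program such as autorun.exe.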
IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.
July 21st, 2008 06:16
I find this blog very interesting, I will be here every day till now. Greetings
July 8th, 2008 17:09
Fantastic solution, it worked like a charm.
I am ecstatic, and grateful that I came across this article, thank you.
Was reluctant to edit the registry, esp. because the machine in question was our company server, so tried it on a client machine first and it worked. Gave me confidence to go apply it on our server and it worked first time.
And keep up the good work.
July 1st, 2008 22:42
fuck you i run the first commands and it deleted all my files stored on my c drive every thing everything ... i lost all of my pictures and word files and everything stored on the c drive beware of this command i will sue the company that made such solution to make lose all my data fuck you...
June 28th, 2008 13:23
Brilliant and impressive solution shared guys. I am all sorted.
June 22nd, 2008 23:13
This worked like a charm! Thanks for the help. Step 2 was not available so I went to step 3. I copied and pasted the del c: command into the cmd and that worked. Followed next few steps and everything was correct. Rebooted and presto! I was not able to open my hard drive due to malicious software that was trying to run when I double clicked it. My antivirus program kept telling me no, blocking ddkyir.com or something like that. I ran the new 2008 MSWR tool from microsoft. A full scan caught 20+ bugs. I always use my firewall and routinely scan for viruses but these slipped by. After the clean was over, I was being prompted to choose a program to open my E drive. Thanks again!
June 6th, 2008 16:11
Hello,
I need your help to remove the autorun file from my external hard drive. When I right-click on it, it shows me autorun at the first (above), so how can I remove it?
Could you please help me to code a file with the name of autorun-eater.inf?
Waiting for your kind response.
April 28th, 2008 02:16
hey guys!
thank you for your posts.
I think the following will help you better understand the problem and maybe it will help you in some cases.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager.
• On Windows 98 and ME, press
CTRL+ALT+DELETE
• On Windows NT, 2000, XP, and Server 2003, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
SOUNDMIX.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
——————————————————————————–
*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.
On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.
Addressing Registry Shell Spawning
This procedure prevents the malware from executing whenever a user opens files with certain extension names. It should restore the registry to its original settings.
Click Start>Run.
In the Open input box, type:
command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
Press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>exefile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its value is the path and file name of the malware file.
If the value is the malware file, right-click Default and select Modify to change its value.
In the value data input box, delete the existing value and type the default value:
"%1" %*
Close Registry Editor.
Click Start>Run, then type:
command /c del regedit.com
Press Enter.
Editing the Registry
This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entry from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Soundmix = "%System%\soundmix.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Restoring Modified Registry Entry
Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Advanced>Folder>Hidden>SHOWALL
In the right panel, locate the entry:
CheckedValue = "0"
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.
Restoring AUTORUN.INF
Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
AUTORUN.INF
In the Look In drop-down list, select a drive, then press Enter.
Select the file, then open using Notepad.
Check if the following lines are present in the file:
[autorun]
open=
shell\open=¢¥ò¢¯¨£(&O)
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\open\Default=1
shell\explore=¡¿ÊÔ¢¥©öÜÀí¨¡¡À(&X)
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir
If the lines are present, delete the file.
Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
Close Search Results.
(Note: The folder not addressed in this section may be used by a legitimate application. Thus, it is best that the said folder is left on the system.)
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as WORM_AGENT.PGV. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.
source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGENT%2EPGV&VSect=Sn