How to Solve Alice Virus

First of all, the discussion below was taken from here.

Guess what, I just found out that there is a sucky virus -____-. Fortunately, it wasn't me who got caught by the virus, but my friend was. LOL. And I got to take care of this matter until the problem was solved.

I'm gonna tell you what this stingy thing a.k.a. Alice Virus is.

It's a sucky virus which consists of:

  • a file with a .vbe extension, 8 KB in size (it renames a document to document.vbe)
  • alice.alc
  • autorun.inf
  • alice.sys, located in C:\Windows\System32\Drivers\

It spreads through USB flash disks and hard disk drives.

How Does This Virus Work!?

It starts when you open a file with the .vbe extension that is 8 KB in size. It then spreads by creating the alice.sys and autorun.inf files on the USB flash disk.

What's the Content of Autorun.inf?

Every drive on the hard disk (e.g. C:\) contains alice.alc, autorun.inf and *.vbe, which is what spreads the virus, and C:\Windows\System32\Drivers contains alice.sys. Every time you open one of the drives on the hard disk, autorun.inf runs and executes the virus. You can tell the virus has been executed when you double-click the drive and a new Windows Explorer window appears.

In the Process Explorer application, a process named wscript.exe appears and refers to C:\Windows\System32\drivers\alice.sys. Alice.sys can be called the core of the virus.

Note: this virus can cause a crash when you open a browser.

Using the RegAlyzer application, I found that the virus has changed and added these keys:

– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  * NoFileAssociate, value: 1
  * NoFind, value: 1
  * NoFolderOptions, value: 1
  * NoRun, value: 1

– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  * DisableRegistryTools, value: 1
  * DisableTaskMgr, value: 1

– HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  * DisableCMD, value: 1

– HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\
  * [Default], value: Microsoft Word Document
  * FriendlyTypeName, value: Microsoft Word Document
  * NeverShowExt

– HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\DefaultIcon
  * [Default], value: C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  * RegisteredOwner, value: ALICE

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
  * DisableSR, value: 1

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  * Userinit, value: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe //e:vbscript.encode C:\WINDOWS\system32\drivers\alice.sys

RegAlyzer application

Registry keys deleted by this virus:

– HKEY_LOCAL_MACHINE\Software\Classes\inffile\shell\Install
  * [Default], value: &Install

– HKEY_LOCAL_MACHINE\Software\Classes\inffile\shell\Install\command
  * [Default], value: %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1

How to Clean Alice Virus!

1. Stop wscript.exe using the Process Explorer application, just kill it.

2. Remove the registry keys that were made by that stupid virus -__-, here they are:

– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  * NoFileAssociate, value: 1
  * NoFind, value: 1
  * NoFolderOptions, value: 1
  * NoRun, value: 1

– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  * DisableRegistryTools, value: 1
  * DisableTaskMgr, value: 1

– HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  * DisableCMD, value: 1

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
  * DisableSR, value: 1

– HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\
  * NeverShowExt

3. Edit the registry keys that have been changed by that bloody hell virus, -___-:

– HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\
  * [Default], value: VBScript Encoded Script File
  * FriendlyTypeName, value: @%SystemRoot%\System32\wshext.dll,-4803

– HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\DefaultIcon
  * [Default], value: %SystemRoot%\System32\WScript.exe,2

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  * RegisteredOwner, value: [replace with your name or any name you like]

– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  * Userinit, value: C:\WINDOWS\system32\userinit.exe,

4. Add these registry keys back:

– HKEY_LOCAL_MACHINE\Software\Classes\inffile\shell\Install
  * [Default], value: &Install

– HKEY_LOCAL_MACHINE\Software\Classes\inffile\shell\Install\command
  * [Default], value: %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1

5. Remove all the files dropped by that bastard virus -___-:

  • every *.vbe file with a size of 8 KB
  • alice.alc on every hard disk drive
  • autorun.inf on every hard disk drive
  • alice.sys, located in C:\Windows\System32\Drivers\

Note: to show the hidden virus files, you know what to do. Just open Folder Options and bla bla bla 😀

Last step: hopefully everything will be back to normal. Actually, the most valuable thing of all is in this last step. Type attrib -s -h c:\*.doc /s at the command prompt, then press Enter. That is the way to recover the lost .doc documents. 😀
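The registry findings and the five cleanup steps above, gathered into one PowerShell script as an added example (it is not from the original post). It assumes an elevated PowerShell 3+ prompt on the infected machine and that the file names, sizes and registry paths are exactly as described in this post; the 7 KB to 8 KB size window is my reading of "8 KB" as Explorer rounds it.

```powershell
# Added example (not from the post): automate the Alice cleanup steps described above.
# Run from an elevated PowerShell 3+ prompt. Add -WhatIf to the Remove-* cmdlets to rehearse.

# Step 1: stop the script host that is executing alice.sys
Get-Process wscript -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 2: remove the policy values the worm added (each one locks out a Windows tool)
$policies = @{
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFileAssociate','NoFind','NoFolderOptions','NoRun'
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools','DisableTaskMgr'
  'HKCU:\Software\Policies\Microsoft\Windows\System'                  = 'DisableCMD'
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'  = 'DisableSR'
  'HKLM:\Software\Classes\VBEFile'                                    = 'NeverShowExt'
}
foreach ($key in $policies.Keys) {
  foreach ($name in $policies[$key]) {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue -Verbose
  }
}

# Step 3: restore the .vbe file association (it was disguised as a Word document) and Userinit
Set-ItemProperty 'HKLM:\Software\Classes\VBEFile' -Name '(Default)' -Value 'VBScript Encoded Script File'
Set-ItemProperty 'HKLM:\Software\Classes\VBEFile' -Name 'FriendlyTypeName' -Value '@%SystemRoot%\System32\wshext.dll,-4803'
Set-ItemProperty 'HKLM:\Software\Classes\VBEFile\DefaultIcon' -Name '(Default)' -Value '%SystemRoot%\System32\WScript.exe,2'
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Userinit' -Value 'C:\WINDOWS\system32\userinit.exe,'

# Step 4: re-create the inffile "Install" verb the worm deleted
New-Item 'HKLM:\Software\Classes\inffile\shell\Install\command' -Force | Out-Null
Set-ItemProperty 'HKLM:\Software\Classes\inffile\shell\Install' -Name '(Default)' -Value '&Install'
Set-ItemProperty 'HKLM:\Software\Classes\inffile\shell\Install\command' -Name '(Default)' `
  -Value '%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1'

# Step 5: delete the dropped files on every drive letter (hard disks and any plugged-in USB disk)
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
  Get-ChildItem -Path $d.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -in 'alice.alc','autorun.inf') -or
                   ($_.Extension -eq '.vbe' -and $_.Length -gt 7KB -and $_.Length -le 8KB) } |
    Remove-Item -Force -Verbose
}
Remove-Item "$env:SystemRoot\System32\drivers\alice.sys" -Force -ErrorAction SilentlyContinue -Verbose

# Last step: un-hide the .doc files the worm set to system+hidden (the attrib command from the post)
attrib -s -h "C:\*.doc" /s
```

Reboot afterwards so Winlogon reads the corrected Userinit value, and check Process Explorer again for wscript.exe before trusting the machine.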

That's all for now, guys. Let's just settle every virus so that viruses are nothing to us! hell yeah 😀

Best Regard,

Black Lotus

Owner of This Blog
