Vicious VBScript That Infects Documents

It arrives in an encrypted state. How do you handle a virus like this? Follow the discussion this time!


The VBScript virus trend is not over yet, and local viruses are still in action. This time we discuss one VBScript virus variant that uses a different infection technique. Admittedly this virus is probably not a recent release, but the technique it carries differs from that of the usual VBScript virus, and some readers still complain about it. The original virus file is 5,915 bytes. Small enough, huh? This is one of the advantages of VBScript viruses: the relatively small file size helps speed up the spread of the virus.

The virus ran smoothly on the Windows XP operating system we tested it on. At a glance, when viewed in Notepad, this virus, which has the .vbs extension, is in an encrypted state. We can tell when it is opened, because only strange characters appear. Looking more carefully, however, at the top there is the string “RPVBLK = True” or “RPVBLK = False”, and at the bottom there is a normal, readable routine that serves as the decryptor.

Encryption

Decrypting the virus body is not difficult. Whatever encryption it applies can be undone, because the body itself contains the decryptor routine, which translates it byte by byte back to its original form. The encryption simply plays with characters, shifting them forward or backward, which is commonly known as the Caesar cipher. We only inserted a small routine that dumps the decrypted text, after which the behaviour of the virus can easily be studied from its source code.

Once the whole virus body has been decrypted, comment strings are visible right at the top of the script source, marked “Repvblik Ver 2.0 ^_^!”, along with several messages it conveys.
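The article read the body by adding a dump routine to the sample's own decryptor. As an added example (not the article's or PCMAV's code), the following takes a static route instead: it tries every shift and keeps the one whose output looks most like VBScript, so nothing from the sample is executed. The byte-wise shift modulo 256, the keyword list and the sample text are assumptions made for the illustration.

```python
# Added example, not the article's code: recover a Caesar-shifted script body
# statically (nothing is executed) by trying every shift and scoring the result.
KEYWORDS = ("createobject", "wscript", "end sub", "end function",
            "dim ", "set ", "on error resume next")


def shift_text(text, shift):
    """Move every character code by `shift`, wrapping in 0..255 (assumed scheme)."""
    return "".join(chr((ord(c) + shift) % 256) for c in text)


def keyword_score(text):
    """Count VBScript keywords; real script text scores far above noise."""
    low = text.lower()
    return sum(low.count(k) for k in KEYWORDS)


def recover_shift(cipher):
    """Return (shift, plaintext) for the shift whose output looks most like VBScript."""
    best = max(range(256), key=lambda s: keyword_score(shift_text(cipher, s)))
    return best, shift_text(cipher, best)


# Constructed, harmless sample standing in for an encrypted body.
SAMPLE_PLAIN = (
    "On Error Resume Next\r\n"
    "Dim fso\r\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'WScript.Echo "hello"\r\n'
)
SAMPLE_CIPHER = shift_text(SAMPLE_PLAIN, 3)  # each character moved 3 forward


if __name__ == "__main__":
    shift, plain = recover_shift(SAMPLE_CIPHER)
    print("decoding shift:", shift)
    print(plain)
```

On a real sample, pass in only the unreadable middle portion, since the marker line at the top and the decryptor at the bottom are already plain text.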

Virus in Startup

First, of course, it creates the master file. When the virus is executed on a clean computer, it creates an original master file placed in your startup directory, which can be found under Start Menu > Startup, with the name Repvblik.vbs. How does it know whether a file is the master file or an infected file? From the variable at the top of the script's source, namely “RPVBLK”, which can have the value True or False. The master virus file also runs automatically when Windows starts.

Messages

Along with that, it creates a new directory on drive C:\ named Repvblik. In that directory you will find a text file named Repvblik.txt, which is a message from the creator of the virus. Not only there: in every first-level directory you will also find a Repvblik.txt file. While the virus is active in memory, Task Manager will not show a process whose name resembles the virus's .vbs file name, because when a .vbs file is opened or clicked, Windows automatically runs wscript.exe as the interpreter for the script. So when the virus is active, the only virus process that appears in Task Manager is wscript.exe. It is quite difficult to tell whether wscript.exe is running a virus .vbs file or not, since some users still use VBScript to write small scripts that ease their work. However, with a more advanced program such as Process Explorer you can examine every detail of a process. Just right-click the desired process and click Properties; the Command Line edit box in Process Explorer shows which script wscript.exe is running.

Document infection!

After the master file has been created, it immediately launches its last move, namely infection. The files this virus infects are those with the extensions DOC, XLS, PPT, PPS, and RTF, which will be familiar to you. The infection flow can be read clearly in a routine named explore_folder_and_infect_file found in the virus body. What it does is actually very simple: it searches the My Documents directory, including subdirectories, for files with those extensions, and when it finds one it promptly infects it. Before that, it deletes the contents of the Recent folder, which holds the list of recently opened files.

It infects by appending the document file to the bottom of the virus body. So if you have a file named, for example, Projects.doc, the virus reads the entire contents of the file, places the contents of the document at the bottom of the virus body, and marks it with the string “RPVBLK = False” at the beginning of the virus body, which means the file has already been infected. Other viruses with infection capability do the same, so that an infected file is not infected again. The original document file is then deleted. Of course, your document file has now become a VBScript file, which cannot be opened with Microsoft Word. However, you need not be confused: let PCMAV do its work and restore the document to its original state. When an infected file is run, the virus first extracts the document contained in its body into the current directory, then runs itself again, as if nothing had happened.

Registry manipulation

The Repvblik virus cunningly changes the default icon of every .vbs file to the Microsoft Word icon. It also changes the file type description to “Microsoft Word Document” and hides the .vbs extension in Windows Explorer by adding a NeverShowExt item to the VBSFile key in the Windows Registry. When this is the case, ordinary users cannot distinguish genuine document files from files carrying the virus.
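One way to check a machine for these three changes, as an added example that is not the article's or PCMAV's code: export the VBSFile key with regedit and audit the text offline. The export samples are constructed, and the Word icon path and the clean-system values in them are assumptions.

```python
import re

# Added example, not the article's code: audit a regedit export of the VBSFile key.
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse export text into {key_path_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section, value = SECTION.match(line), VALUE.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
        elif value and current is not None:
            current[value.group(1).strip('"').lower()] = value.group(2)
    return keys

def audit_vbsfile(text):
    """Return findings for the VBSFile changes the article describes."""
    keys = parse_reg(text)
    root = keys.get(r"hkey_classes_root\vbsfile", {})
    icon = keys.get(r"hkey_classes_root\vbsfile\defaulticon", {})
    findings = []
    if "nevershowext" in root:
        findings.append("NeverShowExt present: .vbs extension is hidden")
    if "word" in root.get("@", "").lower():
        findings.append("type description mentions Word: " + root["@"])
    if "winword" in icon.get("@", "").lower():
        findings.append("DefaultIcon points at Word: " + icon["@"])
    return findings

# Constructed exports; the icon paths and the clean description are assumptions.
TAMPERED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\VBSFile]
@="Microsoft Word Document"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\VBSFile\DefaultIcon]
@="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE,1"
'''
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\VBSFile]
@="VBScript Script File"

[HKEY_CLASSES_ROOT\VBSFile\DefaultIcon]
@="%SystemRoot%\\System32\\WScript.exe,2"
'''
```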

Rename MP3

Not only does it infect documents; it also goes after the music files in your MP3 collection. Every MP3 file it finds is renamed: it adds the string “Repvblik_” in front of the name of the MP3 file.

Flash Disk

Be careful if you find files with names such as “I am So Sorry.txt.vbs”, “Free SMS via GPRS.txt.vbs”, “Indonesian and their corruption!!.txt.vbs”, “Never be touched!!.txt.vbs”, “Make U lofty.txt.vbs”, “Thank U Ly.txt.vbs”, “The Power of Midwife.txt.vbs”, or “NenekSihir and her Secrets.txt.vbs” on your removable disk: these are the file names it normally uses to spread.
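The indicators described in the sections above (the RPVBLK marker at the top of a .vbs file, a document or text extension hidden in front of .vbs, MP3 files prefixed with “Repvblik_”, and Repvblik.txt message files) can be swept for without running anything. This is an added example, not the article's or PCMAV's code; the demo tree is constructed from inert placeholder files, and the name Projects.doc.vbs for an infected document is an assumption.

```python
import os
import re
import tempfile
# Added example, not the article's code; indicators are the ones the article names.
MARKER = re.compile(r"^\s*RPVBLK\s*=\s*(True|False)\b", re.I | re.M)
DECOY_EXTS = {".doc", ".xls", ".ppt", ".pps", ".rtf", ".txt"}

def classify(path):
    """Return the reasons `path` matches an indicator; files are read, never run."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext == ".vbs":
        if os.path.splitext(stem)[1] in DECOY_EXTS:
            reasons.append("double extension")
        with open(path, "rb") as fh:
            head = fh.read(512).decode("latin-1")
        if (found := MARKER.search(head)):
            reasons.append("RPVBLK marker = " + found.group(1).capitalize())
    elif ext == ".mp3" and name.startswith("repvblik_"):
        reasons.append("renamed MP3")
    elif name == "repvblik.txt":
        reasons.append("message file")
    return reasons

def sweep(root):
    """Walk `root` and map each matching relative path to its reasons."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            reasons = classify(os.path.join(folder, fname))
            if reasons:
                hits[os.path.relpath(os.path.join(folder, fname), root)] = reasons
    return hits

def demo():
    """Sweep a constructed tree of inert placeholder files."""
    samples = {
        "Projects.doc.vbs": "RPVBLK = False\r\n' inert placeholder\r\n",
        "Repvblik.vbs": "RPVBLK = True\r\n' inert placeholder\r\n",
        "I am So Sorry.txt.vbs": "", "backup.vbs": 'WScript.Echo "ok"\r\n',
        "Repvblik_song.mp3": "", "Repvblik.txt": "", "notes.txt": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for fname, body in samples.items():
            with open(os.path.join(root, fname), "w", newline="") as fh:
                fh.write(body)
        return sweep(root)
```

Point `sweep()` at My Documents, the Startup folder or a mounted removable disk; a hit is a lead for review, since legitimate scripts can also carry double extensions.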

Source: http://www.pcmedia.co.id by Arief Prabowo

2 Responses to Vicious VBScript That Infects Documents

  1. Raditya Wirayoga says:

    How do you make a virus with the VB 6.0 program?

  2. masdjab says:

    use FDGuard to prevent virus infection from flashdisk, re-enable regedit, taskmanager, command prompt, run menu, find menu, folder options menu, and unhide file in flashdisk:
    http://www.ziddu.com/download/12108094/fdguard_1.21.zip.html
