This virus always ranks among the 10 most prevalent viruses, and a few months back it was even in the top 3. How does the new variant operate? Follow the description below.
A virus that uses the standard Windows folder icon is one of the older players in the virus world. It has a great many variants, and they come in a range of sizes. The one characteristic that never changes is the use of a folder icon with the aim of deceiving users. Other antivirus vendors recognise this AutoIt virus as Imaut, Sohanad, or YahLover; we ourselves know it as Autoit.EE.
What Is Autoit?
The author is alleged to call himself Nhatquanglan and most likely comes from Thailand, but we are not sure whether the new variants come from the same maker. For those who have never heard of it: AutoIt, in full AutoIt Script, is also the name of the application used to create automation scripts; exactly "automation, hotkeys, and scripting", as its website puts it. In short, an AutoIt script is compiled into an executable file.
Technically, every program built with AutoIt Script carries an identifying mark. The AutoIt script header is usually found at the end of the executable file, or sometimes as an overlay, and in hexadecimal it reads 0xA3, 0x48, 0xBE, 0x98, 0x6C, 0x4A, 0xA9, 0x99, 0x4C, 0x53, 0x86, 0xD6, 0x48, 0x7D.
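The marker described above can be turned into a simple triage check. The following is an added example written for this article, not code from the article, the virus or the AutoIt project: it searches a file for the byte sequence quoted above (copied as printed, not independently verified against a known AutoIt build) and, when the file is a PE, reports whether the marker sits in the overlay after the last section, which is where the article says it is normally found. The sample file it scans is a constructed, minimal PE-shaped blob, and the 4 KiB "near the end" threshold is an arbitrary assumption.

```python
import struct
from typing import Dict, Optional

# Compiled-script marker as printed in the article (assumption: taken as given).
AUTOIT_MARKER = bytes([0xA3, 0x48, 0xBE, 0x98, 0x6C, 0x4A, 0xA9,
                       0x99, 0x4C, 0x53, 0x86, 0xD6, 0x48, 0x7D])


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset where data after the last PE section (the overlay) starts, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = 0
    for i in range(num_sections):
        hdr = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def scan_autoit(data: bytes) -> Dict[str, object]:
    """Locate the marker and say where in the file it lives."""
    offset = data.find(AUTOIT_MARKER)
    if offset < 0:
        return {"autoit": False}
    overlay = pe_overlay_offset(data)
    return {
        "autoit": True,
        "offset": offset,
        "in_overlay": overlay is not None and offset >= overlay,
        "near_end": len(data) - offset <= 4096,   # assumed threshold
    }


def build_sample() -> bytes:
    """Constructed minimal PE-shaped blob with the marker appended as an overlay."""
    e_lfanew = 0x40
    buf = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf += b"PE\0\0" + b"\0" * 20                   # signature + 20-byte COFF header
    struct.pack_into("<H", buf, e_lfanew + 6, 1)    # NumberOfSections
    struct.pack_into("<H", buf, e_lfanew + 20, 0)   # SizeOfOptionalHeader (0 in this toy)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<II", sec, 16, 0x100, 0x200)  # SizeOfRawData, PointerToRawData
    buf += sec
    buf += b"\0" * (0x300 - len(buf))               # padding + section body up to 0x300
    buf += b"overlay-" + AUTOIT_MARKER + b"\x01\x02"
    return bytes(buf)


if __name__ == "__main__":
    print(scan_autoit(build_sample()))
```

A 14-byte pattern will match any AutoIt-compiled program, benign or not, so this is a triage signal ("compiled AutoIt present in the overlay") rather than a verdict; pair it with the other indicators the article lists.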
Func Main()
After decompiling, we can see the virus's original script. The script is not hard to learn; it is much like VBScript. The virus script consists of many functions, such as INSTALL, CREATEINI, UPDATE, and so on. To make it easier to follow, we start from Main(), the virus's entry point.
Func Install()
When the virus is executed, it first checks whether it is already present in memory. If so, it exits immediately. If the victim's OS is Windows Vista, the virus copies itself to the Desktop; otherwise it copies itself to the Windows and System32 directories under the name gphone.exe. If a file of that name already exists, the old file is deleted and replaced with the new one, which lets the virus keep itself up to date. In the System32 directory it also places a file named autorun.ini, which is later placed on removable disks such as flash drives. The file is also given the system and hidden attributes.
The virus's next action is to call the function DISABLEWINAPPS(), which disables Folder Options, Task Manager and regedit. It then registers itself in the WinLogon Shell and in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run under the name "Yahoo Messengger" so that it starts automatically with Windows. It also tries to change the AtTaskMaxHours property of the Task Scheduler to 0, tries to delete all tasks in the Task Scheduler, and creates a new task that runs at 09:00 every day. Finally, it calls SETBROWSERHOMEPAGE(), which changes Internet Explorer's default home page to http://googleinindia.blogspot.com
Func Update()
Interestingly, this virus updates itself regularly. It first tries to connect to http://gototalgo.googlepages.com/setting.ini, http://scienceandemotion.googlepages.com/setting.ini, http://seeprivatecam.googlepages.com/setting.ini, or http://ageoldyoga.googlepages.com/setting.ini. If the connection succeeds, the virus downloads the setting.ini file and saves it in the same directory as its parent executable. If the file already exists, the old one is renamed to setting.ini.old. The setting.ini file holds the configuration used to download the virus core, and it is given the read-only, hidden and system attributes. Using the download link provided in setting.ini, the virus then tries to download a new copy of itself and replace the old one with the new. As of now, however, none of the update links are reachable any more.
One thing is unique: the programmer has the ability to kill the virus in bulk on every infected computer, because the setting.ini file contains a variable "deactive"; if its value is "YES", the virus terminates itself.
Yahoo! Messenger and Gtalk
Next, the virus checks whether Yahoo! Messenger (Y!M) is running; if not, it starts it, and if it is not installed, it downloads and installs it. Once Y!M is running, the sign-in process follows. Sign-in can only succeed if the user has saved the username and password with the "Remember my ID & password" option, so be careful with that option, because even on your own computer anything can happen. The virus then adds its own Y!M ID, "rnd009", to the victim's Y!M contact list, without the user's knowledge of course.
The virus then sets the Y!M status to "View my webcam (private) %download_link_virus%", which, if clicked, leads to the URL of the virus file. Now it is time to spread itself via Y!M by sending a message chosen at random from its database to every contact. All of the above is done not only on Y!M but also on Gtalk, Google's messenger application.
CopyInDisk ("ALL")
This routine orders the virus to copy itself to every drive it finds, including removable drives. At the root of an infected drive you will find virus files such as New Folder.exe, gphone.exe, and Autorun.inf. It then goes on to infest every subdirectory, disguising itself under the directory's name. Not only that, it also tries to spread through any shared folders it finds on the local network. In addition, the virus takes the destructive step of trying to remove the "System Volume Information" directory, which stores System Restore data.
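The Install and CopyInDisk routines above leave a consistent set of host artifacts. The following is an added example written for this article, not code from the article or the virus: it runs the indicators the article reports (the "Yahoo Messengger" Run value, a modified Winlogon Shell, the IE start page, gphone.exe and New Folder.exe drops, an Autorun.inf that launches an executable, and the daily 09:00 task) over a host snapshot. The snapshot format is an assumption, the sample snapshot is constructed, and the Winlogon and Internet Explorer registry paths are the standard locations for those settings rather than values quoted by the article.

```python
import configparser
import ntpath
from typing import Dict, List

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"

# Indicators from the article's description of Install() and CopyInDisk().
RUN_VALUE_NAME = "yahoo messengger"           # doubled 'g', as reported
DROPPED_NAMES = {"gphone.exe", "new folder.exe"}
HOMEPAGE = "http://googleinindia.blogspot.com"

# Constructed snapshot of an infected XP host (assumed inventory format, not real data).
SAMPLE_SNAPSHOT: Dict = {
    "registry": {
        RUN_KEY: {
            "Yahoo Messengger": r"C:\WINDOWS\system32\gphone.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        },
        WINLOGON_KEY: {"Shell": r"Explorer.exe C:\WINDOWS\gphone.exe"},
        IE_MAIN_KEY: {"Start Page": HOMEPAGE},
    },
    "files": [
        r"C:\WINDOWS\gphone.exe",
        r"C:\WINDOWS\system32\gphone.exe",
        r"C:\WINDOWS\system32\autorun.ini",
        r"E:\New Folder.exe",
        r"E:\Autorun.inf",
    ],
    "autorun_inf": {
        r"E:\Autorun.inf": "[autorun]\nopen=gphone.exe\nshellexecute=gphone.exe\n",
    },
    "tasks": [{"name": "At1", "run": r"C:\WINDOWS\system32\gphone.exe", "time": "09:00"}],
}


def triage(snapshot: Dict) -> List[str]:
    """Return one finding string per matched indicator; empty list on a clean host."""
    findings: List[str] = []
    reg = snapshot.get("registry", {})

    # 1. Run-key persistence under the value name the article reports.
    for name, cmd in reg.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run key persistence: {name} -> {cmd}")

    # 2. Winlogon Shell hijack: a clean value is exactly "Explorer.exe".
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell modified: {shell}")

    # 3. IE home page redirected to the address the virus sets.
    if reg.get(IE_MAIN_KEY, {}).get("Start Page", "").lower() == HOMEPAGE:
        findings.append(f"IE start page set to {HOMEPAGE}")

    # 4. Dropped copies in Windows, System32 and drive roots.
    for path in snapshot.get("files", []):
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(f"Dropped file: {path}")

    # 5. Autorun.inf whose open/shellexecute entries launch an executable.
    for path, text in snapshot.get("autorun_inf", {}).items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for section in cp.sections():
            if section.lower() != "autorun":
                continue
            for key in ("open", "shellexecute"):
                target = cp.get(section, key, fallback="")
                if target.lower().endswith(".exe"):
                    findings.append(f"{path}: {key}={target}")

    # 6. Daily 09:00 task that runs one of the dropped files.
    for task in snapshot.get("tasks", []):
        run = ntpath.basename(task.get("run", "")).lower()
        if task.get("time") == "09:00" and run in DROPPED_NAMES:
            findings.append(f"Scheduled task {task['name']} runs {task['run']} at 09:00")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

Each finding maps back to one sentence of the analysis, so a responder can tell which part of the infection chain (persistence, browser tampering, removable-media spread, scheduled task) is present on a given machine before cleaning it.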
Debug Mode
Uniquely, the virus script contains a function Debug() which the author uses to make the virus's work flow easier to follow. There is also a function called SAIFTYCHECK(), called by almost every other function, whose purpose is to verify conditions before running a command. The verification checks whether the file c:\god.txt exists; if it does, the virus will not infect the computer. If the file c:\disk.txt exists, it will not spread to any drive or network share, and if c:\install.txt exists, it will not install itself on the victim's machine.
The virus also checks the computer name, whether it is ALLADIN, tarang, or Param, and whether the file c:\debug.txt exists. If one of these matches, the virus requires a password before it takes action; the password is "amonia007". After that, the virus runs in debug mode, and you can find all the logs it writes in the temp directory under the name "log_%timestamp%". This is a unique feature of this virus, usually built in so that the author can avoid infecting his own computer with the virus he created.