Assalaamu'alaykum Warahmatullaahi wa Barakaatuh
Glory be to Allah Subhanahu wa Ta'ala, who has created. Prayers and peace
be upon the Prophet Muhammad Sallallaahu 'Alayhi wa Sallam and all of his
ummah until the end of time. Safety to those who follow the guidance.
mr_coolface... really is cooolllll!!!!
As the proverb goes, 'Di Atas Langit Ada Langit' (above the sky there is
another sky): thumbs up to the kid who wrote the mr_coolface virus; he
apparently has plenty of experience with the behaviour of Windows, which is
full of holes in every direction. This Mister Coolface is a variant of the
flukunam virus that is 'polite', because it does not really destroy anything,
but it is extremely annoying. At worst it breaks the Windows boot, so Windows
just keeps booting over and over again (typical flukunam). In memory, Mister
Coolface uses a multi-layer model: at least 2 files are kept in memory
(explorer.exe, svchost.exe), so if you kill one, the other takes over.
Another special thing about the Mister Coolface variant of flukunam is that
it exploits the autorun facility. So the moment a floppy disk, an optical
disc or a flash drive that has already been contaminated with this flukunam
is plugged in, it infects right away. The Mister Coolface variant of flukunam
leaves a 'message' for whoever it infects by writing a file named
fluburung.txt into the temporary directory (attached).
I usually clean it up manually, because, well, these viruses block antivirus
programs, and even delete them.
How to:
1. Boot into Safe Mode
2. Kill the programs that you suspect are the virus in memory; be careful,
because
a. usually it is not just one or two programs, e.g. fluburung.b (mr_coolface)
b. they usually use file names that look like Windows files (svchost.exe,
services.exe and so on)
c. Windows Task Manager is always blocked, so you have to use a process
viewer other than Task Manager (I use the process viewer that comes with
Visual Studio); Google for other process viewers, there are plenty
d. some of the programs really are genuine Windows ones, so just try them
one by one; no harm done, at worst the computer hangs, then just restart
3. Look for the files suspected of being the virus:
a. first, look in the root (C:\, D:\) for zip-like files there; the
extension is usually .exe or .scr or .zip or .cab; delete them (fluburung.b /
mr_coolface is about 78 KB, with the same date as the infection date,
C:\explorer.exe)
b. look for other files with the same date and a size of about 210 KB - 230
KB, usually the extracted files; they are always in the system32 directory
and in My Documents; delete them, then look in other places and delete those
too
4. Clean the Windows registry; I attach the script below, save it with a .reg
extension. Actually it is better to do this step first. This registry is also
what other viruses attack, so it also fits the flukunam family, loren and the
others
5. Congratulations, you are now exhausted
Oh, yes, if you look at the registry script there is a list of programs
blocked by mr_coolface, so PCMAV normally has no effect. So if you want to
run those programs (like PCMAV, REGEDIT, MSCONFIG), just copy the program or
rename it, done.
The safest way, actually, is to pull out the hard disk, install it in another
computer, then clean it with an antivirus (McAfee, PCMAV), then don't forget
to restore the registry with the script below. But be careful: don't touch
the hard disk at all until it is really clean, because the Mister Coolface
version of flukunam also creates an autorun file.
Um... tips for the 'victims':
- don't install in the standard directory, because the virus targets it
- update your antivirus often
- scan floppies or flash drives before using them
- disable the autorun facility
A CHALLENGE for those who love writing viruses:
- DON'T DESTROY PEOPLE'S DATA! Just break through the security of programs
like Deep Freeze, firewalls, antivirus, Folder Lock and the like. BE A REAL
HACKER!
- if the antivirus program is not installed in the standard directory, look
it up in the registry.
- don't identify the programs to block by their name, but by their CRC or
their header, so it still gets through even if the program file is renamed
- I'm waiting for your virus; even if I can't knock it down, I'll hunt for
your habits and break it! :-p
Wassalaamu'alaykum Warahmatullaahi wa Barakaatuh
/* Attachment: fluburung.txt */
==========================
======= FLU BURUNG =======
| |
= A souvenir from AMBON =
| Katong pung jua bisa ("We can do it too") |
==========================
==========================
Stamp: 02 July 2006, and.....
"HAPPY 20th BIRTHDAY Agnes Monica!"
Bugs Bunny says "What's up doc?"
Daffy Duck says "I'm infected doc"
So at the end of the story they save the screen.
TAXES? Everything gets taxed!
Luxury goods are taxed, saving at the bank gets taxed every month,
income is taxed, even food is taxed.
Indonesia is full of taxes (pajak)! No wonder it is full of pirates (pembajak).
The wise pay their taxes; fear of taxes turns people into pirates.
Only the air we breathe is not taxed, and that is already polluted
with smoke and pollutants. "Ask why?"
(Raven codename DIP "05062705056127019455")
MSG (monosodium glutamate) causes stupidity, which leads to laziness.
No wonder the Indonesian nation cannot progress, because its people are stupid.
Almost every Indonesian food product uses MSG.
The government must immediately ban the use of MSG on the market!
Maybe because the brains of the officials and the people's representatives
are also full of MSG,
so they cannot think straight!
Or they were elected as the smartest among the stupidest,
or is the nation being kept stupid on purpose so that they can steal
freely?
(Raven codename DIP "05062705056127019455")
Bird flu, come on, can a bird really catch the flu? Ask why?
Beware the danger of bird flu, it is dangerous, you know? You could RIP, you know?
(RIP "Rest in Peace"/Constantine)
The Rupiah has too many digits! (Okinawa)
Where is the government, really??????
The government today prefers money, money and money.
In fact now it is even more about regional elections, regional elections and regional elections.
We as students and as the public feel estranged from the government's
attention.
Ask why????
Just look at how much unemployment there is!!!
Who can actually talk to the government?????
Me????? No way anymore.
But hopefully the government will come to its senses on its own, yeah!!!
Bye, smooch!!! (Dino Gitchu)
Ewww....! (Trader)
/* Attachment: the registry entries that get damaged (restore script) */
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"SuperHidden"=dword:00000001
"Start_ShowControlPanel"=dword:00000001
"Start_EnableDragDrop"=dword:00000001
"StartMenuFavorites"=dword:00000001
"Start_ShowHelp"=dword:00000001
"Start_ShowMyComputer"=dword:00000001
"Start_ShowMyDocs"=dword:00000001
"Start_ShowMyMusic"=dword:00000001
"Start_ShowMyPics"=dword:00000001
"Start_ShowPrinters"=dword:00000001
"Start_ShowRun"=dword:00000001
"Start_ShowSearch"=dword:00000001
"Start_ShowRecentDocs"=dword:00000001
"Start_AutoCascade"=dword:00000001
"Start_NotifyNewApps"=dword:00000000
"Start_AdminToolsRoot"=dword:00000001
"StartMenuAdminTools"="YES"
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000001
"DisableThumbnailCache"=dword:00000001
"ShowSuperHidden"=dword:00000001
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000001
"Start_ShowNetPlaces_ShouldShow"=dword:00000041
"StartMenuRun"=dword:00000001
"StartMenuChange"=dword:00000001
"CascadeControlPanel"="YES"
"CascadeMyDocuments"="YES"
"CascadeMyPictures"="YES"
"CascadeNetworkConnections"="YES"
"CascadePrinters"="YES"
"StartMenuScrollPrograms"="YES"
"IntelliMenus"="YES"
"Start_ShowNetConn"=dword:00000001
"EnableBalloonTips"=dword:00000000
"StartMenuLogoff"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"DisableCurrentUserRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"DisableCurrentUserRun"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Type"="group"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Type"="group"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets]
"Type"="group"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO]
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE]
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE]
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade]
"Type"="checkbox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
; "name"=- deletes the value; the worm's autostart entries should not be left behind as empty strings
"WinUp"=-
"RsWin"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="1"
"Shell"="Explorer.exe"
"System"=""
"Userinit"="C:\\windows\\system32\\userinit.exe,"
; The Windows default AlternateShell is cmd.exe; an empty value breaks "Safe Mode with Command Prompt"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
; Image File Execution Options: a Debugger value here makes Windows launch that
; program instead of the named one, which is how the tools below get blocked.
; "Debugger"=- deletes the value outright rather than leaving an empty string.
; Each key path must stay on a single line, otherwise regedit rejects the file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
--
-----------------------------------------
El Harun Affandy
Jl. Ade Irma Suryani II / 509
Malang 65119
0341.70.90.256
http://friendster.com/elharun
-----------------------------------------
Only the air we breathe is not taxed, and that is already polluted with
smoke and pollutants. "Ask why?"
.:mr_coolface:.
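Added example (not part of the message above, and not code from the virus or from any of the tools it names): a small Python script for the offline route the post recommends, the disk pulled out and read from a clean machine. It parses the [autorun] section of an autorun.inf and reports every directive that would make Windows run something from the volume, and it parses a .reg export (the same format as the attached script) to flag what that script undoes: a Debugger value under Image File Execution Options (Windows starts that "debugger" in place of the named program, which is how the listed tools get blocked), a tampered Winlogon Shell, and non-empty Run entries. The sample .reg text and autorun.inf embedded below are constructed; the Debugger target, the WinUp path and the Shell value in them are hypothetical placeholders, because the post does not say what the worm actually writes there.

```python
"""Offline triage for a pulled disk: audit an autorun.inf and a .reg export.
Added example, standard library only; the sample inputs are constructed."""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):  # .reg strings escape " as \" and \ as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """'Windows Registry Editor Version 5.00' text -> {key: {name: data}}; strings
    are unescaped, dword:XXXXXXXX -> decimal string, "name"=- (delete) -> None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";":  # blank lines and ; comments
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:  # header line or continuation of hex data
            continue
        name = "" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if data == "-":
            keys[current][name] = None
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = str(int(data[6:], 16))
        else:
            keys[current][name] = data  # hex(...) and other types kept raw
    return keys


def audit_registry(reg):
    """Flag the tricks the post's restore script undoes: IFEO Debugger hijacks,
    a replaced Winlogon Shell, and autostart entries under the Run keys."""
    findings = []
    for key, values in reg.items():
        if key.lower().startswith(IFEO.lower() + "\\") and values.get("Debugger"):
            findings.append(f"IFEO hijack: {key[len(IFEO) + 1:]} -> {values['Debugger']}")
    shell = reg.get(WINLOGON, {}).get("Shell") or "Explorer.exe"
    if shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell tampered: {shell}")
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if data:  # "" and deleted (None) entries start nothing
                findings.append(f"autostart: {name} = {data}")
    return findings


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(entries):
    """Directives that run something from the volume: open=, shellexecute=,
    shell\\<verb>\\command=, and shell= (the default verb, run on double-click)."""
    launches = [f"{k} -> {v}" for k, v in entries.items() if k in ("open", "shellexecute")
                or (k.startswith("shell\\") and k.endswith("\\command"))]
    if "shell" in entries:
        launches.append(f"default verb set to '{entries['shell']}'")
    return launches


# Constructed .reg text; the post does not say what the worm writes into Debugger,
# Shell or Run, so the targets below are hypothetical placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUp"="C:\\WINDOWS\\system32\\WinUp.exe"
"RsWin"=-
'''
# Constructed autorun.inf; explorer.exe at the volume root mirrors the C:\explorer.exe dropper.
SAMPLE_AUTORUN = """[autorun]
open=explorer.exe
shellexecute=explorer.exe
shell\\open\\command=explorer.exe
shell=open
"""

if __name__ == "__main__":
    print(*audit_registry(parse_reg(SAMPLE_REG)), *audit_autorun(parse_autorun_inf(SAMPLE_AUTORUN)), sep="\n")
```

To run it on real input, read the export with open(path, encoding="utf-16"), since regedit and reg.exe write .reg files as UTF-16; if you mount the pulled disk's SOFTWARE hive under a temporary name with reg load, the exported key paths carry that name and the constants at the top have to be adjusted to match. An empty Debugger string, which is what the attached script writes, is not reported, only a value that actually names a program.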
Posting : [email protected]
Archive : http://www.mail-archive.com/[email protected]/
www.mitek.unibraw.ac.id || himamitek.brawijaya.ac.id