PowerPoint Icon Virus

This virus, known as VBS/Agent.T (Norman), uses autorun from USB flash drives. Its characteristics:

  • Autorun.inf
  • sexy_bo.vbs (PowerPoint icon)
  • permainan_ketangkasan.vbs (PowerPoint icon)
  • skripsi.vbs (PowerPoint icon)
  • Stikom_Bali.vbs (PowerPoint icon)
  • C:\Documents and Settings\%user%\Application Data\svchost.vbs
  • C:\Documents and Settings\%user%\Desktop\STIKOM BALI.vbs
  • C:\Documents and Settings\%user%\Favorites\svchost.lnk

The symptoms are:

  • Disables the Find, Run and Folder Options functions
  • Disables System Restore
  • Task Manager, Regedit and MsConfig are changed to open Notepad

Registry values changed:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svchost = C:\Documents and Settings\%user%\Favorites\svchost.lnk

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFileAssociate=1
NoFind=1
NoFolderOptions=1
NoRun=1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD=1
DisableRegedit=1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden=0
HideFileExt=1
Start_ShowNetPlaces_ShouldShow=0

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr=1

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\SystemRestore
DisableSR=1

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe
Debugger = notepad.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
Debugger = notepad.exe

The following registry values change the .vbs icon to the PowerPoint icon:

HKEY_CLASSES_ROOT\VBSFile
(Default)=Microsoft PowerPoint Presentation
FriendlyTypeName = Microsoft PowerPoint Presentation
NeverShowExt = 1

HKEY_CLASSES_ROOT\VBSFile\DefaultIcon
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1

Script handlers are redirected:

HKEY_CLASSES_ROOT\inffile\shell\install\command
(Default) = logoff.exe

HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default) = logoff.exe

HKEY_CLASSES_ROOT\VBSFile\shell\edit\command
(Default) = logoff.exe
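
As an added example (not part of the original post), the registry changes listed above can be checked offline against a text export of the registry in `.reg` format. The rule names, function names and the `SAMPLE` export are constructed for illustration; any Debugger value under Image File Execution Options is reported for review, not only the seven executables listed here.

```python
POLICY_VALUES = {"nofileassociate", "nofind", "nofolderoptions", "norun",
                 "disablecmd", "disableregedit", "disabletaskmgr", "disablesr"}
HANDLER_KEYS = (r"\inffile\shell\install\command", r"\regfile\shell\open\command",
                r"\vbsfile\shell\edit\command")

def parse_reg(text):
    """Yield (key, value_name, raw_data) from regedit export text; '@' is (Default)."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line[:1] in ('"', "@") and "=" in line:
            name, data = line.split("=", 1)  # assumes no '=' inside the value name
            yield key, name.strip('"'), data

def classify(k, n, d):
    if "\\image file execution options\\" in k and n == "debugger":
        return "ifeo-debugger"     # starting the tool launches the "debugger" instead
    if "\\policies\\" in k and n in POLICY_VALUES and d == "dword:00000001":
        return "policy-lockout"    # Find, Run, Folder Options, CMD, Regedit, TaskMgr, SR
    if k.endswith("\\vbsfile") and n == "nevershowext":
        return "vbs-ext-hidden"    # .vbs extension stays hidden in Explorer
    if k.endswith(HANDLER_KEYS) and n == "@" and "logoff.exe" in d:
        return "handler-redirect"  # the verb logs the user off instead of running
    if k.endswith("\\currentversion\\run") and n == "svchost":
        return "run-persistence"   # Run value named after a system process

def findings(text):
    """Return [(rule, key, value_name)] for entries matching the page's indicators."""
    return [(rule, key, name) for key, name, data in parse_reg(text)
            if (rule := classify(key.lower(), name.lower(), data.lower()))]

# Constructed sample export (not from a real host); the txtfile key is benign.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Documents and Settings\\user\\Favorites\\svchost.lnk"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="notepad.exe"
[HKEY_CLASSES_ROOT\VBSFile]
"NeverShowExt"="1"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="logoff.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

Hidden=0 and HideFileExt=1 under Explorer\Advanced are left out of the rules because they also occur on clean systems.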
