Saturday, October 18, 2008

Brontok Made in VB

Brontok, made in VB. This time you may already have heard the name... the Brontok virus. It is the virus that duplicates itself and names the copy after the folder or file shown in the active Windows Explorer window. Its trademark is the folder icon it uses, which fools anyone who only glances at it.

Why discuss this virus? Hmm... actually I was not too interested in discussing it. What got me interested, I think, is that a few days ago there was a frenzy about the Brontok virus and it infected several of my friends' computers.

OK, to save time, straight to the point.

From the file structure it is visible that the virus was built with Visual Basic 6.0. Oops... it is homemade, friend... but that is what makes it interesting.

This virus consists of 1 Form and 1 Module, named:

Form -> BrontokForm
Module -> API

With the following details:

Begin VB.Form BrontokForm
   Caption = "Brontok.A"
   ForeColor = &H8000000F
   ScaleMode = 1
   BeginProperty Font
      Name = ""
      Size = 195323.4944
      Charset = 29
      Weight = 774
   EndProperty

   Begin VB.Timer TmrBrontok
      Enabled = 0 'False
      Interval = 2000
      Left = 2160
      Top = 0
      Width = 57352
      Height = 1
   End
End


The project name is Brontok.vbp, stored in the directory:
F:\VPROJECT\REHAB\Re-1\BRONTOK.A

Clearly the virus was made by a local programmer of intermediate or higher skill.

There are a number of procedures and functions used, by name:

Form_QueryUnload (Cancel As Integer, UnloadMode As Integer)
TmrBrontok_Timer ()
Subr_004 ()
CekKoneksiInternet ()
ManipulasiExec ()
Subr_007 ()
KeluarDong ()
BronReg ()
CopyAppData ()
DownloadVir ()
StartDong ()
Startup ()
DecTeks ()
MutMutex ()
MutCr ()
DownloadFile ()
CekUpdate ()
InfekNetwork ()
Title ()
CekRemDisk ()
BikinFile ()
GetEmailFile ()
CekValidMail ()
GetTeks ()
CekKar ()
ListMail ()
GetTargetMBhs ()
GavMailer ()
BrontokMail ()
Subr_031 ()
DataEmail ()
DownMIME ()
FindFilesAPI ()
ListFileGav ()
InfekFile ()
SmallAttack ()
MinggirLoe ()
GetHostByNameAlias ()
StripNulls ()
BikinKredit ()

And some of the API functions it uses, among others:

Functions to read and write the registry:
Declare Function RegOpenKeyExA Lib "advapi32.dll" ()
Declare Function RegSetValueExA Lib "advapi32.dll" ()
Declare Function RegCloseKey Lib "advapi32.dll" ()
Declare Function RegCreateKeyExA Lib "advapi32.dll" ()

Declare Function Sleep Lib "KERNEL32" ()

Getting special folders:
Declare Function SHGetPathFromIDList Lib "shell32.dll" ()
Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" ()

Reading the contents of a web page:
Declare Function InternetOpenA Lib "wininet.dll" ()
Declare Function InternetOpenUrlA Lib "wininet.dll" ()
Declare Function InternetReadFile Lib "wininet.dll" ()
Declare Function InternetCloseHandle Lib "wininet.dll" ()

Getting a window caption:
Declare Function GetWindowTextA Lib "user32" ()
Declare Function GetWindowTextLengthA Lib "user32" ()

Getting the HWND of the active window:
Declare Function GetForegroundWindow Lib "user32" ()

Shutdown, reboot, log off Windows:
Declare Function ExitWindowsEx Lib "user32" ()
Declare Function GetCurrentProcess Lib "KERNEL32" ()
Declare Function OpenProcessToken Lib "advapi32" ()
Declare Function LookupPrivilegeValueA Lib "advapi32" ()
Declare Function AdjustTokenPrivileges Lib "advapi32" ()

Getting the media type (removable disk, CD-ROM, etc.):
Declare Function GetDriveTypeA Lib "KERNEL32" ()

Declare Function ShellExecuteA Lib "shell32.dll" ()
Declare Function RtlMoveMemory Lib "KERNEL32" ()

Winsock API:
Declare Function Closesocket Lib "wsock32.dll" ()
Declare Function connect Lib "wsock32.dll" ()
Declare Function htons Lib "wsock32.dll" ()
Declare Function inet_addr Lib "wsock32.dll" ()
Declare Function recv Lib "wsock32.dll" ()
Declare Function send Lib "wsock32.dll" ()
Declare Function socket Lib "wsock32.dll" ()
Declare Function gethostbyname Lib "wsock32.dll" ()
Declare Function WSAStartup Lib "wsock32.dll" ()
Declare Function WSACleanup Lib "wsock32.dll" ()
Declare Function WSAAsyncSelect Lib "wsock32.dll" ()

File-related functions:
Declare Function FindFirstFileA Lib "KERNEL32" ()
Declare Function FindNextFileA Lib "KERNEL32" ()
Declare Function GetFileAttributesA Lib "KERNEL32" ()
Declare Function FindClose Lib "KERNEL32" ()
Etc.

From the API functions used it is clear that Brontok spreads in several ways: sending e-mail, searching for computer names connected to the network and copying itself into shared folders, and copying itself into the folder open in the active Windows Explorer window. I think the virus's author has their own SMTP engine (whew, careful or you'll get caught).

Looking at the structure near the end, there are some encrypted strings, possibly exploit code or some names. Only God and the virus's creator know.

This virus imports the function ExitWindowsEx from user32.dll; this function is normally used to shut down Windows.
So the author built the virus with a trigger that shuts down or restarts the computer.

In addition, the file structure contains strings like these:
FOLDER.HTT
RORO
.HTT
.DOC
.CSV
.EML
.Cfm
.PHP
.WAB
.EML
.TXT
.HTML
.Htm
MY DATA SOURCES
California EBOOKS
MY MUSIC
MY SHAPES
My Videos
MY DOCUMENT

There are also the addresses of several sites it attacks (a DDoS, perhaps? I'm not sure). The virus also embeds its author's tag: -- JowoBot #VM Community --

Now look at the following three API functions:

Declare Function GetWindowTextA Lib "user32" ()
Declare Function GetWindowTextLengthA Lib "user32" ()
Declare Function GetForegroundWindow Lib "user32" ()

It seems the virus's author uses Windows Explorer to copy the file into other folders, by reading the caption of the active Explorer window, which contains the directory name/path. The first two functions (GetWindowTextA & GetWindowTextLengthA) read the caption, while GetForegroundWindow obtains the handle (HWND) of the active window.

So the virus cannot copy itself when the Windows Explorer caption is not in the form of a directory/path. You can defeat this by turning off the corresponding setting in Folder Options.

Another unique thing: the virus reads the contents of the page open in Internet Explorer, using these functions:

Declare Function InternetOpenA Lib "wininet.dll" ()
Declare Function InternetOpenUrlA Lib "wininet.dll" ()
Declare Function InternetReadFile Lib "wininet.dll" ()
Declare Function InternetCloseHandle Lib "wininet.dll" ()

My guess is that the virus's author looks for e-mail addresses on the open pages and sends the virus to the addresses found there, using keywords such as mailto: or @xxxx.com, etc.

For cleanup... please read more on other antivirus sites... um... sorry, I only discuss this part.

But to kill the virus quickly, try booting into Safe Mode and renaming the file MSVBVM60.dll to MSVBVM60.dl_,
because this virus needs the VB runtime. Once it is no longer active, we can delete the Brontok registry entries and files.

Unfortunately, this virus does not use a compressor (packer), which makes it easier for people to recognise it.
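Because the sample is not packed, the strings and imports listed above sit in the file in plain sight, so a simple string scan is enough to triage it. The script below is an added example (not from the post or the virus's author) that scores a file image by those indicators; the weights, the verdict threshold and the two constructed byte samples are my own assumptions.

```python
import re

# Indicator strings quoted in the post (compared case-insensitively); weights are my own.
STRING_INDICATORS = {
    b"MSVBVM60.DLL": 1,   # VB6 runtime import; the post's quick-kill trick relies on it
    b"BRONTOK.A": 3,      # form caption "Brontok.A" and the project path fragment
    b"BRONTOKFORM": 3,    # form name
    b"JOWOBOT": 3,        # author tag "-- JowoBot #VM Community --"
    b"FOLDER.HTT": 2,     # folder-customisation file name carried in the binary
}

# API names the post lists, grouped by the capability it attributes to them.
API_GROUPS = {
    "registry_persistence": (b"RegSetValueExA", b"RegCreateKeyExA"),
    "explorer_caption": (b"GetForegroundWindow", b"GetWindowTextA"),
    "web_page_read": (b"InternetOpenUrlA", b"InternetReadFile"),
    "raw_smtp_socket": (b"WSAStartup", b"connect", b"send"),
    "forced_shutdown": (b"ExitWindowsEx", b"AdjustTokenPrivileges"),
    "drive_and_file_scan": (b"GetDriveTypeA", b"FindFirstFileA"),
}

def _has_api(data: bytes, name: bytes) -> bool:
    # Import names are case-sensitive; the boundaries stop "send" matching "sender".
    pattern = rb"(?<![A-Za-z0-9_])" + re.escape(name) + rb"(?![A-Za-z0-9_])"
    return re.search(pattern, data) is not None

def triage(data: bytes) -> dict:
    """Score a raw file image; returns matched strings, capabilities and a verdict."""
    upper = data.upper()
    strings = [s for s in STRING_INDICATORS if s in upper]
    caps = [cap for cap, apis in API_GROUPS.items() if all(_has_api(data, a) for a in apis)]
    score = sum(STRING_INDICATORS[s] for s in strings) + 2 * len(caps)
    # Verdict (my threshold): VB runtime plus a Brontok name, or VB runtime plus at least
    # four capability groups, a combination an ordinary VB6 application rarely has.
    vb_runtime = b"MSVBVM60.DLL" in upper
    named = any(s in strings for s in (b"BRONTOK.A", b"BRONTOKFORM", b"JOWOBOT"))
    verdict = vb_runtime and (named or len(caps) >= 4)
    return {"score": score, "strings": strings, "capabilities": caps, "verdict": verdict}

# Constructed sample images (not real binaries): import-name and string tables only.
SUSPECT = (b"MSVBVM60.DLL\0RegSetValueExA\0RegCreateKeyExA\0GetForegroundWindow\0"
           b"GetWindowTextA\0InternetOpenUrlA\0InternetReadFile\0WSAStartup\0connect\0"
           b"send\0ExitWindowsEx\0AdjustTokenPrivileges\0GetDriveTypeA\0FindFirstFileA\0"
           b"Brontok.A\0FOLDER.HTT\0-- JowoBot #VM Community --\0")
BENIGN = (b"MSVBVM60.DLL\0GetForegroundWindow\0GetWindowTextA\0"
          b"RegSetValueExA\0RegCreateKeyExA\0sender\0MyApp\0")

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(image))
```

Run it against a real file with `triage(open(path, "rb").read())`; it is a triage heuristic for unpacked VB6 samples, not a substitute for an antivirus signature.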