Sunday, October 4, 2009

Make a Computer Virus in an instant


This Computer Times article is about the Virus Generator. It is published for educational purposes only. Please do not abuse it. Please deh ...



Remember the Aksika virus? That "open source" virus has a great many variants, which is no wonder: its source code is freely available on the Internet, so anyone can easily modify and recompile it into a new variant.



Starting from that ease, many virus writers and beginner programmers try to make a virus without much effort. All that is really needed is some knowledge of the operating system and of programming.

But even that convenience is nothing compared to using a Virus Generator program. The name alone tells you what it is for: a Virus Generator is a program for creating viruses easily and instantly.

It started with a virus sample that a great many readers sent to us. PC Media Antivirus knows it by the name Gen.FFE, Dawn, while other antivirus products call it Brontok.D. A simple investigation finally showed that the virus had been made with a Virus Generator.

Fast Firus Engine (FFE)

The generator's author calls his homemade program Fast Firus Engine. As stated in the program and on the author's site, it is meant only for learning and not for destructive actions. Still, if this program falls into the wrong hands, it can be used for destruction.

The virus generator was written in Visual Basic and compressed with the tELock packer. The package contains two files, Fast Firus Engine.exe and data.ex_. Fast Firus Engine.exe is the main program that produces the virus, while data.ex_ is the virus body itself in its original, unmodified form.

When Fast Firus Engine.exe is run, the user is presented with an interface that asks only for the name of the virus, the name of its author, and a message. Pressing the Generate button then produces the virus.

The way the generator works is actually very simple: it just appends the data you entered to the end of the original virus file (data.ex_). The virus later uses this information during infection.

How does the virus infect?

A virus created with FFE also looks simple. Like the generator, it is written in Visual Basic, compiled with the Native-Code method, and then compressed with tELock to reduce its size. The virus has an original size of 55,296 bytes.

When the virus is executed for the first time, it creates several master files in several locations. In the %WINDOWS%\ directory it drops files named nama.exe, Win32 exe, activex.exe, and %virusname% (the virus name the author filled in in the generator). In %WINDOWS%\system32\ it drops copy.pif, _default.pif, and surif.bin. It also alters or creates the Oeminfo.ini file that is shown in System Properties, so on a computer infected by an FFE-generated virus, System Properties will carry the words "Generated by Fast Firus Engine".

In the %WINDOWS%\System\ directory there will be more master files that use the same names as Windows system files, such as csrss.exe, winlogon.exe, lsass.exe, smss.exe, svchost.exe, and winlogon.exe.

And do not forget the root of the drive, which will contain a file named "read euy.txt" holding the message from the virus's author. When creating a virus with the generator, the author is presented with input boxes for the Author of the virus, the Name of the virus, and the Message; the contents of that Message box are what appear in "read euy.txt".

After the virus has copied its master files into the system, it runs them, so several virus processes will be resident in memory, such as csrss.exe, winlogon.exe, lsass.exe, smss.exe, svchost.exe, and winlogon.exe. The process names match those of Windows processes/services, most likely on purpose to deceive users. To tell them apart, look at the path of the running process: the virus processes usually run from the System directory, whereas genuine Windows processes/services usually come from the System32 directory.


Changing the Registry

The virus adds startup items to the registry so that it runs automatically when Windows starts, and it changes Windows settings to suit its purposes. The registry data it changes cannot be read easily, because it is stored in encrypted form.

It changes the value of the Userinit item by adding its master file as a parameter. In the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, the Load item is changed to point to the master file named Activex.exe. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ receives a new item, "present". HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ also receives new items, named default and %username%, where username is the name of the user logged on at the time.

FFE-generated viruses also change the shell extension information for .exe files, changing the type description from Application to File Folder. The Folder Options settings are also modified so that file extensions and files with the hidden attribute are not shown. And so that it can stay active in Safe Mode, it also changes the value of the SafeBoot item.

Using the Image File Execution Options registry key, the virus also adds new entries under the names cmd.exe, msconfig.exe, regedit.exe and taskmgr.exe. The effect is that whenever a user launches a program with one of those file names, Windows bypasses it and runs the virus's master file instead.
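The registry changes above are the most durable indicators an administrator can check for. The following read-only audit is an added example, not code from the article or from PC Media; it assumes the standard locations of the Winlogon, Windows and Image File Execution Options keys, and reports a Debugger entry under any of the four program names the article lists, any extra Userinit entry, a set Load value, and the Run entries (marking the default and %username% names).

```powershell
# Added example: read-only audit of the persistence points the article describes.
# Run in an elevated PowerShell prompt (3.0 or later); nothing is written.

# 1. Image File Execution Options: a Debugger value under a program's name makes
#    Windows launch that "debugger" instead of the program the user asked for.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'cmd.exe', 'msconfig.exe', 'regedit.exe', 'taskmgr.exe') {
    $key = Join-Path $ifeo $exe
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { "IFEO redirect: {0} -> {1}" -f $exe, $dbg }
    }
}

# 2. Userinit: only system32\userinit.exe belongs here; any extra comma-separated
#    entry is started at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon).Userinit
foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
    if ($entry.Trim() -notmatch '^(?:.*\\)?system32\\userinit\.exe$') {
        "Userinit extra entry: {0}" -f $entry.Trim()
    }
}

# 3. The per-user Load value (empty on a clean system).
$win = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -LiteralPath $win -ErrorAction SilentlyContinue).Load
if ($load) { "Load value set: {0}" -f $load }

# 4. Run keys: list everything, marking the two value names the article attributes to FFE
#    (the literal name "default", and the logged-on user's name).
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $k = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $flag = if ($name -eq 'default' -or $name -eq $env:USERNAME) { ' <-- FFE-style name' } else { '' }
        "Run: {0}\{1} = {2}{3}" -f $run, $name, $k.GetValue($name), $flag
    }
}
```

Every reported line is a lead, not a verdict: legitimate software also uses Run keys, so compare the referenced file paths against the drop locations named in the article.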


How Does the Virus Spread?

The virus spreads through data storage media such as flash disks. When you plug a flash disk into an infected computer, the flash disk receives several new files, such as explorer.exe, %virusname%.exe, and msvbvm60.dll, along with support files such as desktop.ini and autorun.inf, so that it runs automatically when the flash disk is accessed.

Other virus files are stored in a new directory on the flash disk named Recycled, containing Firus.pif and Folder.htt. All of these virus files carry the hidden attribute, so they are not visible.
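The remaining host artifacts the article describes (system-named processes started from %WINDOWS%\System rather than System32, the Oeminfo.ini marker, and the files dropped on flash disks) can be swept for the same way. This is an added example, not the article's or PC Media's code; it assumes oeminfo.ini sits at its standard System32 location and only reads from removable drives.

```powershell
# Added example: read-only sweep for the in-memory and on-disk artifacts described
# in the article. Elevated PowerShell 3.0 or later; nothing is changed or deleted.

# 1. Processes carrying Windows system names but not started from System32.
#    The article notes FFE drops its copies in %WINDOWS%\System and runs them.
$system32 = Join-Path $env:SystemRoot 'System32'
$sysNames = 'csrss.exe', 'winlogon.exe', 'lsass.exe', 'smss.exe', 'svchost.exe'
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $sysNames -contains $_.Name -and $_.ExecutablePath } |
    ForEach-Object {
        if (-not $_.ExecutablePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            "Masquerading process: {0} (PID {1}) from {2}" -f $_.Name, $_.ProcessId, $_.ExecutablePath
        }
    }

# 2. The System Properties branding file (assumed at its standard System32 location).
$oem = Join-Path $system32 'oeminfo.ini'
if ((Test-Path -LiteralPath $oem) -and (Select-String -LiteralPath $oem -Pattern 'Fast Firus Engine' -Quiet)) {
    "oeminfo.ini carries the FFE marker: {0}" -f $oem
}

# 3. Removable drives (DriveType 2): autorun.inf launch lines and the dropped files.
$dropped = 'explorer.exe', 'msvbvm60.dll', 'desktop.ini', 'Folder.htt', 'Recycled\Firus.pif'
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # Only the lines that name something to execute matter for triage.
        Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
            ForEach-Object { "autorun.inf on {0}: {1}" -f $root, $_.Trim() }
    }
    # -Force is needed because the article says these files carry the hidden attribute.
    foreach ($rel in $dropped) {
        $path = Join-Path $root $rel
        if (Test-Path -LiteralPath $path) {
            $attr = (Get-Item -LiteralPath $path -Force).Attributes
            "Dropped file on {0}: {1} [{2}]" -f $root, $rel, $attr
        }
    }
}
```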


How the Virus Acts

To survive, the virus tries to block any program it does not want running, such as tools or antivirus programs, including PCMAV. As with the modified registry data, the list of programs it blocks is also present in its body in encrypted form.

So while the virus is resident in memory, it monitors every program the user accesses by reading the file name and the window caption. Some of the antivirus files it checks for and blocks are nav.exe, avgcc.exe, njeeves.exe, ccapps.exe, ccapp.exe, kav.exe, nvcoas.exe, avp32.exe, and many others. Some setup or installer programs also cannot be run on the infected computer.


Prevention and Control

PC Media Antivirus RC19 can clean an infected computer completely and accurately, 100%, of every virus made with Fast Firus Generator. To keep the virus from blocking PCMAV, first rename the PCMAV file, for example PCMAV-CLN.EXE to MERDEKA.EXE.
