Analisa Virus Jablunt Code 1

namafile = “J4bLUnTz_cL0NE_I.vbs”

Isi file autorun.inf yang dibuat:
[autorun]
shellexecute=wscript.exe J4bLUnTz_cL0NE_I.vbs

Penempatan file HTML pada “C:\About Jablunt Clone I.html”
“D:\About Jablunt Clone I.html”
“C:\WINDOWS\System32\About Jablunt Clone I.html”
“C:\Documents and Settings\All Users\Desktop\About Jablunt Clone I.html”

Menyalin dirinya sendiri ke “C:\WINDOWS\msvbvm99.vbs”
FlashPath + “\J4bLUnTz_cL0NE_I.vbs”

Registry yang dibuat atau diubah:
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, “1″,”REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”, “1″, “REG_DWORD”
“HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winhelp32”, “wscript.exe C:\WINDOWS\ J4bLUnTz_cL0NE_I.vbs”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe\Debugger”,” ”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremover.exe\Debugger”,” ”
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind”, “1″, rdw
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”, “1″, rdw
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun”, “1″, rdw
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, “0″, rdw
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”, “0″, rdw
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization”, “The Jablunt Clone I”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner”,”Jabluntz_vbs”
“HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title”,” The Jablunt Connection ”
“HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption”, “JabluntClone I Attack!!”
“HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText”, “..,,,,,,,,,..,, .;r3HAH@@@G5:….,:::::::;;;s;;;;;;rrrrrssrr;;;r;;,X@X5XXXHMB@,,,,,,,,,. .i&@@@@@@@@@@@@@@9Sr,.;::::;;;:s;;;;;rrrr;;:;;;;;:;;;::G22X3H@2sAM,,,,,,,,. r@@@@@@@@@@@@###@@Komputer Error,harap pegang stavol anda!!@@@#Sr;::;;;;:rr;rrs;;::::::,,:rGB2r:,r23&B@M2r#@,,,,,,,,..&@@@@@@@@@@#AX5525S5h@@@5::;;;;;;rr;;;:::::,,.:sG@@@@@@HSs2XA##A9rB@,,,,,,,.:@@@@@###AAA95iSS522XB@M5SA;:;rrr;;;::::,,,..:iA@@@@@@@@@@@ASX3HHA&r3&,,,,,,.:@@@@@##Mh225XGM##H&GSX##AS5s:;rr;:::,,,…:5M@@@@@@####@@@@@323AAHAr2HA&,,,,,,.A@@@####B35XH###M##@#92&AhhH#@#A922sr5srSSystem Error,Please Turn Off Your Computer!!9X253HBB####MA92i2#@@Br,..,::::,.,;X#@@@@@”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a”, “Jablunt Clone I”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList”, “a”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys”, “1″, “REG_DWORD”
“HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR”, “1″, “REG_DWORD”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff”, “1″, “REG_DWORD”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel”, “1″, “REG_DWORD”
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name”, “Jablunt”
“HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName”, “Jablunt”
“HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName”, “Jablunt”
“HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive”, “1″
“HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE”, “C:\WINDOWS\system32\marquee.scr”
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Attributes”, “00011″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\BackgroundColor”, “0 0 0″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\CharSet”, “0″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Font”, “Verdana”
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Mode”, “1″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Size”, “24″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Speed”, “3″
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\Text”, “YTH. Virus Jabluntz!!”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”, “C:\WINDOWS\system32\userinit.exe, c:\windows\svchost.exe ” & inti
“HKEY_CURRENT_USER\Control Panel\Desktop\Screen Saver.Marquee\TextColor”, “255 0 0″
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell”, “explorer.exe, c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell”, “explorer.exe, c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec”, “%SystemRoot%\system32\cmd.exe, c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PugPlay\ImagePath”, “%SystemRoot%\system32\services.exe, c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\ImagePathservice”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPFMntor\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NSCService\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVScan\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPFMntor\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNDSrvc\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPBBCDrv\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPBBCSvc\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McDetect.exe\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McTskshd.exe\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcupdmgr.exe\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\ImagePath”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice\ImagePathservice”, “c:\windows\svchost.exe ” & inti
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\WarningIfNotDefault”, “Windows Security Center has been detected a new kind virus on your machine {codename: jablunt.vbs}. This virus can causes your machine damage! Please tell Microsoft about this or use Microsoft Windows Automatic Update. For further information, contact us at : www.playboy.com”
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\WarningIfNotDefault”, “Windows Security Center has been detected a new kind virus on your machine {codename: jablunt.vbs}. This virus can causes your machine damage! Please tell Microsoft about this or use Microsoft Windows Automatic Update. For further information, contact us at : www.playboy.com”

Mengubah icon file VBS menjadi icon folder

Itulah akhir dari efek yang dibuat oleh virus tersebut.