Friday, November 6, 2009

Eradicating Worm VBS/Cryf.A, Shemale by CRY (Album Bokep)

Posted on 3:48 PM by janoko menebar cinta

VBS/Cryf.A was written in Visual Basic Script (VBScript), not Visual Basic. The first case appeared in my cyber cafe on 18 July 2009: it spread from a user's flash disk and tried to infect every PC on my network.

I'm not sure why so many Indonesian virus writers use this VBS technique (perhaps because they know VBScript runs on most targets without needing msvbvm.dll). Since I wrote an article about VBS a long time ago (I forget exactly when, maybe around 2003-2005) on the Jasakom website titled "VBS sederhana yang berbahaya", many people have tried to turn that simple code into something more advanced. Now I feel really stupid for sharing that article with the public...

How to tell whether you are infected by the worm VBS/Cryf.A:

1. The first time your computer is turned on, it will open a web browser and show these pictures.

2. VBS/Cryf.A will change your web browser's start page to:


3. There is a folder "album bokep" (Indonesian for a porn album) in every folder.

4. VBS/Cryf.A will change your System Properties to look like this:

5. It changes the file type description of .lnk files to "movie clip".

6. It will open and close your DVD/CD-ROM tray to make you panic.

VBS/Cryf.A master file:

VBS/Cryf.A has a master file called "drconfig.drv" with a file size of 218 KB; it is encrypted, which makes the code inside it a little hard to read.

When first activated it calls "svchost.vbs", and that script executes "drconfig.drv". It then creates the following files:

* %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
  o svchost.vbs
  o desktop.ini
  o drvconfg.drv
  o SHELL32.dll
* %Systemroot%\windows
  o appsys.exe
  o Winupdt.scx
  o appopen.scx
  o Windowsopen.mht
  o Windows.html
  o Regedit.exe.lnk
  o Help.htm
* %Systemroot%\Windows\system\svchost.exe
* %Systemroot%\WINDOWS\system32
  o Svchost.dls
  o Corelsetup.scx
  o Appsys.dls
  o Kernel32.dls
  o Taskmgr.exe.lnk
* %Systemroot%\WINDOWS\system32\
  o Winupdtsys.exe
  o ssmarque.scr
* %Systemroot%\Program Files\FarStone\qbtask.exe
* %Systemroot%\Program Files\ACDsee\Launcher.exe
* %Systemroot%\Program Files\Common Files\NeroChkup.exe
* %Systemroot%\Program Files\ExeLauncher
* %ProgramFiles%\drivers\VGA\VGAdrv.lnk
* %Systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls

The worm takes several actions to stay resident on the target computer:

* Disables Task Manager
* Disables Regedit
* Disables CMD (Command Prompt)
* Disables MSConfig
* Blocks wallpaper changes
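As an added example (not code from the original post), the following PowerShell script checks a machine for the dropped files listed above and for the .lnk type change from indicator 5. It assumes "%Systemroot%\windows" in the list means the Windows directory and "%Drive%" means every drive letter; it only reports what it finds and deletes nothing.

```powershell
# Added example, not part of the original post: read-only audit for the files
# the post attributes to VBS/Cryf.A. Assumptions: "%Systemroot%\windows" is the
# Windows directory ($env:SystemRoot) and "%Drive%" is every drive letter.
$win  = $env:SystemRoot
$pf   = $env:ProgramFiles
$desk = [Environment]::GetFolderPath('Desktop')
$sid  = 'S-1-5-21-343818398-18970151121-842a92511246-500'   # folder name the worm uses

$iocs = @(
  "$win\appsys.exe", "$win\Winupdt.scx", "$win\appopen.scx", "$win\Windowsopen.mht",
  "$win\Windows.html", "$win\Regedit.exe.lnk", "$win\Help.htm", "$win\system\svchost.exe",
  "$win\system32\Svchost.dls", "$win\system32\Corelsetup.scx", "$win\system32\Appsys.dls",
  "$win\system32\Kernel32.dls", "$win\system32\Taskmgr.exe.lnk", "$win\system32\CMD.exe.lnk",
  "$win\system32\Winupdtsys.exe", "$win\system32\ssmarque.scr",
  "$pf\FarStone\qbtask.exe", "$pf\ACDsee\Launcher.exe", "$pf\Common Files\NeroChkup.exe",
  "$pf\ExeLauncher", "$pf\drivers\VGA\VGAdrv.lnk", "$desk\Local Disk (C).dls"
)
# Per-drive artefacts: the fake Recycled\<SID> dropper folder, the lure folder,
# and the shortcut the worm leaves on flash disks.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
  $r = $d.Root                                  # e.g. "D:\"
  $iocs += "${r}Recycled\$sid\svchost.vbs", "${r}Recycled\$sid\drvconfg.drv",
           "${r}Album BOKEP", "${r}Dataku Penting Jangan Dihapus.lnk"
}

# [IO.File]/[IO.Directory] see hidden and system items, which Get-ChildItem
# skips by default; the worm hides its files, so that matters here.
$found = @($iocs | Where-Object { [IO.File]::Exists($_) -or [IO.Directory]::Exists($_) })

# Indicator 5 in the post: the .lnk type description is changed away from "Shortcut".
$lnk = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\lnkfile' -ErrorAction SilentlyContinue).'(default)'
if ($lnk -and $lnk -ne 'Shortcut') { $found += "HKCR\lnkfile default = '$lnk' (expected 'Shortcut')" }

if ($found) {
  Write-Host "Possible VBS/Cryf.A artefacts found:" -ForegroundColor Yellow
  $found | ForEach-Object { Write-Host "  $_" }
} else {
  Write-Host "None of the listed VBS/Cryf.A artefacts are present."
}
```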

It changes your screensaver to look like this:

Spreading technique and social engineering:

VBS/Cryf.A spreads using two techniques. One, as in my first article, uses autorun.inf files; besides that, the virus writer knows how to use social engineering to trick people with what looks like a porn movie but is actually the virus.

The virus writer also tries to manipulate people with another social-engineering trick: he tells them their computer is infected and offers a removal tool. Do not open that website (www.dinamikasolusi.co.nr); this virus writer may be using a technique I wrote about a long time ago, inserting a virus into the target computer using HTML code.

Enough; let's start removing this stupid worm VBS/Cryf.A.

HOW TO REMOVE WORM VBS/Cryf.A:

1. Kill the active virus processes in memory using CurrProcess: kill every process whose product name is "Microsoft (r) Windows Script Host".

2. Block the virus so it cannot run while we are cleaning:

Start -> Run -> type "SECPOL.MSC" -> click "Software Restriction Policies" -> click "Additional Rules" -> right-click "Additional Rules" and choose "New Hash Rule".

Under "File hash", click Browse and choose the file you want to block (WScript.exe); under "Security level" choose Disallowed, then click OK.

3. Fix the registry using this third-party tool (download it from HERE…). The values that must be restored are:

* Shell (Windows) = explorer.exe
* Userinit (Windows):
  o Windows NT/2000 = C:\WinNT\System32\userinit.exe,
  o Windows XP/2003/Vista = C:\Windows\System32\userinit.exe,

4. Delete the virus master file and all the files it created. To make deleting easier I recommend the tool ExplorerXP. Delete all the files listed below:

* %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
  o svchost.vbs
  o desktop.ini
  o drvconfg.drv
  o SHELL32.dll
* %Drive%\Album BOKEP\Naughty America
* %systemroot%\windows
  o appsys.exe
  o Winupdt.scx
  o appopen.scx
  o Windowsopen.mht
  o Windows.html
  o Regedit.exe.lnk
  o Help.htm
* %systemroot%\Windows\system\svchost.exe
* %systemroot%\WINDOWS\system32
  o Taskmgr.exe.lnk
  o CMD.exe.lnk
  o Svchost.dls
  o Corelsetup.scx
  o Appsys.dls
  o Kernel32.dls
  o Winupdtsys.exe
  o ssmarque.scr
* %systemroot%\Program Files\FarStone\qbtask.exe
* %systemroot%\Program Files\ACDsee\Launcher.exe
* %systemroot%\Program Files\Common Files\NeroChkup.exe
* %systemroot%\Program Files\ExeLauncher
* %ProgramFiles%\drivers\VGA\VGAdrv.lnk
* %systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls
* %Flash Disk%\Dataku Penting Jangan Dihapus.lnk

5. Un-hide your files TaskMgr.exe, Regedt32.exe, Regedit.exe, CMD.exe, and Logoff.exe, which the virus hid:

*Repeat for every file you want to make visible again.

6. For maximum cleaning I recommend scanning with your best antivirus program; in my case, Norman Antivirus was able to delete every part of this virus.

7. When all steps are done and no virus is found, delete the blocking rule we made:

Start -> Run -> type SECPOL.MSC -> click "Software Restriction Policies" -> click "Additional Rules" -> then delete the rule we made.

8. Restart your computer and scan again to make sure no part of worm VBS/Cryf.A is left, then use an updated antivirus to prevent it from coming back.
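An added PowerShell script (not from the original post) that does steps 3 and 5 without a third-party tool: it restores the Winlogon Shell/Userinit values from step 3, removes the standard policy values behind the "Disable Task Manager / Regedit / CMD / can't change wallpaper" effects (the value names are my assumption, since the post does not name them, and it names no value for MSConfig, so that is left out), and clears the hidden attribute on the tools from step 5. Run it elevated after steps 1 and 2.

```powershell
# Added example, not part of the original post. Undoes the registry changes the
# post describes (step 3 and the "Disable ..." list) and un-hides the tools from
# step 5. Run in an elevated PowerShell after the worm's processes are stopped.
$win   = $env:SystemRoot
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Step 3: the worm survives reboots by hijacking Shell/Userinit; restore the
# values the post gives (Userinit keeps its trailing comma).
$wl = Get-ItemProperty -Path $wlKey
$wanted = @{ Shell = 'explorer.exe'; Userinit = "$win\System32\userinit.exe," }
foreach ($name in $wanted.Keys) {
  if ($wl.$name -ne $wanted[$name]) {            # -ne is case-insensitive here
    Write-Host "Winlogon\$name was '$($wl.$name)'; restoring '$($wanted[$name])'"
    Set-ItemProperty -Path $wlKey -Name $name -Value $wanted[$name]
  }
}

# "Disable Task Manager / Regedit / CMD / can't change wallpaper": the standard
# policy values behind those effects (assumption: the post does not name them).
# Deleting the value, rather than zeroing it, leaves no policy in force.
$policies = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Names = 'DisableTaskMgr', 'DisableRegistryTools' },
  @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Names = 'DisableCMD' },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Names = 'NoChangingWallPaper' }
)
foreach ($p in $policies) {
  foreach ($n in $p.Names) {
    if ($null -ne (Get-ItemProperty -Path $p.Key -Name $n -ErrorAction SilentlyContinue)) {
      Write-Host "Removing policy value $($p.Key)\$n"
      Remove-ItemProperty -Path $p.Key -Name $n
    }
  }
}

# Step 5: the worm hides the real tools so its .lnk decoys are what the user sees.
# Clear Hidden/System/ReadOnly but keep any other attributes.
$mask  = [IO.FileAttributes]'Hidden, System, ReadOnly'
$tools = "$win\regedit.exe", "$win\System32\taskmgr.exe", "$win\System32\regedt32.exe",
         "$win\System32\cmd.exe", "$win\System32\logoff.exe"
foreach ($t in $tools) {
  if (-not [IO.File]::Exists($t)) { continue }
  $attr = [IO.File]::GetAttributes($t)
  if (([int]$attr -band [int]$mask) -ne 0) {
    Write-Host "Un-hiding $t"
    [IO.File]::SetAttributes($t, [IO.FileAttributes]([int]$attr -band -bnot [int]$mask))
  }
}
```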

Have a nice day, GBU :D

4 Responses to "Eradicating Worm VBS/Cryf.A, Shemale by CRY (Album Bokep)"

janoko menebar cinta Says....

Hehe, I've been through this too; at the time every computer on my LAN got hit. Every drive G, D, E, F... had an "album bokep/naughty america" folder. I had already scanned with Kaspersky 7 + SMADAV, but it still kept reappearing whenever the computer was restarted.

It turned out the virus was already installed on drive C of one of the computers on the network. Once it reaches the severe stage, this virus shows a ghost face picture, even though Deep Freeze was installed. So I unplugged the LAN cable and tried the method above. If you have tried the steps above, you will find a great many hidden virus files with the .vbs extension scattered across drive C. Those files have to be deleted manually; you can use Search to find them.

Good luck, it's 100% working! ^_^

suhud Says....

Thank you brother. Yesterday I spent half a day trying to wipe this virus from my laptop, without even knowing its name, and couldn't. I tried everything: bringing regedit back, using processxp, killing the odd-looking processes, still no luck. I couldn't install an antivirus, so I pulled the hard disk out and scanned it with AVG from another computer; it detected part of the virus, but the "ghost" still appeared, I still couldn't install anything, and the command prompt still wouldn't run. Finally I wanted to reinstall, but the laptop's CD-ROM is broken and it can't boot from USB (it's an old laptop :D). Then I copied the setup files to drive D, but the setup wouldn't run because of the virus. Terrible. T_T

But the virus is clean now bro, thanks a lot for the knowledge.
