Friday, June 26, 2009

AVI Cleans Up the Shortcut Worm


http://www.infokomputer.com/photo/2009/03/25/191334p.jpg
Have you found that your computer has suddenly become slow and is littered with shortcuts bearing names such as Mocrosoft.lnk, SuratQ.lnk, New Harry Potter and....lnk and others? If so, your computer has been infected with vbs/Yuyun.A, a worm also known as the shortcut worm.

The worm, which calls itself vbs/Yuyun.A, is one of the malware families actively spreading and already widespread in Indonesia. vbs/Yuyun.A infects a computer by copying itself into every drive, every inserted removable medium, and every shared directory it can reach. It also fills the user's hard drives with shortcuts and drops its payload message in every drive and subdirectory.

The infection technique is quite unusual and unlike that of other local VBS worms. vbs/Yuyun.A disguises its VBS file under a name resembling the Windows thumbnail image cache, 'Thumb.db' (the real cache file is Thumbs.db), so that it does not look suspicious. The disguise is not without consequences, though: because the file does not carry a script extension, Windows will not execute it directly, which complicates infection and spreading.

So how did the vxer, the author of this virus/worm, get around this?

Simply: the vxer created a trigger shortcut that executes the code in the worm file 'Thumb.db'. The shortcut calls wscript.exe, the Windows Script Host application that parses and interprets VBScript commands line by line. Looking at the shortcut's target reveals the trick behind sweet Yuyun's evil: the //E:VBScript switch tells wscript.exe which script engine to use, so the script file needs no .vbs extension at all. An example shortcut target, taken from one vbs/Yuyun.A sample, is:


C:\WINDOWS\system32\wscript.exe //E:VBScript thumb.db "Microsoft"
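That shortcut target is the whole trick, so here, as an added example that is not part of the original post or of AVI, is a small Python checker for .lnk target strings: it tokenises the command line, identifies the Windows Script Host binary, picks out the //E: engine override and the script argument, and flags the case where the host is told to run a file whose extension is not a script extension. The function and constant names and the three sample targets (the page's own launcher, a benign logon script and Notepad) are my own constructions; reading the target out of a real .lnk file is left to whatever LNK parser or COM call you already use.

```python
import ntpath
import re

# Windows Script Host binaries and the extensions they normally run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# One Windows command-line token: a double-quoted string or a run of
# non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def analyse_shortcut_target(target: str) -> dict:
    """Flag a .lnk target that drives wscript/cscript with an engine override.

    The worm's launcher is `wscript.exe //E:VBScript thumb.db`: the //E:
    switch selects the engine, so the script does not need a .vbs extension
    and can hide behind an innocuous-looking file name.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(target)]
    if not tokens:
        return {"host": None, "engine": None, "script": None, "suspicious": False}

    host = ntpath.basename(tokens[0]).lower()
    engine = None
    script = None
    for tok in tokens[1:]:
        m = re.match(r"^//E:(.+)$", tok, re.IGNORECASE)
        if m:
            engine = m.group(1)
        elif tok.startswith("//"):
            continue  # other WSH switches such as //B or //Nologo
        elif script is None:
            script = tok  # first non-switch argument is the script file
    ext = ntpath.splitext(script)[1].lower() if script else ""
    suspicious = host in SCRIPT_HOSTS and engine is not None and ext not in SCRIPT_EXTENSIONS
    return {"host": host, "engine": engine, "script": script, "suspicious": suspicious}


# Constructed sample targets: the page's worm launcher plus two benign ones.
SAMPLE_TARGETS = {
    "yuyun": r'C:\WINDOWS\system32\wscript.exe //E:VBScript thumb.db "Microsoft"',
    "logon_script": r'C:\WINDOWS\system32\wscript.exe "C:\Scripts\logon.vbs" //Nologo',
    "notepad": r'C:\WINDOWS\system32\notepad.exe "C:\Docs\notes.txt"',
}


def scan_targets(targets: dict) -> list:
    """Return the names of targets that look like the script-host launcher trick."""
    return [name for name, t in targets.items() if analyse_shortcut_target(t)["suspicious"]]


if __name__ == "__main__":
    for name, t in SAMPLE_TARGETS.items():
        print(name, analyse_shortcut_target(t))
    print("suspicious:", scan_targets(SAMPLE_TARGETS))
```

An administrator can legitimately use //E: as well, so treat a hit as a triage signal rather than a verdict; the stronger tell in this case is the combination with a script named after a Windows cache file, sitting next to the shortcut on a removable drive.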


To hamper analysis, the worm hides its malicious code behind a home-made encryption scheme: a single-byte XOR cipher. Because the worm is written in VBScript, its source can still be opened in an editor such as Notepad.

The decryptor for the encrypted block is visible in the source:

For v = 1 To Len(isiQ)          ' isiQ holds the encrypted text
    t = Asc(Mid(isiQ, v, 1))    ' take one character at a time
    hsl = hsl + Chr(t Xor 7)    ' XOR it with the key 7 and append to the result
Next                            ' hsl now holds the decrypted script

A sample of the encrypted data:

:::::::::::::::::::::::::::::::::::::::::::::::::::::::
'J~'ifjb'='^r~ri'Qbu'6)7
'N'mrts'pfiif'tbb'bqbu~'`nuk'khhlt'indb+'ebssbu+'lnict'btwbdnfkk~'f'jhtkbj'`nuk'
e~='Fihi~jhrtb'ni'Mfsnj+'Ihqbjebu'577?
'Pobi'N'ahric'ihsoni`'ebfrs~'bktb)))'fic'sobi'N'puhsb'sont'tdunws'ahu'fkk
:::::::::::::::::::::::::::::::::::::::::::::::::::::::

And after decryption it reads:

'=======================================================
' My name : Yuyun Ver 1.0
' I just wanna see every girl looks nice, better, kinds especially a moslem girl
' by: Anonymouse in Jatim, November 2008
' When I found nothing beauty else... and then I wrote this script for all
'=======================================================
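The decryptor above, reimplemented in Python as an added example (not code from the worm, from InfoKomputer or from AVI), together with a brute-force recovery of the single-byte XOR key for samples where the key is not sitting in plain view in the source. The ciphertext lines are the ones printed above, copied as they appear on this page; the function names (xor_decrypt, score_plaintext, recover_key, decrypt_sample) and the scoring heuristic are my own. Note that under XOR 7 the VBScript comment marker ' (0x27) encrypts to a space (0x20) and vice versa, which is why the leading comment marker of each decrypted line is missing from the ciphertext as reproduced: its encrypted form is leading whitespace.

```python
import string

# Characters accepted in a decrypted VBScript comment; anything outside this
# set (control bytes, high bytes) is penalised when scoring candidate keys.
PRINTABLE = set(string.printable)

# Encrypted comment lines as printed in the analysis above.
SAMPLE_CIPHERTEXT = [
    "'J~'ifjb'='^r~ri'Qbu'6)7",
    "'N'mrts'pfiif'tbb'bqbu~'`nuk'khhlt'indb+'ebssbu+'lnict'btwbdnfkk~'f'jhtkbj'`nuk'",
    "e~='Fihi~jhrtb'ni'Mfsnj+'Ihqbjebu'577?",
    "'Pobi'N'ahric'ihsoni`'ebfrs~'bktb)))'fic'sobi'N'puhsb'sont'tdunws'ahu'fkk",
]


def xor_decrypt(text: str, key: int) -> str:
    """Python equivalent of the worm's loop: XOR every character with key.

    XOR is its own inverse, so the same function also encrypts.
    """
    return "".join(chr(ord(c) ^ key) for c in text)


def score_plaintext(candidate: str) -> int:
    """Crude English-likeness score: letters and spaces count for one point,
    control or non-ASCII characters cost five."""
    score = 0
    for c in candidate:
        if c == " " or (c.isascii() and c.isalpha()):
            score += 1
        elif c not in PRINTABLE:
            score -= 5
    return score


def recover_key(ciphertext: str) -> int:
    """Try all 255 non-zero single-byte keys and return the one whose output
    looks most like text. This is the general attack on a single-byte XOR
    cipher; the worm's key 7 is just one instance."""
    return max(range(1, 256), key=lambda k: score_plaintext(xor_decrypt(ciphertext, k)))


def decrypt_sample() -> list:
    """Recover the key from the sample lines and decrypt each one with it."""
    key = recover_key("\n".join(SAMPLE_CIPHERTEXT))
    return [xor_decrypt(line, key) for line in SAMPLE_CIPHERTEXT]


if __name__ == "__main__":
    print("recovered key:", recover_key("\n".join(SAMPLE_CIPHERTEXT)))
    for line in decrypt_sample():
        print(repr(line))
```

The scoring works because XOR with a wrong key either turns every space into punctuation or pushes letters into control or high-byte ranges; only the right key keeps both letters and spaces intact. For a sample that is all punctuation or digits (the '=' ruler lines above, for instance), feed the scorer the comment text rather than the ruler.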

The worm's payload displays a message in Notepad containing poems on the 1st of every month other than March. When that date arrives, vbs/Yuyun.A also creates junk files en masse in every drive and subdirectory, containing the poems and named 'Read AQ.rtf' and 'My name is yuyun.rtf'.


The same routine also drops shortcuts on every drive with the following names:

"New Harry Potter and...", "New Folder", "SuratQ", "Rahasia", "Game", "Zvnita",
"Download", "DataQ"

So what is the solution? Easy: use AVI (AntiVirus InfoKomputer) to clean up this worm. Get the latest AVI InfoKomputer edition (April 2009) or download it here.
