
AryaN: Trojan with Flooding Attack

October 16th, 2011

AryaN. In IT terms, flooding means overloading a server by continuously sending it large volumes of packets (DDoS / Denial of Service attacks). AryaN does not only spread via flash drives using its new type of shortcut; it also downloads an NgrBot variant and carries out a flooding attack. Naturally, the trojan tries to keep this activity from being noticed by the user of the infected computer, so it hides behind another process while launching its attack.

A. File Info

Worm name : AryaN
Origin : ~
File size : 95.5 KB (97,792 bytes)
Packer : ~
Programming language : C++
Icon : Exe / Application
Type : Trojan, Worm

B. About Malware

The image above is a general simulation of the incident; AryaN also spreads through Yahoo Messenger. We initially received a report from the Indonesian virus forum about malware spreading via Facebook. When we checked it, at first glance it looked like an NgrBot variant, all the more so because, once run, it did download a new NgrBot variant. Then another report came in about the same malware with the same pattern. On re-examination, it turned out not to be a variant or companion of NgrBot, but a worm dedicated to a specific set of tasks:

1. Downloads a companion and runs it alongside its host
2. Downloads an NgrBot variant
3. Performs a DDoS against a particular website using the SYN flooding method.
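Item 3 names SYN flooding. As an added example that is not part of the original analysis, the Python below shows the defender's side: a small detector that buckets connection events into fixed one-second windows per destination port and flags a window that receives many SYNs while almost none of the sending sources complete the handshake, which is the characteristic shape of a SYN flood (a normal server sees SYNs followed by completions). The event tuple format, the thresholds and the sample traffic are all constructed for this illustration and are not from the page.

```python
from collections import defaultdict


def detect_syn_flood(events, window=1.0, min_syns=100, max_completion=0.2):
    """Flag SYN-flood windows.

    events: iterable of (ts, src, dst, dport, flag) tuples, flag being "SYN" for
    the first handshake packet or "ACK" for the client's final one (a constructed
    format for this example, not a real sensor's). Events are bucketed into fixed
    windows of `window` seconds per (dst, dport); a bucket is flagged when it
    holds at least `min_syns` SYNs and at most `max_completion` of them are
    followed by a handshake completion from the same source. Event order does
    not matter.
    """
    stats = defaultdict(lambda: {"syns": 0, "syn_src": set(), "ack_src": set()})
    for ts, src, dst, dport, flag in events:
        s = stats[(int(ts // window), dst, dport)]
        if flag == "SYN":
            s["syns"] += 1
            s["syn_src"].add(src)
        elif flag == "ACK":
            s["ack_src"].add(src)

    alerts = []
    for (bucket, dst, dport), s in sorted(stats.items()):
        if s["syns"] < min_syns:
            continue  # too little traffic to be a flood at this threshold
        completed = len(s["syn_src"] & s["ack_src"])
        ratio = completed / s["syns"]
        if ratio <= max_completion:
            alerts.append({
                "window_start": bucket * window,
                "dst": dst,
                "dport": dport,
                "syns": s["syns"],
                "distinct_sources": len(s["syn_src"]),
                "completion_ratio": round(ratio, 3),
            })
    return alerts


def constructed_events():
    """Constructed sample traffic (not captured data): 20 legitimate clients that
    complete their handshakes during second 0, followed by 300 SYNs from 250
    spoofed-looking sources during second 1 with no completions at all."""
    ev = []
    for i in range(20):
        src = f"192.0.2.{i + 1}"
        ev.append((i * 0.04, src, "10.0.0.5", 80, "SYN"))
        ev.append((i * 0.04 + 0.01, src, "10.0.0.5", 80, "ACK"))
    for i in range(300):
        ev.append((1.0 + i * 0.003, f"198.51.100.{i % 250 + 1}", "10.0.0.5", 80, "SYN"))
    return ev


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_events()):
        print(alert)
```

The completion ratio is what separates a flood from a legitimately busy service: the legitimate window in the sample has 20 SYNs and 20 completions, so even with `min_syns` lowered to 10 it is not flagged, while the flood window has 300 SYNs and none. On a real sensor the thresholds should be tuned per service, since a large site can see hundreds of benign SYNs per second.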

The name "AryaN" is taken from one of the lines found in the threads it creates.

Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot

Inside AryaN's own body there are no strings that reveal what it is going to do. It is a different story when we look at the strings in its threads. Below is the dump we obtained.


File pos       Mem pos          ID   Text
========       =======          ==   ====

00000000004D   000002DA004D      0   !This program cannot be run in DOS mode.
0000000001C8   000002DA01C8      0   .data
0000000001F0   000002DA01F0      0   .idata
000000000218   000002DA0218      0   .rsrc
00000000023F   000002DA023F      0   @.reloc
000000001368   000002DA1F68      0   Botkiller
000000001374   000002DA1F74      0   Successfully Killed And Removed Malicious File: "%s"
000000001400   000002DA2000      0   Usage: %s IP PORT DELAY LENGTH
000000001428   000002DA2028      0   Failed To Start Thread: "%d"
00000000144C   000002DA204C      0   Failed: Mis Parameter
000000001468   000002DA2068      0   WinINet
000000001474   000002DA2074      0   Failed: "%d"
000000001484   000002DA2084      0   Visit
00000000148C   000002DA208C      0   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0000000014D4   000002DA20D4      0   Filed To Visit: "%s"
0000000014F0   000002DA20F0      0   Successfully Visited: "%s"
000000001520   000002DA2120      0   %s #%s
00000000152C   000002DA212C      0   %s %s
000000001540   000002DA2140      0   Terminated WGet Thread
000000001564   000002DA2164      0   Running From: "%s"
00000000157C   000002DA217C      0   [%s][%s] - "%s"
000000001590   000002DA2190      0   hh':'mm':'ss
0000000015E8   000002DA21E8      0   {%s}: %s
000000001618   000002DA2218      0   Update Complete, Uninstalling
00000000163C   000002DA223C      0   Successfully Executed Process: "%s"
000000001668   000002DA2268      0   Failed To Create Process: "%s", Reason: "%d"
0000000016A0   000002DA22A0      0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
000000001748   000002DA2348      0   Successfully Downloaded File To: "%s"
000000001778   000002DA2378      0   Downloading File: "%s"
000000001794   000002DA2394      0   Download
000000001840   000002DA2440      0   IsWow64Process
000000001884   000002DA2484      0   http://api.wipmania.com/
000000001FD4   000002DA2BD4      0   PRIVMSG
00000000205C   000002DA2C5C      0   Config
000000002064   000002DA2C64      0   Failed to load config
00000000212C   000002DA2D2C      0   AryaN{%s-%s-x%d}%s
000000002144   000002DA2D44      0   New{%s-%s-x%d}%s
000000002158   000002DA2D58      0   %s "" "%s" :%s
00000000216C   000002DA2D6C      0   %s %s
000000002174   000002DA2D74      0   %s %s :[AryaN]: %s
000000002190   000002DA2D90      0   %s %s %s
0000000021A4   000002DA2DA4      0   Finished Flooding "%s:%d"
0000000021C4   000002DA2DC4      0   Terminated UDP Flood Thread
0000000021E8   000002DA2DE8      0   %d%d%d%d%d%d%d%d
000000002200   000002DA2E00      0   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0000000023A4   000002DA2FA4      0   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0000000025B4   000002DA31B4      0   AutoRun Infected Removable Device: "%s\"
000000002857   000002DA3457      0   4 RAS_e
000000002877   000002DA3477      0   4 RAS
000000002AC9   000002DA36C9      0   z)ze'
000000002D7D   000002DA397D      0   /4*&{
000000002D9D   000002DA399D      0   O(hHj
000000003BBB   000002DA47BB      0   OWShX
000000003E13   000002DA4A13      0   D$0Pht
0000000044DA   000002DA50DA      0   SSPhZ
000000004BB9   000002DA57B9      0   j[YPSSh
000000004C26   000002DA5826      0   SSSSh
000000004C5F   000002DA585F      0   t)SSj
000000005209   000002DA5E09      0   Yt3Pj
000000005302   000002DA5F02      0   QQSVj
0000000055C9   000002DA61C9      0   Yt}Vh
0000000055FA   000002DA61FA      0   tF@Pj
000000005720   000002DA6320      0   SUVWh
000000005822   000002DA6422      0   VVVVh
00000000583C   000002DA643C      0   SVVVVh
000000005927   000002DA6527      0   tDVWWh$
000000005AF9   000002DA66F9      0   tUWSV
000000005B31   000002DA6731      0   WWWPWW
000000005C33   000002DA6833      0   +Y4;YPw2
000000005CB0   000002DA68B0      0   Yt8Pj
000000005F14   000002DA6B14      0   SUVWh
000000006098   000002DA6C98      0   QSUVWj
0000000063A7   000002DA6FA7      0   YYVVVhx
000000006499   000002DA7099      0   VVVhF
000000006650   000002DA7250      0   UUUVUU
00000000670F   000002DA730F      0   PVVj(WVVV
000000006920   000002DA7520      0   VPVh?
000000006A30   000002DA7630      0   VPVh?
000000006B14   000002DA7714      0   QSVW3
000000006C20   000002DA7820      0   YtPhL
000000006D31   000002DA7931      0   VVVhY
000000006E35   000002DA7A35      0   QQSVWj,
000000006EF7   000002DA7AF7      0   VSSSh
00000000735A   000002DA7F5A      0   PWhD!
000000007370   000002DA7F70      0   PWh,!
000000007414   000002DA8014      0   YPhX!
0000000075A2   000002DA81A2      0   trSWh,
000000007DB2   000002DAA1B2      0   PVVh%
00000000877C   000002DAAB7C      0   0866031
000000008950   000002DAAD50      0   udp.stop
0000000089B4   000002DAADB4      0   #newbitch
000000008A1C   000002DAAE1C      0   #newbitch1
000000008A80   000002DAAE80      0   6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
000000008AE4   000002DAAEE4      0   unsort
000000008B48   000002DAAF48      0   download.stop
000000008BAC   000002DAAFAC      0   remove
000000009564   000002DAD564      0   botkill
00000000962C   000002DAD62C      0   haso.dukatlgg.com
0000000096F4   000002DAD6F4      0   reconnect
000000009820   000002DAD820      0   HeavenOnEarth
0000000098E8   000002DAD8E8      0   visit
0000000099B0   000002DAD9B0      0   download
00000000A856   000002DAA856      0   PwS*Pw
00000000A88A   000002DAA88A      0   wcsstr
00000000A894   000002DAA894      0   memset
00000000A89E   000002DAA89E      0   _snwprintf
00000000A8AC   000002DAA8AC      0   wcscmp
00000000A8BE   000002DAA8BE      0   strncmp
00000000A8C8   000002DAA8C8      0   strstr
00000000A8D2   000002DAA8D2      0   _snprintf
00000000A8DE   000002DAA8DE      0   strcmp
00000000A8E8   000002DAA8E8      0   strncpy
00000000A8FA   000002DAA8FA      0   printf
00000000A904   000002DAA904      0   _vsnprintf
00000000A912   000002DAA912      0   wprintf
00000000A91C   000002DAA91C      0   _vsnwprintf
00000000A92A   000002DAA92A      0   srand
00000000A932   000002DAA932      0   strlen
00000000A93C   000002DAA93C      0   wcstombs
00000000A948   000002DAA948      0   mbstowcs
00000000A954   000002DAA954      0   strcpy
00000000A95E   000002DAA95E      0   memcpy
00000000A968   000002DAA968      0   _wcsicmp
00000000A974   000002DAA974      0   malloc
00000000A986   000002DAA986      0   wcscpy
00000000A990   000002DAA990      0   realloc
00000000A99A   000002DAA99A      0   strtok
00000000A9A4   000002DAA9A4      0   fclose
00000000A9AE   000002DAA9AE      0   fwprintf
00000000A9BA   000002DAA9BA      0   _wfopen
00000000A9C2   000002DAA9C2      0   MSVCRT.dll
00000000A9D0   000002DAA9D0      0   HeapFree
00000000A9DC   000002DAA9DC      0   ExpandEnvironmentStringsW
00000000A9F8   000002DAA9F8      0   HeapAlloc
00000000AA04   000002DAAA04      0   CloseHandle
00000000AA12   000002DAAA12      0   Process32NextW
00000000AA24   000002DAAA24      0   DeleteFileW
00000000AA32   000002DAAA32      0   MoveFileW
00000000AA3E   000002DAAA3E      0   SetFileAttributesW
00000000AA54   000002DAAA54      0   Sleep
00000000AA5C   000002DAAA5C      0   Process32FirstW
00000000AA6E   000002DAAA6E      0   CreateToolhelp32Snapshot
00000000AA8A   000002DAAA8A      0   lstrlenA
00000000AA96   000002DAAA96      0   SetThreadPriority
00000000AAAA   000002DAAAAA      0   GetLastError
00000000AABA   000002DAAABA      0   CreateThread
00000000AACA   000002DAAACA      0   GetLocaleInfoA
00000000AADC   000002DAAADC      0   TerminateThread
00000000AAEE   000002DAAAEE      0   GetModuleFileNameA
00000000AB04   000002DAAB04      0   GetModuleHandleA
00000000AB18   000002DAAB18      0   GetTimeFormatA
00000000AB2A   000002DAAB2A      0   GetTimeFormatW
00000000AB3C   000002DAAB3C      0   OutputDebugStringA
00000000AB52   000002DAAB52      0   OutputDebugStringW
00000000AB68   000002DAAB68      0   ReleaseMutex
00000000AB78   000002DAAB78      0   WaitForSingleObject
00000000AB8E   000002DAAB8E      0   WriteFile
00000000AB9A   000002DAAB9A      0   CreateFileW
00000000ABA8   000002DAABA8      0   GetTickCount
00000000ABB8   000002DAABB8      0   SetLastError
00000000ABC8   000002DAABC8      0   FindNextFileW
00000000ABD8   000002DAABD8      0   FindNextFileA
00000000ABE8   000002DAABE8      0   OpenProcess
00000000ABF6   000002DAABF6      0   GetProcAddress
00000000AC08   000002DAAC08      0   LoadLibraryW
00000000AC18   000002DAAC18      0   GetFileAttributesW
00000000AC2E   000002DAAC2E      0   GetVersionExA
00000000AC3E   000002DAAC3E      0   ReadFile
00000000AC4A   000002DAAC4A      0   GetFileSize
00000000AC58   000002DAAC58      0   CreateMutexW
00000000AC68   000002DAAC68      0   OpenMutexW
00000000AC76   000002DAAC76      0   GetProcessHeap
00000000AC88   000002DAAC88      0   CreateRemoteThread
00000000AC9E   000002DAAC9E      0   WriteProcessMemory
00000000ACB4   000002DAACB4      0   VirtualProtectEx
00000000ACC8   000002DAACC8      0   VirtualAllocEx
00000000ACDA   000002DAACDA      0   ReadProcessMemory
00000000ACEE   000002DAACEE      0   GetCurrentProcess
00000000AD02   000002DAAD02      0   VirtualAlloc
00000000AD12   000002DAAD12      0   GetCurrentProcessId
00000000AD28   000002DAAD28      0   LockResource
00000000AD38   000002DAAD38      0   LoadResource
00000000AD48   000002DAAD48      0   SizeofResource
00000000AD5A   000002DAAD5A      0   FindResourceW
00000000AD6A   000002DAAD6A      0   ExitProcess
00000000AD78   000002DAAD78      0   ExitThread
00000000AD86   000002DAAD86      0   GetDriveTypeW
00000000AD96   000002DAAD96      0   GetModuleFileNameW
00000000ADAC   000002DAADAC      0   GetModuleHandleW
00000000ADC0   000002DAADC0      0   SetErrorMode
00000000ADD0   000002DAADD0      0   CreateProcessW
00000000ADE2   000002DAADE2      0   TerminateProcess
00000000ADF6   000002DAADF6      0   lstrlenW
00000000AE02   000002DAAE02      0   CreateEventW
00000000AE12   000002DAAE12      0   CreateDirectoryW
00000000AE26   000002DAAE26      0   CopyFileW
00000000AE32   000002DAAE32      0   FindFirstFileW
00000000AE44   000002DAAE44      0   GetLogicalDriveStringsW
00000000AE5C   000002DAAE5C      0   KERNEL32.dll
00000000AE6A   000002DAAE6A      0   WS2_32.dll
00000000AE78   000002DAAE78      0   PathAppendW
00000000AE84   000002DAAE84      0   SHLWAPI.dll
00000000AE92   000002DAAE92      0   InternetReadFile
00000000AEA6   000002DAAEA6      0   InternetOpenUrlA
00000000AEBA   000002DAAEBA      0   InternetCloseHandle
00000000AED0   000002DAAED0      0   InternetOpenW
00000000AEDE   000002DAAEDE      0   WININET.dll
00000000AEEC   000002DAAEEC      0   CoCreateInstance
00000000AF00   000002DAAF00      0   CoUninitialize
00000000AF12   000002DAAF12      0   CoInitialize
00000000AF20   000002DAAF20      0   ole32.dll
00000000AF2C   000002DAAF2C      0   GetModuleFileNameExW
00000000AF42   000002DAAF42      0   PSAPI.DLL
00000000AF4E   000002DAAF4E      0   ShellExecuteA
00000000AF5E   000002DAAF5E      0   SHGetFolderPathW
00000000AF70   000002DAAF70      0   SHELL32.dll
00000000AF7E   000002DAAF7E      0   RegCloseKey
00000000AF8C   000002DAAF8C      0   RegDeleteValueW
00000000AF9E   000002DAAF9E      0   RegCreateKeyExW
00000000AFB0   000002DAAFB0      0   RegQueryValueExW
00000000AFC4   000002DAAFC4      0   RegOpenKeyExW
00000000AFD4   000002DAAFD4      0   RegSetValueExW
00000000AFE6   000002DAAFE6      0   RegNotifyChangeKeyValue
00000000B000   000002DAB000      0   GetUserNameW
00000000B00E   000002DAB00E      0   ADVAPI32.dll
00000000C088   000002DAC088      0   1Al8deESCWJQjKrniRIiz5Ofdzfi1h
00000000C0A7   000002DAC0A7      0   A6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
00000000C112   000002DAC112      0   egregregerfwde
00000000C121   000002DAC121      0   svhost.exe
00000000C18B   000002DAC18B      0   APADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
00000000D01D   000002DAD01D      0   
00000000D029   000002DAD029      0   ">P>d>j>
00000000D051   000002DAD051      0   ?#?h?
00000000D06B   000002DAD06B      0   0=0C0g0n0{0
00000000D081   000002DAD081      0   0c1t1z1
00000000D091   000002DAD091      0   2'2.2:2?2I2\2l2q2w2|2
00000000D0B7   000002DAD0B7      0   3.333H3e3
00000000D0D1   000002DAD0D1      0   454
00000000D0F3   000002DAD0F3      0   5%5Y5e5p5w5
00000000D129   000002DAD129      0   7n8~8
00000000D135   000002DAD135      0   819F9N9
00000000D149   000002DAD149      0   :):4:?:J:U:
00000000D155   000002DAD155      0   :k:y:
00000000D183   000002DAD183      0   4>:>@>F>L>c>p>
00000000D1F0   000002DAD1F0      0   -070>0O0
00000000D1FF   000002DAD1FF      0   031:1h1
00000000D209   000002DAD209      0   202;2]2b2h2o2
00000000D21F   000002DAD21F      0   3'3.3=3C3R3a3
00000000D237   000002DAD237      0   4)4@4i4w4~4
00000000D25F   000002DAD25F      0   6$6-696E6J6W6]6
00000000D27B   000002DAD27B      0   62777G7M7S7b7n7
00000000D295   000002DAD295      0   7'8-8B8I8a8o8z8
00000000D2B1   000002DAD2B1      0   949>9J9c9i9
00000000D2D5   000002DAD2D5      0   9	:.:P:c:i:p:
00000000D2F3   000002DAD2F3      0   ;%;
00000000D2FF   000002DAD2FF      0   _>m>s>x>
00000000D329   000002DAD329      0   >&?+?;?A?G?
00000000D35B   000002DAD35B      0   1*1V1d1q1~1
00000000D379   000002DAD379      0   2,292F2S2
00000000D383   000002DAD383      0   2m2z2
00000000D393   000002DAD393      0   2l3v3
00000000D3B5   000002DAD3B5      0   4 4-42494?4D4J4W4_4g4p4v4
00000000D3E5   000002DAD3E5      0   4]5c5j5
00000000D401   000002DAD401      0   6&6:6@6X6
00000000D40B   000002DAD40B      0   6q6w6~6
00000000D413   000002DAD413      0   7$757
00000000D41D   000002DAD41D      0   778G8R8]8
00000000D42F   000002DAD42F      0   839C9L9
00000000D441   000002DAD441      0   :C:T:o:x:
00000000D44F   000002DAD44F      0   :3;
00000000D459   000002DAD459      0   ;g;~;
00000000D467   000002DAD467      0   E>N>
00000000D4AD   000002DAD4AD      0   ?=?Y?y?
00000000D4C7   000002DAD4C7      0   0E0Z0_0v0
00000000D4DF   000002DAD4DF      0   1=1C1L1R1\1b1
00000000D4EF   000002DAD4EF      0   2 2+2C2
00000000D501   000002DAD501      0   3!3]3s3|3
00000000D517   000002DAD517      0   4 4A4M4b4h4z4
00000000D52F   000002DAD52F      0   4(5755D5J5P5V5\5b5h5n5t5z5
00000000D719   000002DAD719      0   6"6(6.646:6@6F6L6R6X6
00000000D72F   000002DAD72F      0   6d6j6p6v6|6
00000000D76F   000002DAD76F      0   7$7*70767
00000000131D   000002DA1F1D      0   %userprofile%
000000001340   000002DA1F40      0   %appdata%
000000001358   000002DA1F58      0   %temp%
0000000013B4   000002DA1FB4      0   %s\removethis_%d%d%d.exe
0000000015C8   000002DA21C8      0   hh':'mm':'ss
0000000015F4   000002DA21F4      0   {%s}: %s
000000001718   000002DA2318      0   %temp%\oldfile.exe
0000000017A0   000002DA23A0      0   Mozilla/5.0 (compatible)
0000000017DC   000002DA23DC      0   %s\%d%d%d.exe
000000001800   000002DA2400      0   explorer.exe
000000001820   000002DA2420      0   Kernel32.dll
000000001860   000002DA2460      0   %s-deadlock
0000000018A4   000002DA24A4      0   %s\SysWOW64
000000001D70   000002DA2970      0   advapi32.dll
000000001D90   000002DA2990      0   comsupp.dll
000000001DAC   000002DA29AC      0   shell32.dll
000000001DC8   000002DA29C8      0   wininet.dll
000000001DE4   000002DA29E4      0   shlwapi.dll
000000001E00   000002DA2A00      0   dnsapi.dll
000000001E1C   000002DA2A1C      0   user32.dll
000000001E38   000002DA2A38      0   ws2_32.dll
000000001E54   000002DA2A54      0   psapi.dll
000000001E6C   000002DA2A6C      0   Ole32.dll
000000001E84   000002DA2A84      0   kernel32.dll
000000001EA4   000002DA2AA4      0   msvcrt.dll
000000001EC0   000002DA2AC0      0   dwm.exe
000000001ED4   000002DA2AD4      0   alg.exe
000000001EE8   000002DA2AE8      0   csrss.exe
000000001F00   000002DA2B00      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
000000001F70   000002DA2B70      0   %s-readfile
000000002048   000002DA2C48      0   cmd.exe
0000000020BC   000002DA2CBC      0   Software\Microsoft\Windows\CurrentVersion\Run
000000002240   000002DA2E40      0   %temp%\deletethis.exe
000000002274   000002DA2E74      0   Removable_Drive.exe
0000000022BC   000002DA2EBC      0   %s\{%s-%s}
0000000022D8   000002DA2ED8      0   /k "%s" Open %s
000000002300   000002DA2F00      0   %windir%\System32\cmd.exe
000000002340   000002DA2F40      0   %s\Removable_Drive.exe
000000002378   000002DA2F78      0   %s\%s
000000002388   000002DA2F88      0   %s\%s.lnk
000000002590   000002DA3190      0   %s\autorun.inf
0000000087C0   000002DAABC0      0   svhost.exe
000000008CDC   000002DAB0DC      0   C:\Documents and Settings\Administrator\Application Data\svhost.exe
0000000090EC   000002DAD0EC      0   C:\Documents and Settings\Administrator\Application Data\svhost.exe
000000009758   000002DAD758      0   egregregerfwde
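The dump above is a flat "File pos / Mem pos / ID / Text" table, and most of what an analyst wants from it (the C2 hostname, the Run persistence key, dropped-file paths under environment variables, IRC channel and bot command words, the remote-thread injection API chain, the flooding log message) can be pulled out mechanically. The Python below, added here and not part of the original analysis, parses that table format, skips the repeated page headers and the junk rows made of code bytes, and sorts the recovered strings into indicator categories. The category names and the matching rules are this example's own choices; the sample excerpt is copied from the dump above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One row of the dump: 12-hex-digit file offset, 12-hex-digit memory address,
# a numeric ID column, then the recovered text.
ROW_RE = re.compile(r"^([0-9A-Fa-f]{12})\s+([0-9A-Fa-f]{12})\s+(\d+)\s+(.*)$")


@dataclass(frozen=True)
class DumpString:
    file_pos: int
    mem_pos: int
    text: str


def parse_dump(dump: str) -> list[DumpString]:
    """Parse the table; header, '====' separator and blank lines do not match ROW_RE and are skipped."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(DumpString(int(m.group(1), 16), int(m.group(2), 16), m.group(4).rstrip()))
    return rows


# Indicator rules (this example's own categories). The first matching rule wins,
# so the bot-command word list is checked before the hostname pattern, which
# would otherwise also match "udp.stop".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
ENV_PATH_RE = re.compile(r"^%[a-z]+%\\", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.IGNORECASE)
EXE_RE = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)
IRC_RE = re.compile(r"^(#\S+|PRIVMSG)$")
FLOOD_RE = re.compile(r"flood", re.IGNORECASE)
BOT_COMMANDS = {"udp.stop", "download.stop", "remove", "botkill", "reconnect", "visit", "download", "unsort"}
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "VirtualProtectEx"}

RULES = [
    ("persistence_registry", lambda t: bool(RUN_KEY_RE.search(t))),
    ("bot_command", lambda t: t in BOT_COMMANDS),
    ("network_url", lambda t: bool(URL_RE.match(t))),
    ("env_path", lambda t: bool(ENV_PATH_RE.match(t))),
    ("network_host", lambda t: bool(HOST_RE.match(t)) and not t.lower().endswith((".exe", ".dll"))),
    ("executable_name", lambda t: bool(EXE_RE.match(t))),
    ("irc_c2", lambda t: bool(IRC_RE.match(t))),
    ("injection_api", lambda t: t in INJECTION_APIS),
    ("ddos_capability", lambda t: bool(FLOOD_RE.search(t))),
]


def classify(rows):
    """Group recovered strings by indicator category; strings matching no rule are dropped."""
    found = defaultdict(set)
    for r in rows:
        for name, pred in RULES:
            if pred(r.text):
                found[name].add(r.text)
                break
    return {k: sorted(v) for k, v in found.items()}


def injection_capable(rows) -> bool:
    """True when the classic remote-thread injection chain is imported in full."""
    texts = {r.text for r in rows}
    return {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"} <= texts


def triage(dump: str) -> dict:
    rows = parse_dump(dump)
    return {"rows": len(rows), "indicators": classify(rows), "process_injection": injection_capable(rows)}


# Excerpt copied from the dump above (header included to show that it is skipped).
SAMPLE_DUMP = r"""
File pos       Mem pos          ID   Text
========       =======          ==   ====

000000001368   000002DA1F68      0   Botkiller
000000001884   000002DA2484      0   http://api.wipmania.com/
000000001FD4   000002DA2BD4      0   PRIVMSG
000000002200   000002DA2E00      0   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
000000002D7D   000002DA397D      0   /4*&{
000000008950   000002DAAD50      0   udp.stop
0000000089B4   000002DAADB4      0   #newbitch
00000000962C   000002DAD62C      0   haso.dukatlgg.com
00000000ABE8   000002DAABE8      0   OpenProcess
00000000AC88   000002DAAC88      0   CreateRemoteThread
00000000AC9E   000002DAAC9E      0   WriteProcessMemory
00000000ACC8   000002DAACC8      0   VirtualAllocEx
00000000C121   000002DAC121      0   svhost.exe
000000001718   000002DA2318      0   %temp%\oldfile.exe
000000001F00   000002DA2B00      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

if __name__ == "__main__":
    for category, strings in triage(SAMPLE_DUMP)["indicators"].items():
        print(f"{category}: {strings}")
```

Running it on the full dump rather than the excerpt gives the same picture the analysis draws by hand: an IRC-style C2 on haso.dukatlgg.com, a Run-key persistence entry, executables dropped under %temp% and %appdata% with the look-alike name svhost.exe, and the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain that explains how the trojan hides behind another process while it floods.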
00000000004D   000002DA004D      0   !This program cannot be run in DOS mode.
0000000001C8   000002DA01C8      0   .data
0000000001F0   000002DA01F0      0   .idata
000000000218   000002DA0218      0   .rsrc
00000000023F   000002DA023F      0   @.reloc
000000001368   000002DA1F68      0   Botkiller
000000001374   000002DA1F74      0   Successfully Killed And Removed Malicious File: "%s"
000000001400   000002DA2000      0   Usage: %s IP PORT DELAY LENGTH
000000001428   000002DA2028      0   Failed To Start Thread: "%d"
00000000144C   000002DA204C      0   Failed: Mis Parameter
000000001468   000002DA2068      0   WinINet
000000001474   000002DA2074      0   Failed: "%d"
000000001484   000002DA2084      0   Visit
00000000148C   000002DA208C      0   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]

File pos       Mem pos          ID   Text
========       =======          ==   ====

0000000014D4   000002DA20D4      0   Filed To Visit: "%s"
0000000014F0   000002DA20F0      0   Successfully Visited: "%s"
000000001520   000002DA2120      0   %s #%s
00000000152C   000002DA212C      0   %s %s
000000001540   000002DA2140      0   Terminated WGet Thread
000000001564   000002DA2164      0   Running From: "%s"
00000000157C   000002DA217C      0   [%s][%s] - "%s"
000000001590   000002DA2190      0   hh':'mm':'ss
0000000015E8   000002DA21E8      0   {%s}: %s
000000001618   000002DA2218      0   Update Complete, Uninstalling
00000000163C   000002DA223C      0   Successfully Executed Process: "%s"
000000001668   000002DA2268      0   Failed To Create Process: "%s", Reason: "%d"
0000000016A0   000002DA22A0      0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
000000001748   000002DA2348      0   Successfully Downloaded File To: "%s"
000000001778   000002DA2378      0   Downloading File: "%s"
000000001794   000002DA2394      0   Download
000000001840   000002DA2440      0   IsWow64Process
000000001884   000002DA2484      0   http://api.wipmania.com/
000000001FD4   000002DA2BD4      0   PRIVMSG
00000000205C   000002DA2C5C      0   Config
000000002064   000002DA2C64      0   Failed to load config
00000000212C   000002DA2D2C      0   AryaN{%s-%s-x%d}%s
000000002144   000002DA2D44      0   New{%s-%s-x%d}%s
000000002158   000002DA2D58      0   %s "" "%s" :%s
00000000216C   000002DA2D6C      0   %s %s
000000002174   000002DA2D74      0   %s %s :[AryaN]: %s
000000002190   000002DA2D90      0   %s %s %s
0000000021A4   000002DA2DA4      0   Finished Flooding "%s:%d"
0000000021C4   000002DA2DC4      0   Terminated UDP Flood Thread
0000000021E8   000002DA2DE8      0   %d%d%d%d%d%d%d%d
000000002200   000002DA2E00      0   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0000000023A4   000002DA2FA4      0   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0000000025B4   000002DA31B4      0   AutoRun Infected Removable Device: "%s\"
000000002857   000002DA3457      0   4 RAS_e
000000002877   000002DA3477      0   4 RAS
000000002AC9   000002DA36C9      0   z)ze'
000000002D7D   000002DA397D      0   /4*&{
000000002D9D   000002DA399D      0   O(hHj
000000003BBB   000002DA47BB      0   OWShX
000000003E13   000002DA4A13      0   D$0Pht
0000000044DA   000002DA50DA      0   SSPhZ
000000004BB9   000002DA57B9      0   j[YPSSh
000000004C26   000002DA5826      0   SSSSh
000000004C5F   000002DA585F      0   t)SSj
000000005209   000002DA5E09      0   Yt3Pj
000000005302   000002DA5F02      0   QQSVj
0000000055C9   000002DA61C9      0   Yt}Vh
0000000055FA   000002DA61FA      0   tF@Pj
000000005720   000002DA6320      0   SUVWh
000000005822   000002DA6422      0   VVVVh
00000000583C   000002DA643C      0   SVVVVh
000000005927   000002DA6527      0   tDVWWh$
000000005AF9   000002DA66F9      0   tUWSV
000000005B31   000002DA6731      0   WWWPWW
000000005C33   000002DA6833      0   +Y4;YPw2
000000005CB0   000002DA68B0      0   Yt8Pj
000000005F14   000002DA6B14      0   SUVWh
000000006098   000002DA6C98      0   QSUVWj
0000000063A7   000002DA6FA7      0   YYVVVhx
000000006499   000002DA7099      0   VVVhF

File pos       Mem pos          ID   Text
========       =======          ==   ====

000000006650   000002DA7250      0   UUUVUU
00000000670F   000002DA730F      0   PVVj(WVVV
000000006920   000002DA7520      0   VPVh?
000000006A30   000002DA7630      0   VPVh?
000000006B14   000002DA7714      0   QSVW3
000000006C20   000002DA7820      0   YtPhL
000000006D31   000002DA7931      0   VVVhY
000000006E35   000002DA7A35      0   QQSVWj,
000000006EF7   000002DA7AF7      0   VSSSh
00000000735A   000002DA7F5A      0   PWhD!
000000007370   000002DA7F70      0   PWh,!
000000007414   000002DA8014      0   YPhX!
0000000075A2   000002DA81A2      0   trSWh,
000000007DB2   000002DAA1B2      0   PVVh%
00000000877C   000002DAAB7C      0   0866031
000000008950   000002DAAD50      0   udp.stop
0000000089B4   000002DAADB4      0   #newbitch
000000008A1C   000002DAAE1C      0   #newbitch1
000000008A80   000002DAAE80      0   6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
000000008AE4   000002DAAEE4      0   unsort
000000008B48   000002DAAF48      0   download.stop
000000008BAC   000002DAAFAC      0   remove
000000009564   000002DAD564      0   botkill
00000000962C   000002DAD62C      0   haso.dukatlgg.com
0000000096F4   000002DAD6F4      0   reconnect
000000009820   000002DAD820      0   HeavenOnEarth
0000000098E8   000002DAD8E8      0   visit
0000000099B0   000002DAD9B0      0   download
00000000A856   000002DAA856      0   PwS*Pw
00000000A88A   000002DAA88A      0   wcsstr
00000000A894   000002DAA894      0   memset
00000000A89E   000002DAA89E      0   _snwprintf
00000000A8AC   000002DAA8AC      0   wcscmp
00000000A8BE   000002DAA8BE      0   strncmp
00000000A8C8   000002DAA8C8      0   strstr
00000000A8D2   000002DAA8D2      0   _snprintf
00000000A8DE   000002DAA8DE      0   strcmp
00000000A8E8   000002DAA8E8      0   strncpy
00000000A8FA   000002DAA8FA      0   printf
00000000A904   000002DAA904      0   _vsnprintf
00000000A912   000002DAA912      0   wprintf
00000000A91C   000002DAA91C      0   _vsnwprintf
00000000A92A   000002DAA92A      0   srand
00000000A932   000002DAA932      0   strlen
00000000A93C   000002DAA93C      0   wcstombs
00000000A948   000002DAA948      0   mbstowcs
00000000A954   000002DAA954      0   strcpy
00000000A95E   000002DAA95E      0   memcpy
00000000A968   000002DAA968      0   _wcsicmp
00000000A974   000002DAA974      0   malloc
00000000A986   000002DAA986      0   wcscpy
00000000A990   000002DAA990      0   realloc
00000000A99A   000002DAA99A      0   strtok
00000000A9A4   000002DAA9A4      0   fclose
00000000A9AE   000002DAA9AE      0   fwprintf
00000000A9BA   000002DAA9BA      0   _wfopen
00000000A9C2   000002DAA9C2      0   MSVCRT.dll
00000000A9D0   000002DAA9D0      0   HeapFree
00000000A9DC   000002DAA9DC      0   ExpandEnvironmentStringsW
00000000A9F8   000002DAA9F8      0   HeapAlloc

File pos       Mem pos          ID   Text
========       =======          ==   ====

00000000AA04   000002DAAA04      0   CloseHandle
00000000AA12   000002DAAA12      0   Process32NextW
00000000AA24   000002DAAA24      0   DeleteFileW
00000000AA32   000002DAAA32      0   MoveFileW
00000000AA3E   000002DAAA3E      0   SetFileAttributesW
00000000AA54   000002DAAA54      0   Sleep
00000000AA5C   000002DAAA5C      0   Process32FirstW
00000000AA6E   000002DAAA6E      0   CreateToolhelp32Snapshot
00000000AA8A   000002DAAA8A      0   lstrlenA
00000000AA96   000002DAAA96      0   SetThreadPriority
00000000AAAA   000002DAAAAA      0   GetLastError
00000000AABA   000002DAAABA      0   CreateThread
00000000AACA   000002DAAACA      0   GetLocaleInfoA
00000000AADC   000002DAAADC      0   TerminateThread
00000000AAEE   000002DAAAEE      0   GetModuleFileNameA
00000000AB04   000002DAAB04      0   GetModuleHandleA
00000000AB18   000002DAAB18      0   GetTimeFormatA
00000000AB2A   000002DAAB2A      0   GetTimeFormatW
00000000AB3C   000002DAAB3C      0   OutputDebugStringA
00000000AB52   000002DAAB52      0   OutputDebugStringW
00000000AB68   000002DAAB68      0   ReleaseMutex
00000000AB78   000002DAAB78      0   WaitForSingleObject
00000000AB8E   000002DAAB8E      0   WriteFile
00000000AB9A   000002DAAB9A      0   CreateFileW
00000000ABA8   000002DAABA8      0   GetTickCount
00000000ABB8   000002DAABB8      0   SetLastError
00000000ABC8   000002DAABC8      0   FindNextFileW
00000000ABD8   000002DAABD8      0   FindNextFileA
00000000ABE8   000002DAABE8      0   OpenProcess
00000000ABF6   000002DAABF6      0   GetProcAddress
00000000AC08   000002DAAC08      0   LoadLibraryW
00000000AC18   000002DAAC18      0   GetFileAttributesW
00000000AC2E   000002DAAC2E      0   GetVersionExA
00000000AC3E   000002DAAC3E      0   ReadFile
00000000AC4A   000002DAAC4A      0   GetFileSize
00000000AC58   000002DAAC58      0   CreateMutexW
00000000AC68   000002DAAC68      0   OpenMutexW
00000000AC76   000002DAAC76      0   GetProcessHeap
00000000AC88   000002DAAC88      0   CreateRemoteThread
00000000AC9E   000002DAAC9E      0   WriteProcessMemory
00000000ACB4   000002DAACB4      0   VirtualProtectEx
00000000ACC8   000002DAACC8      0   VirtualAllocEx
00000000ACDA   000002DAACDA      0   ReadProcessMemory
00000000ACEE   000002DAACEE      0   GetCurrentProcess
00000000AD02   000002DAAD02      0   VirtualAlloc
00000000AD12   000002DAAD12      0   GetCurrentProcessId
00000000AD28   000002DAAD28      0   LockResource
00000000AD38   000002DAAD38      0   LoadResource
00000000AD48   000002DAAD48      0   SizeofResource
00000000AD5A   000002DAAD5A      0   FindResourceW
00000000AD6A   000002DAAD6A      0   ExitProcess
00000000AD78   000002DAAD78      0   ExitThread
00000000AD86   000002DAAD86      0   GetDriveTypeW
00000000AD96   000002DAAD96      0   GetModuleFileNameW
00000000ADAC   000002DAADAC      0   GetModuleHandleW
00000000ADC0   000002DAADC0      0   SetErrorMode
00000000ADD0   000002DAADD0      0   CreateProcessW
00000000ADE2   000002DAADE2      0   TerminateProcess
00000000ADF6   000002DAADF6      0   lstrlenW
00000000AE02   000002DAAE02      0   CreateEventW

File pos       Mem pos          ID   Text
========       =======          ==   ====

00000000AE12   000002DAAE12      0   CreateDirectoryW
00000000AE26   000002DAAE26      0   CopyFileW
00000000AE32   000002DAAE32      0   FindFirstFileW
00000000AE44   000002DAAE44      0   GetLogicalDriveStringsW
00000000AE5C   000002DAAE5C      0   KERNEL32.dll
00000000AE6A   000002DAAE6A      0   WS2_32.dll
00000000AE78   000002DAAE78      0   PathAppendW
00000000AE84   000002DAAE84      0   SHLWAPI.dll
00000000AE92   000002DAAE92      0   InternetReadFile
00000000AEA6   000002DAAEA6      0   InternetOpenUrlA
00000000AEBA   000002DAAEBA      0   InternetCloseHandle
00000000AED0   000002DAAED0      0   InternetOpenW
00000000AEDE   000002DAAEDE      0   WININET.dll
00000000AEEC   000002DAAEEC      0   CoCreateInstance
00000000AF00   000002DAAF00      0   CoUninitialize
00000000AF12   000002DAAF12      0   CoInitialize
00000000AF20   000002DAAF20      0   ole32.dll
00000000AF2C   000002DAAF2C      0   GetModuleFileNameExW
00000000AF42   000002DAAF42      0   PSAPI.DLL
00000000AF4E   000002DAAF4E      0   ShellExecuteA
00000000AF5E   000002DAAF5E      0   SHGetFolderPathW
00000000AF70   000002DAAF70      0   SHELL32.dll
00000000AF7E   000002DAAF7E      0   RegCloseKey
00000000AF8C   000002DAAF8C      0   RegDeleteValueW
00000000AF9E   000002DAAF9E      0   RegCreateKeyExW
00000000AFB0   000002DAAFB0      0   RegQueryValueExW
00000000AFC4   000002DAAFC4      0   RegOpenKeyExW
00000000AFD4   000002DAAFD4      0   RegSetValueExW
00000000AFE6   000002DAAFE6      0   RegNotifyChangeKeyValue
00000000B000   000002DAB000      0   GetUserNameW
00000000B00E   000002DAB00E      0   ADVAPI32.dll
00000000C088   000002DAC088      0   1Al8deESCWJQjKrniRIiz5Ofdzfi1h
00000000C0A7   000002DAC0A7      0   A6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
00000000C112   000002DAC112      0   egregregerfwde
00000000C121   000002DAC121      0   svhost.exe
00000000C18B   000002DAC18B      0   APADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
00000000131D   000002DA1F1D      0   %userprofile%
000000001340   000002DA1F40      0   %appdata%
000000001358   000002DA1F58      0   %temp%
0000000013B4   000002DA1FB4      0   %s\removethis_%d%d%d.exe
0000000015C8   000002DA21C8      0   hh':'mm':'ss
0000000015F4   000002DA21F4      0   {%s}: %s
000000001718   000002DA2318      0   %temp%\oldfile.exe
0000000017A0   000002DA23A0      0   Mozilla/5.0 (compatible)
0000000017DC   000002DA23DC      0   %s\%d%d%d.exe
000000001800   000002DA2400      0   explorer.exe
000000001820   000002DA2420      0   Kernel32.dll
000000001860   000002DA2460      0   %s-deadlock
0000000018A4   000002DA24A4      0   %s\SysWOW64
000000001D70   000002DA2970      0   advapi32.dll
000000001D90   000002DA2990      0   comsupp.dll
000000001DAC   000002DA29AC      0   shell32.dll
000000001DC8   000002DA29C8      0   wininet.dll
000000001DE4   000002DA29E4      0   shlwapi.dll
000000001E00   000002DA2A00      0   dnsapi.dll
000000001E1C   000002DA2A1C      0   user32.dll
000000001E38   000002DA2A38      0   ws2_32.dll
000000001E54   000002DA2A54      0   psapi.dll
000000001E6C   000002DA2A6C      0   Ole32.dll
000000001E84   000002DA2A84      0   kernel32.dll
000000001EA4   000002DA2AA4      0   msvcrt.dll
000000001EC0   000002DA2AC0      0   dwm.exe
000000001ED4   000002DA2AD4      0   alg.exe
000000001EE8   000002DA2AE8      0   csrss.exe
000000001F00   000002DA2B00      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
000000001F70   000002DA2B70      0   %s-readfile
000000002048   000002DA2C48      0   cmd.exe
0000000020BC   000002DA2CBC      0   Software\Microsoft\Windows\CurrentVersion\Run
000000002240   000002DA2E40      0   %temp%\deletethis.exe
000000002274   000002DA2E74      0   Removable_Drive.exe
0000000022BC   000002DA2EBC      0   %s\{%s-%s}
0000000022D8   000002DA2ED8      0   /k "%s" Open %s
000000002300   000002DA2F00      0   %windir%\System32\cmd.exe
000000002340   000002DA2F40      0   %s\Removable_Drive.exe
000000002378   000002DA2F78      0   %s\%s
000000002388   000002DA2F88      0   %s\%s.lnk
000000002590   000002DA3190      0   %s\autorun.inf
0000000087C0   000002DAABC0      0   svhost.exe
000000008CDC   000002DAB0DC      0   C:\Documents and Settings\Administrator\Application Data\svhost.exe
0000000090EC   000002DAD0EC      0   C:\Documents and Settings\Administrator\Application Data\svhost.exe
000000009758   000002DAD758      0   egregregerfwde

C. Companions / Files Created
1. Autorun.inf
Autorun.inf seems to be mandatory equipment for malware that spreads its companion via flash disks. It can be said that AryaN differs from earlier malware in its autorun source code. Here is an example.

Normally, the command that launches the malware host located in a folder on the flash disk, such as Open or Shell\Open / Shell\Explore, does not specify the drive's location, because if the removable disk's drive letter on a clean computer is not the same as the one in the autorun command, the malware most likely cannot be executed.

2. Shortcuts and Backup Folder

The figure above shows that the files on the flash disk are turned into shortcuts. In fact, the original files are moved into a folder named {[user name]-random name}. In addition, the shortcut's target is also slightly different.

C:\WINDOWS\system32\cmd.exe /k "F:\svhost.exe" Open F:\{Administrator-egregregerfwde}\rku37300509.exe

For a fuller explanation of those parameters, open a command prompt / cmd.exe and type the command "cmd.exe /?".
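As an added defender-side example (not code from this article or from PCMAV), the following Python script models the flash-disk layout described in C.1 and C.2: it parses a shortcut target of the shape shown above, pairs each .lnk in the drive root with its original in the {user-random} backup folder, and moves the originals back while removing autorun.inf and the dropped svhost.exe. The sample drive it builds is constructed with placeholder contents; real .lnk files are binary, so extracting their target would additionally need an LNK parser, which this example does not include.

```python
import re, shutil, tempfile
from pathlib import Path

# Shape of the shortcut target the article shows (regex constructed here, not taken from the malware):
#   <cmd.exe> /k "<X>:\svhost.exe" Open <X>:\{<user>-<random>}\<original name>
TARGET_RE = re.compile(
    r'cmd\.exe\s+/k\s+"(?P<host>[A-Za-z]:\\[^"]+)"\s+Open\s+'
    r'(?P<orig>[A-Za-z]:\\\{(?P<user>[^-}]+)-(?P<tag>[^}]+)\}\\\S+)\s*$', re.IGNORECASE)
BACKUP_DIR_RE = re.compile(r'^\{[^-}]+-[^}]+\}$')  # e.g. {Administrator-egregregerfwde}

def parse_shortcut_target(cmdline):
    """Split an AryaN-style shortcut target into launcher, backup-folder owner/tag and original path."""
    m = TARGET_RE.search(cmdline.strip())
    return m.groupdict() if m else None

def find_artifacts(root):
    """Inventory a mounted drive: backup folder, (shortcut, original) pairs, autorun.inf, dropped host."""
    root = Path(root)
    backup = next((p for p in root.iterdir() if p.is_dir() and BACKUP_DIR_RE.match(p.name)), None)
    pairs = []
    for lnk in root.iterdir():
        if backup and lnk.suffix.lower() == '.lnk' and (backup / lnk.stem).is_file():
            pairs.append((lnk, backup / lnk.stem))  # "report.docx.lnk" pairs with "report.docx"
    autorun, host = root / 'autorun.inf', root / 'svhost.exe'
    return {'backup_dir': backup, 'pairs': pairs,
            'autorun': autorun if autorun.is_file() else None,
            'host': host if host.is_file() else None}

def restore_drive(root):
    """Put originals back over their shortcuts and delete the dropper files; returns files restored."""
    report = find_artifacts(root)
    for lnk, original in report['pairs']:
        shutil.move(str(original), str(lnk.with_name(lnk.stem)))  # original takes the shortcut's place
        lnk.unlink()
    for junk in (report['autorun'], report['host']):
        if junk:
            junk.unlink()
    if report['backup_dir'] and not any(report['backup_dir'].iterdir()):
        report['backup_dir'].rmdir()  # only remove the hidden folder once it is empty
    return len(report['pairs'])

def build_sample_drive():
    """Constructed stand-in for an infected flash disk (placeholder contents, not real samples)."""
    root = Path(tempfile.mkdtemp())
    backup = root / '{Administrator-egregregerfwde}'
    backup.mkdir()
    (backup / 'report.docx').write_text('original document')
    (root / 'report.docx.lnk').write_bytes(b'L\x00\x00\x00')  # fake .lnk header, not a real shortcut
    (root / 'autorun.inf').write_text('[autorun]\n')
    (root / 'svhost.exe').write_bytes(b'MZ placeholder')
    return root
```

Run `restore_drive(build_sample_drive())` to see the constructed drive cleaned up; on a real drive the same pairing logic applies, but verify the shortcut targets first.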

D. Infection Results
This malware is one of the more unusual ones. Its payload was beyond what we expected, whether backing up the files on the flash disk and replacing them with shortcuts that carry the same icon as the original files, or connecting to several IP addresses such as:
- 199.15.234.7
- 91.217.153.113
- 92.234.27.178

It adds a value under the startup key so that it runs during startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
"egregregerfwde"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"

To mark that it is already active in memory, AryaN creates a mutex named “HGFSMUTEX000000000000f53a”.

E. Cleaning
With PCMAV 5.5 Update Build4, the AryaN trojan can be cleaned completely.

PCMAV 5.5 Update Build4

To eradicate this virus and other virus variants, PCMAV 5.5 Update Build4 has arrived with 104 new virus variant signatures added. If you are a PCMAV 5.5 user, you are strongly advised to update immediately so that your PCMAV can recognize and eradicate even more viruses.

To obtain and use this PCMAV update, simply run PCMAV.exe; the computer must be actively connected to the Internet. If your Internet connection uses a proxy, specify the proxy configuration in the proxy.txt file. PCMAV's Automatic Updates feature will automatically download and update the PCMAV database. You can also update at any time by right-clicking the PCMAV icon in the system tray and choosing Update.

If you want to obtain the update file manually, you can download it from these links:

SendSpace.com

ZippyShare.com (mirror)

RapidShare.com (mirror)

Place the downloaded file (update.vdb) into the \vdb folder. If an older update file is already there, simply overwrite it. Make sure once more that the update file is named update.vdb; if it differs, just rename it. The next time you run PCMAV, it will already be up to date.

List of viruses added up to PCMAV 5.5 Update Build4:

AryaN
AryaN.inf
AryaN.lnk
Autoit-ReplaceIcon.L
Autoit-ReplaceIcon.M
Autoit-ReplaceIcon.N
BanB
Chu
Craft3
Craft3.tmp
Elize.B
ErrorLove.vbs
ErrorLove.vbs.inf
ErrorLove.vbs.txt
FBSurprise
FBSurprise.drp
FBSurprise.exe.A
FBSurprise.exe.B
FBSurprise.job.A
FBSurprise.job.B
FBSurprise.jpg
FBSurprise.tmp.A
FBSurprise.tmp.B
FBSurprise.tmp.C
FluX
FluX.DLL
Flw
FontPorn.B
FontPorn.B.exe.A
FontPorn.B.exe.B
FontPorn.B.lnk
FontPorn.B.tmp
FontPorn.C
FontPorn.C.ini
Gen.VirVBS-BSoft
GooDown
Gphone
HelloPhilippines
HelloPhilippines.inf
HelloPhilippines.ini
HelloPhilippines.txt.A
HelloPhilippines.txt.B
IntreNat
LegendMir
LegendMir.dll
Maximus-GmbH.A
Mbzuchi
NgrBot.A.dat.variant
NgrBot.A.drp.A.variant
NgrBot.A.drp.B.variant
NgrBot.A.drp.C.variant
NgrBot.A.exe.A.variant
NgrBot.A.exe.B.variant
NgrBot.A.inf.variant
NgrBot.A.lnk.variant
NgrBot.A.variant
NgrBot.B.inf.variant
NgrBot.B.variant
NgrBot.C.variant
NgrBot.D.variant
NgrBot.E.variant
NgrBot.F.variant
NgrBot.G.variant
NgrBot.H.variant
Noa
Noa.inf
None
Retfig
Ric0.A
Ric0.B
Ric0.B.inf
Ric0.C
Romantic
Romantic.inf
Rose-Loren.F
SevenTech
SevenTech.host
Shared-Ptr
ShellExecuteA
ShellExecuteA.dat
ShellExecuteA.exe
SmallSmile.vbs
SmallSmile.vbs.inf
Sopian
Sopian.htm
TODO
TODO.drp
TroSystem
TroSystem.dat
TroSystem.inf
UltraSurf.A
UltraSurf.A.bat
UltraSurf.B
UltraSurf.C
UltraSurf.D
UltraSurf.D.bat
UrFace
VLyc
VLyc.ico
VLyc.url
X-Sample.vbs.C
X-Sample.vbs.C.inf
X-Sample.vbs.C.ini
X-Sample.vbs.C.mp3

  1. CyberElite
    October 16th, 2011 at 20:45 | #1

    Finally, first post.

    The Facebook chat virus doesn't stop attacking…
    that proves that Facebook has a security hole!!!

  2. dody
    October 16th, 2011 at 22:02 | #2

    Second!! Well, cyberlite beat me to it, even though I'm the IT person.

    @cyberlite: where does the assumption behind that conclusion come from? Where's the proof? I don't think so.

  3. efka
    October 16th, 2011 at 23:39 | #3

    bravo pcmav!!! keep up the good work..
    permission to download..

  4. CyberElite
    October 17th, 2011 at 07:17 | #4

    The proof is that Facebook has comment bots and like bots; even though maintenance removed those bots… bots like that will appear again…

  5. Niko X7
    October 18th, 2011 at 14:19 | #5

    one of the IPs mentioned earlier comes from the Philippines (I looked it up with Google Maps)

  6. October 19th, 2011 at 08:35 | #6

    Why does PCMAV crash when combined with ClamAV 0.97.2? Please enlighten me. Thank you

  7. prayitno
    October 20th, 2011 at 23:32 | #7

    Your ClamAV 0.97.2 is surely not from http://oss.netfarm.it/clamav/ but from http://sourceforge.net/projects/clamav/files/clamav/, so it's only natural that it crashes, because it isn't the one recommended by the PCMAV team; just read the readme.txt in your PCMAV folder as carefully as you can…. OK!

  8. A.RAHMAN
    October 25th, 2011 at 13:44 | #8

    PCMAV team, why does the PC Media antivirus usually fail to run when right-clicked while active in the system tray, and then PCMAV suddenly disappears when right-clicked in the system tray. This case happens on Windows 7 Ultimate, so we cannot use the available features because PCMAV is not stable enough… please fix this problem in version 6.1 so that users can use PCMAV with more peace of mind.

  9. Rizal
    October 25th, 2011 at 13:48 | #9

    Yes, that's right, PC Media team: when the PCMAV icon in the system tray is right-clicked, PCMAV doesn't work / doesn't respond and disappears suddenly, even though a password has been set. Please follow up on this problem, because it has gone unanswered by the PC Media team for a long time. So now please satisfy PC Media magazine's loyal customers.

  10. CyberElite
    October 26th, 2011 at 21:01 | #10

    @All: for those whose PCMAV has problems, please read what I put in quotes: “Please replace RTPak.dll in the lib folder with RTPak.dll from PCMAV 5.3, or download it from sendspace.com/file/roi1k8
    This problem may occur on the Windows XP operating system. In PCMAV 6.1 there should be no similar problems anymore. We apologize for the inconvenience.”
