
Pikir: A “Cousin” of the Angel2 Worm

February 16th, 2012


Pikir. Stuxnet is not the only worm with a “cousin” (the Duqu worm); a piece of malware discussed here some time ago has one as well. Angel2 can be called a “cousin” of the Pikir worm, with the same pattern of attack results. One of the differences is the company name, which reads “Surabaya”.

A. File Info
Worm name : Pikir
Origin : Bogor
File size : 340 KB (348,160 bytes)
Packer : ~
Programming language : Microsoft Visual Basic 5.0 - 6.x
Icon : Malware Icon
Type : Worm

B. About the Malware
Like the Angel2 worm, Pikir creates many duplicate files with the same names as the original folders, a payload that also makes the computer feel increasingly slow at processing data.

The strings below clearly show what the Pikir worm does to the registry and which payloads it creates.

00000000004D   00000040004D      0   !This program cannot be run in DOS mode.
0000000001B0   0000004001B0      0   .text
0000000001D8   0000004001D8      0   .data
000000000200   000000400200      0   .rsrc
000000000228   000000400228      0   .sdata
000000000260   000000400260      0   MSVBVM60.DLL
00000000101E   00000040101E      0   RsNbQs
00000000102D   00000040102D      0   hQs'TDs
000000001036   000000401036      0   Rs$sOs
000000001041   000000401041      0   bQs,EDs
00000000107E   00000040107E      0   Qs|gOs[NDs
00000000108D   00000040108D      0   fQsNcQsG
0000000010A2   0000004010A2      0   Ps|iPsibPs
0000000010C9   0000004010C9      0   cQs=]Qs>
0000000010E6   0000004010E6      0   CsSHDsE
000000001518   000000401518      0   Project1
000000001590   000000401590      0   Form1
00000000159A   00000040159A      0   Form1
000000001651   000000401651      0   wwwwwwwwwwp
0000000016D2   0000004016D2      0   ;{{{{{{0
000000001792   000000401792      0   ;33;33;0
000000001931   000000401931      0   wwwww
0000000019EB   0000004019EB      0   Form1
000000001ADC   000000401ADC      0   Project1
000000001AE5   000000401AE5      0   Project1
000000001AEF   000000401AEF      0   Project1
000000001F80   000000401F80      0   Project1
000000001F8C   000000401F8C      0   Form1
000000001FD1   000000401FD1      0   *=8:O
000000001FFC   000000401FFC      0   C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
000000002064   000000402064      0   kernel32
000000002074   000000402074      0   AmbilDirektoriWindowA
0000000020C0   0000004020C0      0   InfeksiFolder
000000001CC3   000000401CC3      0   @*\AProject1
000000002120   000000402120      0   WScript.Shell
000000002140   000000402140      0   Scripting.FileSystemObject
000000002194   000000402194      0   window.exe
0000000021B0   0000004021B0      0   HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
000000002238   000000402238      0   gpmce
000000002248   000000402248      0   pikirrr
000000002258   000000402258      0   regwrite
000000002270   000000402270      0   Favorites
000000002288   000000402288      0   Fonts.exe
0000000022A4   0000004022A4      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
000000002328   000000402328      0   drives
000000002338   000000402338      0   DriveType
00000000234C   00000040234C      0   IsReady
00000000235C   00000040235C      0   AvailableSpace
000000002384   000000402384      0   DriveLetter
0000000023A8   0000004023A8      0   GetFolder
0000000023BC   0000004023BC      0   subfolders
0000000023F0   0000004023F0      0   MyDocuments
000000002408   000000402408      0   SpecialFolders
00000000242C   00000040242C      0   MyDocuments.exe
000000002450   000000402450      0   Recent
000000002464   000000402464      0   Recycle Bin.exe
000000002488   000000402488      0   startup
00000000249C   00000040249C      0   pikirrr.exe
0000000024B8   0000004024B8      0   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page
00000000254C   00000040254C      0   www.google.com
000000002570   000000402570      0   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\search page
000000002604   000000402604      0   www.yahoo.com
000000002624   000000402624      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoFolderOptions
0000000026E4   0000004026E4      0   REG_DWORD
0000000026FC   0000004026FC      0   HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString
0000000027A0   0000004027A0      0   @%SystemRoot%\system32\SHELL32.dll,-8964
0000000027F8   0000004027F8      0   HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString
00000000289C   00000040289C      0   @%SystemRoot%\system32\shell32.dll,-9216
0000000028F4   0000004028F4      0   HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon\
000000002990   000000402990      0   %SystemRoot%\System32\shell32.dll,31
0000000029E0   0000004029E0      0   HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\
000000002A7C   000000402A7C      0   %SystemRoot%\Explorer.exe,0
000000002AB8   000000402AB8      0   HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\empty
000000002B70   000000402B70      0   HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\full
000000002C14   000000402C14      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
000000002CF0   000000402CF0      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache
000000002DBC   000000402DBC      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
000000002E88   000000402E88      0   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
000000002F50   000000402F50      0   HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\disableCMD
000000008126   000000408126      0   VS_VERSION_INFO
000000008182   000000408182      0   VarFileInfo
0000000081A2   0000004081A2      0   Translation
0000000081C6   0000004081C6      0   StringFileInfo
0000000081EA   0000004081EA      0   040904B0
000000008202   000000408202      0   CompanyName
00000000821C   00000040821C      0   Surabaya
000000008236   000000408236      0   ProductName
000000008250   000000408250      0   Project1
00000000826A   00000040826A      0   FileVersion
000000008296   000000408296      0   ProductVersion
0000000082C6   0000004082C6      0   InternalName
0000000082E0   0000004082E0      0   Project1
0000000082FA   0000004082FA      0   OriginalFilename
00000000831C   00000040831C      0   Project1.exe
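
As an added example (not part of the original post or of any tool it mentions), this Python sketch triages a string dump in the column layout shown above, grouping the strings by what they indicate so that autorun keys, tool-lockout policies and dropped file names stand out from runtime noise. The category names and rule patterns are this example's own assumptions; the sample lines are copied from the dump above.

```python
import re
from collections import defaultdict

# Lines copied from the string dump on this page
# (columns: file offset, virtual address, resource id, string).
SAMPLE_DUMP = r"""
000000002064   000000402064      0   kernel32
000000002194   000000402194      0   window.exe
0000000021B0   0000004021B0      0   HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
00000000249C   00000040249C      0   pikirrr.exe
0000000024B8   0000004024B8      0   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page
000000002624   000000402624      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoFolderOptions
0000000026FC   0000004026FC      0   HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString
000000002C14   000000402C14      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
000000002DBC   000000402DBC      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
000000002E88   000000402E88      0   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
000000002F50   000000402F50      0   HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\disableCMD
"""

# One dump row: 12 hex digits, 12 hex digits, resource id, then the string itself.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{12})\s+([0-9A-Fa-f]{12})\s+(\d+)\s+(.+?)\s*$")

# (category, pattern) pairs; the first matching rule wins.
# Category names are assumptions of this example, not terms from the post.
RULES = [
    ("autorun", re.compile(r"\\CurrentVersion\\Run\\?$", re.I)),
    ("tool_lockout", re.compile(
        r"\\Policies\\.*\\(DisableTaskMgr|DisableRegistryTools|NoFolderOptions|DisableCMD)$",
        re.I)),
    ("shell_object", re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\\{[0-9A-F-]{36}\}\\", re.I)),
    ("explorer_view", re.compile(r"\\Explorer\\Advanced\\", re.I)),
    ("browser", re.compile(r"\\Internet Explorer\\Main\\", re.I)),
    ("exe_name", re.compile(r"^[\w .-]+\.exe$", re.I)),
]


def triage(dump_text):
    """Return {category: [(virtual_address, string), ...]} for classified strings."""
    findings = defaultdict(list)
    for raw in dump_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, fused or otherwise malformed row
        va, text = int(m.group(2), 16), m.group(4)
        for category, pattern in RULES:
            if pattern.search(text):
                findings[category].append((va, text))
                break  # unmatched strings (runtime imports, noise) are dropped
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DUMP).items():
        print(category)
        for va, text in items:
            print(f"  {va:08X}  {text}")
```
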

C. Companion/Files Created

The Pikir worm creates a file named after the folder in which it resides. On removable disks specifically, it creates files named window.exe and pikirrr.exe, and in the My Documents folder there will be two files named MyDocuments.exe and My Documents.exe.

D. Infection Results

In the startup folder there are two hosts named startup; this is because the Pikir worm's payload creates a file named after the folder in which the worm resides. On top of that, its host named Pikirrr.exe makes the startup process even slower. Some of the modified registry entries are clearly visible in the Pikir string dump above. Folder Options and Command Prompt are also disabled.

E. Cleanup
Manual method:
1. Download a task manager replacement such as Process Explorer or Process Hacker.
2. The following example uses Process Hacker to terminate the worm's process. Do as shown in the figure below.

3. Use Search in Explorer to find all files with the search settings shown in the figure below, then delete the Pikir worm files that are found.

4. To repair the registry entries modified by the Pikir worm, copy the source code below into Notepad, then save it as Repair.vbs (it must use the .vbs extension). Run the repair.vbs file.

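Rem Repair.vbs - restores the registry values changed by worm Pikir
Rem Errors are ignored so that a value that does not exist does not stop the script
On Error Resume Next
Dim Repair_Pikir
Set Repair_Pikir = CreateObject("WScript.Shell")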

Rem Delete Key or Value
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
Repair_Pikir.RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\"
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gpmce"
Repair_Pikir.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpmce"

Rem Fix Wrong Value
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString", "@%SystemRoot%\system32\shell32.dll,-9216"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InfoTip", "@%SystemRoot%\system32\shell32.dll,-22913"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon\", "%SystemRoot%\Explorer.exe,0"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString", "@%SystemRoot%\system32\shell32.dll,-8964"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InfoTip", "@%SystemRoot%\system32\shell32.dll,-22915"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\", "%SystemRoot%\system32\shell32.dll,31"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty", "%SystemRoot%\system32\shell32.dll,31"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full", "%SystemRoot%\system32\shell32.dll,32"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","2","REG_DWORD"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache","0","REG_DWORD"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "about:blank"

MsgBox "Done...", 64, "Reg Repair for Worm Pikir"

Another way is to use PCMAV 6.3 with at least Update Build1, described below.

PCMAV 6.3 Update Build1

To eradicate this virus and other virus variants, PCMAV 6.3 Update Build1 is now available, adding 119 new virus variant signatures. If you use PCMAV 6.3, updating immediately is strongly recommended so that your PCMAV can recognize and eradicate even more viruses.

To obtain and use this PCMAV update, simply run PCMAV.exe; the computer must be actively connected to the Internet. If the Internet connection uses a proxy, set the proxy configuration in the proxy.txt file. PCMAV's Automatic Updates feature will automatically download and update the PCMAV database. You can also update at any time by right-clicking the PCMAV icon in the system tray and choosing Update.

If you want to get the update file manually, you can download it through these links:

SendSpace.com

ZippyShare.com (mirror)

Place the downloaded file (update.vdb) in the \vdb folder. If an older update file is already there, simply overwrite it. Make sure once more that the update file is named update.vdb; if it is not, just rename it. The next time you run PCMAV, it will already be updated.

Additional viruses recognized as of PCMAV 6.3 Update Build1:
Alice.html
Alice.inf
Angel2
BlackN.B
BlackN.C
ErrorReport
FakeAV-Downloader.AH
FakeAV-Downloader.AH.lnk.A
FakeAV-Downloader.AH.lnk.B
FakeAV-Downloader.AI
FakeAV-Downloader.AI.dll
FakeAV-Downloader.AJ
FakeAV-Downloader.AK
FakeAV-Downloader.AL
FakeAV-Downloader.AL.exe
FakeAV-Downloader.AL.lnk
FakeAV-Downloader.AM
FakeAV-Downloader.AN
FakeAV-Downloader.AO
FakeAV-Downloader.AP
FakeAV-Downloader.AP.dll
FakeAV-Downloader.AP.lnk.A
FakeAV-Downloader.AP.lnk.B
FakeAV-Downloader.AQ
FakeAV-Downloader.AQ.mht
FakeAV-Downloader.AR
FakeAV-Downloader.AR.tlb
FakeAV-Downloader.AS
FakeAV-Downloader.AS.dat
FakeAV-Downloader.AS.tmp
FakeAV-Downloader.AT
FakeAV-Downloader.AT.tmp
FakeAV-Downloader.AU
FakeAV-Downloader.AV
FakeAV-Downloader.AV.dat
FakeAV-Downloader.AW
NgrBot.AA
NgrBot.AB
NgrBot.AC
NgrBot.AD
NgrBot.AD.exe.A
NgrBot.AD.exe.B
NgrBot.AE
NgrBot.AE.exe
NgrBot.AE.inf
NgrBot.AF
NgrBot.AF.exe.A
NgrBot.AF.exe.B
NgrBot.AF.exe.C
NgrBot.AF.exe.D
NgrBot.AF.exe.E
NgrBot.AG
NgrBot.AG.exe
NgrBot.AH
NgrBot.AI
NgrBot.AI.exe
NgrBot.AJ
NgrBot.AJ.exe
NgrBot.AK
NgrBot.AL
NgrBot.AL.exe
NgrBot.AM
NgrBot.AM.exe
NgrBot.AN
NgrBot.AN.exe
NgrBot.X
NgrBot.Y
NgrBot.Y.drp
NgrBot.Z
Persist
Pikir
Serviks.vbs.D
Serviks.vbs.D.doc
Serviks.vbs.D.tmp
Serviks.vbs.D.vbe
Vobfus
Vobfus.com.A
Vobfus.com.B
Vobfus.drp.A
Vobfus.drp.B
Vobfus.exe.A
Vobfus.exe.AA
Vobfus.exe.AB
Vobfus.exe.AC
Vobfus.exe.AD
Vobfus.exe.AE
Vobfus.exe.B
Vobfus.exe.C
Vobfus.exe.cb8
Vobfus.exe.D
Vobfus.exe.E
Vobfus.exe.F
Vobfus.exe.G
Vobfus.exe.H
Vobfus.exe.I
Vobfus.exe.J
Vobfus.exe.K
Vobfus.exe.L
Vobfus.exe.M
Vobfus.exe.N
Vobfus.exe.O
Vobfus.exe.P
Vobfus.exe.Q
Vobfus.exe.R
Vobfus.exe.S
Vobfus.exe.T
Vobfus.exe.U
Vobfus.exe.V
Vobfus.exe.W
Vobfus.exe.X
Vobfus.exe.Z
Vobfus.html.A
Vobfus.html.B
Vobfus.html.C
Vobfus.tmp.A
Vobfus.tmp.B
Vobfus.tmp.C
Vobfus.tmp.D
Vobfus.tmp.E

  1. Alvin Sutanto
    February 16th, 2012 at 18:34 | #1

    KEEP GOING, PCMedia.

  2. February 17th, 2012 at 12:57 | #2

    Wow, PCMAV is a good idea for cleaning viruses, keep it up