A VBScript virus that is different from the rest


The VBScript trend does not seem to be over yet; local virus makers keep launching their attacks without pause. This time we will discuss a VBScript virus that differs from the rest and uses other techniques for its infection. PC Media identifies it as Repvblik.vbs. Admittedly, this virus is known not to be a recent release, but the technique it carries differs from that of the usual VBScript virus, and some readers are still complaining about it. The original virus file is 5,915 bytes in size. Small enough, isn't it? This is one of the advantages of VBScript viruses: the relatively small file size is an added benefit that can speed up the spread of the virus.



The virus ran smoothly on the Windows XP system we tested it on. At a glance, when viewed in Notepad, this virus with the .vbs extension is in an encrypted state. This is apparent as soon as it is opened, because only strange characters appear. Looking more carefully, however, there is a string "RPVBLK = True" or "RPVBLK = False" at the top, and at the bottom there is an ordinary, readable routine that serves as the decryptor.



Encryption

Decrypting the body of the virus is not difficult. Whatever encryption is applied can be undone, because the body itself contains the decryptor routine, which translates it byte by byte back into its original form. The encryption it uses merely plays with characters, shifting them forward or backward, which is commonly known as a Caesar cipher. We only had to insert a small routine that dumps the decrypted text, and could then easily study the behaviour of the virus from its source code.



Once the whole body of the virus has been decrypted, some comment strings are visible right at the top of the script source, one of them reading "Repvblik Ver 2.0 ^_^!", along with some messages.
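The same recovery can be done statically, without letting the script's own decryptor run. The following is an added example, not code from the article or from the virus: it assumes one constant shift applied to every character code (the article does not state the shift or the alphabet), tries every shift, and keeps the one that yields the most VBScript keywords. The sample text is constructed and harmless.

```python
# Added example: recover a Caesar-shifted script body without running it.
# Assumption: one constant shift applied to every character code (mod 256).
KEYWORDS = ("dim ", "set ", "wscript", "function", "end if", "next",
            "chr(", "mid(", "execute")

def shift_text(text, shift):
    """Shift every character code by `shift`, wrapping at 256."""
    return "".join(chr((ord(c) + shift) % 256) for c in text)

def score(text):
    """Count VBScript keywords: readable script scores high, noise near 0."""
    low = text.lower()
    return sum(low.count(k) for k in KEYWORDS)

def rank_shifts(ciphertext, top=3):
    """Return the `top` (score, shift) pairs, best first."""
    scored = [(score(shift_text(ciphertext, s)), s) for s in range(1, 256)]
    return sorted(scored, reverse=True)[:top]

def recover(ciphertext):
    """Return (shift, plaintext) for the best-scoring shift."""
    best_score, shift = rank_shifts(ciphertext, top=1)[0]
    if best_score == 0:
        raise ValueError("no shift produced recognisable VBScript")
    return shift, shift_text(ciphertext, shift)

# Constructed, harmless sample: shifted forward by 3 to stand in for the
# encrypted body.
PLAIN = 'Dim msg\r\nmsg = "constructed sample"\r\nWScript.Echo msg\r\n'
SAMPLE = shift_text(PLAIN, 3)

if __name__ == "__main__":
    shift, text = recover(SAMPLE)
    print("shift:", shift)
    print(text)
```

When working on a real file, read it with encoding="latin-1" so that every byte maps to one character code, and pass in only the encrypted part of the body.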



Virus in the startup

The first thing it does, of course, is create its master file. When the virus is executed on a clean computer, it creates an original master file in your Startup directory, which can be found under Start Menu > Startup with the name Repvblik.vbs. How does it tell whether a file is the master file or a file that has been infected? It keeps a marker at the very beginning of its script source, namely "RPVBLK", which can have the value True or False. The master file of the virus also runs automatically when Windows starts.



Messages

Alongside this, it creates a new directory named Repvblik on drive C:\. In that directory you will find a text file named Repvblik.txt, which is a message from the creator of the virus. Not only there: in every first-level directory you are also sure to find a Repvblik.txt file.



While it is active in memory, users looking at Task Manager will not see a process whose name resembles the virus's .vbs file name, because when a .vbs file is opened or clicked, Windows automatically runs wscript.exe as the interpreter for the script. So while the virus is active, the process that appears in Task Manager is wscript.exe. It is quite hard to tell whether a given wscript.exe is running a virus script or not, since some users still use VBScript to write small scripts that make their work easier. With a more advanced program such as Process Explorer, however, you can inspect every process in detail: right-click the process you are interested in, click Properties, and the Command Line edit box in Process Explorer shows which script wscript.exe is running.



Documents infection!

After the master file has been created successfully, it immediately launches its ultimate move, namely infecting the documents found in the My Documents directory. The files this virus infects are those with the extensions DOC, XLS, PPT, PPS, and RTF, which will be familiar to you. The infection flow can be learned by reading the routine clearly named explore_folder_and_infect_file, found in the body. What it does is actually very simple: it searches the My Documents directory, including its subdirectories, for files with those extensions, and whenever it finds one it promptly infects it. Before that, it deletes the contents of the Recent folder, which holds data on the most recently opened files.



It infects by appending the document being infected to the bottom of the virus body. So if you have a file named, for example, Skripsi.doc, the virus reads the entire contents of the file, places those contents at the bottom of the virus body, and puts the marker string "RPVBLK = False" at the start of the virus body, which means the virus has already infected the file. Other viruses with injection capability do the same, so that an infected file is not infected again. The infected file will be named Skripsi.doc.vbs, and the original document file is deleted. Your document has now become a VBScript file, which of course cannot be opened with Microsoft Word. There is no need to worry, however; let PCMAV do its job and restore your documents to their original state.

Later, when an infected file is run, the virus first extracts the document contained in its body into the current directory, then runs itself again, so that it looks as if nothing has happened.



Registry manipulation

The Repvblik virus also cunningly tries to change the default icon of every .vbs file to the Microsoft Word icon. It changes the file type description to "Microsoft Word Document" and hides the .vbs extension in Windows Explorer by adding a NeverShowExt item to the VBSFile key in the Windows Registry. When this has happened, ordinary users will not be able to distinguish genuine document files from files carrying the virus.
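A way to check a machine for these three changes, as an added example that is not part of the original article: it parses the text output of "reg query HKCR\VBSFile /s" rather than touching the registry itself. It assumes the output layout of reg query on current Windows versions (default value shown as "(Default)") and that the type description is the default value of the VBSFile key; both sample outputs, including the icon path, are constructed.

```python
import re

# "    <name>    REG_<type>    <data>" as printed by `reg query`
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(3).strip()
        elif not line[0].isspace():          # unindented line = key path
            current = keys.setdefault(line.strip().lower(), {})
    return keys

def check_vbsfile(text):
    """Return findings that match the tampering the article describes."""
    keys = parse_reg_query(text)
    root = keys.get(r"hkey_classes_root\vbsfile", {})
    icon = keys.get(r"hkey_classes_root\vbsfile\defaulticon", {})
    findings = []
    if "nevershowext" in root:
        findings.append("NeverShowExt present: .vbs extension is hidden")
    if "microsoft word" in root.get("(default)", "").lower():
        findings.append("type description claims to be a Word document")
    # Heuristic (assumption): a script icon normally comes from wscript.exe.
    if icon.get("(default)") and "wscript" not in icon["(default)"].lower():
        findings.append("DefaultIcon does not point at wscript.exe")
    return findings

# Constructed sample outputs, not captured from a real machine.
CLEAN = r"""
HKEY_CLASSES_ROOT\VBSFile
    (Default)    REG_SZ    VBScript Script File

HKEY_CLASSES_ROOT\VBSFile\DefaultIcon
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\WScript.exe,2
"""
TAMPERED = r"""
HKEY_CLASSES_ROOT\VBSFile
    (Default)    REG_SZ    Microsoft Word Document
    NeverShowExt    REG_SZ

HKEY_CLASSES_ROOT\VBSFile\DefaultIcon
    (Default)    REG_SZ    C:\Program Files\Microsoft Office\WINWORD.EXE,1
"""
```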



Rename MP3

Not only does it infect documents, it also tampers with the music files in your MP3 collection. Every MP3 file it finds is renamed: it adds the string "Repvblik_" to the front of the name of each MP3 file it works on.



Flash Disk

Be careful if you find files with names such as "I am So Sorry.txt.vbs", "Free SMS via GPRS.txt.vbs", "English and their corruption!.txt.vbs", "Never be touched!.txt.vbs", "U Make lofty.txt.vbs", "Thank U Ly.txt.vbs", "The Power of Midwife.txt.vbs", or "NenekSihir and her Secrets.txt.vbs" on your removable disk; these are the file names it normally uses to spread.
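The on-disk traces described in the sections above (the RPVBLK marker at the top of the script, document names with an extra .vbs extension, Repvblik.txt message files and MP3 files prefixed with "Repvblik_") can be gathered into one read-only scan. This is an added example, not part of the original article or of PCMAV; the labels are illustrative, reading True as the master copy is inferred from the article, and the demo tree consists of constructed, harmless placeholder files.

```python
import os
import re
import tempfile

# Indicators come from the article; labels and sample files are illustrative.
DOUBLE_EXT = re.compile(r"\.(doc|xls|ppt|pps|rtf|txt)\.vbs$", re.I)
MARKER = re.compile(r"RPVBLK\s*=\s*(True|False)", re.I)

def classify(path):
    """Return an indicator label for one file, or None if nothing matches."""
    low = os.path.basename(path).lower()
    if low == "repvblik.txt":
        return "message file"
    if low.endswith(".mp3") and low.startswith("repvblik_"):
        return "renamed mp3"
    if not low.endswith(".vbs"):
        return None
    with open(path, "r", encoding="latin-1") as fh:   # read only, never run
        m = MARKER.search(fh.read(4096))
    if m:
        # Per the article: False marks an infected document; True is taken
        # here to be the master copy.
        return "master copy" if m.group(1).lower() == "true" else "infected document"
    return "double extension" if DOUBLE_EXT.search(low) else None

def scan(root):
    """Walk root and map relative path -> indicator label."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label:
                hits[os.path.relpath(full, root)] = label
    return hits

def demo():
    """Scan a constructed tree of harmless placeholder files."""
    samples = {"Skripsi.doc.vbs": "RPVBLK = False\n", "Repvblik.vbs": "RPVBLK = True\n",
               "notes.txt.vbs": "' no marker\n", "backup.vbs": "' clean\n",
               "Repvblik_song.mp3": "", "Repvblik.txt": "", "report.doc": ""}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for path, label in sorted(demo().items()):
        print(f"{label:18} {path}")
```

A "double extension" hit without the marker is only a lead for manual review, since other scripts can carry such names too.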



Use PCMAV!

If your computer has been infected, or your important documents have been damaged, by the Repvblik.vbs virus, please use the latest PCMAV, which has been enhanced.
