I’m not sure why so much Indonesian virus maker using lot of this  VBS technique (maybe they know without msvbvm.dll VBS can executed on a lot target), Since I write about VBS article long long time ago (I forget maybe around year 2003-2005) in jasakom website with title “VBS sederhana yang berbahaya” many people has try to manipulate that simple code to become advanced code. Now I’m fell really stupid by share that Article to public…

How to know if you’re infected by this worm VBS/Cryf.A:

1.First time your computer turned on it will open web browser and show this pictures.

2. VBS/Cryf.A will change your web browser start page become:

3. There is folder “album bokep” (in Indonesian language this mean porn) in all folder.

4. VBS/Cryf.A will change your system properties become like this:

5. Change file type .lnk become “movie clip”

6. It will control your DVD/CD-rom by make it open and close to make you panic.

VBS/Cryf.A Master file:

VBS/Cryf.A has a master file called “drconfig.drv” with file size 218 KB, it already encrypted and little hard to read the code inside it.

On first time active it will called “svchost.vbs” then this vbs will executed this “drconfig.drv”. Then it will started created file list:

• %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
  • svchost.vbs
  • desktop.ini
  • drvconfg.drv
  • SHELL32.dll
• %Systemroot%\windows
  • appsys.exe
  • Winupdt.scx
  • appopen.scx
  • Windowsopen.mht
  • Windows.html
  • Regedit.exe.lnk
  • Help.htm
• %Systemroot%\Windows\system\svchost.exe
• %Systemroot%\WINDOWS\system32
  • Svchost.dls
  • Corelsetup.scx
  • Appsys.dls
  • Kernel32.dls
  • Taskmgr.exe.lnk
• %Systemroot%\WINDOWS\system32\
  • Winupdtsys.exe
  • ssmarque.scr
• %Systemroot%\Program Files\FarStone\qbtask.exe
• %Systemroot%\Program Files\ACDsee\Launcher.exe
• %Systemroot%\Program Files\Common Files\NeroChkup.exe
• %Systemroot%\Program Files\ExeLauncher
• %ProgramFiles%\drivers\VGA\VGAdrv.lnk
• %Systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls

This virus will make some action to keep him stay in computers target:

• Disable Task Manager
• Disable Regedit
• Disable CMD (Command Prompt)
• Disable MSConfig
• Can’t change wallpapers

It will change your screensaver like this:

Spreading Technique and Social Technique:

VBS/Cryf.A spreading using 2 technique, One of them as like in my first Article using autorun.inf files, beside that this virus maker know how to using social technique to tricky mostly people out there using porn movie that actually virus.

This virus maker try to manipulate people with his another social technique, he will try to tell people their computers infected and give the removal tools, actually don’t open that website (www.dinamikasolusi.co.nr) this virus maker maybe using some technique as I write a long time ago by insert some virus into computer target using html code.

Enough, let’s started to remove this stupid Worm VBS/Cryf.A

HOW TO REMOVE WORM VBS/Cryf.A:

1. Kill active virus process in your background memory using currprocess, then kill all process with product name “Microsoft (r) Windows Script Host“

2. Block virus so it can not run for a while when we are in cleaning progress by:

Start -> Run -> Type “SECPOL.MSC” -> Click “software restriction policies” -> Click “additional rules” -> Right click on “additional rules” and choose “New Hash Rules”

In “File Hash” Click on Browse and choose which file you want to block (WSScript.exe) on “Security level” choose Disalllowed then click OK.

3. Fix registry by using this 3rd tools, download it from HERE…

• Shell Windows = explorer.exe
• UserInit Windows
  • Windows NT/2000 = C:\WinNT\System32\userinit.exe,
  • Windows XP/2003/Vista = C:\Windows\System32\userinit.exe,

4. Deleted Virus Master files and all files he’s created. To help you deleted it in easy way I recommended to use this tools ExplorerXP, Then deleted all files list bellow:

• %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
  • svchost.vbs
  • desktop.ini
  • drvconfg.drv
  • SHELL32.dll
• %Drive%\Album BOKEP\Naughty America
• %systemroot%\windows
  • appsys.exe
  • Winupdt.scx
  • appopen.scx
  • Windowsopen.mht
  • Windows.html
  • Regedit.exe.lnk
  • Help.htm
• %systemroot%\Windows\system\svchost.exe
• %systemroot%\WINDOWS\system32
  • Taskmgr.exe.lnk
  • CMD.exe.lnk
  • Svchost.dls
  • Corelsetup.scx
  • Appsys.dls
  • Kernel32.dls
  • Winupdtsys.exe
  • ssmarque.scr
• %systemroot%\Program Files\FarStone\qbtask.exe
• %systemroot%\Program Files\ACDsee\Launcher.exe
• %systemroot%\Program Files\Common Files\NeroChkup.exe
• %systemroot%\Program Files\ExeLauncher
• %ProgramFiles%\drivers\VGA\VGAdrv.lnk
• %systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls
• %Flash Disk%\Dataku Penting Jangan Dihapus.lnk

5. Showing back your files TaskMgr.exe, Regedt32.exe, Regedit.exe, CMD.exe, and Logoff.exe that hidden by virus:

*repeated on all files you want to shown back.

6. For maximum cleaning I recommended to scan using your best antivirus programs, in my case Norman antivirus can deleted all of this virus part.

7. When all step done and no virus found, deleted blocking rules we made:

Start -> Run -> Type SECPOL.MSC -> Click “Software Restriction Policies” -> Click “Additional Rules” -> Then Deleted Rules we have made.

8. Restart your computer then re-scanned again to make sure there is no left part of worm VBS/Cryf.A, then use updated antivirus to prevent it coming back again.

Have a nice day, GBU

First before we remove this worm, to prevent it’s spreading in networks and infected many computers please follow this step.

• Install Patch from Microsoft for MS08-067, MS08-068, and MS09-001.
• Make sure Administrator password not easy to guess.
• Turn off autoplay on removable devices.

Follow this step to remove Kido

1. Download KKiller_v3.4.3.zip, extract it.

2. Run KKiller.exe program. When scan process completed you might see many command prompt in your desktop, just press any key to close it. If you want to close it automatically please use parameter “-y”

3. Wait untill scan process completed, then restart your computer and scan it again with your trusted AntiVirus.

Good Luck

Now my story…….

Last week my cousins tell me in his office he got strange virus. He said there is lot shortcut in desktop an computers running slow. How actually some newbie out there know exactly which one real programs/folders and which one shortcut? Don’t say you’re not noob! almost many people not take to much attention on this simple different, that’s why with simple social technique virus maker can win beating yourself!

LOOOOOOOOOOOOKKKKKKKK!!!!!!

To know when your computer infected by this virus there is 4 important point:

1. In your “My Documents” folder there is file named “database.mdb“.
2. There is clone folder with extension .lnk maximum 5 first folder arranged by name, rules until second sub folders.
3. There is files Autorun.inf, Thumb.db, Microsoft.lnk in each root drive and folders, rules until second sub folders. (You might not see them because it’s set hidden)
4. Your Registry Editor is disabled.

This virus master actually in “My Document” folder named “database.mdb” Wait… you will know why this is called as virus master. Actually virus will created clone for folder using “wscript.exe” execution. wscript.exe is microsoft windows based script host programs.

Virus will change your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“Explorer”=”Wscript.exe //e:VBScript \”C:\Documents and Settings\Administrator\My Documents\database.mdb\”"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“WinUpdate”=”Wscript.exe /e:VBScript \”C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\”"

I think you all know how this registry changed will affect on your computer each time it reboot no need to explain this right? Really simple social technique.

Now time for how to clean this virus manually:

1. Disabled “System Restore” in cleaning process.

2. Kill wscript.exe process from your computer background programs.

3. In cleaning process you have to rename file wscript.exe to any name  ex:blabla (temporary only in cleaning process) and don’t forget to rename it back again to wscript.exe once your computer clean.

4. Deleted file “database.mdb” from “My Documents” folder.

5. Disabled any startup process which has link with “database.mdb” you can use msconfig or hijackthis.

6. Delete file autorun.inf, microsoft.inf and thumb.db use command prompt and type “del Microsoft.inf /s” (should in root drive to deleted in all in drive) for autorun.inf  and thumb.db since this file set with attrib RSHA type “del autorun.inf /s /ah /f” (should in root drive to deleted in all in drive, change autorun.inf with thumb.db to deleted all thumb.db)

7. deleted all .lnk files with size 1kb, you can use advanced search function. Carefully when you want to deleted look on this sample:

Deleted only shortcut with size 1kb and using folder icon, this is social  virus spreading technique that mostly tricky newbie out there.

7. Repair your registry using repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

8. Scan with your best antivirus program to make sure your system clean and restarted your computer. Now see if this virus coming back or not

Good luck

This virus spreading using social technique and autorun.inf, since it using social technique this virus can spreading easy. Did you ever received message from your TRUSTED friend like this sample?

Listen to me, don’t so easy clicked any link in email or anything! even it come from trusted source. In this case social technique can make you in danger position, Think if virus collecting your financial information :p

When you download this virus it will making 2 random file in %systemroot%\Documents and Settings\%user%\Local Settings\Temp with extension .tmp and .exe then created vshost.exe with size 122kb, file will available on every drive root.

Virus will also make another files:

• %systemroot%\autorun.inf [all drive]
• %systemroot%\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
• %systemroot%\WINDOWS\system32\sysmgr.exe
• %systemroot%\WINDOWS\TEMP\5755.tmp
• %systemroot%\windows\system32\crypts.dll
• %systemroot%\windows\system32\msvcrt2.dll

It wil also change your registry to automatically started when your computers booting. Beside that, old autorun.inf technique also adopted in this virus spreading:

Virus will change your registry to allowed only 11 maximum active application, it also blocking your maximum port to only port 8000.

Automatic Update:

This virus will try to automatically update himself to this address list:

66.90.103.169:99/a.exe
66.90.103.169:6666/lsass .exe
66.90.103.169:443/crss .exe
TCP:72.249.94.146:7008 Port:27
TCP:127.0.0.1:1092 Port:30
TCP:66.90.103.169:99 Port:29
TCP:66.90.103.169:6666 Port:30
TCP:66.90.103.169:443 Port:30
Port 80 IP:83.133.127.5
Port 80 IP:68.180.151.74
Port 25 IP:127.0.0.1
Port 80 IP:65.55.21.250
TCP:83.133.127.5:443 Port:17
TCP:65.54.186.47:443 Port:17
Port 80 IP:87.248.208.54
TCP:89.149.254.14:443 Port:21
Port 80 IP:64.4.33.7
Port 80 IP:207.46.11.121
Port 80 IP:65.54.186.47
Port 80 IP:88.221.26.64
TCP:65.55.16.123:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:29
TCP:88.221.165.186:443 Port:29
TCP:83.133.127.5:443 Port:18
TCP:89.149.254.14:443 Port:2
TCP:65.55.16.123:443 Port:27
TCP:65.54.186.47:443 Port:27
TCP:92.122.112.124:443 Port:27
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:28
TCP:89.149.254.14:443 Port:21

Simple steps to cleaning Coutsonif.A:

1. Disable “System Restore” when in cleaning process.

2. Disable “autoplay/autorun” function by:

• Start -> Run -> Type “gpedit.msc” -> Computer Configuration -> Administrative Templates -> System -> look on “Turn off autoplay” -> Properties -> Setting tab -> Enabled

3. Kill active virus process in background, You can use any task manager tools such as Security Task Manager, just killed sysmgr.exe, vshost.exe, winservices.exe, *.tmp

*TMP is random.

4. Repair your registry files using code below or download repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKCU, SessionInformation, ProgramCount, 0×00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current,,,”C:\WINDOWS\media\Windows XP Pop-up Blocked.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,”C:\Windows\media\Windows XP Recycle.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,”C:\Windows\media\Windows XP Start.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.current,,,”C:\WINDOWS\media\Windows XP Information Bar.wav”

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, bMaxUserPortWindows Service help
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort

5. Deleted this file list, when it hard you can use File Assasin tools:

• \vshost.exe [all drive]
• \autorun.inf [all drive]
• \RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
• \Documents and Settings\%user%\Local Settings\Temp

A415.tmp (random)
034.exe (Random)
Lady_Eats_Her_Shit–www.youtube.com

• \WINDOWS\system32\sysmgr.exe
• \WINDOWS\TEMP\5755.tmp
• \windows\system32\crypts.dll
• \windows\system32\msvcrt2.dll

6. Re-checking your system to make sure it clean using your best antivirus or use Norman Malware Cleaner

Done, Have a good day everyone