Friday, January 22, 2010

PCMAV 2.2c Update Build3 (EvolutionMp3)


PCMAV 2.2c Update Build3 is now available, adding identification of 15 new viruses and variants. PCMAV 2.2c users are strongly recommended to update immediately, so that PCMAV can recognize and eradicate even more viruses.

EvolutionMp3. This virus is written in Visual Basic and is about 44 KB in size. Every *.mp3 file it finds is deleted and replaced with a copy of the virus. It also swaps the mouse-button configuration so that left and right clicks are exchanged: if you normally run an application by double-clicking the left mouse button, then while the virus is active you can only run it by double-clicking the right mouse button. Every time Windows starts, the virus displays the following message:

STOP PIRACY!!!!

Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!

List of viruses added in PCMAV 2.2c Update Build3:

Albim
Autoit.ES
Autoit.ES.inf
Autorunme.G
Avt-Net
Avt-Net.dll
CintaKampus
Cobax.exe
Cuakep.G
EvolutionMp3
Gambar
Gambar.bat.A
Gambar.bat.B
Geografi.B
IFunU
Istig.C
Lucu.C
Malingsi.J
Malingsi.J.dll.A
Malingsi.J.dll.B
Malingsi.J.dll.C
Malingsi.J.dll.D
Malingsi.J.dll.E
Malingsi.J.exe
Malingsi.J.ini.A
Malingsi.J.ini.B
Malingsi.J.mrc
Mobird
Mobird.inf
Msa
Mshearts.htm
Mshearts.inf
Mshearts.vbs
Random8
Serviks
Serviks.inf
Serviks.vbs
Shuriken.J
SlowButSure.vbs.G
SlowButSure.vbs.G.inf
Zhola
Zhola.inf

Download PCMAV 2.2c Update Build3 (EvolutionMp3)


Virus Analysis: Wmplayerc


Wmplayerc is a local worm that has been recognized since PCMAV 2.2a Update Build3 and is reported to be widespread in Indonesia. This post presents a more complete analysis. The damaging effect of this virus is that it deletes multimedia files whose extensions match a list stored in the body of the virus. Every multimedia file it finds is replaced with a copy of the virus file, ready to be run and to spread.

File Extension List
The multimedia file extensions that can fall victim to this virus are:
.AVI
.3GP
.MP4
.FLV
.ASF
.M4V
.MPE
.VMV
.M1V
.M2V
.VOB
.MOV
.WVX
.MKV
.MPA
.MPV
.DIV
.M2P
.3G2
.DAT
.MPEG
.DIVX
.REAL

Folder Manipulation
To hide itself and to become active again (should you manage to kill its process in memory), the virus creates copies of the folders on the root of the drive in the form of shortcuts/links, and hides the original folders with the System attribute (superhidden).

As a result, your computer looks fine at a glance; but if you look carefully in Windows Explorer, you will see that a folder on the root of the drive (e.g. Windows, Program Files) has a size of 2 KB, whereas Windows Explorer never shows a size for a real folder. To see the actual condition, configure Windows Explorer via the Tools menu - Folder Options: select "Show hidden files and folders", and uncheck the options "Hide extensions for known file types" and "Hide protected operating system files (Recommended)".

What happens when you click on one of these fake folders? The following command is run:

%WINDIR%\system32\rundll32.exe Shell32.dll,ShellExec_RunDLL “RÊCYCLÊR\ .com” “NamaFolder”

"NamaFolder" is the real folder: it does get opened, but the virus is executed first. This also shows that the parent virus file is stored under the name " .com" (without quotes) in the RÊCYCLÊR folder.
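The symptoms above (a 2 KB file carrying a folder's name next to the real folder, now hidden + system, plus a parent file under the oddly spelled RÊCYCLÊR folder) can be checked mechanically. The following Python detector is an added example, not code from the original post or from PCMAV; it runs over a constructed directory listing instead of a real drive, and the entry names, sizes and attribute letters in SAMPLE are made up to mirror the description.

```python
"""Detect Wmplayerc-style folder swaps in a directory listing (added example)."""
from dataclasses import dataclass

@dataclass
class Entry:
    path: str      # relative to the drive root, e.g. "Windows" or "RÊCYCLÊR/ .com"
    is_dir: bool
    size: int      # bytes (0 for directories)
    attrs: str     # attribute letters as shown by attrib: H=hidden, S=system

LINK_MAX_BYTES = 2048          # the fake "folders" show up as 2 KB files in Explorer

def parent_and_name(path):
    parent, _, name = path.rpartition("/")
    return parent, name

def find_folder_swaps(entries):
    """Return (fake_file, real_folder) pairs: a small non-directory file whose
    base name equals a sibling folder that carries both H and S (superhidden)."""
    dirs = {}
    for e in entries:
        if e.is_dir:
            parent, name = parent_and_name(e.path)
            dirs[(parent, name.lower())] = e
    hits = []
    for e in entries:
        if e.is_dir or e.size > LINK_MAX_BYTES:
            continue
        parent, name = parent_and_name(e.path)
        stem = name.rsplit(".", 1)[0].lower()     # "Windows.lnk" -> "windows"
        real = dirs.get((parent, stem))
        if real and {"H", "S"} <= set(real.attrs.upper()):
            hits.append((e.path, real.path))
    return hits

def find_dropper_files(entries):
    """Files placed directly under a RÊCYCLÊR folder (the Ê spelling is the
    virus's own and differs from the legitimate RECYCLER)."""
    return [e.path for e in entries
            if not e.is_dir and parent_and_name(e.path)[0].upper() == "RÊCYCLÊR"]

# Constructed listing modelled on the symptoms described in the post.
SAMPLE = [
    Entry("Windows", True, 0, "HS"),
    Entry("Windows.lnk", False, 2048, "A"),
    Entry("Program Files", True, 0, "HS"),
    Entry("Program Files.lnk", False, 2048, "A"),
    Entry("Users", True, 0, ""),                  # untouched folder, no swap
    Entry("RÊCYCLÊR", True, 0, "HS"),
    Entry("RÊCYCLÊR/ .com", False, 67584, "HS"),  # roughly the 66 KB parent file
]

if __name__ == "__main__":
    for fake, real in find_folder_swaps(SAMPLE):
        print(f"fake folder link {fake!r} shadows superhidden folder {real!r}")
    for p in find_dropper_files(SAMPLE):
        print(f"suspicious file under RÊCYCLÊR: {p!r}")
```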


Virus Dissection
This virus carries a list of URLs of local pornographic websites, so when the infected computer browses to one of these websites, the computer shuts itself down.

The virus also checks running programs by examining their window captions. Again, several words connoting pornography are banned by the virus. In addition, the strings Norman Malware Cleaner, PROCEXPL, PeiD v0.95, PeiD v0.94, and OLLYDBG are on the list of strings that cause the virus to shut down the computer.

Computers are infected through an infected flash disk, i.e. when the user clicks a fake folder on the flash disk or other storage media that is actually a link invoking the virus. Carelessness can also lead you to click a virus file disguised as a multimedia file, complete with a media player icon to trick users.


Besides creating its parent file, about 66 KB in size, in the RÊCYCLÊR folder, the virus also creates a parent file in Program Files\Windows Media Player under the name Wmplayerc.exe, or Xvidshow.exe (if the XviD codec is installed on your computer). The strings extracted by dissecting the virus body are mapped back and visualized in the following figure.

The virus body also contains the command shutdown.exe -r -f -t 00, which is most likely the command executed when the virus detects access to a pornographic website or a specific caption. The -r parameter instructs a shutdown followed by a restart, -f forces other applications to close, and -t 00 is the timeout for the shutdown process, here set to 0 seconds.

When active, the virus loads a dropper file into memory under the name svchost.exe, which monitors TCP/IP traffic so that it can detect when you open a URL on the list of pornographic websites stored by the dropper. The dropper is written in Visual Basic and is about 9 KB in size. The string "Tak gendong kemana-mana.. Enak Tau !!! Ha Ha Ha Ha" also appears in the body of this file.

Use the latest PCMAV to clean Wmplayerc completely. Note that if a file bearing the name of one of your multimedia files is detected as Wmplayerc, that file is no longer the original video file but the disguised virus (check the size and the file extension if you are still in doubt); the original video file has been deleted by the virus. If this has already happened to you, file recovery is your best option.


False Alarm ClamAV: Trojan.Rootkit-1835


A PCMAV 2.2c user reported that their computer detected "Trojan.Rootkit-1835" infecting the file atapi.sys (usually located in the folder Windows\System32\drivers). The detection came from the ClamAV engine integrated with PCMAV.

For every PCMAV release we perform strict quality control, which we keep improving over time, to make sure PCMAV works well once it is in your hands. Following this complaint we investigated and checked again. Our conclusion is that the Trojan.Rootkit-1835 detection by ClamAV on atapi.sys is a false alarm. The solution is to update to the latest ClamAV database.

The following steps update the ClamAV database manually; if you are able to update automatically you should not experience this false alarm, because your ClamAV database will already have been updated. We have received feedback from readers that these steps resolve the reported false alarm.

1. Prepare PCMAV 2.2c, which is already integrated with ClamAV 0.95.3.
2. Download the latest database (daily.cvd) from http://www.clamav.net/download/cvd/
3. Save daily.cvd in the PCMAV folder under plugins\clamav\ (overwriting the old daily.cvd).
4. With this, PCMAV 2.2c + ClamAV 0.95.3 with the latest database is ready.
5. Run PCMAV-CLN and PCMAV-RTP as usual.
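Before overwriting plugins\clamav\daily.cvd in step 3, it is worth confirming that the downloaded file really is a ClamAV database and is newer than the one already installed. The following Python check is an added example, not PCMAV's or ClamAV's own code; it reads the 512-byte CVD header (format: `ClamAV-VDB:<build date>:<version>:<signatures>:<functionality level>:<md5>:<dsig>:<builder>:<build time>`). The two database blobs built by make_cvd are constructed samples, not real daily.cvd files, and engine_flevel is a placeholder for the functionality level of the installed ClamAV engine.

```python
"""Sanity-check a downloaded daily.cvd before replacing the installed one (added example)."""

HEADER_LEN = 512   # the CVD header occupies the first 512 bytes; a tar.gz body follows

def parse_cvd_header(blob):
    """Parse the colon-separated CVD header; raise ValueError if this is not a CVD."""
    head = blob[:HEADER_LEN].decode("ascii", "replace").strip()
    fields = head.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a ClamAV CVD file")
    return {
        "date": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),   # minimum engine functionality level required
        "builder": fields[7],
    }

def should_replace(installed_blob, downloaded_blob, engine_flevel):
    """True when the download is a newer database that the installed engine can load.
    The MD5 and digital signature fields are not verified here; the engine does
    that when it loads the database."""
    old = parse_cvd_header(installed_blob)
    new = parse_cvd_header(downloaded_blob)
    if new["flevel"] > engine_flevel:
        return False            # database needs a newer engine than the one installed
    return new["version"] > old["version"]

def make_cvd(version, sigs, flevel):
    """Build a constructed CVD-like blob (header padded to 512 bytes, dummy body)."""
    head = (f"ClamAV-VDB:15 Jan 2010 10-00 +0000:{version}:{sigs}:{flevel}:"
            f"md5-placeholder:dsig-placeholder:sample-builder:1263549600")
    return head.encode("ascii").ljust(HEADER_LEN, b" ") + b"<tar.gz body omitted>"

if __name__ == "__main__":
    installed = make_cvd(10200, 600000, 44)      # constructed "old" daily.cvd
    downloaded = make_cvd(10317, 668213, 44)     # constructed "new" daily.cvd
    engine_flevel = 44                           # placeholder for the installed engine
    print(parse_cvd_header(downloaded))
    print("replace:", should_replace(installed, downloaded, engine_flevel))
```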

After running these steps, false alarms should not occur again.

Monday, January 18, 2010

PCMAV 2.2c Update Build2 (SlowButSure.vbs.G)


PCMAV 2.2c Update Build2 is now available, adding identification of 7 new viruses and variants. PCMAV 2.2c users are strongly recommended to update immediately, so that PCMAV can recognize and eradicate even more viruses.

SlowButSure.vbs.G. Written in VBScript and about 8 KB in size, its body contains the text "My name is Slow but sure V1.08". Do not be fooled by the fact that this virus actually repairs the registry: it re-enables Task Manager if it was disabled, restores the Folder Options menu in Windows Explorer if it was hidden, and repairs other registry entries commonly modified by viruses. But what is the point, when it spreads itself and produces annoying displays? One of these is changing the system properties in My Computer, as in the picture, to read:


Registered To:

amaze
I’m Not Panic, Virus anda sudah kami lumpuhkan !

List of viruses added in PCMAV 2.2c Update Build2:
Albim
Autorunme.G
Avt-Net
Avt-Net.dll
CintaKampus
Cobax.exe
Cuakep.G
Gambar
Gambar.bat.A
Gambar.bat.B
Geografi.B
Lucu.C
Mobird
Mobird.inf
Msa
Mshearts.htm
Mshearts.inf
Mshearts.vbs
Random8
Serviks
Serviks.inf
Serviks.vbs
Shuriken.J
SlowButSure.vbs.G
SlowButSure.vbs.G.inf
Zhola
Zhola.inf

Download PCMAV 2.2c Update Build2 (SlowButSure.vbs.G)


Saturday, January 9, 2010

PCMAV 2.2c Update Build1 (Zhola)


PCMAV 2.2c Update Build1 is now available, adding identification of 20 new viruses and variants. PCMAV 2.2c users are strongly recommended to update immediately, so that PCMAV can recognize and eradicate even more viruses.

Zhola. Written in Visual Basic, not packed, and about 672 KB in size, Zhola is a virus with a malicious payload. Its icon resembles that of a local software product. It searches for a variety of document and multimedia files, deletes them, and replaces each one with a copy of the virus disguised under the file's name. In its body the virus stores the following file extensions: *.doc, *.jpg, *.mp3, *.avi, *.mpeg, *.3gp, *.flv, *.mpg, *.mov, *.wmv, *.wav, *.3GP2. Any file with one of these extensions will be hunted by the virus. In addition, on the root of every drive it encounters, the virus creates files named windows.exe, Love Letter 4 Zhola.exe, and autorun.inf, as shown in the screenshots.

List of viruses added in PCMAV 2.2c Update Build1:
Albim
Avt-Net
Avt-Net.dll
CintaKampus
Cuakep.G
Gambar
Gambar.bat.A
Gambar.bat.B
Geografi.B
Msa
Mshearts.htm
Mshearts.inf
Mshearts.vbs
Random8
Serviks
Serviks.inf
Serviks.vbs
Shuriken.J
Zhola
Zhola.inf

Download PCMAV 2.2c Update Build1 (Zhola)

Thursday, January 7, 2010

PCMAV 2.2c Release


The latest edition of PC Media magazine, 02/2010, is out. Of course, it also includes Indonesia's own antivirus, which has now reached release PCMAV 2.2c. Currently, PCMAV is the only antivirus capable of recognizing 3107 viruses and variants reported to be widespread in Indonesia.
WHAT'S NEW?
a. UPDATED! Added identification and cleaning database entries for 12 new local/foreign viruses and variants reported to be spreading in Indonesia. Total: 3107 viruses and variants.
b. IMPROVED! Changed some virus names to follow newly found variants.

Get the further improved PCMAV 2.2c Valkyrie only from PC Media magazine 02/2010, which is out now. Order it soon and pick it up at your nearest newsstand or dealer.

Download PCMAV 2.2c Release

Monday, January 4, 2010

PCMAV 2.2b Update Build4 (Mshearts.vbs)


PCMAV 2.2b Update Build4 is now available, adding identification of 6 new viruses and variants. PCMAV 2.2b users are strongly recommended to update immediately, so that PCMAV can recognize and eradicate even more viruses.

Mshearts. Written in VBScript and about 32 KB in size, it attacks the root of every drive, including removable disks, up to drive letter O, copying files named mshearts.vbs and autorun.inf there. Its presence is relatively easy to recognize, because the virus places a file named M here.htm on the desktop. The message in this HTML file reads:

.vbs LOLA 666.

– Pesan Negara –

Coba lihatlah keadaan pedidikan di negeri kami..

Apakah pemerintah sudah memberikan yang terbaik..

Masih ada yang jauh di sana..

Yang tidak menerima pendidikan..

Pemerintah tidak bertanggung jawab..

Memajukan pendidikan umum..

Ini merupakan janji kalian untuk kami..
(¯`•.¸¸.»[I’M Back]«.¸¸.•´¯)
-= Sorong papua 17-06-08 =-

List of viruses added in PCMAV 2.2b Update Build4:

Albim
Autoit.ER
Avt-Net
Avt-Net.dll
Busur.C
CintaKampus
Gambar
Gambar.bat.A
Gambar.bat.B
Geografi.B
JunJun
JunJun.bmp
JunJun.inf
JunJun.ini
Kelor
Kemben_Melorot
Meme.E
Msa
Mshearts.htm
Mshearts.inf
Mshearts.vbs
Pangeran_Cinta.inf
Pangeran_Cinta.txt
Pangeran_Cinta.vbs
Random8
Serviks
Serviks.inf
Serviks.vbs

Download PCMAV 2.2b Update Build4 (Mshearts.vbs)


what is PCMAV?

PCMAV is an antivirus program developed by an Indonesian software developer (PCMedia Magazine). PCMAV is distributed bundled with PCMedia Magazine. PCMAV is free software for personal or non-commercial use. For commercial use, you need to have the PCMedia Magazine to use this software.

Distributing and using PCMAV is legal for personal and non-commercial use!

PC Media Antivirus PCMAV Download Update © 2009 PCMAV is an antivirus program developed by Indonesian Software Developer (PCMedia Magazine).