Friday, January 22, 2010

Virus Analysis Wmplayerc


Wmplayerc is a local worm that has been detected since the PCMAV 2.2a Build3 update and is reportedly widespread in Indonesia. This post presents a more complete analysis. The damaging effect of this virus is that it deletes multimedia files whose extensions match a list stored in the body of the virus. Each multimedia file it finds is replaced with a copy of the virus that is ready to run and spread.

File Extension List
Here is the list of multimedia file extensions that this virus targets:
.AVI
.3GP
.MP4
.FLV
.ASF
.M4V
.MPE
.VMV
.M1V
.M2V
.VOB
.MOV
.WVX
.MKV
.MPA
.MPV
.DIV
.M2P
.3G2
.DAT
.MPEG
.DIVX
.REAL

Folder Manipulation
In an attempt to hide itself and to reactivate (if you manage to kill its process in memory), the virus creates copies of the folders on the root of the drive in the form of shortcuts / links, and hides the original folders with the System and Hidden (superhidden) attributes.

As a result, your computer looks fine at a glance, but when examined in Windows Explorer you will see that the folders on the root of the drive (e.g. Windows, Program Files) have a size of 2 KB, whereas Windows Explorer does not display a size for real folders. To see the actual condition, configure Windows Explorer via the Tools menu - Folder Options: select "Show hidden files and folders" and uncheck the options "Hide extensions for known file types" and "Hide protected operating system files (Recommended)".

What happens when you click on one of these fake folders? The following command is run:

%WINDIR%\system32\rundll32.exe Shell32.dll,ShellExec_RunDLL “RÊCYCLÊR\ .com” “NamaFolder”

"NamaFolder" (Indonesian for "FolderName") is the real folder. The folder does open, but the virus is executed first: the command shows that the virus's main file is stored under the name " .com" (without quotes, with a leading space) in the RÊCYCLÊR folder.


Dissecting the Virus
This virus carries a list of URLs of local pornographic websites, so that when the infected computer browses to one of those sites, the computer shuts itself down.

The virus also checks the running programs by inspecting the captions of their windows. Several words connoting pornography are banned by the virus. In addition, the strings Norman Malware Cleaner, PROCEXPL, PeiD v0.95, PeiD v0.94, and OLLYDBG are in the list of strings that make the virus shut down the computer.

Computers are infected with this virus through an infected flash disk, i.e. when the user clicks on a fake folder on the flash disk or other storage media that is in fact a link to the virus. Carelessness can also lead you to click on a virus file disguised as a multimedia file, complete with a media player icon to trick users.


In addition to creating a main file of about 66 KB in the RÊCYCLÊR folder, the virus also creates its main file in Program Files\Windows Media Player under the name Wmplayerc.exe or Xvidshow.exe (if the XviD codec is installed on your computer). The strings retrieved by dissecting the body of the virus are mapped back to it and visualized in the following figure.

The body of the virus also contains the command shutdown.exe -r -f -t 00, which is most likely the command executed when the virus detects access to a pornographic website or a specific window caption. The -r parameter instructs a shutdown followed by a restart, the -f parameter forces other applications to close, and the -t 00 parameter is the timeout for the shutdown process, in this case set to 0 seconds.
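As an added defender-side example (not code from the original PCMAV write-up), the following Python triage script flags the command-line patterns described above in a list of process command lines: a folder shortcut launching its payload through rundll32 ShellExec_RunDLL, a RECYCLER look-alike folder spelled with non-ASCII characters, a payload whose file name is only " .com", and the forced immediate restart. The sample command lines and the indicator tag names are constructed for this example.

```python
import re
import unicodedata

# Constructed sample process command lines (not captured from a real host);
# the first two mirror the commands quoted in the write-up.
SAMPLE_CMDLINES = [
    r'%WINDIR%\system32\rundll32.exe Shell32.dll,ShellExec_RunDLL "RÊCYCLÊR\ .com" "Windows"',
    r'C:\Windows\system32\shutdown.exe -r -f -t 00',
    r'C:\Windows\system32\rundll32.exe Shell32.dll,ShellExec_RunDLL "C:\Program Files\Vendor\setup.exe"',
    r'C:\Windows\explorer.exe',
]
# Quoted arguments, accepting straight or typographic double quotes.
QUOTED = re.compile(r'["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]')

def fold_ascii(text):
    """Strip accents so a look-alike folder name can be compared with its ASCII spelling."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def indicators(cmdline):
    """Return the Wmplayerc-style indicators found in one process command line."""
    tags = []
    low = cmdline.lower()
    # The fake folder shortcuts launch the payload through rundll32 ShellExec_RunDLL.
    if "rundll32" in low and "shellexec_rundll" in low:
        tags.append("shellexec_rundll")
    # Walk every quoted path argument component by component.
    for arg in QUOTED.findall(cmdline):
        for comp in arg.split("\\"):
            folded = fold_ascii(comp)
            # A folder that reads RECYCLER only after accents are removed (e.g. RÊCYCLÊR).
            if folded.lower() == "recycler" and folded != comp:
                tags.append("recycler_homoglyph")
            # An executable whose name is just " .com": the dropped main file.
            stem, dot, ext = comp.rpartition(".")
            if dot and ext.lower() == "com" and stem.strip() == "":
                tags.append("blank_name_com")
    # Forced immediate restart: the worm's reaction to a blocked URL or window caption.
    if (re.search(r"\bshutdown(?:\.exe)?\b", low) and " -r" in low
            and " -f" in low and re.search(r"-t\s*0+\b", low)):
        tags.append("forced_restart_shutdown")
    return tags

def triage(cmdlines):
    """Map each command line that carries at least one indicator to its tags."""
    return {line: tags for line in cmdlines if (tags := indicators(line))}

for line, tags in triage(SAMPLE_CMDLINES).items():
    print(tags, "<-", line)
```

A rundll32 ShellExec_RunDLL launch on its own is not malicious (legitimate installers use it), so treat that tag as a reason to look at the target path rather than as a verdict by itself.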

When active, the virus loads a dropper file into memory under the name svchost.exe, which is used to monitor TCP/IP traffic so that it can detect when you open a URL included in the list of pornographic websites stored by the dropper. The dropper file is written in Visual Basic and is about 9 KB. In addition, the string "Tak gendong kemana-mana.. Enak Tau !!! Ha Ha Ha Ha" also appears in the body of this file.

Use the latest PCMAV to clean Wmplayerc completely. Note that if there are files you believe are your multimedia files, but PCMAV detects them as Wmplayerc, those files are no longer the original video files but disguised copies of the virus (check the size and the file extension if you are still in doubt), while the original video files have been deleted by the virus. If this has already happened to you, your best option is file recovery.

What is PCMAV?

PCMAV is an antivirus program developed by an Indonesian software developer (PCMedia Magazine). PCMAV is distributed bundled with PCMedia Magazine. PCMAV is free software for personal or non-commercial use. For commercial use, you need to have the PCMedia Magazine to use this software.

Distributing and using PCMAV is legal for personal and non-commercial use!

PC Media Antivirus PCMAV Download Update © 2009