Batch File Programming Tutorial 2

After learning to use the basic batch file command "echo", it is now time to combine it with the internal commands. In this tutorial we only need to enter the commands we are going to use.

Let's go straight to the tutorial.

1. In the file named Coba1.bat that we created in the earlier post on batch file commands, add the command "dir > latihan.txt" directly above the "pause" command. This command creates a new file named "latihan.txt" and fills it with the output of the "dir" command for the folder that is current at that moment, so the script in your Coba1.bat will now look like this.

Echo off
cls
Echo halo semuaa....
Dir > latihan.txt
Pause

2. Save the file under the same name and run it.

3. Look at the Command Prompt window that appears. Adding "dir > latihan.txt" has no visible effect there, because the ">" sends the output of "dir" to the file instead of the screen. Now open Windows Explorer and look in the folder where you saved Coba1.bat: a file named "latihan.txt" has appeared. Open it to see its contents: a list of file and folder names plus other information about your directory. That is the effect of adding "dir > latihan.txt".

4. Besides "dir", now add a "copy" command to copy the file "latihan.txt" to drive C.

5. Then delete "latihan.txt" from the first folder. After adding these two commands, your program listing will look like this.

Echo off
cls
Echo halo semuaa....
Dir > latihan.txt
Copy latihan.txt C:\
Del latihan.txt
Pause

6. Save the changes under the same name and run the file.

7. The Command Prompt window will show the message "1 file(s) copied", which means that one file was copied. Then check drive C for the copy of "latihan.txt", and check the folder where Coba1.bat is stored. If everything worked, "latihan.txt" will be present on drive C and will be gone from the original folder. One caveat: on Windows Vista and later a standard user is normally not allowed to create files in the root of C:\, and the batch file does not check whether the copy succeeded before deleting, so if the copy fails the "del" still runs and the listing is lost. Run the file from an elevated Command Prompt or copy to a folder you own, and test for a failed copy with "if errorlevel 1" before the "del".

With these few steps you can make a small-scale "virus" of sorts: it moves a file without anyone noticing. If it did not work, recheck the contents of Coba1.bat and follow the steps again from the top.
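The point of steps 3 and 7 is that redirection, copy and del leave nothing useful on the console, so the only way to know what a batch file did is to compare the file system before and after. The following is an added example, not code from the tutorial or its source book: it snapshots a directory tree, performs in Python exactly what Coba1.bat does (a directory listing into latihan.txt, a copy, a delete), and reports the difference. The scratch folders and the "drive_c" stand-in for C:\ are constructed so it runs anywhere.

```python
# Added example, not part of the original tutorial: take a snapshot of a
# directory tree before and after a script runs and report what changed.
# Redirection, copy and del print nothing useful to the console, so this is
# the check for "what did that batch file actually do to my files?".
# The Coba1.bat contents and the drive_c folder are constructed stand-ins.
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = digest
    return files


def diff_snapshots(before, after):
    """Files created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after)
                           if before[p] != after[p]),
    }


def run_coba1_equivalent(workdir, drive_c):
    """Do in Python what the tutorial's Coba1.bat does:
    dir > latihan.txt, copy latihan.txt C:\\, del latihan.txt.
    drive_c stands in for C:\\ so the demo works on any system."""
    listing = os.path.join(workdir, "latihan.txt")
    with open(listing, "w") as fh:
        for entry in sorted(os.listdir(workdir)):   # the 'dir' output
            fh.write(entry + "\n")
    shutil.copy(listing, os.path.join(drive_c, "latihan.txt"))
    os.remove(listing)  # the tutorial's 'del' of the original


def demo():
    """Build a scratch tree, run the equivalent of Coba1.bat, return the diff."""
    root = tempfile.mkdtemp()
    try:
        work = os.path.join(root, "work")
        drive_c = os.path.join(root, "drive_c")
        os.makedirs(work)
        os.makedirs(drive_c)
        with open(os.path.join(work, "Coba1.bat"), "w") as fh:
            fh.write("Echo off\r\ncls\r\nEcho halo semuaa....\r\n"
                     "Dir > latihan.txt\r\nCopy latihan.txt C:\\\r\n"
                     "Del latihan.txt\r\nPause\r\n")
        before = snapshot(root)
        run_coba1_equivalent(work, drive_c)
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The result lists a single created file, drive_c/latihan.txt, and nothing deleted or modified: latihan.txt was created and removed inside the run, so only its copy survives, which is exactly what step 7 asks you to verify by hand.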

I hope Batch File Programming Tutorial 2 is useful to you. Next we will cover batch files using external commands. Regards.

Source: the book Belajar Membuat Virus.

Conficker.C

We've been tracking the Conficker worm since it launched itself into the wild last November; despite the best efforts of security officials worldwide, the worm still hasn't been completely crushed. The original flavor and its nastier follow-up (Conficker.A and Conficker.B) have been locked down, but the worm's creators have a third version (Conficker.C, naturally) prepared to hit the tubes come April 1. The new "C" twist won't have all of the tools "B" used to replicate, but it will be able to detect and kill certain system processes designed to find and remove it.

Ars spoke with Don DeBolt, CA's Director of Threat Research, to get some additional information on Conficker.C, its threat profile, and why the gosh-darned thing isn't dead yet. CA (formerly Computer Associates) has published an extensive guide to Conficker.C, which includes information on its attack vectors, behavioral analysis, and how to tell if the "C" variant of Conficker is running on your system. This last part could pose a challenge—unlike previous versions, C adopts what DeBolt refers to as a "defensive stance" and throws up a number of roadblocks, all of which are aimed at hindering user detection of the worm.

The security industry was collectively able to put the brakes on Conficker.B's expansion when they managed to reverse-engineer the virus and determine which domains it would attempt to register and dial home to on particular dates. With Conficker.A and B, the worm chose to contact 32 addresses out of a possible 250 on any given attempt. With their algorithm broken, the malware authors went a step beyond updating their randomization/selection code—they also vastly increased both the number of domains the worm could generate as well as the number it will randomly select. Conficker.C will select 500 domains out of a randomized pool of 50,000 instead of the previous 32/250.

This will drive up the cost of operating the botnet (we've previously covered how vulnerable malware networks can be to changes in their cost structure) but will also significantly increase the cost of attempting to monitor and prevent botnet registrations, even once the randomizing algorithm has been broken.
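The change from 32 of 250 to 500 of 50,000 is easier to see as a number of domains a defender must register. The following is an added example, not Conficker's generator or CA's analysis: it models the bot's daily choice as a uniform draw without replacement from the pool (this example's own simplifying assumption) and asks how many domains a defender must pre-register to intercept at least one call-home with a given probability.

```python
# Added example, not Conficker's code: a model of why enlarging a DGA's daily
# candidate pool raises the defender's cost. The pool/selection sizes 250/32 and
# 50000/500 are the figures quoted above; treating the tried domains as a uniform
# draw without replacement from the pool is this example's own assumption.
from math import comb


def intercept_probability(pool, tried, registered):
    """Probability that at least one of `tried` domains drawn from `pool`
    lands on one of the `registered` (defender-controlled) domains.
    P(miss) is hypergeometric: C(pool - registered, tried) / C(pool, tried)."""
    if registered <= 0:
        return 0.0
    if registered >= pool or pool - registered < tried:
        return 1.0
    miss = comb(pool - registered, tried) / comb(pool, tried)
    return 1.0 - miss


def domains_needed(pool, tried, target):
    """Smallest number of pre-registered domains giving intercept
    probability >= target (binary search; the probability is monotone)."""
    lo, hi = 0, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if intercept_probability(pool, tried, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def compare(target=0.99):
    """Defender cost, in domains to register, for both generations of the DGA."""
    return {
        "A/B (32 of 250)": domains_needed(250, 32, target),
        "C (500 of 50000)": domains_needed(50000, 500, target),
    }


if __name__ == "__main__":
    for label, cost in compare().items():
        print(f"{label}: register {cost} domains for 99% interception")
```

Under this model the A/B scheme needs a few dozen registrations for a 99% chance of catching a bot on a given day, while the C scheme needs several hundred, and guaranteed coverage means registering the whole pool: 250 domains versus 50,000. That is the cost increase the paragraph above describes, and it holds even after the algorithm is fully reversed.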

Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and stop access to the Windows Security Center, can detect and kill Sysinternals' Process Explorer, and will interfere with the operation of a number of other search-and-destroy programs including Wireshark and SysClean.

It will also reset and delete system restore points and disable various services, including WinDefend, BITS (Background Intelligent Transfer Service), ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites. This behavior is nothing new to malware in general, but it's the first time we've seen it from our Conf(l)ickt-causing little friend.

The security industry's battle against Conficker is unlikely to be resolved this go-round (we'll probably see at least a "D" variant before this is done), but DeBolt believes the coordinated response and organized counter-attack from Team White Hat has dramatically slowed the worm's ability to infect new systems. In the meantime, Romanian researchers from BitDefender have released a tool that should remove Conficker, though it's not clear if this will clean versions A, B, and C, or just the first two.

Source: Ars Technica

Fake Windows Support Spam

This is probably the type of support one wouldn’t want to have.

Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware.

[Figure 1. Spammed messages purporting to come from Windows Support]


These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and asked to download a file, which Trend Micro detects as TROJ_DLOADER.CUT.

[Figure 2. The user is prompted to download a malicious file]


TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information.

Not many TSPY_BANKER variants have been linked to notable attacks recently, and this incident may well mark the end of that hiatus. Users are advised to ignore spammed messages and, more importantly, never to click links embedded in them.

Trend Micro users are protected from this attack by the Smart Protection Network, as the related files, spam, and URL are already detected and blocked.

Source: "Fake Windows Support Spam Brings Forth an Info-Stealer", Malware Blog, Trend Micro

Malware Info: February 2009

Two Top Twenties have been compiled from data generated by the Kaspersky Security Network (KSN) throughout February 2009.

The first Top Twenty is based on data collected by Kaspersky Lab’s version 2009 antivirus product. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.

Position
1. Virus.Win32.Sality.aa
2. Net-Worm.Win32.Kido.ih
3. Packed.Win32.Krap.b
4. Packed.Win32.Black.a
5. Trojan.Win32.Autoit.ci
6. Worm.Win32.AutoRun.dui
7. Packed.Win32.Krap.g
8. Trojan-Downloader.Win32.VB.eql
9. Packed.Win32.Klone.bj
10. Virus.Win32.Alman.b
11. Trojan-Downloader.WMA.GetCodec.c
12. Worm.Win32.Mabezat.b
13. Trojan-Downloader.JS.SWFlash.ak
14. Worm.Win32.AutoIt.ar
15. Virus.Win32.Sality.z
16. Trojan-Downloader.JS.SWFlash.aj
17. Email-Worm.Win32.Brontok.q
18. Packed.Win32.Tdss.c
19. Worm.Win32.AutoIt.i
20. Trojan-Downloader.WMA.GetCodec.u

February’s Top Twenty features a number of important changes compared to our previous rankings.

First of all, the network worm Kido, which caused an epidemic that started in January and is still going strong, has gained impressive ground. Detection routines for this worm were added to antivirus databases in mid-January, and therefore the bulk of infected files were detected in February.

Secondly, there are three interesting newcomers to the ranking: Packed.Win32.Krap.g, Packed.Win32.Klone.bj and Packed.Win32.Tdss.c. These are associated, respectively, with detections for:

* a variant of a compression utility (packer) for Magania Trojans – a very common family which steals passwords to online games.
* a certain type of obfuscation for AutoIt scripts. Notably, the functionality of the original scripts is limited only by the constraints of the script language itself.
* an entire class of programs encrypted using the new malicious packer TDSS.

The last of the three pieces of malware is interesting in that the original, unencrypted malicious programs can be of any type, including but not limited to Trojans, worms and rootkits.

Trojan-Downloader.WMA.GetCodec.r, which gained 10 positions in January, was replaced in February by a similar multimedia downloader, GetCodec.u, while last month's newcomer, Exploit.JS.Agent.aak, was superseded by two script downloaders, SWFlash.aj and SWFlash.ak, which take advantage of various Flash Player vulnerabilities.

Malware Statistics

All malicious, advertising and potentially unwanted programs in the first Top Twenty can be grouped according to the main classes of threats which we detect. There has been almost no shift in the balance between these classes since January. Statistics for the past several months show that the number of self-replicating programs has remained uniformly high.

In total, 45,396 unique malicious, advertising, and potentially unwanted programs were detected on users' computers in February. This is not significantly different from last month's figure.

The second Top Twenty shows which malicious programs most commonly infected the objects detected on users' computers. Programs capable of infecting files make up the majority of this ranking.

Position
1. Virus.Win32.Sality.aa
2. Worm.Win32.Mabezat.b
3. Net-Worm.Win32.Nimda
4. Virus.Win32.Virut.ce
5. Virus.Win32.Xorer.du
6. Virus.Win32.Sality.z
7. Virus.Win32.Alman.b
8. Virus.Win32.Parite.b
9. Trojan-Clicker.HTML.IFrame.acy
10. Trojan-Downloader.HTML.Agent.ml
11. Virus.Win32.Virut.n
12. Virus.Win32.Virut.q
13. Virus.Win32.Parite.a
14. Email-Worm.Win32.Runouce.b
15. P2P-Worm.Win32.Bacteraloh.h
16. Virus.Win32.Hidrag.a
17. Worm.Win32.Fujack.k
18. Virus.Win32.Neshta.a
19. Virus.Win32.Small.l
20. P2P-Worm.Win32.Deecee.a

The second Top Twenty includes an important newcomer – Virus.Win32.Virut.ce, a new variant of the sophisticated polymorphic virus Virut. This modification features, among other things, infection of HTML files on the user’s computer with a malicious iframe block. Such pages are detected by our antivirus product as Trojan-Clicker.HTML.IFrame.acy. In February, the number of files infected using this method was quite large. The symbiosis between Virus.Win32.Virut.ce and Trojan-Clicker.HTML.IFrame.acy has resulted in the two malicious programs ranking 4th and 9th respectively.

It should also be noted that, although the Sality family is still prominent in the ranking, no new variants of this dangerous malicious program have been detected. This, of course, is not the case with the Virut family mentioned above.

Source: www.kaspersky.com

Koobface Worm Attacks Facebook

I just received a Facebook message from a friend; it was a pretty standard one, of a kind that is beginning to look familiar to a lot of us, I am sure.

What surprised me, though, was the page that the link led to. On the face of it, it is a very familiar-looking spoofed version of YouTube, complete with bogus comments from "viewers".

Take a second look, though: the link had taken me to a site supposedly hosting a video posted by the same person I had received the Facebook message from. Not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world; in the last hour we have seen 300+ unique IP addresses hosting setup.exe, and we expect more. All IP addresses seen hosting the malicious file are now detected as HTML_KOOBFACE.BA.

Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well. It first searches for cookies created by the following sites:

* facebook.com
* hi5.com
* friendster.com
* myyearbook.com
* myspace.com
* bebo.com
* tagged.com
* netlog.com
* fubar.com
* livejournal.com

The worm connects to the respective site using the login credentials stored in the gathered cookies: a stolen session cookie lets it act as the logged-in user without ever knowing the password. It then searches for the infected user's friends and sends them messages containing a link from which a copy of the worm is downloaded. It also sends and receives information from the infected machine by connecting to several servers, which allows the attackers to execute commands on the affected machine.
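What such a cookie harvest actually picks up is easiest to see over a concrete cookie store. The following is an added example, not Koobface's code or Trend Micro's analysis: it parses a browser cookie file in the Netscape cookies.txt layout (an assumption for the example; the write-up above does not say which stores the worm read) and lists the cookies for the target sites above. The sample cookies are constructed.

```python
# Added example, not Koobface's code: list which stored browser cookies a
# cookie-harvesting worm aimed at the sites named above would collect.
# The Netscape cookies.txt layout used here, and the sample cookies, are
# constructed for this example; the write-up above does not say which
# browser stores the worm read.
TARGET_SITES = [
    "facebook.com", "hi5.com", "friendster.com", "myyearbook.com",
    "myspace.com", "bebo.com", "tagged.com", "netlog.com", "fubar.com",
    "livejournal.com",
]

# Constructed sample: domain, include-subdomains, path, secure, expiry, name, value
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    ".facebook.com\tTRUE\t/\tTRUE\t0\tsessionid\tconstructed-session-1",
    "#HttpOnly_.facebook.com\tTRUE\t/\tTRUE\t1900000000\tc_user\t1000123",
    "www.example.com\tFALSE\t/\tFALSE\t1900000000\tprefs\tdark",
    ".myspace.com\tTRUE\t/\tFALSE\t0\tMSCulture\tconstructed-value",
    "login.livejournal.com\tFALSE\t/\tTRUE\t1900000000\tljsession\tv2:u123",
    "notfacebook.com\tFALSE\t/\tFALSE\t0\tsid\tlookalike-domain",
])


def parse_cookies_txt(text):
    """Parse Netscape-format cookie lines into dicts. '#HttpOnly_' lines are
    real cookies flagged HttpOnly; any other '#' line is a comment."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain, "path": path, "name": name, "value": value,
            "secure": secure == "TRUE", "http_only": http_only,
            "session": expires == "0",      # 0 = session cookie in this format
        })
    return cookies


def domain_is_target(domain, targets=TARGET_SITES):
    """Exact or proper-subdomain match, so 'notfacebook.com' does not match."""
    host = domain.lstrip(".").lower()
    return any(host == t or host.endswith("." + t) for t in targets)


def harvestable(cookies, targets=TARGET_SITES):
    """Cookies a worm reading the cookie store would take for the target sites.
    HttpOnly and Secure do not help here: they restrict page scripts and the
    transport, not a process that reads the cookie file from disk."""
    return [c for c in cookies if domain_is_target(c["domain"], targets)]


if __name__ == "__main__":
    for c in harvestable(parse_cookies_txt(SAMPLE_COOKIES_TXT)):
        print(c["domain"], c["name"], "HttpOnly" if c["http_only"] else "")
```

Note that the HttpOnly cookie is taken along with the rest: that flag defends against cross-site scripting, not against malware running on the host, which is why a stolen cookie store has to be answered by invalidating the sessions server-side.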

Users of the Trend Micro Smart Protection Network are protected from this threat, as both URL and malicious file are blocked and detected, respectively. Other users are advised to ignore such messages, and refrain from clicking links in unsolicited messages, even out of curiosity.

Source: "Koobface Worm Spreading on Facebook", Malware Blog, Trend Micro

EAV Antivirus Suite

Your computer probably already has one of the commonly found antivirus products installed.

But are you sure that antivirus software can detect the viruses on your computer?

To be sure, you can use EAV Antivirus Suite to detect and remove viruses such as trojans, spyware, adware and macro viruses on your computer.

The software initialises a system named Guard Ghost that watches and monitors every process running in system memory, the Windows files and the open ports.

Guard Ghost works in the background, looking for worm and trojan attacks at specified times.

If a virus or trojan is detected, even one hidden inside another program, EAV Antivirus Suite shows a warning and removes it.

The software also cleans every virus component linked to the chain of files in which the virus was detected.

Website
www.your-soft.com

Batch File Commands

Batch file commands are basic commands of the Windows operating system, and you are probably already familiar with some of the basic batch commands on your computer. By learning a few batch commands you will be able to write a helper program, or a destructive one (read: a virus), that is no less impressive than VBScript.

Here I will try writing a batch command using echo. You know how to make one, right?

Now open Notepad. I suggest Notepad++, which is nicer and has fuller syntax support. Done? First, type the following command:

Echo halo semua...


The Echo command displays a message, comment, caption or other text that the author wants shown at that point in the script.

Second, save the command you typed under the name Coba1.bat.

Third, run Coba1.bat... Ta-da, there is a result, right?

Of course there is: a command prompt window appears briefly and then disappears again, right?

Confused because you could not see what was in the command prompt? OK, here is a small tip so the command prompt window does not close so quickly:

Edit the Coba1.bat file from before and add the word Pause under the "echo halo..." line, like this.


Echo halo semua...
Pause


Done? If so, save it under the same name and run it.

Same as before?

There is a small difference, though: the command prompt window does not disappear immediately. Now press any key and it goes away.

So we now know that the Pause command in a batch file stops processing temporarily and resumes after input (a key press).

Next, let's make the command prompt display look different: add the command "Echo Off" (without the quotes) like this. Echo off stops the commands that follow from being printed before they run; if you also want to hide the "Echo off" line itself, prefix it with @, as in "@echo off".


Echo off
Echo halo semua...
Pause


Remember to write it in the same Coba1.bat file. Save the edited Coba1.bat and run it... See, the display has changed and looks cleaner.

Now let's make it tidier still, simply by adding the "CLS" command, which clears the screen, to Coba1.bat like this:


Echo off
cls
Echo halo semua...
Pause


Save and run it; the command prompt display is different again, isn't it?

OK, that is enough batch file commands for now; I hope you can understand this simple use of batch files.

Next time I will try to share something more extreme (ha) by adding some internal and external DOS commands.

Hope it is useful.

Source: the book Belajar Membuat Virus Komputer.

Meta tags on malware websites

An indexing robot is a program that crawls websites, stores their content in databases and follows the links that point to other websites.

Rogue anti-malware creators usually either add no tags to the code of their websites, or add tags so that the websites are indexed by the search engines' robots. That way the sites are more accessible and the malware spreads more widely.

Lately we have found several cases that prove quite the opposite: tags are added in order to go unnoticed.

Let’s take the following URL as an example:
http://akedpics.blogspot.com

When clicking the video to view it, we are redirected to the URL http://pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirects us to http://crack-.com (*) and finally to http://fast.com/xplays.php?id=40004, from which we download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009.

[Figure: the fake video page]

(*) This URL redirects us to different malware-hosting websites at random, depending on the time.

If we look at the source code of http://fast.com/xplays.php?id=40004, we find the following tag:

1. The noindex directive tells search engines not to index the page.
2. The nofollow directive tells search engines not to follow the links in the document.
3. The noarchive directive prevents the page from being cached.

These techniques seem to be aimed at making the job of malware analysts and antivirus companies more difficult.

They also defeat proactive protection such as URL blocking, which relies on querying the search engines for specific parameters: a page that is never indexed or cached cannot be found that way.
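A practitioner who wants to spot landing pages that opt out of search engines in this way needs to read the robots meta tag rather than look for it by eye. The following is an added example, not PandaLabs' code or the real page's HTML: it extracts the directives from every meta robots tag in a page and flags the noindex + nofollow + noarchive combination described above. The sample pages are constructed.

```python
# Added example, not PandaLabs' code: pull the robots directives out of a page's
# <meta> tags and flag the combination described above (noindex + nofollow +
# noarchive), which is what a landing page uses to stay out of search engines
# and caches. The sample pages are constructed; they are not the real site's HTML.
from html.parser import HTMLParser

HIDING_DIRECTIVES = {"noindex", "nofollow", "noarchive"}


class RobotsMetaParser(HTMLParser):
    """Collect the content tokens of every <meta name="robots" ...> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").strip().lower() != "robots":
            return
        for token in attrs.get("content", "").split(","):
            token = token.strip().lower()
            if token:
                self.directives.add(token)


def robots_directives(html):
    """Set of lower-cased robots directives found in the page's meta tags."""
    parser = RobotsMetaParser()
    parser.feed(html)
    parser.close()
    return parser.directives


def hides_from_search_engines(html):
    """True when the page asks not to be indexed, followed, or cached."""
    return HIDING_DIRECTIVES <= robots_directives(html)


SAMPLE_LANDING_PAGE = """<html><head>
<meta name="robots" content="noindex, nofollow, noarchive">
<title>Watch video</title></head>
<body><p>Click Play to watch the video.</p></body></html>"""

SAMPLE_NORMAL_PAGE = """<html><head><meta name="robots" content="index, follow">
<title>Blog</title></head><body></body></html>"""

if __name__ == "__main__":
    for label, page in (("landing", SAMPLE_LANDING_PAGE), ("normal", SAMPLE_NORMAL_PAGE)):
        print(label, sorted(robots_directives(page)), hides_from_search_engines(page))
```

One caveat: the same directives can be delivered in the X-Robots-Tag HTTP response header instead of the HTML, which this parser never sees, so a complete check looks at the headers as well as the body.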

Source: PandaLabs

Tutorial Virus Maker. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com