
Virus Tutorial – Weapons that need to kill virus

Fighting a virus that makes your computer misbehave is a war, and a war needs weapons. Some experienced users who know the computer system well can kill a virus by hand, with manual steps, but what about the new user? Must they wait for an expert to kill the virus while it keeps multiplying on the computer? Worse, what if there is urgent work that must be finished quickly, while the computer restarts again and again every minute because of the virus?

The weapons used include:

  1. ShowKillProcess.exe
  2. Hijack (.exe) or a VBS script
  3. A virus fingerprint application (checksum / CRC32 value); in this article we use WAV (Wedash Anti Virus) 2005

ShowKillProcess

This application is used to stop a running process. Why must the process be stopped? Because we want to delete the virus, and a file can only be deleted once the process that runs it has been stopped. Look at the example of the Brontok virus. Brontok runs the following processes:


lsass.exe
smss.exe
eksplorasi.exe
csrss.exe
bronstab.exe
services.exe
winlogon.exe

Download showkillprocess.exe from http://www.virologi.info/download/
In the showkillprocess.exe application, the processes run by the Brontok virus have the same names as Windows system processes. The difference is in Base Priority (BP) and Num. Threads (NT). For example, the lsass.exe process belonging to the Windows system has a BP of 9 and an NT of 18, while the virus's lsass.exe has a BP of 8 and an NT of 1. The other virus processes, services.exe and csrss.exe, can be seen in Picture 3.

To stop a process, select the virus process you want to deactivate, then click the "Kill" button.

Be careful not to stop Windows processes or system components such as kernel32.dll, or any other system process. Doing so can freeze your computer (HANG).


Hijack

Hijack is a program to reactivate the registry editor that has been blocked by the virus. The sign that the virus has "frozen" regedit (the Windows Registry Editor) is a dialog box like the one in Picture 5 appearing when we try to run regedit.

With the Hijack program we can open regedit again with the following steps:

  1. Run the Hijack program so that the application window appears.
  2. Click the "Do System Scan" button to find the registry entry that is used to lock the registry.
  3. You will see the locked registry entry at the address:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

with the value "1".

  4. Tick the registry entry found by Hijack and click the "Fix Checked" button.
  5. If a dialog box appears, just click "Yes". Then try to run regedit.


VBS (Visual Basic Script)

Visual Basic Script (VBScript) is part of WSH (Windows Scripting Host). It is a scripting language that web programmers use to access Windows scripts. Since HTML programming became popular, scripting languages have sprung up to bring the functions of visual programming languages into the browser (Internet Explorer, Mozilla, etc.); one of them is VBScript (VBS). Here we will use VBS to break into the locked registry. How? Follow these steps:


  1. Open Notepad.
  2. Copy or type the code below:

' Delete the policy value that locks regedit
Dim wau
Set wau = CreateObject("WScript.Shell")
ss = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
dv2 = "REG_SZ"   ' value type; declared here but not used by RegDelete
wau.RegDelete ss & "DisableRegistryTools"

  3. Save it as delreg.vbs.
  4. Run the delreg.vbs file.
  5. Open the previously locked registry editor. Can you?

I will explain the VBS only a little here, because discussing VBS fully would take a long time and fill a book.


Dim wau

Defines wau as a variable.

Set wau = CreateObject("WScript.Shell")

Fills the wau variable with the WScript.Shell object, the Windows script shell.

ss = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"

Fills the ss variable with the registry address:

"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"

dv2 = "REG_SZ"

Fills the dv2 variable with REG_SZ, the registry string value type (this variable is not used later in the script).

wau.RegDelete ss & "DisableRegistryTools"

Deletes the value named DisableRegistryTools under the registry address held in the ss variable, which is the value that locks regedit.

How to capture a virus fingerprint is explained in the previous tutorial. Thank you.
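As an added example (not code from this tutorial nor from the ShowKillProcess or Hijack tools), the Python below applies the two checks this page describes to a constructed process list and policy value: a process with a Windows system name but a different location or a single thread, as in the lsass.exe comparison above, and the DisableRegistryTools value that delreg.vbs deletes. The System32 path, the sample paths and the single-thread rule are assumptions, not facts from the page.

```python
"""Flag processes that borrow Windows system process names.

Heuristic from the tutorial's Brontok example: the virus runs copies named
lsass.exe, csrss.exe, services.exe, etc. that live outside System32 and
have a single thread. The process records below are a constructed sample.
"""
from pathlib import PureWindowsPath

# Names Brontok reuses; genuine copies are assumed to run only from System32.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# Names from the tutorial's Brontok process list that collide with nothing.
BRONTOK_NAMES = {"eksplorasi.exe", "bronstab.exe"}
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")  # assumption

# Constructed sample; the non-System32 paths are placeholders, not real IoCs.
SAMPLE = [
    {"path": r"C:\Windows\System32\lsass.exe", "bp": 9, "threads": 18},
    {"path": r"C:\Temp\lsass.exe", "bp": 8, "threads": 1},
    {"path": r"C:\Windows\System32\services.exe", "bp": 9, "threads": 20},
    {"path": r"C:\Windows\eksplorasi.exe", "bp": 8, "threads": 1},
    {"path": r"C:\Windows\System32\notepad.exe", "bp": 8, "threads": 2},
]


def suspicious(procs):
    """Return (path, reasons) for every process that looks like a virus copy."""
    findings = []
    for p in procs:
        path = PureWindowsPath(p["path"])
        name = path.name.lower()
        reasons = []
        if name in SYSTEM_NAMES and path.parent != SYSTEM_DIR:
            reasons.append("system process name running outside System32")
        if name in SYSTEM_NAMES and p["threads"] <= 1:
            reasons.append("single thread; the real process is multi-threaded")
        if name in BRONTOK_NAMES:
            reasons.append("name listed among Brontok's processes")
        if reasons:
            findings.append((p["path"], reasons))
    return findings


def regedit_locked(policy_values):
    """True when DisableRegistryTools (the value delreg.vbs removes) is 1."""
    return str(policy_values.get("DisableRegistryTools", "0")) == "1"


if __name__ == "__main__":
    for path, reasons in suspicious(SAMPLE):
        print(path, "->", "; ".join(reasons))
    print("regedit locked:", regedit_locked({"DisableRegistryTools": "1"}))
```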
