VBS/Repulik.A virus injects MS Word and MS Excel files

Tuesday, 06 May 2008

If a virus inspired by an Ari Lasso song appeared the other day, today we want to introduce a new virus that hints at fans of the music group Repvblik and recalls the famous brand Bvlgari.

You surely still remember the Kespo (kspoold) virus, which once boomed and whose main targets were MS Office files, especially MS Word and MS Excel, along with several database programs. That virus injects files while keeping the original icon of the injected file, which is quite effective at deceiving users. Although antivirus products succeeded in "cleaning" the virus, unfortunately they could not yet restore the icon and file extension (the cleaned file still had an .exe extension and an application icon), so users assumed the file was damaged. Eventually several alternative tools appeared for splitting virus-infected files, such as Chanal Splitter (yayat_dhn), DOC/XLS Recovery (Husni), and PCMedia Antivirus, which "claims" to be the best antivirus in the world. Besides Kespo, Gultung/stubble kawung also joined in to liven up the cyber world. Its main target is to wipe the contents of the infected file and replace them with a "country test exercise", so that even though the virus is successfully cleaned, the file's contents have been replaced with other content.

Not wanting to be outdone by its predecessors, a Kespo-like virus has recently appeared that also tries to inject Office files (MS Word and Excel). Even so, this virus still counts as "good" because it only injects Office files located on flash disks.

It is actually not too difficult to detect a file infected by this virus: "just" look at the file's icon and extension. A file infected by this virus usually has a VBS icon and the extension .doc.vbs, as seen in picture 1 below.

Picture 1, VBS/Repulik.A master file

With the newest update, Norman can detect this virus under the name VBS/Repulik.A (see picture 2).

Picture 2, Norman Virus Control scan result detecting worm: VBS/Repulik.A

Features of VBS/Repulik.A

The following are several features of VBS/Repulik.A:

  • Icon VBS

  • VBS extension

  • Size 5 KB

  • File type “VBScript script file”

  • Injected exe/doc files grow by 5 KB and have the extension .doc.vbs. The injected file has a VBS icon

When this virus is active, it creates a master file that runs each time the computer boots. Unlike other local viruses, it does not create a string in the registry, so it looks less suspicious. This virus also does not block Windows functions or security software, which makes it easier to clean.

The following master file is created by VBS/Repulik.A:
  • C:\Documents and Settings\%user%\Start Menu\Programs\Startup\Repvblik.vbs

Besides creating the master file, VBS/Repulik.A also stores the injected file run by the user and the file repvblik.txt in the folder C:\Repvblik, as seen in picture 3 below:

Picture 3, files dropped by VBS/Repulik.A

Message from the virus maker (VM)

Akan muncul di akhir umatku, wanita-wanita yang berpakaian namun pada hakikatnya bertelanjang.

Diatas mereka terdapat suatu penaka punuk unta.

Mereka tidak akan memasuki surga dan tidak juga akan mencium aroma surga.

Padahal bau surga itu dapat dicium dari jarak sekian dan sekian (H.R. Muslim)

By Repvblik

If you open the file repvblik.txt in the directory C:\Repvblik, a hidden message left by the VM appears (see picture 4).

Picture 4, hidden message from the VM

Changing the flash disk volume name

VBS/Repulik.A also tries to change the flash disk volume name to repvblik (see picture 5).

Picture 5, VBS/Repulik.A changes the flash disk volume name

Injection of MS Word and MS Excel files

The main target of VBS/Repulik.A is none other than data, especially MS Word and MS Excel files, which it injects by adding the virus code to the file header. An injected file grows by 5 KB from its original size. An injected file is actually not too difficult to identify, because it always uses the VBS icon with the extension .doc.vbs. It would be a different matter if it used the MS Word or MS Excel icon with the file extension hidden, since certain users would then easily be deceived into running the file.

The good news is that this virus only targets data on removable disks (flash disks).

The following are features of files injected by VBS/Repulik.A (see picture 6):
  • Icon VBS

  • Size varies (the file size increases by 5 KB from its original size)

  • Extension .DOC.VBS

Picture 6, file injected by VBS/Repulik.A

If an injected file is run, a temporary file of 6 KB with a VBS icon is created in the same folder; see picture 7 below:

Picture 7, temporary file created by Repulik.A

Spreading via flash disk

To make spreading easier, it uses diskettes / flash disks, dropping the virus file and injecting all existing MS Word and MS Excel files. The following are several files created by VBS/Repulik.A:
  • I am So Sorry.txt.vbs

  • Indonesian and their corruption!!.txt.vbs

  • Make U lofty.txt.vbs

  • NenekSihir and her Secrets.txt.vbs

  • Never be touched!!.txt.vbs

  • SMS Gratis via GPRS.txt.vbs

  • Thank U Ly.txt.vbs
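
The indicators described above (the .doc.vbs double extension, the dropped file names, the Startup master file and the C:\Repvblik folder) can be checked with a short script. This is an added example, not part of the original article; the `.xls.vbs` suffix, the function names and the labels are assumptions, and the sample tree is constructed.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Names taken from the article's list of files dropped on flash disks.
LURE_NAMES = {n.lower() for n in (
    "I am So Sorry.txt.vbs", "Indonesian and their corruption!!.txt.vbs",
    "Make U lofty.txt.vbs", "NenekSihir and her Secrets.txt.vbs",
    "Never be touched!!.txt.vbs", "SMS Gratis via GPRS.txt.vbs",
    "Thank U Ly.txt.vbs")}
# .doc.vbs is stated in the article; .xls.vbs is assumed by analogy for Excel.
INJECTED_SUFFIXES = (".doc.vbs", ".xls.vbs")

def classify(path: Path) -> str | None:
    """Return an indicator label for one file, or None if nothing matches."""
    name = path.name.lower()
    if name in LURE_NAMES:
        return "lure"
    if name.endswith(INJECTED_SUFFIXES):
        return "injected-office"
    if name == "repvblik.vbs" and path.parent.name.lower() == "startup":
        return "startup-master"
    if name == "repvblik.txt" and path.parent.name.lower() == "repvblik":
        return "drop-folder"
    return None

def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and group matching relative paths by indicator label."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify(p)
            if label:
                hits.setdefault(label, []).append(p.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in hits.items()}

def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("report.doc.vbs", "budget.XLS.VBS", "notes.doc",
                    "Thank U Ly.txt.vbs", "Repvblik/repvblik.txt",
                    "Start Menu/Programs/Startup/Repvblik.vbs"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).touch()
        return scan(root)
```

To check a real drive, call `scan(Path("E:/"))` with the flash disk's drive letter; matching is by file name only, so a hit still needs confirmation with an antivirus scan.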

How to clean VBS/Repulik.A

  1. Deactivate “System Restore” during the cleaning process (if using Windows ME/XP).

  2. Kill the virus process, which has the file name wscript.exe. To kill this process you can use the tool CurrProcess.

  3. Delete the files created by the virus:

    • C:\Documents and Settings\%user%\Start Menu\Programs\Startup\Repvblik.vbs

    • C:\Repvblik

as well as the files dropped on the flash disk:

    • I am So Sorry.txt.vbs

    • Indonesian and their corruption!!.txt.vbs

    • Make U lofty.txt.vbs

    • NenekSihir and her Secrets.txt.vbs

    • Never be touched!!.txt.vbs

    • SMS Gratis via GPRS.txt.vbs

    • Thank U Ly.txt.vbs

  4. Change the flash disk volume name manually:

    1. Right-click the flash disk

    2. Click Rename

    3. Change the name “repvblik” to the name you want

  5. To anticipate and prevent reinfection, install and scan with an antivirus that detects this virus well.

  6. If the antivirus you have installed fails to “repair” the files injected by VBS/Repulik.A, you can use the tool “spliter vbs2doc/xls”. Please download the tool at the following address


Spliter vbs2doc/xls is a development of the Chanal Splitter YAV tool (yayat_dhn). Chanal Splitter YAV is a tool used to repair files injected by Kespo (kspoold); please download Chanal Splitter YAV at the following address: http://chanal.biz/blog/?p=17

