Tuesday, November 24, 2009

Visual Basic is a Windows-based graphical programming language; the function below can also be used to calculate a person's age from a date of birth, just by entering two parameters to be processed. Also in this post: Brontok Virus Made in VB.

Visual Basic is a Windows-based graphical programming language (GUI, Graphical User Interface). Its programming model is event-driven: code in the program runs only in response to an event from the user on a form (a button is clicked, the mouse is pressed, and so on). When an event occurs, the code associated with that event is executed. In Visual Basic, building an application starts with estimating the requirements and designing the user interface, followed by writing the code for the program. This section introduces Visual Basic programs for building Windows applications. The Visual Basic program is started like any other Windows program, by double-clicking the icon used to launch it. Below is what Visual Basic shows the first time it is run.

The following functions are used to calculate time and dates in more detail: they display the day, month and year of the process. The function can also be used to calculate a person's age from a date of birth, just by entering two parameters to be processed.

code:
Function cari_umur(TanggalAwal As Date, TanggalAkhir As Date) As String
    ' Walks forward one calendar day at a time from TanggalAwal to
    ' TanggalAkhir, counting a month each time the start date's day of
    ' the month comes round again (clamped to the last day of shorter
    ' months, so a start on the 31st still gets a February anniversary).
    ' Letting the Date type carry the calendar replaces the hand-written
    ' month-length table and the "thn Mod 4" leap-year test, which
    ' wrongly treated 1900 and 2100 as leap years.
    On Error GoTo salah
    Dim tahun As Long, bulan As Integer, Counter As Integer
    Dim hariIni As Date, akhir As Date, akhirBulan As Integer

    ' DateValue drops any time part so the comparison is on whole days.
    hariIni = DateValue(TanggalAwal)
    akhir = DateValue(TanggalAkhir)
    ' A reversed range would otherwise walk forward until the Date type overflows.
    If akhir < hariIni Then Err.Raise 13

    Do Until hariIni = akhir
        hariIni = hariIni + 1                        ' Date + 1 is the next calendar day
        ' Day 0 of the following month is the last day of this month.
        akhirBulan = Day(DateSerial(Year(hariIni), Month(hariIni) + 1, 0))

        If Day(hariIni) = Day(TanggalAwal) Or _
           (Day(TanggalAwal) > akhirBulan And Day(hariIni) = akhirBulan) Then
            bulan = bulan + 1                        ' number of months
            Counter = 0                              ' number of days
            If bulan = 12 Then
                bulan = 0
                tahun = tahun + 1                    ' number of years
            End If
        Else
            Counter = Counter + 1
        End If
    Loop

    cari_umur = Counter & " hari " & bulan & " bulan " & tahun & " tahun"
    Exit Function
salah:
    If Err.Number = 13 Then
        MsgBox "format tanggal salah"                ' "wrong date format"
    End If
End Function

Private Sub Command3_Click()
    ' Start date - up to end date. CDate parses the text boxes using the
    ' system locale, so check the entries first instead of letting CDate
    ' raise error 13 here, outside cari_umur's handler.
    If Not IsDate(Text1.Text) Or Not IsDate(Text2.Text) Then
        MsgBox "format tanggal salah"
        Exit Sub
    End If
    MsgBox cari_umur(CDate(Text1.Text), CDate(Text2.Text))
End Sub
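As an added example (not code from the original post), the same walk-a-day-at-a-time age calculation in Python, where the standard library's `calendar` and `datetime` modules supply month lengths and the full Gregorian leap-year rule. The function and helper names are this example's own. It goes a little beyond the VB function: the monthly anniversary is clamped to the last day of short months (a start on the 31st still gets a February anniversary), and `vb_mod4_is_leap` reproduces the "divisible by 4" test the VB code relies on so its misjudgement of 1900 can be seen side by side with `calendar.isleap`.

```python
import calendar
from datetime import date, timedelta
from typing import Tuple


def vb_mod4_is_leap(year: int) -> bool:
    """The leap-year test the VB6 function uses: divisible by 4 only.

    It says 1900 and 2100 are leap years; calendar.isleap says they are not.
    """
    return year % 4 == 0


def is_month_anniversary(day: date, start: date) -> bool:
    """True when `day` is a monthly anniversary of `start`.

    The anniversary is the same day of the month; when the month is too
    short (start on the 31st, current month February) it is clamped to
    the month's last day.
    """
    last_day = calendar.monthrange(day.year, day.month)[1]
    return day.day == start.day or (start.day > last_day and day.day == last_day)


def age_span(start: date, end: date) -> Tuple[int, int, int]:
    """Return (years, months, days) from `start` to `end`.

    Walks forward one calendar day at a time, as cari_umur does: every
    monthly anniversary adds a month and resets the day counter, every
    twelfth month rolls into a year, any other day adds a day.
    """
    if end < start:
        raise ValueError("end date precedes start date")
    years = months = days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if is_month_anniversary(current, start):
            months += 1
            days = 0
            if months == 12:
                months = 0
                years += 1
        else:
            days += 1
    return years, months, days


def age_tuple(start_iso: str, end_iso: str) -> Tuple[int, int, int]:
    """age_span on two ISO-8601 date strings (YYYY-MM-DD)."""
    return age_span(date.fromisoformat(start_iso), date.fromisoformat(end_iso))


def umur(start_iso: str, end_iso: str) -> str:
    """Same output format as cari_umur, from two ISO-8601 date strings."""
    years, months, days = age_tuple(start_iso, end_iso)
    return f"{days} hari {months} bulan {years} tahun"


if __name__ == "__main__":
    # Constructed sample input: a birth date and the date of this post.
    print(umur("1990-05-17", "2009-11-24"))        # 7 hari 6 bulan 19 tahun
    # 1900 passes the "Mod 4" test but is not a Gregorian leap year.
    print(vb_mod4_is_leap(1900), calendar.isleap(1900))
```

The day-by-day walk is kept deliberately so the result matches the VB function's convention; for large spans a direct month-arithmetic approach would be faster, but the walk makes the anniversary rule explicit and easy to audit.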




Brontok Virus Made in VB
This time the author will try to discuss a little about the "eagle" virus (Brontok), made by a local programmer in Visual Basic and compiled with version 6.0 ....


By now you may have heard the name of the Brontok virus? ...... Yes, that's right: it duplicates itself and names the new copies after folders or files in the active Explorer window. A characteristic of this virus is that it uses the folder icon, so as to deceive anyone who sees it.


Form -> BrontokForm
Module -> API

With the following details:

Begin VB.Form BrontokForm
Caption = "Brontok.A"
ForeColor = &H8000000F&
ScaleMode = 1
BeginProperty Font
Name = ""
Size = 195323.4944
Charset = 29
Weight = 774
EndProperty

Begin VB.Timer TmrBrontok
Enabled = 0 'False
Interval = 2000
Left = 2160
Top = 0
Width = 57352
Height = 1
End
End


With the project name Brontok.vbp, saved in the directory:
F:\VPROJECT\REHAB\Re-1\BRONTOK.A

It is quite clear that this virus was made by a local programmer with intermediate-to-advanced skill.

Several procedures and functions are used, with these names:

Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
TmrBrontok_Timer()
Subr_004()
CekKoneksiInternet()
ManipulasiExec()
Subr_007()
KeluarDong()
BronReg()
CopyAppData()
DownloadVir()
StartDong()
StartUp()
DecTeks()
MutMutex()
MutCr()
DownloadFile()
CekUpdate()
InfekNetwork()
Judul()
CekRemDisk()
BikinFile()
GetEmailFile()
CekValidMail()
GetTeks()
CekKar()
ListMail()
GetTargetMBhs()
GavMailer()
BrontokMail()
Subr_031()
DataEmail()
DownMIME()
FindFilesAPI()
ListFileGav()
InfekFile()
SmallAttack()
MinggirLoe()
GetHostByNameAlias()
StripNulls()
BikinKredit()

And several API functions are used, among others:

Registry read/write functions:
Declare Function RegOpenKeyExA Lib "advapi32.dll" ()
Declare Function RegSetValueExA Lib "advapi32.dll" ()
Declare Function RegCloseKey Lib "advapi32.dll" ()
Declare Function RegCreateKeyExA Lib "advapi32.dll" ()

Declare Function Sleep Lib "kernel32" ()

Get special folders:
Declare Function SHGetPathFromIDList Lib "shell32.dll" ()
Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" ()

Read the contents of a web page:
Declare Function InternetOpenA Lib "wininet.dll" ()
Declare Function InternetOpenUrlA Lib "wininet.dll" ()
Declare Function InternetReadFile Lib "wininet.dll" ()
Declare Function InternetCloseHandle Lib "wininet.dll" ()

Get the caption of a window:
Declare Function GetWindowTextA Lib "user32" ()
Declare Function GetWindowTextLengthA Lib "user32" ()

Get the HWND of the active window:
Declare Function GetForegroundWindow Lib "user32" ()

Shutdown, reboot, log off Windows:
Declare Function ExitWindowsEx Lib "user32" ()
Declare Function GetCurrentProcess Lib "kernel32" ()
Declare Function OpenProcessToken Lib "advapi32" ()
Declare Function LookupPrivilegeValueA Lib "advapi32" ()
Declare Function AdjustTokenPrivileges Lib "advapi32" ()

Get the type of media present, such as removable disk, CD-ROM, etc.:
Declare Function GetDriveTypeA Lib "kernel32" ()

Declare Function ShellExecuteA Lib "shell32.dll" ()
Declare Function RtlMoveMemory Lib "kernel32" ()

Winsock API:
Declare Function closesocket Lib "wsock32.dll" ()
Declare Function connect Lib "wsock32.dll" ()
Declare Function htons Lib "wsock32.dll" ()
Declare Function inet_addr Lib "wsock32.dll" ()
Declare Function recv Lib "wsock32.dll" ()
Declare Function send Lib "wsock32.dll" ()
Declare Function socket Lib "wsock32.dll" ()
Declare Function gethostbyname Lib "wsock32.dll" ()
Declare Function WSAStartup Lib "wsock32.dll" ()
Declare Function WSACleanup Lib "wsock32.dll" ()
Declare Function WSAAsyncSelect Lib "wsock32.dll" ()

File-related functions:
Declare Function FindFirstFileA Lib "kernel32" ()
Declare Function FindNextFileA Lib "kernel32" ()
Declare Function GetFileAttributesA Lib "kernel32" ()
Declare Function FindClose Lib "kernel32" ()
etc.

It is clear from the API functions used that this Brontok virus spreads in several ways: sending itself by email, searching for the names of computers connected to the network and copying itself into shared folders, and copying itself into the active Explorer window. If I'm not mistaken, the virus author has his own SMTP (careful, mate, you'll get caught later).

Looking again at its structure, there are several strings that are encrypted, possibly exploit code or whatever it may be called; only God and the virus author know.

This virus has the function ExitWindowsEx, imported from user32.dll; this function is normally used to shut down Windows.
It looks like the virus author made a trigger that contains a command to shut down or restart the computer.

Besides that, the file structure contains strings like these:
FOLDER.HTT
RORO
.HTT
.DOC
.CSV
.EML
.CFM
.PHP
.WAB
.EML
.TXT
.HTML
.HTM
MY DATA SOURCES
MY EBOOKS
MY MUSIC
MY SHAPES
MY VIDEOS
MY DOCUMENT

And there are several website addresses that are attacked; maybe a DDoS... hik..hik.. who knows. Besides that, the virus author included the name: --JowoBot#VM Community --
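As an added, defender-side example (not code from the post and not the virus's own code), the kind of first-pass triage an analyst would run over an import list and a strings dump like the ones quoted above: each imported API and extracted string is mapped to a behaviour category, and combinations of categories that together suggest a capability (token privilege adjustment plus ExitWindowsEx, active-window caption plus file search) are flagged. The category and combination labels are this example's own; the sample input is constructed from the post's declaration list and strings, as a PE parser such as pefile and a strings dump would hand them over, and is embedded so the script runs offline.

```python
from typing import Dict, Iterable, List, Set

# Imported-API groups, keyed by a behaviour label of this example's own choosing.
# The API names are the ones quoted in the post's declaration list.
API_CATEGORIES: Dict[str, Set[str]] = {
    "registry write": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA", "RegCloseKey"},
    "special folder lookup": {"SHGetSpecialFolderLocation", "SHGetPathFromIDList"},
    "http fetch": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle"},
    "active window caption": {"GetForegroundWindow", "GetWindowTextA", "GetWindowTextLengthA"},
    "shutdown": {"ExitWindowsEx"},
    "privilege adjust": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "drive type": {"GetDriveTypeA"},
    "raw socket": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"},
    "file search": {"FindFirstFileA", "FindNextFileA", "GetFileAttributesA", "FindClose"},
    "launch": {"ShellExecuteA"},
}

# String groups (extensions and folder names the post lists from the binary).
STRING_CATEGORIES: Dict[str, Set[str]] = {
    "address book / mail files": {".WAB", ".EML"},
    "folder customisation": {"FOLDER.HTT", ".HTT"},
    "user document folders": {"MY DOCUMENT", "MY MUSIC", "MY VIDEOS", "MY EBOOKS",
                              "MY SHAPES", "MY DATA SOURCES"},
}

# Combinations whose co-occurrence says more than any single import does.
COMBINATIONS: Dict[str, Set[str]] = {
    "forced shutdown/reboot": {"privilege adjust", "shutdown"},
    "copy into folder shown by active Explorer window": {"active window caption", "file search"},
    "download and run updates": {"http fetch", "launch"},
    "harvest addresses and send mail directly": {"file search", "address book / mail files", "raw socket"},
    "scan removable media": {"drive type", "file search"},
    "persist via registry into user folders": {"registry write", "special folder lookup"},
}


def categorise(imports: Iterable[str], strings: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each behaviour category to the imports/strings that triggered it."""
    seen_imports = set(imports)
    seen_strings = {s.upper() for s in strings}   # strings dumps are case-mixed
    hits: Dict[str, Set[str]] = {}
    for category, names in API_CATEGORIES.items():
        found = names & seen_imports
        if found:
            hits[category] = found
    for category, names in STRING_CATEGORIES.items():
        found = names & seen_strings
        if found:
            hits[category] = found
    return hits


def flag_combinations(hits: Dict[str, Set[str]]) -> List[str]:
    """Return the labels of every combination whose categories were all hit."""
    present = set(hits)
    return [label for label, needed in COMBINATIONS.items() if needed <= present]


def triage(imports: Iterable[str], strings: Iterable[str]) -> Dict[str, List[str]]:
    """One-shot summary: sorted categories hit and flagged combinations."""
    hits = categorise(imports, strings)
    return {"categories": sorted(hits), "flags": flag_combinations(hits)}


# Constructed sample: the imports and strings the post quotes.
SAMPLE_IMPORTS = [
    "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey", "RegCreateKeyExA", "Sleep",
    "SHGetPathFromIDList", "SHGetSpecialFolderLocation",
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle",
    "GetWindowTextA", "GetWindowTextLengthA", "GetForegroundWindow",
    "ExitWindowsEx", "GetCurrentProcess", "OpenProcessToken",
    "LookupPrivilegeValueA", "AdjustTokenPrivileges", "GetDriveTypeA",
    "ShellExecuteA", "RtlMoveMemory", "closesocket", "connect", "htons",
    "inet_addr", "recv", "send", "socket", "gethostbyname", "WSAStartup",
    "WSACleanup", "WSAAsyncSelect", "FindFirstFileA", "FindNextFileA",
    "GetFileAttributesA", "FindClose",
]
SAMPLE_STRINGS = ["FOLDER.HTT", "RORO", ".HTT", ".DOC", ".CSV", ".EML", ".CFM",
                  ".PHP", ".WAB", ".TXT", ".HTML", ".HTM", "MY DATA SOURCES",
                  "MY EBOOKS", "MY MUSIC", "MY SHAPES", "MY VIDEOS", "MY DOCUMENT"]

if __name__ == "__main__":
    for label in triage(SAMPLE_IMPORTS, SAMPLE_STRINGS)["flags"]:
        print("flag:", label)
```

The point of the combination table is that none of these imports is suspicious on its own (every installer writes the registry, every updater uses wininet); it is the pairing of privilege adjustment with ExitWindowsEx, or of foreground-window caption reading with file enumeration, that matches the behaviour described in the post and is worth a human look.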

Next, look at the following three API functions:

Declare Function GetWindowTextA Lib "user32" ()
Declare Function GetWindowTextLengthA Lib "user32" ()
Declare Function GetForegroundWindow Lib "user32" ()

It seems the virus author uses Windows Explorer to multiply its files into other folders, by reading the caption of the active window, which contains the directory name/path, using the two functions above (GetWindowTextA and GetWindowTextLengthA), while GetForegroundWindow is used to get the handle (HWND) of the currently active window.

So, in conclusion, this virus cannot copy itself if the caption of the Explorer window is not a directory/path. That is why the virus author disables the setting in Folder Options.

What is even more unusual, this virus reads the contents of a web page open in Internet Explorer using the functions:

Declare Function InternetOpenA Lib "wininet.dll" ()
Declare Function InternetOpenUrlA Lib "wininet.dll" ()
Declare Function InternetReadFile Lib "wininet.dll" ()
Declare Function InternetCloseHandle Lib "wininet.dll" ()
