![\"folder](\"http:\/\/sybond.files.wordpress.com\/2008\/06\/infected.gif\")
<\/p>\n
Autorun.inf<\/strong> ini berisi:<\/p>\n [autorun] Sedangkan Setup.pif<\/strong> adalah executable dari worm itu sendiri yang sudah di rename, sehingga menjadi seolah-olah shortcut program MS-DOS.<\/p>\n Langkah-langkah melucuti: <\/strong>*halah bahasanya<\/em> \ud83d\ude1b <\/p>\n Setelah dilucuti, gue jadi pengen tau si worm ini. Kalo gue liat sekilas file executable<\/em>nya dipack dengan menggunakan sebuah tools bernama Upack. Kok tau? iya keliatan kalo pake hex editor, ada sebuah tanda: 00000000 4D 5A 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 MZKERNEL32.DLL Setalah googling akhirnya diketahui memang ada tools PE\/EXE compressor dengan nama Upack. Blom sempet nyari apa ada tools buat balikin code asli setelah di pack (rajin bener nyari ginian \ud83d\ude1b ).<\/p>\n Yaudahlah yang penting PC kantor udah bersih sekarang, mungkin lain kali dicoba membedah worm ini lebih dalam. Mudah-mudahan berguna.<\/p>\n","protected":false},"excerpt":{"rendered":" Udah dari satu bulan yang lalu PC gue di kantor dicurigai terjangkit varian baru dari sebuah worm (varian Win32 \/ TrojanDownloader .Delf. AZM klo si NOD32 bilang). Anehnya si antivirus dikantor yaitu Norton gak mendeteksi sesuatu yang ganjil. Norton udah tua kayaknya ;)) Karena di laptop gue pake NOD32 dan ternyata si worm tadi terdeteksi, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts\/70"}],"collection":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/comments?post=70"}],"version-history":[{"count":0,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts\/70\/revisions"}],"wp:attachment":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/media?parent=70"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/categories?post=70"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/tags?post=70"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n shellexecute=Setup.pif<\/font><\/p>\n\n
![\"TaskMan\"](\"http:\/\/sybond.files.wordpress.com\/2008\/06\/taskmansuspect.gif\")
<\/div>\n<\/li>\n
\n ![\"ServiceName\"](\"http:\/\/sybond.files.wordpress.com\/2008\/06\/servicename.gif\")
\n <\/div>\n<\/li>\n mungkin juga sebuah anagram.<\/s><\/p>\n
\n 00000016 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 LoadLibraryA
\n 00000032 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 GetProcAddress
\n 00000048 55 70 61 63 6B 42 79 44 77 69 6E 67 40 00 00 00 UpackByDwing<\/font><\/strong>@
\n 00000064 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 PE L
\n 00000080 00 00 00 00 E0 00 8E 81 0B 01 00 36 00 32 00 00 à Ž 6 2
\n 00000096 00 12 00 00 00 00 00 00 6B ED 00 00 00 10 00 00 kí <\/font><\/p>\n