MsKunti.vbs. On hearing or reading the name "Kunti", what many people imagine is clear at first glance. The malware discussed this time is a different matter, however. Although it is not the sinister figure generally known to people, no user would want this malware on their computer.
Time and again, messages have been a main feature of Indonesian malware. After the VBScript malware discussed in http://virusindonesia.com/2010/09/03/satu-pesan-cinta-ribuan-shortcut/, a type that inserts a message in the system32 folder, another malware of a similar type has now appeared.
Name: MsKunti.vbs
Origin: Indonesia
File Size: 19.6 KB
Programming: Visual Basic Scripting
Icon: VBS
Type: Worm
What is interesting about this malware is that several of the things that reveal an infection are always shaped like a message or an ancient incantation. Examples include:
Autorun.inf
The Autorun.inf created by MsKunti.vbs adds several menu entries, as shown in the picture above. It also changes the icon of a flash disk or hard disk already infected with this worm to the Empty Recycle Bin icon. Malware usually changes the flash disk icon into a folder icon, as Conficker, Recycler and even VB-Shortcut do. In addition, some of the main menu entries such as Open, Explore, Search and Properties are used as commands that run MsKunti.vbs.
Kala_Malam.ini
Like a poem, this file opens automatically after the user logs in to Windows, because the file already exists at:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kala_Malam.ini
Di_malam_bulan_purnama.txt
This file is located on the Desktop. Its contents read like an ancient spell, and at the top the malware author has written the message:
In reading until 'he' comes yes ....
LingsirWengi.html
A message from the maker of MsKunti.vbs also exists on the desktop under the name LingsirWengi.html.
Besides creating these messages, the worm also disables some Windows functions. Examples include:
Folder Options
Search
Turn off
File Associate
Hidden File Extension
Task Manager
Disables files with names such as:
cmd.exe
install.exe
msconfig.exe
regedit.exe
Regedt32.exe
RegistryEditor.exe
setup.exe
PCMAV.exe
In addition, this worm disables the Install, Open and Edit commands for files with the extensions (.inf), (.reg) and (.vbs).
Creates startup entries in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\JalanBuntu
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Devils
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Devil
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lelembut
Changes the home page to "C:\Documents and Settings\All Users\Desktop\LingsirWengi.html", and the default name of Internet Explorer becomes "Do not make me hurt please ...".
Adds the name MsKunti to the My Computer Properties and deletes the Organization name.
Adds a message to the Legal Notice shown before the logon screen, with contents such as below:
This worm can already be disabled by PCMAV, and the worm can be seen to be active in memory.
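The startup entries listed above can be checked in a text export of the Run key. The following is an added example, not code from the original article: it assumes the four names are values under the Run key, and the function name, the sample export and its placeholder paths are constructed for illustration. It also goes one step beyond the article by flagging any Run value that launches a script.

```python
import re

# Indicators copied from the write-up above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"jalanbuntu", "devils", "devil", "lelembut"}
DROPPED = ("mskunti.vbs", "kala_malam.ini", "di_malam_bulan_purnama.txt",
           "lingsirwengi.html")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_run_export(reg_text):
    """Return [(value_name, data, reasons)] for suspicious HKLM Run values."""
    hits, in_run = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # track the current key
            continue
        m = VALUE_RE.match(line)
        if not in_run or not m:
            continue
        # .reg files escape backslashes and quotes with a leading backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        reasons = []
        if name.lower() in RUN_VALUES:
            reasons.append("value name listed in write-up")
        if any(f in data.lower() for f in DROPPED):
            reasons.append("references dropped file")
        # Generalization: any script started from Run deserves a look.
        if re.search(r"\.vbs\b|\b[wc]script(\.exe)?\b", data, re.I):
            reasons.append("launches a script")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export; the paths are placeholders, not from the write-up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Devils"="wscript.exe \"C:\\placeholder\\MsKunti.vbs\""
"lelembut"="C:\\placeholder\\unknown.exe"
"Updater"="wscript.exe C:\\placeholder\\other.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Devil"="outside the Run key, so not reported"
'''
if __name__ == "__main__":
    for name, data, reasons in scan_run_export(SAMPLE):
        print(f"{name}: {data} -> {', '.join(reasons)}")
```

A file written by `reg export` is UTF-16, so decode it with `encoding="utf-16"` before passing the text to `scan_run_export`.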