Actually one of the users, Lik_Pusi, already explained the dangers of messing with cracked software,
but I feel it's my duty to make this clearer.
If something like this exists in an antivirus crack, it's surely in some cracked game too.
IT'S NOT JUST ANTIVIRUS! It could be in any other crack.
Short explanation, no need to open the spoilers one by one. Just open the fifth one --->
http://www.securelist.com/en/descrip...n32.Agent.dvyh
I don't really understand it all that clearly,
I only know this:
cracker/***** dealer ---> spreads his ***** ---> he gets to collect CD keys/registry keys/serial numbers
then he sells/barters the stolen serial numbers with fellow thieves on underground websites
at cut-rate prices or even for free (like your SC1 CD key); we can buy stolen serial numbers
Spoiler for HUGE SPOILER:
Technical Details
This Trojan installs and launches other programs on the infected computer without the user's knowledge. It is a Windows .Net application (PE EXE file). It is 3 889 352 bytes in size.
Payload
Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:
%Temp%\KasKeygenRevised.exe
This file is 479 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.VB.aaen.
%Temp%\1234.exe
This file is 2 196 545 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.dvyg.
The Trojan then launches the extracted files for execution and ceases running. The file "KasKeygenRevised.exe", which is detected as Trojan.Win32.VB.aaen, imitates key generation for Kaspersky Lab products such as: Kaspersky Anti-Virus 2010, Kaspersky Internet Security 2010, Kaspersky Simple Scan 2010. The program's main windows look like this:
[image is in the link]
Spoiler for 1:
The file "1234.exe", which is detected as Trojan-Dropper.Win32.Agent.dvyg, has the following payload:
Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:
%Temp%\instant.exe
This file is 1 116 397 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.MSIL.Agent.aor.
%Temp%\server.exe
This file is 289 792 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Llac.gfu.
The Trojan then launches the extracted files for execution and ceases running. The file "instant.exe", which is detected as Trojan.MSIL.Agent.aor, has the following payload:
The Trojan executes a functionality that prevents the demonstration of its payload when launched in the following virtual environments:
VMWare
VirtualPC
VirtualBox
Sandboxie
This Trojan program is designed to steal user registration information for the following software products:
Splinter Cell Pandora Tomorrow
Splinter Cell Chaos Theory
Call of Duty
Call of Duty United Offensive
Call of Duty 2
Call of Duty 4
COD4 Steam Version
Call of Duty WAW
Dawn of War
Dawn of War - Dark Crusade
Medieval II Total War
Adobe Goolive
Nero 7
ACDSystems PicAView
Act of War
Adobe Photoshop 7
Advanced PDF Password Recovery
Advanced PDF Password Recovery Pro
Advanced ZIP Password Recovery
Anno 1701
Ashamopp WinOptimizer Platinum
AV Voice Changer
Battlefield(1942)
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Battlefield 2
Battlefield(2142)
Battlefield Vietnam
Black and White
Black and White 2
Boulder Dash Rocks
Burnout Paradise
Camtasia Studio 4
Chrome
Codec Tweak Tool
Command and Conquer Generals
Command and Conquer Generals Zero Hour
Red Alert 2
Red Alert
Command and Conquer Tiberian Sun
Command and Conquer 3
Company of Heroes
Counter-Strike
Crysis
PowerDVD
PowerBar
CyberLink PowerProducer
Day of Defeat
The Battle for Middle-earth II
The Sims 2
The Sims 2 University
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 Seasons
The Sims 2 Glamour Life Stuff
The Sims 2 Celebration Stuff
The Sims 2 H M Fashion Stuff
The Sims 2 Family Fun Stuff
DVD Audio Extractor
Empire Earth II
F.E.A.R
F-Secure
FARCRY
FARCRY 2
FIFA 2002
FIFA 2003
FIFA 2004
FIFA 2005
FIFA 07
FIFA 08
Freedom Force
Frontlines Fuel of War Beta
Frontlines Fuel of War
GetRight
Global Operations
Gunman
Half-Life
Hellgate London
Hidden & Dangerous 2
IGI 2 Retail
InCD Serial
IG2
iPod Converter (Registration Code)
iPod Converter (User Name)
James Bond 007 Nightfire
Status Legends of Might and Magic
Macromedia Flash 7
Macromedia Fireworks 7
Macromedia Dreamweaver 7
Madden NFL 07
Matrix Screensave
Medal of Honor Airborne
Medal of Honor Allied Assault
Medal of Honor Allied Assault Breakthrough
Medal of Honor Heroes 2
mIRC
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NBA LIVE 2003
NBA LIVE 2004
NBA LIVE 07
NBA Live 08
Need for Speed Carbon
Need For Speed Hot Pursuit 2
Need for Speed Most Wanted
Need for Speed ProStreet
Need For Speed Underground
Need For Speed Underground 2
Nero - Burning Rom
Nero 7
Nero 8
NHL 2002
NHL 2003
NHL 2004
NHL 2005
NOX
Numega SmartCheck
OnlineTVPlayer
O&O Defrag 8.0
Partition Magic 8.0
Passware Encryption Analyzer
Passware Windows Key
PowerDvD
PowerStrip
Pro Evolution Soccer 2008
Rainbow Six III RavenShield
Shogun Total War Warlord Edition
Sid(Meier) 's Pirates!
Sid(Meier) 's Pirates!
Sim City 4 Deluxe
Sim City 4
Sniffer Pro 4.5
Soldiers Of Anarchy
Soldiers Of Anarchy
Stalker - Shadow of Chernobyl
Star Wars Battlefront II (v1.0)
Star Wars Battlefront II (v1.1)
Steganos Internet Anonym VPN
Splinter Cell Pandora Tomorrow
Surpreme Commander
S.W.A.T 2
S.W.A.T 3
S.W.A.T 4
TechSmith SnagIt
Texas Calculatem 4
The Battle for Middle-earth
The Orange Box
The Orange Box
TMPGEnc DVD Author
TuneUp 2007
TuneUp 2008
TuneUp 2009
Winamp
The Sims 3
Spore
Mirrors Edge
GTA IV
FIFA 2009
Pro Evolution Soccer 2009
FIFA 2008
Nero 9
Mirc
Orange Box
This is the game info that gets stolen; worst case = if you own the originals
Spoiler for 2:
In this case, the registration information consists of the values of the parameters named:
Name
Serial
Registration Code
User Name
Username
Company
License
Owner
Key
Serial Key
These are the items that will be stolen, all the valuable info
Spoiler for 3:
The collected data is saved to the following file:
%Temp%\TMP.dat
and sent to the malicious user's email address on the "@gmail.com" server. To determine the infected computer's IP address, the Trojan accesses the following service:
www.whatismyip.com
During its operations, the Trojan extracts from its body the following files:
%WorkDir%\System.Data.SQLite.DLL (886 272 bytes)
%Temp%\melt.tmp (6 bytes)
The file "System.Data.SQLite.DLL" is an ADO.NET provider assembly for working with SQLite. The following string is entered into the file "melt.tmp":
melt
The Trojan modifies the file:
%System%\drivers\etc\hosts
entering the following strings into it:
##Do not touch this file, changing it will cause SERIOUS damage to
your computer
127.0.0.1 www.rsbot.org/vb/
127.0.0.1 rsbot.org/vb/
127.0.0.1 85.25.184.47
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.org
127.0.0.1 www.rsbot.org
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.rsbots.net
127.0.0.1 rsbots.net
127.0.0.1 www.RSbots.net
127.0.0.1 www.AutoFighter.org
127.0.0.1 www.RSBotting.com
127.0.0.1 www.RSTrainers.com
127.0.0.1 www.CodeSpace.net
127.0.0.1 www.RsAutoCheats.com
127.0.0.1 www.XxBots.net
127.0.0.1 www.AutoFarmer.org
127.0.0.1 www.kMiner.org
Thereby, access to the listed resources is blocked.
The file "server.exe", which is detected as Trojan.Win32.Llac.gfu, has the following payload:
Installation: Once launched, the Trojan creates a copy of its file in the Windows system directory with the name
%System%\install\server.exe
In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\install\server.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
"StubPath" = "%System%\install\server.exe Restart"
Here all the stolen data is stored in some "file" and that file is always launched
Spoiler for 5:
Payload:
When any of the following conditions are fulfilled, the Trojan ceases running:
Detection of the following libraries in its address space:
dbghelp.dll
sbiedll.dll
Launching of the Trojan on a virtual Vmware machine
Presence of the process:
VBoxService.exe
thereby the Trojan prevents its body being launched on a virtual Oracle Corporation machine
If the username on the computer is:
CurrentUser
If the value of the system registry key parameter
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId" =
is one of the following:
76487-337-8429955-22614
76487-644-3177037-23510
55274-640-2673064-23950
In addition, the Trojan employs various anti-debugging hooks.
During its execution, it creates unique identifiers with the names:
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
0BP3RCBQG7BM1V
0BP3RCBQG7BM1V_PERSIST
It creates a file in the current user's Windows temporary directory:
%Temp%\XX—XX--XX.txt — 227744 bytes
This file contains a decrypted configuration file for the Trojan's operations, as well as an executable file, which is injected into the address space of the process:
explorer.exe
The Trojan launches the process for the user's default browser. Information about the browser is obtained from the registry key:
[HKCR\http\shell\open\command]
Malicious code is also injected into the browser process.
A file is injected into the address space of the processes in order to restore the Trojan's malicious file and execute the commands obtained from the malicious user's server:
dc-hac***o-ip.info:3737
Well, the way I see it, this = the process is complete; when we're online our data can be viewed from his server = the one hacking us
>>>dc-hac***o-ip.info:3737<<< just an example
So what data can he see?
Spoiler for oh boy, this is... FYSK:
The malicious user can obtain the following information from the user's computer:
List of files on the user's computer;
List of open windows;
List of launched processes;
List of launched services;
Information about the equipment in the user's computer;
Information about the registry on the user's computer;
Information about installed programs;
List of open ports;
It has a function for browsing the user's desktop;
Web camera display;
Sound from the user's microphone;
Executing a keylogger function to obtain keys pressed on the keyboard and mouse;
Passwords saved in browsers;
In addition, it can send commands to execute the following actions:
Launch Socks Proxy and HTTP Proxy servers;
Open various pages in the user's browser;
Download various files to the user's computer and launch them for execution;
Obtain access to the command line;
Execute a search for files on the user's computer;
Obtain access to the clipboard;
Obtain access to chat during use of the application Windows Live Messenger;
Change the malicious user's server address;
Update settings;
Relaunch the malicious file;
Cease its own execution and delete its files.
This malicious file was created using the program "CyberGate RAT v1.04.8", which is a utility for remote administration. The developers' website:
http://website.cybe***-rat.org
See what I bolded?
WEBCAM
MIC SOUNDS
LIST OF FILES
LIST OF OPEN WINDOWS
KEYLOGGER PROGRAM
Just imagine what could be done if the hacker knows you and holds a grudge against you.
Within a week, your life is ruined.
Oh, unless the person blackmails you to your face and asks to meet up, you know what to do.
There is a right to obey / to kill!
Imagine if you've collected lots of original games on your computer:
money down the drain, even more so if you have an MMO account.
Imagine your info has already gone online [known on the internet] and then you get hit with this?
Your internet life is ruined.
Spoiler for the removal, just look at the very bottom of the link:
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
Use Task Manager to terminate the following processes:
explorer.exe
iexplore.exe (or the process for the browser used on the computer by default)
Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
Delete the following files:
%Temp%\1234.exe
%Temp%\KasKeygenRevised.exe
%Temp%\instant.exe
%Temp%\server.exe
%WorkDir%\System.Data.SQLite.DLL
%Temp%\melt.tmp
%Temp%\TMP.dat
%System%\install\server.exe
%Temp%\XX—XX--XX.txt
Delete the following system registry key parameters:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\install\server.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
"StubPath" = "%System%\install\server.exe Restart"
Empty the Temporary Internet Files directory:
%Temporary Internet Files%
Restore the original content of the file:
%System%\drivers\etc\hosts
Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
What can I say?
Go original. Safe and sound, and the difference from cracks is far more noticeable too, I mean it!
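A small triage helper, added here as an example (it is not from the post or from the Securelist description), that checks two of the indicators quoted above that a defender can verify offline: hosts-file entries that sinkhole online scanners such as VirusTotal and Jotti, and autorun values in the listed Run, Policies\Explorer\Run and Active Setup keys that point at the dropped %System%\install\server.exe copy. The sample hosts lines and .reg export are constructed; the key paths and the Active Setup GUID come from the description.

```python
import re
# Indicators taken from the Securelist description quoted above.
BLOCKED_SITES = ("virustotal.com", "virusscan.jotti.org")
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
)
DROPPED_EXE = r"install\server.exe"

def hosts_sinkholes(hosts_text):
    """Online-scanner hostnames that the hosts file maps to loopback."""
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for host in parts[1:]:
            host = host.lower().split("/", 1)[0]  # it writes "www.virusscan.jotti.org/en"
            if any(host == s or host.endswith("." + s) for s in BLOCKED_SITES):
                hits.append(host)
    return hits

def suspicious_autoruns(reg_export):
    """(key, name, value) triples where an autorun value runs the dropped server.exe."""
    found, key = [], None
    for line in map(str.strip, reg_export.splitlines()):
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not (m and key):
            continue
        value = m.group(2).replace("\\\\", "\\")  # .reg exports double backslashes
        if DROPPED_EXE.lower() in value.lower() and \
                any(k.lower() in key.lower() for k in AUTORUN_KEYS):
            found.append((key, m.group(1), value))
    return found

# Constructed sample inputs, not captured from a real machine.
SAMPLE_HOSTS = """127.0.0.1 virustotal.com
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.rsbot.org/vb/
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HKLM"="C:\\Windows\\system32\\install\\server.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
"StubPath"="C:\\Windows\\system32\\install\\server.exe Restart"
"""
```

On a live machine, feed it the contents of %System%\drivers\etc\hosts and the output of reg export for the keys listed in the removal instructions.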