~~~~~~~Software and Internet Discussion Forum for Christians-Catholics~~~~~~~


Dear Mr. Fajar,

That virus is a macro virus :-(
Below is how to get rid of it, along with information about it :-)

Marker.BO (Also known as W97M/Marker.BO)
Another variant of this large and common family of Word 97 and later macro
viruses, this one has a distinctive payload.

W97M/Marker.BO implements standard Marker-family replication, but has a
distinctive payload for users of the Active Desktop option in the Windows
versions of Internet Explorer 4.0 and later. Apart from that, its
de-registering of all installed Word Add-Ins and attempts to delete template
and document files from the Word Startup folder could have Word
"inexplicably" working differently from normal.

Marker.BO's Document_Open event handler simply calls the virus'
Document_Close event handler, which contains all the active code.
Document_Close sets some internal variables and a "resume next" error
handler then unloads all currently-loaded Add-Ins (including global user
templates from Word's Startup directory) then attempts to delete all files
matching "*.doc" and "*.dot" in Word's Startup directory. Under Word 98 on
the Macintosh, this file deletion fails to have the apparent intended
effect - deleting all Word template and document files in the Startup
folder. Instead, it may unintentionally delete files from the folder below
Word's Startup folder on the Mac, but the likelihood of any Mac files
matching that mask is very low. On Windows machines, files matching the mask
but with one or more of the read-only, hidden or system attributes will not
be deleted. The Word 97 and Word 98 "macro virus protection" option is then
disabled and the username, initials and address fields of the User
Information options changed to "JonMMx 2000", "MeMeX" and
"[EMAIL PROTECTED]" respectively.

After disabling cancel key processing to prevent the user breaking out of
the macro, the source code of the first VBA component of the active document
and normal template are searched for the virus' "marker" string - "<- this
is a marker! by jonhehehe TheBest-versi212x". If only one of those potential
infection targets is infected and the active document is of either Word
document or template format, infection proceeds. If the active document is
infected, and thus the normal template is the target, the saved status of
the normal template is recorded and the entire source code of the first VBA
component of the active document stored in a string variable. An infection
log entry is appended to the storage string. This entry consists of a blank
line, a comment line with the current time and date, a comment line with the
current username from the User Information options and the address from the
same source. As Marker.BO always replaces the username and address fields of
the User Information options before this part of the code runs, the values
described above will always be present in their respective comment lines in
this infection log. All the source code is then deleted from the normal
template's first VBA component and the modified copy of the virus inserted
from the storage string via the VBA AddFromString method. If the normal
template had no unsaved changes prior to infection, it is saved to restore
that state.

Instead, should the active document be the target of infection, its saved
status is recorded and the normal template's code stored in a string. After
deleting any source code in the active document's first VBA component, the
contents of the storage string are injected into that component of the
active document. The active document's saved state is restored by saving the
document if necessary and the infection process is complete.
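The replication behaviour described above leaves recoverable traces in an infected VBA module: the marker string the virus searches for, the infection log comment lines carrying the replaced User Information values, and the never-displayed "Seline" comment noted further down. The following scanner is an added example, not code from the original post or from the virus description it quotes. It takes VBA source that has already been extracted from a document (by whatever tool you use) as plain text and reports those indicators; the sample module at the bottom is constructed for illustration, and the address value is omitted because the page redacts it.

```python
"""Indicator scan for W97M/Marker.BO in extracted VBA module text.

Added example (not from the original post). The marker string, the
User Information values, the hidden comment and the macro names come
from the description above; the sample module below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Strings taken from the virus description.
MARKER_STRING = "<- this is a marker! by jonhehehe TheBest-versi212x"
USER_NAME = "JonMMx 2000"
USER_INITIALS = "MeMeX"
HIDDEN_COMMENT = "'Seline, Where are you dear"
MACRO_NAMES = ("Document_Open", "Document_Close")


@dataclass
class ScanResult:
    infected: bool              # marker string present in the module
    indicators: List[str]       # everything noteworthy that was seen
    infection_log_lines: List[str]  # comment lines carrying the replaced username


def scan_vba_module(source: str) -> ScanResult:
    """Report Marker.BO indicators in one VBA component's source text."""
    indicators = []
    if MARKER_STRING in source:
        indicators.append("marker string present")
    if HIDDEN_COMMENT in source:
        indicators.append("hidden 'Seline' comment present")
    # Event handlers on their own are legitimate; they are reported as
    # context, not as proof of infection.
    for name in MACRO_NAMES:
        if re.search(rf"^\s*(Private\s+)?Sub\s+{name}\b", source, re.M | re.I):
            indicators.append(f"{name} handler defined")
    # The infection log appends comment lines with the (replaced) username,
    # so any comment line containing it is worth surfacing for triage.
    log_lines = [
        line.strip()
        for line in source.splitlines()
        if line.strip().startswith("'") and USER_NAME in line
    ]
    # Only the marker string decides infection, as the virus itself does.
    return ScanResult(MARKER_STRING in source, indicators, log_lines)


def user_info_matches_marker_bo(username: str, initials: str) -> bool:
    """True when Word's User Information fields hold the values the virus sets."""
    return username == USER_NAME and initials == USER_INITIALS


# Constructed sample module: stand-in handlers plus the traces described above.
SAMPLE_MODULE = """Private Sub Document_Open()
    Document_Close
End Sub

Private Sub Document_Close()
    ' constructed stand-in body; the real virus code is not reproduced here
    Dim s As String
    s = "<- this is a marker! by jonhehehe TheBest-versi212x"
End Sub

' 01/01/2000 12:00
' JonMMx 2000
'Seline, Where are you dear
"""

if __name__ == "__main__":
    result = scan_vba_module(SAMPLE_MODULE)
    print("infected:", result.infected)
    for item in result.indicators:
        print(" -", item)
    for line in result.infection_log_lines:
        print(" log:", line)
```

Feed the output of your VBA extraction tool into `scan_vba_module` for both the document and Normal.dot, since the description says either one can be the target; a hit in Normal.dot means every document closed from that point on is a candidate for infection.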

Its infection duties finished, Document_Close checks the registry value
"LogData in" at the key "HKEY_CURRENT_USER\Software\Microsoft\MS Setup
(ACME)\User Info". If its value is false (or the key does not exist), the
value is created and set to "True". The Windows installation directory is
then read from another registry value and the file "Jon.html" created there.
This file contains a poem about lost - perhaps unrequited - love. Complete
with errors, that HTML file reads:

a Poet For My Dear Love
Dear Iin

To the very best that happen in mylife
Long ago and in my mind, I can see your face lonely and lost in time
You were gone since yester month But the memories, never would dissapear
I think of you, I THINK OF YOU.
Yes it's true I can pretend. But the paint of blue, keep beat me till the
end.
Yes it's hard to understand. Why you leaving me and all we dreaming on
Dear Iin, I close my eyes and see your face. That's all I have to do to be
with you.
Dear Iin, altough I can not touch your face. I know what I can do to be with
you
Long ago so faraway. But the light of blue, still living with me today.
You were gone since yester month. But the memories never would dissapear.

Speed Hari

In the original the "Dear Iin" line is an Email hyperlink to a Yahoo address
and the lines are double-spaced. That file is then set as the Internet
Explorer desktop wallpaper - a setting that has no effect unless Internet
Explorer 4.0 or later is installed and the Active Desktop option enabled. As
this payload disturbs the user's desktop settings, it is likely to quickly
be reset and the file "Jon.html" removed. Hoping this would not also see the
virus rapidly discovered, the virus' writer included a check for the current
day of the week. The routine that generates "Jon.html" and sets it to be the
Active Desktop wallpaper is run whenever the virus runs on a Sunday.

Marker.BO contains the following comment, which is never displayed:

'Seline, Where are you dear

Under Word 98 on the Macintosh, Marker.BO replicates as described. However,
the HTML file is created or overwritten every time the virus runs because
the registry test always fails. The HTML file obviously cannot be created in
the Windows install directory either - instead, it is created as "\Jon.html"
in the default document folder at the time the virus runs.

This virus has been reported in the wild.

Macro names: Document_Open and Document_Close



------ Save bandwidth: delete unnecessary messages before replying ------
SUBSCRIBE---> To:   [EMAIL PROTECTED], Body: empty
UNSUBSCRIBE---> To: [EMAIL PROTECTED], Body: empty
Moderator: Ronny <[EMAIL PROTECTED]>, Alex <[EMAIL PROTECTED]>
Web : http://hub.xc.org/cgi-bin/lyris.pl?enter=i-kan-software

Send email to