AryaN. In IT terms, flooding means overloading a server by sending it large packets continuously (DDoS / Denial of Service attacks). AryaN does not just spread via flash disks with its new kind of shortcut; it also downloads an NgrBot variant and carries out a flooding attack. Naturally, the trojan tries to keep this activity from being noticed by the user of the infected computer, so it hides behind another process while launching its attack.
A. File Info
Worm name : AryaN
Origin : ~
File size : 95.5 KB (97,792 bytes)
Packer : ~
Language : C++
Icon : Exe / Application
Type : Trojan, Worm
B. About the Malware
The image above is a simulation of the general sequence of events; AryaN also spreads through Yahoo Messenger. We first received a report from the Indonesian virus forum about malware spreading via Facebook. When we checked it, at first glance it looked like an NgrBot variant, all the more so because, once run, it did download a new NgrBot variant. Then another report came in about the same malware with the same pattern. On re-checking, it turned out not to be a variant or companion of NgrBot, but a worm dedicated to a specific set of tasks:
1. Download a companion and run it alongside its host
2. Download an NgrBot variant
3. Carry out a DDoS against a particular website using the SYN flooding attack method
The name "AryaN" is taken from one of the lines found in the threads it creates:
Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
The body of AryaN itself contains no strings that reveal what it will do; the strings found in its threads are a different matter. Below is the dump we obtained.
File pos Mem pos ID Text
======== ======= == ====
00000000004D 000002DA004D 0 !This program cannot be run in DOS mode.
0000000001C8 000002DA01C8 0 .data
0000000001F0 000002DA01F0 0 .idata
000000000218 000002DA0218 0 .rsrc
00000000023F 000002DA023F 0 @.reloc
000000001368 000002DA1F68 0 Botkiller
000000001374 000002DA1F74 0 Successfully Killed And Removed Malicious File: "%s"
000000001400 000002DA2000 0 Usage: %s IP PORT DELAY LENGTH
000000001428 000002DA2028 0 Failed To Start Thread: "%d"
00000000144C 000002DA204C 0 Failed: Mis Parameter
000000001468 000002DA2068 0 WinINet
000000001474 000002DA2074 0 Failed: "%d"
000000001484 000002DA2084 0 Visit
00000000148C 000002DA208C 0 Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0000000014D4 000002DA20D4 0 Filed To Visit: "%s"
0000000014F0 000002DA20F0 0 Successfully Visited: "%s"
000000001520 000002DA2120 0 %s #%s
00000000152C 000002DA212C 0 %s %s
000000001540 000002DA2140 0 Terminated WGet Thread
000000001564 000002DA2164 0 Running From: "%s"
00000000157C 000002DA217C 0 [%s][%s] - "%s"
000000001590 000002DA2190 0 hh':'mm':'ss
0000000015E8 000002DA21E8 0 {%s}: %s
000000001618 000002DA2218 0 Update Complete, Uninstalling
00000000163C 000002DA223C 0 Successfully Executed Process: "%s"
000000001668 000002DA2268 0 Failed To Create Process: "%s", Reason: "%d"
0000000016A0 000002DA22A0 0 Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
000000001748 000002DA2348 0 Successfully Downloaded File To: "%s"
000000001778 000002DA2378 0 Downloading File: "%s"
000000001794 000002DA2394 0 Download
000000001840 000002DA2440 0 IsWow64Process
000000001884 000002DA2484 0 http://api.wipmania.com/
000000001FD4 000002DA2BD4 0 PRIVMSG
00000000205C 000002DA2C5C 0 Config
000000002064 000002DA2C64 0 Failed to load config
00000000212C 000002DA2D2C 0 AryaN{%s-%s-x%d}%s
000000002144 000002DA2D44 0 New{%s-%s-x%d}%s
000000002158 000002DA2D58 0 %s "" "%s" :%s
00000000216C 000002DA2D6C 0 %s %s
000000002174 000002DA2D74 0 %s %s :[AryaN]: %s
000000002190 000002DA2D90 0 %s %s %s
0000000021A4 000002DA2DA4 0 Finished Flooding "%s:%d"
0000000021C4 000002DA2DC4 0 Terminated UDP Flood Thread
0000000021E8 000002DA2DE8 0 %d%d%d%d%d%d%d%d
000000002200 000002DA2E00 0 Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0000000023A4 000002DA2FA4 0 LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0000000025B4 000002DA31B4 0 AutoRun Infected Removable Device: "%s\"
000000002857 000002DA3457 0 4 RAS_e
000000002877 000002DA3477 0 4 RAS
000000002AC9 000002DA36C9 0 z)ze'
000000002D7D 000002DA397D 0 /4*&{
000000002D9D 000002DA399D 0 O(hHj
000000003BBB 000002DA47BB 0 OWShX
000000003E13 000002DA4A13 0 D$0Pht
0000000044DA 000002DA50DA 0 SSPhZ
000000004BB9 000002DA57B9 0 j[YPSSh
000000004C26 000002DA5826 0 SSSSh
000000004C5F 000002DA585F 0 t)SSj
000000005209 000002DA5E09 0 Yt3Pj
000000005302 000002DA5F02 0 QQSVj
0000000055C9 000002DA61C9 0 Yt}Vh
0000000055FA 000002DA61FA 0 tF@Pj
000000005720 000002DA6320 0 SUVWh
000000005822 000002DA6422 0 VVVVh
00000000583C 000002DA643C 0 SVVVVh
000000005927 000002DA6527 0 tDVWWh$
000000005AF9 000002DA66F9 0 tUWSV
000000005B31 000002DA6731 0 WWWPWW
000000005C33 000002DA6833 0 +Y4;YPw2
000000005CB0 000002DA68B0 0 Yt8Pj
000000005F14 000002DA6B14 0 SUVWh
000000006098 000002DA6C98 0 QSUVWj
0000000063A7 000002DA6FA7 0 YYVVVhx
000000006499 000002DA7099 0 VVVhF
000000006650 000002DA7250 0 UUUVUU
00000000670F 000002DA730F 0 PVVj(WVVV
000000006920 000002DA7520 0 VPVh?
000000006A30 000002DA7630 0 VPVh?
000000006B14 000002DA7714 0 QSVW3
000000006C20 000002DA7820 0 YtPhL
000000006D31 000002DA7931 0 VVVhY
000000006E35 000002DA7A35 0 QQSVWj,
000000006EF7 000002DA7AF7 0 VSSSh
00000000735A 000002DA7F5A 0 PWhD!
000000007370 000002DA7F70 0 PWh,!
000000007414 000002DA8014 0 YPhX!
0000000075A2 000002DA81A2 0 trSWh,
000000007DB2 000002DAA1B2 0 PVVh%
00000000877C 000002DAAB7C 0 0866031
000000008950 000002DAAD50 0 udp.stop
0000000089B4 000002DAADB4 0 #newbitch
000000008A1C 000002DAAE1C 0 #newbitch1
000000008A80 000002DAAE80 0 6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
000000008AE4 000002DAAEE4 0 unsort
000000008B48 000002DAAF48 0 download.stop
000000008BAC 000002DAAFAC 0 remove
000000009564 000002DAD564 0 botkill
00000000962C 000002DAD62C 0 haso.dukatlgg.com
0000000096F4 000002DAD6F4 0 reconnect
000000009820 000002DAD820 0 HeavenOnEarth
0000000098E8 000002DAD8E8 0 visit
0000000099B0 000002DAD9B0 0 download
00000000A856 000002DAA856 0 PwS*Pw
00000000A88A 000002DAA88A 0 wcsstr
00000000A894 000002DAA894 0 memset
00000000A89E 000002DAA89E 0 _snwprintf
00000000A8AC 000002DAA8AC 0 wcscmp
00000000A8BE 000002DAA8BE 0 strncmp
00000000A8C8 000002DAA8C8 0 strstr
00000000A8D2 000002DAA8D2 0 _snprintf
00000000A8DE 000002DAA8DE 0 strcmp
00000000A8E8 000002DAA8E8 0 strncpy
00000000A8FA 000002DAA8FA 0 printf
00000000A904 000002DAA904 0 _vsnprintf
00000000A912 000002DAA912 0 wprintf
00000000A91C 000002DAA91C 0 _vsnwprintf
00000000A92A 000002DAA92A 0 srand
00000000A932 000002DAA932 0 strlen
00000000A93C 000002DAA93C 0 wcstombs
00000000A948 000002DAA948 0 mbstowcs
00000000A954 000002DAA954 0 strcpy
00000000A95E 000002DAA95E 0 memcpy
00000000A968 000002DAA968 0 _wcsicmp
00000000A974 000002DAA974 0 malloc
00000000A986 000002DAA986 0 wcscpy
00000000A990 000002DAA990 0 realloc
00000000A99A 000002DAA99A 0 strtok
00000000A9A4 000002DAA9A4 0 fclose
00000000A9AE 000002DAA9AE 0 fwprintf
00000000A9BA 000002DAA9BA 0 _wfopen
00000000A9C2 000002DAA9C2 0 MSVCRT.dll
00000000A9D0 000002DAA9D0 0 HeapFree
00000000A9DC 000002DAA9DC 0 ExpandEnvironmentStringsW
00000000A9F8 000002DAA9F8 0 HeapAlloc
00000000AA04 000002DAAA04 0 CloseHandle
00000000AA12 000002DAAA12 0 Process32NextW
00000000AA24 000002DAAA24 0 DeleteFileW
00000000AA32 000002DAAA32 0 MoveFileW
00000000AA3E 000002DAAA3E 0 SetFileAttributesW
00000000AA54 000002DAAA54 0 Sleep
00000000AA5C 000002DAAA5C 0 Process32FirstW
00000000AA6E 000002DAAA6E 0 CreateToolhelp32Snapshot
00000000AA8A 000002DAAA8A 0 lstrlenA
00000000AA96 000002DAAA96 0 SetThreadPriority
00000000AAAA 000002DAAAAA 0 GetLastError
00000000AABA 000002DAAABA 0 CreateThread
00000000AACA 000002DAAACA 0 GetLocaleInfoA
00000000AADC 000002DAAADC 0 TerminateThread
00000000AAEE 000002DAAAEE 0 GetModuleFileNameA
00000000AB04 000002DAAB04 0 GetModuleHandleA
00000000AB18 000002DAAB18 0 GetTimeFormatA
00000000AB2A 000002DAAB2A 0 GetTimeFormatW
00000000AB3C 000002DAAB3C 0 OutputDebugStringA
00000000AB52 000002DAAB52 0 OutputDebugStringW
00000000AB68 000002DAAB68 0 ReleaseMutex
00000000AB78 000002DAAB78 0 WaitForSingleObject
00000000AB8E 000002DAAB8E 0 WriteFile
00000000AB9A 000002DAAB9A 0 CreateFileW
00000000ABA8 000002DAABA8 0 GetTickCount
00000000ABB8 000002DAABB8 0 SetLastError
00000000ABC8 000002DAABC8 0 FindNextFileW
00000000ABD8 000002DAABD8 0 FindNextFileA
00000000ABE8 000002DAABE8 0 OpenProcess
00000000ABF6 000002DAABF6 0 GetProcAddress
00000000AC08 000002DAAC08 0 LoadLibraryW
00000000AC18 000002DAAC18 0 GetFileAttributesW
00000000AC2E 000002DAAC2E 0 GetVersionExA
00000000AC3E 000002DAAC3E 0 ReadFile
00000000AC4A 000002DAAC4A 0 GetFileSize
00000000AC58 000002DAAC58 0 CreateMutexW
00000000AC68 000002DAAC68 0 OpenMutexW
00000000AC76 000002DAAC76 0 GetProcessHeap
00000000AC88 000002DAAC88 0 CreateRemoteThread
00000000AC9E 000002DAAC9E 0 WriteProcessMemory
00000000ACB4 000002DAACB4 0 VirtualProtectEx
00000000ACC8 000002DAACC8 0 VirtualAllocEx
00000000ACDA 000002DAACDA 0 ReadProcessMemory
00000000ACEE 000002DAACEE 0 GetCurrentProcess
00000000AD02 000002DAAD02 0 VirtualAlloc
00000000AD12 000002DAAD12 0 GetCurrentProcessId
00000000AD28 000002DAAD28 0 LockResource
00000000AD38 000002DAAD38 0 LoadResource
00000000AD48 000002DAAD48 0 SizeofResource
00000000AD5A 000002DAAD5A 0 FindResourceW
00000000AD6A 000002DAAD6A 0 ExitProcess
00000000AD78 000002DAAD78 0 ExitThread
00000000AD86 000002DAAD86 0 GetDriveTypeW
00000000AD96 000002DAAD96 0 GetModuleFileNameW
00000000ADAC 000002DAADAC 0 GetModuleHandleW
00000000ADC0 000002DAADC0 0 SetErrorMode
00000000ADD0 000002DAADD0 0 CreateProcessW
00000000ADE2 000002DAADE2 0 TerminateProcess
00000000ADF6 000002DAADF6 0 lstrlenW
00000000AE02 000002DAAE02 0 CreateEventW
00000000AE12 000002DAAE12 0 CreateDirectoryW
00000000AE26 000002DAAE26 0 CopyFileW
00000000AE32 000002DAAE32 0 FindFirstFileW
00000000AE44 000002DAAE44 0 GetLogicalDriveStringsW
00000000AE5C 000002DAAE5C 0 KERNEL32.dll
00000000AE6A 000002DAAE6A 0 WS2_32.dll
00000000AE78 000002DAAE78 0 PathAppendW
00000000AE84 000002DAAE84 0 SHLWAPI.dll
00000000AE92 000002DAAE92 0 InternetReadFile
00000000AEA6 000002DAAEA6 0 InternetOpenUrlA
00000000AEBA 000002DAAEBA 0 InternetCloseHandle
00000000AED0 000002DAAED0 0 InternetOpenW
00000000AEDE 000002DAAEDE 0 WININET.dll
00000000AEEC 000002DAAEEC 0 CoCreateInstance
00000000AF00 000002DAAF00 0 CoUninitialize
00000000AF12 000002DAAF12 0 CoInitialize
00000000AF20 000002DAAF20 0 ole32.dll
00000000AF2C 000002DAAF2C 0 GetModuleFileNameExW
00000000AF42 000002DAAF42 0 PSAPI.DLL
00000000AF4E 000002DAAF4E 0 ShellExecuteA
00000000AF5E 000002DAAF5E 0 SHGetFolderPathW
00000000AF70 000002DAAF70 0 SHELL32.dll
00000000AF7E 000002DAAF7E 0 RegCloseKey
00000000AF8C 000002DAAF8C 0 RegDeleteValueW
00000000AF9E 000002DAAF9E 0 RegCreateKeyExW
00000000AFB0 000002DAAFB0 0 RegQueryValueExW
00000000AFC4 000002DAAFC4 0 RegOpenKeyExW
00000000AFD4 000002DAAFD4 0 RegSetValueExW
00000000AFE6 000002DAAFE6 0 RegNotifyChangeKeyValue
00000000B000 000002DAB000 0 GetUserNameW
00000000B00E 000002DAB00E 0 ADVAPI32.dll
00000000C088 000002DAC088 0 1Al8deESCWJQjKrniRIiz5Ofdzfi1h
00000000C0A7 000002DAC0A7 0 A6RnRPKMb77qvsg5RiVNXdu6D9mgzE8
00000000C112 000002DAC112 0 egregregerfwde
00000000C121 000002DAC121 0 svhost.exe
00000000C18B 000002DAC18B 0 APADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
00000000D01D 000002DAD01D 0
00000000D029 000002DAD029 0 ">P>d>j>
00000000D051 000002DAD051 0 ?#?h?
00000000D06B 000002DAD06B 0 0=0C0g0n0{0
00000000D081 000002DAD081 0 0c1t1z1
00000000D091 000002DAD091 0 2'2.2:2?2I2\2l2q2w2|2
00000000D0B7 000002DAD0B7 0 3.333H3e3
00000000D0D1 000002DAD0D1 0 454
00000000D0F3 000002DAD0F3 0 5%5Y5e5p5w5
00000000D129 000002DAD129 0 7n8~8
00000000D135 000002DAD135 0 819F9N9
00000000D149 000002DAD149 0 :4:?:J:U:
00000000D155 000002DAD155 0 :k:y:
00000000D183 000002DAD183 0 4>:>@>F>L>c>p>
00000000D1F0 000002DAD1F0 0 -070>0O0
00000000D1FF 000002DAD1FF 0 031:1h1
00000000D209 000002DAD209 0 202;2]2b2h2o2
00000000D21F 000002DAD21F 0 3'3.3=3C3R3a3
00000000D237 000002DAD237 0 4)4@4i4w4~4
00000000D25F 000002DAD25F 0 6$6-696E6J6W6]6
00000000D27B 000002DAD27B 0 62777G7M7S7b7n7
00000000D295 000002DAD295 0 7'8-8B8I8a8o8z8
00000000D2B1 000002DAD2B1 0 949>9J9c9i9
00000000D2D5 000002DAD2D5 0 9 :.:P:c:i:p:
00000000D2F3 000002DAD2F3 0 ;%;
00000000D2FF 000002DAD2FF 0 _>m>s>x>
00000000D329 000002DAD329 0 >&?+?;?A?G?
00000000D35B 000002DAD35B 0 1*1V1d1q1~1
00000000D379 000002DAD379 0 2,292F2S2
00000000D383 000002DAD383 0 2m2z2
00000000D393 000002DAD393 0 2l3v3
00000000D3B5 000002DAD3B5 0 4 4-42494?4D4J4W4_4g4p4v4
00000000D3E5 000002DAD3E5 0 4]5c5j5
00000000D401 000002DAD401 0 6&6:6@6X6
00000000D40B 000002DAD40B 0 6q6w6~6
00000000D413 000002DAD413 0 7$757
00000000D41D 000002DAD41D 0 778G8R8]8
00000000D42F 000002DAD42F 0 839C9L9
00000000D441 000002DAD441 0 :C:T:o:x:
00000000D44F 000002DAD44F 0 :3;
00000000D459 000002DAD459 0 ;g;~;
00000000D467 000002DAD467 0 E>N>
00000000D4AD 000002DAD4AD 0 ?=?Y?y?
00000000D4C7 000002DAD4C7 0 0E0Z0_0v0
00000000D4DF 000002DAD4DF 0 1=1C1L1R1\1b1
00000000D4EF 000002DAD4EF 0 2 2+2C2
00000000D501 000002DAD501 0 3!3]3s3|3
00000000D517 000002DAD517 0 4 4A4M4b4h4z4
00000000D52F 000002DAD52F 0 4(5755D5J5P5V5\5b5h5n5t5z5
00000000D719 000002DAD719 0 6"6(6.646:6@6F6L6R6X6
00000000D72F 000002DAD72F 0 6d6j6p6v6|6
00000000D76F 000002DAD76F 0 7$7*70767
00000000131D 000002DA1F1D 0 %userprofile%
000000001340 000002DA1F40 0 %appdata%
000000001358 000002DA1F58 0 %temp%
0000000013B4 000002DA1FB4 0 %s\removethis_%d%d%d.exe
0000000015C8 000002DA21C8 0 hh':'mm':'ss
0000000015F4 000002DA21F4 0 {%s}: %s
000000001718 000002DA2318 0 %temp%\oldfile.exe
0000000017A0 000002DA23A0 0 Mozilla/5.0 (compatible)
0000000017DC 000002DA23DC 0 %s\%d%d%d.exe
000000001800 000002DA2400 0 explorer.exe
000000001820 000002DA2420 0 Kernel32.dll
000000001860 000002DA2460 0 %s-deadlock
0000000018A4 000002DA24A4 0 %s\SysWOW64
000000001D70 000002DA2970 0 advapi32.dll
000000001D90 000002DA2990 0 comsupp.dll
000000001DAC 000002DA29AC 0 shell32.dll
000000001DC8 000002DA29C8 0 wininet.dll
000000001DE4 000002DA29E4 0 shlwapi.dll
000000001E00 000002DA2A00 0 dnsapi.dll
000000001E1C 000002DA2A1C 0 user32.dll
000000001E38 000002DA2A38 0 ws2_32.dll
000000001E54 000002DA2A54 0 psapi.dll
000000001E6C 000002DA2A6C 0 Ole32.dll
000000001E84 000002DA2A84 0 kernel32.dll
000000001EA4 000002DA2AA4 0 msvcrt.dll
000000001EC0 000002DA2AC0 0 dwm.exe
000000001ED4 000002DA2AD4 0 alg.exe
000000001EE8 000002DA2AE8 0 csrss.exe
000000001F00 000002DA2B00 0 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
000000001F70 000002DA2B70 0 %s-readfile
000000002048 000002DA2C48 0 cmd.exe
0000000020BC 000002DA2CBC 0 Software\Microsoft\Windows\CurrentVersion\Run
000000002240 000002DA2E40 0 %temp%\deletethis.exe
000000002274 000002DA2E74 0 Removable_Drive.exe
0000000022BC 000002DA2EBC 0 %s\{%s-%s}
0000000022D8 000002DA2ED8 0 /k "%s" Open %s
000000002300 000002DA2F00 0 %windir%\System32\cmd.exe
000000002340 000002DA2F40 0 %s\Removable_Drive.exe
000000002378 000002DA2F78 0 %s\%s
000000002388 000002DA2F88 0 %s\%s.lnk
000000002590 000002DA3190 0 %s\autorun.inf
0000000087C0 000002DAABC0 0 svhost.exe
000000008CDC 000002DAB0DC 0 C:\Documents and Settings\Administrator\Application Data\svhost.exe
0000000090EC 000002DAD0EC 0 C:\Documents and Settings\Administrator\Application Data\svhost.exe
000000009758 000002DAD758 0 egregregerfwde
C. Companion / Files Created
1. Autorun.inf
Autorun.inf seems to be standard equipment for malware that spreads its companion on flash disks. It can be said that AryaN differs from earlier malware in its autorun source code. Here is an example.
Usually, the commands that call the malware host inside a folder on the flash disk, such as Open, Shell\Open / Shell\Explore, do not spell out the drive location, because if on a clean computer the removable disk's drive letter differs from the one in the autorun command, the malware will most likely never be executed.
2. Shortcuts and Backup Folder
The image above shows that the files on the flash disk have been turned into shortcuts. In fact, the original files are moved into the folder {[user name]-random name}. The shortcut's target is also slightly different:
C:\WINDOWS\system32\cmd.exe /k "F:\svhost.exe" Open F:\{Administrator-egregregerfwde}\rku37300509.exe
For a fuller explanation of these parameters, open a command prompt / cmd.exe and type the command "cmd.exe /?".
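The autorun.inf and shortcut tricks described in this section can be checked statically once a suspect flash disk is mounted read-only. The Python script below is an added example written for this page; it is neither PCMAV's code nor AryaN's. It parses an autorun.inf and reports the launch keys (Open, ShellExecute, Shell\Open\Command, Shell\Explore\Command), noting whether each target is pinned to a drive letter as discussed above, and it recognises shortcut targets of the form cmd.exe /k "<dropper>" Open <original file>. The autorun.inf body and the shortcut targets are constructed samples; apart from svhost.exe and Removable_Drive.exe, which appear in the dump, the folder and file names are invented.

```python
"""Static checks for the two removable-drive artefacts described above: an
autorun.inf whose launch keys name an executable, and .lnk shortcuts whose
target follows the pattern  cmd.exe /k "<dropper>" Open <original file>.
Added example for this write-up, not PCMAV code. The autorun.inf body and the
shortcut targets are constructed; the file names echo strings from the dump
(svhost.exe, Removable_Drive.exe), the random folder/file names are invented.
"""
import configparser
import re

# Constructed autorun.inf in the style the text describes: the launch commands
# hard-code the drive letter, so they only work when the stick mounts as F:.
SAMPLE_AUTORUN = """[autorun]
open=F:\\svhost.exe
shell\\open\\command=F:\\svhost.exe
shell\\explore\\command=F:\\svhost.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed shortcut targets: the first two follow the pattern quoted on the
# page, the third is an ordinary application shortcut and must not be flagged.
SAMPLE_LNK_TARGETS = [
    r'C:\WINDOWS\system32\cmd.exe /k "F:\svhost.exe" Open F:\{Administrator-egregregerfwde}\rku37300509.exe',
    r'C:\WINDOWS\system32\cmd.exe /k "F:\Removable_Drive.exe" Open F:\{Administrator-egregregerfwde}\report.docx',
    r'C:\Program Files\Foo\foo.exe --open F:\report.docx',
]

# autorun.inf keys that make Windows launch something on insert / open / explore.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
DRIVE_LETTER = re.compile(r"^[A-Za-z]:\\")
# Shortcut target: cmd.exe kept open (/k), running the dropper first and then
# handing the original document back to the user so nothing looks wrong.
CMD_K_OPEN = re.compile(
    r'cmd\.exe\s+/k\s+"(?P<dropper>[^"]+)"\s+Open\s+(?P<original>\S+)', re.IGNORECASE)


def analyse_autorun(text):
    """Return one finding per launch key in [autorun]; each says whether the
    target is pinned to a drive letter (the detail the text points out)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return []
    findings = []
    for key, value in cp.items("autorun"):
        if key in LAUNCH_KEYS:
            target = value.strip().strip('"')
            findings.append({"key": key, "target": target,
                             "hardcoded_drive": bool(DRIVE_LETTER.match(target))})
    return findings


def analyse_lnk_target(target):
    """Return (dropper, original) for a shortcut target matching the
    cmd.exe /k "<dropper>" Open <original> pattern, otherwise None."""
    m = CMD_K_OPEN.search(target)
    return (m.group("dropper"), m.group("original")) if m else None


def scan_removable(autorun_text, lnk_targets):
    """Combine both checks into one report for a removable drive."""
    report = {"autorun": analyse_autorun(autorun_text), "lnk": []}
    for target in lnk_targets:
        hit = analyse_lnk_target(target)
        if hit:
            report["lnk"].append({"target": target, "dropper": hit[0], "original": hit[1]})
    return report


if __name__ == "__main__":
    result = scan_removable(SAMPLE_AUTORUN, SAMPLE_LNK_TARGETS)
    for f in result["autorun"]:
        print(f"autorun {f['key']} -> {f['target']} (drive letter pinned: {f['hardcoded_drive']})")
    for f in result["lnk"]:
        print(f"lnk dropper={f['dropper']} original={f['original']}")
```

On a real stick you would feed the contents of autorun.inf to analyse_autorun and the target string of each .lnk (as shown by the shortcut's Properties dialog or an LNK parser) to analyse_lnk_target; the "original" path the script extracts tells you where the user's real file was moved, which is the one to restore before deleting the shortcut.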
D. Infection Results
This malware is one of the more unusual ones; its payload was beyond what we expected. It backs up the files on the flash disk and replaces them with shortcuts carrying the same icon as the original file, and it connects to several IPs such as:
- 199.15.234.7
- 91.217.153.113
- 92.234.27.178
It adds a value under the startup key so that it runs during startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
"egregregerfwde"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
To mark that it is already active in memory, AryaN creates a mutex named "HGFSMUTEX000000000000f53a".
E. Cleaning
With PCMAV 5.5 Update Build4, the AryaN trojan can be cleaned completely.
PCMAV 5.5 Update Build4
To eradicate this virus and other virus variants, PCMAV 5.5 Update Build4 is now available with 104 new virus variant signatures added. If you use PCMAV 5.5, it is strongly recommended that you update immediately so that your PCMAV can recognise and eradicate more viruses.
To obtain and use this PCMAV update, simply run PCMAV.exe; the computer must be actively connected to the Internet. If the Internet connection uses a proxy, specify the proxy configuration in the file proxy.txt. PCMAV's Automatic Updates feature will automatically download and update the PCMAV database. You can also update at any time by right-clicking the PCMAV icon in the system tray and choosing Update.
If you want to obtain the update file manually, you can download it via the links below:
Place the downloaded file (update.vdb) into the \vdb folder. If an older update file is already there, simply overwrite it. Make sure once again that the update file is named update.vdb; if it differs, just rename it. The next time you run PCMAV, it will already be up to date.
List of viruses added up to PCMAV 5.5 Update Build4:
AryaN
AryaN.inf
AryaN.lnk
Autoit-ReplaceIcon.L
Autoit-ReplaceIcon.M
Autoit-ReplaceIcon.N
BanB
Chu
Craft3
Craft3.tmp
Elize.B
ErrorLove.vbs
ErrorLove.vbs.inf
ErrorLove.vbs.txt
FBSurprise
FBSurprise.drp
FBSurprise.exe.A
FBSurprise.exe.B
FBSurprise.job.A
FBSurprise.job.B
FBSurprise.jpg
FBSurprise.tmp.A
FBSurprise.tmp.B
FBSurprise.tmp.C
FluX
FluX.DLL
Flw
FontPorn.B
FontPorn.B.exe.A
FontPorn.B.exe.B
FontPorn.B.lnk
FontPorn.B.tmp
FontPorn.C
FontPorn.C.ini
Gen.VirVBS-BSoft
GooDown
Gphone
HelloPhilippines
HelloPhilippines.inf
HelloPhilippines.ini
HelloPhilippines.txt.A
HelloPhilippines.txt.B
IntreNat
LegendMir
LegendMir.dll
Maximus-GmbH.A
Mbzuchi
NgrBot.A.dat.variant
NgrBot.A.drp.A.variant
NgrBot.A.drp.B.variant
NgrBot.A.drp.C.variant
NgrBot.A.exe.A.variant
NgrBot.A.exe.B.variant
NgrBot.A.inf.variant
NgrBot.A.lnk.variant
NgrBot.A.variant
NgrBot.B.inf.variant
NgrBot.B.variant
NgrBot.C.variant
NgrBot.D.variant
NgrBot.E.variant
NgrBot.F.variant
NgrBot.G.variant
NgrBot.H.variant
Noa
Noa.inf
None
Retfig
Ric0.A
Ric0.B
Ric0.B.inf
Ric0.C
Romantic
Romantic.inf
Rose-Loren.F
SevenTech
SevenTech.host
Shared-Ptr
ShellExecuteA
ShellExecuteA.dat
ShellExecuteA.exe
SmallSmile.vbs
SmallSmile.vbs.inf
Sopian
Sopian.htm
TODO
TODO.drp
TroSystem
TroSystem.dat
TroSystem.inf
UltraSurf.A
UltraSurf.A.bat
UltraSurf.B
UltraSurf.C
UltraSurf.D
UltraSurf.D.bat
UrFace
VLyc
VLyc.ico
VLyc.url
X-Sample.vbs.C
X-Sample.vbs.C.inf
X-Sample.vbs.C.ini
X-Sample.vbs.C.mp3
PCMAV 5.5 Update Build4 is available with 104 new virus database entries added in this update build. That is 23 more database entries than Build3, which had only 81. PCMAV can be updated automatically by choosing "Update" from the right-click menu of the PCMAV icon in the system tray, one of the features added in the PCMAV 5.5 release. If you want to download the update build manually, use the links below.
(Full details: see the image below)
Note (important):
- After downloading PCMAV 5.5 Valhalla, extract it first, then copy/cut the entire contents of the extracted folder into your previous PCMAV folder (PCMAV 5.4 Valhalla). If you do not yet have PCMAV 5.4 Valhalla, download PCMAV 5.4 here
- No. 2 (the Build4 update (.vdb) only) is extracted first and then placed in the folder PCMAV 5.5 Valhalla/vdb
Download Here
1. Download PCMAV 5.5 Valhalla only:
Mirror Link:
2. Download the Build3 update (.vdb) only:
Mirror Link: