



1. An error message "16 bit MS-DOS Subsystem" appears when the computer is switched on.
2. The registered owner name and organization name on the computer are changed:
* RegisteredOrganization = GoldenGhost.Inc
* RegisteredOwner = GoldenGhost
3. The string "-= GoldenGhost Was Here =-" is added to the file C:\Boot.ini, so that at boot time the Windows boot menu shows an additional entry named "-= GoldenGhost Was Here =-".
The virus is written in Visual Basic and compressed with UPX. It is quite large, around 1,312 KB. To trick the user, it uses the "Windows Media Player" icon.
When the infected file is run, it creates several files, which are run every time the computer is turned on or restarted, in the following locations:
• C:\Windows\%folder%\%file%.exe (random)
• C:\Windows\system32\%folder%\%file%.exe (random)
Here are some of the file names it may use (random):
• devil.ocx
• pluto.ocx
• capiw.exe
• dusiw.exe
• gexuw.exe
• GoldenGhost.exe
• mamuv.exe
• ridec.exe
• msvbvm60.dll
• heluh.exe
• muxim.exe
• quniw.exe
• gutum.exe
• helef.exe
• kabuh.exe
• mideg.exe
• tixec.exe
• vuvey.exe
So that the file runs automatically, it creates the following registry strings:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
o GoldenGhost = C:\%SystemRoot%\%folder%\%file%.exe or C:\%windir%\%folder%\%file%.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
o Shell = Explorer.exe C:\%SystemRoot%\%folder%\%file%.exe or C:\%windir%\%folder%\%file%.exe
To defend itself, the virus blocks several Windows functions, such as:
• Disable function "paste"
• Disable run
• Disable Search
• Disable FolderOptions
• Disable Recent Documents menu
• Disable right-click
• Disable CMD
• Disable RegistryTools
• Disable TaskMgr
• Not able to display the hidden files
To do this, it creates the following registry strings:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
o Hidden = 2
o HideFileExt = 1
o ShowSuperHidden = 0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
o = NoClose Explorer
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
o NoFind
o NoFolderOption
o NoRecentDocsMenu
o NoRun
o NoSaveSettings
o NoSetFolders
o NoTrayContextMenu
o NoViewContextMenu
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
o DisableCMD
o DisableRegistryTools
o DisableTaskMgr
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
o Type = --
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
o Type = --
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
o Type = --
The virus also creates the following registry strings:
HKEY_LOCAL_MACHINE\SOFTWARE\GoldenGhost.A
- AppAll = tupin.exe (random)
- AppMirc = heluh.exe (random)
- AppOther = quniw.exe (random)
- AppSetan = gutum.exe (random)
- AppUtama = muxim.exe (random)
- Location = C:\WINDOWS\System32\config (random)
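An indicator check for the registry changes listed above, added here as an example and not part of the original write-up: it scans the text of a registry export for the Run value, the altered Winlogon Shell, the policy lockdown values, the hidden-file settings and the GoldenGhost.A key. The sample export is constructed, and the function names and category labels are assumptions of this example.

```python
import re

# Constructed sample in `reg export` text form; paths and file names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoldenGhost"="C:\\WINDOWS\\example\\example.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\example\\example.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\GoldenGhost.A]
"AppUtama"="example.exe"
'''

# Policy names as listed above, lower-cased; Windows spells one "NoFolderOptions", so both match.
POLICIES = {"noclose", "nofind", "nofolderoption", "nofolderoptions", "norun",
            "norecentdocsmenu", "nosavesettings", "nosetfolders", "notraycontextmenu",
            "noviewcontextmenu", "disablecmd", "disableregistrytools", "disabletaskmgr"}
HIDE = {"hidden": 2, "hidefileext": 1, "showsuperhidden": 0}  # data the write-up gives

def dword(data):  # integer of a dword:xxxxxxxx value, None for any other type
    m = re.fullmatch(r"dword:([0-9a-f]{8})", data.strip().lower())
    return int(m.group(1), 16) if m else None

def scan(reg_text):
    """Return (category, value name) pairs for each indicator in a .reg export."""
    hits, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key.endswith(r"\software\goldenghost.a"):
                hits.append(("marker-key", ""))
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        name, data = (m.group(1).lower(), m.group(2)) if m else ("", "")
        if key.endswith(r"\currentversion\run") and name == "goldenghost":
            hits.append(("run-key", name))
        elif key.endswith(r"\winlogon") and name == "shell" \
                and data.strip('"').lower() != "explorer.exe":
            hits.append(("winlogon-shell", name))
        elif r"\currentversion\policies" in key and name in POLICIES and dword(data):
            hits.append(("lockdown", name))
        elif key.endswith(r"\explorer\advanced") and name in HIDE \
                and dword(data) == HIDE[name]:
            hits.append(("hidden-files", name))
    return hits
```

Registry export files are normally UTF-16 encoded, so decode the file to text before passing it to `scan`. Because the virus disables RegistryTools and CMD on the live system, the export is best taken from the hives of the offline disk.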
In addition to blocking Windows functions, it also tries to block security tools such as procexp, CurrProcess, Pocket KillBox, Security Task Manager and other tools. Besides changing the name of the owner of Windows, it also changes the Internet Explorer home page to http://www.playboy.com/ by creating the following registry string:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Start Page = http://www.playboy.com/
The Windows hosts file does not escape the attack either: the virus deletes the contents of the file "C:\Windows\System32\Drivers\etc\hosts". It then adds the string @echo off to the file "C:\autoexec.bat" and the string "-= GoldenGhost Was Here =-" to the file "C:\boot.ini", so that every time the computer boots a menu entry named "-= GoldenGhost Was Here =-" appears. If this entry is selected, the computer restarts.
The virus also alters text that is copied and pasted into Notepad, replacing it with moaning text: "Oohhh ... Aughhhh ... yess ... babbby ...!!" is displayed each time the user copies and pastes the contents of a text file. In addition to creating duplicates of itself, the virus tries to infect files that have the EXE extension. A successfully infected file will be approximately 1312 KB larger than its original size, and when the user runs that file the virus runs automatically as well. Each time the computer is switched on, the virus displays the error message "16 bit MS-DOS Subsystem". The error message also reappears every few minutes, corresponding to a duplicate file (random name) that the virus creates in the directory "C:\Windows" and then removes again.
Here are some messages to be sent:
• nick, indonesia free sex picture double click on the url
• nick have ne new info Marshanda, Agnes Monica, Dian Sastro, Dah Bunga.C Which Bugil, liat Fotonya To double-click the url
• artis indonesia nude, double click on the url
• nick, indo artist magazine playboy double click on the url
• nick mo liat artis indo playboy magazine
• nick indonesia free porn, double click on the url
• ce indo nation, double click
W32/Agent.GYMR also uses flash disks as a medium to spread, creating a duplicate of itself with the following characteristics:
o Windows Media Player Icon
o Size 1312 KB
o Extension EXE
o File Type "Application"
1 comments:
cool stuff,much help..