Mahadewa Virus


JAKARTA, KOMPAS.com - A computer virus that has recently begun to appear stands out as strange because of its super-jumbo size. The file it carries is large, unreasonably so for a virus: around 30,426 KB, or about 30 MB. It is fitting, then, that it identifies itself by the name Mahadewa.

One can imagine that a virus larger than 1 MB needs a long time to copy itself onto the computer system it targets, which hampers its spread. Computer viruses are usually slim, roughly 22 KB to 1 MB. The smaller the virus file, the less time it needs to infect, so it spreads more easily and more widely.



It therefore takes someone who thinks "quite" differently and dares to break with the usual convention that small is beautiful. The creator of this virus prefers "big is beautiful".

Remarkably, however, according to observations by Vaksincom, a local security company in Jakarta, the Mahadewa virus has spread to a fairly high level of infection, although it has not yet entered the Top 10 viruses in Indonesia. Norman Security Suite, which Vaksincom uses, detects the Mahadewa virus as VBS.Autorun.AM.

Although it is written in a simple language, VBScript (VBS), its attack is no less powerful than that of viruses written in Visual Basic. The virus is suspected to have been made by a student of UBL (Universitas Budi Luhur), or at least by a sympathizer, judging from the script and the traces the virus leaves behind.

As with a file created using the Visual Basic programming language, it needs a supporting file in order to activate: wscript.exe. Once active, it tries to create the following files as master copies to be run first when the computer is switched on: C:\Windows\system32\WinXp.vbs and C:\MaHaDeWa.dll.vbs, as well as in each drive.

To ensure that it is activated automatically every time the computer starts, it creates a string in the registry. In addition, so that it is activated automatically when the user accesses a drive or flash disk on another computer, it takes advantage of the Windows autoplay feature by creating an autorun.inf file that automatically runs MaHaDeWa.dll.vbs without the user having to run the file. This autorun.inf file is created in every drive, including flash disks.

What was the virus maker (VM) actually trying to achieve with this virus? If we unpack the contents of the script file MaHaDeWa.dll.vbs, it is very clear that it (VBS/Autorun.AM) has a good aim: it tries to restore the registry settings that were scrambled by a similar virus, Nita.dll.vbs. Or perhaps MaHaDeWa and Nita have a special relationship, because the strings it creates form the words "N Love You Forever"; only the two of them know.

VBS/Autorun.AM does not block Windows security functions; on the contrary, it tries to restore functions such as Windows regedit, Task Manager and Folder Options. Unfortunately, some of the strings it creates cause "System Restore" to stop working.

So that what the VM has done continues to be remembered, he leaves some marks on the target computer, such as changing the Internet Explorer header, changing the Internet Explorer main page, renaming the target computer, and displaying messages from the VM before the user logs in to Windows.

Flash disks remain the medium VBS/Autorun.AM uses to spread itself, by creating two files, namely autorun.inf and MaHaDeWa.dll.vbs. The autorun.inf file is there so that the virus is activated automatically when the user accesses the flash disk.
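A check for the artifacts described above, as an added example that is not part of the original article: it looks in a drive root for the file names the article reports and for an autorun.inf whose launch entries point at a script. The autorun.inf content in `demo()` is constructed (the article does not show the real file), and the script extensions and function names are assumptions of this example.

```python
import os
import re
import tempfile

# File names reported in the article; matched case-insensitively.
KNOWN_NAMES = {"mahadewa.dll.vbs", "winxp.vbs"}
# Assumption: extensions handled by Windows Script Host are the ones worth flagging.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# autorun.inf keys that launch a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_script_targets(text):
    """Return (key, value) launch entries in autorun.inf text that reference a script."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and any(ext in value.lower() for ext in SCRIPT_EXT):
            hits.append((key, value))
    return hits

def scan_root(root):
    """Check one drive root (or any directory) for the artifacts described above."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() in KNOWN_NAMES:
            findings.append(("known-file", name))
        if name.lower() == "autorun.inf":
            with open(path, "r", errors="replace") as fh:
                for key, value in autorun_script_targets(fh.read()):
                    findings.append(("autorun-launches-script", f"{key}={value}"))
    return sorted(findings)

def demo():
    """Build a constructed flash-disk root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample content, not taken from the real virus.
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nshellexecute=wscript.exe MaHaDeWa.dll.vbs\n")
        open(os.path.join(root, "MaHaDeWa.dll.vbs"), "w").close()
        return scan_root(root)

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

On a real machine, `scan_root` would be called once per mounted drive root, for example `scan_root("E:\\")` for a flash disk.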

Mahadewa's features include:
1. Changing the Internet Explorer title to MaHaDeWa Labkom UBL
2. Changing the Internet Explorer start page to http://webkom
3. Changing the computer name and the name of the owner of Windows
a. RegisteredOrganization = Your computer has been clean from Viruses by Nita MaHaDeWa
b. RegisteredOwner = MaHaDeWa
4. Changing the Windows wallpaper.

Source: Vaksincom, quoted from kompas.com
