MorphostLab

Where Morphic and friends hang out

Analysis of Susanti.Worm

Written by Morphic on October 24, 2008

This time I will discuss Susanti.Worm. Special thanks to D3mon.

(NOTE: the analysis results below are not necessarily entirely correct; I may have analysed it wrongly!)

Analysis Results

Malware name: Susanti.Worm [Morphost]; so far none of the antivirus products I have tried can detect this virus.

Size: 2,062,848 bytes

Virus sent by: D3mon

Icon: looks roughly like a heart ("love").

CRC32: 63446DAC (based on the file that was sent)

MD5: 8CFEAE2DF9A6B81DF10DB2E52D2926C2 (based on the file that was sent)

Company Name: susanti software home, inc.

This virus creates the following directories:

%AppData%\Microsoft\Speech

%AppData%\Microsoft\Speech\Files

%AppData%\Microsoft\Speech\Files\UserLexicons

This virus deletes the following folders/directories:

%AllUsersProfile%\Desktop

%CommonDocuments%\My Music\My Playlists

This virus deletes the following files:

c:\AUTOEXEC.BAT

c:\CONFIG.SYS

c:\contacts.html

%CommonDocuments%\My Music\Sample Music\Beethoven’s Symphony No. 9 (Scherzo).wma

%CommonDocuments%\My Music\Sample Music\New Stories (Highway Blues).wma

%MyDocuments%\My Music\Sample Music.lnk

%MyDocuments%\My Pictures\Sample Pictures.lnk

c:\main.wab

%Windir%\explorer.exe

Note: "%CommonDocuments%" means C:\Documents and Settings\All Users\Documents.

It creates the following registry keys and values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmfile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\service\CLSID]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\<X>\DefaultLabel]

(Default) = "IKA-IKO"

(one key for each drive letter <X> from D to Z: D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, all with the same value)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

botcfg = ""%System%\Susanti.exe""

LadyKiller = ""%Windir%\system\LadyKiller.bmp""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoTrayContextMenu = 0x00000001

ClearRecentDocsOnExit = 0x00000001

NoSetTaskbar = 0x00000001

NoRecentDocsHistory = 0x00000001

NoTaskGrouping = 0x00000001

NoStartMenuPinnedList = 0x00000001

NoStartMenuMFUprogramsList = 0x00000001

HideClock = 0x00000001

NoToolbarsOnTaskbar = 0x00000001

NoSMConfigurePrograms = 0x00000001

NoWinKeys = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001

DisableRegistryTools = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

ServiceOption = ""%Windir%\WinDonJuan.dll.exe""

AUTOEXEC = ""%Windir%\system\Susanti.exe""

[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files]

Datafile = "%1a%\Microsoft\Speech\Files\UserLexicons\SP_C773A75EA96642BC8B71654F5470E5F8.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Speech\Voices]

DefaultTokenId = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Voices\Tokens\MSSam"

[HKEY_CURRENT_USER\Software\Microsoft\Speech\PhoneConverters]

DefaultTokenId = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\PhoneConverters\Tokens\English"

[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon]

CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"

(Default) = "Current User Lexicon"

FlushRate = "10"

It deletes the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]

(Default) = "%SystemRoot%\System32\WScript.exe "%1" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]

(Default) = "%SystemRoot%\System32\WScript.exe "%1" %*"

It modifies the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mp3file\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]

(Default) = ":: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Common Desktop = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]

RegisteredOrganization = "SOLO MEMORI 2-12-2"

RegisteredOwner = "FOR : SUSANTI"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_CURRENT_USER\Control Panel\International]

sTimeFormat = "SUSANTI HH:mm:ss"
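As an added example (not code from the original post or from Morphost), the following PowerShell script checks a Windows host read-only for the registry indicators listed above: the hijacked shell\open\command associations, the Run entries, the Explorer/System policies, the drive label and the registered owner. Key and value names are taken from the analysis; the helper name Get-RegDefault is my own, and the script assumes an elevated PowerShell prompt and changes nothing.

```powershell
# Added example (not from the original post): read-only check for the Susanti.Worm
# registry indicators listed in the analysis above. Assumes a Windows host and an
# elevated PowerShell prompt; key/value names come from the analysis, nothing is changed.
$marker   = 'Win32\Hira.A'                                       # string the worm writes into (Default)
$runNames = 'botcfg', 'LadyKiller', 'ServiceOption', 'AUTOEXEC'  # Run value names from the analysis
$policies = 'DisableTaskMgr', 'DisableRegistryTools', 'NoWinKeys', 'HideClock'
$assocs   = 'exefile', 'comfile', 'batfile', 'piffile', 'JSFile', 'VBSFile',
            'htmfile', 'htmlfile', 'jpgfile', 'mp3file'

function Get-RegDefault([string]$Key) {
    # Returns the (Default) value of a key, or $null when the key is absent
    $k = Get-Item -LiteralPath "Registry::$Key" -ErrorAction SilentlyContinue
    if ($k) { $k.GetValue('') } else { $null }
}

$hits = @()

# 1. File-association hijack: the worm overwrites shell\open\command for these types,
#    so opening an .exe/.bat/.js/... no longer launches it (which also blocks cleanup tools)
foreach ($type in $assocs) {
    $val = Get-RegDefault "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$type\shell\open\command"
    if ($val -and $val -like "*$marker*") { $hits += "[assoc]  $type -> $val" }
}

# 2. Persistence: Run entries in both hives
foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
    $run = Get-ItemProperty -LiteralPath "Registry::$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($n in $runNames) {
        if ($run -and $run.PSObject.Properties[$n]) { $hits += "[run]    $hive $n = $($run.$n)" }
    }
}

# 3. Explorer/System policies the worm sets to 1 (Task Manager, regedit, Win keys, clock)
foreach ($sub in 'Explorer', 'System') {
    $pol = Get-ItemProperty -LiteralPath "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\$sub" -ErrorAction SilentlyContinue
    foreach ($n in $policies) {
        if ($pol -and $pol.$n -eq 1) { $hits += "[policy] $sub\$n = 1" }
    }
}

# 4. Drive label and registered-owner strings are cheap secondary indicators
if ((Get-RegDefault 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel') -eq 'IKA-IKO') {
    $hits += '[label]  DriveIcons\D\DefaultLabel = IKA-IKO'
}
$nt = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
if ($nt -and $nt.RegisteredOwner -eq 'FOR : SUSANTI') { $hits += '[owner]  RegisteredOwner = FOR : SUSANTI' }

if ($hits.Count) { $hits | ForEach-Object { Write-Warning $_ } }
else             { Write-Host 'No Susanti.Worm registry indicators found.' }
```

Because the worm also replaces the exefile association, run this from an already open PowerShell window rather than by double-clicking a script on a suspected host.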

=============================================================================

If you run into any other attacks, please let me know.

I have already added this worm's signature to the 14th Morphost database, so you can now use Morphost to scan your computer for Susanti.Worm.

Remember! Because this virus's file size counts as a large file, you must change the file-size scanning setting before you scan your computer...

To change the file-size scanning setting:

- select the Settings tab

- then select the "big size" option

[If you don't select the "big size" option, your scanning effort will be in vain...]

If Susanti.Worm still hasn't left your computer, take the following steps:

- Select the Settings tab

- Select the option "let users make their database themselves" in the "database" frame

- Then add just one sample of Susanti.Worm

- And scan right away!

Message to D3mon:

I hope the virus on your computer gets cleaned up...

By: Morphic

http://www.morphic.co.nr (Comment me here)

http://www.friendster.com/morphic (friendster)

http://morphians.wordpress.com (my blog)

karta_morphic@yahoo.co.id (my email)

http://morphic.4shared.com (download Morphost and Morphost database here!)

and don't forget to join MorphostLab (Friendster group)

My thanks go to D3mon and Gonzhack!
