MorphostLab

Where Morphic and friends hang out

Analysis of Nita.Worm

Posted by Morphic on August 16, 2008



This time I am writing up the results of analysing Nita.Worm at MorphostLab. In outline, the analysis is as follows.
(NOTE: the analysis below is not guaranteed to be entirely correct; I may have got something wrong!)

Analysis results
Malware name: Nita.Worm [Morphost], Trojan.Win32.VB.cmn [Kaspersky], Generic.dx [McAfee], TROJ_VB.GFW [Trend Micro]
Size: 110,592 bytes
Virus sender: Unknown (sorry, I forget who sent it to my 4shared)
Icon: folder icon
CRC32: B315CC41 (of the file I received)
MD5: 407EBDB02C92EAE9ECA53FEC10167290 (of the file I received)
Built with: Visual Basic

Path of the virus's .vbp project file (the VB6 compiler leaves the project path inside the compiled binary):
G:\Project1.vbp Code\Visual Basic Virus Code\Source Code(WORM)\WSar.9\WSar.vbp

Creates the following registry keys (one Image File Execution Options subkey per program it wants to block; the "debugger" values set under them are listed further down):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dxdiag.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.EXE

Creates registry values. The "debugger" entries under Image File Execution Options are the ones that matter: when a program listed there is started, Windows launches the named "debugger" instead and hands it the original command line, so every attempt to open Regedit, Task Manager, msconfig, cmd, Notepad or one of the listed antivirus tools just produces an Explorer window. The two "loader" Run values provide persistence; a path that starts with a bare backslash is resolved against the root of the current drive, normally C:\. The Explorer\Advanced values re-hide file extensions and hidden/super-hidden files so that the folder disguise holds:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
sysfile = “NITA_WORM”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile]
FriendlyTypeName = “NITA_WORM”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
ShowDriveLettersFirst = 0x00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
HideFileExt = 0x00000001
Hidden = 0x00000000
ShowSuperHidden = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
loader = “\WinSys.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dxdiag.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe]
debugger = “explorer.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.EXE]
debugger = “explorer.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Window Title = " (^_^)NITA_WORM ==> Infected Your PC ..again..!!!"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoViewContextMenu = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
loader = “\shell.exe”

Deletes this registry value (the stock FriendlyTypeName for .inf files, which the NITA_WORM value above replaces):
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile]
FriendlyTypeName = “@%SystemRoot%\System32\setupapi.dll,-2000”

Modifies registry values (the exefile InfoTip makes every .exe show "Folder is Empty" as its hover tooltip, reinforcing the disguise; the bogus ProgramFilesDir is why installers and uninstallers start looking for "NITA_WORM was here.exe" instead of Program Files):
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
InfoTip = “Folder is Empty”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
ProgramFilesDir = “NITA_WORM was here.exe”
[HKEY_CURRENT_USER\Control Panel\Desktop]
CursorBlinkRate = “50”
=============================================================================
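As an added example, not part of the original write-up and not Morphost's code, the following Python script turns the registry findings above into something a responder can check on a dump: it parses the text format that `reg export` produces (.reg syntax), flags the Image File Execution Options debugger hijacks, the "loader" Run values, the NoViewContextMenu policy and the tampered ProgramFilesDir, and emits a cleanup .reg that deletes the hijack keys and loader values. The embedded .reg text is constructed from the values listed on this page plus two benign entries; the `C:\Program Files` restore value and all function names are my assumptions, nothing from the worm or the page.

```python
import re
import sys
from dataclasses import dataclass

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample in .reg (reg export) syntax: the values from the analysis above, plus
# two benign entries (devenv.exe GlobalFlag, UpdateService) that a naive "anything under
# IFEO or Run is bad" rule would wrongly flag.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe]
"debugger"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe]
"debugger"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loader"="\\WinSys.exe"
"UpdateService"="C:\\Program Files\\Vendor\\update.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"loader"="\\shell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="NITA_WORM was here.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=" (^_^)NITA_WORM ==> Infected Your PC ..again..!!!"
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


@dataclass
class Finding:
    kind: str
    key: str
    name: str
    value: str


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}. Strings are unescaped, dword
    values become ints, anything else (hex(...), multi-line data) is kept raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" is (Default)
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            reg[key][name] = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            reg[key][name] = int(rhs[6:], 16)
        else:
            reg[key][name] = rhs
    return reg


def classify(key, name, value):
    """Map one registry value to an indicator kind (most specific rule first) or None.
    Registry names are case-insensitive, so everything is compared lower-cased."""
    k, n = key.lower(), name.lower()
    v = value.lower() if isinstance(value, str) else value
    if k.startswith(IFEO.lower() + "\\") and n == "debugger":
        return "ifeo_hijack"  # any Debugger value deserves review; explorer.exe is never one
    if k.endswith(r"\microsoft\windows\currentversion\run") and (
        n == "loader" or (isinstance(v, str) and v.endswith(("\\winsys.exe", "\\shell.exe")))
    ):
        return "autorun"
    if k.endswith(r"\policies\explorer") and n == "noviewcontextmenu" and v == 1:
        return "context_menu_disabled"
    if k.endswith(r"\microsoft\windows\currentversion") and n == "programfilesdir" \
            and isinstance(v, str) and v.endswith(".exe"):
        return "programfilesdir_tampered"
    if isinstance(v, str) and "nita_worm" in v:
        return "marker"  # cosmetic (IE title and the like): reported, not auto-fixed
    return None


def find_nita_indicators(reg):
    found = []
    for key, values in reg.items():
        for name, value in values.items():
            kind = classify(key, name, value)
            if kind:
                found.append(Finding(kind, key, name, str(value)))
    return found


def cleanup_reg(findings, program_files=r"C:\Program Files"):
    """Build a .reg file that undoes the findings: [-key] deletes a key, "name"=- a value.
    program_files is an assumed default; set it to the machine's real path before importing."""
    esc = program_files.replace("\\", "\\\\")  # .reg strings escape backslashes
    out, seen = ["Windows Registry Editor Version 5.00", ""], set()
    for f in findings:
        if f.kind == "ifeo_hijack":
            entry = f"[-{f.key}]"
        elif f.kind == "autorun":
            entry = f'[{f.key}]\n"{f.name}"=-'
        elif f.kind == "context_menu_disabled":
            entry = f'[{f.key}]\n"{f.name}"=dword:00000000'
        elif f.kind == "programfilesdir_tampered":
            entry = f'[{f.key}]\n"{f.name}"="{esc}"'
        else:
            continue
        if entry not in seen:
            seen.add(entry)
            out += [entry, ""]
    return "\n".join(out)


if __name__ == "__main__":
    # reg export writes UTF-16LE with a BOM; Python's "utf-16" codec handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    found = find_nita_indicators(parse_reg(text))
    for f in found:
        print(f"{f.kind:26} {f.key}\\{f.name} = {f.value}")
    print(cleanup_reg(found))
```

Run it with no arguments to see the constructed sample classified, or with the path of a `reg export HKLM\SOFTWARE\Microsoft ...` dump taken from an infected machine (from Safe Mode, since the worm blocks regedit while it runs). The cleanup file it prints deletes the whole IFEO subkey rather than just the debugger value, which is what you want for the tools on this page's list, but review it before importing if the dump also contains IFEO keys a developer set up deliberately.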

That is, in outline, the result of the Nita.Worm analysis.
I have added this worm's signature to the Morphost database, so you can now use Morphost to scan your computer for Nita.Worm.
If Nita.Worm still won't leave your computer, do the following:
-Select the Settings tab
-Select the option "let users make their database themselves" in the "database" frame
-Then add just one sample of Nita.Worm
-And scan right away!

By: Morphic
http://www.morphic.co.nr (comment me here)
http://www.friendster.com/morphic (Friendster)
https://morphians.wordpress.com (my blog)
karta_morphic@yahoo.co.id (my email)
http://morphic.4shared.com (download Morphost and the Morphost database here!)
and don't forget to join MorphostLab (Friendster group)
My thanks go to ThreatExpert, Virologi, SoulHacker, Axer, FireboltDave, Smansa Medan, MorphostLab!

6 Responses to "Analysis of Nita.Worm"

  1. aris wikradani said

thank you so much……

  2. aagun2006 said

Let me help answer.

    Try going into Safe Mode (F8) and follow the steps the author wrote,

    especially the ones in the registry. Why Safe Mode: because in normal mode we can't delete them, since the virus is running.

    Also check Start -> Startup and disable every folder that is in there.

    Still in Safe Mode, open Explorer. First set it so that file extensions can be seen, including hidden ones. From
    Tools->View
    -- check Show hidden files and folders
    -- uncheck Hide extensions

    From there you'll see the virus files disguised as folders; delete all of those fake Folder.exe folders.

    Remember: a folder has no Size value.

    Once you think it's clean, try booting normally; if you're worried something was missed, install Avira or whichever antivirus you like.
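The Safe Mode cleanup described in the comment above comes down to finding executables that pose as folders. As an added example (mine, not the commenter's and not Morphost's), here is a Python scanner that walks a drive or folder and reports .exe files that share their name with a folder next to them, have the 110,592-byte size of the analysed sample, or match its MD5. The size and MD5 come from the analysis above; the demo tree is constructed for illustration and every name in the code is an assumption.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the analysis above.
NITA_SIZE = 110_592
NITA_MD5 = "407ebdb02c92eae9eca53fec10167290"
# Windows file-attribute bits; st_file_attributes only exists on Windows, so on other
# platforms the attribute check is simply skipped.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


@dataclass
class Hit:
    path: str
    name: str
    size: int
    reasons: list = field(default_factory=list)


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Report .exe files that look like Nita.Worm folder mimics. A real folder has no
    Size column; the mimic is an .exe with a folder icon named after the folder beside it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.suffix.lower() != ".exe":
                continue
            st = p.stat()
            reasons = []
            if p.stem.lower() in sibling_dirs:
                reasons.append(f"named after sibling folder '{p.stem}'")
            if st.st_size == NITA_SIZE:
                reasons.append("size equals analysed sample (110,592 bytes)")
                # Only hash size matches: a file of a different size is not this sample.
                if md5_of(p) == NITA_MD5:
                    reasons.append("MD5 equals analysed sample")
            attrs = getattr(st, "st_file_attributes", 0)
            if reasons and attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
                reasons.append("hidden/system attribute set")  # supporting evidence only
            if reasons:
                hits.append(Hit(str(p), fn, st.st_size, reasons))
    return hits


def build_demo_tree(base):
    """Constructed layout: one folder mimic, one size match, two benign files."""
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.txt").write_text("not a virus\n")
    (base / "Photos.exe").write_bytes(b"MZ" + b"\0" * 998)            # mimics the Photos folder
    (base / "tool.exe").write_bytes(b"MZ" + b"\0" * (NITA_SIZE - 2))  # same size as the sample
    (base / "setup.exe").write_bytes(b"MZ" + b"\0" * 2046)            # benign: no signal
    (base / "readme.txt").write_text("plain file\n")
    return base


def demo_scan():
    """Run the scanner over a fresh temporary demo tree (used by the self-check)."""
    return scan_tree(build_demo_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for h in hits:
        print(f"{h.path} ({h.size} bytes): " + "; ".join(h.reasons))
```

Point it at a drive root (`python scan.py D:\`) from Safe Mode or from a clean boot medium; the sibling-folder rule catches copies that a recompiled variant with a different size and hash would otherwise slip past, while the size and MD5 rules tie a hit to the exact sample analysed on this page.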

  3. rizal said

thanks a lot, my computer caught this virus, I already scanned with PCMAV+ClamAV and it detected Virus trojan.VB707 (if I'm not mistaken). I thought it was clean, but it turned out that on every install or uninstall, Nita_worm washere.exe kept appearing instead of Program Files

  4. rasyid ridlo said

my computer is already infected with NITA_WORM, and I have tried scanning with morpost, but it isn't detected; regedit and notepad can't be opened. please explain further.

  5. morphians said

if you want to use virus-analysis software, use InstallWrite,

    it's hard to find though; once you've got it, share that software with me, ok.

  6. vbnozzer said

Bro, not bad at all.. the analysis is so detailed..

    what software did you use for that???
