MorphostLab

Where Morphic and friends hang out

Analysis of Susanti.Worm

Posted by Morphic on October 24, 2008


This time I will look at Susanti.Worm. Special thanks to D3mon.

(READ: the analysis below is not guaranteed to be entirely correct; I may have analysed something wrongly!)

Analysis Results

Malware name: Susanti.Worm [Morphost]; so far none of the antivirus products I have tried detects this virus.

Size: 2,062,848 bytes

Sample submitted by: D3mon

Icon: roughly a love heart.

CRC32: 63446DAC (of the file as submitted)

MD5: 8CFEAE2DF9A6B81DF10DB2E52D2926C2 (of the file as submitted)

Company Name (version resource): susanti software home, inc.

This virus creates the following directories:

%AppData%\Microsoft\Speech

%AppData%\Microsoft\Speech\Files

%AppData%\Microsoft\Speech\Files\UserLexicons

This virus deletes the following folders/directories:

%AllUsersProfile%\Desktop

%CommonDocuments%\My Music\My Playlists

This virus deletes the following files (note that %Windir%\explorer.exe is among them, so the Windows shell itself is destroyed):

c:\AUTOEXEC.BAT

c:\CONFIG.SYS

c:\contacts.html

%CommonDocuments%\My Music\Sample Music\Beethoven’s Symphony No. 9 (Scherzo).wma

%CommonDocuments%\My Music\Sample Music\New Stories (Highway Blues).wma

%MyDocuments%\My Music\Sample Music.lnk

%MyDocuments%\My Pictures\Sample Pictures.lnk

c:\main.wab

%Windir%\explorer.exe

Note: "%CommonDocuments%" means C:\Documents and Settings\All Users\Documents.

It creates the following registry keys. The shell\open\command handlers are replaced with a plain text string rather than a program path, so those file types can no longer be opened by double-clicking, and every drive letter from D: to Z: is given the Explorer label "IKA-IKO":

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmfile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\service\CLSID]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\E\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\G\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\H\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\I\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\J\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\K\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\L\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\M\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\N\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\O\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\P\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\Q\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\R\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\S\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\T\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\V\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\W\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\X\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\Y\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\Z\DefaultLabel]

(Default) = “IKA-IKO”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

botcfg = "%System%\Susanti.exe"

LadyKiller = "%Windir%\system\LadyKiller.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoTrayContextMenu = 0x00000001

ClearRecentDocsOnExit = 0x00000001

NoSetTaskbar = 0x00000001

NoRecentDocsHistory = 0x00000001

NoTaskGrouping = 0x00000001

NoStartMenuPinnedList = 0x00000001

NoStartMenuMFUprogramsList = 0x00000001

HideClock = 0x00000001

NoToolbarsOnTaskbar = 0x00000001

NoSMConfigurePrograms = 0x00000001

NoWinKeys = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001

DisableRegistryTools = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

ServiceOption = "%Windir%\WinDonJuan.dll.exe"

AUTOEXEC = "%Windir%\system\Susanti.exe"


[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files]

Datafile = “%1a%\Microsoft\Speech\Files\UserLexicons\SP_C773A75EA96642BC8B71654F5470E5F8.dat”

[HKEY_CURRENT_USER\Software\Microsoft\Speech\Voices]

DefaultTokenId = “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Voices\Tokens\MSSam”

[HKEY_CURRENT_USER\Software\Microsoft\Speech\PhoneConverters]

DefaultTokenId = “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\PhoneConverters\Tokens\English”

[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon]

CLSID = “{C9E37C15-DF92-4727-85D6-72E5EEB6995A}”

(Default) = “Current User Lexicon”

FlushRate = “10”

It deletes the following registry values (these are the original, clean handler values that the worm overwrites):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]

(Default) = "%SystemRoot%\System32\WScript.exe "%1" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]

(Default) = "%SystemRoot%\System32\WScript.exe "%1" %*"

It modifies the following registry values (the existing handlers for executables, scripts and media files are overwritten with the same text string, and the Windows owner/organisation strings and the time format are changed):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mp3file\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]

(Default) = “:: Win32\Hira.A – eCORE[GEDZAC] – I AlwAyS WilL LoVE YoU BeA ::”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Common Desktop = “”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]

RegisteredOrganization = “SOLO MEMORI 2-12-2”

RegisteredOwner = “FOR : SUSANTI”

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_CURRENT_USER\Control Panel\International]

sTimeFormat = “SUSANTI HH:mm:ss”
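The registry changes above fall into three families a responder has to undo separately: autostart entries under Run (persistence), the Policies values that disable Task Manager, regedit and parts of the shell (lockdown), and the Classes\...\shell\open\command handlers overwritten with a text string (file-association hijack). The following Python script is an added example, not code from the original post or from Morphost: it parses a listing in the "[KEY]" / "name = value" shape used above, tags each entry, and emits a .reg fragment that deletes the Run values, zeroes the policies and restores the handlers whose clean default is known. The sample listing is constructed from a few of the lines in this post; the default handler strings are Windows XP defaults taken from a clean install (treat them as an assumption and check them against a known-good machine).

```python
"""Triage a registry-change listing of the kind shown in this post.

Added example, not part of the original analysis. Parses "[KEY]" and
"name = value" lines, classifies each entry, and builds a cleanup .reg.
"""
import re

# Constructed sample built from key/value pairs listed in the post.
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
(Default) = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]
(Default) = "%SystemRoot%\System32\WScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
botcfg = "%System%\Susanti.exe"
LadyKiller = "%Windir%\system\LadyKiller.bmp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001
[HKEY_CURRENT_USER\Control Panel\International]
sTimeFormat = "SUSANTI HH:mm:ss"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r"^(.+?)\s*=\s*(.*)$")
RUN_RE = re.compile(r"\\CurrentVersion\\Run$", re.I)
POLICY_RE = re.compile(r"\\Policies\\(Explorer|System)$", re.I)
ASSOC_RE = re.compile(r"\\Classes\\([^\\]+)\\shell\\open\\command$", re.I)

# Assumption: Windows XP defaults for the handlers the worm overwrites.
CLEAN_HANDLERS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "piffile": '"%1" %*',
    "jsfile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
    "vbsfile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
}


def parse_listing(text):
    """Return a list of (key, name, value); outer quotes are stripped from value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            entries.append((key, name, value))
    return entries


def _as_int(value):
    """Parse "0x00000001"-style DWORDs; None for anything that is not a number."""
    try:
        return int(value, 0)
    except ValueError:
        return None


def classify(key, name, value):
    """Tag an entry: persistence, lockdown, assoc-hijack, assoc-ok or other."""
    if RUN_RE.search(key):
        return "persistence"
    if POLICY_RE.search(key) and _as_int(value) == 1:
        return "lockdown"
    if ASSOC_RE.search(key):
        # A real open handler passes the clicked file as %1; a bare string does not.
        return "assoc-ok" if "%1" in value else "assoc-hijack"
    return "other"


def reg_escape(s):
    """Escape a string for a REG_SZ literal in .reg syntax."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_cleanup_reg(entries):
    """Return .reg text that reverts every entry whose clean state is known."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, value in entries:
        kind = classify(key, name, value)
        if kind == "persistence":
            lines += [f"[{key}]", f'"{name}"=-', ""]  # "=-" deletes the value
        elif kind == "lockdown":
            lines += [f"[{key}]", f'"{name}"=dword:00000000', ""]
        elif kind == "assoc-hijack":
            ftype = ASSOC_RE.search(key).group(1).lower()
            if ftype in CLEAN_HANDLERS:
                lines += [f"[{key}]", f'@="{reg_escape(CLEAN_HANDLERS[ftype])}"', ""]
            else:
                lines += [f"; {ftype}: no known default here, restore it from a clean machine", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cleanup_reg(parse_listing(SAMPLE_LISTING)))
```

Import the generated file from a command prompt with `reg import cleanup.reg` (reg.exe is not subject to the DisableRegistryTools policy, and a cmd window starts programs directly without going through the hijacked exefile handler, so double-clicking tools is the one thing that will not work). The .reg only repairs the registry: the Run entries' target files, the deleted explorer.exe and the other files listed above still have to be removed or restored separately, and the handlers the script flags with a comment (htmlfile, mp3file, jpgfile and so on) need their original value copied from a clean machine.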

=============================================================================

If you come across any other behaviour from this worm, please let me know.

The signature for this worm has been added to Morphost database no. 14, so you can now use Morphost to scan your computer for Susanti.Worm.

Remember: because this virus's file is large, you must change the file-size scanning setting before scanning your computer.

To change the file-size scanning setting:

- select the Settings tab

- then choose the "big size" option

[If you do not choose the "big size" option, your scan will be a wasted effort.]

If Susanti.Worm still has not left your computer, do the following:

- select the Settings tab

- choose the option "let users make their database themselves" in the "database" frame

- then add a single sample of Susanti.Worm

- and scan right away!

Message to D3mon:

I hope the virus on your computer can be cleaned up...

By: Morphic

http://www.morphic.co.nr (Comment me here)

http://www.friendster.com/morphic (friendster)

https://morphians.wordpress.com (my blog)

karta_morphic@yahoo.co.id (my email)

http://morphic.4shared.com (download Morphost and Morphost database here!)

and don’t forget to join with MorphostLab (FriendsterGroup)

My Thanks go to D3mon and Gonzhack!
