MorphostLab

The hangout of Morphic and friends

Analysis of Maxtrox.Worm

Posted by Morphic on November 11, 2008


(READ: The analysis results below are not necessarily all correct; I may have made mistakes in the analysis!)

Analysis Results

Malware name : NovemberGen.Scvhost.Worm [Morphost], Trojan-Downloader.Win32.VB.inz [Kaspersky Lab]

Size : 337,466 bytes

Virus submitted by : D3mon

Icon : regedit.

CRC32 : A369C91A (based on the submitted file)

MD5 : DD7132C1F4F317115C4979607B37EC4A (based on the submitted file)

Built with : Visual Basic

Virus project location:

D:\Microsoft\Microsoft\windows\System.vbp

Inside the body of the virus there is a resource in the form of an image, shown below:

[image003: embedded image resource, not reproduced here]

===============================================================

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command]
(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon]
(Default) = "%System%\rasphone.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd]
(Default) = "Microsoft System Direct"
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command]
(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon]
(Default) = "%System%\netsetup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm]
(Default) = "System Mechanic"
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VisualStyle = "%System%\Desktop.sysm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
regtweak = "regtweak.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
DefaultValue = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
CheckedValue = 0x00000001
DefaultValue = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"
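The registry entries above show four tricks a defender can check for: NeverShowExt on the exefile class (hiding ".exe"), custom extensions (.Msd, .sysm) whose open command is "%1" so the file runs as a program under a disguised name, Run entries pointing at non-.exe files, and a Safe Mode AlternateShell that is no longer cmd.exe. The Python script below is an added example (not part of the original post or of Morphost) that parses a constructed .reg-style export modelled on those entries and flags each trick; the sample export and the rule names are constructed here.

```python
import re
# Constructed sample modelled on the entries listed above; not a real export.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command]
@="\"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualStyle"="%System%\\Desktop.sysm"
"regtweak"="regtweak.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="%System%\\CommandPrompt.Sysm"
'''
# Extensions Windows normally runs as programs; any other extension whose
# Shell\Open\Command is "%1" executes the file itself under a disguised name.
KNOWN_EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}

def parse_reg(text):
    # Returns {key: {value_name: data}} from .reg-style text.
    entries, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:@|"([^"]*)")=(.*)$', line)
        if m and key is not None:
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):  # unescape REG_SZ
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries.setdefault(key, {})[m.group(1) or "(Default)"] = data
    return entries

def check_persistence(entries):
    # Returns a list of (rule, key, detail) for the tricks this worm uses.
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith(r"\classes\exefile") and "NeverShowExt" in values:
            findings.append(("hide-exe-extension", key, "NeverShowExt"))
        m = re.search(r"\\classes\\(\.[a-z0-9]+)\\shell\\open\\command$", k)
        if m and m.group(1) not in KNOWN_EXEC_EXT and "%1" in values.get("(Default)", ""):
            findings.append(("custom-ext-runs-as-program", key, m.group(1)))
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if not data.lower().endswith(".exe"):  # e.g. Desktop.sysm
                    findings.append(("run-entry-non-exe", key, name))
        if k.endswith(r"\control\safeboot"):
            shell = values.get("AlternateShell", "")
            if shell and shell.lower() != "cmd.exe":  # Safe Mode shell hijacked
                findings.append(("safeboot-shell-replaced", key, shell))
    return findings
```

On a live machine the same rules can be run over the output of `reg export` for the keys listed above; the .Msd class and the ControlSet001/002 SafeBoot keys are matched by the same patterns.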

If you find other attacks, please let me know.

I have added this worm's signature to Morphost database number 17.

By: Morphic

http://www.friendster.com/morphic (friendster)

http://www.morphostlab.co.nr (my blog)

karta_morphic@yahoo.co.id (my email)

http://morphic.4shared.com (download Morphost and Morphost database here!)

and don't forget to join MorphostLab (Friendster group)

My thanks go to Mas Aat Shadewa, Kholis, Virologi, and Others.

3 Responses to "Analysis of Maxtrox.Worm"

  1. Otoy say.zzz said

    Bro Morphic, tell me... do you know how to clean it or not...
    Let me know about this pest, okay...
    Just send it to my email or Friendster, okay...
    My email and Friendster names are the same anyway...
    Thanks in advance

  2. Morphic said

    Okay, thanks poet,
    for telling me the virus name...

  3. poet_freak said

    Boss, that's Maxtrox...

    Hey... wrong name there... change it!!!!

    Here's a link for a sandbox

    http://www.4shared.com/file/70887920/272c2374/Sandboxie_328.html
