MorphostLab

Tempat nongkrongnya Morphic dan kawan-kawan

Bahas Tuntas X-Fly.Worm

Posted by Morphic pada Februari 21, 2009


Sengaja bikin judul begitu, supaya ada yang mau baca.
He he he….

Biarpun X-Fly tergolong virus lama, gak ada salahnya kalo kita bahas. Paling gak nambah pengetahuan kita. Namanya juga pembelajaran. Iya kan???
Okey, disini aku akan jelaskan bagaimana X-Fly itu sebenarnya???

Satu sample virus ini bisa terdeteksi oleh:
X-Fly.Worm [Morphost], Worm.VB.DRVP [PCTools], W32.SillyFDC [Symantec], Worm.Win32.VB.ml [Kaspersky Lab], New.Malware.iu[McAfee], W32/VB-DYV [Sophos], Worm:Win32/Liajred.A [Microsoft], Worm.Win32.VB.ml [Ikarus] dan lain-lain

Virus ini menyebar dan membuat file di:
%CommonDesktopDir%\x-fly.html
%CommonPrograms%\Startup\rj.html
%CommonPrograms%\Startup\mediaplayer.exe
c:\MSDLF.HHS
c:\MSFLC.FYS
c:\MSNTLR.DYS
c:\soulfly\isass.exe
c:\soulfly\r4m83.exe
c:\soulfly\RCSS.exe
%Windir%\New Folder.exe
%Windir%\NTLS.DYS
%Windir%\r4m83.exe
%Windir%\system\isass.exe
%System%\RCSS.exe
%System%\r
%Windir%\AvgPortable.exe
%Windir%\msvbvm60.dll
%Windir%\system\msvbvm60.dll
%Windir%\system\rambe.dat
%Windir%\soul.dat
%System%\avg.ico
%System%\folder.ico
%System%\jpg.ico
%System%\mp3.ico
%System%\rmb5.ico
%System%\word.ico

Berikut adalah nama-nama proses virus yang hidup:
realplay.exe
r4m83.exe
isass.exe
RCSS.exe (Yang ini yang paling susah dimatikan!!! Waspada!!! He he he)
MSNTLR.DYS
MSFLC.FYS
MSDLF.HHS
NTLS.DYS
AvgPortable.exe
New Folder.exe

Untuk registry yang diubah sangatlah banyak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command]
(Default) = “%Windir%\r4m83.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.DYS]
(Default) = “exefile”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fly]
(Default) = “exefile”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.FYS]
(Default) = “exefile”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.HHS]
(Default) = “exefile”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoFolderOptions = 0x00000001
NoFind = 0x00000001
NoRun = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
mediaplayer = “%System%\realplay.exe”
real = “C:\soulfly\r4m83.exe”
soul = “C:\soulfly\isass.exe”
DLL = “C:\soulfly\RCSS.exe”
real1 = “D:\soulfly\r4m83.exe”
soul2 = “D:\soulfly\isass.exe”
ETC = “D:\soulfly\RCSS.exe”
NTLR = “C:\MSNTLR.DYS”
ELC = “C:\MSFLC.FYS”
DLF = “C:\MSDLF.HHS”
NTLS = “%Windir%\NTLS.DYS”
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
DisableSR = 0x00000001
LimitSystemRestoreCheckpointing = 0x00000001
DisableMSI = 0x00000001
DisableConfig = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
ExeRun = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
ExeRun = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Window Title = “..:: x-fly ::..”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 0x00000001
DisableTaskMgr = 0x00000001
DisableCMD = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
r4m83 = “%Windir%\r4m83.exe”
regscv32 = “%System%\RCSS.exe”
isass = “%Windir%\system\isass.exe”
NTLR = “C:\MSNTLR.DYS”
ELC = “C:\MSFLC.FYS”
DLF = “C:\MSDLF.HHS”
NTLS = “%Windir%\NTLS.DYS”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
(Default) = “%Windir%\r4m83.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
(Default) = “%Windir%\r4m83.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]
(Default) = “%Windir%\r4m83.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = “Explorer.exe, %System%\RCSS.exe”
System = “%System%\RCSS.exe ”
Userinit = “%System%\userinit.exe,%System%\RCSS.exe”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
AlternateShell = “%System%\RCSS.exe”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
AlternateShell = “%System%\RCSS.exe”
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = “%System%\RCSS.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = “%CommonPrograms%\Startup\rj.html”

Sekian, kurang lebihniya mohon dimaklumi…
He he he

By: Morphic
[jangan lupa update terus database Morphost ya!!!]

thanks to:
-Both of my parents
-both of my sisters
-semua anak-anak kelas XII IPA 10 Smansa Medan 2008/2009

Satu Tanggapan to “Bahas Tuntas X-Fly.Worm”

  1. sapiul said

    😀

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s

 
%d blogger menyukai ini: