Darkside of Oktavianus

Making virus and all of them as our friends

Explanation of the Nita.worm Virus by Morphic

Posted by oktavianus on August 31, 2008

This time I am writing a tutorial on the results of the Nita.Worm analysis at MorphostLab. Roughly, the analysis is as follows.
(NOTE: The following analysis results are not entirely certain; I may have analysed something incorrectly!)

Analysis Results
Malware name: Nita.Worm [Morphost], Trojan.Win32.VB.cmn [Kaspersky], Generic.dx [McAfee], TROJ_VB.GFW [Trend Micro]
Size: 110,592 bytes
Virus sender: Unknown (sorry, I forgot who sent it to my 4shared)
Icon: folder icon
CRC32: B315CC41 (based on the file that was sent)
MD5: 407EBDB02C92EAE9ECA53FEC10167290 (based on the file that was sent)
Written in: Visual Basic

Directory of the virus's vbp file:
G:\Project1.vbp Code\Visual Basic Virus Code\Source Code(WORM)\WSar.9\WSar.vbp

Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dxdiag.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.EXE

Creates registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
sysfile = "NITA_WORM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile]
FriendlyTypeName = "NITA_WORM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
ShowDriveLettersFirst = 0x00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
HideFileExt = 0x00000001
Hidden = 0x00000000
ShowSuperHidden = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
loader = "\WinSys.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dxdiag.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe]
debugger = "explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.EXE]
debugger = "explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Window Title = " (^_^)NITA_WORM ==> Infected Your PC ..again..!!!"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoViewContextMenu = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
loader = "\shell.exe"

Deletes registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile]
FriendlyTypeName = "@%SystemRoot%\System32\setupapi.dll,-2000"

Modifies registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
InfoTip = "Folder is Empty"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
ProgramFilesDir = "NITA_WORM was here.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
CursorBlinkRate = "50"
=============================================================================
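The registry changes above fall into three groups a responder wants to find again on any machine: the Image File Execution Options (IFEO) entries, where a Debugger value makes Windows start the named program instead of the executable (so Task Manager, Regedit, Notepad, CMD and the listed antivirus tools open Explorer instead); the Run-key loaders that restart the worm; and the Explorer settings that keep its files out of sight. The script below is an added example, not code from the original post or from Morphost: it parses a small .reg-style export, constructed here from the values the analysis lists, and returns those three kinds of findings together with the reg.exe commands that would remove the IFEO hijacks. The .reg subset it understands (section headers, quoted strings, dword values) and the list of Explorer values it treats as suspicious are the example's own assumptions.

```python
# Offline triage of an exported registry fragment for the Nita.Worm indicators
# listed in the analysis: IFEO debugger hijacks, Run-key loaders and Explorer
# settings that hide files. Added example; not code from the post or Morphost.
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
RUN_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_ADV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Explorer values the analysis says the worm sets (assumed watch-list). Note that
# HideFileExt=1 is also the Windows default, so on its own it is weak evidence.
SUSPICIOUS_EXPLORER = {
    (EXPLORER_ADV.lower(), "hidefileext"): 1,         # hide extensions: "folder.exe" looks like a folder
    (EXPLORER_ADV.lower(), "showsuperhidden"): 0,     # hide protected system files
    (EXPLORER_POLICY.lower(), "noviewcontextmenu"): 1, # disable the right-click menu
}

# Constructed .reg-style sample built from values the analysis lists above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loader"="\\WinSys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe]
"debugger"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe]
"debugger"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"loader"="\\shell.exe"
'''


def parse_reg(text):
    """Parse the .reg subset used here: [key] sections holding "name"="string"
    or "name"=dword:hex lines. Returns {key: {name: value}} in file order."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # not a value line we understand; skip rather than guess
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # .reg escapes \ and " with \
        else:
            value = rhs
        keys[current][name] = value
    return keys


def triage(text):
    """Return (kind, key, name, value) findings in export order."""
    findings = []
    for key, values in parse_reg(text).items():
        lkey = key.lower()
        for name, value in values.items():
            lname = name.lower()
            if lkey.startswith(IFEO_PREFIX.lower() + "\\") and lname == "debugger":
                # Any IFEO Debugger value redirects the program; explorer.exe is never a debugger.
                findings.append(("ifeo_debugger", key, name, value))
            elif lkey.endswith(RUN_SUFFIX.lower()):
                findings.append(("run_entry", key, name, value))
            elif SUSPICIOUS_EXPLORER.get((lkey, lname)) == value:
                findings.append(("explorer_hiding", key, name, value))
    return findings


def ifeo_cleanup_commands(findings):
    """reg.exe commands that remove the hijacking Debugger values, for review before use."""
    return ['reg delete "%s" /v %s /f' % (key, name)
            for kind, key, name, _ in findings if kind == "ifeo_debugger"]


if __name__ == "__main__":
    found = triage(SAMPLE_REG)
    for kind, key, name, value in found:
        print("%-16s %s -> %s = %r" % (kind, key, name, value))
    print("\n".join(ifeo_cleanup_commands(found)))
```

Running the block prints one line per finding followed by two `reg delete` commands (for TaskMgr.exe and Regedit.exe in the sample). On a real machine the same input can be produced with `reg export` of the keys above; the Run entries are reported rather than auto-deleted because legitimate software also lives there, and the hijacked IFEO subkeys themselves (A-VIGen32.exe, ansav.exe and the rest) should be inspected and removed by hand after the Debugger value is gone.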

That is roughly the analysis of Nita.Worm.
I have added this worm's signature to the Morphost database, so you can now use Morphost to scan your computer for Nita.Worm.
If Nita.Worm still hasn't left your computer, take the following steps:
- Select the settings tab
- Select the option "let users make their database themselves" in the "database" frame
- Then add just one sample of Nita.Worm
- And scan right away!

By: Morphic
http://www.morphic.co.nr (Comment me here)
http://www.friendster.com/morphic (friendster)
http://morphians.wordpress.com (my blog)
karta_morphic@yahoo.co.id (my email)
http://morphic.4shared.com (download Morphost and Morphost database here!)
and don't forget to join MorphostLab (Friendster group)
My thanks go to ThreatExpert, Virologi, SoulHacker, Axer, FireboltDave, Smansa Medan, MorphostLab!

8 Responses to "Explanation of the Nita.worm Virus by Morphic"

  1. putras said

    Thanks for the information... if done manually, after being hit by the Nita virus, how do you open Notepad?? Please explain...huff

  2. rizkiandrian said

    Yes, mas,
    after that, how do you bring back the important programs,
    like Task Manager, Notepad and Regedit??
    Reply to my e-mail, please!!

  3. Jokam juga nieh said

    Mas, I've tried all sorts of ways to delete the nit_worm virus; do you have an easy / sure-fire solution?
    Waiting for your reply.

    Thanks

  4. homi_suck said

    yeah, I got hit too... but I used fixregistry to bring back the Run and taskmgr functions..... after that I used the removal tool..... the virus is still sitting pretty..... what now.... help me.... I'm bursting for the toilet here... thx

  5. servo said

    same here.. with morphost it did detect up to 419 viruses on my computer... but still... task manager won't open. Can't install ccleaner either.......
    Nita is still there too....

    please give a solution...

    how do you take a nita.worm sample to put into the settings folder?
    please explain in detail... because I'm a layman...

    thanks in advance.

    regards.

  6. Bayu said

    Hello friends,

    To eradicate this virus you can use PCMAV v.1.92 or Norman_Malware_Cleaner.
    It is recommended to boot Windows into SAFE MODE (press F8 before Windows starts).
    Don't forget to create the local administrator user first, okay...🙂

    Hope this helps!!!

  7. Conficker said

    Just use Smadav and it's sorted...

  8. mokaters said

    Can't use Smadav for that
