Darkside of Oktavianus

Making virus and all of them as our friends

Analysis of Amburadul.Worm by MORPHIC

Posted by oktavianus on September 12, 2008

The next virus analysis is of the Amburadul virus. This is only a simple analysis. If anything is wrong, I apologize!

(NOTE: The following analysis results are not entirely certain; I may have analysed something incorrectly!)

Analysis Results

Malware name: Amburadul.Worm [Morphost], Virus.Win32.VB.ki [Kaspersky], W32/Autorun.worm.e [McAfee], WORM_AUTORUN.AYV [Trend Micro]

Size: 128,000 bytes

Sample sent by: Eky

Icon: roughly as in the picture.

CRC32: C8824FD2 (based on the file that was sent)

MD5: 8E813F2C4003EA6233DDC7621864CE11 (based on the file that was sent)

Built with: presumably Visual Basic

Company Name: JPEG Image

File Description: 1024 x 768

This virus creates its own directory at:

"C:\windows\system32\~A~m~B~u~R~a~D~u~L~\"

It creates the following registry keys and values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
EnableLUA = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVManager = "%System%\~A~m~B~u~R~a~D~u~L~\csrss.exe"
NarmonVirusAnti = "%System%\~A~m~B~u~R~a~D~u~L~\smss.exe"
NviDiaGT = "%System%\~A~m~B~u~R~a~D~u~L~\lsass.exe"
ConfigVir = "%System%\~A~m~B~u~R~a~D~u~L~\services.exe"
PaRaY_VM = "%System%\~A~m~B~u~R~a~D~u~L~\winlogon.exe"

The files above are started every time Windows boots.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe]
Debugger = "cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe]
Debugger = "rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
Debugger = "rundll32.exe"

Each Image File Execution Options entry makes Windows start the listed "Debugger" in place of the named program, so the antivirus tools and system utilities above are either deleted or silently never run.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
LimitSystemRestoreCheckpointing = 0x00000001
DisableMSI = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
DisableConfig = 0x00000001
DisableSR = 0x00000001

These values disable System Restore.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFind = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 0x00000001

It deletes the following registry values (removing these SafeBoot class entries prevents the machine from booting into Safe Mode):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
(Default) = "System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
(Default) = "Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
(Default) = "Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
(Default) = "System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
(Default) = "Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
(Default) = "Human Interface Devices"

It modifies the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
UncheckedValue = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
Type = "checkbok"
UncheckedValue = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe, %System%\~A~m~B~u~R~a~D~u~L~\winlogon.exe"
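As an added example (not part of the original analysis and not Morphost code), the Python script below parses a reg-export style dump and flags the artifact classes listed above: Image File Execution Options Debugger values that name something other than a known debugger, Run entries pointing into the worm's directory, a Winlogon Shell that chains an extra image after Explorer, and System Restore policy values. The registry sample and the debugger allowlist are constructed for the demonstration.

```python
import re
WORM_DIR = "~a~m~b~u~r~a~d~u~l~"  # lower-cased name of the directory the worm creates
IFEO = "\\image file execution options\\"
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}  # assumed allowlist
# Constructed sample shaped like the artifacts listed above, not an export from a real host.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVManager"="C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="cmd.exe /c del"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
"Debugger"="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Tools\\windbg.exe\" -p"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

def parse_reg(text):
    """Parse a reg-export style dump into {key: {value_name: value}} (REG_SZ and REG_DWORD)."""
    hive, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive[(key := line[1:-1])] = {}
        elif key and "=" in line:
            name, _, val = line.partition("=")
            if val.startswith("dword:"):
                hive[key][name.strip('"')] = int(val[6:], 16)
            else:  # quoted REG_SZ: drop the quotes, unescape \\ and \"
                hive[key][name.strip('"')] = re.sub(r'\\(["\\])', r"\1", val[1:-1])
    return hive

def image_name(cmd):  # executable basename of a command line, honouring a quoted first token
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()

def triage(hive):
    out = []  # (category, detail) findings for the artifact classes the analysis describes
    for key, vals in hive.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if IFEO in key.lower() and "Debugger" in vals and image_name(vals["Debugger"]) not in KNOWN_DEBUGGERS:
            out.append(("ifeo_hijack", f"{tail} -> {vals['Debugger']}"))  # non-debugger image as Debugger
        if tail == "run":  # autostart entries pointing into the worm's directory
            out += [("run_persistence", f"{n} = {p}") for n, p in vals.items() if WORM_DIR in str(p).lower()]
        if tail == "winlogon" and str(vals.get("Shell", "explorer.exe")).strip().lower() != "explorer.exe":
            out.append(("winlogon_shell", vals["Shell"]))  # extra image chained after Explorer
        if tail == "systemrestore":
            out += [("system_restore_off", n) for n in ("DisableSR", "DisableConfig") if vals.get(n) == 1]
    return out
```

Running `triage(parse_reg(SAMPLE_REG))` yields five findings; the notepad.exe entry is left alone because its debugger is on the allowlist.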

=============================================================================

If there are other attacks, please let me know.

I have already added this worm's signature to the Morphost database, so you can now use Morphost to scan your computer for Amburadul.Worm.

If Amburadul.Worm still has not left your computer, do the following:

-Select the Settings tab

-Select the option "let users make their database themselves" in the "database" frame

-Then add just one sample of Amburadul.Worm

-And scan right away!

By: Morphic

http://www.morphic.co.nr (Comment me here)

http://www.friendster.com/morphic (friendster)

http://morphians.wordpress.com (my blog)

karta_morphic@yahoo.co.id (my email)

http://morphic.4shared.com (download Morphost and the Morphost database here!)

and don't forget to join MorphostLab (Friendster group)

My thanks go to Mas Aat Shadewa, Virologi, and others.
