Monday, 19 March 2012

0 comments
Basmi Virus Amburadul, Hokage Killer (Eradicating the Amburadul Virus, the Hokage Killer)



One wrong way to promote tourism is to write a virus. That is what the author of the Hokage Killer virus did, using well-known Palangkaraya names such as the Kahayan Bridge and Palma, which has every potential to trigger a virus war that ultimately harms Indonesia's IT community, and Palangkaraya's IT community in particular. The virus authors are clearly bright, very curious young programmers, but they have one big problem: a serious lack of maturity and no concern for (or awareness of) the harm that writing and spreading a virus causes other computer users. The Amburadul author's coding skill can be called adequate, but the English lives up to the name, Amburadul (Indonesian for "a mess"). A challenge to Hokage should have read:

Hey, Hokage, This is my place, Wanna Start a War??
(Hey Hokage, this is my turf, want to dig up the hatchet?)

But perhaps so much time went into learning to code that little was left for English, because it came out as:

Hey, Hokage, Is this My places, Wanna start a war**
(Hey Hokage, is this my house? Want to dig up the hatchet?)

** Hopefully the Amburadul author will not release a new variant just to fix the grammar.

If you visit Central Kalimantan often you most likely know the Kahayan Bridge, which crosses the Kahayan River in Palangkaraya, Central Kalimantan, Indonesia. The bridge is 640 metres long and 9 metres wide and consists of 12 spans, with a special 150-metre span over the river's shipping channel. Construction started in 1995 and finished in 2001, and the bridge was inaugurated by President Megawati Soekarnoputri on 13 January 2002. It connects Palangkaraya with South Barito regency and on to North Barito regency. So what does a bridge have to do with a virus?

After the earlier VBWorm.NUJ virus (http://vaksin.com/2007/1107/moontox-bro.htm), a virus has recently been found that is (probably) a modification by "VM Palangkaraya", judging from its script and the master files it carries. Four variants have been found so far, all sharing the same characteristics; the virus is better known as W32/Amburadul:
  • the first variant is detected by Norman as W32/Agent.XQXM (54 KB)
  • the second variant as W32/Agent.ETOR (56 KB)
  • the third variant as W32/Autorun.CQJ (52 KB)
  • the fourth variant as W32/Autorun.CIA (51 KB) (see figure 1)
Broadly, this virus does the same things as most local viruses in circulation: it creates duplicate files, blocks Windows functions such as Regedit, MSConfig, Search, Folder Options and Task Manager, and even blocks security software, local antivirus products in particular (PCMAV, SMP and ANSAV). It also tries to kill the process of the Hokage/VBWorm.Gen16 virus, which likewise comes from Central Kalimantan (Sampit, to be precise); this can be seen in its script, which tries to block the master files of Hokage/VBWorm.Gen16.
Characteristics of the files that Amburadul and its variants carry:
  • Icon: Image (JPG)
  • File size: varies by variant (51 KB, 52 KB, 54 KB and 56 KB)
  • File extension: EXE
  • File type: Application (see figure 2)


When the virus is active it creates the master files below, which run every time the computer starts (these files are also created on every drive, including flash disks):
  • C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
    • csrcc.exe
    • smss.exe
    • lsass.exe
    • services.exe
    • winlogon.exe
    • Paraysutki_VM_Community.sys
    • msvbvm60.dll (the Visual Basic 6 runtime the virus needs)
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxxx.exe, where the x's are the date the virus was activated (for example: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe (hidden file)
  • C:\PaLMa.exe
  • C:\Images
    • Ce_Pen9God4.exe
    • J34ñNy_Mö3tZ_CuTE.exe
    • M0D3L_P4ray_ 2008.exe
    • MalAm MinGGuan.exe
    • NonKroNG DJem8ataN K4H4yan.exe
    • Ph0to Ber5ama.exe
    • PiKnIk dT4ngKilin9.exe
    • RAja Nge5ex.exe
    • TrenD 9aya RAm8ut 2008.exe
  • C:\Images\_PAlbTN
    • (V.4.9)_D053n^908L0K.exe
    • ~ G0YanG Ranjang ~.exe
    • GePaCar4an Neh!!!.exe
    • GuE... BgT!.exe
    • Ke.. TaUan N90C0k.exe
    • Ma5tURbas1 XL1M4xs.exe
    • PraPtih G4diEs PuJAAnku.exe
    • SirKuit BaLi SmunZa.exe
What do Amburadul and its variants do?

Auto-start
To be activated automatically every time the computer starts, the virus creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConfigVir
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NviDiaGT
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\smss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVManager
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Shell = Explorer.exe, C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
The Winlogon Shell value accepts a comma-separated list, so the appended winlogon.exe is started together with the desktop even if every Run entry is removed.

Blocking Windows functions and security software (antivirus)
To defend itself it also blocks Windows functions such as Task Manager, Regedit, MSConfig, Folder Options, System Restore and Search, plus other security software that could shorten its life, by creating the registry entries below. The Image File Execution Options entries abuse the Debugger value: Windows starts the named "debugger" with the original program's command line as its argument, so rundll32.exe silently swallows the launch and cmd.exe /c del deletes the program the user tried to run.

    
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • EnableLUA = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • DisableConfig
    • DisableSR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    • DisableMSI
    • LimitSystemRestoreCheckpointing
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
    • Debugger = crundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    • Debugger = rundll32.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableRegistryTools
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoFind
  • HKEY_CLASSES_ROOT\exefile
    • NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    • UncheckedValue = 1
    • DefaultValue = 1
  • (key not given in the source)
    • CheckedValue = 0
    • DefaultValue = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • UncheckedValue = 0
    • Type = checkbox
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • ShowSuperHidden = 0
    • SuperHidden = 0
    • HideFileExt = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
    • Debugger = rundll32.ex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
    • Debugger = rundll32.exe
W32/Agent.EQXM (and its variants) also tries to block several local antivirus products (including one that claims to be the best antivirus in the world), namely PCMAV, SMP and ANSAV, by creating the following registry entries:

    
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
    • Debugger = cmd.exe /c del
Besides the registry entries above, it also uses the taskkill command to shut down Windows functions and antivirus software. Agent.EQXM (and variants) terminates these applications:
  taskkill /f /im winamp.exe
  taskkill /f /im winampa.exe
  taskkill /f /im firefox.exe
  taskkill /f /im iexplorer.exe
  taskkill /f /im wmplayer.exe
  taskkill /f /im PCMAV-CLN.exe
  taskkill /f /im Ansav.exe
  taskkill /f /im ansavgd.exe
  taskkill /f /im explorer.exe

Mission: eradicate Hokage
Amburadul and its variants set out to eradicate the Hokage family (VBWorm.Gen16) by blocking that virus's files so they cannot be executed. The Internet Explorer window title it sets confirms this (see the picture below). To do so it creates the following registry entries:

    
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Window Title = ++++ Hey, Hokage/baboon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++ (see figure 3)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
    • Debugger = cmd.exe /c del
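The registry tricks described in the auto-start, blocking and Hokage sections above (look-alike session binaries in Run values, a Winlogon Shell with an extra entry, Image File Execution Options Debugger hijacks, and disabled policies) can be hunted for in a registry export with a small script. The following is an added example, not code from the original article or from Vaksincom; SAMPLE_REG is a constructed .reg export that mirrors the keys the article lists (not a dump of a real infection), and the function names, severity labels and the BAD_POLICY table are this example's own choices.

```python
"""Triage a Windows registry export (.reg text) for the tricks described in
the auto-start and blocking sections: Run values that launch look-alikes of
session binaries, a Winlogon Shell value with anything beyond Explorer.exe,
Image File Execution Options "Debugger" hijacks, and policy values that
disable Regedit, Search, System Restore or UAC.  On a live machine produce
the export with, for instance:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""

# Constructed sample export (assumption for this example, not a real dump).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaRaY_VM"="C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"
"AVManager"="C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\vmtoolsd.exe\" -n vmusr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe]
"Debugger"="cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''

# Started by the kernel, the Session Manager or Winlogon, never by a Run
# value: a Run entry naming one of these is a look-alike.
SESSION_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
IFEO_MARK = "\\image file execution options\\"
# Policy value -> the setting the virus uses to cripple investigation tools.
BAD_POLICY = {"disableregistrytools": 1, "nofind": 1, "enablelua": 0,
              "disabletaskmgr": 1, "disablesr": 1, "disableconfig": 1}


def parse_reg(text):
    """Return {key: {value_name: value}} for the REG_SZ and DWORD values of
    a .reg export; other value types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def exe_basename(command):
    """Lower-cased basename of the first token of a command line."""
    command = command.strip()
    token = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(reg_text):
    """Return (severity, key, value_name, detail) findings for the export."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        if low.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in values.items():
                if isinstance(cmd, str) and exe_basename(cmd) in SESSION_BINARIES:
                    findings.append(("high", key, name, "look-alike of %s: %s" % (exe_basename(cmd), cmd)))
        elif low.endswith("\\currentversion\\winlogon"):
            shell = str(values.get("Shell", "Explorer.exe"))
            parts = [p.strip().lower() for p in shell.split(",") if p.strip()]
            if parts != ["explorer.exe"]:
                findings.append(("high", key, "Shell", "Shell is not just Explorer.exe: " + shell))
        elif IFEO_MARK in low:
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg is not None:   # any Debugger value deserves a look; these two are the classic hijacks
                sev = "high" if exe_basename(str(dbg)) in ("rundll32.exe", "cmd.exe") else "review"
                findings.append((sev, key, "Debugger", "running %s starts '%s' instead" % (key.rsplit("\\", 1)[1], dbg)))
        elif low.endswith(("\\policies\\system", "\\policies\\explorer", "\\systemrestore")):
            for name, value in values.items():
                if BAD_POLICY.get(name.lower()) == value:
                    findings.append(("medium", key, name, "%s=%s disables an investigation tool" % (name, value)))
    return findings


if __name__ == "__main__":
    for sev, key, name, detail in triage(SAMPLE_REG):
        print("[%-6s] %s\\%s: %s" % (sev, key, name, detail))
```

Run against the sample it reports five high findings (two look-alike Run values, the extended Shell, and the two Debugger hijacks) and two medium ones (DisableRegistryTools and EnableLUA); the legitimate VMware Tools entry and the IFEO key without a Debugger value are left alone. The Notepad++-style use of a real debugger in IFEO would come out as "review" rather than "high", which is the point of the two-tier label.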
DDoS against websites
Agent.EQXM also tries to DDoS a number of hard-coded website addresses by sending ping requests to:
  • www.duniasex.com
  • www.data0.net
  • www.rasasayang.com.my
Hiding image files
The files this virus targets are images (JPG/BMP/PNG/TIFF/GIF), but it only hides the image files on flash disks. To fool the user it creates a duplicate with the same name as the hidden file, with these characteristics:
  • JPG icon
  • "random" size (depending on the variant: 51 KB / 52 KB / 54 KB / 56 KB)
  • extension .xx.exe, where xx is the original image's extension: if the original is data.bmp the virus creates a duplicate named data.bmp.exe (see figure 4). Because the virus also forces "Hide extensions for known file types" on (see the HideFileExt and NeverShowExt entries above), Explorer shows that duplicate as data.bmp.
  • file type "Application"
Each time it hides files it is "kind" enough to log them in C:\Windows\Amburadul_List.txt (see figure 5).


Spreading via flash disk
To spread, it uses flash disks or floppies, creating several master files and supporting files so that it is activated automatically every time the user accesses the flash disk.
The files created on the flash disk or floppy are:

    
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxxx.exe, where the x's are the date the virus was activated (for example: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe (hidden)
  • C:\PaLMa.exe
  • C:\Images
    • Ce_Pen9God4.exe
    • J34ñNy_Mö3tZ_CuTE.exe
    • M0D3L_P4ray_ 2008.exe
    • MalAm MinGGuan.exe
    • NonKroNG DJem8ataN K4H4yan.exe
    • Ph0to Ber5ama.exe
    • PiKnIk dT4ngKilin9.exe
    • RAja Nge5ex.exe
    • TrenD 9aya RAm8ut 2008.exe
  • C:\Images\_PAlbTN
    • (V.4.9)_D053n^908L0K.exe
    • ~ G0YanG Ranjang ~.exe
    • GePaCar4an Neh!!!.exe
    • GuE... BgT!.exe
    • Ke.. TaUan N90C0k.exe
    • Ma5tURbas1 XL1M4xs.exe
    • PraPtih G4diEs PuJAAnku.exe
    • SirKuit BaLi SmunZa.exe
So that it is activated automatically each time the user opens the flash disk or drive, it uses the Windows AutoRun feature by creating an autorun.inf in the root of the flash disk or drive. This autorun.inf launches MyImages.exe, which is kept hidden so the user does not easily delete it (see figure 6). Note that since Microsoft's AutoRun update of August 2009 (KB971029), and on Windows 7 and later, autorun.inf on a USB flash drive is no longer honoured, so on a patched machine this path only works if the user double-clicks one of the decoy files.


How to clean W32/Agent.EQXM (and variants)

1. Disconnect the computer to be cleaned from the network.
2. Kill the virus processes resident in memory. Use the "CurrProcess" tool (http://www.nirsoft.net/utils/cprocess.zip) and terminate the processes whose file has a JPG icon but an EXE extension (see figure 7).
3. Repair the registry entries changed by W32/Agent.EQXM (and variants). To speed this up, copy the script below into Notepad and save it as repair.inf, then run it as follows:
   • right-click repair.inf
   • click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
; CheckedValue/DefaultValue restored to the Windows defaults for this checkbox
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, Type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, Type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

   
4. Disable System Restore for the duration of the cleanup.
5. Delete the W32/Agent.EQXM (and variants) master files. Before deleting, make hidden files visible:
   1. Open Windows Explorer
   2. Click the "Tools" menu
   3. Click "Folder Options"
   4. Click the "View" tab
   5. Under "Advanced settings":
      • select "Show hidden files and folders"
      • uncheck "Hide extensions for known file types"
      • uncheck "Hide protected operating system files (Recommended)" (see figure 8)

Then delete the following files (on every drive, including flash disks; the files under C:\Windows\system32\~A~m~B~u~R~a~D~u~L~ exist only on the system drive):

    
  • C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
    • csrcc.exe
    • smss.exe
    • lsass.exe
    • services.exe
    • winlogon.exe
    • Paraysutki_VM_Community.sys
    • msvbvm60.dll
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxxx.exe, where the x's are the date the virus was activated (for example: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe
  • C:\PaLMa.exe
  • C:\Images

   
6. Unhide the image files the virus hid on the flash disk:
   • click the "Start" menu
   • click "Run"
   • type "CMD"
   • at the command prompt, change to the flash disk's drive letter and run:  attrib -s -h /s /d
   (Do this after step 3: until the repair script removes the Image File Execution Options entry for cmd.exe, launching CMD starts rundll32.exe instead.)
7. For a thorough cleanup and to prevent re-infection, scan with an up-to-date antivirus that can detect this virus.
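The flash-disk part of the procedure (the hidden originals and their double-extension decoys from "Hiding image files", the autorun.inf and master files from "Spreading via flash disk", and steps 5 and 6 above) can be automated. The following is an added example, not code from the original article or from Vaksincom: the sample drive it builds in a temporary directory is constructed from the file names the article lists, MASTER_FILES only covers the root-level names (the Images folder is swept whole, as step 5 does), the function names are this example's own, and the attrib call only runs on Windows because hidden/system attributes do not exist elsewhere.

```python
"""Flash-disk triage and cleanup: read what autorun.inf launches, find the
double-extension decoys (data.bmp.exe beside the hidden data.bmp), find the
known master files, delete decoys and masters, and clear hidden/system
attributes so the real photos reappear (attrib -s -h /s /d, Windows only)."""
import os
import re
import subprocess
import tempfile

IMAGE_EXTS = ("jpg", "jpeg", "bmp", "png", "gif", "tif", "tiff")
# decoy naming from the article: <original name>.<image ext>.exe
DECOY_RE = re.compile(r"^(?P<orig>.+\.(?:%s))\.exe$" % "|".join(IMAGE_EXTS), re.IGNORECASE)
# root-level master files named in the article (assumption: not every variant's names)
MASTER_FILES = {"autorun.inf", "myimages.exe", "palma.exe",
                "friendster community.exe", "j3mbatan k4hayan.exe"}
FOTOKU_RE = re.compile(r"^FoToKu \d{1,2}-\d{1,2}-\d{4}\.exe$", re.IGNORECASE)


def parse_autorun(text):
    """Commands an autorun.inf would launch: open=, shellexecute= and
    shell\\<verb>\\command= in its [autorun] section.  Hand-rolled because
    the junk lines malware pads these files with break configparser."""
    launch, in_autorun = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.strip("[]").strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_autorun and sep and (key in ("open", "shellexecute")
                                   or re.fullmatch(r"shell\\[^\\]+\\command", key)):
            launch.append(value.strip())
    return launch


def plan(drive_root):
    """Walk the drive and return what to delete and which originals to unhide."""
    found = {"autorun_launches": [], "decoys": [], "originals": [], "masters": []}
    for dirpath, _, files in os.walk(drive_root):
        rel = os.path.relpath(dirpath, drive_root)
        in_images = rel.split(os.sep)[0].lower() == "images"   # the Images folder and its subfolders
        by_lower = {f.lower(): f for f in files}
        for f in files:
            full = os.path.join(dirpath, f)
            if rel == "." and f.lower() == "autorun.inf":
                with open(full, encoding="latin-1") as fh:
                    found["autorun_launches"] = parse_autorun(fh.read())
            m = DECOY_RE.match(f)
            if m:
                found["decoys"].append(full)
                orig = by_lower.get(m.group("orig").lower())
                if orig:                      # the hidden original sits beside the decoy
                    found["originals"].append(os.path.join(dirpath, orig))
            elif f.lower() in MASTER_FILES or FOTOKU_RE.match(f) or (in_images and f.lower().endswith(".exe")):
                found["masters"].append(full)
    return found


def clean(drive_root, dry_run=True):
    """Delete decoys and master files, then unhide everything (Windows only)."""
    p = plan(drive_root)
    if not dry_run:
        for path in p["decoys"] + p["masters"]:
            os.remove(path)
        if os.name == "nt":               # same as step 6: attrib -s -h /s /d
            subprocess.run(["attrib", "-s", "-h", os.path.join(drive_root, "*"), "/s", "/d"], check=False)
    return p


def build_sample_drive(root):
    """Constructed sample: decoys beside their originals, root master files,
    the Images folder and an autorun.inf that launches MyImages.exe."""
    os.makedirs(os.path.join(root, "Images", "_PAlbTN"))
    files = {
        "autorun.inf": "[autorun]\nopen=MyImages.exe\nshellexecute=MyImages.exe\nshell\\open\\command=MyImages.exe\n",
        "MyImages.exe": "MZ", "PaLMa.exe": "MZ", "FoToKu 14-3-2008.exe": "MZ",
        "Liburan.jpg": "\xff\xd8 photo", "Liburan.jpg.exe": "MZ",
        "data.bmp": "BM image", "data.bmp.exe": "MZ",
        "Laporan.docx": "document",
        "Images/Ph0to Ber5ama.exe": "MZ", "Images/_PAlbTN/SirKuit BaLi SmunZa.exe": "MZ",
    }
    for name, body in files.items():
        with open(os.path.join(root, *name.split("/")), "w", encoding="latin-1") as fh:
            fh.write(body)


def demo():
    """Build the sample drive, clean it for real and report (paths relative
    to the drive root, forward slashes) what was planned and what is left."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        p = clean(root, dry_run=False)
        report = {k: sorted(os.path.relpath(x, root).replace(os.sep, "/") for x in v)
                  for k, v in p.items() if k != "autorun_launches"}
        report["autorun_launches"] = p["autorun_launches"]
        report["remaining"] = sorted(os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
                                     for d, _, fs in os.walk(root) for f in fs)
        return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On the sample drive the plan lists two decoys with their two originals and six master files (including the whole Images tree), and after the real run only Liburan.jpg, data.bmp and the unrelated document remain. Run plan() with dry_run=True against a real drive first and read the list before letting clean() delete anything, since MASTER_FILES is only as complete as the article's lists.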
script type="text/javascript">
0 komentar

Basmi Virus Amburadul, Hokage Killer

Salah satu cara yang salah dalam mempromosikan wisata adalah dengan membuat virus. Hal ini dilakukan oleh pembuat virus Hokage Killer yang menggunakan nama-nama populer id Palangkaraya seperti Jembatan Kahayan, Palma yang sangat berpotensi memicu perang virus yang akhirnya merugikan komunitas IT Indonesia, khususnya komunitas IT Palangkaraya. Memang jelas bahwa pembuat virus adalah programmer-programmer muda yang cerdas dan rasa ingin tahunya besar, tetapi memiliki satu masalah besar yaitu kedewasaan sangat kurang dan tidak perduli (tidak sadar) akan akibat perbuatannya membuat dan menyebarkan virus dapat menyebabkan kerugian bagi pengguna komputer lain. Kemampuan pembuat virus Amburadul dapat dikatakan memadai, tetapi kemampuan Bahasa Inggrisnya sih kayanya sesuai namanya, Amburadul. Kalau ingin menyamaikan tantangan ke Hokage harusnya :
Hey, Hokage, This is my place, Wanna Start a War ??
(Hey Hokage, ini rumah gua, mau menggali kapak peperangan ?)
Tetapi mungkin karena terlalu banyak belajar coding sehingga jarang belajar Inggris dengan baik menjadi :
Hey, Hokage, Is this My places, Wanna start a war**
(Hey Hokage, Apakah ini rumah saya ? Mau menggali kapak peperangan ?)
** Moga-moga pembuat virus amburadul ini tidak mengeluarkan varian baru khusus memperbaiki kesalahan grammar.
Bagi anda yang sering ke Kalimantan Tengah, kemungkinan besar tahu dengan Jembatan Kahayan, yaitu jembatan yang membelah Sungai Kahayan di Kota Palangkaraya, Kalimantan Tengah, Indonesia. Jembatan ini memiliki panjang 640 meter dan lebar 9 meter, terdiri dari 12 bentang dengan bentang khusus sepanjang 150 meter pada alur pelayaran sungai. Jembatan ini pertama kali dibangun pada tahun 1995 dan selesai dibangun pada tahun 2001, serta diresmikan oleh Presiden Megawati Soekarnoputri pada tanggal 13 Januari 2002. Jembatan Kahayan menghubungkan Palangkaraya dengan dengan kabupaten Barito Selatan dan tembus ke kabupaten Barito Utara. Lalu apa hubungannya?
Setelah sebelumnya muncul virus VBWorm.NUJ (http://vaksin.com/2007/1107/moontox-bro.htm), baru-baru ini telah ditemukan salah satu virus hasil modifikasi VM Palangkaraya (kemungkinan) ini dapat dilihat dari script dan file induk yang akan di usung oleh virus ini.
Untuk saat ini sudah ada 3 varian dimana untuk masing-masing varian tersebut mempunyai ciri-ciri yang sama, virus ini lebih dikenal dengan nama W32/Amburadul.
Untuk varian pertama Norman mendeteksi sebagai W32/Agent.XQXM (54 KB)
Untuk varian ke dua mempunyai nama sebagai W32/Agent.ETOR (56 KB)
Untuk varian ke tiga mempunyai nama sebagai W32/Autorun.CQJ (52 KB)
Untuk varian ke empat mempunyai nama sebagai W32/Autorun.CIA (51 KB) (lihat gambar 1)

Secara garis besar virus ini sama dengan kebanyakan virus lokal yang menyebar. Membuat file duplikat, blok beberapa fungsi windows seperti Regedit/MSconfig/Search/Folder Option atau Task Manager bahkan blok software security khususnya antivirus lokal seperti PC MAV, SMP dan ANSAV. Ia juga akan mencoba untuk mematikan proses virus Hokage/VBWorm.gen16 yang sama-sama berasal dari Kalimantan Tengah tepatnya di daerah Sampit, hal ini dapat dilihat dari script yang ada, dimana script ini berusaha untuk blok file induk yang dari virus Hokage/VBWorm.Gen16 ini.
Berikut beberapa ciri-ciri file yang yang akan di usung oleh Amburadul beserta variannya:
  • Icon : Image (JPG)
  • Ukuran file : Bervariasi sesuai dengan varian (51 KB, 52 KB, 54 KB dan 56 KB)
  • Ekstensi file : EXE
  • Type File : Application (lihat gambar 2)


Pada saat virus aktif, ia akan membuat beberapa file induk dibawah ini yang akan dijalankan setiap kali komputer dinyalakan (file ini juga akan dibuat di semua drive termasuk di media Flash Disk)
  • C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
    • csrcc.exe
    • smss.exe
    • lsass.exe
    • services.exe
    • winlogon.exe
    • Paraysutki_VM_Community.sys
    • msvbvm60.dll
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxx.exe, dimana x menunjukan tanggal virus tesebut di aktifkan (contohnya: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe (hidden file)
  • C:\PaLMa.exe
  • C:\Images
    • Ce_Pen9God4.exe
    • J34ñNy_Mö3tZ_CuTE.exe
    • M0D3L_P4ray_ 2008.exe
    • MalAm MinGGuan.exe
    • NonKroNG DJem8ataN K4H4yan.exe
    • Ph0to Ber5ama.exe
    • PiKnIk dT4ngKilin9.exe
    • RAja Nge5ex.exe
    • TrenD 9aya RAm8ut 2008.exe
  • C:\Images\_PAlbTN
    • (V.4.9)_D053n^908L0K.exe
    • ~ G0YanG Ranjang ~.exe
    • GePaCar4an Neh!!!.exe
    • GuE... BgT!.exe
    • Ke.. TaUan N90C0k.exe
    • Ma5tURbas1 XL1M4xs.exe
    • PraPtih G4diEs PuJAAnku.exe
    • SirKuit BaLi SmunZa.exe
Apa yang dilakukan oleh Amburadul dan variannya?
Auto start Virus
Agar virus ini dapat aktif secara otomatis setiap kali komputer aktif, ia akan membuat beberapa string pada registry berkut:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConfigVir
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NviDiaGT
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\smss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVManager
    • C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • shell = Explorer.exe, C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Blocking Windows functions and security software (antivirus)
To protect itself, it also blocks several Windows functions such as Task Manager/Regedit/MSconfig/Folder Options/System Restore and Search, as well as other security software that could shorten the virus's lifespan, by creating the following registry strings:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • EnableLUA =0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • DisableConfig
    • DisableSR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    • DisableMSI
    • LimitSystemRestoreCheckpointing
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
    • Debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    • Debugger = rundll32.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableRegistryTools
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoFind
  • HKEY_CLASSES_ROOT\exefile
    • NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    • UncheckedValue = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    • DefaultValue = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • CheckedValue = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • DefaultValue = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • UncheckedValue = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • Type = checkbox
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • ShowSuperHidden = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • SuperHidden = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HideFileExt = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
    • debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
    • debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
    • debugger = rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
    • debugger = rundll32.exe
W32/Agent.EQXM (and its variants) will also try to block several local antivirus products (including the one that likes to claim to be the best antivirus in the world) such as PCMAV, SMP and ANSAV, by creating the following registry strings:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
    • debugger = cmd.exe /c del
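As an added example (not code from the original article): a read-only PowerShell audit of the Run entries, Winlogon Shell, IFEO Debugger hijacks and policy values listed above, so a responder can confirm which of them are present before running the repair script. Key paths and value names are taken from the lists above; the script layout and the output format are assumptions.

```powershell
# Added example, not from the original article: read-only audit of the registry
# locations listed above. Run from an elevated PowerShell on the suspect machine;
# it changes nothing, it only reports what is still set.
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$virusDir = '~A~m~B~u~R~a~D~u~L~'   # parent-file directory named on the page
$runNames = 'PaRaY_VM', 'ConfigVir', 'NviDiaGT', 'NarmonVirusAnti', 'AVManager'
$findings = @()

# 1. IFEO: a Debugger of rundll32.exe makes the program silently do nothing,
#    "cmd.exe /c del" deletes it the moment the user tries to run it.
foreach ($k in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and ($dbg -match 'rundll32\.exe' -or $dbg -match 'cmd\.exe\s+/c\s+del')) {
        $findings += [pscustomobject]@{ Type = 'IFEO hijack'; Key = $k.PSChildName; Value = $dbg }
    }
}

# 2. Run entries: the value names the page lists, or anything pointing into the virus directory.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath metadata
        if (($runNames -contains $p.Name) -or ("$($p.Value)" -like "*$virusDir*")) {
            $findings += [pscustomobject]@{ Type = 'Run autostart'; Key = $p.Name; Value = $p.Value }
        }
    }
}

# 3. Winlogon Shell must be exactly "Explorer.exe"; the virus appends its own winlogon.exe copy.
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    $findings += [pscustomobject]@{ Type = 'Winlogon Shell'; Key = 'Shell'; Value = $shell }
}

# 4. Policy values from the page, together with the value the virus sets them to.
$policy = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';               Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';            Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';            Bad = 0 }
)
foreach ($c in $policy) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Key = "$($c.Path)\$($c.Name)"; Value = $v }
    }
}

if ($findings.Count -eq 0) { 'No Amburadul registry indicators found.' }
else { $findings | Format-Table -AutoSize }
```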
Besides creating the registry strings above, it also uses the taskkill command to block Windows functions and antivirus software.
The following applications are killed by Agent.EQXM (and its variants):
taskkill /f /im winamp.exe
taskkill /f /im winampa.exe
taskkill /f /im firefox.exe
taskkill /f /im iexplorer.exe
taskkill /f /im wmplayer.exe
taskkill /f /im PCMAV
taskkill /f /im CLN.exe
taskkill /f /im Ansav.exe
taskkill /f /im ansavgd.exe
taskkill /f /im explorer.exe
Mission: exterminate Hokage
Amburadul and its variants have a mission to exterminate the Hokage family (VBWorm.Gen16) by blocking that virus's files so they cannot run. This is underlined by the changed title of the Internet Explorer window (see the figure below). To do this it creates the following registry strings:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Window Title = ++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++ (see figure 3)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
    • Debugger = cmd.exe /c del
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
    • Debugger = cmd.exe /c del
DDoS of websites
Agent.EQXM will also try to DDoS a number of predefined website addresses by sending ping requests to the following sites:
  • www.duniasex.com
  • www.data0.net
  • www.rasasayang.com.my
Hiding image files
The targets of this virus are image files (JPG/BMP/PNG/TIFF/GIF), but it only hides image files that are on the Flash Disk. To fool the user, it creates a duplicate file with the same name as the hidden file, with these characteristics:
  • JPG icon
  • “Random” size (depending on the variant -> 51 KB / 52 KB / 54 KB / 56 KB)
  • Extension .xx`.exe, where xx is the extension of the original image file. For example, if the original image is named data.bmp, the virus creates a duplicate named data.bmp`.exe. (see figure 4)


  • File type “Application”
Every time it hides a file, it is “kind” enough to record a log entry in the file C:\Windows\Amburadul_List.txt, see figure 5 below:



Spreading via Flash Disk
To spread itself, it uses “Flash Disk” or “floppy disk” media, creating several parent files and supporting files so that it becomes active automatically every time the user accesses the Flash Disk.

The following files are created on the Flash Disk or floppy disk:
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxx.exe, where x indicates the date the virus was activated (for example: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe (hidden)
  • C:\PaLMa.exe
  • C:\Images
    • Ce_Pen9God4.exe
    • J34ñNy_Mö3tZ_CuTE.exe
    • M0D3L_P4ray_ 2008.exe
    • MalAm MinGGuan.exe
    • NonKroNG DJem8ataN K4H4yan.exe
    • Ph0to Ber5ama.exe
    • PiKnIk dT4ngKilin9.exe
    • RAja Nge5ex.exe
    • TrenD 9aya RAm8ut 2008.exe
  • C:\Images\_PAlbTN
    • (V.4.9)_D053n^908L0K.exe
    • ~ G0YanG Ranjang ~.exe
    • GePaCar4an Neh!!!.exe
    • GuE... BgT!.exe
    • Ke.. TaUan N90C0k.exe
    • Ma5tURbas1 XL1M4xs.exe
    • PraPtih G4diEs PuJAAnku.exe
    • SirKuit BaLi SmunZa.exe
So that the virus becomes active automatically every time the user accesses the drive or Flash Disk, it uses the Windows Autorun feature by creating an autorun.inf file in the root of the Flash Disk or drive. This Autorun file runs MyImages.exe, which is hidden so that it is not easily deleted by the user. (see figure 6)



How to clean W32/Agent.EQXM (and variants)
  1. Disconnect the computer to be cleaned from the network
  2. Kill the virus processes that are active in memory. To kill them, use the “currprocess” tool (http://www.nirsoft.net/utils/cprocess.zip), then kill the virus processes that have a JPG icon with an EXE extension. (see figure 7)


  3. Repair the registry entries changed by W32/Agent.EQXM (and variants). To speed up the repair, copy the script below into Notepad and save it as repair.inf.
Run the file as follows:
  • Right-click repair.inf
  • Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  4. Disable “System Restore” during the cleaning process
  5. Delete the parent files of W32/Agent.EQXM (and variants). Before deleting them, show hidden files as follows:
    1. Open Windows Explorer
    2. Click the “Tools” menu
    3. Click “Folder Options”
    4. Click the View tab
    5. Under “Advanced settings”:
      • Select “Show hidden files and folders”
      • Uncheck “Hide extensions for known file types”
      • Uncheck “Hide protected operating system files (Recommended)” (see figure 8)

Then delete the following files (on every drive, including the Flash Disk, except for the files in the directory C:\Windows\system32\~A~m~B~u~R~a~D~u~L~):
  • C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
    • csrcc.exe
    • smss.exe
    • lsass.exe
    • services.exe
    • winlogon.exe
    • Paraysutki_VM_Community.sys
    • msvbvm60.dll
  • C:\Autorun.inf
  • C:\FoToKu xx-x-xxx.exe, where x indicates the date the virus was activated (for example: FoToKu 14-3-2008.exe)
  • C:\Friendster Community.exe
  • C:\J3MbataN K4HaYan.exe
  • C:\MyImages.exe
  • C:\PaLMa.exe
  • C:\Images
  6. Show the image files that were hidden on the Flash Disk as follows:
    • Click the “Start” menu
    • Click “Run”
    • Type “CMD”
    • At the DOS prompt, change to the Flash Disk drive and type the command ATTRIB -s -h /s /d
  7. For optimal cleaning and to prevent reinfection, scan with an up-to-date antivirus that can properly recognize this virus.
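The decoy naming from the “Hiding image files” section and the ATTRIB -s -h step in point 6, as an added PowerShell example that is not part of the original article: it finds the name.ext`.exe decoys on a drive, un-hides the originals they shadow, and reports the parent files named above. The script name and its -Drive and -Remove parameters are assumptions.

```powershell
# Added example, not from the original article. Lists the Amburadul decoys on a
# removable drive, clears the Hidden/System attributes from the originals they
# shadow (the ATTRIB -s -h step above), and reports the parent files the page names.
# $Drive and -Remove are assumed parameters of this script, e.g.:
#   .\Find-AmburadulDecoys.ps1 -Drive F:          (report and restore only)
#   .\Find-AmburadulDecoys.ps1 -Drive F: -Remove  (also delete the decoys)
param([Parameter(Mandatory)][string]$Drive, [switch]$Remove)

$root = $Drive.TrimEnd('\') + '\'

# Per the page, the decoy for data.bmp is named data.bmp`.exe: match <image ext>`.exe
$decoys = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(jpe?g|bmp|png|tiff?|gif)`\.exe$' }

foreach ($d in $decoys) {
    # The hidden original has the decoy's name without the trailing "`.exe"
    $original = Join-Path $d.DirectoryName ($d.Name -replace '`\.exe$', '')
    if (Test-Path -LiteralPath $original) {
        $item = Get-Item -LiteralPath $original -Force      # -Force: the file is hidden
        $item.Attributes = $item.Attributes -band (-bnot ([IO.FileAttributes]'Hidden, System'))
        "restored: $original"
    } else {
        "original missing for decoy: $($d.FullName)"
    }
    if ($Remove) { Remove-Item -LiteralPath $d.FullName -Force; "removed decoy: $($d.FullName)" }
    else         { "decoy left in place (use -Remove): $($d.FullName)" }
}

# Parent files the page lists in the drive root, plus the Autorun.inf that launches MyImages.exe
foreach ($n in 'Autorun.inf', 'MyImages.exe', 'PaLMa.exe', 'J3MbataN K4HaYan.exe', 'Friendster Community.exe') {
    $p = Join-Path $root $n
    if (Test-Path -LiteralPath $p) { "parent file present: $p" }
}
```

Run it only after the virus processes have been killed (step 2), otherwise the resident copy re-hides the images and recreates the decoys.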