Monday, December 08, 2008

Analysis of NovemberGen.svchost

(READ: the following analysis results are not entirely certain; it is possible that I analysed it wrongly!)


Analysis Results

Malware name : NovemberGen.Scvhost.Worm [Morphost], Trojan-Downloader.Win32.VB.inz [Kaspersky Lab]
Size : 337,466 bytes
Submitted by : D3mon
Icon : regedit (the sample carries the Registry Editor icon)
CRC32 : A369C91A (of the file as submitted)
MD5 : DD7132C1F4F317115C4979607B37EC4A (of the file as submitted)
Written in : Visual Basic

Virus project path (VB project string recovered from the sample):

D:\Microsoft\Microsoft\windows\System.vbp



The body of the worm contains an image resource, shown below:

[image: resource picture embedded in the worm body (image003, not reproduced here)]



===============================================================

Registry changes made by the worm

The listing below is what the sample writes to the registry. The points that matter: NeverShowExt on exefile hides the .exe extension in Explorer; two new file classes, .Msd and .sysm, are registered with an Open command of "%1" (the file is launched as itself, so a PE file with either extension runs as a program), with NeverShowExt (the extension is hidden) and with icons borrowed from system programs (rasphone.exe, netsetup.exe), so a copy of the worm named Desktop.sysm looks and behaves like a system file; Run entries under HKLM and HKCU start %System%\Desktop.sysm and regtweak.exe at logon; the Folder Options definitions for ShowFullPath and SuperHidden are altered; and AlternateShell under SafeBoot is replaced in every control set, so booting into "Safe Mode with Command Prompt" launches %System%\CommandPrompt.Sysm instead of cmd.exe.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command]
(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon]
(Default) = "%System%\rasphone.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd]
(Default) = "Microsoft System Direct"
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command]
(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon]
(Default) = "%System%\netsetup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm]
(Default) = "System Mechanic"
NeverShowExt = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VisualStyle = "%System%\Desktop.sysm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
regtweak = "regtweak.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
DefaultValue = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
CheckedValue = 0x00000001
DefaultValue = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"
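The registry changes above are the kind of thing an analyst wants to pick out of a registry export automatically. The script below is an added example written for this page, not the original author's code or part of Morphost: it parses a listing in the same "[key]" / "name = value" layout used above and reports the three tricks the worm relies on (file classes whose Open command is "%1" with a hidden extension, Run entries that point at such files or at a bare file name, and a SafeBoot AlternateShell that is not cmd.exe). The sample dumps are constructed from the listing, the set of "normal" executable extensions is an assumption of the example, and cmd.exe is the Windows default for AlternateShell.

```python
"""Flag NovemberGen-style registry tricks in a "[key]" / "name = value" listing.

Added example for this analysis, not the author's code. Key paths are compared
case-insensitively; value names keep their original case in the report.
"""
import re

# Constructed input: the registry changes from the listing above, minus the
# duplicate ControlSet001/002 SafeBoot keys and the Folder Options entries.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
NeverShowExt = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command]
(Default) = "%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon]
(Default) = "%System%\rasphone.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd]
(Default) = "Microsoft System Direct"
NeverShowExt = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command]
(Default) = "%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon]
(Default) = "%System%\netsetup.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm]
(Default) = "System Mechanic"
NeverShowExt = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VisualStyle = "%System%\Desktop.sysm"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
regtweak = "regtweak.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = "%System%\CommandPrompt.Sysm"
"""

# Constructed clean baseline (hypothetical program path) that should produce no findings.
BASELINE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Updater = "C:\Program Files\Example\updater.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = "cmd.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r"^(.+?)\s*=\s*(.*)$")
OPEN_CMD_RE = re.compile(r"\\classes\\(\.[^\\]+)\\shell\\open\\command$")
NORMAL_EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}  # assumption of this example
DEFAULT_SAFEBOOT_SHELL = "cmd.exe"  # Windows default for "Safe Mode with Command Prompt"


def parse_dump(text):
    """Return {key_path_lowercased: {value_name: data}} with surrounding quotes stripped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).strip(), m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data
    return keys


def _get(values, name):
    """Case-insensitive value lookup (registry value names are not case-sensitive)."""
    for k, v in values.items():
        if k.lower() == name:
            return v
    return None


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _ext(path):
    base = _basename(path)
    return base[base.rfind("."):].lower() if "." in base else ""


def rogue_executable_extensions(keys):
    """Map extension -> NeverShowExt set, for classes whose Open command is "%1"."""
    rogue = {}
    for path, values in keys.items():
        m = OPEN_CMD_RE.search(path)
        if m and _get(values, "(default)") == "%1":
            class_key = path[: -len("\\shell\\open\\command")]
            rogue[m.group(1)] = _get(keys.get(class_key, {}), "nevershowext") is not None
    return rogue


def findings(text):
    keys = parse_dump(text)
    out = []
    if _get(keys.get(r"hkey_local_machine\software\classes\exefile", {}), "nevershowext") is not None:
        out.append("exefile: NeverShowExt set, so .exe is hidden in Explorer")
    rogue = rogue_executable_extensions(keys)
    for ext, hidden in sorted(rogue.items()):
        out.append(f"{ext}: Open command is %1 (the file runs itself)" + (", extension hidden" if hidden else ""))
    for path, values in keys.items():
        if path.endswith(r"\currentversion\run"):
            for name, data in values.items():
                ext = _ext(data)
                if ext in rogue or ext not in NORMAL_EXEC_EXTS:
                    note = " (registered above to run itself)" if ext in rogue else ""
                    out.append(f"Run\\{name}: {data} has non-standard extension {ext or '(none)'}{note}")
                if "\\" not in data:
                    out.append(f"Run\\{name}: {data} has no directory, resolved via the search path")
        if path.endswith(r"\control\safeboot"):
            shell = _get(values, "alternateshell") or ""
            if shell and _basename(shell).lower() != DEFAULT_SAFEBOOT_SHELL:
                out.append(f"SafeBoot AlternateShell is {shell}, expected {DEFAULT_SAFEBOOT_SHELL}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DUMP):
        print(line)
```

On the sample dump this reports six findings: the hidden .exe extension, the two self-executing classes, the Run entry that points at a .sysm file, the bare regtweak.exe entry and the replaced safe-mode shell; the baseline dump produces none. To use it against a real machine, export the keys with reg export and feed the lines through the same parser after converting the .reg "name"="data" form, or read them directly with winreg on Windows.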



If there are other attacks, please let me know.


I have added this worm's signature to the 17th Morphost database.

taken from: www.virologi.info