This virus appeared at the beginning of last November. It spreads in a style that imitates the Downadup/Conficker worm, but it has not yet spread very widely. It is detected as Worm/SdBot.sfj [Avira] and W32/Sdbot.worm!Ek [McAfee]. The imitation is limited to the propagation method: the worm uses the desktop.ini found in the Recycler folder so that the folder it creates hides the files inside it; if you open that folder, what is displayed is the contents of the Recycler folder on drive C:\. To spread, the worm creates an autorun.inf and a super-hidden folder on every USB drive that is plugged in. The folder is named CACHE-49038502 and contains the files desktop.ini and core.sys.
When the virus file core.sys is executed, the virus creates several more virus files on that computer. The files it creates are:
%Windows%\inf\netsf.inf
%Windows%\inf\netsf_m.inf
%Windows%\inf\netsf.PNF
%Windows%\inf\netsf_m.PNF
%System%\wbem\wmisrsc.exe
%System%\drivers\minisv32.sys
%System%\drivers\ndisvvan.sys
%System%\drivers\vnnupdjd.sys
%Documents and Settings%\LocalService\bxt.exe
%Documents and Settings%\LocalService\acwy.exe

The contents of the autorun.inf it creates are:
{random character}
[autorun
:nop
;M?Ö???
open=cmd /c start "" "CACHE-49038502\core.sys"
;??Cd
icon=%SystemRoot%\System32\SHELL32.dll,4
í?ÈÃÒv
action=Open folder to view files using Windows Explorer
;OOìÁÃ?D
sHELL\\open\\\command=cmd /c start "" "CACHE-49038502\core.sys"
;ÝìIL?Í?Ã??ÂX?ëòñLL
sHELL\\explore\\\command=cmd /c start "" "CACHE-49038502\core.sys"
;?ÂX?ëòñLLÝìIL?Í?Ã?
useautoplay=1
[a UN]
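As an added example that is not part of the original post, the following Python parses an autorun.inf of the shape shown above (the sample is constructed to mirror it, junk lines included) and reports the traits a defender would flag: a launch directive routed through cmd /c start, a payload with a .sys extension, and the action= text that imitates Explorer's own prompt. Function and variable names are my own.

```python
import re

# Constructed sample modelled on the autorun.inf described above: the junk
# comment line, the random-character line and the mixed-case sHELL keys are
# kept on purpose so the parser has to tolerate them.
SAMPLE_AUTORUN = r"""ZxQ7pL
[autorun
:nop
;M?Ö???
open=cmd /c start "" "CACHE-49038502\core.sys"
icon=%SystemRoot%\System32\SHELL32.dll,4
í?ÈÃÒv
action=Open folder to view files using Windows Explorer
sHELL\\open\\\command=cmd /c start "" "CACHE-49038502\core.sys"
sHELL\\explore\\\command=cmd /c start "" "CACHE-49038502\core.sys"
useautoplay=1
[a UN]
"""

KEY_RE = re.compile(r"^\s*([^=;:\[\]]+?)\s*=\s*(.*?)\s*$")
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text):
    """Map normalised key -> value; comment, junk and section lines are skipped,
    since this worm pads the file with exactly such lines."""
    entries = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            # collapse runs of backslashes and lower-case, so that
            # sHELL\\open\\\command and shell\open\command compare equal
            key = re.sub(r"\\+", r"\\", m.group(1)).lower()
            entries[key] = m.group(2)
    return entries

def suspicious_indicators(entries):
    """Return human-readable findings for the launch directives."""
    findings = []
    for key in LAUNCH_KEYS:
        cmd = entries.get(key, "").lower()
        if not cmd:
            continue
        if re.search(r"\bcmd(\.exe)?\b.*\bstart\b", cmd):
            findings.append(f"{key}: launches through cmd /c start")
        if re.search(r"\.(sys|dll|ini|dat)\b", cmd):
            findings.append(f"{key}: payload carries a non-executable extension")
    if findings and "open folder" in entries.get("action", "").lower():
        findings.append("action: mimics Explorer's own 'Open folder' prompt")
    return findings
```

On a real removable drive, read its autorun.inf with latin-1 decoding (the junk bytes are not valid UTF-8) and pass the text to parse_autorun.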
The virus also modifies several registry entries:
HKLM\Software\Microsoft\Security Center
    FirewallOverride = "0"
    AntiVirusOverride = "0"
    FirewallDisableNotify = "0"
    AntiVirusDisableNotify = "0"
HKLM\Software\Microsoft\Driver Signing
    Policy = "00"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    CheckedValue = "1"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    DisableSR = "1"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = "%System%\userinit.exe, %Documents and Settings%\LocalService\xtfb.exe \s"
In addition, this worm, written in Delphi, is no less capable than Downadup/Conficker at blocking the websites of antivirus vendors and sites containing keywords that could threaten its survival. Below is a small selection of the websites it blocks, according to quickheal.co.in:
To remove it, I suggest installing a foreign-made antivirus and keeping it updated, because locally made antivirus products are not yet able to remove it; they cannot even detect its presence.
If you want a copy of this virus, download it here.