Messenger – nhattruongquang.0catch.com

March 3, 2009 by ariefew
Filed under: Antivirus, Virus



For the past few days, while chatting on Yahoo Messenger, I have often been receiving messages like these:

  • Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com
  • E may, vao day coi co con nho nay ngon lam http://nhattruongquang.0catch.com
  • Vao day nghe bai nay di ban http://nhattruongquang.0catch.com
  • Vao day nghe bai nay di ban http://nhattruongquang.0catch.com
  • Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com
  • Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.0catch.com
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau? http://nhattruongquang.0catch.com
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…http://nhattruongquang.0catch.com
    Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon.
  • Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…http://nhattruongquang.0catch.com
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhattruongquang.0catch.com
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon http://nhattruongquang.0catch.com

The YM users sending these messages are not aware that they are sending them. So what is it?

It is a worm that first appeared in late 2006 and now seems to be showing up again in a new variant.

This virus/worm is known under various names, including:

  • Symantec : W32.Imaut.U
  • Avira : Worm/Sohanad.bm
  • Kaspersky: IM-Worm.Win32.Sohanad.bm
  • F-Secure: IM-Worm.Win32.Sohanad.bm
  • Sophos: W32/SillyFDC-G atau W32/Sohana-R
  • Panda: W32/Hakaglan.A.worm
  • Grisoft: I-Worm/Sohanad.J
  • Eset: Win32/Hakaglan.AH
  • Bitdefender: Trojan.AutoIt.TD
  • McAfee : w32/Yahlover.worm.gen.c

Platforms / OS:

  • Windows 95
  • Windows 98
  • Windows 98 SE
  • Windows NT
  • Windows ME
  • Windows 2000
  • Windows XP
  • Windows 2003

Imaut / Sohanad / Hakaglan / AutoIt / Yahlover spreads through Yahoo! Instant Messenger, Microsoft Windows Live Messenger, and AOL Instant Messenger. The worm downloads remote files onto the compromised computer and disables Windows Task Manager and the Registry tools.

INFECTION DETAILS

File

Copies itself to:

  • %SYSDIR%\RVHOST.exe
  • %WINDIR%\RVHOST.exe

Writes a scheduled task:

  • %WINDIR%\Tasks\At1.job, a scheduled task file used to run the malware.

It also downloads a file from http://nhatquanglan2.0catch.com/**********
and saves it to the local hard drive as: %SYSDIR%\setting.ini

Registry

Registry values added so that the process runs again after a reboot:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    •  Yahoo Messengger="%SYSDIR%\RVHOST.exe"
  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    •  Shell="Explorer.exe RVHOST.exe"

Other registry values added:

  • [HKLM\SYSTEM\ControlSet001\Services\Schedule]
    •  AtTaskMaxHours=dword:00000000
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
    •  shared="%all shared folders%\New Folder.exe"

Registry values changed:

Various Explorer settings (hides the Folder Options menu):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Old value:
•  NofolderOptions=%user defined settings%

New value:
•  NofolderOptions=dword:00000001

Disables Regedit and Task Manager:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Old value:
•  DisableTaskMgr=%user defined settings%
•  DisableRegistryTools=%user defined settings%

New value:
•  DisableTaskMgr=dword:00000001
•  DisableRegistryTools=dword:00000001

Network

The malware spreads to other PCs by:

copying itself to network shares:
•  %all shared folders%\New Folder.exe

Removal

  • Disable System Restore.
  • Update your antivirus.
  • Scan with the updated antivirus.
  • Create a file named UnHookExec.inf with the following contents:

    [Version]
    Signature="$Chicago$"
    Provider=Symantec
    [DefaultInstall]
    AddReg=UnhookRegKey
    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

    Save the file, then right-click it and choose Install to restore regedit.

  • Change and delete the Windows registry values modified by the worm.
  • Registry values to delete:
    1. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "Explorer.exe RVHOST.exe"
    2. HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger" = "%System%\RVHOST.exe"
    3. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares "shared" = "[SHARED DRIVE]\New Folder.exe"
  • Registry values to restore to their original settings:
    1. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
    2. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
    3. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions" = "1"
    4. HKLM\SYSTEM\CurrentControlSet\Services\Schedule "AtTaskMaxHours" = "0"
    5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "Run" = "BkavFw"
    6. HKCU\Software\Microsoft\Windows\CurrentVersion "Run" = "IEProtection"

Exit the registry editor / regedit.
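As an added triage example (not part of the original post), the Python below checks an exported registry snapshot against the Run, Winlogon Shell, WorkgroupCrawler Shares and policy values listed above and renders the clean-up as reg.exe commands for review. The snapshot format, the sample values and the variable names are assumptions; the file copies and the At1.job task are not covered.

```python
import re
# Registry artifacts from the write-up above, with the backslashes restored.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHARES_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares"
POLICY_LOCKS = {  # DWORD values the worm sets to 1; remediation resets them to 0
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": ("DisableTaskMgr", "DisableRegistryTools"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": ("NofolderOptions",),
}
RVHOST = re.compile(r"\bRVHOST\.exe\b", re.IGNORECASE)


def audit(snapshot):
    """snapshot: {key path: {value name: data}} exported from a host (assumed format). Returns a
    list of (action, key, value name, new data) tuples; the live registry is never touched here."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if isinstance(data, str) and RVHOST.search(data):
            findings.append(("delete", RUN_KEY, name, None))
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell")
    if isinstance(shell, str) and RVHOST.search(shell):
        findings.append(("set", WINLOGON_KEY, "Shell", "Explorer.exe"))  # restore, do not delete
    shared = snapshot.get(SHARES_KEY, {}).get("shared")
    if isinstance(shared, str) and shared.lower().endswith("new folder.exe"):
        findings.append(("delete", SHARES_KEY, "shared", None))
    for key, names in POLICY_LOCKS.items():
        for name in names:
            if snapshot.get(key, {}).get(name) == 1:
                findings.append(("set", key, name, 0))
    return findings


def reg_commands(findings):
    """Render findings as reg.exe commands for an administrator to review before running."""
    cmds = []
    for action, key, name, data in findings:
        if action == "delete":
            cmds.append(f'reg delete "{key}" /v "{name}" /f')
        else:
            kind = "REG_DWORD" if isinstance(data, int) else "REG_SZ"
            cmds.append(f'reg add "{key}" /v "{name}" /t {kind} /d "{data}" /f')
    return cmds


# Constructed sample mirroring the write-up; the ctfmon entry is a clean value that must be left alone.
INFECTED_SAMPLE = {
    RUN_KEY: {"Yahoo Messengger": r"C:\WINDOWS\system32\RVHOST.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    WINLOGON_KEY: {"Shell": "Explorer.exe RVHOST.exe"},
    SHARES_KEY: {"shared": r"\\fileserver\public\New Folder.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NofolderOptions": 1},
}
```

Running `reg_commands(audit(INFECTED_SAMPLE))` yields one delete for the Run value, one restore of Shell to Explorer.exe, one delete of the share entry and three DWORD resets.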

Comments

6 Comments on Messenger – nhattruongquang.0catch.com

  Sweet on Wed, 4th Mar 2009 10:24 pm
    What are the symptoms of a PC infected with this virus? What is the worst damage this virus can do? So far I have never come across messages like the ones described above, even though I use YM every day.

    ariefew replied:
    I have run into messages like the ones above several times, especially from YM at internet cafes.

  [...] For information on the VBS virus and how to deal with it, see Messenger – nhattruongquang.0catch.com [...]

  marjan on Sun, 20th Dec 2009 9:09 pm
    I just caught this virus, which is why I am browsing for a solution.
    Thanks.

    ariefew replied:
    I still often run into this virus when using YM, even though it first appeared a long time ago.

  salju on Sun, 28th Feb 2010 3:57 pm
    What about the virus that sends messages like this: view my new haircut! ... with a link in jpg format?