Monday, November 06, 2006

Brontok

W32.Rontokbro@mm – Symantec, W32/Brontok-N – Sophos, Win32/Brontokbro.A.A – Eset, Win32/Robknot!Variant!Worm – CA eTrust, Worm.Win32.Brontok.a – Kaspersky, W32/Rontokbro.gen@MM - McAfee

Infection method: mass-mailing worm; arrives as an email attachment.

Subject (Indonesian, as sent; note the lure misspells the actress's name as "Satro"):

Film Terbaru Dian Satro dan Tora Sudiro
(translation: "Latest film from Dian Sastro and Tora Sudiro")

Body (translated from Indonesian):

Warm regards,

For those of you who idolize the actors Dian Sastro or Tora Sudiro, you will soon be satisfied, because their latest romantic comedy (the title is still being kept secret) is ready for release. To add to your collection of photos of your idol, attached is a still from the film in which they play a romantic scene at a lake (attached as the file "Sample Picture.zip").

According to the director, the film will be released in two months and is expected to surpass the success of their previous films.

Thank you,

Attachment:
Sample Picture.Zip



Variants of Brontok (detection names by vendor):


Sophos :

W32/Brontok-AJ W32/Brontok-W W32/Brontok-AI W32/Brontok-E W32/Brontok-Zs W32/Brontok-D W32/Brontok-S W32/Brontok-AE W32/Brontok-C W32/Brontok-B W32/Brontok-AZ

W32/Brontok-AQ W32/Brontok-J W32/Brontok-V W32/Brontok-X W32/Brontok-AK W32/Brontok-A W32/Brontok-L W32/Brontok-K W32/Brontok-N W32/Brontok-F W32/Brontok-G

W32/Brontok-I W32/Brontok-BB W32/Brontok-R W32/Brontok-M W32/Brontok-Fam W32/Brontok-H W32/Rontokbr-A W32/Korbo-B W32/Bobandy-A



Symantec:

W32.Rontokbro@mm
W32.Rontokbro.AN@mm
W32.Rontokbro.B@mm
W32.Rontokbro.D@mm
W32.Rontokbro.K@mm
W32.Rontokbro.U@mm
W32.Rontokbro.X@mm
W32.Rontokbro.Z@mm

McAfee:

W32/Rontokbro.gen@MM


Kaspersky:

Email-Worm.Win32.Brontok.K
Email-Worm.Win32.Brontok.a
Email-Worm.Win32.Brontok.b
Email-Worm.Win32.Brontok.c
Email-Worm.Win32.Brontok.d
Email-Worm.Win32.Brontok.e
Email-Worm.Win32.Brontok.f
Email-Worm.Win32.Brontok.g
Email-Worm.Win32.Brontok.h
Email-Worm.Win32.Brontok.i
Email-Worm.Win32.Brontok.l

Email-Worm.Win32.Brontok.m
Email-Worm.Win32.Brontok.n
Email-Worm.Win32.Brontok.o
Email-Worm.Win32.Brontok.p
Email-Worm.Win32.Brontok.q
Email-Worm.Win32.Brontok.r
Email-Worm.Win32.Brontok.s
Email-Worm.Win32.Brontok.t
Trojan-Downloader.Win32.Brontok.a
Worm.Win32.Brontok.a


Eset:

Win32/Brontok
Win32/Brontok.A
Win32/Brontok.B
Win32/Brontok.C
Win32/Brontok.D
Win32/Brontok.E
Win32/Brontok.F
Win32/Brontok.G
Win32/Brontok.H
Win32/Brontok.I
Win32/Brontok.J
Win32/Brontok.K
Win32/Brontok.L
Win32/Brontok.M
Win32/Brontok.N
Win32/Brontok.O
Win32/Brontok.P
Win32/Brontok.Q
Win32/Brontok.R
Win32/Brontok.S
Win32/Brontok.T
Win32/Brontok.U
Win32/Brontok.V
Win32/Brontok.W
Win32/Brontok.X
Win32/Brontok.Y
Win32/Brontok.Z

Win32/Brontok.AA
Win32/Brontok.AB
Win32/Brontok.AC
Win32/Brontok.AD
Win32/Brontok.AE
Win32/Brontok.AF
Win32/Brontok.AG
Win32/Brontok.AH
Win32/Brontok.AI
Win32/Brontok.AJ
Win32/Brontok.AK
Win32/Brontok.AL
Win32/Brontok.AM
Win32/Brontok.AN
Win32/Brontok.AO
Win32/Brontok.AP
Win32/Brontok.AQ
Win32/Brontok.AR
Win32/Brontok.AS
Win32/Brontok.AT
Win32/Brontok.AU
Win32/Brontok.AX
Win32/Brontok.AZ
Win32/Brontok.BA
Win32/Brontok.BB
Win32/Brontok.BC
Win32/Brontok.BD
Win32/Brontok.BE

Win32/Brontok.BF
Win32/Brontok.BG
Win32/Brontok.BH
Win32/Brontok.BI
Win32/Brontok.BJ
Win32/Brontok.BK
Win32/Brontok.BL
Win32/Brontok.BM
Win32/Brontok.BN
Win32/Brontok.BO
Win32/Brontok.BP
Win32/Brontok.BQ
Win32/Brontok.BR
Win32/Brontok.BS
Win32/Brontok.BU
Win32/Brontok.BV
Win32/Brontok.BW
Win32/Brontok.BX
Win32/Brontok.BY
Win32/Brontok.BZ
Win32/Brontok.CA
Win32/Brontok.CB
Win32/Brontok.CC
Win32/Brontok.CD
Win32/Brontok.CE
Win32/Brontok.CF
Win32/Brontok.CG
Win32/Brontok.CH




Friday, August 25, 2006

Latest Kaspersky Virus Watch

P2P-Worm.Win32.VB.el
Trojan-Downloader.Win32.Agent.auv
Trojan-Downloader.Win32.Small.dow
Trojan-Downloader.Win32.VB.alg
Trojan-Spy.Win32.Bancos.wy
SpamTool.Win32.Bagle.m
Trojan-Downloader.Win32.Banload.bgq
Trojan-Clicker.Win32.VB.ox
Virus.Win32.Lanc.a
Trojan-Downloader.Win32.Zlob.agp
Trojan.Win32.KillFiles.lb
HackTool.Win32.VB.ik
Trojan-PSW.Win32.Delf.ow
Trojan-PSW.Win32.Delf.ov
Trojan.Win32.Delf.wt
Trojan-PSW.Win32.Delf.ou
Trojan-Downloader.Win32.Agent.auu
Trojan-PSW.Win32.Delf.ot
Backdoor.Win32.Hupigon.cea
Trojan-Downloader.Win32.Agent.aut
Trojan-Downloader.Win32.Small.dov
Trojan-PSW.Win32.Lineage.ahb
Trojan-Downloader.Win32.Small.dou
Backdoor.Win32.Small.mr
Trojan-PSW.Win32.Delf.os
Trojan-Spy.Win32.Agent.or
Backdoor.Win32.Hupigon.cdz
not-a-virus:Monitor.Win32.SpyAgent.n
Trojan.Win32.FlyStudio.s
Backdoor.Win32.Hupigon.cdy
Trojan-Spy.Win32.Bancos.wx
Backdoor.Win32.Hupigon.cdx
Trojan-Downloader.Win32.Small.dot
Trojan.Win32.VB.ary
Trojan-Downloader.Win32.Small.dos
Trojan-Spy.Win32.Banker.bvv
Trojan-PSW.Win32.Lmir.bab
Trojan.Win32.Opnis.u
Trojan-Downloader.Win32.Small.dor
Trojan-Downloader.Win32.Agent.aus
Trojan-PSW.Win32.Lineage.wd
Trojan-Spy.Win32.Banker.bvu
Backdoor.Win32.Rbot.bhj
Trojan-Spy.Win32.Banbra.is
Trojan.Win32.Qhost.ht
Trojan-Downloader.BAT.Ftp.cn
Backdoor.Win32.Agent.agf
Trojan-Downloader.Win32.Banload.bgp
Trojan-Downloader.Win32.Banload.bgg
Trojan-Downloader.Win32.Delf.avj
Backdoor.Win32.Rbot.bhi
Trojan-Downloader.Win32.Delf.avi
Backdoor.Win32.ServU-based.br
Trojan-Downloader.Win32.Banload.bgf
not-a-virus:Porn-Dialer.Win32.PluginAccess.p
Trojan-Downloader.Win32.Banload.bge
not-a-virus:AdWare.Win32.Softomate.s
not-a-virus:AdWare.Win32.Softomate.r
Virus.Lua.LuaDef.d
Virus.Lua.LuaDef.c
Virus.Lua.LuaDef.b
Virus.Lua.LuaDef.a
Trojan-Downloader.Win32.Zlob.ago
not-a-virus:PSWTool.Win32.PassView.d
Trojan-PSW.Win32.Delf.or
Trojan-Downloader.Win32.Small.doq
Trojan-Dropper.Win32.Small.asd
Trojan-Proxy.Win32.Dlena.u
Trojan-Spy.Win32.BZub.cr
Trojan.Win32.Agent.rm
Trojan-Dropper.Win32.Agent.avb
Trojan-Downloader.Win32.Small.dop
Packed.Win32.PePatch.ef
IM-Worm.Win32.Small.i
Backdoor.Win32.Hupigon.cdw
Trojan.Win32.Haradong.n
Trojan-PSW.Win32.QQPass.kj
Trojan-Downloader.Win32.Delf.avh
Backdoor.Win32.Rukap.ca
Trojan-Downloader.Win32.PurityScan.dg
Backdoor.Win32.Rukap.bz
Trojan-Downloader.Win32.Zlob.agn
Trojan-Downloader.Win32.Zlob.agm
Trojan-Downloader.Win32.Agent.aur
not-a-virus:AdWare.Win32.NaviPromo.ab
Worm.Win32.Agent.k
Trojan-Spy.Win32.Bancos.ww
Trojan-Dropper.Win32.Agent.ava
Backdoor.Win32.DSNX.05.e
Backdoor.Win32.Protux.j
Backdoor.Win32.Hupigon.cdv
Trojan.Win32.BHO.e
Backdoor.Win32.IRCBot.vj
Backdoor.Win32.Cakl.l
Backdoor.Win32.SdBot.avb
not-a-virus:AdWare.Win32.Virtumonde.dk
Backdoor.Win32.Rbot.bhh
Backdoor.Win32.IRCBot.vi
Backdoor.Win32.Prorat.fe
Trojan.Win32.Disabler.o
Trojan-Spy.Win32.Bancos.wv
not-a-virus:AdWare.Win32.NaviPromo.aa
Trojan-Spy.Win32.Bancos.wu
Trojan-PSW.Win32.Lineage.aha
Backdoor.Win32.Prorat.fd
Trojan-Downloader.Win32.Agent.auq
Trojan-PSW.Win32.Lineage.agz
Trojan-Proxy.Win32.Dlena.t
Trojan-Spy.Win32.Bancos.wt
Backdoor.Win32.Hupigon.cdu
Backdoor.Win32.Bifrose.yu
Exploit.Win32.Agent.ad
Trojan-Dropper.Win32.VB.dn
not-a-virus:Joke.Win32.Lemmirc
Trojan-Downloader.Win32.Zlob.agl

Tuesday, July 25, 2006

Nyxem.E

Malware type: Worm

Alias:
W32.Blackmal.E@mm, Kama Sutra, W32/MyWife.d@MM, Email-Worm.Win32.Nyxem.e, JS/Blackmal.F, W32/Kapser.A@mm, W32/MyWife

Additional Aliases:
Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.VB.bi, I-Worm.VB.bi, Kama Sutra, Nyxem.E, Small.KI@mm, W32/Grew.A!wm, W32/Kapser.A@mm, W32/MyWife.d@MM!M24, W32/Nyxem-D, W32/Small.KI, W32/Tearec.A.worm, W32/Tearec.A.worm!CME-24, Win32.Blackmal.e, Win32.Nyxem.F@mm, Win32.VB.bi, Win32/Blackmal.F!Worm, Win32/Blackmal.F, Win32/VB.NEI worm, Win32:VB-CD [Wrm], Worm.P2P.VB.CIL!CME-24, Worm.VB-8, Worm.VB.bi, Worm/KillAV.GR

Also Known As:
CME-24, Win32.Blackmal.F [Computer Associates], Email-Worm.Win32.Nyxem.e [F-Secure], Email-Worm.Win32.Nyxem.e [Kaspersky], W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Size: 95,744 bytes

Thursday, July 20, 2006

Worm/Levona.A

File size: 43,008 bytes

Aliases:
• Mcafee: W32/Avon@MM
• Kaspersky: Email-Worm.Win32.Levona.a
• TrendMicro: WORM_LEVONA.A
• VirusBuster: iworm I-Worm.Levona.A
• Eset: Win32/Levona.A worm
• Bitdefender: Win32.Worm.Levona.A

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Effects:
• Disable security applications
• Lowers security settings
• Registry modification

It copies itself to the following locations:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Nova.exe
• %SYSDIR%\Alisa.exe
• %WINDIR%\Mstry.exe

• C:\Program Files\Common Files\Renova.exe
• D:\Program Files\Common Files\Renova.exe
• E:\Program Files\Common Files\Renova.exe
• F:\Program Files\Common Files\Renova.exe
• G:\Program Files\Common Files\Renova.exe

• c:\winnt\regedit.exe
• c:\windows\regedit.exe
• c:\winnt\system32\regedit.exe
• c:\windows\system32\regedit.exe
• D:\winnt\regedit.exe
• D:\windows\regedit.exe
• D:\winnt\system32\regedit.exe
• D:\windows\system32\regedit.exe
• E:\winnt\regedit.exe
• E:\windows\regedit.exe
• E:\winnt\system32\regedit.exe
• E:\WINDOWS\system32\regedit.exe
• F:\WINNT\regedit.exe
• F:\WINDOWS\regedit.exe
• F:\WINNT\system32\regedit.exe
• F:\WINDOWS\system32\regedit.exe
• G:\WINNT\regedit.exe
• G:\WINDOWS\regedit.exe
• G:\WINNT\system32\regedit.exe
• G:\WINDOWS\system32\regedit.exe

• c:\windows\System\msconfig.exe
• c:\windows\system32\msconfig.exe
• c:\winnt\system32\msconfig.exe

It then tries to execute the following copies of itself:

– Filenames:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Alisa.exe

The following registry values are added so that the worm runs again after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Renova = Nova.exe

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Shell = %PROGRAM FILES%\Common Files\Renova.exe

The following registry keys are added:

– [HKCU\Software\Policies\Microsoft\Windows\System]
• DisableCMD = 0

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
• DisableConfig = 1
• DisableSR = 1

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
Old value:
• ProductName = %user defined settings%
• RegisteredOrganization = %user defined settings%
• RegisteredOwner = %user defined settings%
• ProductId = %user defined settings%
New value:
• ProductName = RENOVA
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA

– [HKCU\Software\Microsoft\Windows\CurrentVersion]
Old value:
• RegisteredOrganization = %user defined settings%
• RegisteredOwner = %user defined settings%
• ProductId = %user defined settings%
• ProductName = %user defined settings%
New value:
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA
• ProductName = RENOVA

– [HKCU\Control Panel\Desktop]
Old value:
• AutoEndTasks = 0
New value:
• AutoEndTasks = 1

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe

– [HKLM\SYSTEM\ControlSet%number%\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• Shell = explorer.exe
• Userinit = explorer.exe
New value:
• Shell = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe
• Userinit = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1
• DisableTaskMgr = 1

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• Type = checked
New value:
• Type =

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 2
• DefaultValue = 2

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 1
• DefaultValue = 2

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 1
• DefaultValue = 1

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• Hidden = %user defined settings%
• HideFileExt = %user defined settings%
New value:
• Hidden = 2
• HideFileExt = 1

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoDriveTypeAutoRun = 91
• NoSaveSettings = 0
• NoFolderOptions = 0
• NoFind = 1
• NoRun = 0
• NoControlPanel = 0

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
New value:
• NoFolderOptions = 0
• NoControlPanel = 0
• NoFind = 1
• NoRun = 0
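
One way to triage a suspected Levona.A infection offline is to run the indicators above against a `reg export` of the affected hives. The Python below is an added example, not code from the original write-up or from any vendor: it parses .reg text, flags any value that names one of the worm's files, reports the lockdown policies set to 1, and compares the Winlogon Shell and SafeBoot AlternateShell values against the clean defaults recorded above (explorer.exe and cmd.exe). The two .reg excerpts are constructed for illustration, not real exports.

```python
"""Offline triage of a .reg export for Worm/Levona.A indicators (added example)."""
import re
from typing import Dict, List

# File names the write-up lists as copies of the worm.
LEVONA_FILENAMES = ("renova.exe", "nova.exe", "emma.exe", "alisa.exe", "mstry.exe")
# Policy values the worm sets to 1 to lock the user out of Regedit, Task Manager and System Restore.
LOCKDOWN_POLICIES = ("DisableRegistryTools", "DisableTaskMgr", "DisableSR", "DisableConfig")
# Clean defaults for the two boot-time shells the worm hijacks (pre-infection values recorded above).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
BASELINE = {(WINLOGON, "Shell"): "explorer.exe", (SAFEBOOT, "AlternateShell"): "cmd.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key: {value_name: data}}. Quoted strings are
    unescaped, dword values become decimal strings, other types are kept raw."""
    registry: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            registry.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if not val or current is None:
            continue
        name = val.group("name") or "@"
        data = val.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        registry[current][name] = data
    return registry


def check_levona_indicators(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious value: worm file names anywhere,
    lockdown policies set to 1, and boot-time shells that deviate from baseline."""
    findings: List[str] = []
    for key, values in registry.items():
        for name, data in values.items():
            if any(fn in data.lower() for fn in LEVONA_FILENAMES):
                findings.append(f"{key}\\{name} references a worm binary: {data}")
            if name in LOCKDOWN_POLICIES and data == "1":
                findings.append(f"{key}\\{name} = 1 (user tooling disabled)")
    for (key, name), expected in BASELINE.items():
        actual = registry.get(key, {}).get(name)
        if actual is not None and actual.strip().lower() != expected:
            findings.append(f"{key}\\{name} should be '{expected}', found: {actual}")
    return findings


# Constructed excerpts, not real exports. Backslashes are doubled as in a real .reg file.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Renova"="Nova.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\Program Files\\Common Files\\Renova.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Program Files\\Common Files\\Renova.exe"
"Userinit"="explorer.exe C:\\Program Files\\Common Files\\Renova.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\Program Files\\Common Files\\Renova.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""

if __name__ == "__main__":
    for finding in check_levona_indicators(parse_reg_export(INFECTED_EXPORT)):
        print(finding)
```

On a live machine the same checker can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` and the other keys listed above; the baseline comparison matters more than the file-name match, since a renamed variant still has to hijack Shell or AlternateShell to survive a reboot.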

It uses the Messaging Application Programming Interface (MAPI) to reply to messages found in the user's inbox, so the infected mail arrives from a known correspondent and inside an existing thread. The reply has the following characteristics:

From:
The sender address is the user's Outlook account.

Email design:

To: %original sender%
Subject: Re: %original subject%
Body:
• Sorry, Saya lupa nih :)  (Indonesian: "Sorry, I forgot :)")
Attachment:
• Nova.scr

The attachment is a copy of the malware itself.
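
Both lures on this page, the Brontok "Sample Picture.zip" mail above and the Levona "Re:" reply carrying Nova.scr, are caught by the same gateway rule: block executable attachments, look inside zip attachments for executable members, and treat a reply whose attachment is executable as suspect. The Python below is an added example, not code from the original write-up or from any product. It builds two constructed messages reproducing the lures (the zip member name, the stand-in file bytes, the addresses and the original subject of the Levona reply are assumptions; the page only names the outer attachments) and scans them. The double-extension check ("picture.jpg.exe") generalises beyond the two lures on the page.

```python
"""Gateway-style attachment check for the Brontok and Levona lures (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Extensions commonly used as the decoy half of a double extension ("photo.jpg.exe").
DECOY_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".pdf", ".txt")


def _is_executable_name(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTS)


def _double_extension(name: str) -> bool:
    """True for names like 'holiday.jpg.exe': a decoy extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DECOY_EXTS and "." + parts[2] in EXECUTABLE_EXTS


def _scan_zip(filename: str, payload: bytes) -> List[str]:
    """Look inside a zip attachment for executable members (the Brontok 'Sample Picture.zip' trick)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return [f"attachment {filename} is not a readable zip archive"]
    return [f"executable inside {filename}: {m}"
            for m in members if _is_executable_name(m) or _double_extension(m)]


def scan_message(raw: bytes) -> List[str]:
    """Return findings for one RFC 5322 message. Rules: (1) executable attachment,
    (2) double-extension attachment, (3) executable inside a zip attachment,
    (4) a 'Re:' reply that carries an executable (Levona's MAPI auto-reply pattern)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart containers and the text body carry no filename
        payload = part.get_payload(decode=True) or b""
        if _is_executable_name(filename):
            findings.append(f"executable attachment: {filename}")
        if _double_extension(filename):
            findings.append(f"double extension: {filename}")
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":
            findings.extend(_scan_zip(filename, payload))
    carries_exe = any(f.startswith("executable") for f in findings)
    if carries_exe and msg.get("Subject", "").lower().startswith("re:"):
        findings.append("reply-style subject carrying an executable (Levona pattern)")
    return findings


def build_brontok_lure() -> bytes:
    """Constructed reproduction of the Brontok lure. The zip member name and its
    placeholder bytes are assumptions; the write-up only names the outer zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample Picture.exe", b"MZ" + b"\0" * 62)  # placeholder, not worm code
    msg = EmailMessage()
    msg["Subject"] = "Film Terbaru Dian Satro dan Tora Sudiro"
    msg["From"] = "fan@example.invalid"
    msg["To"] = "you@example.invalid"
    msg.set_content("Warm regards, a still from the film is attached as Sample Picture.zip")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Sample Picture.Zip")
    return msg.as_bytes()


def build_levona_reply() -> bytes:
    """Constructed Levona-style reply: 'Re:' plus an assumed original subject,
    the fixed body from the write-up, and Nova.scr attached (placeholder bytes)."""
    msg = EmailMessage()
    msg["Subject"] = "Re: jadwal rapat"
    msg["From"] = "victim@example.invalid"
    msg["To"] = "correspondent@example.invalid"
    msg.set_content("Sorry, Saya lupa nih :)")
    msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application", subtype="octet-stream",
                       filename="Nova.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_brontok_lure, build_levona_reply):
        print(build.__name__, "->", scan_message(build()))
```

The zip inspection is the part that matters for Brontok: an extension blocklist alone lets "Sample Picture.Zip" through, and the user only sees the executable after unpacking. Password-protected archives defeat member listing too, so a gateway should treat an archive it cannot open as a finding rather than as clean, which is what `_scan_zip` does for unreadable data.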
To spread over the Kazaa peer-to-peer network it looks up the user's shared download folder from the following registry value (files placed there are offered to other Kazaa users):
• \Software\Kazaa\Transfer\DlDir0

List of processes that are terminated:
• GUNBLADE.EXE
• CAV.EXE

Processes with one of the following strings are terminated:
RABIAH; RABI'AH; MANTIK; PLATO; KINDI; IMAMAH; MATURID; HARUN NAS; IZUTSU; TEOLOGI; SUFI; PARTAI; HASAN ALBANA; IKHWANUL MUSLIMIN; TAHRIR; ARISTOTELES; GIBRAN; GHAZALI; IHYA; GENDER; PLURALISME; SYIAH; SYI'AH; DEMOCRA; DEMOKRA; LIBERAL; TASAWUF; SAMIR; YUNAN; QUTH; EMANSIP; PHILOSOP; MUTAZILAH; MU'TAZILAH; FILOSOF; FILSAFAT; REALPLAYER; CLEANER; MOVZX; REMOVER; ZANDA; MACHINE; CILLIN; CILIN; AVAST; GRISOFT; PROCEXP; NORTON; EARTHLINK PROTECTION; WASHER; ERTANTO; COMPACTBYTEAV; ADVANCED REGISTRY TRACER; KILL; CASTLECOPS; SOPHOS; F-SECURE; REGISTRYFIX; PANDA; SECUNIA; TREND; SYMANTEC; KASPERSKY; AVG; MCAFEE; NVC; NORMAN; VAKSIN; HACKER; COMMAND PROMPT; PROCESS EXPLORER - SYSINTERNALS; SYSTEM32; PCMAV; HIJACK; KILLBOX; FOLDER OPTION; CMD; WORM; TROJAN; VIRUS; ANTI; COMMAND BRO!!!; COMMAND BRO !!!; JOWOBOT; FAJAR; SATRIO; KANTUK; KANGEN; CUEX; EVANTA; BORAX; TITTA; CODE-X; MONTELLA; MONTELA; FERDINAND; CAMPBEL; CRUZ; ADRIANO; KAHN; RECOBA; FIGO; RAUL; GONZALES; CISSE; GERRAD; LAMPARD; TERRY; RIVALDO; GATUSO; GATTUSO; VAN DE; SHEARER; AIMAR; CLAUDIO; LOPEZ; TOLDO; CANNAVARO; NESTA; UMIT; HAKAN; LARSON; LARSSON; ETO O; ETO'O; MOVIC; MIDO; FABREGAS; HENRY; BARTHEZ; MANCINI; GILARD; BATIGOL; BATISTUA; TOTTI; COLE; OWEN; DIDA; RONALDINHO; TREZEG; ROBINHO; CARLOS; ROBERTO; RONALDO; MARADONA; PELE; VIDUKA; SALAS; KEWEL; PERUZZI; HOWARD; ZANETI; ZANETTI; GIGGS; ROONEY; BUFFON; VIERI; PIRLO; KAKA; ZLATAN; DECO; SHEVA; SHEVCHENKO; INZAGHI; PIERO; BECKHAM; BOCA J; BORDEUX; MONACO; MUNICH; MUNCHEN; DORTMUND; LEVERKUSEN; SEVILLA; VALENCIA; BARCA; BARCEL; MADRID; PARMA; LAZIO; ROMA; INTER; MILAN; JUVE; NEWCASTLE; LIVERPOOL; ARSENAL; CHELSEA; MANCHESTER; CUMBU; KISS; CIUM; RAYU; JULIET; ROMEO; VALENTINE; HENTAI; MANGA; ANIM; SUCK; FUCK; NAKE; NUDE; TEEN; GIRL; PORN; SEKS; SEX; THOMAS; JEREM; MAYANG S; NIA R; ZAYANT; DEWI; ANJASMARA; DIAN S; DIAN N; SOPIA; SOPHIA; MAYANG SARI; CUT KEKE; FEBIOLA; FEBY; JIHAN; CUT TARI; RIKE DIAH; WIBOWO; SARAH; AZAHRI; AZHARI; RIRIN; RATNASARI; TAMARA; 
ZUBIR; PRIMUS; REVALDO; ENNO LERIAN; ENO LERIAN; DIAH; KADIR; DOYOK; ULFA; KOMENG; JENIFER; JENNIFER; DICAPRIO; KRISTIN; ANGELLI; LEONARDO; KATE WIN; EMMA WATSON; HARY POTTER; HARRY POTTER; GOSSIP; GOSIP; SASTRA; SENI; ARTIS; BOLYWOOD; HOLYWOOD; SINETRON; VAGANZA; CELEBRI; SELEB; TSUBASA; SLAM DUNK; SAMURAI-X; SAMURAI X; HATTORI; HATORI; KABUTO; SHIZUKA; DORAEMON; NOBITA; INUYASHA; KENSHIN HIMURA; KOTARO MINAMI; KYOKO; EMIKO SHIRATORI; FAYE WONG; UEMATSU; NUOBUO; NOUBUO; NOBUO; NUBUO; MADONNA; MADONA; BENNINGTON; BENINGTON; GUN AND ROSE; GUN N ROSE; BLUR; SAMMY; PEARL; NAZARE; FRENTE; CRANBER; RADIOHEAD; RADIO HEAD; STING; SAYBIA; KEANE; GROBAN; ALTER; STEFAN; GWEN; MAROON; ANTHEM; GROOVE COVARAGE; PRODIGY; AGUILERA; BEDING; METALLICA; GUN N'ROSES; ALICIA KEYS; TATA YOUNG; BOY ZONE; MICHEL; MICHAEL; MICHEAL; MLTR; MARTYN; MARTIN; SCORPION; LINKIN PARK; LINKINPARK; GREEN DAY; GREENDAY; HOOBASTANK; PETER; WEST; SPICE; BRITNEY; DEDI DOR; NIA DANIAT; DAHLIA; NIKE ARD; BAGASKARA; KATON; NAFF; TITIK PUSPA; TITIEK PUSPA; DELON; SNADA; JOSHUA; SHERINA; SERIEUS; SERIUES; SEURIUS; 10 2 5; TENTOFIVE; TEN2FIVE; 10 TO 5; TEN TO FIVE; TEN 2 FIVE; CHRISYE; SO7; SHEILA; GLENN; AURIL; AVRIL; OPICK; AGNES; ANANG; NUGIE; HADAD; HADDAD; AB THREE; REZA; CAFEIN; CAFFEIN; RATU; RADJA; LALUNA; THE RAIN; UTOPIA; SPARK; BASEJAM; ENDANK; JAVA JIVE; MARCEL; BUNGLON; ANDRE HEHANU; FLANELA; BAIM; CANDIL; KOES P; MINORU; NUNO; YOVI; AUDY; TERE; WAYANG; BASE JAM; JIKUSTIK; SAMSON; PAS BAND; BOOMERANG; NAIF; COKELAT; KAPTEN BAND; TIC BAND; JAMRUD; KOTAK BAND; AMERICAN IDOL; INDONESIAN IDOL; TEAM LO; BUNGA; TIPE-X; TIPE X; ELEMENT; EMINEM; RAIHAN; RAYHAN; MELY; MELLY; UNGU; STINGKY; SLANK; INUL; PADI; IWAN FAL; ADABAND; ADA BAND; ROSA; KRISDAYANTI; NURHALIZA; DEWA; ARY LASO; ARY LASSO; ARI LASO; ARI LASSO; GIGI; THE 0THERS; CHEER; DANCE; SING; SONG; MP 3; MP3; MARAWIS; NASYID; DANGDUT; MELODI; MELODY; SENANDUNG; IRAMA; GITAR; GUITAR; NYANYI; LAGU; WINAMP; MUSIK; MUSIC; DANIAT; PHILOSO; FUNNY; 
MALAS; SOUND; JPG; JPEG; RAGNAROK; FANTASY; IKHWANUL; ARISTO; PLURAL; GAME; DEMOC; DEMOK; FAKE; NORWE; REMOVE; PROTECT; COMPACT; REGISTRY; CASTLE; SOPH; SECUR; MCAFE; DEEP; HIJA; VIR; CRACK; HACK; ACT; BECK; GAMB; FOTO; PHOTO; KASIH; TUNANG; PACAR; CINTA; LOVE; JULIE; ROME; VALENT; LEONARD; KATE W; EMMA WAT; HARY; POTTER; HARRY; ART; BOLY; HOLY; SINE; EMIKO; WONG; FAYE; UEMA; NUO; NOB; NUB; MADO; BENING; BENNING; ROSE; GUN; ZONE; BOY; MICH; MART; SCORP; LINKIN; GREEN; HOOB; RIF; DEDI D; NIKE; PUSPA; JOSH; SHERIN; TEN TO; TEN 2; CHRIS; POTRET; NUGI; AUDI; AMERICA; ELEMEN; DANG

The memory of running processes is searched for the following strings; any process that matches is terminated:
XMPLAYER.EXE; REALPLAY.EXE; ACDSEE.EXE; ALOGSERV.EXE; CM GRDIAN.EXE; CMGRDIAN.EXE; RULAUNCH.EXE; VSMAIN.EXE; AVPCC.EXE; AVPM.EXE; AVP32.EXE; AVWUPSRV.EXE; AVGNT.EXE; AVWIN.EXE; AVGEMC.EXE; AVGWB.DAT; AVGCC.EXE; TROJAN GUARDER.EXE; ASHSIMPL.EXE; ASHQUICK.EXE; OPERA.EXE; FIREFOX.EXE; IEXPLORE.EXE; TASKMGR.EXE; EMUSICCLIENT.EXE; ART.EXE; NAVW32.EXE; CCLAW.EXE; NVCOD.EXE; WINAMP.EXE

Processes containing one of the following window titles are terminated:
CompactbyteAV; Advanced Registry Tracer; Setup - iKnowPS; iKnowPS; RamCleaner; System Cleaner; TuneUp RegistryCleaner; Antivirus Scanner; Zanda's little helper; Norman Generic Fix; NVC v5.81 Setup; Norman Virus Control - InstallShield Wizard; Process Explorer - Sysinternals: www.sysinternals.com; Pocket Killbox; RegCleaner 4.1 by Jouni Vuorio; Security Task Manager Versi shareware tanpa registrasi; Security Task Manager; Installation; EULA; PowerDVD; Windows Media Player; Microsoft Configuration Utility; System Restore; System Configuration Utility; Restrictions; Registry Editor; Close Programs; Close Program; Task Manager; Windows Script Host; HijackThis; HijackThis - v1.99.1; Getting Started with Windows 2000; Folder Options

Mutex:
It creates the following Mutexes:
• Renova Aliciana
• Renova Emira

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
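
A quick triage check for a sample reported as UPX-packed is to read the PE section table: an unmodified UPX build leaves sections named UPX0 and UPX1 and writes a "UPX!" marker into the header area. The Python below is an added example, not part of the original write-up or of the UPX project; the minimal PE header it builds is constructed for illustration (it contains no code and is not a runnable executable). Packers can rename sections and strip the marker, so a negative result rules nothing out; the check only confirms the default UPX layout the write-up reports.

```python
"""Read PE section names and look for default UPX artefacts (added example)."""
import struct
from typing import List

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def section_names(pe: bytes) -> List[str]:
    """Return the section names of a PE image. Raises ValueError when the DOS or
    PE headers are not where the format says they should be."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)      # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                     # COFF file header follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size              # section table starts here
    names: List[str] = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = pe[off:off + 8]                               # first 8 bytes of each header: the name
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def looks_upx_packed(pe: bytes) -> bool:
    """Default UPX output carries UPX0/UPX1 (sometimes UPX2) section names."""
    return any(n.upper().startswith("UPX") for n in section_names(pe))


def has_upx_marker(pe: bytes) -> bool:
    """UPX stores a 'UPX!' magic in its own header right after the section table."""
    return b"UPX!" in pe[:4096]


def build_sample_pe(names: List[str], marker: bool = False) -> bytes:
    """Constructed minimal 32-bit PE header with the given section names: a DOS stub
    pointing at offset 0x40, a COFF header, a zeroed 0xE0-byte optional header and one
    40-byte section header per name. Not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, 0xE0, 0x010F)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + optional + sections + (b"UPX!" if marker else b"")


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"], marker=True)
    print(section_names(sample), looks_upx_packed(sample), has_upx_marker(sample))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `section_names`; a UPX0/UPX1 layout plus the marker means `upx -d` will usually unpack it, while a sample with ordinary section names and high entropy has either been repacked or uses a different packer.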

Thursday, July 13, 2006

List of viruses, 2005 - 2006

Bagle.CP, Bagle-CP.msg, BACKDOOR, w32/Brontok-1, w32.Brontok-3, Brontok-4, Brontok-5.A, Brontok-5.B, Brontok-10.A, Brontok-10.B, Brontok-12.A, Brontok-12.B, Brontok-12.C, Brontok-14.A, Brontok-14.B, Brontok-14.C, Brontok-15, Brontok-16.A, Brontok-16.B, Brontok-16.C, Brontok-17.A, Brontok-17.B, Brontok-17.C, Brontok-17.D, Brontok-17.E, Brontok-18R.A, Brontok-18R.B, Brontok-22.MyBro, Brontok-22.MyBro.msg, Brontok.Downloader, Brontok-Sensasi.A, Brontok-Sensasi.B, Brontok-Sensasi.C, Brontok-Laknats, brontok.z BlueFantasy, BlueFantasy-msg, brontok.gn/rontokbro.gn, brontok.go/rontokbro.go, Borax, Win32/Bagle.EH, Win32/Bagle.EF, Win32/Bagle.EG, Win32.Mydoom.N, Win32.Netsky.P, Cendrawasih, Decoil.A, Decoil.A-2, Decoil.A-3, w32/Detnat.a, w32.Detnat.b, Detnat.c, Detnat.d, Detnat.e, Detnat.f, Detnat.g, Diary, Dodol, Dodol.msg-A, Dodol.msg-B, Dodol.msg-C, Dodol.msg-D, Dodol.msg-E, Dian sastro, W32.Ecup, W32.Ecup!p2p, FunLove, Hopelessly, Infostealer.Orcu, Jeefo, KamaSutra, KamaSutra.htt, Kantuk, Komodo, W32/Kraze.a, LiveForever, MyTob.AL, MyTob.V, mywife, NeverShow, Patient, Pctattletale, Pinfi.a, Qhosts.B, RomanticDevil, RomanticDevil.pic, RomanticDevil.msg, RomanticDevil.htm, RomanticDevil.vbs, Riani jangkaru, W32.Serwab@mm, Shuriken, SomeFool.P, SomeFool.Z, stenit, Tomero, Tomero.doc, worm/vb.cj, w32/vb.cj, Wukill, W32.Icogon, Trojan.Hlinic.B, W97M.Kukudro.A, Kukudro.A, WM97/Kukudro-A, Backdoor.Beasty.J, Trojan.Exobre, BAT.Antir, W32.Kidala.E@mm, Trojan.Hlinic, Downloader.Booli.B, Perl.Lekbot.B, Backdoor.Pahador, Trojan.Kuserv, Backdoor.Rajump, SymbOS.Commdropper.F, Commdropper.C [F-Secure], W32.Amirecivel.E@mm, SymbOS.Commwarrior.N, Commwarrior.H [F-Secure], SymbOS.Commwarrior.M, Commwarrior.N [F-Secure], SymbOS.Commdropper.G, Commdropper.H [F-Secure], SymbOS.Dropper.A, Trojan.Flemex, W32.Kraze, W32.Beagle.FG@mm, W32/Bagle.fb!pwdzip [McAfee], SymbOS.Romride.H, Romride.H [F-Secure], SymbOS.Romride.G, Romride.G [F-Secure], SymbOS.Romride.F, Romride.F [F-Secure], 
W32.Beagle.FF@mm, W32/Bagle.fb@MM [McAfee], W32/Bagle-KL [Sophos], W32/Bagle-KM [Sophos], Trojan.Rootserv, Hacktool.Rootkit, Infostealer.Nailmews, Downloader.Centim, Infostealer.Orcu, MSIL.Kolilo, PE_IKOL.A [Trend] W32.Sixem.A@mm,W32/Sixem-A [Sophos], W32/Deza.A [F-Secure], Trojan.Haradong, Infostealer.Wowcraft.D, Trojan.Slapew.C, Trojan.Slapew.B, Trojan.Tooso.R, W32.Beagle.KF [Sophos], W32.Beagle.FD@mm, Backdoor.Ripgof.B, W32.Looked.J, Trojan.Lodear.J, W32.Revolnam, Infostealer.Gamania, W32.Sality.R, Backdoor.Naninf.E, BKDR_BREPBOT.A [Trend], Infostealer.Yohokie, Trojan.Slapew, Backdoor.Haxdoor.M, Infostealer.Sealoln, Downloader.Booli.A, Trojan.Mdropper.J, Trojan.Dropper, Bloodhound.Exploit.74, Bloodhound.Exploit.73, Backdoor.Eterok.C, Bloodhound.Exploit.72, Backdoor.Daserf, JS.Yamanner@m, JS/Yamanner@MM [McAfee], JS_YAMANER.A [Trend Micro], Yamanner.A [F-Secure], JS/Yamann-A [Sophos], Downloader.Swif.B, Trojan.Skowr, TROJ_SKOWR.A [Trend], W32.Detnat.G, Downloader.Bancos, W32.Detnat.F, W32.Nopir.D, W32.Serwab@mm, W32.Timeserv@mm, W32.Fijjy, Downloader.Bancos!gen, Bloodhound.NsAnti, W32.Detnat.E, Trojan.Silm, Backdoor.Ginwui.C, Trojan.Mdropper.I, Bloodhound.Exploit.71, Perl.Lekbot, SB.Starbugs, W97M.Tored.A, W2KM_TORED.A[Trend Micro], Backdoor.Haxdoor.L, Trojan.Emcodec.D, SymbOS.Commdropper.E, Infostealer.Bancos.AB, SymbOS.Commwarrior.J, Commwarrior.K [F-Secure], W32.Beagle.FC, SymbOS.Romride.E, Romride.E [F-Secure], SymbOS.Romride.D, Romride.D [F-Secure], SymbOS.Commdropper.D, Commdropper.F [F-Secure], SymbOS.Romride.C, Romride.C [F-Secure], SymbOS.Commwarrior.L, Commwarrior.M [F-Secure], SymbOS.Commwarrior.K, Commwarrior.L [F-Secure], Trojan.Looksky, SymbOS.Romride.B, Romride.B [F-Secure], SymbOS.Romride.A, Romride.A [F-Secure], Bloodhound.Tibs, Backdoor.Rustock.A, W32.Lecna.A, OSX.Exploit.MetaData, Exploit.OSX.Safari.a [Kaspersky], OSX/Exploit-ZipShell [McAfee], SB.Stardust.A!int, XML_DUSTAR.A [Trend Micro], W32.Wamgin, Trojan.Emcodec.C, Backdoor.Sdbot.AT, 
W32.Pahatia.A, W32.Looked.I, Trojan.Gobrena, W32.Gaobot.EUX, Trojan.Agentdoc.B, W32.Sejese, BlackAngel.A [Panda], W32.Jesse, W32.Ecup, W32.Ecup!p2p, W32.Banwarum@mm, W97M.Lunedo.B, SymbOS.Commwarrior.I, SymbOS.RommWar.D, RommWar.A [F-Secure], SymbOS.RommWar.C, RommWar.C [F-Secure], SymbOS.RommWar.B, Rommwar.B [F-Secure], Backdoor.Darkmoon.C, SymbOS.Doomboot.T, Doomboot.M [F-Secure], Worm/Kelvir, W97M/Kukudro, Backdoor.Bifrose.F, W32.Dozic, Backdoor.Haxdoor.N, Trojan.PPDropper.B, W32.Looked.P, W32.Looked.O, Infostealer.Corepias, Trojan.Dachri, Trojan.Mdropper.K, Backdoor.Sdbot.AU, Backdoor.Pcclient.B, VBS.Birhip, SymbOS.Mabir.B, W32.Jalabed.B@mm, SymbOS.Doomboot.X, SymbOS.Commdropper.H, W32.Banwarum.G@mm, W32.Yawmo, Bloodhound.Exploit.75, Trojan.Nakani, SymbOS.Cabir.X, SymbOS.Ruhag.E, SymbOS.Ruhag.D, Infostealer.Svcstor, Backdoor.Rustock.B, Trojan.Lodeight.C, Trojan.Hongmosa, W32.Esbot.E, SymbOS.Doomboot.W, SymbOS.Doomboot.V, W32.Audio, W32.Sixem.C@mm, W32.Amirecivel.F@mm, W32.Gatt, SymbOS.Cdropper.Q, Trojan.Deoplive , Trojan.Emcodec.E, SymbOS.Cdropper.S, SymbOS.Cdropper.R, SymbOS.Dampig.D, SymbOS.Cdropper.O , W32.Areses.P@mm, Trojan.Zlob.L, OSX.Exploit.Launchd, Trojan.Clagger, Backdoor.Graybird.S, W32.Sality.T, SymbOS.Cdropper.J, W32.Resik.A, Trojan.Bookmarker.K, SymbOS.Cdropper.K, SymbOS.Cdropper.I, SymbOS.Cdropper.G, SymbOS.Cdropper.F, W32.Sality.S, Infostealer.Jianghu, W32.Banleed.B, W32.Icogon, Trojan.Hlinic.B, W97M.Kukudro.A, Backdoor.Beasty.J, Trojan.Exobre , BAT.Antir, Trojan.Gared, Backdoor.Hacarmy.G, Infostealer.Panobu, Downloader.Browsilla, W32/Gatt, W32/Donak.dr, W32/Donak.worm, Racgen, W97M/Kukudro, W32/Kraze.dr, Downloader-AWX.dr, W32/Bagle.fd@MM, Downloader-AXD, W32/Sdbot.worm!605becc1, W32/Sdbot.worm!b37e4475, W32/Bagle.fc@MM, BackDoor-DIP, Downloader-AXA, Del-507, W32/Bagle.fb!pwdzip, W32/Kraze.a, W32/Bagle.fb@MM,MultiDropper-QU, W32/Sdbot.worm.dr!8aa30865, Exploit-MSExcel.b.gen, W32/Sixem.a@MM, Downloader-AWV.dr, BackDoor-CKB.dr!adeb69f7, 
BackDoor-CKB!f8984a14, Exploit-MSExcel.gen, Downloader-AWX, Downloader-AWW, Exploit-PPT, Downloader-AWV, W32.Stong.A, Trojan.Gobrena.B, Trojan.Clagger.B, Trojan.Riler.F, Trojan.PPDropper.C, ACTS.Spaceflash, Trojan.Frozzie

Tuesday, May 09, 2006

Bots

What's a Bot?

“Bot” is short for robot, though not the kind found in science fiction films or on a factory production line. Bots are one of the most sophisticated types of crimeware facing the Internet today. They resemble worms and Trojans but earn their name by performing a wide variety of automated tasks on behalf of their master (the cybercriminal), who is usually located safely somewhere far across the Internet. Tasks range from sending spam to knocking Web sites off the Internet as part of a coordinated “denial-of-service” attack. Because a bot-infected computer does the bidding of its master, these victim machines are often called “zombies.”

Bots sneak onto a person’s computer in many ways. Bots oftentimes spread themselves across the Internet by searching for vulnerable, unprotected computers to infect. When they find an exposed computer, they quickly infect the machine and then report back to their master. Their goal is then to stay hidden until they are awoken by their master to perform a task. Bots are so quiet that sometimes the victims first learn of them when their Internet Service Provider tells them that their computer has been spamming other Internet users. Sometimes a bot will even clean up the infected machine to make sure it does not get bumped off of the victim’s computer by another cybercriminal’s bot. Other ways in which a bot infects a machine include being downloaded by a Trojan, installed by a malicious Web site or being emailed directly to a person from an already infected machine.
Bots do not work alone but are part of a network of infected machines called a “botnet.” Botnets are built by attackers repeatedly infecting victim computers using one or several of the techniques mentioned above. Each zombie is controlled from a master computer called the command-and-control server, from which the cybercriminals manage the botnet and instruct the army of zombie computers to work on their behalf. A botnet is typically composed of a large number of victim machines spread across the globe, from the Far East to the United States. Some botnets have a few hundred or a couple of thousand computers, but others have tens or even hundreds of thousands of zombies at their disposal.

Definitions

Virus?
A virus is a man-made program or piece of code that attaches itself to other programs or files and causes an unexpected, usually negative, event when they run. Viruses are often disguised as games or images with enticing titles such as "Me, nude."

Worm?
A worm is self-replicating malware that spreads on its own, typically across a network, without needing to attach itself to a host file as a classic virus does. A running worm resides in the computer's active memory and sends copies of itself to other computers, for example through email or Internet Relay Chat (IRC).

Trojan Horse?
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.