1.Win32/Daonol
malware ini merupakan varian dari trojan yang mampu mengambil alih network traffic, mencuri file di FTP, mencegah akses ke situs2 keamanan, menutup akses ke Sistem Windows, dan mengarahkan mesin pencari untuk masuk ke situs2 porno dan bervirus. (Klo situs porno aja sich, ya gapapa..hihihih).
Daonol bekerja lumayan jenius, karena trojan ini mendaftarkan file “tpqnh.hmq” di registry windows dan memperbanyak diri kedalam folder sistem windows. File ini terdaftar sebagai Windows NT-Dynamic-link Library dengan rincian registry sebagai berikut:
Adds value: "aux"
With data: "
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Efeknya adalah kita tidak bisa mengutak-atik registry windows. Semuanya diambil alih oleh file “tpqnh.hmq”
Otomatis mesin yang terinfeksi tidak bisa apa2. Yang lebih berbahaya adalah mesin anda tidak bisa terkoneksi ke internet secara benar, melainkan akan diarahkan ke situs2 porno yang berisi virus. Dan virus itu langsung masuk tanpa henti ke mesin kita, kecuali koneksi internet terputus.
2.Win32/Daurso
blum diisi, datanya masih kurang...!!!
3.Koobface
VirTool:WinNT/Koobface.E is a detection of a kernel-mode device driver component used by other malware to intercept and manipulate DNS queries, TCP connections, and other traffic. The malware can redirect DNS results and block network connections and traffic.
VirTool:WinNT/Koobface.E may be dropped and installed by other malware. In the wild we observed VirTool:WinNT/Koobface.E being dropped to
VirTool:WinNT/Koobface.E attaches itself to the IPv4/IPv6 TCP and UDP protocol driver to make interceptions. VirTool:WinNT/Koobface.E intercepts all TCP/UDP traffic, including connection attempts, and data sent and received.
VirTool:WinNT/Koobface.E receives configuration from other malware components, which is used to redirect and block specific DNS queries and network traffic. In the wild, we observed TrojanProxy:Win32/Koobface.gen!G utilizing VirTool:WinNT/Koobface.E for this purpose.
Note: The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, a browser will use DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, or queries to the DNS servers are intercepted (as in this case), an attacker can provide incorrect IP addresses at their choice to map to particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.
Prepared by ihsan.dwinanda
So,, apa yang mesti kita lakukan? Tidur aja gitu..ya ngga lah. Inilah pemaparan dari my lovely one:
*Recovery for Daonol's infections (only for Windows XP, For Vista User go to hell)
1.Navigate to Start, click Run, type the following instructions:
explorer.exe c:\
then click "OK" or press the
2.Create a folder named "cleanup" - from the File menu, select New and then Folder and type "cleanup". Press the
3.Navigate to Start, click Run, type the following instructions:
explorer.exe %windir%\system32
then click OK or press the
4.Type cmd to highlight the command prompt executable "cmd.exe" and right-click the icon and select copy, or press Ctrl-C to copy the program to the Windows clipboard.
5.Paste the copied executable into the "cleanup" folder - press Alt-Tab to toggle the active window to the "cleanup" folder and press Ctrl-V to paste the "cmd.exe" executable into this folder.
6.Rename the copied "cmd.exe" executable to "c.exe" - right-click the copied file icon and select rename, and type c.exe.
7.Double-click "c.exe" to open the copied command prompt and type the following instructions in order:
copy %windir%\system32\reg.exe r.exe
r.exe save "HKLM\Software\Microsoft\Windows NT\CurrentVersion" temp.dat
r.exe load HKLM\TempCleanup temp.dat
r.exe query HKLM\TempCleanup\Drivers32
8.The last instruction should result in the display of registry values. Malicious registry values will have the following common properties:
a.The file name has the extension ".bak", ".tmp", ".old" or ".dat"
b.The file path will include the full path including drive letter
c.The file path will include "\..\"
d.The value data may include some random strings such as "0yAAAAAAA"
Note that in this case, the last entry in the below example is the malicious registry value:
midimapper REG_SZ midimap.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
midi9 REG_SZ C:\Windows\..\kft.bak 0yAAAAAAAA
9.Write down the malicious registry value and data details on paper, as in the following example:
value = midi9
file = C:\Windows\..\kft.bak
10.Type the following instructions to delete the malicious registry key:
r.exe delete “HKLM\Software\Microsoft\Windows NT\CurrentVersion” /v midi9
11.Delete the Win32/Daonol file by typing the following instruction:
delete "C:\Windows\..\kft.bak"
12.Restart your computer.
*tested by Ihsan.dwinanda
UNTUK KOOBFACE
silakan dibersihin pake Antivirus masing2, Kaspersky bisa, Avira bisa, AVG bisa, Bitdefender bisa, Avast oke,,
Tapi lebih aman kalo pake Online scanner, silakan buka situs Kaspersky atau follow this link:
http://onecare.live.com/site/en-us/default.htm/
Windows Live Onecare Safety Scanner.
Smoga bermanfaat and tetap aware ya!!!
Thanks to read this blog. Jangan lupa tinggalin komen buat evaluasi.
Destiya Prabowo n Ihsan Dwinanda, 2009
*Nantikan, analisis selanjutnya mengenai malware: Win32/FakeScanti yang kurang ajar.
