The following is the analysis of the worm Swisyn.algm.
The worm Swisyn.algm spreads by the following means:
- The autorun function
- E-mail
Target operating systems:
- Windows XP
- Windows 2003
- Windows Vista
- Windows Server 2008
- Windows 7
Side effects of the worm:
- Lowers security settings
- Disables security applications
- Downloads suspicious files
- Modifies the registry
The worm copies itself to the following locations (note that the legitimate csrss.exe lives in %SYSDIR%, not in the %WINDIR% root):
- %WINDIR%\csrss.exe
- %SYSDIR%\updates.exe
The worm then also tries to download the following files:
- http://**********/tryme.iq
- http://**********/ff.iq
- http://**********/gc.iq
- http://**********/ie.iq
- http://**********/im.iq
- http://**********/op.iq
- http://**********/m.iq
- http://**********/rd.iq
- http://**********/pspv.iq
- http://**********/SendEmail.iq
- http://**********/hst.iq
It modifies the following registry keys:
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] > "Shell"="Explorer.exe %WINDIR%\csrss.exe" (the worm copy is started at every logon together with Explorer)
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
New value (setting EnableLUA to 0 turns UAC off entirely):
• "EnableLUA"=dword:00000000
• "PromptOnSecureDesktop"=dword:00000000
• "EnableVirtualization"=dword:00000000
The following Image File Execution Options entries all receive a "Debugger" value. Windows starts the program named in "Debugger" whenever the listed executable is launched, so every attempt to start these antivirus components (avp.* is Kaspersky, avguard/avgupsvc/avnotify are Avira, drwebwcl/drwreg are Dr.Web) runs the worm instead:
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupsvc.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebwcl.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwreg.exe]
New value:
• "Debugger"="%WINDIR%\csrss.exe"
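The registry changes above can be checked offline from a .reg export. The script below is an added example written for this write-up, not code from the original analysis: it parses the REG_SZ and REG_DWORD values of a .reg file and flags the three patterns listed (an IFEO "Debugger" value, a Winlogon "Shell" that is not plain explorer.exe, and UAC policy values zeroed out). SAMPLE_REG is a constructed export mirroring the entries above with %WINDIR% expanded to C:\WINDOWS; the notepad.exe/windbg entry is an assumed benign developer setting, included to show why an IFEO Debugger pointing at a system-process name outside System32 is rated higher than an arbitrary one.

```python
# Added example (not from the original analysis): audit a .reg export for the
# Swisyn.algm-style registry tampering described in the write-up.
import re
from typing import Dict, List, Tuple, Union

# Constructed sample export; the notepad.exe entry is an assumed benign one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"EnableVirtualization"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
"""

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
UAC_VALUES = ("EnableLUA", "PromptOnSecureDesktop", "EnableVirtualization")

# Core Windows process names that malware borrows; the genuine binaries live in
# %WINDIR%\System32, never in the %WINDIR% root.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')

Hive = Dict[str, Dict[str, Union[str, int]]]
Finding = Tuple[str, str, str, str]  # (kind, subject, value, severity)


def parse_reg(text: str) -> Hive:
    """Parse REG_SZ and REG_DWORD values from a .reg export into {key: {name: value}}."""
    hive: Hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            hive.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, string_value, dword_value = value_match.groups()
            if string_value is not None:
                # .reg files escape quotes and backslashes inside string values.
                hive[current][name] = string_value.replace('\\"', '"').replace("\\\\", "\\")
            else:
                hive[current][name] = int(dword_value, 16)
    return hive


def is_masquerading_path(path: str) -> bool:
    """True when a core system process name is used outside %WINDIR%\\System32."""
    normalized = path.replace("/", "\\").lower()
    name = normalized.rsplit("\\", 1)[-1]
    return name in SYSTEM_PROCESS_NAMES and not normalized.endswith("\\system32\\" + name)


def audit(hive: Hive) -> List[Finding]:
    """Return the suspicious entries found in a parsed hive."""
    findings: List[Finding] = []

    # 1. IFEO: a "Debugger" value makes Windows start that program instead of the
    #    named executable. Every entry deserves review; one pointing at a
    #    masquerading system-process name matches the pattern in the write-up.
    for key, values in hive.items():
        if key.lower().startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            debugger = str(values["Debugger"])
            severity = "high" if is_masquerading_path(debugger) else "review"
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[-1], debugger, severity))

    # 2. Winlogon Shell: anything beyond plain explorer.exe runs at every logon.
    shell = hive.get(WINLOGON_KEY, {}).get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", "Shell", shell, "high"))

    # 3. UAC policy values set to 0 disable prompting, the secure desktop and virtualization.
    uac = hive.get(UAC_KEY, {})
    for name in UAC_VALUES:
        if uac.get(name) == 0:
            findings.append(("uac_disabled", name, "0", "medium"))

    return findings


if __name__ == "__main__":
    for kind, subject, value, severity in audit(parse_reg(SAMPLE_REG)):
        print(f"[{severity:6}] {kind:15} {subject} -> {value}")
```

To run it against a real host, export the keys with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`) and pass the file contents to parse_reg; reg export on current Windows writes UTF-16, so open the file with encoding="utf-16". The parser deliberately ignores other value types (hex:, expand strings) since none of the entries above use them.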
Content of the e-mail sent by the worm (the link ends in .scr, a screensaver executable disguised with a PDF-looking file name):
Hello:
This is The Document I told you about,you can find it
Here.http://**********.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
Please check it and reply as soon as possible.
The worm also stops the following security and update services (the list consists of Windows service names, e.g. WinDefend is Windows Defender and wuauserv is Windows Update):
- USB Disk Security; AntiVir WebService; WinDefend; Avast! Antivir; AVG
Security Toolbar Service; Panda Software Controller; wuauserv;
McNaiAnn; aswUpdSv; avast! Mail Scanner; avast! Web Scanner;
AntiVirService; AntiVirSchedulerService; AntiVirFirewallService; NIS;
MSK80Service; mfefire; McNASvc; McOobeSv; McMPFSvc; McProxy; McODS;
mcmscsvc; mfevtp; Avgfws9; avg9wd; AVGIDSAgent; PAVFNSVR; Gwmsrv;
PSHost; PSIMSVC; PAVSRV; PavPrSrv; PskSvcRetail; TPSrv; SfCtlCom;
TmProxy; TMBMServer; Arrakis3; LIVESRV; VSSERV; sdAuxService;
sdCoreService
This worm was written in Visual Basic.