Whatever is most popular attracts attention, from the well-intentioned and the ill-intentioned alike. Most PC viruses, for example, run riot on Windows because it is the most popular OS. Likewise, the most widespread mobile phone viruses today target phones running Symbian OS, for the obvious reason that Symbian is the market leader in the mobile world. Apart from those operating systems, what is the most popular thing in the online world right now?
Most people would answer Facebook. We are not the only ones who know that Facebook is the most popular application; virus writers know it too, and viruses that trade on Facebook's popularity have begun to appear.
Koobface is one example. Although its distribution is not very high, it shows that Facebook is now "on the radar" of Internet criminals as a means to reach their targets. Vaksincom expects malicious applications that exploit Facebook to become more and more widespread, so Facebook users should be more careful. Currently a trojan is circulating that uses social engineering to appear to come from the Facebook administrators; once run, it downloads a fake antivirus, better known as scareware. Details follow in the Vaksincom article below.
The number of Facebook users opens a new door for virus writers to spread their virus through social engineering; if we are not aware of it, such a virus will spread successfully across the Facebook community, as the sample currently circulating shows. We call it the Facebook virus; Norman detects it as W32/Obfuscated.D2!Genr. Why "Facebook virus"? Because it targets Internet users who have a Facebook account, using Facebook security as the pretext: the virus writers send an e-mail that appears to come from "Facebook Admin" with an attachment that supposedly resets the existing Facebook password. Because it seems to come from the Facebook administrators, recipients tend to believe the e-mail (better that than having their Facebook account blocked :p). The result is not a more secure Facebook account but a computer turned into a spam zombie: it sends spam to every address it can harvest and spreads itself by sending e-mails that appear to come from "Facebook Admin" with the virus as an attachment. So be careful, keep following developments, and keep enjoying Facebook, as long as it does not interfere with work :)
Is that all? No. As the saying goes, "fall down the stairs, then get bitten by a dog": the virus will also download scareware, a fake antivirus that passes itself off as an antispyware product named "Security Tools" and installs itself automatically on the infected system. This fake antispyware displays false warnings that the system is infected, listing a series of scary virus/trojan names it claims to have detected (the files do not actually exist). If the user tries to clean them with the fake software, it shows a screen asking the user to buy the software; ignore it, because you will not receive any antispyware product. (see Figure 1)

Figure 1, "Security Tools", spyware masquerading as an antispyware program
The e-mail sent by this Facebook virus has the following characteristics: (see Figure 2)
Figure 2, example of the e-mail sent by the virus
The attached file is 24 KB as a ZIP archive or 30 KB as an EXE; the EXE carries an MS Excel document icon, but its file type is "Application" (see Figure 3)
Figure 3, the virus's parent file
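The lure above is easy to triage mechanically: a message that claims to be from Facebook and carries a ZIP whose member is a Windows executable (the "MZ" header gives it away, whatever icon it shows). The following is an added example, not code from the original article or from Vaksincom; the sample message, the attachment names and the stub "executable" are constructed for the demonstration, and the check is written for a mail gateway or a quick command-line look at a saved .eml.

```python
"""Triage an e-mail for the Facebook-admin lure: a sender posing as Facebook
with a ZIP (or bare EXE) attachment that is really a Windows executable.
Constructed sample data; nothing here is taken from a live malware sample."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
PE_MAGIC = b"MZ"  # every Windows executable starts with the DOS 'MZ' stub


def looks_executable(name: str, head: bytes) -> bool:
    """True if the payload is a PE file or is merely named like one."""
    ext = os.path.splitext(name)[1].lower()
    return head.startswith(PE_MAGIC) or ext in EXECUTABLE_EXTENSIONS


def executables_in_zip(blob: bytes) -> list[str]:
    """Names of archive members that are executables.  Only the first two
    bytes of each member are read, so the check is cheap on big archives."""
    found = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if looks_executable(info.filename, head):
                found.append(info.filename)
    return found


def triage(raw: bytes) -> dict:
    """Return the indicators found plus a verdict ('quarantine' or 'pass').
    The display name is checked rather than the domain: the lure trades on
    the Facebook name, and the From address may be spoofed all the way."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    sender = addresses[0] if addresses else None
    display = (sender.display_name if sender else "").lower()
    domain = (sender.domain if sender else "").lower()
    subject = (msg["Subject"] or "").lower()
    claims_facebook = "facebook" in display or "facebook" in subject

    exe_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if not isinstance(data, bytes):
            continue
        if name.lower().endswith(".zip"):
            exe_attachments += [f"{name}:{m}" for m in executables_in_zip(data)]
        elif looks_executable(name, data[:2]):
            exe_attachments.append(name)

    return {
        "claims_facebook": claims_facebook,
        "from_domain": domain,
        "exe_attachments": exe_attachments,
        # An executable attachment is enough on its own; Facebook never
        # ships a password reset as a file, so the Facebook claim only
        # makes the message more dangerous, not more legitimate.
        "verdict": "quarantine" if exe_attachments else "pass",
    }


def build_sample_lure() -> bytes:
    """Constructed lure (hypothetical names): a DOS-header stub inside a ZIP."""
    fake_exe = PE_MAGIC + b"\x90" * 62  # header stub only, not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reset.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "Facebook Admin <service@facebook.com>"  # spoofed
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been reset. See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="reset.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed notification with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "Facebook <notification@facebook.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Someone commented on your status"
    msg.set_content("Plain notification, no attachment.")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_lure()))
    print(triage(build_benign_sample()))
```

Run it against a real message with `triage(open("mail.eml", "rb").read())`. The ZIP check deliberately ignores the 24 KB / 30 KB sizes quoted above: sizes change with every repack, the MZ header does not.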
With the latest update, Norman Security Suite detects the virus as W32/Obfuscated.D2!Genr, while the file [reader_s.exe] is recognised as W32/Pandex.YE. With its SandBox technology, Norman Security Suite also recognises new variants of this virus [possible new, unknown virus], as shown in Figure 4 below:
Figure 4, the detection results of Norman Security Suite
When the file is run it creates several master files that are launched each time the computer starts (Elvina is the user name on the test machine; substitute the infected profile):
- C:\Documents and Settings\%user%\reader_s.exe
- C:\Documents and Settings\%user%\Start Menu\Programs\Startup\isqsys32.exe
- C:\WINDOWS\system32\reader_s.exe
- C:\Windows\system32\wbem\proquota.exe
- C:\windows\system32\sdra64.exe
- C:\Windows\system32\lowsec
  - local.ds
  - user.ds
  - user.ds.lll
- C:\Documents and Settings\Elvina\Application Data\wiaservg.log
Registry
The virus does not do much with the registry, since its aim is to download the scareware, which "if it works" makes a pile of registry changes of its own. It does still change the registry so that the files it created run when the computer starts, namely:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - Reader_s = C:\Documents and Settings\Elvina\reader_s.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Reader_s = C:\Windows\system32\reader_s.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Userinit = C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\system32\sdra64.exe,
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - EnableProfileQuota = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{8FFA689D-2C2B-2B2E-D865-74C04CA4EF06}
Trojan/spyware download
The virus tries to connect to predetermined addresses to download other trojans/spyware, which are then run automatically. Successfully downloaded files are stored in the following locations:
- C:\Windows\temp
  - wp%xxx%.exe (xxx varies, for example wpv271256600826.exe)
  - _ex-08.exe
- C:\Documents and Settings\Elvina\Local Settings\Temp\*.tmp
- C:\Documents and Settings\All Users\Application Data\47543326\47543326.exe
Some of the server addresses the virus connects to:
- 202.39.17.53
- 217.23.7.162
- 95.211.27.211
- 202.169.46.56
It also tries to connect to the following web servers:
- http://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
- http://hostvegass.ru/cman/receiver/online
- http://wapdodoit.ru/mn/base.cfg
- http://www.whatsmyipaddress.com
It also performs DNS queries for the MX records of a number of domains, as shown in Figure 5 below:
Figure 5, MX server lookups performed by the Facebook virus
Distribution medium (e-mail)
To spread, the virus e-mails itself as a ZIP attachment to every e-mail address it has harvested. If you have a Facebook account, be careful when you receive an e-mail that appears to come from the Facebook administrators, because it may be an e-mail carrying the virus. Facebook does not send password resets as attachments; if you are worried about your account, change the password on the Facebook site itself rather than opening any attachment.
If we follow the traffic with a network monitoring tool such as Wireshark, or with the netstat command from a command prompt, we can clearly see the infected computer trying to send e-mail to a number of addresses with the virus-carrying file attached; see Figure 6 below:
Figure 6, the virus sending itself
Besides sending e-mail that appears to come from Facebook Admin, it also turns the infected computer into a spam server, sending spam to a number of e-mail addresses it has obtained (see Figure 7)
Figure 7, e-mail sending activity performed by the virus
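The netstat view mentioned above shows both behaviours at once: connections to the controller addresses listed earlier, and a workstation suddenly talking SMTP to many different hosts, which is the MX lookups being put to use. The following is an added example, not code from the original article or from Vaksincom, that parses `netstat -an` output and scores it. The netstat text is constructed (the mail-server addresses are documentation ranges); only the four controller IPs and the controller.php URL come from the lists above, and the fan-out threshold is this example's own assumption.

```python
"""Spot the Facebook virus's network behaviour in 'netstat -an' output:
connections to the listed controller addresses and the outbound SMTP
fan-out of a spam zombie.  Sample text is constructed."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Controller addresses from the article
C2_IPS = {"202.39.17.53", "217.23.7.162", "95.211.27.211", "202.169.46.56"}

# Constructed sample in Windows 'netstat -an' layout; 198.51.100.x and
# 203.0.113.x are documentation addresses standing in for mail servers.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1045      202.39.17.53:80        ESTABLISHED
  TCP    192.168.1.10:1046      217.23.7.162:80        SYN_SENT
  TCP    192.168.1.10:1050      198.51.100.25:25       ESTABLISHED
  TCP    192.168.1.10:1051      198.51.100.77:25       ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.10:25        SYN_SENT
  TCP    192.168.1.10:1053      203.0.113.44:25        SYN_SENT
  TCP    192.168.1.10:1060      192.168.1.1:445        ESTABLISHED
  UDP    192.168.1.10:1025      *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$", re.I)


def parse_netstat(text: str) -> list[tuple[str, str, str, str]]:
    """(proto, remote_ip, remote_port, state) for every connection line;
    the header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, _lip, _lport, rip, rport, state = m.groups()
            rows.append((proto.upper(), rip, rport, state))
    return rows


def c2_contacts(rows) -> list[tuple[str, str, str]]:
    """Connections in any state to a listed controller address.  SYN_SENT
    counts: a dead controller still proves the bot is trying to call home."""
    return [(ip, port, state) for _proto, ip, port, state in rows if ip in C2_IPS]


def smtp_fanout(rows, threshold: int = 3) -> tuple[int, bool]:
    """Distinct remote hosts on TCP/25.  A workstation talks to one mail relay,
    a spam zombie to many; the threshold is an assumption, tune it per site."""
    hosts = {ip for proto, ip, port, _state in rows if proto == "TCP" and port == "25"}
    return len(hosts), len(hosts) >= threshold


def is_bot_checkin(url: str) -> bool:
    """The controller.php URL above announces itself: action=bot with bot
    identity fields (uid, guid), even when those fields are still empty."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("action") == ["bot"] and "uid" in query and "guid" in query


def report(text: str) -> dict:
    rows = parse_netstat(text)
    count, suspicious = smtp_fanout(rows)
    return {"c2": c2_contacts(rows), "smtp_hosts": count, "spam_zombie": suspicious}


if __name__ == "__main__":
    # Live run on the machine under investigation; falls back to the sample.
    try:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    except OSError:
        text = SAMPLE_NETSTAT
    print(report(text))
```

Wireshark will show the same picture with the display filter `tcp.port == 25 || dns.qry.type == 15` (MX queries); the script is for the case where you only have the netstat listing from the affected PC.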
Fake antispyware "Security Tools"
Another action of the Facebook virus is to download and install a fake antispyware program called "Security Tools". This fake antispyware gives false information by displaying a list of viruses/trojans it claims to have detected, and it normally repeats these false warnings at set intervals. (see Figures 8 and 9)
Figure 8, the false warning displayed by the "Security Tools" antispyware
Figure 9, once installed, the scareware keeps issuing false warnings (Security Tool Warning)
If the user tries to clean with the fake software, it displays a screen asking the user to purchase the software; if this appears, ignore it, because you will not receive any antispyware product.
The "Security Tools" fake antispyware file is about 1,103 KB in size, with file type "Application" (see Figure 10)
Figure 10, the "Security Tools" fake antispyware parent file
To stay active, the fake antispyware creates the following files:
- C:\Documents and Settings\All Users\Application Data\47543326
- C:\Documents and Settings\Elvina\Desktop\Security Tools.lnk
- C:\Windows\temp\_ex-08.exe
- C:\Documents and Settings\Elvina\Start Menu\Programs\Security Tools.lnk
Security Tools fake antispyware registry
To keep itself active, it creates the following registry strings:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  + 47543326 = C:\DOCUME~1\ALLUSE~1\APPLIC~1\47543326\47543326.exe
  + PromoReg = C:\WINDOWS\Temp\_ex-08.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\47543326
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
  + UID = %user%_00127065
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  + Rlist
Actions of the "Security Tools" fake antispyware
· Displays notification messages that the computer is infected with viruses/spyware (see Figures 11 and 12)
Figure 11, pop-up messages displayed constantly by the scareware to intimidate the victim
Figure 12, a warning message from the Security Tools antispyware
· Displays a prompt to update the Security Tools antispyware database (see Figure 13)
Figure 13, Security Tools antispyware update prompt
· Restarts the computer at set times after displaying a fake "Blue Screen", as if the infected computer had a system/hardware error
· Changes the Windows desktop wallpaper (see Figure 14)
Figure 14, Windows desktop changed by the "Security Tools" antispyware
How to clean W32/Obfuscated.D2!Genr and the Security Tools antispyware
- Disable System Restore for the duration of the cleaning process
- Disconnect the computer from the network/Internet
- Preferably do the cleaning in Safe Mode
- Install the "Unlocker" tool [http://www.filehippo.com/download_unlocker/]
- Kill the active virus processes in memory using "Security Task Manager", downloadable from http://www.neuber.com/taskmanager/download.html (see Figure 15)
- Repair the registry. To speed this up, copy the script below into Notepad, save it as [repair.inf] and run it as described below
- Delete the files created by the virus, after first showing hidden files (see Figure 16)
- Delete temporary files and temporary Internet files with the ATF-Cleaner tool [http://majorgeeks.com/download.php?det=4949] (see Figure 17)
- For optimal cleaning and to prevent re-infection, scan with an up-to-date antivirus. You can also clean with Norman Malware Cleaner [http://www.norman.com/support/support_tools/58732/en-us] or Malwarebytes Anti-Malware (www.malwarebytes.org) (see Figures 18 and 19)
Figure 15, killing the virus process with "Security Task Manager"
To run the script: right-click [repair.inf], then click [Install]. The contents of repair.inf:
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit, 0, "C:\WINDOWS\system32\userinit.exe,"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page, 0, "about:blank"

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 47543326
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PromoReg
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, EnableProfileQuota
HKLM, SOFTWARE\AGProtect
HKLM, SOFTWARE\47543326
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network, UID
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion, Rlist
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{8FFA689D-2C2B-2B2E-D865-74C04CA4EF06}
Figure 16, show hidden files
Then delete the following files:
- C:\Documents and Settings\All Users\Application Data\47543326
- C:\Documents and Settings\Elvina\Start Menu\Programs\Security Tools.lnk
- C:\Documents and Settings\Elvina\Desktop\Security Tools.lnk
- C:\Documents and Settings\Elvina\Application Data\wiaservg.log
- C:\Documents and Settings\Elvina\Local Settings\Temp\*.tmp
- C:\WINDOWS\Temp\wpv311256600826.exe
- C:\WINDOWS\Temp\wpv411256806849.exe
- C:\Documents and Settings\%user%\reader_s.exe
- C:\Documents and Settings\%user%\Start Menu\Programs\Startup\isqsys32.exe
- C:\WINDOWS\system32\reader_s.exe
- C:\Windows\system32\wbem\proquota.exe
- C:\windows\system32\sdra64.exe
- C:\Windows\system32\lowsec
  - local.ds
  - user.ds
  - user.ds.lll
Note:
To delete the folder [C:\Windows\system32\lowsec] and the file [C:\windows\system32\sdra64.exe], use the "Unlocker" tool to release them from the Windows system processes (explorer.exe and svchost.exe), because the file injects itself into [explorer.exe and svchost.exe] and keeps them locked. Procedure:
- Right-click the file [C:\windows\system32\sdra64.exe] or the folder [C:\Windows\system32\lowsec]
- Click the "Unlocker" menu
- In the Unlocker window, select the [Delete] option
- Click [OK]
- If an error message appears, ignore it (click OK)
Figure 17, deleting temporary Internet files and temporary files
Figure 18, Malwarebytes Anti-Malware detection results
Figure 19, Norman Malware Cleaner detection results
Source: VaksinCOM