BAT/Troj.Polsesi: Obsessed with Becoming a Policeman (Trojan)



It is not only men who want to join the police. The trojan BAT/Troj.Polsesi, the name we have given this particular piece of malware, is also obsessed with becoming a policeman. Unfortunately, while the police's mission is to maintain security and public order, BAT/Troj.Polsesi only destroys and spreads fear. Is this the negative side of an obsession?



All right, we are not here to discuss psychiatric problems. What we have this time is a different kind of malicious program: a trojan written in simple batch scripting, with remarkable effects.

Characteristics

This trojan is written in batch scripting, which administrators normally use to make Windows carry out a sequence of commands written into a batch file. Batch files usually carry the extension .bat, for example "autoexec.bat". The weakness of a malicious program written as a batch script is that its code can easily be read by anyone. To get around this, the trojan's author hides the script by converting the batch file into an executable (.exe) with a tool called Quick Batch File Compiler, made by http://www.abyssmedia.com. That tool is what gives this trojan its executable form.

Physically, the Polsesi trojan's batch source is 15,345 bytes and contains 226 lines of code. After compilation to .exe it grows to 209,174 bytes, roughly 13 times the original. The file is typically named data_Polri.exe.

Actions taken

Unlike viruses or worms, a trojan's capabilities are very limited: it cannot infect other applications. Its only task is to act as a carrier, the vehicle a malicious program uses to get onto a system. If a virus is said to infect, a trojan is better described as injecting. Even though it is neither a worm nor a virus, the Polsesi trojan should not be taken lightly, because it runs malicious commands that can make the computer crash!

When the Polsesi trojan first becomes active, it displays, one after another, messages about its obsession with becoming a policeman. These messages appear in between the steps of its injection process. Here are the messages it tries to convey; together, let us measure how strong this trojan's obsession is from the messages it delivers:

First message: mister president ... I made the police
Second message: I beg your pardon, go to your computer
Third message: I know the president says yes so I know the police
Fourth message: thanks, buddy
Fifth message: temporary files to my server
Sixth message: Drive is full prison
Seventh message: report completed

The messages appear in between the injection and manipulation (payload) steps. The process runs as follows:

When the first message appears, the Polsesi trojan tries to copy itself to:

d:\data_Polri.exe
c:\jadikan_aku_polisi.exe
c:\WINDOWS\sys.exe
c:\WINDOWS\SYSTEM\sys.exe

It then starts the Messenger service with the command:

net start messenger

It attempts to disable Task Manager by manipulating the registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

It tries to make itself run every time the computer starts by adding entries under the startup registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sys   c:\WINDOWS\sys.exe /f
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\date  c:\WINDOWS\sys.exe /f
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\var   c:\jadikan_aku_polisi.exe /f

When the second message appears, the Polsesi trojan tries to disable some antivirus services with the commands:

net stop mcshield
net stop norton antivirus auto protect service

It does not stop there. Polsesi also tries to remove McAfee and Norton antivirus components and to stop other antivirus products, security updaters and other security applications.
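The dropped copies, the Run-key entries, the DisableTaskMgr value and the service changes described in the first two stages above are all things an administrator can check for directly. The following PowerShell triage script is an added example, not code from the article or from AVI: the file paths, the Run value names (sys, date, var) and the service names (messenger, mcshield) are taken from the article, while the -Remove switch and the use of $env:windir in place of the literal c:\WINDOWS are this example's own assumptions.

```powershell
# Added triage example (not part of the original article or of AVI).
# File paths, Run-value names and service names come from the article;
# the -Remove switch and the use of $env:windir are this example's assumptions.
param([switch]$Remove)

# Copies the trojan drops (article: d:\data_Polri.exe, c:\jadikan_aku_polisi.exe,
# c:\WINDOWS\sys.exe, c:\WINDOWS\SYSTEM\sys.exe); $env:windir stands in for c:\WINDOWS
$droppedFiles = @(
    'D:\data_Polri.exe',
    'C:\jadikan_aku_polisi.exe',
    (Join-Path $env:windir 'sys.exe'),
    (Join-Path $env:windir 'SYSTEM\sys.exe')
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'sys', 'date', 'var'          # value names the article lists under Run
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# 2. Run-key persistence
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runValues) {
        $prop = $run.PSObject.Properties[$name]   # $null when the value is absent
        if ($null -ne $prop) {
            $findings.Add("Run entry '$name' -> $($prop.Value)")
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
        }
    }
}

# 3. Task Manager lock-out
if (Test-Path $policyKey) {
    $disableTaskMgr = (Get-ItemProperty -Path $policyKey).DisableTaskMgr
    if ($disableTaskMgr -eq 1) {
        $findings.Add('Task Manager disabled (DisableTaskMgr = 1)')
        if ($Remove) { Remove-ItemProperty -Path $policyKey -Name 'DisableTaskMgr' }
    }
}

# 4. Service state: the trojan starts Messenger and stops mcshield (McAfee)
$messenger = Get-Service -Name 'messenger' -ErrorAction SilentlyContinue
if ($messenger -and $messenger.Status -eq 'Running') {
    $findings.Add('Messenger service is running')
}
$mcshield = Get-Service -Name 'mcshield' -ErrorAction SilentlyContinue
if ($mcshield -and $mcshield.Status -ne 'Running') {
    $findings.Add("McAfee scanner service is $($mcshield.Status)")
}

if ($findings.Count -eq 0) {
    'No Polsesi indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it without -Remove first to see what is present; with -Remove, terminate the running trojan process beforehand, otherwise the file deletions fail on the locked executable and, because the script re-registers itself on each loop, the Run entries may come back.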

When the third message appears, Polsesi tries to disable a number of Windows administration functions, change the registered owner's name and make various other manipulations. The following registry entries are changed:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetSetup
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32 (Default)
HKEY_CLASSES_ROOT\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\InProcServer32 (Default)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SmallIcons\SmallIcons
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoSecCPL
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
HKEY_CLASSES_ROOT\Directory\Shell\Send\ndut
HKEY_CLASSES_ROOT\Directory\Shell\Send\Command
HKEY_CLASSES_ROOT\Drive\Shell\Copi\end
HKEY_CLASSES_ROOT\Drive\Shell\Command\Copi
HKEY_CLASSES_ROOT\Folder\Shell\Send\rendut
HKEY_CLASSES_ROOT\Folder\Shell\Send\Command
HKEY_CLASSES_ROOT\Directory\Shell\Sent\bendut
HKEY_CLASSES_ROOT\Directory\Shell\Command\Sent
HKEY_CLASSES_ROOT\Drive\Shell\Coopy\endutz
HKEY_CLASSES_ROOT\Drive\Shell\Command\Coopy
HKEY_CLASSES_ROOT\Folder\Shell\Sent\ndutss
HKEY_CLASSES_ROOT\Folder\Shell\Command\Sent
HKEY_CLASSES_ROOT\Directory\Shell\jadi_polisi\endutsz
HKEY_CLASSES_ROOT\Directory\Shell\Command\jadi_polisi
HKEY_CLASSES_ROOT\Drive\Shell\police\enddut
HKEY_CLASSES_ROOT\Drive\Shell\Command\police
HKEY_CLASSES_ROOT\Folder\Shell\officer\endud
HKEY_CLASSES_ROOT\Folder\Shell\Command\officer

It creates a directory named "new" on every drive and copies itself into it.
It also swaps the functions of the left and right mouse buttons.
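Most of the entries in the list above are Explorer and System policy values that simply need to be removed to give the user back Find, Run, the Control Panel, Folder Options and so on; the two CLSID entries need their handler restored, and the extra context-menu verbs need to be deleted. The PowerShell script below is an added remediation example, not code from the article or from AVI. The value names, CLSIDs and verb names are taken from the article's list; the choice of shell32.dll as the stock InProcServer32 handler for the Recycle Bin and Control Panel CLSIDs is this example's assumption and should be checked against a clean machine of the same Windows version before it is applied.

```powershell
# Added remediation example (not part of the original article or of AVI).
# Resets the policy values the article lists and removes the trojan's shell verbs.
# Run as the affected user; use -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$winOldApp      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp'

# Value names taken from the article's list of modified registry entries
$policyValues = @{}
$policyValues[$explorerPolicy] = 'NoFind', 'NoRun', 'NoRecentDocsMenu', 'NoSMHelp', 'NoSetTaskbar',
                                 'NoFolderOptions', 'NoControlPanel', 'NoViewContextMenu',
                                 'NoTrayContextMenu', 'NoPrinters', 'NoNetSetup', 'NoClose',
                                 'NoPropertiesMyComputer', 'NoDesktop', 'NoDrives', 'NoNetHood'
$policyValues[$systemPolicy]   = 'DisableRegistryTools', 'NoSecCPL', 'NoDispCPL', 'DisableTaskMgr'
$policyValues[$winOldApp]      = @('Disabled')

# 1. Delete each restriction value that is present (absence = unrestricted default)
foreach ($key in $policyValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues[$key]) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove policy value')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# 2. Recycle Bin and Control Panel CLSIDs named in the article. shell32.dll is
#    assumed to be the stock handler (this example's assumption, not the article's).
$stockHandler = '%SystemRoot%\system32\shell32.dll'
$clsids = '{645FF040-5081-101B-9F08-00AA002F954E}', '{21EC2020-3AEA-1069-A2DD-08002B30309D}'
foreach ($id in $clsids) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InProcServer32"
    if (-not (Test-Path $key)) { continue }
    $current = (Get-ItemProperty -Path $key).'(default)'
    if ($current -notmatch 'shell32\.dll$') {
        if ($PSCmdlet.ShouldProcess($key, "Restore handler (currently '$current')")) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $stockHandler -Type ExpandString
        }
    }
}

# 3. Context-menu verbs the article lists under Directory, Drive and Folder
$verbs = @{}
$verbs['Directory'] = 'Send', 'Sent', 'jadi_polisi'
$verbs['Drive']     = 'Copi', 'Coopy', 'police'
$verbs['Folder']    = 'Send', 'Sent', 'officer'
foreach ($class in $verbs.Keys) {
    foreach ($verb in $verbs[$class]) {
        $key = "Registry::HKEY_CLASSES_ROOT\$class\Shell\$verb"
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove trojan shell verb')) {
            Remove-Item -Path $key -Recurse
        }
    }
}
```

The script deletes the restriction values rather than setting them to 0, because a missing value is the default state and leaves no trace of the policy behind; the HKEY_CLASSES_ROOT edits need an elevated prompt, and Explorer must be restarted (or the user logged off and on) before the menu and Control Panel changes take effect.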

And when the fifth message appears, the one saying "temporary file for my seizure", the infected computer has most likely lost files of the following types:

doc, txt, excel, pdf, rtf, jpg, html, zip, rar, ppt, mp3, 3gp, avi, wmv, flv, odt, gif, CDR, png, ICO, mp4, bmp, mpg, mpeg, wma, dat.

The files are not deleted, but hidden by changing their attributes.
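Because the files only have the Hidden attribute set, they can be listed and restored without any recovery tool. The PowerShell script below is an added example, not code from the article or from AVI: it walks a drive for files with the extensions the article lists (the article's "excel" is taken to mean .xls, an assumption), reports those that are hidden, and clears the Hidden and System bits when -Fix is given; the -Root and -Fix parameters are this example's own.

```powershell
# Added recovery example (not part of the original article or of AVI).
# Lists hidden files of the types the article names and, with -Fix, unhides them.
param(
    [string]$Root = 'C:\',   # drive or folder to scan (example's parameter)
    [switch]$Fix             # clear Hidden/System when set; report only otherwise
)

# Extension list from the article; "excel" is assumed to mean .xls
$exts = 'doc', 'txt', 'xls', 'pdf', 'rtf', 'jpg', 'html', 'zip', 'rar', 'ppt', 'mp3', '3gp',
        'avi', 'wmv', 'flv', 'odt', 'gif', 'cdr', 'png', 'ico', 'mp4', 'bmp', 'mpg', 'mpeg',
        'wma', 'dat'
$pattern = '\.(' + ($exts -join '|') + ')$'     # -match is case-insensitive by default

# Attributes the trojan sets to hide the files; attrib -h -s clears the same two bits
$hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force is required so that hidden files are returned at all
$hidden = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match $pattern -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    }

foreach ($f in $hidden) {
    "$($f.FullName)  [$($f.Attributes)]"
    if ($Fix) {
        # Keep every other attribute (ReadOnly, Archive, ...) untouched
        $f.Attributes = [IO.FileAttributes]($f.Attributes -band (-bnot $hideBits))
    }
}
"$(@($hidden).Count) hidden file(s) of the listed types found under $Root."
```

Review the report before running with -Fix: some legitimately hidden files (desktop.ini-style metadata, thumbnail caches) share these extensions, so a scan limited to the user's document folders gives far fewer false positives than a whole-drive scan.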

Finally, the Polsesi trojan disables some Control Panel functions, turns off the Safe Mode feature and displays the final message, "the report is finished."

But nothing is actually finished, because the Polsesi trojan then launches its malicious activities again from the beginning, and so on.

Cleaning and Prevention

Cleaning this trojan is very easy: just run the latest AVI update, which you can get from http://www.infokomputer.com/avi/avi-beta.zip. To prevent the trojan from coming back, install AVI as a real-time protector and your computer will never be bothered by this trojan again.

(MF Muqorrobien - author of AntiVirus InfoKomputer)
