An overview of the Blackmal.E worm

The Blackmal.E virus is classed as not very dangerous but very annoying, because it spreads through email and through shared network folders.
Aliases of Blackmal.E

This is a worm-type virus, known by the following other names:

Symantec:
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
McAfee:
Win32/Blackmal.E.Worm, W32/[EMAIL PROTECTED]
Kaspersky Anti-Virus:
I-Worm.Nyxem.d
F-Secure Anti-Virus:
W32/[EMAIL PROTECTED]
Trend Micro:
Worm-GREW.A
Sophos Anti-Virus:
W32/Nyxem-D
Attack pattern of Blackmal.E

If a user receives the email sent by the worm and opens (executes) the attachment, Blackmal.E creates many copies of itself and places them on the PC where the email was opened (executed).

The copies the worm creates are as follows:
* %Program Files%\INTERNET EXPLORER\Media Player.exe
* %Windows%\Volume\<Windows File>.exe, where <Windows File> is the name of an .exe file chosen from the infected PC, mainly from the %Windows% directory. For example, if the worm finds regedit.exe in the %Windows% directory, it creates a copy named "regedit .exe". Note: the worm also creates the "volume" directory in which this file is placed. The file is hidden.
* %System%\Connection.exe
* %System%\MOVIE009.PIF
* %System%\movie_05.MP3_________________________________________________________.exe
* %System%\Old_Password.baT
* %System%\PaltlkRoom.wav_________________________________________________________.exe
* %System%\REGEDITM.EXE
* %System%\sound_223.mp3_________________________________________________________.exe
* %System%\The_Members.PIF
* %System%\<Windows File>M.EXE
* %System%\Video_live.mpg_________________________________________________________.exe
* %System%\YAHOO.PIF
Blackmal.E also deletes the file %System%\OSSMTP.DLL, which is the legitimate SMTP COM library from OstroSoft.
Note: '%System%' and '%Windows%' are variable locations. The worm locates these folders by querying the operating system. The default installation location of the System directory for Windows 2000 and NT is C:\Winnt\System32; for Windows 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
Blackmal.E modifies the registry so that its copy in the %Windows%\volume directory is run when Windows starts, using the following values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default) = %Windows%\VOLUME\<Windows File>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Windows File>.exe = %Windows%\VOLUME\<Windows File>.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Security = %System%\<Windows File>M.EXE
Distribution methods of Blackmal.E

Via network shares

Blackmal.E enumerates the shared resources on the network and, on each one it finds, copies itself under the following names:

Connection.exe
MOVIE009.PIF
movie_05.MP3_________________________________________________________.exe
Old_Password.baT
PaltlkRoom.wav_________________________________________________________.exe
REGEDITM.EXE
sound_223.mp3_________________________________________________________.exe
The_Members.PIF
UNINSTM.EXE
Video_live.mpg_________________________________________________________.exe
YAHOO.PIF
Network sharing solution:

Configuring shared Windows folders for maximum network protection

Situation:
New viruses and worms can use weak passwords on shared network volumes to spread. You want to know how to configure your computer to avoid spreading or receiving one of these viruses.

Solution:
Before you begin: If you are looking for a tool to remove a specific virus, or for more information on viruses, worms, or Trojans, go to the Symantec Security Response Web site.

To prevent the spread of these types of viruses, Symantec suggests disabling file sharing if you do not need it, or sharing with strong password protection and read-only access if possible. Also, do not share entire drives (such as your C drive); instead, share specific folders.

If you are on a network that is connected to the Internet, you are strongly advised to install a firewall. Information on Symantec firewall products is available at the Symantec Web site.

Note: The following steps assume that Windows is installed on drive C. If you installed Windows to a different location, then substitute the new drive location in the following steps.
Windows NT/2000 users

1. Double-click My Computer on the Windows desktop.
2. Right-click drive C, and click Sharing.
3. Examine the Share name. The drive will likely be shared as C$. This is a default hidden share required for administration. If you click the Permissions button, you should see the message "This has been shared for Administrative purposes. The permissions cannot be set."
4. Click the drop-down for Share name. If the drive is not shared with any other names, stop here.
5. If the drive is shared with a name other than C$:
   * Select "Do not share this folder."
   * If you do not want to remove this shared resource, click Permissions and make sure that only the required users and groups may write to it.
   * For all other shared files or folders, select permissions to verify that only required users have write access.
Windows XP users

File sharing is disabled by default in Windows XP. To check for shared files or folders:

1. Click Start, and then click My Computer.
2. Right-click drive C, and then click Sharing and Security.
3. If you see the link "If you understand the risk but still want to share . . . ," click the link.
4. In the Network Sharing and Security section, examine to see if either of the two check boxes is checked. To disable sharing, uncheck them.
5. Close the Sharing and Security dialog box.
6. With My Computer still open, double-click the Shared Documents folder. See if it contains any shortcuts to files or folders. If it does, and you do not want them shared, delete them.
Windows 98/Me users

To disable file and print sharing

Perform these steps if you do not need to share files or printers on your network.

1. Right-click the Network Neighborhood or the My Network Places icon on the Windows desktop.
2. Click Properties.
3. Click the Configuration tab.
4. Click Client for Microsoft Networks.
5. Click File and Print Sharing.
6. Uncheck both boxes, and then click OK.

If you do not want to disable file and print sharing

These steps are only for users who need to share files or printers in a networked environment.

1. Double-click My Computer on the Windows desktop.
2. Right-click drive C, and click Sharing. If you do not see Sharing, stop here.
3. Look at Sharing status:
   * If Not Shared is checked, stop here. If Shared As is checked, we recommend that you disable this option by selecting Not Shared.
   * If you must share this volume, then under Access Type, select either Read-Only or Depends on Password.
   * You can create separate passwords for read-only and full access. Give the Full Access Password only to those who need it.
   * For all other shared files and folders, make sure that Access Type is set appropriately.
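The GUI steps above check one drive at a time. On the NT family the same information is available in one go from `net share`, and a small script can apply the two rules Symantec gives (never share an entire drive; review write permissions on every other share). The following is an added example, not code from the post or from Symantec: it parses a constructed sample of `net share` output (the real command prints a fixed-width table headed "Share name / Resource / Remark", which the sample imitates) and splits the non-administrative shares into whole-drive shares and folder shares. The share names and paths in the sample are made up.

```python
"""Audit Windows shares along the lines of the Symantec guidance above:
find non-administrative shares and single out those that export the root
of a drive. Added example, not code from the original post."""
import re

# Constructed sample of `net share` output (not captured from a real host).
_ROWS = [
    ("C$",     "C:\\",             "Default share"),
    ("IPC$",   "",                 "Remote IPC"),
    ("ADMIN$", "C:\\WINDOWS",      "Remote Admin"),
    ("Public", "C:\\",             ""),   # whole-drive user share (bad)
    ("Docs",   "C:\\Shared\\Docs", ""),   # folder share (review permissions)
]
SAMPLE_NET_SHARE = (
    f"{'Share name':<13}{'Resource':<32}Remark\n\n"
    + "-" * 79 + "\n"
    + "".join(f"{n:<13}{r:<32}{m}".rstrip() + "\n" for n, r, m in _ROWS)
    + "The command completed successfully.\n"
)


def parse_net_share(text):
    """Return [(share_name, resource)] from `net share` output, slicing each
    row at the column offsets found in the header line."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    col_res, col_rem = header.index("Resource"), header.index("Remark")
    shares = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip() or line.startswith("-") or line.startswith("The command"):
            continue
        shares.append((line[:col_res].strip(), line[col_res:col_rem].strip()))
    return shares


# "C:" or "C:\" with nothing after it: the root of a drive.
_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def audit_shares(shares):
    """Split non-administrative shares into those that expose a whole drive
    (which the guidance says never to share) and folder shares whose write
    permissions still need review. Names ending in '$' are the default
    hidden administrative shares and are left alone."""
    whole_drive, folder_shares = [], []
    for name, resource in shares:
        if name.endswith("$"):
            continue
        (whole_drive if _DRIVE_ROOT.match(resource) else folder_shares).append((name, resource))
    return {"whole_drive": whole_drive, "folder_shares": folder_shares}


if __name__ == "__main__":
    report = audit_shares(parse_net_share(SAMPLE_NET_SHARE))
    for name, res in report["whole_drive"]:
        print(f"REMOVE OR RESTRICT: share '{name}' exports entire drive {res}")
    for name, res in report["folder_shares"]:
        print(f"REVIEW PERMISSIONS: share '{name}' -> {res}")
```

On a live Windows NT/2000/XP host the sample text would be replaced by the output of `subprocess.run(["net", "share"], capture_output=True, text=True).stdout`; the parser relies only on the header column positions, so localized remark text does not matter.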
Via email

Blackmal.E sends itself by email. The messages vary in their details; in the From address the worm uses a spoofed name taken from the infected user. The messages are HTML-formatted and usually contain pornographic images.

Note: The worm does not start spreading itself by email until the computer is restarted after infection, and it does not spread by email if the infected user has not opened the email from the worm.

The emails sent by the worm have the following characteristics:
Possible names/addresses:
Thomas <[EMAIL PROTECTED]>
vip <[EMAIL PROTECTED]>
Lola Ashton <[EMAIL PROTECTED]>
Bad Love <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
Sweet Women <[EMAIL PROTECTED]>
Sara GL <hot_woman2362@freevideos.net>
The Moon <[EMAIL PROTECTED]>
Binnn MT <[EMAIL PROTECTED]>
Possible subjects:
Beethoven's Symphony No
New Stories Highway Blues

Possible message bodies:
see the attached
how are you?
see the file
video
enjoy
see the movie

Possible attachment names:
<Subject Line>_DVD_Viedo.Zip.z
<Subject Line>_Audio_XP.GZ
<Subject Line>.Xp2002.TGZ
<Subject Line>_Zipped_File.Z
<Subject Line>.PIF
<Subject Line>.XP2002.Zip.scr
<Subject Line>.DvD_Xp.scr

<Subject Line> is one of the possible subject names listed above.
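Both the names the worm drops on network shares and its attachment names rely on the same disguise: an executable extension (.exe, .pif, .scr, .bat) hidden behind a media or archive extension, a long run of underscores, or a space, so that a narrow file-list column shows "movie_05.MP3" or "regedit" and not the real type. The following is an added example, not code from the post: a small filename classifier whose rules are derived from the names listed above, plus a fixed list of the dropped names, usable from a mail gateway filter or a share-scanning script. Every file name it is run on here is constructed from the page's own examples; `classify_filename` and `is_suspicious` are names chosen for this example.

```python
"""Heuristics for the disguised file names this post lists (copies dropped
on network shares and email attachments). Added example, not code from the
original post; the rules are derived from the names on the page."""
import os
import re

# Extensions Windows will execute when the file is opened.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd"}
# "Decoy" extensions the worm places in front of the real one.
DECOY_EXTS = {".mp3", ".mpg", ".wav", ".avi", ".zip", ".gz", ".tgz", ".z", ".jpg"}
# Executable types that are almost never sent legitimately by email.
RARE_EXECUTABLE_EXTS = {".pif", ".scr"}
# Unpadded names the post lists as dropped on shares (lower-cased).
KNOWN_DROPPED = {
    "connection.exe", "movie009.pif", "old_password.bat", "regeditm.exe",
    "the_members.pif", "uninstm.exe", "yahoo.pif",
}


def classify_filename(name):
    """Return the reasons a file name looks like a disguised executable;
    an empty list means no rule fired."""
    reasons = []
    lowered = name.lower()
    root, ext = os.path.splitext(lowered)
    if lowered in KNOWN_DROPPED:
        reasons.append("matches a file name Blackmal.E is known to drop")
    if ext in EXECUTABLE_EXTS:
        if ext in RARE_EXECUTABLE_EXTS:
            reasons.append(f"{ext} attachments are executable and rarely legitimate")
        # A long run of underscores, or a trailing space, pushes the real
        # extension out of view: "movie_05.MP3____....exe", "regedit .exe".
        if re.search(r"_{8,}$", root) or root.endswith(" "):
            reasons.append("padding hides the executable extension")
        # Strip the padding and look for a decoy extension underneath.
        _, inner_ext = os.path.splitext(root.rstrip("_ "))
        if inner_ext in DECOY_EXTS:
            reasons.append(f"double extension {inner_ext}{ext}")
    return reasons


def is_suspicious(name):
    return bool(classify_filename(name))


if __name__ == "__main__":
    # Constructed test names built from the page's lists plus two benign ones.
    samples = [
        "movie_05.MP3" + "_" * 65 + ".exe",
        "regedit .exe",
        "Old_Password.baT",
        "Beethoven's Symphony No.XP2002.Zip.scr",
        "quarterly_report.pdf",
        "setup.exe",
    ]
    for s in samples:
        print(f"{s[:40]:<40} -> {classify_filename(s) or 'clean'}")
```

The classifier does not look inside archives, so the .z, .GZ and .TGZ attachment names above pass it; those need the archive contents checked (or the archive type blocked) at the gateway. Names ending in "M.EXE" are caught only when they are in the fixed list, because a generic rule for that pattern would flag legitimate programs.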
Payload

Changes system settings through the registry

The worm deletes the following values from the following registry keys (should they exist):

Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Values:
ccApp
defwatch
KasperskyAv
McAfeeVirusScanService
MCAgentExe
McRegWiz
MCUpdateExe
McVsRte
NAV Agent
NPROTECT
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PCClient.exe
PccPfw
rtvscn95
ScriptBlocking
SSDPSRV
Taskmon
VirusScan Online
vptray
VSOCheckTask
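The registry changes described in this post come in two parts: the autostart values the worm adds under the Run keys and Active Setup (listed earlier, in the attack-pattern section) and the antivirus autostart values it deletes (listed just above). The following is an added example, not code from the post, that checks both against a snapshot of those keys. The snapshot is a constructed dict standing in for values read from the registry; the worm's paths are written as the expanded `C:\WINDOWS` form they would have on a live machine; and the page's "Active Setup\Security" line is modelled, as an assumption, as a value named "Security" under the Active Setup key. `find_worm_persistence` and `missing_av_autostarts` are names chosen for this example.

```python
"""Check a snapshot of the autostart registry keys this post describes for
(a) the persistence values Blackmal.E adds and (b) antivirus autostart
values it deletes. Added example, not code from the original post."""
import re

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
ACTIVE_SETUP_KEY = r"HKLM\SOFTWARE\Microsoft\Active Setup"

# Antivirus autostart value names the post says the worm deletes.
AV_AUTOSTART_VALUES = [
    "ccApp", "defwatch", "KasperskyAv", "McAfeeVirusScanService", "MCAgentExe",
    "McRegWiz", "MCUpdateExe", "McVsRte", "NAV Agent", "NPROTECT", "PCCClient.exe",
    "pccguide.exe", "PCCIOMON.exe", "PCClient.exe", "PccPfw", "rtvscn95",
    "ScriptBlocking", "SSDPSRV", "Taskmon", "VirusScan Online", "vptray", "VSOCheckTask",
]

# Constructed snapshot of an infected machine: the worm's values are present
# and all but one of the Symantec autostart values have been removed.
SNAPSHOT = {
    RUN_KEYS[0]: {
        "(Default)": r"C:\WINDOWS\VOLUME\regedit.exe",
        "vptray": r"C:\Program Files\Symantec AntiVirus\vptray.exe",
    },
    RUN_KEYS[1]: {},
    RUN_KEYS[2]: {"regedit.exe": r"C:\WINDOWS\VOLUME\regedit.exe"},
    # Assumption: "Active Setup\Security = %System%\<file>M.EXE" modelled as
    # value "Security" under the Active Setup key.
    ACTIVE_SETUP_KEY: {"Security": r"C:\WINDOWS\System32\regeditM.EXE"},
}

# An .exe started out of a directory named "volume" (the worm's drop folder).
_VOLUME_DIR = re.compile(r"\\volume\\[^\\]+\.exe$", re.IGNORECASE)
# %System%\<name>M.EXE, the worm's second copy.
_M_EXE = re.compile(r"\\system(32)?\\[^\\]+m\.exe$", re.IGNORECASE)


def find_worm_persistence(snapshot):
    """Return [(key, value_name, data, reason)] for values matching the
    persistence the post describes."""
    hits = []
    for key in RUN_KEYS:
        for value, data in snapshot.get(key, {}).items():
            if _VOLUME_DIR.search(data):
                hits.append((key, value, data, "autostart from %Windows%\\VOLUME"))
            elif value == "(Default)" and data.strip():
                # The Run key's default value is normally unset; the worm sets it.
                hits.append((key, value, data, "Run key default value set to a program"))
    sec = snapshot.get(ACTIVE_SETUP_KEY, {}).get("Security", "")
    if _M_EXE.search(sec):
        hits.append((ACTIVE_SETUP_KEY, "Security", sec, "Active Setup Security -> <file>M.EXE"))
    return hits


def missing_av_autostarts(snapshot, expected):
    """Return the expected AV autostart value names absent from every Run key.
    `expected` is the subset of AV_AUTOSTART_VALUES the installed product
    should have created; only those absences mean something."""
    present = set()
    for key in RUN_KEYS:
        present.update(v.lower() for v in snapshot.get(key, {}))
    return [v for v in expected if v.lower() not in present]


if __name__ == "__main__":
    for key, value, data, reason in find_worm_persistence(SNAPSHOT):
        print(f"PERSISTENCE: {key}\\{value} = {data}  [{reason}]")
    for value in missing_av_autostarts(SNAPSHOT, ["vptray", "ccApp", "NAV Agent"]):
        print(f"MISSING AV AUTOSTART: {value}")
```

On a live host the snapshot would be filled with the standard-library `winreg` module (`winreg.OpenKey` on each key and `winreg.EnumValue` over its values); that step is left out so the example runs on any platform. The list of expected AV values must be narrowed to the product actually installed, otherwise every machine reports the other vendors' values as missing.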
Telnet Server

Blackmal.E also sets the Windows Telnet Server service to start automatically.
Other information

The worm also makes the following modifications to the registry and changes the WinZip registration information:

HKCU\Software\......................\WinZip\Caution\NoBetaMessage = 1
HKCU\Software\......................\WinZip\Winini\Name = BlackWorm
HKCU\Software\......................\WinZip\Winini\SN = 2AD00ED6

Blackmal.E contacts a particular web site, presumably to notify its author of a new system compromise.
Prevention:

An antivirus tool for the Blackmal.E worm can be downloaded from
http://www3.ca.com/support/vicdownload/

To scan a PC online using IE 4.0 or later, use this site:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Symantec Support:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

Hope this helps.

Regards,