
January 22, 2010

Beware of a Fast-Spreading YM Virus Variant

Malicious programs never seem to rest. A virus that abuses Yahoo! Messenger (YM) has been reported to be spreading quickly. The message appears in English and carries a link to a file. To lure its victims, the link appears to point to an image file compressed in .zip format.
Here are some of the messages it sends (in English).

I just found this pic of you last night,
and I think you might want to save it, looks amazing.
srv034.imageshares.info:88/cache/user2940/DVS-Picture009.JPEG.zip
Would you care if I tagged you in this picture? Or would you get upset at me?
srv057.imageshares.info:88/DisplayPics/user3052/DVT-NewPhoto009.JPG.zip
This picture is creepy and disturbing! You have to check it out.
http://srv034.imageshares.info:88/cache/user2940/DVS-Picture009.JPEG.zip
I was at the mail, and you will never guess who i saw!
http://srv057.imageshares.info:88/DisplayPics/user3052/DVT-NewPhoto009.JPG.zip
I found the perfect wallpaper. You'll love it, what do you think?
http://viewmorepics.facebookgallery.info:88/ImageView&profileID=1390/DVS-MyPhoto14.JPEG.zip
Have you seen my new glasses? I just found out I had to get new ones.
Do they look ok?? http://viewmorepics.facebookgallery.info:88/ImageView&profileID=1390/DVS-MyPhoto14.JPEG.zip
Why do I even bother taking pictures when they turn out to be like this.
Don't show it to anyone please. http://img284.dlimageshack.info:88/img284/43930/MVC-NewPhoto12.JPG.zip
I finished editing this picture last night for my facebook profile...
How do you like it? http://img425.dlimageshack.info:88/~ProfileView/user4729/DVS-NewPhoto13.JPG.zip
The pics from my new digital camera keep coming out strange.
Can't you tell it doesn't look right in this one? http://c2ac-b.myspace-pics.info:88/images03/4986051/DVT-Picture004.JPG.ZIP
If you decide to open this picture you have to promise not to show it to anyone. ok?
http://c2ac-b.myspace-pics.info:88/images03/4986051/DVT-Picture004.JPG.zip

Users of the YM service, which is quite popular in Indonesia, are asked never to click such links, because the virus uses the victim's YM account to spread itself to the victim's contacts. The virus performs the following actions:
Attempts to connect to remote servers/IRC (Internet Relay Chat) at various IP addresses.
Attempts to connect to several websites and synchronize time, including Microsoft.com, Yahoo.com, Google.com and Time.Windows.com.
Attempts to connect to several Mail Exchanger (MX) hosts, including Microsoft.com, Yahoo.com, Google.com and Mail.Ru (the largest free e-mail provider in Russia).
Attempts to connect to several websites over various ports.
Synchronizes with the remote server/IRC server and communicates with it.
Downloads the virus file and obtains the list of messages to be sent through the chat application. A single link can yield up to 50 different message texts.
Sends messages to every contact in the chat application's address list.
Attempts to access the network and spread the virus, including trying to get through IPC$.
All of this activity makes the victim's computer feel slow; CPU usage can even reach 100 percent.
The virus spreads mainly through instant-messaging services such as YM. However, Adi does not rule out that it also spreads via Skype, GTalk (Google Talk), Windows Live Messenger and MRA (Mail.Ru Agent). The virus also spreads across the network through shared folders. The spreading virus file has a random name, an .exe extension and a size of 212 KB.
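The lure links above share a recognisable shape: a file name that advertises a picture but ends in .zip, a non-standard port (:88), and a hostname imitating an image-hosting site. The following Python script is an added example, not code from the original post, that scans chat or proxy log lines for links with those traits. The sample lines are constructed for the example (three lures copied from the list above plus two benign links); the rule names, thresholds and the helper functions are this example's own.

```python
import re
from urllib.parse import urlparse

# Extensions that make a link look like a picture, and the archive/executable
# extensions an IM worm hides behind them (".JPEG.zip" in the lures above).
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}
PAYLOAD_EXTS = {"zip", "exe", "scr", "com", "pif"}

# Loose matcher: the worm sends its links both with and without "http://".
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?::\d{1,5})?/[^\s\"'<>]+", re.I)

def classify_link(url: str) -> list:
    """Return the lure indicators found in one URL (empty list if none)."""
    reasons = []
    if not re.match(r"^[a-z]+://", url, re.I):
        url = "http://" + url                  # urlparse needs a scheme
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]  # advertised file name
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-2] in IMAGE_EXTS and parts[-1] in PAYLOAD_EXTS:
        reasons.append("double extension .%s.%s" % (parts[-2], parts[-1]))
    if parsed.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parsed.port)
    host = parsed.hostname or ""
    # Weak signal on its own: hostnames built to resemble image-hosting sites.
    if re.search(r"(image|pic|photo|gallery|shack)", host):
        reasons.append("hosting-lookalike hostname")
    return reasons

def is_lure(reasons: list) -> bool:
    """A double extension alone is decisive; otherwise require two weaker signals."""
    return any(r.startswith("double extension") for r in reasons) or len(reasons) >= 2

def scan_messages(lines) -> list:
    """Return (url, reasons) for every link in the lines that is classified as a lure."""
    hits = []
    for line in lines:
        for m in URL_RE.finditer(line):
            url = m.group(0)
            reasons = classify_link(url)
            if is_lure(reasons):
                hits.append((url, reasons))
    return hits

# Constructed sample: three lure lines from the post, two benign lines.
SAMPLE_MESSAGES = [
    "I just found this pic of you last night, srv034.imageshares.info:88/cache/user2940/DVS-Picture009.JPEG.zip",
    "Do they look ok?? http://viewmorepics.facebookgallery.info:88/ImageView&profileID=1390/DVS-MyPhoto14.JPEG.zip",
    "Don't show it to anyone please. http://img284.dlimageshack.info:88/img284/43930/MVC-NewPhoto12.JPG.zip",
    "holiday album is at http://example.com/photos/holiday.jpg",          # benign (constructed)
    "meeting notes: https://intranet.example.org:8443/wiki/notes",         # odd port only (constructed)
]

if __name__ == "__main__":
    for url, reasons in scan_messages(SAMPLE_MESSAGES):
        print(url, "->", "; ".join(reasons))
```

The odd-port-only line is deliberately not flagged: a non-standard port by itself is common on intranets, so the example only treats it as supporting evidence next to another signal.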

February 7, 2009

Remove Virus Virut, Sality, Parite, and Alman


Win32/Virut


Download the following two files ( rmvirut.exe, rmvirut.nt ) and run the rmvirut.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmvirut C: D:". If the command is run without parameters, it heals all disks (partitions) on the computer.

Note:
The remover requires administrator rights to run. For it to work properly, rmvirut.nt must be saved in the same folder as rmvirut.exe. After the healing process, run the AVG Complete Test to make sure your computer is virus-free.


Win32/Sality

Download the following three files ( rmsality.exe, rmsality.nt, rmsality.dos ) and run the rmsality.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmsality C: D:". If the command is run without parameters, it heals all disks (partitions) on the computer.

Note:
The remover requires administrator rights to run. For it to work properly, rmsality.nt and rmsality.dos must be saved in the same folder as rmsality.exe. After the healing process, run the AVG Complete Test to make sure your computer is virus-free.

Win32/Parite

Download the following three files ( rmparite.exe, rmparite.nt, rmparite.dos ) and run the rmparite.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmparite C: D:". If the command is run without parameters, it heals all disks (partitions) on the computer.

Note:
The remover requires administrator rights to run. For it to work properly, rmparite.nt and rmparite.dos must be saved in the same folder as rmparite.exe. After the healing process, run the AVG Complete Test to make sure your computer is virus-free.

Win32/Alman

Download the following two files ( rmalman.exe, rmalman.nt ) and run the rmalman.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmalman C: D:". If the command is run without parameters, it heals all disks (partitions) on the computer.

Note:
The remover requires administrator rights to run. For it to work properly, rmalman.nt must be saved in the same folder as rmalman.exe. After the healing process, run the AVG Complete Test to make sure your computer is virus-free.




About Virus Win32/Tanatos

Names, aliases:

Win32/Kashu (AhnLab-V3), W32/Kashu.A (AntiVir), W32/Sality.AE (Authentium), Win32.Kashu.A (BitDefender), W32.Sality.R (CAT-QuickHeal), Win32.Sector.4 (DrWeb), Win32/Sality.V (eTrust-Vet), W32/Sality.AM@mm (Fortinet), W32/Sality.AE (F-Prot), W32/Kashu.A (F-Secure), Trojan-Dropper.Win32.Microjoin.R (Ikarus), Virus.Win32.Sality.v (Kaspersky), W32/Sality.ad (McAfee), Virus:Win32/Sality.AH (Microsoft), probably a variant of Win32/Sality.AB (NOD32v2), W32/Kashu.A (Norman), W32/Sality-AM (Sophos), W32.Sality.AB (Symantec), Trojan.Win32.KillAV.nh (VBA32), Win32.Sality.AI (VirusBuster), Win32.Kashu.A (Webwasher-Gateway)

Behavior:

PE-file infector. After disabling firewall and antivirus software, it downloads additional components.

Description:

When executed, Win32/Tanatos drops the following files ([RANDOM] is a random number):

%System%\[RANDOM].dll
%System%\[RANDOM].dl_
%System%\drivers\[RANDOM].sys
%Temp%\[RANDOM].tmp
Adds the following entries to the registry:

HKLM\SYSTEM\CurrentControlSet\Services\MCIDRV_2600_6_0
Type=dword:00000001
Start=dword:00000002
ErrorControl=dword:00000001
ImagePath=\??\C:\WINDOWS\system32\drivers\[RANDOM].sys
DisplayName=MCIDRV_2600_6_0

Alters the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Setting\GlobalUserOffline = "0"
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA = "0"

It also enumerates and deletes entries in the following registry subkeys:

HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\System\CurrentControlSet\Control\SafeBoot
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Win32/Tanatos stores its personal data in the [MCIDRV_VER] section of the SYSTEM.INI file.
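The registry and SYSTEM.INI changes listed above are the indicators a responder can check for on a suspect machine without running the sample. The Python script below is an added example, not part of the original page or of any vendor tool: it parses a Regedit 5.00 export (the text format produced by "reg export" or Regedit's File > Export) and reports the service, the EnableLUA=0 policy and the GlobalUserOffline=0 value, then checks a SYSTEM.INI text for the [MCIDRV_VER] section. The export and INI text embedded here are constructed fixtures (the driver name abcd1234.sys stands in for the [RANDOM] name, and ImagePath is written as a plain string rather than the hex(2) form Regedit uses for REG_EXPAND_SZ); the parser only decodes REG_SZ and REG_DWORD values and keeps other types as raw text.

```python
import re

def parse_reg_export(text: str) -> dict:
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.
    REG_SZ ("...") becomes str, REG_DWORD (dword:) becomes int; any other
    value type (hex:, hex(2): ...) is kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        val = m.group(2)
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = val
    return keys

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def short_path(path: str) -> str:
    root, _, rest = path.partition("\\")
    return HIVE_ABBREV.get(root, root) + "\\" + rest

def find_tanatos_indicators(keys: dict) -> list:
    """Return one human-readable finding per indicator present in the parsed export."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if "\\services\\" in p:
            svc_name = path.rsplit("\\", 1)[-1]
            if svc_name == "MCIDRV_2600_6_0" or values.get("DisplayName") == "MCIDRV_2600_6_0":
                findings.append("service %s present (ImagePath=%s)"
                                % (short_path(path), values.get("ImagePath", "?")))
        if p.endswith("\\policies\\system") and values.get("EnableLUA") in (0, "0"):
            findings.append("%s: EnableLUA=0 (UAC disabled)" % short_path(path))
        # The page spells the key "Internet Setting"; accept both spellings.
        if re.search(r"\\internet settings?$", p) and values.get("GlobalUserOffline") in (0, "0"):
            findings.append("%s: GlobalUserOffline=0" % short_path(path))
    return findings

def has_mcidrv_section(system_ini: str) -> bool:
    """True if SYSTEM.INI text contains the [MCIDRV_VER] section the virus writes."""
    return re.search(r"^\s*\[MCIDRV_VER\]\s*$", system_ini, re.I | re.M) is not None

# Constructed fixture: what the listed changes would look like in an export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MCIDRV_2600_6_0]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\abcd1234.sys"
"DisplayName"="MCIDRV_2600_6_0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
'''

SAMPLE_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\n\n[MCIDRV_VER]\nDEVICEMB=12345\n"

if __name__ == "__main__":
    for f in find_tanatos_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f)
    print("SYSTEM.INI [MCIDRV_VER] present:", has_mcidrv_section(SAMPLE_SYSTEM_INI))
```

The ImagePath the export reports is what points you at the random-named .sys file to collect; the service name is the stable indicator, the driver name is not.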

The Trojan also stops and deletes the following services:

aswUpdSv
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
F-Prot Antivirus Update Monitor
fsbwsys
FSDFWD
F-Secure Gatekeeper Handler Starter
fshttps
FSMA
InoRPC
InoRT
InoTask
ISSVC
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SmcService
SNDSrvc
SPBBCSvc
Symantec Core LC
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM
AVP

Connects to the following URLs from where it downloads and executes additional files:

makemegood24.com
perfectchoice1.com
cash-ddt.net
ddr-cash.net
trn-cash.net
money-frn.net
clr-cash.net
xxxl-cash.net

It deletes files with the following extensions:

*.VDB
*.AVC
*.KEY (but only if first three letters are "drw")

Deletes executable files whose name contains any of the following strings:

_AVPM.
A2GUARD.
AAVSHIELD.
AVAST
ADVCHK.
AHNSD.
AIRDEFENSE
ALERTSVC
ALMON.
ALOGSERV
ALSVC.
AMON.
ANTI-TROJAN.
AVZ.
ANTIVIR
ANTS.
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
ATUPDATER.
ATWATCH.
AUPDATE.
AUTODOWN.
AUTOTRACE.
AUTOUPDATE.
AVCIMAN.
AVCONSOL.
AVENGINE.
AVGAMSVR.
AVGCC.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVGNTDD
AVGNTMGR
AVGSERV.
GUARD.
AVGUPSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVPM.
AVPUPD.
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BACKWEB-4476822.
BDMCON.
BDNEWS.
BDOESRV.
BDSS.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCAPP.
CCEVTMGR.
CCPROXY.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95.
CLAW95CF.
CLEANER.
CLEANER3.
CLISVC.
CMGRDIAN.
CUREIT
DEFWATCH.
DOORS.
DRVIRUS.
DRWADINS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FAST.
FCH32.
FILEMON
FIRESVC.
FIRETRAY.
FIREWALL.
FPAVUPDM.
F-PROT95.
FRESHCLAM.
FRW.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSM32.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDGUI.
GUARDNT.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
ISRV95.
ISSVC.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
KWATCH.
LOCKDOWN2000.
LOGWATNT.
LUALL.
LUCOMSERVER.
LUUPDATE.
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NOD32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTXCONFIG.
NUPGRADE.
NVC95.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST.
PAV.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
PREVSRV.
PSIMSVC.
QHM32.
QHONLINE.
QHONSVC.
QHPF.
QHWSCSVC.
RAVMON.
RAVTIMER.
REALMON.
REALMON95.
RFWMAIN.
RTVSCAN.
RTVSCN95.
RULAUNCH.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCAN32.
SCANNINGPROCESS.
SCHED.
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
TC.
TCA.
TCM.
TDS-3.
TEATIMER.
TFAK.
THAV.
THSM.
TMAS.
TMLISTEN.
TMNTSRV.
TMPFW.
TMPROXY.
TNBUTIL.
TRJSCAN.
UP2DATE.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCHK.
VCRMON.
VETTRAY.
VIRUSKEEPER.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBPROXY.
WEBSCANX.
WEBTRAP.
WGFE95.
WINAW32.
WINROUTE.
WINSS.
WINSSNOTIFY.
WRADMIN.
WRCTRL.
XCOMMSVR.
ZATUTOR.
ZAUINST.
ZLCLIENT.
ZONEALARM.

Executable files are infected by appending the virus code to their last section. Win32/Tanatos searches for executables on local drives and on the network, but it does not infect files in the following folders:

SYSTEM
AHEAD
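Appending the virus body to the last section and redirecting execution to it leaves a mark that a scanner can look for without a signature: the entry point falls in the last section, and that section is typically both writable and executable. The Python script below is an added example, not code from this page or from any AVG tool, that reads the PE header of an image in memory and reports those two conditions. It applies to appending infectors in general rather than to Win32/Tanatos specifically. Because no real infected file is on the page, the script also builds header-only PE32 fixtures (a clean layout and an appended-section layout) with a constructed helper, build_pe; the section names, addresses and sizes are invented for the example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data: bytes):
    """Return (entry_rva, [section dicts]) from the headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                               # optional header start
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
        off += 40
    return entry_rva, sections

def appended_code_indicators(data: bytes) -> list:
    """Heuristics for an appending infector; returns the reasons that fired."""
    entry, secs = parse_sections(data)
    if not secs:
        return ["no sections"]
    last = secs[-1]
    reasons = []
    span = max(last["vsize"], last["rawsize"])
    if last["vaddr"] <= entry < last["vaddr"] + span:
        reasons.append("entry point 0x%x lies in last section '%s'" % (entry, last["name"]))
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("last section '%s' is writable and executable" % last["name"])
    return reasons

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed fixture builder: a header-only PE32 image (no section data,
    not loadable) from (name, vaddr, size, characteristics) tuples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, raw = b"", 0x400
    for name, vaddr, size, chars in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, vaddr, size, raw, 0, 0, 0, 0, chars)
        raw += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: a normal two-section image, and the same image with an
# executable+writable section appended and the entry point moved into it.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)]
INFECTED_SECTIONS = CLEAN_SECTIONS + [(b".xyz", 0x3000, 0x800, 0xE0000020)]
CLEAN_ENTRY, INFECTED_ENTRY = 0x1100, 0x3010

if __name__ == "__main__":
    print("clean:   ", appended_code_indicators(build_pe(CLEAN_SECTIONS, CLEAN_ENTRY)))
    print("infected:", appended_code_indicators(build_pe(INFECTED_SECTIONS, INFECTED_ENTRY)))
```

Packed or self-modifying legitimate programs also put their entry point in a late writable+executable section, so treat a hit as a reason to compare the file against a known-good copy or a vendor scan, not as proof of infection on its own.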

Removing:

If the infected computer is connected to a LAN, unplug it from the LAN and reconnect it only once all computers are clean.

Download the following files: rmtanat.exe and rmtanat.nt.

Update AVG and run a test of the Windows System folder to schedule removal of the infected DLL/OCX library on the next restart.

Restart the computer so that the DLL/OCX file is removed.

Then run the removal tool with the parameter C:\ to heal the infected files. You can specify more drives (example: rmprepnd C:\ D:\).

Check the firewall and update Windows and the antivirus software.

About Virus Worm/Brontok

This type of virus spreads across local networks or over the internet via shared disks. The virus searches for computers in its "neighborhood" with shared network drives and then copies itself onto them.

For prevention as far as possible do not share whole disks, but only selected folders. It is also advisable to use passwords on shared folders.

We recommend you remove the binding to "File and printer sharing" in the Bindings tab under TCP/IP Properties for all TCP/IP protocols (the TCP/IP protocol is usually defined for every LAN or Dial-Up adapter).

Peer-to-peer networks

The next most common method of spreading is through "peer-to-peer" networks (like KaZaA): the virus creates a few copies of itself in folders within the P2P shared system. If these files have alluring names, there is a good chance somebody will download and execute them.

I-Worm/Brontok

This is now the most common type of virus. It spreads as an attachment to an e-mail sent from the infected computer. It is also able to spread by other methods: copying itself to shared network disks on the local network, sending itself via IRC, or placing itself under an alluring name in a folder on a "peer-to-peer" file-sharing system.

E-mail content

The e-mail message created by the virus is often suspect at first glance: it normally contains a few sentences in English trying to convince you to open the attached file.

However, this is not always the case. Some viruses use text, or parts of text, taken at random from files on the infected computer, and some even take an existing message from the Inbox folder. They put this text in the e-mail, attach the infected file and send the virus on by e-mail.

Sender address

The latest viruses send e-mails with a faked sender header, so there is no point in replying with a notice about the infection.

Also, if you are unlucky enough that an I-worm randomly selects your e-mail address for the "sender" header, you will start receiving undeliverable-mail notices (for messages you never sent) or automatic messages from mail servers saying that your e-mail messages are infected.

Outlook & Outlook Express

Because these mail clients are very popular, they act as a magnet for virus writers who abuse their features or security holes. If you use one of these mail clients, it is recommended that you keep it updated with the security updates and service packs released by Microsoft.


Arifin Copyright 2009. Powered by Blogger