Friday, 06 February 2009

FreE_MiNe

The tussle between virus writers and antivirus vendors is like Tom and Jerry. Every time a virus releases a new variant, the antivirus side works out how to eradicate it and how to block it; and every time the antivirus side closes off a propagation route, the virus finds another way through. The same happens with local viruses. Because most of them are written in Visual Basic (VB), many computer users disable MSVBVM60.dll, the runtime file that every VB program (viruses included) needs in order to run. But look at this one: even if you have already deleted MSVBVM60.dll from your computer, so that in theory no VB virus can infect it, this virus carries a backup copy of MSVBVM60.dll in its own directory and can go on infecting your computer.

The general characteristic by which this virus can be recognised is the appearance of a 68 KB duplicate file in every folder and subfolder that contains an MS Word document. Its disguise is so successful that it also changes the displayed file type of the duplicates from "Application" to "Microsoft Word Document", so the user assumes the file is a Word document and suspects nothing. Opening it activates the virus, while the real document will not open (because it has been hidden), which leaves the user thinking the file has been corrupted. (see picture 1)

Picture 1, Sample duplicate files created by FreE_MiNe

FreE_MiNe is written in Visual Basic without compression (no packer), is 68 KB in size, and has the EXE extension with file type "Application". (see picture 2)

Picture 2, the FreE_MiNe parent file

When the file is run, it creates the following files and arranges for them to run automatically every time the computer is turned on or restarted:

- C:\FreE_MiNe.exe (on every drive)

- C:\WINDOWS\system32\LoLOxz\

o smss.exe

o msvbvm60.dll

The msvbvm60.dll in C:\Windows\System32\LoLOxz\ is intended as a backup in case the victim has blocked MSVBVM60.dll (MSVBVM60 = Microsoft Visual Basic Virtual Machine version 6.0), which is an absolute requirement for running any Visual Basic application (viruses included) on a Microsoft OS. So even if the victim tries to prevent infection by VB viruses by blocking or removing msvbvm60.dll from C:\Windows\System32, the virus stays active thanks to its backup copy of msvbvm60.dll. This works because, when resolving a DLL import, Windows looks in the directory the executable was loaded from before it looks in the system directory, so the copy beside smss.exe is found first. (The name smss.exe copies that of the Windows Session Manager, but the genuine one sits directly in C:\WINDOWS\system32, never in a subfolder; the path gives it away.)

To make sure the virus file is run automatically, FreE_MiNe creates the following strings in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

- shell = explorer.exe C:\WINDOWS\system32\LoLOxz\smss.exe

- system = C:\WINDOWS\system32\LoLOxz\smss.exe

- userinit = userinit,C:\WINDOWS\system32\LoLOxz\smss.exe

To trick the user, at a predetermined time FreE_MiNe removes the string C:\WINDOWS\system32\LoLOxz\smss.exe from these values again, so that a user who checks the registry is all the more convinced that the virus has created no entries there.

To make its job easier, FreE_MiNe also tries to block some Windows functions, but it only blocks Find/Search, CMD and Folder Options.

To do this it creates the following strings in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced

- HideFileExt

- ShowSuperHidden

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

- NoFind = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

- DisableCMD =1

Although the virus is not active in "Safe Mode with Command Prompt", it tries to block access to that mode as well by blocking cmd.exe (the repair script further down restores the SafeBoot AlternateShell value to cmd.exe for this reason).

Message from the creator of the virus

The virus author also leaves a message stored in the body of the virus. The message from the virus maker reads as follows:

FreE_MiNe From Picture Village

A message from another world

The silence of the night grows ever deeper

Like white clouds in the sky

Adding to the tightness of my chest as I hold my breath

The breath of longing, the breath of love and the breath of loneliness

At every hour and every moment it never stops

Just like my blood, which is always

Faithful to the body

Just like my desire

Which I long ever more to reach

But all of it comes to NOTHING

Picture Worms Vill

Message me,, Attention Please ..

This is for my friends

Friends who are IT newbies

Relax, this worm is not dangerous to your PC.

The main thing is that you don't mess about

If you want to play rough, I can do that too..wee

Creating duplicate files and hiding MS Word documents

As the final goal of its adventure, the virus creates a duplicate file in every folder and subfolder that contains an MS Word document: about 68 KB in size, with the EXE extension and the same name as the original file, to fool the user. It then disguises the file type, changing it from "Application" to "Microsoft Word Document", so the user believes the duplicate is the original. Running the file activates the virus, while the contents of the original document cannot be opened. So where does the original go? The virus apparently has no intention of damaging or destroying the victim's files: the original is not deleted but left, hidden, in the same folder.

To change the displayed file type it modifies the following string in the registry: (see picture 3)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

- [Default] = Microsoft Word Document

Picture 3, sample FreE_MiNe duplicate files; the duplicates and the real application files both show the file type Microsoft Word Document

In addition, it changes the InfoTip and TileInfo strings of the exe file type in the registry as follows (see figures 4 and 5). Note that HKEY_CLASSES_ROOT\exefile is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile (plus the per-user Classes key), so the two listings below describe the same change:

HKEY_CLASSES_ROOT\exefile

- infotip = prop:FileDescription;Size

- TileInfo = prop:FileDescription;Size

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

- infotip = prop:FileDescription;Size

- TileInfo = prop:FileDescription;Size

Picture 4, InfoTip and TileInfo after being altered by FreE_MiNe

Picture 5, InfoTip and TileInfo before being altered by FreE_MiNe
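The Winlogon entries, the Find/CMD/Folder Options policies and the exefile changes described above can all be checked in one pass. The script below is an added example written for this page, not Vaksincom's tool: it compares a snapshot of those keys against the clean defaults (the same defaults the repair.inf later in this article restores) and reports every deviation. On Windows it reads the live registry with the standard winreg module; elsewhere it runs on a constructed snapshot that reproduces the values reported above. Treating "userinit" without ".exe" as legitimate, and reporting HideFileExt=1 / ShowSuperHidden=0 (which are Windows defaults, but exactly what the decoys rely on) as findings, are this example's own choices.

```python
import re

# Keys the article lists as tampered with. HKEY_CLASSES_ROOT\exefile is a
# merged view of HKLM\SOFTWARE\Classes\exefile, so it is checked once.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POL_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXEFILE = r"HKLM\SOFTWARE\Classes\exefile"
KEYS = (WINLOGON, POL_EXPLORER, POL_SYSTEM, ADVANCED, EXEFILE)
CLEAN_TIP = "prop:FileDescription;Company;FileVersion;Create;Size"  # as repair.inf restores


def _programs(data):
    """Split a Shell (space-separated) or Userinit (comma-separated) value.
    Assumption: no quoted paths with spaces (true of the stock values and of
    the entries FreE_MiNe appends)."""
    return [t.strip('"') for t in re.split(r"[,\s]+", str(data or "")) if t]


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(snapshot):
    """snapshot: {key_path: {value_name: data}}, value names case-insensitive.
    Returns a list of (key, value_name, observed, reason), one per deviation."""
    snap = {k: {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}

    def get(key, name, default=None):
        return snap.get(key, {}).get(name.lower(), default)

    findings = []
    # 1. Winlogon: every program named in Shell/Userinit starts at logon.
    for name, allowed in (("Shell", {"explorer.exe"}),
                          ("Userinit", {"userinit.exe", "userinit"})):
        data = get(WINLOGON, name, "")
        extra = [p for p in _programs(data) if _base(p) not in allowed]
        if extra:
            findings.append((WINLOGON, name, data, "extra logon program: " + ", ".join(extra)))
    if get(WINLOGON, "System"):
        findings.append((WINLOGON, "System", get(WINLOGON, "System"), "should be empty"))
    # 2. Policies and Explorer settings the virus relies on to stay unnoticed.
    for key, name in ((POL_EXPLORER, "NoFind"), (POL_SYSTEM, "DisableCMD")):
        if get(key, name, 0):
            findings.append((key, name, get(key, name), "Windows feature disabled by policy"))
    for name, good in (("HideFileExt", 0), ("ShowSuperHidden", 1)):  # defaults are 1 and 0
        if get(ADVANCED, name, 1 - good) != good:
            findings.append((ADVANCED, name, get(ADVANCED, name, 1 - good),
                             "Explorer hides extensions or hidden/system files"))
    # 3. exefile class: the type name and tooltip Explorer shows for any .exe.
    if get(EXEFILE, "", "Application") != "Application":
        findings.append((EXEFILE, "(Default)", get(EXEFILE, ""), "type name of .exe files changed"))
    for name in ("InfoTip", "TileInfo"):
        if get(EXEFILE, name, CLEAN_TIP) != CLEAN_TIP:
            findings.append((EXEFILE, name, get(EXEFILE, name), "tooltip hides Company/FileVersion"))
    return findings


def read_live_snapshot():
    """Windows only: read the keys above from the live registry."""
    import winreg  # ImportError outside Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key in KEYS:
        root, sub = key.split("\\", 1)
        try:
            handle = winreg.OpenKey(hives[root], sub)
        except OSError:
            continue  # key absent: nothing to report for it
        values, i = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(handle, i)  # default value has name ""
            except OSError:
                break
            values[name] = data
            i += 1
        snap[key] = values
    return snap


# Constructed snapshot reproducing the values the article reports (not a
# capture from a real machine), and a clean one for comparison.
INFECTED = {
    WINLOGON: {"shell": r"explorer.exe C:\WINDOWS\system32\LoLOxz\smss.exe",
               "userinit": r"userinit,C:\WINDOWS\system32\LoLOxz\smss.exe",
               "system": r"C:\WINDOWS\system32\LoLOxz\smss.exe"},
    POL_EXPLORER: {"NoFind": 1},
    POL_SYSTEM: {"DisableCMD": 1},
    ADVANCED: {"HideFileExt": 1, "ShowSuperHidden": 0},
    EXEFILE: {"": "Microsoft Word Document", "InfoTip": "prop:FileDescription;Size",
              "TileInfo": "prop:FileDescription;Size"},
}
CLEAN = {
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,", "System": ""},
    ADVANCED: {"HideFileExt": 0, "ShowSuperHidden": 1},
    EXEFILE: {"": "Application", "InfoTip": CLEAN_TIP, "TileInfo": CLEAN_TIP},
}

if __name__ == "__main__":
    try:
        snapshot = read_live_snapshot()
    except ImportError:
        snapshot = INFECTED  # not on Windows: demonstrate on the sample
    for key, name, observed, why in audit(snapshot):
        print(f"{key}\n  {name} = {observed!r}  <- {why}")
```

Run on the constructed snapshot the script reports ten deviations, one per value listed in the article; on a machine with nothing but the Windows defaults it still reports the two Explorer display settings, which is deliberate: as long as extensions and system files are hidden, a 68 KB "Laporan" with a Word icon is indistinguishable from the document it replaced.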

So that it is activated automatically whenever the user opens a drive or a flash disk, FreE_MiNe uses the Windows AutoRun feature: it creates an autorun.inf file in the root of every drive, such as C:\ or D:\, and on every flash disk. The autorun.inf contains the script that runs FreE_MiNe.exe. (see picture 6)

Picture 6, autorun.inf file to automatically run the virus
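An autorun.inf is a plain INI file, and reading it by hand shows exactly what a flash disk will launch. The parser below is an added example for this page, not code from the article; the two autorun.inf texts in it are constructed (the article only states that the file runs FreE_MiNe.exe), and the open=, shellexecute= and shell\<verb>\command= entries it looks for are the ones Windows honours, not anything specific to this virus.

```python
# Constructed sample in the style of a worm's autorun.inf. The article only
# says the file runs FreE_MiNe.exe; the exact content is not shown there.
SAMPLE = """\
[autorun]
open=FreE_MiNe.exe
shellexecute=FreE_MiNe.exe
shell\\open\\command=FreE_MiNe.exe
shell\\explore\\command=FreE_MiNe.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# A CD-ROM installer's autorun.inf, for comparison (also constructed).
INSTALLER = """\
[autorun]
open=setup.exe
icon=setup.exe,0
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Mirrors how the shell reads the file: only the [autorun] section counts,
    key names are case-insensitive, ';' starts a comment, and the first
    occurrence of a key wins. Junk lines without '=' (a common obfuscation)
    are skipped.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def _is_verb_command(key):
    return key.startswith("shell\\") and key.endswith("\\command")


def launched_programs(text):
    """Every command the file asks the shell to run, in file order: open=
    (AutoRun), shellexecute= (AutoPlay) and each shell\\<verb>\\command=
    (the drive's context-menu verbs, which also hijack a plain double-click)."""
    return [value for key, value in parse_autorun(text).items()
            if key in ("open", "shellexecute") or _is_verb_command(key)]


def hijacked_verbs(text):
    """Context-menu verbs redirected to a program (open, explore, ...).
    An installer disc sets open= but never rewrites these."""
    return [key.split("\\")[1] for key in parse_autorun(text) if _is_verb_command(key)]


if __name__ == "__main__":
    for label, text in (("worm", SAMPLE), ("installer", INSTALLER)):
        print(label, "launches", launched_programs(text),
              "| hijacked verbs:", hijacked_verbs(text))
```

The telling difference between the two samples is the shell\<verb>\command entries: an installer disc sets open= so that AutoRun starts setup.exe, but only a worm rewrites the Open and Explore verbs so that every way of opening the drive launches it. Setting NoDriveTypeAutoRun to 0xFF (255), as the repair.inf in this article does, disables AutoRun for every drive type so the open= entry never fires at all.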

FreE_MiNe also adds the line @echo off to C:\autoexec.bat so that the computer displays no message on screen at boot. (see figure 7)

Picture 7, the line added by FreE_MiNe

Distribution media

To spread itself, FreE_MiNe uses flash disks as its medium, creating the following files on them:

- Autorun.inf (containing the script that runs FreE_MiNe.exe automatically when the user opens the flash disk)

- FreE_MiNe.exe

In addition it hides the MS Word documents in every folder and subfolder and, to deceive the user, creates in each folder a duplicate whose name matches that of the hidden document.

How to get rid of FreE_MiNe

  1. Disable "System Restore" for the duration of the cleaning process.
  2. Stop the virus running in memory. Use the "Security Task Manager" tool to kill it. Kill the processes that carry the MS Word icon as follows: (see figures 8 and 9)

    1. Select the virus process to stop
    2. Right-click on the process
    3. Click "Remove"
    4. On the "Remove" screen, select the option "Move files to Quarantine" so the file is taken off disk as well
    5. Click the "Ok" button

Picture 8, stopping the virus with "Security Task Manager"

Picture 9, select the option "Move files to Quarantine" to remove the virus

Security Task Manager can be downloaded from:

http://www.neuber.com/taskmanager/download.html

  3. Fix the registry entries modified or created by the virus. To speed up the repair, copy the script below into Notepad, save it as repair.inf, and run it as follows:

    1. Right-click repair.inf
    2. Click Install

Besides undoing the values listed above, the script also resets the shell\open\command handlers for .bat, .com, .exe, .pif and .scr files to their defaults, restores the Safe Mode AlternateShell to cmd.exe, and sets NoDriveTypeAutoRun to 255 (0xFF), which turns AutoRun off for every drive type so that an autorun.inf on a flash disk can no longer launch the virus.

[Version]

Signature="$Chicago$"

Provider=Vaksincom Oyee

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit,0, "userinit.exe,"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, system,0, ""

HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255

HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255

HKLM, SOFTWARE\Classes\exefile,,,"Application"

HKLM, SOFTWARE\Classes\exefile,InfoTip,0,"prop:FileDescription;Company;FileVersion;Create;Size"

HKLM, SOFTWARE\Classes\exefile,TileInfo,0,"prop:FileDescription;Company;FileVersion;Create;Size"

[del]

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD

  4. Find and delete the parent file and the duplicates using Find/Search. If this function is still disabled, log off and back on first. Before searching, enable the display of hidden files in Folder Options (see picture 10)

Picture 10, showing hidden files via Folder Options

then locate and delete the files with the following characteristics:

    1. MS Word icon
    2. Size 68 KB
    3. File type "Application"

You can also use Norman Malware Cleaner to eradicate FreE_MiNe from your computer; it can be downloaded free of charge from http://download.norman.no/public/Norman_Malware_Cleaner.exe

  5. Delete the file "Autorun.inf" on every drive and the file C:\msvbvm60.dll, and remove the C:\WINDOWS\system32\LoLOxz folder (smss.exe and the backup msvbvm60.dll) that the virus created.
  6. Remove the @echo off line from C:\Autoexec.bat, as follows:
    1. Right-click the file C:\Autoexec.bat
    2. Click the "Edit" menu
    3. Delete the line @echo off
    4. Click the "File" menu
    5. Click "Save"

  7. Unhide the MS Word documents (*.doc) that FreE_MiNe hid by running attrib -s -h -r *.doc /s (shows only the Word documents on the chosen drive or folder) or attrib -s -h -r /s /d (shows all files and folders on the chosen drive or folder) at the DOS prompt. (see picture 11)

Picture 11, showing the MS Word documents (*.doc) hidden by FreE_MiNe

  8. For thorough cleaning and to prevent re-infection, install an up-to-date antivirus that can detect and identify this virus.
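The duplicate-and-hide trick described earlier (under "Creating duplicate files and hiding MS Word documents" and again under "Distribution media") is mechanical enough to detect and undo with a script, which is what steps 4 and 7 above do by hand. The example below is added for this page and is not Vaksincom's or Norman's tool: find_decoys() flags a 68 KB .exe only when a hidden .doc with the same name sits beside it, plan_cleanup() produces the delete and unhide steps, and apply() carries them out (dry-run by default; the unhide path calls SetFileAttributesW and only works on Windows). The directory listing it runs on is constructed, and the 8 KB size tolerance is an assumption.

```python
import ctypes
import ntpath
import os

# Win32 FILE_ATTRIBUTE_* bits (the ones attrib -s -h -r clears).
READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4
DECOY_SIZE = 68 * 1024   # article: the duplicates are about 68 KB
SLACK = 8 * 1024         # assumption: tolerance around that size


def _key(path):
    """((directory, stem) lower-cased, extension), using Windows path rules."""
    directory, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    return (directory.lower(), stem.lower()), ext.lower()


def find_decoys(entries):
    """entries: iterable of (path, size, win32_attributes).
    Returns [(decoy_exe, hidden_doc)] pairs.

    A decoy is an .exe of roughly DECOY_SIZE bytes whose folder also holds a
    hidden .doc with the same stem. The hidden twin is the deciding signal:
    a 68 KB .exe with no hidden .doc beside it is left alone.
    """
    hidden_docs, candidates = {}, []
    for path, size, attrs in entries:
        key, ext = _key(path)
        if ext == ".doc" and attrs & HIDDEN:
            hidden_docs[key] = path
        elif ext == ".exe" and abs(size - DECOY_SIZE) <= SLACK:
            candidates.append((key, path))
    return [(exe, hidden_docs[key]) for key, exe in candidates if key in hidden_docs]


def plan_cleanup(entries):
    """Actions in the order the article performs them: delete every decoy,
    then clear the hidden bit on every hidden .doc (attrib -s -h -r *.doc /s)."""
    actions = [("delete", exe) for exe, _ in find_decoys(entries)]
    actions += [("unhide", path) for path, _, attrs in entries
                if _key(path)[1] == ".doc" and attrs & HIDDEN]
    return actions


def scan_tree(root):
    """Windows only: list (path, size, attributes) for every file under root."""
    found = []
    for directory, _, files in os.walk(root):
        for name in files:
            path = os.path.join(directory, name)
            st = os.stat(path)
            found.append((path, st.st_size, getattr(st, "st_file_attributes", 0)))
    return found


def apply(actions, dry_run=True):
    """Carry out the plan; with dry_run (the default) only report it.
    Returns the number of actions handled."""
    for what, path in actions:
        print(("[dry-run] " if dry_run else "") + f"{what}: {path}")
        if dry_run:
            continue
        if what == "delete":
            os.remove(path)
        else:  # same effect as attrib -s -h -r on the file
            attrs = os.stat(path).st_file_attributes
            ctypes.windll.kernel32.SetFileAttributesW(path, attrs & ~(HIDDEN | SYSTEM | READONLY))
    return len(actions)


# Constructed listing (not a capture): two decoys, one 68 KB .exe whose
# namesake .doc is not hidden (not flagged), a hidden document whose decoy
# is already gone, and an ordinary program.
SAMPLE = [
    (r"C:\Docs\Laporan.doc", 45_000, HIDDEN | SYSTEM | READONLY),
    (r"C:\Docs\Laporan.exe", 69_632, 0),
    (r"C:\Docs\Budget.doc", 12_000, 0),
    (r"C:\Docs\Budget.exe", 69_632, 0),
    (r"C:\Docs\Notes.doc", 3_000, HIDDEN),
    (r"C:\Tools\putty.exe", 480_000, 0),
    (r"C:\Docs\Sub\Skripsi.doc", 80_000, HIDDEN | SYSTEM),
    (r"C:\Docs\Sub\Skripsi.exe", 68 * 1024, 0),
]

if __name__ == "__main__":
    import sys
    entries = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    apply(plan_cleanup(entries), dry_run=True)
```

Run with a drive letter or folder as its argument on Windows it lists what it would delete and unhide; pass dry_run=False to apply() once the list looks right. The decoy check is deliberately narrow: a hidden .doc beside a same-named .exe is the article's own signature, whereas size and icon alone would also match legitimate small programs.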
