Friday, 06 February 2009

FreE_MiNe

Antivirus activists and virus writers are like Tom and Jerry: every time a virus releases a new variant, the antivirus releases a way to eradicate it and prevent it, and every time the antivirus releases a way to prevent the spread of a virus, the virus finds another way to get past it. This also happens with locally spread viruses. Because the majority of them are written in Visual Basic (VB), many computer users disable MSVBVM60.dll, a file that every VB program (including viruses) needs in order to run on the computer. But look at this one virus: even if you have already deleted MSVBVM60.dll from your computer, so that in theory a VB virus can no longer infect it, this virus carries its own backup copy of MSVBVM60.dll, placed in a different directory, so that it can keep infecting your computer.

The general characteristic by which this virus can be identified is the appearance of a duplicate file in every folder and subfolder that contains an MS Word file. The duplicate is 68 KB in size, and its disguise is so successful because the virus changes the displayed file type of the duplicates from "Application" to "Microsoft Word Document", so the user believes the file is the MS Word file and opens it without suspicion, which activates the virus. The original file is not opened (because it has been hidden), so the user will think the file has been corrupted. (see picture 1)

Picture 1, Sample duplicate files created by FreE_MiNe

The FreE_MiNe program is written in Visual Basic, without compression, with a size of 68 KB; the file has the EXE extension and the file type "Application". (see picture 2)

Picture 2, Parent file of FreE_MiNe

If the file is run, it will create the following parent files, which are run automatically every time the computer is turned on or restarted:

- C:\FreE_MiNe.exe (all drives)

- C:\WINDOWS\system32\LoLOxz

o smss.exe

o msvbvm60.dll

The msvbvm60.dll file that is executed from the directory C:\Windows\System32\LoLOxz\ above is intended as a backup, in case the victim's computer blocks MSVBVM60.dll (MSVBVM60 = Microsoft Visual Basic Virtual Machine version 6.0), which is an absolute requirement for running Visual Basic applications (including viruses) on Microsoft operating systems. So even if the victim tries to prevent VB virus infections by blocking msvbvm60.dll in the directory C:\Windows\System32, the virus remains active because it has its own backup msvbvm60.dll.

To ensure that the virus file is run automatically, FreE_MiNe creates the following strings in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

- shell = explorer.exe C:\WINDOWS\system32\LoLOxz\smss.exe

- system = C:\WINDOWS\system32\LoLOxz\smss.exe

- userinit = userinit,C:\WINDOWS\system32\LoLOxz\smss.exe

To mislead the user, at a predetermined time FreE_MiNe removes the string C:\WINDOWS\system32\LoLOxz\smss.exe from these values, so that the user is more inclined to think that the virus has not created any string in the registry.

To smooth its operation, FreE_MiNe also tries to block some Windows functions, but this virus only blocks "Find/Search", CMD and Folder Options.

To do this it creates the following strings in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced

- HideFileExt

- ShowSuperHidden

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

- NoFind = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

- DisableCMD =1

Although the virus is not active in "Safe Mode with Command Prompt", it attempts to block access to that mode by blocking the file cmd.exe.

Message from the creator of the virus

The creator of the virus also leaves a message stored in the body of the virus; the following is the message the virus maker (VM) wants to deliver:

FreE_MiNe From Picture Village

A message from another world

The silence of the night growing late

Like white clouds in the sky

Adds to the tightness of my chest holding its breath

Breath of longing, breath of love and breath of loneliness

Every time and every moment, never stopping

Just like my blood that is always

Faithful to the body

Just like my desire

which I want more and more to reach

but all of it is NOTHING

Picture Worms Vill

Message me,, Attention Please ..

This is for my fellow IT newbies

Relax, this worm is not dangerous to your PC.

As long as you don't mess around

If you want to play rough, I can too..wee

Creating duplicate files and hiding MS Word files

As the final goal of its adventure, the virus creates a duplicate file in every folder and subfolder that contains an MS Word file. The duplicate is about 68 KB in size, has the EXE extension and carries the same name as the original file in order to trick the user, and the virus disguises the file type from "Application" to "Microsoft Word Document" so that the user thinks the file is the original. If the file is executed it activates the virus, while the contents of the original file cannot be opened. So where has the original file gone? It seems the virus does not intend to damage or destroy the files on the victim's computer: the original file is not deleted, but hidden in the same folder.

To change the displayed file type, it modifies the following string in the registry: (see picture 3)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

- [Default] = Microsoft Word Document

Picture 3, Sample FreE_MiNe duplicate files and application files share the same file type, Microsoft Word Document

In addition it also changes the infotip and tileinfo strings of the exe file type in the following registry keys: (see pictures 4 and 5)

HKEY_CLASSES_ROOT\exefile

- infotip = prop:FileDescription;Size

- TileInfo = prop:FileDescription;Size

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

- infotip = prop:FileDescription;Size

- TileInfo = prop:FileDescription;Size

Picture 4, InfoTip and TileInfo that have been altered by FreE_MiNe

Picture 5, InfoTip and TileInfo before being altered by FreE_MiNe

So that it is activated automatically when the user accesses a drive or flash disk, FreE_MiNe uses the Windows autorun feature: it creates an autorun.inf file in the root of each drive, such as C:\ or D:\, and on the flash disk. The autorun.inf file contains a script that runs FreE_Mine.exe. (see picture 6)

Picture 6, autorun.inf file to automatically run the virus

FreE_MiNe also adds the line @echo off to the file C:\autoexec.bat so that the computer does not display messages on the screen. (see picture 7)

Picture 7, the script added by FreE_MiNe

Distribution Media

To spread itself, FreE_MiNe uses flash disks as its medium, creating the following files on them:

- Autorun.inf (containing the script that runs FreE_MiNe.exe automatically when the user accesses the flash disk)

- FreE_MiNe.exe

In addition, it hides the MS Word files in every folder and subfolder to trick the user, and creates duplicates in every folder and subfolder whose names match the MS Word files that were hidden.
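The duplicate-and-hide pattern described above can be checked for on a drive with a script. The following PowerShell script is an added example, not part of the original article or of any Vaksincom tool; the script name, the size tolerance and the decision to only report (never delete) the suspect .exe files are assumptions, and the hidden documents' attributes are restored only when the twin matches the pattern.

```powershell
# Added example, not from the original article: audit a folder tree for the
# FreE_MiNe duplicate-file pattern (a hidden *.doc next to a *.exe of the same
# name and about 68 KB) and restore the attributes of the hidden documents.
# Nothing is deleted: suspect .exe files are only listed so they can be
# quarantined by hand or by an antivirus product. Run from an elevated prompt:
#   .\Find-FreeMineTwins.ps1 -Root 'D:\' -WhatIf
# (script name and the +/- 4 KB tolerance are assumptions; the article only
# gives the size as "68 KB" as shown by Explorer).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Root,
    [int]$SuspectSizeKB = 68,
    [int]$ToleranceKB = 4
)

$minBytes = ($SuspectSizeKB - $ToleranceKB) * 1KB
$maxBytes = ($SuspectSizeKB + $ToleranceKB) * 1KB
$hiddenMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly)

# -Force makes Get-ChildItem return Hidden/System files, which is exactly what
# the virus relies on the user not seeing. PSIsContainer is used instead of
# -File so the script also works on the PowerShell 2.0 of Windows XP/Vista.
$docs = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.doc' }

$findings = foreach ($doc in $docs) {
    $twinPath = Join-Path $doc.DirectoryName ($doc.BaseName + '.exe')
    if (-not (Test-Path -LiteralPath $twinPath)) { continue }
    $twin = Get-Item -LiteralPath $twinPath -Force
    New-Object PSObject -Property @{
        Document    = $doc.FullName
        Duplicate   = $twin.FullName
        ExeKB       = [math]::Round($twin.Length / 1KB, 1)
        SizeMatches = ($twin.Length -ge $minBytes) -and ($twin.Length -le $maxBytes)
        DocHidden   = (($doc.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    }
}

if (-not $findings) {
    Write-Host "No *.doc / *.exe twins found under $Root"
    return
}

$findings | Sort-Object SizeMatches -Descending |
    Format-Table Document, ExeKB, SizeMatches, DocHidden -AutoSize

# Restore only the documents whose twin matches the pattern; -WhatIf previews.
$hits = $findings | Where-Object { $_.SizeMatches -and $_.DocHidden }
foreach ($hit in $hits) {
    if ($PSCmdlet.ShouldProcess($hit.Document, 'Clear Hidden/System/ReadOnly attributes')) {
        $item = Get-Item -LiteralPath $hit.Document -Force
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenMask))
    }
    Write-Warning "Suspect duplicate left in place for quarantine: $($hit.Duplicate)"
}

# FreE_MiNe also drops autorun.inf and FreE_MiNe.exe in every drive root.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    foreach ($name in 'autorun.inf', 'FreE_MiNe.exe') {
        $p = Join-Path $_.Root $name
        if (Test-Path -LiteralPath $p) { Write-Warning "Found $p in drive root" }
    }
}
```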

How to conquer FreE_MiNe

  1. Disable "System Restore" during the cleaning process
  2. Kill the virus that is active in memory. Use the tool "Security Task Manager" to kill the virus. Kill the virus processes that have the MS Word icon as follows: (see pictures 8 and 9)

    1. Select the virus process to be killed
    2. Right-click on the process
    3. Click "Remove"
    4. On the "Remove" screen, select the option "Move files to Quarantine" to delete the file directly.
    5. Click the "Ok" button

Picture 8, the process of killing the virus using "Security Task Manager"

Picture 9, Select the option "Move files to Quarantine" to remove the virus

Security Task Manager can be downloaded from:

http://www.neuber.com/taskmanager/download.html

  3. Fix the registry entries modified or created by the virus. To speed up the registry repair, copy the script below into Notepad, save it with the name repair.inf, and run the file by:

    1. Right-clicking repair.inf
    2. Clicking Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit,0, "userinit.exe,"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, system,0, ""
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,InfoTip,0,"prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0,"prop:FileDescription;Company;FileVersion;Create;Size"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD

  4. Find and delete the parent file and the duplicate files of the virus with the Find/Search function. If this function is not active, log off the computer first. Before using Find/Search, do not forget to show hidden files first from Folder Options (see picture 10)

Picture 10, Setting the display of hidden files from Folder Options

then locate and delete the files that have the following characteristics:

    1. MS Word icon
    2. Size 68 KB
    3. File type "Application"

You can also use Norman Malware Cleaner to eradicate the FreE_MiNe virus from your computer; it can be downloaded for free from http://download.norman.no/public/Norman_Malware_Cleaner.exe

  5. Delete the file "Autorun.inf" on all drives and the file C:\msvbvm60.dll
  6. Remove the @echo off line from the file C:\Autoexec.bat, as follows:
    1. Right-click the file C:\Autoexec.bat
    2. Click the "Edit" menu
    3. Delete the line @echo off
    4. Click the "File" menu
    5. Click "Save"

  7. Unhide the MS Word files (*.doc) that FreE_MiNe hid by running the command attrib -s -h -r *.doc /s (shows only the MS Word files in the specified drive/folder) or attrib -s -h -r /s /d (shows all files and folders in the specified drive/folder) at the DOS prompt. (see picture 11)

Picture 11, Showing the MS Word files (*.doc) hidden by FreE_MiNe

  8. For optimal cleaning and to prevent re-infection, install an up-to-date antivirus that is able to detect and identify this virus.

VBS/Autorun.AO (huhuhaha)

A virus that can turn your Windows Vista into Windows XP

Who says Windows Vista is secure from viruses? At launch, Windows Vista may have been claimed to be safe from viruses, but time has proved that nothing man-made is perfect, and it was only a matter of time until someone explored the OS and found a way to exploit it. This is evident from the Huhuhaha virus, which is currently spreading in Indonesia and cripples the UAC (User Account Control) of Windows Vista, the feature that is meant to prevent unwanted programs from running automatically without the computer user's consent.

Perhaps related to the global crisis the world is going through at the moment (especially the computer world), this virus is a VBS virus with the theme "HUHUHAHA". Norman Security Suite detects the "huhuhaha" virus variant as VBS/Autorun.AO. (see picture 1)

Picture 1, Norman Security Suite detect as VBS/Autorun.AO

Virus File Characteristics

The Huhuhaha virus is written in the VBScript programming language. The virus file is 6 KB in size, and to spread automatically it creates an accompanying "autorun.inf" file that contains the script to run the virus file.

If the virus infects successfully, it creates the following files, among others:

· autorun.inf (all root drive)

· huhuhaha.vbs (all root drive)

· C:\WINDOWS\system32\XpWin.vbs

The virus also copies the files "autorun.inf" and "huhuhaha.vbs" to every USB flash drive plugged into the infected computer. All virus files have the RHSA file attributes (Read-only, Hidden, System, Archive), so they do not appear unless the user chooses to display hidden files. (see picture 2)

Picture 2, Virus file huhuhaha or VBS/Autorun.AO

Symptoms of the virus

· Displays the virus's text in the "Run" menu. (see picture 3)

Picture 3, Virus text in the Run menu

· Disables System Restore. This is done so that the user cannot restore the Windows system settings to how they were before the virus infection.

· Adds header text to Internet Explorer. (see picture 4)

Picture 4, Header text on Internet Explorer

· Disables the UAC (User Account Control) function on Windows Vista. UAC is a feature of Windows Vista that Microsoft claims makes Vista more secure than Windows XP. The difference is a Windows pop-up that stops a program (whether or not it is a virus) from running automatically, so that the computer user can still approve or deny the program. In many virus attacks, users who are annoyed by the repeated Vista UAC warnings (because the virus keeps trying to infect the system) tend to ignore the UAC warning and allow the program to run. In the case of the Huhuhaha virus, UAC was considered such an obstacle by the virus that it had to be disabled to smooth its local distribution. This again proves that in principle no OS is safe from virus attacks. The question is not "which OS is safe from virus attacks?" but "does the virus want to attack that OS or not?". (see picture 5)

On Vista, this feature is used so that the user can run programs or Windows commands that need administrator rights. Full article: http://www.microsoft.com/windows/windows-vista/features/user-account-control.aspx

Picture 5, UAC (User Account Control) that Huhuhaha attempts to disable

· Changes the name the computer is registered to into the virus's text. (see picture 6)

Picture 6, "Registered to:" information altered by huhuhaha

· Disables the "safe mode" function and makes Windows "blue screen". When the user tries to log in through safe mode, the blue screen will appear. (see picture 7)

Picture 7, Blue screen caused by Huhuhaha when the user enters safe mode

· Disables the Security Center notifications for Automatic Updates, Firewall and antivirus software.

Distribution Method

Like other local viruses, Huhuhaha still uses USB flash drives as its distribution medium. The virus creates the files "autorun.inf" and "huhuhaha.vbs" on every USB flash drive plugged into the infected computer. Both files are activated automatically just by accessing the USB drive.

Registry Modifications

To run every time the computer starts, the virus creates the following strings:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Ageia = C:\WINDOWS\system32\XpWin.vbs

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Systemdir = C:\WINDOWS\huhuhaha.vbs

To be able to appear in the Run menu, the virus creates the following string:

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunMRU

a = huhuhaha

Although it does not disable Windows functions such as Task Manager, Folder Options, regedit, etc., it disables System Restore by creating the following string:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

DisableSR = 1

And it disables the UAC (User Account Control) function by creating the following string:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA = 0x00000000

In addition, the virus adds caption text to Internet Explorer by creating the following string:

· HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Window Title = huhuhaha

Then, the virus also changes the computer registration with the following strings:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

RegisteredOrganization = huhuhaha

RegisteredOwner = huhuhaha

So that the virus text appears at Windows login, the virus creates the following strings:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

LegalNoticeCaption = huhuhaha virus

LegalNoticeText = huhuhaha

To disable the safe mode function, it deletes the following strings:

· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell

· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell

· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell

And it deletes the following keys:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

Finally, the virus tries to turn off the Security Center notification functions by creating the following strings:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

AntivirusDisableNotify = 1

FirewallDisableNotify = 1

UpdatesDisableNotify = 1
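The registry changes listed above for huhuhaha, together with those listed for FreE_MiNe earlier on this page (Winlogon, Policies, exefile), can be audited in one read-only pass. The following PowerShell script is an added example, not from the original article; the expected values follow the article's repair.inf scripts, while the check modes and the regular expressions are assumptions.

```powershell
# Added example, not from the original article: a read-only audit of the registry
# values that FreE_MiNe and huhuhaha are described as changing. It reports what
# deviates from the defaults restored by the article's repair.inf scripts and
# changes nothing. Check modes and regexes are assumptions made for this audit.
$checks = @(
    # Mode 'Match': value (absent = "") must match the regex, case-insensitive
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Mode = 'Match'; Expect = '^explorer\.exe$' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Mode = 'Match'; Expect = '^([a-z]:\\[^,]*\\)?userinit\.exe,?$' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'System';   Mode = 'Match'; Expect = '^$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile';                    Name = '(default)';      Mode = 'Match'; Expect = '^Application$' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';   Name = 'AlternateShell'; Mode = 'Match'; Expect = '^cmd\.exe$' },
    # Mode 'Absent': the value should not exist at all
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Ageia';        Mode = 'Absent' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Systemdir';    Mode = 'Absent' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunMRU'; Name = 'a';         Mode = 'Absent' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';     Name = 'Window Title'; Mode = 'Absent' },
    # Mode 'NotSet': suspect only if present and non-zero (policy switches)
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';     Mode = 'NotSet' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD'; Mode = 'NotSet' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';  Mode = 'NotSet' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Mode = 'NotSet' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Mode = 'NotSet' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Mode = 'NotSet' },
    # Mode 'NotZero': suspect only if present and zero (EnableLUA is absent on XP)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Mode = 'NotZero' },
    # Mode 'KeyExists': huhuhaha deletes these whole keys, which breaks safe mode
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'; Mode = 'KeyExists' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'; Mode = 'KeyExists' }
)

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # Get-ItemProperty exposes the key's default value under the name "(default)"
    $prop = $props.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Test-RegCheck {
    param([hashtable]$Check)
    $actual = $null
    if ($Check.Mode -ne 'KeyExists') { $actual = Get-RegValueOrNull $Check.Key $Check.Name }
    $ok = switch ($Check.Mode) {
        'KeyExists' { Test-Path -LiteralPath $Check.Key }
        'Match'     { "$actual" -match $Check.Expect }
        'Absent'    { $null -eq $actual }
        'NotSet'    { ($null -eq $actual) -or ([int]$actual -eq 0) }
        'NotZero'   { ($null -eq $actual) -or ([int]$actual -ne 0) }
    }
    New-Object PSObject -Property @{
        Status = $(if ($ok) { 'OK' } else { 'SUSPECT' })
        Target = $(if ($Check.Name) { "$($Check.Key) -> $($Check.Name)" } else { $Check.Key })
        Actual = $(if ($null -eq $actual) { '<absent>' } else { "$actual" })
    }
}

$results = foreach ($c in $checks) { Test-RegCheck $c }
$results | Sort-Object Status -Descending | Format-Table Status, Target, Actual -AutoSize

$suspect = @($results | Where-Object { $_.Status -eq 'SUSPECT' }).Count
Write-Host "$suspect of $($results.Count) checks look suspect"
exit $(if ($suspect -gt 0) { 1 } else { 0 })
```

A non-zero exit code makes the script usable from a login script or scheduled task; a SUSPECT line is an indicator to investigate, not proof of infection, since administrators also set some of these policy values deliberately.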

Cleaning the Virus

· Disconnect the computer to be cleaned from the network / internet.

· Kill the virus that is active in memory. Use the Windows Task Manager to kill the virus process, named "wscript.exe" (wscript.exe is the Windows file used to run VBScript files). (see picture 8)

Picture 8, Killing the process with Windows Task Manager

· Delete the following virus files:

· autorun.inf (all root drive)

· huhuhaha.vbs (all root drive)

· C:\WINDOWS\system32\XpWin.vbs

Note

· Show hidden files to make it easier to search for the virus files. (The virus files have the Hidden, Archive, System and Read-Only attributes.)

· To make the search easier, use the Windows "Search" facility, filtering for autorun.inf files and *.vbs files that are 6 KB in size.

· Remove the registry strings created by the virus. To do this you can use the registry script below:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

; Without [DefaultInstall] the right-click "Install" action applies nothing
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Security Center and System Restore switches are REG_DWORD (flag 0x00010001)
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, UpdatesDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization, 0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner, 0, "Owner"
; Clear the login notice the virus added (LegalNoticeCaption / LegalNoticeText)
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, LegalNoticeCaption, 0, ""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, LegalNoticeText, 0, ""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore, DisableSR, 0x00010001, 0
; EnableLUA is set back to 1 (UAC on) rather than deleted, so Vista's UAC is restored explicitly
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA, 0x00010001, 1
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
; SafeBoot\Minimal and SafeBoot\Network: the value-name field is left empty so each
; key's (Default) value is written, which is what the original "(default)" lines intended
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000},,,"Universal Serial Bus controller"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318},,,"CD-ROM Drive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318},,,"DiskDrive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318},,,"Standard floppy disk controller"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318},,,"Hdc"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318},,,"Keyboard"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318},,,"Mouse"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318},,,"PCMCIA Adapters"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318},,,"SCSIAdapters"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318},,,"System"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318},,,"Floppy disk drive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F},,,"Volume"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA},,,"Human Interfaces Devices"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys,,,"FSFilter System Recovery"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000},,,"Universal Serial Bus controller"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318},,,"CD-ROM Drive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318},,,"DiskDrive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318},,,"Standard floppy disk controller"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318},,,"Hdc"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318},,,"Keyboard"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318},,,"Mouse"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318},,,"Net"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318},,,"NetClient"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318},,,"NetService"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318},,,"NetTrans"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318},,,"PCMCIA Adapters"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318},,,"SCSIAdapters"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318},,,"System"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318},,,"Floppy disk drive"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F},,,"Volume"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA},,,"Human Interfaces Devices"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys,,,"FSFilter System Recovery"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI,,,"Driver Group"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys,,,"Driver"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt,,,"Service"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC,,,"Service"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\RunMRU, a
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon

Use Notepad, then save it with the name "repair.inf" (set the Save As Type option to All Files to avoid an error). Run repair.inf by right-clicking it, then selecting Install.

· To clean the huhuhaha virus thoroughly and prevent re-infection, use an up-to-date antivirus that detects this virus correctly.

VIRUS W32/Conficker.DV

If you experience one or more of the symptoms below:

1. User accounts in Windows Active Directory (AD) are locked out. Even after an administrator unlocks them, they are locked again.
2. Error messages from Generic Host Process (svchost.exe).
3. Sites such as www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com and www.eset.com cannot be opened; the browser reports "Address not Found".
4. Antivirus database updates cannot be downloaded.
5. Many applications stop working, especially network applications that use ports 1024 through 10000.

This article describes what the virus does and how to remove it. Conficker is quite sophisticated: it can update itself and carries a payload aimed specifically at the antivirus tools that would otherwise remove it.
Norman Security Suite detects this new variant as W32/Conficker.DV, while other antivirus products detect it as Win32.Kido.CG (Kaspersky), W32.Downadup.B (Symantec), W32.Downadup.AL (F-Secure), W32.Conficker.B (Microsoft), W32.Conficker.A (CA, Sophos and McAfee), Worm_Downad.AD (Trend Micro) and W32/Conficker.C (Panda). (see picture 1)

Picture 1, Norman Security Suite detects as W32/Conficker.DV
Characteristics of the Virus File
The Conficker.DV file is compressed with UPX and is 162 KB in size. The file that arrives on the computer is disguised as an image (gif, jpeg, bmp, png); once active, it generally runs as a "dll" (dynamic link library).
The incoming file is first written to the Temporary Internet Files location:
- %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\[%random name%].[%gif,jpeg,bmp,png%]
- %Documents and Settings%\[%user%]\Local Settings\Temporary Internet Files\[%random name%].[%gif,jpeg,bmp,png%]
If that file is successfully executed, the virus copies itself to one of the following locations:
- %Documents and Settings%\[%user%]\Application Data\[% random name %].dll
- %Program Files%\Internet Explorer\[% random name %].dll
- %Program Files%\Movie Maker\[% random name %].dll
- %WINDOWS%\system32\[% random name %].dll
- %WINDOWS%\Temp\[% random name %].dll
This "dll" is loaded into svchost.exe (the Windows Server service) and from there spreads the virus further.
The virus may also write a file "[%random name%].tmp" to %WINDOWS%\system32 (for example 01.tmp or 06.tmp). Once this file has been used, the virus deletes it.

Symptoms / Effects of the Virus
Once W32/Conficker.DV has infected a computer, it causes the following symptoms / effects:
- Earlier variants killed the "Workstation", "Server" and "Windows Firewall / Internet Connection Sharing (ICS)" services. This variant instead tries to stop and disable the following services: (see picture 2)
•wscsvc : Security Center
•wuauserv : Automatic Updates
•BITS : Background Intelligent Transfer Service
•ERSvc : Error Reporting Service
•WerSvc : Windows Error Reporting Service (Vista, Server 2008)
•WinDefend : Windows Defender (Vista, Server 2008)


Picture 2, Conficker stops and disables several Windows services

- The virus blocks access to websites whose address contains any of the following strings (this is why the security sites listed above cannot be opened and antivirus updates fail):
cert.
sans.
bit9.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
- On Windows Vista / Server 2008 the virus changes a system setting with the command:
"netsh interface tcp set global autotuning=disabled"

This command disables Windows Auto-Tuning, a feature of Windows Vista and Server 2008 that improves network performance. More information: http://support.microsoft.com/kb/947239
- The virus tries to download and execute files disguised as images (bmp, gif, jpeg, png) into the Temporary Internet Files folder. It downloads from websites such as the following:
aaidhe.net
aamkn.cn
abivbwbea.info
aiiflkgcw.cc
alfglesj.info
amcfussyags.net
amzohx.ws
apaix.ws
argvss.info
arolseqnu.ws
asoidakm.cn
atnsoiuf.cc
avweqdcr.cn
axaxmhzndcq.cc
barhkuuu.com
bbuftxpskw.cc
bdykhlnhak.cc
bdzpfiu.biz
bijkyilaugs.cn
bjpmhuk.ws
bmmjbsjidmt.com
bzagbiwes.cc
carse.cn
cauksxf.biz
cfhlglxofyz.biz
cinsns.cc
ciynbjwm.com
cljivsb.biz
cpeadyepcis.biz
cqnxku.ws
ctmchiae.ws
cxjsy.net
czkdu.net
dbffky.cn
dgbdjsb.com
drpifjfxlyl.ws
dtosuhc.org
duahpzq.org
dwrtwgsm.cn
dyjomzyz.com
earuldx.cn
egqoab.net
egxbsppn.cn
ehkvku.cn
elivvks.net
emxmg.info
eobvidij.org
erwojl.org
evqvmwgw.cn
ewioygq.biz
exxkvcz.cc
ffaqk.info
fhlwov.net
fitjg.net
fkhbumne.info
fknacmvowib.cn
fmdsqasqm.net
fmgcjv.cn
fpljpuqp.info
fsrljjeemkr.info
fthil.cc
ftphtsfuv.net
gbgklrka.cc
gbmkghqcqy.net
gbxyu.ws
gezjwr.biz
gjbwolesl.info
glkzckadwu.biz
gmvhjp.ws
gsvrglz.cc
gutvjbektzq.com
gwtqx.cn
hbyzvpeadkb.net
hewdw.ws
hjcxnhtroh.cn
hltowx.com
hqjazhyd.com
hrmirvid.com
hudphigb.org
hvagbqmtxp.info
idvgqlr.ws
ihnvoeprql.biz
iidqkzselpr.com
ijthszjlb.com
iklzskqoz.cn
iqgnqt.org
iqrzamxo.ws
isjjlnv.org
iudqzypn.cn
iyfcmcaj.cn
jayrocykoj.ws
jffhkvhweds.cn
jfxcvnnawk.org
jgrftgunh.org
jguxjs.net
jhanljqti.cc
jhvlfdoiyn.biz
jjhajbfcdmk.net
jkisptknsov.biz
jknxcxyg.net
jlouqrgb.org
jpppffeywn.cc
jradvwa.biz
juqsiucfrmi.net
jvnzbsyhv.org
jxnyyjyo.net
kaonwzkc.info
kdcqtamjhdx.ws
kgeoaxznfms.biz
kihbccvqrz.net
kimonrvh.org
kjsxwpq.ws
kkrxwcjusgu.cn
knqwdcgow.ws
koaqe.cc
kodzhq.org
kqjvmbst.net
kufvkkdtpf.net
kxujboszjnz.ws
lagcrxz.cc
lawwb.com
lbdfwrbz.net
ljizrzxu.cc
lmswntmc.biz
lotvecu.com
lplsebah.cn
lxhmwparzc.ws
lyamwnhh.info
mciuomjrsmn.cn
mdntwxhj.cn
meqyeyggu.cc
mfigu.cn
mimdezm.biz
mkdsine.cn
mmtdsgwfa.net
mouvmlhz.cc
mozsj.biz
mpqzwlsx.ws
msvhmlcmkmh.biz
mtruba.ws
myrmifyuqo.biz
naucgxjtu.ws
ncwjlti.cn
nertthl.net
nnxqqmdl.info
nuxtzd.cn
nxvmztmryie.ws
nybxvgb.net
nzsrgzmhay.net
oadscrk.org
oezepyh.info
ojrswlg.net
olgjkxih.org
omqxqptc.ws
ooudifyw.cn
opkawiqb.cn
oqsfz.ws
orvfkx.cc
otoajxfn.net
oxeeuikd.net
oyezli.com
pfath.info
plsexbnytn.com
poplie.cc
psbdfflh.cn
qfmbqxom.ws
qjvtczqu.com
qpcizvlvio.biz
qslhoks.cn
qtcnfvf.biz
qtsnk.cn
qzktamrsgu.cn
rbhixtifxk.cc
rccoq.net
rgievita.ws
rlrbqpxv.org
rozhtnmoudg.cc
rpsctacalyd.cn
rrmkv.com
rtpuqxp.net
rtztoupc.net
satmxnz.ws
sbtalilx.com
sdjnaeoh.cc
sirkqq.org
sjkkfjcx.biz
sjkxyjqsx.net
stmsoxiguz.net
tdeghkjm.biz
tkhnvhmh.biz
tmdoxfcc.org
torhobdfzit.cc
trdfcxclp.org
tscmbj.net
tuwcuuuj.com
txeixqeh.biz
uazwqaxlpq.info
ubxxtnzdbij.com
ucnfehj.org
uekmqqedtfm.com
uhtmou.ws
uhveiguagm.biz
uoieg.ws
uttcx.net
uyhgoiwswn.cc
uyvtuutxm.cn
vfxifizf.info
vupnwmw.biz
vzqpqlpk.ws
waeqoxlrprp.org
wdrvyudhg.cc
wediscbpi.org
whgtdhqg.net
wkstxvzr.org
wmrgzac.info
wnwqphzao.info
wsajx.com
wskzbakqfvk.org
wtngipaynh.info
wumvjpbbmse.cc
wuzunxevor.info
wwftlwlvm.org
xcncp.info
xeeuat.com
xhazhbir.biz
xjnyfwt.org
xlrqvoqmsxz.info
xqgbn.cn
xwrrxwmo.cc
xxabrkhb.cc
xxmgkcw.cc
xxxxgvtaa.com
xzoycphicpk.com
ybbfrznr.info
ycceqdmm.cc
ydxnochqn.org
ygmwharv.info
ylnytttckyc.com
yuvudlsdop.cc
ywhaunsyez.cc
ywxdggnaaad.org
zindtsqq.ws
zkywmqx.com
zoosmv.info
zqekqyq.cn
zqked.org
zsatn.ws
ztgsd.info
ztioydng.com
zzczpujz.biz
- The virus checks for an internet connection and obtains the current date from the websites below; it only downloads files when the date is after January 1, 2009:
baidu.com
google.com
yahoo.com
msn.com
ask.com
w3.org
aol.com
cnn.com
ebay.com
msn.com
myspace.com
- The virus creates a firewall rule on the gateway that opens the local network to connections from outside, and obtains the external IP address of the infected computer so that it can be reached on a range of ports (1024 to 10000). See pictures 3 and 4.

Picture 3, Conficker opens access from outside by adding a rule to the Windows Firewall.

Picture 4, Conficker opens a random port in order to update itself from the internet.
- The virus creates a service with the following characteristics so that it runs automatically when Windows starts: (see picture 5)
Service name: "[%random name%].dll"
Path to executable: %System32%\svchost.exe -k netsvcs
The service display name and description are built from a combination of the following strings (usually two of them, for example "Security Windows"):
Boot, Center, Config, Driver, Helper, Image, Installer, Manager, Microsoft, Monitor, Network, Security, Server, Shell, Support, System, Task, Time, Universal, Update, Windows

Picture 5, the service created by the virus so that it runs automatically when Windows starts.
- The virus runs an HTTP server on a random port:
Http://%ExternalIPAddress%:%Random Port(1024-10000)%
To learn the external IP address of the infected computer, the virus connects to the following websites:
- http://www.getmyip.org
- http://www.whatsmyipaddress.com
- http://getmyip.co.uk
- http://checkip.dyndns.org
- The virus creates a Scheduled Task that runs the copied virus file with the command:
"rundll32.exe .[%random extension%], [%random]"
Distribution Method
Conficker.DV also uses distribution methods that differ from the preceding variants, including the following:
1) Network Shares (Brute Force Attack)
The virus tries to reach other computers through the Windows default administrative share (ADMIN$\system32) by guessing the administrator password. It uses a "dictionary" of the following passwords:
000
0000
00000
0000000
00000000
0987654321
111
1111
11111
111111
1111111
11111111
123
123123
12321
123321
1234
12345
123456
1234567
12345678
123456789
1234567890
1234abcd
1234qwer
123abc
123asd
123qwe
1q2w3e
222
2222
22222
222222
2222222
22222222
321
333
3333
33333
333333
3333333
33333333
4321
444
4444
44444
444444
4444444
44444444
54321
555
5555
55555
555555
5555555
55555555
654321
666
6666
66666
666666
6666666
66666666
7654321
777
7777
77777
777777
7777777
77777777
87654321
888
8888
88888
888888
8888888
88888888
987654321
999
9999
99999
999999
9999999
99999999
a1b2c3
aaa
aaaa
aaaaa
abc123
academia
access
account
Admin
admin
admin1
admin12
admin123
adminadmin
administrator
anything
asddsa
asdfgh
asdsa
asdzxc
backup
boss123
business
campus
changeme
cluster
codename
codeword
coffee
computer
controller
cookie
customer
database
default
desktop
domain
example
exchange
explorer
file
files
foo
foobar
foofoo
forever
freedom
fuck
games
home
home123
ihavenopass
Internet
internet
intranet
job
killer
letitbe
letmein
login
Login
lotus
love123
manager
market
money
monitor
mypass
mypassword
mypc123
nimda
nobody
nopass
nopassword
nothing
office
oracle
owner
pass
pass1
pass12
pass123
passwd
password
Password
password1
password12
password123
private
public
pw123
q1w2e3
qazwsx
qazwsxedc
qqq
qqqq
qqqqq
qwe123
qweasd
qweasdzxc
qweewq
qwerty
qwewq
root
root123
rootroot
sample
secret
secure
security
server
shadow
share
sql
student
super
superuser
supervisor
system
temp
temp123
temporary
temptemp
test
test123
testtest
unknown
web
windows
work
work123
xxx
xxxx
xxxxx
zxccxz
zxcvb
zxcvbn
zxcxz
zzz
zzzz
zzzzz
Note: If the domain enforces an account lockout policy, the virus's repeated login attempts will cause domain user accounts to be locked.
If it succeeds, the virus copies itself to the target under a random name:
\\[%IP or hostname%]\ADMIN$\system32\[%random name%].[%random extension%]

It then creates a Scheduled Task on the target that runs the copied file with the command:
rundll32.exe .[%random extension%], [%random%]
2) Removable Drives
Conficker.DV also copies itself to removable media such as USB devices (flash drives, external hard disks, card readers, etc.). The virus files are stored hidden in the root of the drive:
- Autorun.inf
- RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3) Exploitation of a Windows Security Hole
As with earlier variants, the virus tries to exploit MS08-067 (a security hole in the Windows Server service, hosted by SVCHOST.exe). Many users are infected because Automatic Updates is turned off and the MS08-067 patch has not been applied.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Registry Modifications
To run every time the computer starts, the virus creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe [%locate virus file%], %random name%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe [%locate virus file%], %random name%
In addition, the virus creates the following entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
dl = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
ds = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
dl = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
ds = 0
The virus disables several services by setting the following values:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start = 4
It also creates a new service with the following entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[%Random Name%]
DisplayName = [%Combined 2 String%]
Type = 32
Start = 2
ErrorControl = 0
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Description = [%Random Description%]
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[%Random Name%]\Parameters
ServiceDll = [%virus location%]
To spread quickly over the network, the virus sets:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = 0x00FFFFFE
Finally, to hide its files the virus sets:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
SuperHidden = 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
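The registry changes above (the services set to Start=4, the fake netsvcs service with its ServiceDll, the Applets dl/ds markers, TcpNumConnections, the rundll32 entries under Run) and the rundll32 Scheduled Task described under "Symptoms" are all visible in a registry export and the task list, so they can be hunted for offline. The following Python script is an added example, not part of this article and not a Vaksincom tool: it parses a .reg export plus scheduled-task command lines and reports each indicator it finds. The export and task command lines embedded in it are constructed for the demonstration, and the KNOWN_NETSVCS allowlist is an assumption: the display name of the legitimate W32Time service, "Windows Time", is built from the same words the worm uses, so a display-name check on its own is not enough.

```python
"""Offline hunt for the W32/Conficker.DV artefacts listed in this article (added
example, not from the article or any Vaksincom tool). Input is the text of a
registry export plus scheduled-task command lines; the sample data at the bottom
is CONSTRUCTED for the demonstration, the indicators themselves come from the article."""
import re

# Words the worm combines, two at a time, into its service DisplayName.
SERVICE_WORDS = {"boot", "center", "config", "driver", "helper", "image", "installer",
                 "manager", "microsoft", "monitor", "network", "security", "server",
                 "shell", "support", "system", "task", "time", "universal", "update", "windows"}
KILLED_SERVICES = {"wscsvc", "wuauserv", "bits", "ersvc", "wersvc", "windefend"}  # set to Start=4
DROP_DIRS = ("\\application data\\", "\\internet explorer\\", "\\movie maker\\", "\\windows\\temp\\")
# ASSUMED, partial allowlist: legitimate netsvcs members whose DisplayName is also two
# words from SERVICE_WORDS (W32Time = "Windows Time"), so the name check alone is not enough.
KNOWN_NETSVCS = {"w32time"}


def _decode(data):
    """Decode one .reg value: dword:, hex(2): (UTF-16LE REG_EXPAND_SZ) or "string"."""
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    if data.startswith("hex(2):"):
        return bytes.fromhex(data[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: decoded data}}, joining the
    trailing-backslash continuation lines regedit writes for long hex data."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current]["(default)" if name == "@" else name.strip('"')] = _decode(data)
    return keys


def hunt(keys, task_cmdlines):
    """Return one finding per Conficker.DV indicator present in the data."""
    found, svc_re = [], re.compile(r"\\services\\([^\\]+)$", re.I)
    for key, vals in keys.items():
        low, m = key.lower(), svc_re.search(key)
        if m:
            name = m.group(1)
            if name.lower() in KILLED_SERVICES and vals.get("Start") == "4":
                found.append(f"service {name} disabled (Start=4)")
            if ("svchost.exe -k netsvcs" in vals.get("ImagePath", "").lower()
                    and name.lower() not in KNOWN_NETSVCS):
                dll = keys.get(key + "\\Parameters", {}).get("ServiceDll", "")
                words = vals.get("DisplayName", "").lower().split()
                why = []
                if any(d in dll.lower() for d in DROP_DIRS):
                    why.append("ServiceDll in a drop directory")
                if dll and not dll.lower().endswith(".dll"):
                    why.append("ServiceDll has a random, non-.dll extension")
                if len(words) == 2 and set(words) <= SERVICE_WORDS:
                    why.append("DisplayName built from the worm's word list")
                if why:
                    found.append(f"suspicious netsvcs service {name} ({dll}): " + "; ".join(why))
        if low.endswith("\\currentversion\\applets") and ("dl" in vals or "ds" in vals):
            found.append(f"Applets dl/ds marker under {key}")
        if low.endswith("\\tcpip\\parameters") and vals.get("TcpNumConnections") == str(0x00FFFFFE):
            found.append("TcpNumConnections raised to 0x00FFFFFE")
        if low.endswith("\\currentversion\\run"):
            found += [f"rundll32 autorun '{n}' = {d}" for n, d in vals.items() if "rundll32" in d.lower()]
    for cmd in task_cmdlines:  # the worm's task: rundll32 on a file with a random, non-.dll extension
        m = re.search(r"rundll32(?:\.exe)?\s+(\S+?)\s*,", cmd, re.I)
        if m and not m.group(1).lower().endswith(".dll"):
            found.append(f"scheduled task runs rundll32 on {m.group(1)}")
    return found


def _reg_hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ data (hex(2): UTF-16LE)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


_IMAGE = _reg_hex2(r"%SystemRoot%\system32\svchost.exe -k netsvcs")
SAMPLE_REG = "\n".join([  # constructed export: one worm service, one benign (W32Time), plus markers
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]", '"Start"=dword:00000004', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqxvbn]", '"DisplayName"="Security Windows"',
    '"ImagePath"=' + _IMAGE[:31] + "\\", "  " + _IMAGE[31:], "",  # wrapped the way regedit writes it
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqxvbn\Parameters]",
    r'"ServiceDll"="C:\\Program Files\\Movie Maker\\qpzmw.dll"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]",
    '"DisplayName"="Windows Time"', '"ImagePath"=' + _IMAGE, "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]",
    '"TcpNumConnections"=dword:00fffffe', "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets]", '"dl"=dword:00000000', "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"qtmzx"="rundll32.exe C:\\WINDOWS\\Temp\\qtmzx.dll,qtmzx"',
])
SAMPLE_TASKS = [r"rundll32.exe C:\WINDOWS\system32\hbtwq.kzl,ebsa",            # constructed, worm style
                r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL"]  # constructed, benign

if __name__ == "__main__":
    print("\n".join(hunt(parse_reg(SAMPLE_REG), SAMPLE_TASKS)))
```

On a real machine the input comes from regedit "Export" (or reg.exe export) of HKLM\SYSTEM, HKLM\SOFTWARE and HKCU\Software, and from the jobs in C:\WINDOWS\Tasks. The drop-directory and word-list checks are indicators to review rather than proof: the worm also drops its DLL under %WINDOWS%\system32 with a random name, where only the display-name heuristic and a look at the file itself will catch it, and a disabled BITS or wuauserv can have an innocent explanation on a machine an administrator has locked down.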

Cleaning the Virus
1. Disconnect the computer to be cleaned from the network / internet.
2. Turn off System Restore (Windows XP / Vista).
3. Stop the active virus service. Use the removal tool from Norman to clean the active virus. (see picture 6)
http://download.norman.no/public/Norman_Malware_Cleaner.exe

Picture 6, Use Norman Malware Cleaner to clean the active virus

4. Delete the fake svchost.exe service from the registry. You can search for it manually in the registry. (see picture 7)

Picture 7, Delete the fake svchost.exe service
5. Delete the Scheduled Task created by the virus (C:\WINDOWS\Tasks).
6. Remove the registry entries created by the virus. You can use the following registry script:
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the Explorer "show hidden files" settings and re-enable the
; services the virus set to Start=4 (2 = Automatic).
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00000001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00000001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00000001,1
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00000002,2
; On Vista / Server 2008 also restore WerSvc and WinDefend (Start = 2); they are
; left out here so that the script does not create those service keys on XP.

; Remove the markers the virus added.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections
Paste the script into Notepad and save it as "repair.inf" (set "Save as type" to "All Files" so that Notepad does not append .txt).
Right-click repair.inf and select Install.
Note: the startup entry has a random name, so it is not covered by the script. Disable it through "msconfig" or delete the value manually from:
"HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run"