100% Bicara Teknikal Komputer Teknologi Dulu & Kini

| Soal-Jawab iT | www.mycetc.blogspot.com |

< Bicara Teknikal \ Masalah Perisian \ Perkakasan \ Teknologi Dulu & Kini \ Sejarah >

Info Terbaru ICT






Pada 19 Disember 2012, salah sebuah komputer di pejabat saya telah dijangkiti virus. Simtom awal yang berlaku pada PC ini seperti berikut : 

i - Laman web tidak boleh dibuka menggunakan Firefox.
ii - Firefox tidak boleh digunakan walaupun telah di install ke versi baru.
iii - Semua fail yang mempunyai extension fail ( .exe ) secara otomatik akan terpadam.
iv -  PC sangat slow, kadangkala stuck.
v - Rangkaian internet kerap loss connection. 
vi - Segala fail.exe Installer dalam Pendrive akan terpadam.
vii - Windows XP tidak boleh log-in ke Desktop. 

# Virus ini berpunca dari emel dan attachment atau zip fail

# Menyalin dirinya dengan nama sama pada fail atau folder kepada .exe ( copy itself ) contoh nama; Gambar baru perpustakaan ditukarkan kepada Gambar baru perpustakaan.exe....tetapi .exe tidak dapat dilihat...

# Sekali sahaja fail ini di klik, seluruh sistem akan lumpuh dan Windows tidak boleh log-in !!!


 VIRUS 1 ( runouce.exe )

Name : Email-Worm:W32/Runouce
Detection Names :Win32.Runouce.B@mm
Win32/Chir
Email-Worm.Win32.Runouce
Aliases :W32.Chir.B@mm (Symantec)
Category:Malware
Type:Email-Worm
Platform:W32 

 
 
Summary
A worm that spreads via e-mail, usually in infected executable e-mail file attachments.
Email-Worm:W32/Runouce is distributed in infectious executable e-mail attachments.


Installation

 When run it copies itself to the System Directory as Runouce.exe and modifies Windows Registry so that the copy in the direcorty is run each time Windows starts.


Propagation

 Searches for HTML files in the users' hard drive and modifies them to launch the file README.EML, created in the same directory where the HTML is found.

To propagate itself, Runouce creates e-mail messages with the following format:
        -Subject: [text, followed by "is comming!"]
        -From: [The sender address pretends to be one from yahoo.com]

The worm spreads itself as an attachment named pp.exe with MIME type audio/x-wav.

 It uses a static server to send messages through its own SMTP engine.


Detection

 Detection in F-Secure Anti-Virus was published on July 31st, 2002:

Source : http://www.f-secure.com/v-descs/runouce.shtml





VIRUS 2 ( nimda.exe )
   
Name :     Net-Worm:W32/Nimda
Detection Names :     W32/Nimda@mm W32/Nimda.A@mm
Category:    Malware
Type:    Net-Worm
Platform:    W32


Summary
A type of worm that replicates by sending complete, independent copies of itself over a network.


Disinfection

Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.

Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.

Manual Disinfection

Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

        MMC.EXE (in Windows directory)
        LOAD.EXE (in Windows' system directory)
        ADMIN.DLL (in root folder of all local hard drives)
       RICHED20.DLL (in all folders on all local hard drives)     
         


ABOUT INFECTED WEB SITES

A web site can get infected in two ways:

    Infected htmls are copied the secure site. This can happen even if you're using a patched version of IIS or something else entirely (such as Apache or Netscape). If there are infected computers in your organization, their local html files get infected. Users might then later copy or upload such infected pages to your www server. Alternatively, if your www files are accessible via file sharing the worm might infect them directly from a workstation. To clean your site, locate all html pages which refer to "README.EML" and remove the extra Javascript code from the end of the pages.
    Direct web worm infection. If your web site is running an unsafe version of IIS, the worm can infect your site by accessing it through http. After this it will restart spreading from your server. In this case, it is not enough to just clean the virus - your web server is unsafe and has been so for a while. It's likely there have been previous illegimate accesses to your site as well and it should be considered compromised. We recommend rebuilding the web server and applying latest patches before restoring clean copies of the html pages.


The first variant in the Net-Worm:W32/Nimda family was found on September 18th, 2001, and quickly spread around the world.

Nimda is a complex virus with a mass mailing worm component which spreads itself in e-mail attachments named README.EXE.It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users.

Nimda also uses the Unicode exploit to infect IIS web servers. This hole can be closed with a Microsoft patch, downloadable from: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. The MIME exploit used by the worm can be fixed with this patch: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Nimda is the first worm to modify existing web sites to start offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls - something worms such as Code Red couldn't directly do.
 http://www.f-secure.com/v-descs/nimda.shtml

 SOURCE : http://www.europe.f-secure.com/v-descs/bady.htm



 




 VIRUS 3 (virut.exe )
   
Name :     Virus:W32/Virut
Detection Names :     Virus.Win32.Virut
Win32.Virtob
Category:    Malware
Type:    Virus
Type:    Backdoor
Platform:    W32


Summary
A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.
Disinfection


Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Additional Details
This is the Virus:W32/Virut family description.

Variants in the Virut family are polymorphic, memory-resident, appending file infectors that have Entry Point Obscuring (EPO) capabilities.

Viruses belonging to this family infect files with .EXE and .SCR extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

Some Virut variants contain the following text strings:

    " O noon of life! O time to celebrate!
    O summer garden!
    Relentlessly happy and expectant, standing: -
    Watching all day and night, for friends I wait:
    Where are you, friends? Come! It is time! It's late! "



Entry Point Obscuring

Virut is a polymorphic appending file infector with EPO (Entry Point Obscuring) capabilities. The virus uses several infection methods:

Method 1:
The virus relocates a certain amount of bytes from the entry point of the original file and writes its initial decryptor there. So when an infected file is run, the virus code gets control first. The initial decryptor then decrypts a small part of the virus's body that is appended to the end of the infected file and passes control to it.

Method 2:
The virus appends its code to the end of the file and changes the entry point address of the original program so it points to the start of the appended viral code, where the decryptor is located. This is the most common way of infecting files for appending parasitic infectors.

Method 3:

The virus writes its initial code into a gap (empty space) in the end of the original file's code section and redirects the entry point address to that code. The initial code decrypts a small part of the virus body and passes control to it. Then the main decryptor takes control and decrypts the rest of the virus body.

Once the file is infected, the virus patches the first found API call (from the entry point address) in the original program so that instead of the API, it calls the initial virus decryptor. That decryptor may be located in the end of the code section as said above.


Activity


The virus checks whether or not it is already active. If it is, then depending on the infection method used, the virus does one of the following:

     Relocates the original file's data back to its place and passes control to it
    Returns control to the original file's entry point address
    Calls the replaced API itself and then passes control to the original program.


If the virus is not yet active, the second decryptor decrypts the rest of the virus body and initiates installation cycle.

During the installation cycle, the virus injects its code into a system process, hooks a few low-level Windows API calls and stays resident in memory. When a file with .EXE or .SCR extension is opened or run, the virus tries to infect it with one of its four methods.


SOURCE :http://www.f-secure.com/v-descs/virus_w32_virut.shtml




2 comments:

  1. En.Shah, cmner tips/langkah trbaik utk mengatasi virus trsebut & kalau dh diserang apa prlu dibuat?
    T.Kasih

    ReplyDelete
  2. pastikan sentiasa update antivirus...
    sentiasa alert dengan popup message dari antivirus..
    terus scan fail selepas dimuaturun...
    delete fail yang dicurigai..

    ReplyDelete



Sila komen, soal atau pendapat. Gunakan Anonymous jika tiada akaun google!

- Hakcipta Terpelihara Mycetc | Dikuasakan oleh Pemproses AMD FX 8cores | 2008 - 2019 -