Pikir. Bukan hanya worm Stuxnet yang memiliki “sepupu” yaitu worm Duqu, namun malware yang beberapa waktu yang lalu pernah dibahas juga memilikinya. Bisa dikatakan Angel2 adalah “sepupu” dari worm Pikir dengan pola hasil penyerangan yang sama. Salah satu perbedaannya adalah pada CompanyName di resource version info-nya yang bertuliskan “Surabaya”.
A. Info File
Nama Worm : Pikir
Asal : Bogor
Ukuran File : 340 KB (348,160 bytes)
Packer : ~
Pemrograman : Microsoft Visual Basic 5.0 -6.x
Icon : Malware Icon
Tipe : Worm
B. About Malware
Sama seperti worm Angel2 yang membuat banyak file duplikat dengan nama yang sama seperti folder aslinya, payload yang juga akan mengakibatkan komputer akan terasa semakin lambat dalam memproses data.
Berikut ini adalah string hasil dump statis dari file worm Pikir yang menunjukkan kunci registry apa saja yang diubah dan payload apa saja yang dibuat. Perlu dicatat bahwa daftar ini berasal dari string yang terlihat di dalam file, bukan dari hasil eksekusi, sehingga nilai yang ditulis ke tiap kunci tidak seluruhnya terlihat di sini.
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
C. Companion/File yang dibuat
0000000001B0 0000004001B0 0 .text
0000000001D8 0000004001D8 0 .data
000000000200 000000400200 0 .rsrc
000000000228 000000400228 0 .sdata
000000000260 000000400260 0 MSVBVM60.DLL
00000000101E 00000040101E 0 RsNbQs
00000000102D 00000040102D 0 hQs'TDs
000000001036 000000401036 0 Rs$sOs
000000001041 000000401041 0 bQs,EDs
00000000107E 00000040107E 0 Qs|gOs[NDs
00000000108D 00000040108D 0 fQsNcQsG
0000000010A2 0000004010A2 0 Ps|iPsibPs
0000000010C9 0000004010C9 0 cQs=]Qs>
0000000010E6 0000004010E6 0 CsSHDsE
000000001518 000000401518 0 Project1
000000001590 000000401590 0 Form1
00000000159A 00000040159A 0 Form1
000000001651 000000401651 0 wwwwwwwwwwp
0000000016D2 0000004016D2 0 ;{{{{{{0
000000001792 000000401792 0 ;33;33;0
000000001931 000000401931 0 wwwww
0000000019EB 0000004019EB 0 Form1
000000001ADC 000000401ADC 0 Project1
000000001AE5 000000401AE5 0 Project1
000000001AEF 000000401AEF 0 Project1
000000001F80 000000401F80 0 Project1
000000001F8C 000000401F8C 0 Form1
000000001FD1 000000401FD1 0 *=8:O
000000001FFC 000000401FFC 0 C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
000000002064 000000402064 0 kernel32
000000002074 000000402074 0 AmbilDirektoriWindowA
0000000020C0 0000004020C0 0 InfeksiFolder
000000002B5C 000000402B5C 0 __vbaForEachVar
000000002CC0 000000402CC0 0 __vbaVarLateMemCallLd
000000002CD8 000000402CD8 0 __vbaVarZero
000000002E74 000000402E74 0 __vbaStrVarVal
000000002FE8 000000402FE8 0 VBA6.DLL
000000002FF4 000000402FF4 0 __vbaAryUnlock
000000003004 000000403004 0 __vbaNextEachVar
000000003018 000000403018 0 __vbaNextEachCollAd
00000000302C 00000040302C 0 __vbaVarAdd
000000003038 000000403038 0 __vbaStrCompVar
000000003048 000000403048 0 __vbaBoolVarNull
00000000305C 00000040305C 0 __vbaVarTstNe
00000000306C 00000040306C 0 __vbaVarTstEq
00000000307C 00000040307C 0 __vbaVarMove
00000000308C 00000040308C 0 __vbaForEachCollAd
0000000030A0 0000004030A0 0 __vbaLateMemCallLd
0000000030B4 0000004030B4 0 __vbaStrCopy
0000000030C4 0000004030C4 0 __vbaLateMemCall
0000000030D8 0000004030D8 0 __vbaFreeObjList
0000000030EC 0000004030EC 0 __vbaStrToAnsi
0000000030FC 0000004030FC 0 __vbaFreeStrList
000000003110 000000403110 0 __vbaStrCat
00000000311C 00000040311C 0 __vbaFreeStr
00000000312C 00000040312C 0 __vbaStrToUnicode
000000003140 000000403140 0 __vbaSetSystemError
000000003154 000000403154 0 __vbaLenBstr
000000003164 000000403164 0 __vbaFreeVarList
000000003178 000000403178 0 __vbaStrVarMove
000000003188 000000403188 0 __vbaStrMove
000000003198 000000403198 0 __vbaFreeVar
0000000031A8 0000004031A8 0 __vbaObjVar
0000000031B4 0000004031B4 0 __vbaObjSetAddref
0000000031C8 0000004031C8 0 __vbaVarSetVar
0000000031D8 0000004031D8 0 __vbaEnd
0000000031E4 0000004031E4 0 __vbaFreeObj
0000000031F8 0000004031F8 0 __vbaNew2
00000000320C 00000040320C 0 __vbaHresultCheckObj
000000003224 000000403224 0 __vbaOnError
000000003495 000000403495 0 }#j|h
0000000035EA 0000004035EA 0 }#jhh
00000000382B 00000040382B 0 }#jPh
000000003919 000000403919 0 }#jXh
00000000394B 00000040394B 0 Qh|!@
00000000397D 00000040397D 0 Rh|!@
000000003A26 000000403A26 0 Qh|!@
000000003A3D 000000403A3D 0 PhH"@
000000003B15 000000403B15 0 Qh|!@
000000003B2C 000000403B2C 0 PhH"@
0000000043B2 0000004043B2 0 PQh|!@
000000004707 000000404707 0 }#jPh
0000000047F5 0000004047F5 0 }#jXh
0000000048DD 0000004048DD 0 Qh|!@
000000004A3E 000000404A3E 0 }#jPh
000000004B2C 000000404B2C 0 }#jXh
000000004C14 000000404C14 0 Ph|!@
000000004D75 000000404D75 0 }#jPh
000000004E63 000000404E63 0 }#jXh
000000004F4B 000000404F4B 0 Rh|!@
0000000050AC 0000004050AC 0 }#jPh
00000000519A 00000040519A 0 }#jXh
000000005282 000000405282 0 Qh|!@
000000005D29 000000405D29 0
0000000060B4 0000004060B4 0 }#jPh
0000000061A2 0000004061A2 0 }#jXh
000000006244 000000406244 0 Qh|!@
0000000065CC 0000004065CC 0 MSVBVM60.DLL
0000000065DC 0000004065DC 0 _CIcos
0000000065E6 0000004065E6 0 _adj_fptan
0000000065F4 0000004065F4 0 __vbaVarMove
000000006604 000000406604 0 __vbaFreeVar
000000006614 000000406614 0 __vbaStrVarMove
000000006626 000000406626 0 __vbaLenBstr
000000006636 000000406636 0 __vbaEnd
000000006642 000000406642 0 __vbaFreeVarList
000000006656 000000406656 0 _adj_fdiv_m64
000000006666 000000406666 0 __vbaNextEachVar
00000000667A 00000040667A 0 __vbaFreeObjList
00000000668E 00000040668E 0 _adj_fprem1
00000000669C 00000040669C 0 __vbaStrCat
0000000066AA 0000004066AA 0 __vbaForEachCollAd
0000000066C0 0000004066C0 0 __vbaSetSystemError
0000000066D6 0000004066D6 0 __vbaHresultCheckObj
0000000066EE 0000004066EE 0 _adj_fdiv_m32
0000000066FE 0000004066FE 0 __vbaOnError
00000000670E 00000040670E 0 _adj_fdiv_m16i
000000006720 000000406720 0 __vbaObjSetAddref
000000006734 000000406734 0 _adj_fdivr_m16i
000000006746 000000406746 0 __vbaBoolVarNull
00000000675A 00000040675A 0 _CIsin
000000006764 000000406764 0 __vbaVarZero
000000006774 000000406774 0 __vbaChkstk
000000006782 000000406782 0 EVENT_SINK_AddRef
000000006796 000000406796 0 __vbaVarTstEq
0000000067A6 0000004067A6 0 __vbaObjVar
0000000067B4 0000004067B4 0 DllFunctionCall
0000000067C6 0000004067C6 0 _adj_fpatan
0000000067D4 0000004067D4 0 EVENT_SINK_Release
0000000067EA 0000004067EA 0 _CIsqrt
0000000067F4 0000004067F4 0 EVENT_SINK_QueryInterface
000000006810 000000406810 0 __vbaExceptHandler
000000006826 000000406826 0 __vbaStrToUnicode
00000000683A 00000040683A 0 _adj_fprem
000000006848 000000406848 0 _adj_fdivr_m64
00000000685A 00000040685A 0 __vbaFPException
00000000686E 00000040686E 0 __vbaStrCompVar
000000006880 000000406880 0 __vbaStrVarVal
000000006892 000000406892 0 _CIlog
00000000689C 00000040689C 0 __vbaNew2
0000000068A8 0000004068A8 0 _adj_fdiv_m32i
0000000068BA 0000004068BA 0 _adj_fdivr_m32i
0000000068CC 0000004068CC 0 __vbaStrCopy
0000000068DC 0000004068DC 0 __vbaFreeStrList
0000000068F0 0000004068F0 0 _adj_fdivr_m32
000000006902 000000406902 0 _adj_fdiv_r
000000006910 000000406910 0 __vbaVarTstNe
000000006920 000000406920 0 __vbaVarSetVar
000000006932 000000406932 0 __vbaLateMemCall
000000006946 000000406946 0 __vbaVarAdd
000000006954 000000406954 0 __vbaStrToAnsi
000000006966 000000406966 0 __vbaVarLateMemCallLd
00000000697E 00000040697E 0 __vbaLateMemCallLd
000000006994 000000406994 0 _CIatan
00000000699E 00000040699E 0 __vbaStrMove
0000000069AE 0000004069AE 0 __vbaForEachVar
0000000069C0 0000004069C0 0 _allmul
0000000069CA 0000004069CA 0 _CItan
0000000069D4 0000004069D4 0 __vbaNextEachCollAd
0000000069EA 0000004069EA 0 __vbaAryUnlock
0000000069FC 0000004069FC 0 _CIexp
000000006A06 000000406A06 0 __vbaFreeObj
000000006A16 000000406A16 0 __vbaFreeStr
0000000083CD 0000004083CD 0 wwwww
0000000084FD 0000004084FD 0 wwwwwwwwwwp
00000000857E 00000040857E 0 ;{{{{{{0
00000000863E 00000040863E 0 ;33;33;0
0000000130CC 0000004130CC 0 -o~bQ
0000000130D5 0000004130D5 0 (ca'A
00000001326C 00000041326C 0 PhG8p
0000000138CC 0000004138CC 0 =OG#0
000000013A84 000000413A84 0 =~!STQ
00000001408B 00000041408B 0 OC6sy
0000000140A2 0000004140A2 0 :6ep$
0000000140BC 0000004140BC 0 xaxDW
000000001CC3 000000401CC3 0 @*\AProject1
000000002120 000000402120 0 WScript.Shell
000000002140 000000402140 0 Scripting.FileSystemObject
000000002194 000000402194 0 window.exe
0000000021B0 0000004021B0 0 HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
000000002238 000000402238 0 gpmce
000000002248 000000402248 0 pikirrr
000000002258 000000402258 0 regwrite
000000002270 000000402270 0 Favorites
000000002288 000000402288 0 Fonts.exe
0000000022A4 0000004022A4 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
000000002328 000000402328 0 drives
000000002338 000000402338 0 DriveType
00000000234C 00000040234C 0 IsReady
00000000235C 00000040235C 0 AvailableSpace
000000002384 000000402384 0 DriveLetter
0000000023A8 0000004023A8 0 GetFolder
0000000023BC 0000004023BC 0 subfolders
0000000023F0 0000004023F0 0 MyDocuments
000000002408 000000402408 0 SpecialFolders
00000000242C 00000040242C 0 MyDocuments.exe
000000002450 000000402450 0 Recent
000000002464 000000402464 0 Recycle Bin.exe
000000002488 000000402488 0 startup
00000000249C 00000040249C 0 pikirrr.exe
0000000024B8 0000004024B8 0 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page
00000000254C 00000040254C 0 www.google.com
000000002570 000000402570 0 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\search page
000000002604 000000402604 0 www.yahoo.com
000000002624 000000402624 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoFolderOptions
0000000026E4 0000004026E4 0 REG_DWORD
0000000026FC 0000004026FC 0 HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString
0000000027A0 0000004027A0 0 @%SystemRoot%\system32\SHELL32.dll,-8964
0000000027F8 0000004027F8 0 HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString
00000000289C 00000040289C 0 @%SystemRoot%\system32\shell32.dll,-9216
0000000028F4 0000004028F4 0 HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon\
000000002990 000000402990 0 %SystemRoot%\System32\shell32.dll,31
0000000029E0 0000004029E0 0 HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\
000000002A7C 000000402A7C 0 %SystemRoot%\Explorer.exe,0
000000002AB8 000000402AB8 0 HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\empty
000000002B70 000000402B70 0 HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\full
000000002C14 000000402C14 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
000000002CF0 000000402CF0 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache
000000002DBC 000000402DBC 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
000000002E88 000000402E88 0 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
000000002F50 000000402F50 0 HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\disableCMD
000000008126 000000408126 0 VS_VERSION_INFO
000000008182 000000408182 0 VarFileInfo
0000000081A2 0000004081A2 0 Translation
0000000081C6 0000004081C6 0 StringFileInfo
0000000081EA 0000004081EA 0 040904B0
000000008202 000000408202 0 CompanyName
00000000821C 00000040821C 0 Surabaya
000000008236 000000408236 0 ProductName
000000008250 000000408250 0 Project1
00000000826A 00000040826A 0 FileVersion
000000008296 000000408296 0 ProductVersion
0000000082C6 0000004082C6 0 InternalName
0000000082E0 0000004082E0 0 Project1
0000000082FA 0000004082FA 0 OriginalFilename
00000000831C 00000040831C 0 Project1.exe
Worm pikir akan membuat file dengan nama folder di mana dia berada. Khusus untuk removable disk, dia membuat file dengan nama window.exe dan pikirrr.exe serta pada folder My Documents akan terdapat 2 buah file dengan nama MyDocuments.exe dan My Documents.exe.
D. Hasil Infeksi
Pada folder Startup terdapat 2 buah file (host) dengan nama startup, hal ini terjadi karena payload worm Pikir membuat file dengan nama folder tempat worm itu berada. Ditambah lagi dengan host bernama Pikirrr.exe yang membuat proses saat startup menjadi semakin lambat. Registry yang dimodifikasi terlihat jelas pada dump string worm Pikir di atas: selain Folder Options dan Command Prompt, Task Manager dan Registry Editor juga di-disable (DisableTaskMgr, DisableRegistryTools), dan kunci Run di HKCU maupun HKLM dipakai sebagai autostart worm.
E. Pembersihan
Cara Manual:
1. Download aplikasi pengganti Task Manager seperti Process Explorer atau Process Hacker. Unduh dari situs resminya, sebaiknya dari komputer lain yang bersih, karena Task Manager pada komputer yang terinfeksi sudah di-disable oleh worm.
2. Contoh berikut ini adalah menggunakan aplikasi Process Hacker yang berfungsi untuk menghentikan proses worm. Lakukan seperti gambar di bawah ini.
3. Gunakan Search pada Explorer untuk mencari seluruh file dengan pengaturan search seperti gambar di bawah ini (pastikan file tersembunyi dan file sistem ikut dicari), kemudian hapus file worm Pikir yang sudah ditemukan.
4. Untuk memperbaiki registry yang dimodifikasi oleh worm Pikir, salin source code di bawah ini ke Notepad, kemudian simpan dengan nama Repair.vbs (harus menggunakan ekstensi .vbs). Jalankan file Repair.vbs tersebut dengan hak Administrator, karena script ini menulis ke HKEY_LOCAL_MACHINE dan HKEY_CLASSES_ROOT, dan lakukan setelah proses worm dihentikan pada langkah 2 agar worm tidak menulis ulang registry tersebut.
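' Repair.vbs - undo the registry changes made by worm Pikir.
'
' Run this AFTER the worm process has been killed and its dropped files
' removed; a still-running worm can simply rewrite these keys. Run it with
' administrative rights: the HKLM\...\Run value and the HKEY_CLASSES_ROOT
' CLSID keys below are not writable by a standard user.
'
' Errors are ignored so that a value the worm never created (RegDelete on a
' missing value raises an error) does not stop the remaining repairs.
On Error Resume Next

Dim Repair_Pikir
Set Repair_Pikir = CreateObject("WScript.Shell")

' --- Remove policy restrictions and the worm's autostart entries ---
' Only the individual values are deleted, never a whole key, so legitimate
' policies stored next to them are left intact.
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
' The worm's string dump shows it writes the value "disableCMD" under this key
' (value names are case-insensitive). The earlier version of this script
' deleted the entire ...\Windows\System key here, which also wiped any
' unrelated policy values; delete just that one value instead.
Repair_Pikir.RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD"
' Autostart value "gpmce" seen in the dump for both the HKCU and HKLM Run keys.
Repair_Pikir.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gpmce"
Repair_Pikir.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpmce"

' --- Restore the swapped My Computer / Recycle Bin shell entries ---
' {20D04FE0-...} is My Computer, {645FF040-...} is Recycle Bin. The dump shows
' the worm swapping their LocalizedString and DefaultIcon values; the values
' written here are the stock Windows XP ones. They contain %SystemRoot%, so
' they are written as REG_EXPAND_SZ (the type Windows itself uses for them)
' rather than as plain REG_SZ, which would leave the variable unexpanded.
' The InfoTip values do not appear in the worm's dump; they are kept from the
' original script as a harmless restore of the stock value.
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString", "@%SystemRoot%\system32\shell32.dll,-9216", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InfoTip", "@%SystemRoot%\system32\shell32.dll,-22913", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon\", "%SystemRoot%\Explorer.exe,0", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString", "@%SystemRoot%\system32\shell32.dll,-8964", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InfoTip", "@%SystemRoot%\system32\shell32.dll,-22915", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\", "%SystemRoot%\system32\shell32.dll,31", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty", "%SystemRoot%\system32\shell32.dll,31", "REG_EXPAND_SZ"
Repair_Pikir.Regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full", "%SystemRoot%\system32\shell32.dll,32", "REG_EXPAND_SZ"

' --- Explorer view settings touched by the worm ---
' Hidden = 2 is the Windows default ("Do not show hidden files and folders");
' set it to 1 instead if you still need to see hidden files while cleaning.
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "2", "REG_DWORD"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache", "0", "REG_DWORD"

' --- Internet Explorer start/search pages hijacked by the worm ---
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Repair_Pikir.Regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "about:blank"

' The original script called "MgsBox" (typo); under On Error Resume Next that
' error was silently swallowed, so the completion message never appeared.
' 64 = vbInformation.
MsgBox "Done...", 64, "Reg Repair for Worm Pikir"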