- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NoFolderOptions = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avscan.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWinPortable.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViRemoval.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winamp.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winrar.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winzip.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antv-md5-pattern.exe
  - Debugger = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  - CheckedValue = 2
  - DefaultValue = 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  - CheckedValue = 1
  - DefaultValue = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NoClose
  - NoFind
  - NoFolderOptions
  - NoRun
  - NoTrayContextMenu
  - NoViewContextMenu
  - NoWinKeys
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableRegistryTools
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  - DisableCMD
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  - DisableMSI
  - NoClose
  - NoFolderOptions
  - NoViewContextMenu
  - NoWinKeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command
  - Default = cmd.exe /c del "%1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
  - NeverShowExt [hides the .exe extension]
- HKEY_CLASSES_ROOT\exefile
  - NeverShowExt [hides the .exe extension]
To disguise the file type, it creates the following registry strings:
- HKCR\exefile
  - (default) = icon
  - NeverShowExt =
- HKLM\SOFTWARE\Classes\exefile
  - (default) = icon
  - NeverShowExt =
As noted, this virus does not block Windows functions such as Folder Options outright; instead it tries to alter the Folder Options settings themselves. To do so it creates the following registry strings (see figure 4):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - ShowSuperHidden = 0
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  - CheckedValue = 1
  - DefaultValue = 1
To support this, it creates registry strings at:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - def = C:\WINDOWS\Temp\Vel.exe
  - SysRestore = c:\windows\system32\restoration.msd
- HKCU\Control Panel\Desktop
  - SCRNSAVE.exe = C:\WINDOWS\Temp\%fileduplikat%.exe
Active in Safe Mode and Safe Mode with Command Prompt
Besides running in "normal" mode, this virus is also active in "safe mode" and "safe mode with command prompt". To achieve this it creates the following registry strings:
- HKLM\SYSTEM\ControlSet001\Control\SafeBoot
  - AlternateShell = c:\windows\system32\CommandPrompt.Sysm
- HKLM\SYSTEM\ControlSet002\Control\SafeBoot
  - AlternateShell = c:\windows\system32\CommandPrompt.Sysm
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  - AlternateShell = c:\windows\system32\CommandPrompt.Sysm
Replacing Task Manager, Regedit and Solitaire with the FreeCell game
To protect itself, VBWorm.NUJ tries to block several Windows functions such as Folder Options, regedit and Task Manager by replacing them with game programs, as the FaceCool variant did before it. To do so, VBWorm.NUJ tries to create strings in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  - debugger = C:\WINDOWS\system32\freecell.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  - debugger = C:\WINDOWS\system32\sol.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  - debugger = C:\WINDOWS\system32\spider.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
  - DisableMSI = 1
  - LimitSystemRestoreCheckpointing = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  - DisableConfig
  - DisableSR
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
  - DisableConfig = 1
  - DisableSR = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  - NoFolderOptions
  - NoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - DisableRegistryTools
  - DisableTaskMgr
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NoFolderOptions
  - NoRun
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableRegistryTools
  - DisableTaskMgr
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - Hidden = 0
  - HideFileExt = 1
  - ShowSuperHidden = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  - text = @shell32.dll,-30501
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  - text = @shell32.dll,-30500
Message from the virus author
One of the actions VBWorm.NUJ performs is to open an Internet Explorer window every time the computer is started, by running the file C:\Message From Indonesia.htm, accompanied by the Indonesian national anthem "Indonesia Raya".
Below is an excerpt of the message that Internet Explorer displays.
To do this, VBWorm.NUJ tries to create the following registry string:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  - Start Page = C:\Message From Indonesia.htm
VBWorm.NUJ also tries to change the registered company name and Windows owner name by creating the following registry strings:
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  - ProcessorNameString = Core 2 Duo Extreme
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  - RegisteredOrganization = Paraysutki #VM Community
  - RegisteredOwner = W32.Moontox.Bro [B-2]
  - ProductId = Hacker@Cracker@Indonesia
EXE files appear as File Folders
To achieve this, VBWorm.NUJ creates the following registry strings:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
  - Default = file folder
  - InfoTip = file folder
  - NeverShowExt
  - TileInfo = file folder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
  - Default = %SystemRoot%\System32\shell32.dll,4
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory
  - AlwaysShowExt = File Folder
  - InfoTip = File Folder
  - NeverShowExt = File Folder
VBWorm.NUJ also creates the following registry strings:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
  - Description = !!! Sory ya Ngk boleh buka Aplication Microsoft (.msi) Kecuali buka Executable (.exe) !!!
  - ImagePath = Go To Vagina
  - ObjectPath = Dasar Buaya Darat
  - DisplayName = Windows Installer
  - Start = 4
  - Type = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  - Description = !!! Maaf yee Fitur Security Center gue Non aktifkan dulu…biar aman !!!
  - ImagePath = Go To Mak Erot
  - ObjectPath = LocalMoontox
  - DisplayName = Security Center
  - Start = 4
  - Type = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
  - Description = !!! Hi..hi..hi biar ngak ketauan gue non aktif aja fitur ini (:-p) wee !!!
  - ImagePath = Mulutmu Harimaumu
  - ObjectPath = Mulutmu Harimaumu
  - DisplayName = Alerter
  - DependOnService = LanmanWorkstation
  - Start = 4
  - Type = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
  - Start = 4
  - Type = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ansavgd
  - Description = !!! ANSAV kga Mempan sama Moontox Bro (>_<)
  - ImagePath = Go To Mak Erot
  - ObjectName = !!! Kasian Dech lo, Cape dech !!!
  - Start = 4
  - Type = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice
  - Description = !!! Tak akan kubiarkan kau mengembalikan keadaan !!!
  - DisplayName = System Restore Service
  - ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs (ok)
  - Start = 4
  - stop = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Parameters
  - ServiceDll = C:\WINDOWS\service.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
  - EnableRemoteConnect = N
Logs off on access to Regedit / VBS files
To protect itself from removal, this virus also blocks access to INF/VBS files and registry (.reg) files: if the user opens a file with one of these extensions, the computer logs off immediately. To do so it creates the following registry strings:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
  - Default = logoff.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\Shell\Install\Command
  - Default = logoff.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\Shell\open\Command
  - Default = logoff.exe
- HKCR\inffile\shell\Install\command
  - Default = logoff.exe
- HKCR\regfile\shell\open\command
  - Default = logoff.exe
- HKCR\VBSFile\Shell\Edit\Command
  - Default = logoff.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
  - Userinit = C:\windows\system32\userinit.exe, c:\documents and settings\localservice\local settings\spoolsv.exe
  - Shell = explorer.exe C:\documents and settings\localservice\local settings\svchost.exe
  - System = C:\Documents and Settings\LocalService\Local Settings\mencerdaskan_Bangsa.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  - Load = c:\documents and settings\%user%\local settings\application data\csrss.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug
  - Debugger = C:\Documents and Settings\LocalService\Local Settings\Application Data\lsass.exe
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  - Autorun
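The registry changes listed throughout this write-up fall into a handful of persistence and defence-evasion patterns: Image File Execution Options "Debugger" entries that redirect a program to something else, a replaced SafeBoot AlternateShell, extra programs appended to Winlogon Userinit/Shell, .reg/.vbs/.inf handlers pointed at logoff.exe or a delete command, Run entries launched from Temp, and policies that disable Task Manager, regedit and Folder Options. The following Python script is an added example (not code from the original write-up) that audits a registry export in .reg format for exactly these patterns. The .reg text it contains is constructed for the example and is not a real export; the "expected" values it compares against (cmd.exe for AlternateShell, explorer.exe for Shell, system32\userinit.exe for Userinit) are the documented Windows defaults.

```python
"""Audit a .reg export for the persistence / defence-evasion indicators listed
in the write-up.  Added example; the sample export below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export (not a real machine).  .reg data escapes "\" as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"debugger"="C:\\WINDOWS\\system32\\spider.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c:\\windows\\system32\\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon]
"Userinit"="C:\\windows\\system32\\userinit.exe, c:\\documents and settings\\localservice\\local settings\\spoolsv.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="logoff.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"def"="C:\\WINDOWS\\Temp\\Vel.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

Tree = Dict[str, Dict[str, str]]        # key path -> {value name: data}; '' = (Default)
Finding = Tuple[str, str, str]          # (category, key path, detail)

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HANDLER_RE = re.compile(
    r'(?:\\classes|^hkey_classes_root)\\(regfile|vbsfile|inffile)\\shell\\[^\\]+\\command$')
_POLICY_NAMES = {'disabletaskmgr', 'disableregistrytools', 'nofolderoptions',
                 'norun', 'disablecmd', 'disablemsi'}


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash escapes the following character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Tree:
    """Parse the .reg subset used here: [key] headers, "name"= / @= (default)
    values with REG_SZ ("...") or dword: data; other data types stay raw."""
    tree: Tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            elif data.lower().startswith('dword:'):
                data = str(int(data[6:], 16))
            tree[current][name] = data
    return tree


def _get(values: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: registry value names are not case-sensitive."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def audit(tree: Tree) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in tree.items():
        k = key.lower()
        leaf = key.rsplit('\\', 1)[-1]
        if '\\image file execution options\\' in k:
            dbg = _get(values, 'Debugger')
            if dbg is not None:          # any Debugger entry redirects the named program
                findings.append(('ifeo_debugger', key, f'{leaf} -> {dbg}'))
        elif k.endswith('\\control\\safeboot'):
            shell = _get(values, 'AlternateShell')
            if shell is not None and shell.strip().lower() != 'cmd.exe':
                findings.append(('safeboot_shell', key, shell))
        elif k.endswith('\\windows nt\\currentversion\\winlogon'):
            userinit = _get(values, 'Userinit') or ''
            extra = [p.strip() for p in userinit.split(',') if p.strip()
                     and not p.strip().lower().endswith('\\system32\\userinit.exe')]
            if extra:
                findings.append(('winlogon_userinit', key, ', '.join(extra)))
            shell = _get(values, 'Shell')
            if shell is not None and shell.strip().lower() != 'explorer.exe':
                findings.append(('winlogon_shell', key, shell))
            if _get(values, 'System'):   # normally empty
                findings.append(('winlogon_system', key, _get(values, 'System') or ''))
        elif _HANDLER_RE.search(k):
            cmd = values.get('', '')
            if re.search(r'logoff\.exe|\bdel\b', cmd, re.IGNORECASE):
                findings.append(('handler_hijack', key, cmd))
        elif k.endswith('\\currentversion\\run') or k.endswith('\\currentversion\\runonce'):
            for name, data in values.items():
                if '\\temp\\' in data.lower():
                    findings.append(('run_from_temp', key, f'{name} = {data}'))
        elif '\\policies\\' in k:
            for name, data in values.items():
                if name.lower() in _POLICY_NAMES and data.strip() == '1':
                    findings.append(('tool_disabled_policy', key, name))
    return findings


def audit_reg_text(text: str) -> List[Finding]:
    return audit(parse_reg(text))


if __name__ == '__main__':
    for category, key, detail in audit_reg_text(SAMPLE_REG):
        print(f'[{category}] {key}\n    {detail}')
```

On a suspect machine, feed the script the output of `reg export` for the HKLM\SOFTWARE, HKLM\SYSTEM and HKCU hives. The parser only handles REG_SZ and DWORD data, which is all these indicators use; an IFEO key with no Debugger value (like the notepad.exe entry in the sample) is deliberately not reported, since IFEO keys exist legitimately for other settings.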