Untuk database tambahan ClamAV (panahbiruav-dorkbot.hdb) bisa anda unduh dari disini. Sedangkan untuk database tambahan McAfee untuk virus DorkBot (atau Downloader-CMU.d) dapat anda unduh dari sini. Silakan gunakan opsi tambahan -db ./panahbiru-dorkbot.hdb pada command line untuk ClamAV dan copy file extra.dat pada folder database virus milik McAfee (biasanya di C:\Program Files\Common Files\McAfee\Engines\).

Selamat mencoba!  :D

NB. Jika punya sample virus, silakan kirim ke saya. Upload dulu via salah satu layanan sharing file (4Shared, MediaFire, Uploaded dll) kemudian kirim URL-nya ke panahbiru[padadomain]gmail.com

dorkbot virus, membasmi dorkbot bx, memberantas virus dorkbot, virus definition terbaru, virus dorkbot bx

1. CPU 100%

Sama seperti pendahulunya (BitCoinMiner), DorkBot.Bx juga akan membuat CPU menjadi lamban. Penggunaan CPU menunjukkan persentase 100%. Ini karena aktivitas dari trojan yang berusaha menembus kriptografi blok BitCoin dan mencoba aktif terus untuk melakukan pengiriman data.

2. Boros bandwith

Dengan seringnya melakukan aktivitas kriptografi yang menggunakan sumber daya dari komputer, tentunya akan membuat penggunaan CPU menjadi lambat (100%). Tetapi di balik itu perlu diperhatikan dari aktivitas penggunaan bandwith internet, karena akibat dari trojan DorkBot.Bx justru membuat bandwith anda menjadi boros.

3. Menyembunyikan folder pada drive USB atau removable disk

Sama seperti trojan BitCoinMiner, trojan DorkBot.Bx pun juga melakukan hal yang sama yaitu dengan menyembunyikan folder-folder pada USB atau removable disk dan membuat shortcut palsu yang mirip nama folder tersebut. Sepertinya tren shortcut juga menginspirasi trojan DorkBot.Bx

4. Melakukan koneksi ke Server BitCoin

Trojan DorkBot.Bx berusaha melakukan koneksi ke Server BitCoin untuk melakukan pengiriman kriptografi blok-blok BitCoin menggunakan akun pembuat malware pada BitCoin. Dengan cara tersebut, pembuat malware diuntungkan karena dapat dengan cepat dan mudah melakukan kriptografi blok-blok BitCoin melalui bantuan komputer-komputer yang sudah terinfeksi.

5. Melakukan koneksi ke IRC/Remote Server

Trojan DorkBot.Bx juga berusaha melakukan koneksi ke IRC/Remote Server untuk melakukan pengiriman informasi BitCoin pengguna komputer yang dibutuhkan oleh pembuat malware.

6. Mendownload file malware

Agar mempermudah aksinya, trojan DorkBot.Bx juga melakukan download beberapa file malware tertentu dari IRC/Remote Server agar tetap terupdate dan tidak mudah dikenali oleh antivirus. File malware yang berbeda-beda inilah yang kadang membuat antivirus sulit mendeteksi keberadaan trojan DorkBot.Bx.

7. Mendownload file Certificate Authority (CA)

Pada dasarnya, Certificate Authority (CA) digunakan pada transaksi pembayaran online seperti bank, PayPal, dan ribuan situs lain yang menggunakan protokol SSL. Dengan mendownload file CA, pembuat malware ingin memastikan bahwa komputer korban yang terinfeksi sudah memiliki CA yang terupdate sehingga dapat melakukan transaksi BitCoin dengan aman.

8. Melakukan transfer data yang telah didapatkan

Tujuan utama dari trojan DorkBot.Bx adalah mendapatkan informasi dari pengguna komputer yang sudah terinfeksi.

9. Membuka berbagai port

Trojan DorkBot.Bx juga membuka berbagai port pada komputer korban agar dapat dengan mudah terkoneksi oleh IRC/Remote Server, serta melakukan berbagai aksi dengan leluasa.

10. Mengadopsi Facebook Chat

Metode ini yang mungkin paling sering ditemukan pengguna. DorkBot.Bx memberikan link URL yang telah diubah menjadi singkat, sehingga pengguna akan mudah tertipu. Jika link tersebut dibuka, maka pengguna akan mengunduh file yang menggunakan nama file dan icon yang cukup ‘sexy’.

Ciri lainnya adalah memodifikasi registry dan membuat beberapa file agar menginfeksi komputer. Agar dapat langsung aktif saat pengguna menghubungkan USB atau removable drive, trojan DorkBot.Bx memanfaatkan celah keamanan Windows yaitu Windows Icon handler yang membuat file shortcut dari trojan akan aktif begitu mengakses drive tersebut.

Analisis Virus

Sample yang dikirim ke 2 vendor analisis malware menghasilkan hasil uji sebagai berikut:

1. Menurut McAfee Threat Inteligence

This is a Trojan

File Properties	Property Values
McAfee Detection	Downloader-CMU.d
Length	135681 bytes
MD5	62466ae813448aec7621b25e3102e2c2
SHA1	02127b7c97893f9fc76c72a46e5690b259bff7d8

Other Common Detection Aliases

Company Names	Detection Names
avast	Win32:Malware-gen
avira	TR/Dropper.Gen
Kaspersky	Backdoor.Win32.Ruskill.p
BitDefender	Gen:Heur.IPZ.3
Dr.Web	BackDoor.IRC.Bot.835
FortiNet	W32/Ruskill.P!tr.bdr
Microsoft	Worm:Win32/Dorkbot
Eset	Win32/Injector.FTN trojan (probably variant)
norman	W32/Suspicious_Gen2.KZIYM
rising	Trojan.Win32.Generic.128630D2
Trend Micro	BKDR_RUSKILL.AA
vba32	BScope.FakeAV.xd
V-Buster	Backdoor.Ruskill!rVOox3DhmwU (trojan)

Other brands and names may be claimed as the property of others.

Activities	Risk Levels
Attempts to load and execute remote code in explorer process
Attempts to load and execute remote code in a system process.
Attempts to write to a memory location of a protected process.
Attempts to write to a memory location of a Windows system process
Attempts to write to a memory location where winlogon resides
Attempts to load and execute remote code in a previously loaded process
Attempts to write to a memory location of a previously loaded process.
Enumerates many system files and directories.
Enumerates process list
Process attempts to call itself recursively
Attempts to write to a memory location of an unknown process
No digital signature is present

McAfee Scans	Scan Detections
McAfee Beta	Downloader-CMU.d
McAfee Supported	Downloader-CMU.d

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

1dd.tmp

	The following files have been added to the system:
	%APPDATA%\Cdvmvo.exe

	The following files have been changed:
	%WINDIR%\SYSTEM32\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb %WINDIR%\SYSTEM32\catroot2\edb.chk %WINDIR%\SYSTEM32\catroot2\edb.log %WINDIR%\SYSTEM32\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb

	The following files were temporarily written to disk then later removed:
	%WINDIR%\SYSTEM32\catroot2\tmp.edb

	The following registry elements have been changed:
	HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CDVMVO = %APPDATA%\Cdvmvo.exe

	The applications attempted the following network connection(s):
	173.246.103.**:4949 (irc) : NICK n{US|XPa}qqonxsj hxxp://api.wipmania.com/

2. Menurut ThreatExpert

• Submission details:
• Submission received: 30 November 2011, 18:07:02
• Processing time: 14 min 26 sec
• Submitted sample:
• File MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6
• File SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D
• Filesize: 1,903,189 bytes
• Alias:
• Trojan.Gen.2 [Symantec]
• Worm.Win32.Ngrbot.hel [Kaspersky Lab]
• Worm.Win32.Dorkbot [Ikarus]

• Summary of the findings:

What’s been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\1.tmp %AppData%\2.tmp %AppData%\Fbxaxf.exe	282,624 bytes	MD5: 0x4419BA71E46C2B6180D8C5FB5F14EFB0 SHA-1: 0x6187916D3C3511B9AE9874A3868B175659D46EC4	(not available)
2	%AppData%\3.exe	327,680 bytes	MD5: 0xACB887FE28C2D1206B8835935506E6B8 SHA-1: 0x9E0E8218B3BCAC5931CE448EE8FEFF1333813F2E	(not available)
3	%AppData%\5.exe	474,829 bytes	MD5: 0x2D04724F3EACF65CB140B8B3F36C5C97 SHA-1: 0xE195798A6F76010673B457B2D8CEADC29E3E22A5	(not available)
4	%AppData%\6.exe	388,535 bytes	MD5: 0x7781C1145869CDF87CF61D671247E80E SHA-1: 0xE2F76F546D3E4FF3E748FB6D4B1B3D2890C3B1DA	(not available)
5	%AppData%\7.exe	398,081 bytes	MD5: 0x37FBCA12ADFF251A3B0BC75EF81CE752 SHA-1: 0x951C62AB205B7CD0C783273170D1DEF56EA25AFE	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] W32/IRCbot.gen.bc [McAfee] Trojan:Win32/Sisproc [Microsoft] Trojan.BAT.Miner [Ikarus]
6	%AppData%\9.tmp %AppData%\Wcxaxw.exe	294,912 bytes	MD5: 0xDAFF13B10AD87D9F578555B641758FA1 SHA-1: 0x377E0C14DCF65A9B027748775BC7ACD3E06BAB67	(not available)
7	%AppData%\A.exe	137,024 bytes	MD5: 0x7DBB979C1CBCFAEBC9792D47E05A841C SHA-1: 0xC73BB9319146F6AD76FFE143685578E51B097587	(not available)
8	%AppData%\kakao3\fuckHDZSDP.exe %Temp%\fuckHDZSDP.exe	278,528 bytes	MD5: 0xAE9C07D9B2EA9C1F58E32D3C44B0F33E SHA-1: 0xE1E72AE01919BC8F0BD236AA00EED4D029C7CCE7	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.FakeAv.irgx [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Malagent [Microsoft] Trojan.Win32.Buzus [Ikarus]
9	%AppData%\kakao3\new.exe %Temp%\new.exe	57,344 bytes	MD5: 0xC31027010355FD8F52FE3640048ACD37 SHA-1: 0x5DD50D63D76B8E1CEFBC019CFD414C57FFFEAA72	(not available)
10	%AppData%\PickaVamMaterina2\HDZ.exe	57,344 bytes	MD5: 0x7A8DF56F23106AD0D9D786BAE4ED75BC SHA-1: 0xBD78A2F8FEAA92C5B18BBFFD0EB1399A0644F5BC	(not available)
11	%AppData%\PickaVamMaterina2\Ivo_Sanader.exe	389,120 bytes	MD5: 0x0A4EB0CB242A27AEC20A281F4293FC5E SHA-1: 0x4BA9C00EAC0317346A0AAC3AE8AFB7D4057863EA	(not available)
12	%AppData%\jqycpqe.exe %Temp%\zxjidmw.exe	344,576 bytes	MD5: 0x6D6BD4C8256D75B314BDD644C1240917 SHA-1: 0x1ACCD82D27F6511375F5635BDAAC8B3BAFF0E624	Trojan.FakeAV [PCTools] Trojan.FakeAV!gen64 [Symantec] Trojan.Win32.FakeAV.dvjc [Kaspersky Lab] FakeAlert-SecurityTool.bt [McAfee] Mal/FakeAV-KL [Sophos] Trojan.Win32.FakeAV [Ikarus]
13	%Temp%\about.exe	57,344 bytes	MD5: 0xC52F6C51034FD72CB65483DAB4E51438 SHA-1: 0xB0039E980891438B76419E0CEF9040FA1C413E93	(not available)
14	%Temp%\del.exe	159,232 bytes	MD5: 0x99D3FD2985012D43C3D532CF1F70B342 SHA-1: 0xD0018933F627CD668DFEBC1B3AAD8D4C25D2D82B	Malware.W95-CIH [PCTools] W95.CIH.damaged [Symantec] Generic.dx!xon [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Dynamer!dtc [Microsoft] Virus.Win9x.CIH [Ikarus]
15	%Temp%\hid.exe	44,040 bytes	MD5: 0xC1C769D742F88E441DED76BF57A5A45C SHA-1: 0x06872DABD41E70DC4EF8FD5131B334BE8A17DB3C	Net-Worm.SillyFDC [PCTools] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]
16	%Temp%\HRSearchC.exe	287,744 bytes	MD5: 0x5E03A535C8BEF1AB056074D68CE7A5E0 SHA-1: 0x689974AE94DF135E21F5711C06B5DC72DA3F9128	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.dx!banc [McAfee] Trojan.ATRAPS [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]
17	%Temp%\Jttetn.exe	139,264 bytes	MD5: 0x585F2F27EF6D87CD4CC9A8501EAAA6FE SHA-1: 0x0AB77FD8C68025F4E579C4C58C05874108F20F5A	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Backdoor.Win32.Ruskill.g [Kaspersky Lab] Downloader-CMU.d [McAfee] Mal/Generic-L [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
18	%Temp%\Mstetq.exe	143,360 bytes	MD5: 0x167F4EF7C1225451EF69DB10D3B16611 SHA-1: 0xE5D356E142ED28AB5A0748CD04BB792C9514192A	Worm.Win32.Ngrbot.hdy [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/EncPk-AAQ [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
19	%Temp%\newmoon17.exe	367,889 bytes	MD5: 0x1CE65C3C14F7F09C08C50FBB6A8C1CC4 SHA-1: 0x46E4FD565736FF96A94F5B762C1F875C32585A1B	Trojan.Win32.FakeAv.irgx [Kaspersky Lab] Generic FakeAlert!tz [McAfee] Mal/Generic-L [Sophos] Trojan.Win32.Buzus [Ikarus]
20	%Temp%\x30811.exe	1,012,224 bytes	MD5: 0x4BC19BC59EC9C4A987079A618CF18C68 SHA-1: 0xC4EC15672E96CEC3411CCE377BFFEAB55BA8C88D	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.tfr!r [McAfee] Trojan:Win32/Orsam!rts [Microsoft] Win32.SuspectCrc [Ikarus]
21	%Temp%\yz.bat	180 bytes	MD5: 0xD6C231471750C153641E292D746814B5 SHA-1: 0x16EC0A913564D18A6D03711415B272FDECC3E867	Trojan.BAT.Miner.i [Kaspersky Lab] Trojan.BAT.Miner [Ikarus]
22	%Programs%\Startup\Demokratska2.exe	418,008 bytes	MD5: 0xCF4C9FA0F9B2AB5CA96C7C2AF8B26C75 SHA-1: 0x6B9F44527B91AD9DAC7AD1D396787496DBE37BEE	(not available)
23	%Programs%\Startup\dxdiag.exe	23,552 bytes	MD5: 0x9EA5BEFAB3FAB1D19D70F8D917463D13 SHA-1: 0xBCABE617AF58EFB8B0E759111044BDBB8F3F6152	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.Jorik.Aspxor.y [Kaspersky Lab] Generic Downloader.z [McAfee] Troj/Bredo-IK [Sophos] Trojan.Agent_r [Ikarus]
24	%Programs%\Startup\stepx2.exe	348,530 bytes	MD5: 0x0764BEF5D967DCE3784E18D204BB90E6 SHA-1: 0x896A45B21C554B723503BC5865677733C025FC23	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] Trojan.BAT.Miner.i, not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] Generic.tfr!r [McAfee] Trojan.BAT.Miner [Ikarus]
25	%Programs%\Startup\taskmgr.exe	826,184 bytes	MD5: 0x47CFDF331A80B2028A1B8ACA61BD191B SHA-1: 0xD10BD40A735C6EFBFA4FBFA6C842B4DB5DBA9445	(not available)
26	[file and pathname of the sample #1]	1,903,189 bytes	MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6 SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D	Trojan.Gen.2 [Symantec] Backdoor.Win32.Ruskill.g, Worm.Win32.Ngrbot.hdy, Trojan.Win32.Jorik.Aspxor.y, Trojan.Win32.FakeAv.irgx, Trojan.Win32.FakeAV.dvjc, Worm.Win32.Ngrbot.hel [Kaspersky Lab] Worm.Win32.Dorkbot [Ikarus]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %Programs% is a variable that refers to the file system directory that contains the user’s program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

• The following directories were created:
• %AppData%\kakao3
• %AppData%\PickaVamMaterina2

Memory Modifications

• There was a new process created in the system:

Process Name	Process Filename	Main Module Size
del.exe	%Temp%\del.exe	184,320 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch
• HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch\Data
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah
• HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh
• HKEY_CURRENT_USER\Software\WinRAR SFX

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Scxaxs = “%AppData%\Scxaxs.exe”
• Lcxaxl = “%AppData%\Lcxaxl.exe”
• Wcxaxw = “%AppData%\Wcxaxw.exe”
• Fbxaxf = “%AppData%\Fbxaxf.exe”

so that Wcxaxw.exe runs every time Windows starts
so that Fbxaxf.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah]
• wfdijwaopfddvmieihccsyrbpsbqhy = “”
• [HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh]
• dncirhudbpmysvlqkzovzmfcsemsko = “”
• [HKEY_CURRENT_USER\Software\WinRAR SFX]
• C%%Documents and Settings%%UserName%%Application Data%kakao3 = “%AppData%\kakao3″
• C%%Documents and Settings%%UserName%%Start Menu%Programs%Startup = “%Programs%\Startup”
• C%%Documents and Settings%%UserName%%Application Data%PickaVamMaterina2 = “%AppData%\PickaVamMaterina2″
• C%%DOCUME~1%%UserName%%LOCALS~1%Temp = “%UserProfile%\LOCALS~1\Temp”

Other details

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
199.15.234.7	80
70.38.98.239	80
92.243.20.57	3212

• The data identified by the following URLs was then requested from the remote web server:
• http://api.wipmania.com/
• http://img105.herosh.com/2011/11/30/745759013.gif

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 3212:

00000000 | 1703 0000 1DAB E65A 5272 636E 2145 D536 | …….ZRrcn!E.6
00000010 | DE93 29D5 30B1 C61D 332C 9A67 949A BC7A | ..).0…3,.g…z
00000020 | 9E5B 1703 0000 274F ADFB BF5C 4E3A FB4E | .[....'O...\N:.N
00000030 | D8CC C0CA 0050 D50D 9575 5A23 C707 EC0B | .....P...uZ#....
00000040 | 7581 0719 F6AE 5AD5 F944 AE93 A1AA 1703 | u.....Z..D......
00000050 | 0000 2BD7 208A C1F7 256B F9F6 9CDE A553 | ..+. ...%k.....S
00000060 | 9E96 B39D A07E 1DAD B1C6 97A4 3724 EC7E | .....~......7$.~
00000070 | 3C85 F623 B80B 6153 9522 16E0 3A10 1703 | <..#..aS."..:...
00000080 | 0000 2B17 0300 0021 DA71 8326 C5E8 AA2A | ..+....!.q.&...*
00000090 | 9569 1FB6 841A 28FF 3CFD E0B3 CAED 2701 | .i....(.<.....'.
000000A0 | 1E3B 92FF EAA9 C7EA F58C F1E4 D1DA 5265 | .;............Re
000000B0 | 3174 9F17 0300 002B B706 D784 55DF CA99 | 1t.....+....U...
000000C0 | F14D 26E9 7B04 A824 A720 6035 1958 3851 | .M&.{..$. `5.X8Q
000000D0 | 62B7 EF3D D371 4100 05A9 261E 9405 6B9A | b..=.qA...&...k.
000000E0 | 391E C3A9 1497 5C92 EE8B FF97 4DC9 F64B | 9.....\.....M..K
000000F0 | 0686 843D 1503 0000 12C0 9AF5 9FE9 9F49 | ...=...........I
00000100 | D9E3 B6AD 3696 8DE8 80F7 AA16 0300 0041 | ....6..........A
00000110 | 0100 003D 0300 4ED6 E189 B267 390E FDB0 | ...=..N....g9...
00000120 | F1DE 8842 4A95 84E3 FB81 300E 64F0 39B7 | ...BJ.....0.d.9.
00000130 | A36E 5D63 987C 0000 1600 0400 0500 0A00 | .n]c.|……….
00000140 | 0900 6400 6200 0300 0600 1300 1200 6301 | ..d.b………c.
00000150 | 0015 0300 0002 0129 1603 0000 8410 0000 | …….)……..
00000160 | 807F CF33 A19D 39EE 435D ED5D 92EF 7B8E | …3..9.C].]..{.
00000170 | 5BCF AB87 2357 E0F2 1505 1282 6EE9 A547 | […#W……n..G
00000180 | 4E1F 9858 939A 5769 3956 3625 8F42 893B | N..X..Wi9V6%.B.;
00000190 | 1E8B 4CF4 FD81 33EA B29E F34C 60CE 341B | ..L…3….L`.4.
000001A0 | 1C77 896E 6C8B E959 F873 F09A 1E96 DB05 | .w.nl..Y.s……
000001B0 | 9A35 3ABB 0986 976E 5283 1942 1B35 58DC | .5:….nR..B.5X.
000001C0 | 1452 FBA5 76CA FEED 54E9 CD6D 3C4D FA84 | .R..v…T..m 000001D0 | B3F1 6AE7 0CE6 9CA6 DA64 511A C0AE E2EF | ..j......dQ.....
000001E0 | EB14 0300 0001 0116 0300 0038 D6F1 B74A | ...........8...J
000001F0 | 6314 38F3 E899 A02A BF38 5088 2AF8 E066 | c.8....*.8P.*..f
00000200 | 2877 20CA DB84 5C66 E13C 6708 20C9 BD26 | (w ...\f. 00000210 | F737 82A8 5F21 37D8 A7B8 3AF5 7F65 2F82 | .7.._!7...:..e/.
00000220 | D0D9 7802 | ..x.

3. VirusTotal

Berikut hasil sample yang diperiksa dengan VirusTotal dengan 43 antivirusnya.

Sumber: detikINET, ThreatExpert, McAfee ThreatInteligence, dan VirusTotal

menghilangkan virus dorkbot, virus dorkbot, ruskill virus, mengatasi virus dorkbot a, virus who am i, virus membuat prosesor 100%, penggunaan cpu 100% komputer lambat, penangkal virus dorkbot, mengenai virus trojan jorik, menghilangkan virus dorkbot bx, virus x30811, antivirus untuk dorkbot bx, a variant of win32/dorkbot a worm - unable to, antivirus yang mampu mendeteksi dorkbot, backdoor:win32/ircbot gen!k

Untuk menghapus trojan ini, hapuslah beberapa file berikut:

• %WINDIR%\SYSTEM32\lowsec\user.ds

• %WINDIR%\SYSTEM32\lowsec\local.ds

• %WINDIR%\SYSTEM32\sdra64.exe

Hapus file tersebut dengan LiveCD Linux/Windows

Kemudian login Windows dan hapus registry yang terinfeksi dengan Regedit:

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT = %WINDIR%\SYSTEM32\userinit.exe,%WINDIR%\SYSTEM32\sdra64.exe,

atau kalau tidak mau repot, silakan scan dengan McAfee SDAT terbaru.

NB. Bagi kolektor dan pengembang antivirus, hash MD5 dari virus ini adalah 533564e5fb4cdaf57f9f09032584614cd97ac347, silakan tambahkan pada database antivirus anda!

menghapus trojan, virus analisis, trojan hapus, menghilangkan trojan, hapus trojan, cara membersihkan virus trojan system32, antivirus buat membersihkan trojan virus, penjelasan tentang virus win32 genome, MENGHILANGKAN VIRUS TROJAN PADA SYSTEM32, menghilangkan trojan pada script web, antivirus untuk membersihkan trojan system32, menghapus virus trojan tanpa menghapus file, antivirus utk membersihkan trojan, membersihkan Trojan Win32 Genome, bancos adalah

Nama alias: Malware.Stuxnet [PCTools], W32.Stuxnet [Symantec], Trojan-Dropper.Win32.Stuxnet.e [Kaspersky Lab], Stuxnet [McAfee], Troj/Stuxnet-A [Sophos], TrojanDropper:Win32/Stuxnet.A [Microsoft], Trojan-Dropper.Win32.Stuxnet [Ikarus], Win-Trojan/Stuxnet.517632.F [AhnLab]

Hasil MD5: 0xA2FEB4862A0E30E7AC1EF34505ACD356 (a2feb4862a0e30e7ac1ef34505acd356)
Hasil SHA-1: 0xDC4B68CA78EDECBD94B2CB2501303D849FB605A5
Ukuran: 517,632 bytes

Level: High-risk

Security-risk (Possible):

• Worm yang menyebar ke seluruh bagian jaringan
• Mungkin mengandung metode rootkit-spesifik ke sejumlah versi OS, software dan driver,

Membuat file-file berikut:

• %Windir%\inf\mdmcpq3.PNF
• %Windir%\inf\mdmeric3.PNF
• %Windir%\inf\oem6C.PNF
• %Windir%\inf\oem7A.PNF
• %System%\drivers\mrxcls.sys
• %System%\drivers\mrxnet.sys

Teknik Injeksi modul serupa Rootkit ke Kernel:

• KERNEL32.DLL.ASLR.000241c5 (Process name: services.exe, Process filename: %System%\services.exe, Address space: 0xE50000 – 0xF88000)
• KERNEL32.DLL.ASLR.000247cc (Process name: svchost.exe, Process filename: %System%\svchost.exe, Address space: 0x9D0000 – 0xB08000)
• KERNEL32.DLL.ASLR.0002329f (Process name: svchost.exe, Process filename: %System%\svchost.exe, Address space: 0x24D0000 – 0×2608000)

Membuat key baru di Registry Windows:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\Enum

Solusi membasmi Stuxnet

Silakan update antivirus anda, minimal menggunakan vendor-vendor yang telah mengenali Virus ini (lihat bagian alias).

Koleksi Hash

Bagi yang ingin mengkoleksi hash dari virus ini berikut file yang dibuat (barangkali bermanfaat untuk dimasukkan ke antivirus buatan sendiri atau database ClamAV) ini adalah hash MD5 yang bisa anda tambahkan:

• 9CD03CB160D20B686A0CE7AD2048C52A
• B834EBEB777EA07FB6AAB6BF35CDF07F
• AC64C5A7ED0D8C6C3A10FE584F2DCF90
• AD19FBAA55E8AD585A97BBCDDCDE59D4
• F8153747BAE8B4AE48837EE17172151E
• CC1DB5360109DE3B857654297D262CA1
• A2FEB4862A0E30E7AC1EF34505ACD356

virus stuxnet, anti virus stuxnet, membasmi stuxnet, hilangkan virus dorkbot, membersihkan virus dorkbot, menghapus virus dorkbot, menghapus virus dorkbot bx, nama virus yang menyerang scada, software analisa virus, -inurl: nama virus yang menyerang scada, makalah tentang virus stuxnet, database dorkbot bx untuk avg, cara meremove dorkbot bx, apa nama virus yang menyerang scada ?, antivirus stuxnet