Thursday, March 22, 2007

Worm/Virus via Instant Messenger


Be careful: if, while chatting (I use Yahoo Messenger), one of your contacts sends you a message like the one in the picture, ":( the page cannot be displayed http bla bla bla... ", their computer may well have been infected by a virus/worm that spreads via Yahoo! Instant Messenger, Microsoft Windows Live Messenger, and AOL Instant Messenger.
From information I found on the internet, as follows:

This is a worm. The worm infects Windows systems and spreads via Yahoo! Instant Messenger, Microsoft Windows Live Messenger, and AOL Instant Messenger.

Upon execution, it downloads a few files. These files are saved as svchost32.exe and svchost.exe in the Windows System folder.

It modifies the registry at the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm tries to connect to: hxxp://quicknews.info

It also tries to change the security settings of Yahoo! Instant Messenger, Windows Messenger or AOL Instant Messenger.

The worm sends one of the following Instant Messages to the members present in the contacts:

My pics [http://]quicknews.info/mypics[REMOVED] b-( <<
hot pics this week [http://]quicknews.info/hot[REMOVED] :x
Miss World 2006: [http://]quicknews.info/MissWorld[REMOVED] !!
;) 1 of my vacation pictures [http://]quicknews.info/vacation1[REMOVED] <:-P
;) 1 of my vacation pictures [http://]quicknews.info/vacation2[REMOVED] <:-P
Images shot in Iraq _ The war will never end [http://]quicknews.info/Iraqwar[REMOVED] << :(
oh my god , i’ve won a 20000 usd lottery :O [http://]quicknews.info/mylottery[REMOVED] <<
:D who is beside you in this pic [http://]quicknews.info/friendpic1[REMOVED] so good-looking
Screenshot of new windows version _ Windows Vista [http://]quicknews.info/vista[REMOVED] so cool :D
never click into the links like something in this image [http://]quicknews.info/dontclick[REMOVED] #:-S !!!
Do you realize who is in this image: [http://]quicknews.info/who[REMOVED]. Just think for a moment and tell me soon ;))
:( the page cannot be displayed [http://]quicknews.info/error[REMOVED] Something was wrong !!! Check it again and tell me later. THanks

The worm may also terminate a few security-related processes.

This worm first appeared on January 7, 2007.

Note that the name given to this virus/worm may differ from one antivirus vendor to another. Be careful whenever you are connected to the internet.
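
An added example (not part of the original post or of the description quoted in it): a Python check that scans chat or proxy log lines for links to the domain named above and a file listing for the dropped `svchost32.exe`. The sample chat lines and the `C:\WINDOWS\system32` paths are constructed for illustration.

```python
import re

WORM_DOMAIN = "quicknews.info"   # domain named in the quoted description
DROPPED_FILE = "svchost32.exe"   # svchost.exe alone is also a legitimate Windows file name

# Host names in free text; the lookahead stops "quicknews.info-x" matching as "quicknews.info".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])", re.I)

def refang(text):
    """Undo the defanging notations used in advisories: hxxp, [http://], [.]"""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[http://]", "http://").replace("[.]", ".")

def is_worm_host(host):
    """True for the domain itself or a subdomain, not for look-alike names."""
    host = host.lower()
    return host == WORM_DOMAIN or host.endswith("." + WORM_DOMAIN)

def scan_messages(lines):
    """Return (line_number, line) for every line that links to the worm domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        if any(is_worm_host(h) for h in HOST_RE.findall(refang(line))):
            hits.append((number, line))
    return hits

def scan_file_listing(paths):
    """Return paths whose file name is the dropped file (case-insensitive)."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() == DROPPED_FILE]

# Constructed sample data, not taken from a real incident.
SAMPLE_CHAT = [
    "alice: see you at 5?",
    "bob: :( the page cannot be displayed [http://]quicknews.info/error[REMOVED] Something was wrong !!!",
    "carol: the article on notquicknews.info was fine",
    "dave: My pics hxxp://QuickNews[.]info/mypics[REMOVED] b-(",
    "erin: mirror at quicknews.info.example.org",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\SVCHOST32.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for number, line in scan_messages(SAMPLE_CHAT):
        print(f"chat line {number}: {line}")
    for path in scan_file_listing(SAMPLE_FILES):
        print(f"suspicious file: {path}")
```

Matching on the parsed host name rather than on a substring keeps look-alike names such as `notquicknews.info` out of the results.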