Virus W32/SillyFDC.F

Posted Apr 11, 2009 by denmasdono


 

W32/SillyFDC.F 10 January 2008
Chaca the Silly Bonek contentious penetrated

Oh my love, my darling, convey
Your feelings, your longing, all your love
And now there is only me and my soul
A moment in eternity

The Bonek virus (Love-Chaca) was written by a fan of Bunga Citra Lestari (BCL); its programmer is apparently one of the many who would like to duet with BCL. The difference is that when Ari Lasso duets with BCL the result is a beautiful song, whereas when the virus writer "duets" with BCL (by borrowing her name) the result is a harmful virus. BCL's name sells, and the virus relies on it heavily as bait for its victims. For instance, the Bonek virus, better known as Love-Chaca, disguises itself as a JPEG file named "Bikini Bunga Citra Lestari" (see Figure 2).

If you often follow football rivalries you will already know the word "Bonek", short for "Bondo Nekat" (roughly "reckless capital"). Bonek is the name given to the group of supporters of the football team from the "City of Heroes", Surabaya, who travel with hardly any money in their pockets ("tongpes", flat wallets).

Now you need to be careful, because the Bonek Love-Chaca virus ("school is hell") has spread. With its latest update, Norman Virus Control detects it as W32/SillyFDC.F (see Figure 1).


Figure 1, Norman Virus Control detects the Love Chaca virus as W32/SillyFDC.F

The virus is hard to kill in normal mode, safe mode and safe mode with command prompt alike. In addition, it can delete executable files (*.exe) that it considers a threat to itself, especially on a computer that is already infected when you try to run a tool to kill the virus.

If you do not want your computer to be infected, be wary of files that use the JPEG image icon, are roughly 122 KB in size and have the file type Application. The virus spreads so easily because it relies on Windows AutoPlay, so it propagates readily via USB flash media (see Figure 2).

Figure 2, a sample of the Love Chaca virus disguised as a JPEG image, "Bikini BCL"

When it is run (whether or not the user is aware of it), the virus creates a file named "school is hell.doc" in My Documents with the following content:


O God, our Lord
Thou art the Most Gracious and Most Merciful
Grant us patience, determination and sincerity always
To be patient, broad-hearted and believing

In what everyone says
If school has to cost so much
If we have to learn in order to receive real punishment
If to be clever one must be willing to be tortured

Ya Allah
Indeed, hope in life should be supported
But can we manage not to despair
If school only brings bondage

Ya Allah
Teach us to believe the words of the religious scholars
Who always promise that being poor here is no victory

Grant us patience with the promises of the authorities
Who so often say that education will become a policy priority

Grant us the determination not to rebel
Against those who are cruel and arbitrary

Ya Allah
Make our hearts firm, not easily enslaved to wealth and fame

Amen

Supporting virus files
To defend itself, the virus creates several files that run each time the computer is started or restarted. Among these supporting files are:
- C:\WINDOWS\W90F87Z70V.exe
- C:\WINDOWS\system32\A75H74K65J.exe
- C:\WINDOWS\I89W73Y87L.exe
- C:\WINDOWS\system32\Y68S82D89R.exe

To launch these supporting files, it creates the following registry values:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Userinit = C:\windows\system32\userinit.exe,c:\documents and settings\localservice\local settings\spoolsv.exe
  • Shell = explorer.exe C:\documents and settings\localservice\local settings\svchost.exe
  • System = C:\Documents and Settings\LocalService\Local Settings\mencerdaskan_Bangsa.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • Load = c:\documents and settings\%username%\local settings\application data\csrss.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug
  • Debugger = C:\Documents and Settings\LocalService\Local Settings\Application Data\lsass.exe
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • Autorun

Services
In addition, it stays active by registering itself as Windows services with the following entries:
- Black Parade = C:\WINDOWS\F71B70G66D.exe
- Heroes City = C:\WINDOWS\system32\S75T69K83E.exe (see Figure 3)

Figure 3, the Love Chaca virus services named Black Parade and Heroes City

Hijacking file execution
To protect itself whenever an executable is run, it changes registry values so that executable file types such as *.exe, *.scr, *.bat, *.pif and *.com actually run the virus instead of the requested file. The values changed are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- HKEY_CLASSES_ROOT\exefile\shell\open\command
  • (Default) = "C:\WINDOWS\system32\S75T69K83E.exe" "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- HKEY_CLASSES_ROOT\batfile\shell\open\command
  • (Default) = "C:\WINDOWS\system32\S75T69K83E.exe" "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- HKEY_CLASSES_ROOT\comfile\shell\open\command
  • (Default) = "C:\WINDOWS\system32\S75T69K83E.exe" "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
- HKEY_CLASSES_ROOT\scrfile\shell\open\command
  • (Default) = "C:\WINDOWS\system32\S75T69K83E.exe" "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- HKEY_CLASSES_ROOT\piffile\shell\open\command
  • (Default) = "C:\WINDOWS\system32\S75T69K83E.exe" "%1" %*

Active in safe mode
It can also run in safe mode as well as in normal mode; for this it creates the following values:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • AlternateShell = C:\WINDOWS\Education.exe need -
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
  • AlternateShell = C:\WINDOWS\Education.exe need -
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
  • AlternateShell = C:\WINDOWS\Education.exe need -
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot
  • AlternateShell = C:\WINDOWS\Education.exe need -
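The registry changes listed in the three sections above (the Winlogon, Load and AEDebug launch points, the exefile/batfile/comfile/scrfile/piffile open commands, and the SafeBoot AlternateShell) can all be checked against their Windows XP defaults from an exported .reg file, without touching the live registry of a machine you suspect. The script below is an added example, not code from the original post or from Norman; it assumes the XP default values written into BASELINE, and SAMPLE_REG is a .reg export constructed from the listing in this write-up, with the batfile entry left at its default to show that a clean value is not reported.

```python
"""Audit a Windows .reg export for the persistence hijacks listed above.
Added example (not from the original post or from Norman). It parses the
.reg export format offline and compares the values the write-up says the
virus rewrites against their Windows XP defaults (an assumption: adjust
BASELINE for other Windows versions or drive letters)."""
import re

NT_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

def _cmd(ftype):
    return r"HKEY_CLASSES_ROOT\%s\shell\open\command" % ftype

# Windows XP defaults for the values the virus is reported to change.
# "@" stands for the key's (Default) value, as in the .reg format.
BASELINE = {
    (NT_CV + r"\Winlogon", "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (NT_CV + r"\Winlogon", "Shell"): "explorer.exe",
    (NT_CV + r"\Winlogon", "System"): "",
    (NT_CV + r"\Windows", "Load"): "",
    (NT_CV + r"\AEDebug", "Debugger"): "drwtsn32 -p %ld -e %ld -g",
    (SAFEBOOT, "AlternateShell"): "cmd.exe",
    (_cmd("exefile"), "@"): '"%1" %*',
    (_cmd("batfile"), "@"): '"%1" %*',
    (_cmd("comfile"), "@"): '"%1" %*',
    (_cmd("piffile"), "@"): '"%1" %*',
    (_cmd("scrfile"), "@"): '"%1" /S',
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _norm_key(key):
    """Fold aliases (HKLM/HKCR/HKCU, HKLM\\SOFTWARE\\Classes, ControlSet00N)
    so the same key written different ways compares equal."""
    k = key.strip().lower()
    for short, full in (("hklm\\", "hkey_local_machine\\"),
                        ("hkcr\\", "hkey_classes_root\\"),
                        ("hkcu\\", "hkey_current_user\\")):
        if k.startswith(short):
            k = full + k[len(short):]
    k = k.replace("hkey_local_machine\\software\\classes\\", "hkey_classes_root\\")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)

def _norm_data(data):
    # case/whitespace-insensitive; drop the trailing comma of the Userinit default
    return " ".join(data.split()).rstrip(",").lower()

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes: \\ and \"

def parse_reg(text):
    """Return {(normalised key, value name): data}; REG_SZ data is unescaped,
    dword:/hex: data is kept as raw text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = _norm_key(m.group(1))
            continue
        m = _VAL_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        values[(key, name)] = data
    return values

def audit_reg_text(text):
    """Return [(key, value name, observed)] for every baseline value that is
    present in the export and differs from its default."""
    values = parse_reg(text)
    findings = []
    for (key, name), expected in BASELINE.items():
        observed = values.get((_norm_key(key), name))
        if observed is not None and _norm_data(observed) != _norm_data(expected):
            findings.append((key, name, observed))
    return findings

# Constructed export: virus values taken from the write-up, batfile left clean.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon]
"Userinit"="C:\\windows\\system32\\userinit.exe,c:\\documents and settings\\localservice\\local settings\\spoolsv.exe"
"Shell"="explorer.exe C:\\documents and settings\\localservice\\local settings\\svchost.exe"
"System"="C:\\Documents and Settings\\LocalService\\Local Settings\\mencerdaskan_Bangsa.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="c:\\documents and settings\\%username%\\local settings\\application data\\csrss.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug]
"Debugger"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\S75T69K83E.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\Education.exe need -"
'''

if __name__ == "__main__":
    for key, name, observed in audit_reg_text(SAMPLE_REG):
        print(f"{key}\\{name}: {observed!r}")
```

On a real case, export the keys in BASELINE with `reg export` from a clean boot medium or a mounted offline hive and feed the file to `audit_reg_text`; any (Default) open command that names something other than `"%1" %*` means every .exe launch passes through the malware first, which is why the write-up warns that killing it from an infected session fails.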

Disabling Windows functions
Like local viruses in general, it disables several Windows functions. The functions it blocks are:
- Hide USB drive
- Disable I
- Disable Run
- Disable Registry Editor
- Disable Task Manager
- Disable Command Prompt
- Disable Control Panel
- Disable Explorer context menu
- Disable Taskbar context menu

Redirecting programs to Notepad
Like viruses in general, it redirects several Windows programs and utilities to Notepad, among them:
- Msconfig.exe (System Configuration Utility)
- Mmc.exe (Computer Management)
- Regedit.exe (Registry Editor)
- KillVB.exe (a tool for terminating Visual Basic applications)
- Rstrui.exe (System Restore)
- Tskmgr.exe (Task Manager)
- Wscript.exe (Windows Script Host)

Changing System Properties
One of the things the virus modifies is the System Properties dialog. On an infected system, an image like this is added to System Properties (see Figure 4).

Figure 4, the System Properties window altered by the virus

For this it creates the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • RegisteredOrganization = Source of Scream
  • RegisteredOwner = Heroes

It also creates the files oemlogo.bmp and oeminfo.ini in C:\WINDOWS\system.

Changing the Folder View Options
The Folder Options function is not blocked, but it is modified so that it still cannot be used properly (see Figure 5).

Figure 5, Folder Options also gets its turn to be "altered" by Chaca

For this, the following values are created:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
  • Text = h3r035 - love Chaca
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder, where the Type value of each of the following subkeys is emptied:
  • ClassicViewState, Type =
  • ControlPanelInMyComputer, Type =
  • DesktopProcess, Type =
  • DisableThumbCache, Type =
  • FolderSizeTip, Type =
  • FriendlyTree, Type =
  • Hidden, Type =
  • HideFileExt, Type =
  • NetCrawler, Type =
  • PersistBrowsers, Type =
  • ShowCompColor, Type =
  • ShowFullPath, Type =
  • ShowFullPathAddress, Type =
  • ShowInfoTip, Type =
  • SimpleSharing, Type =
  • SuperHidden, Type =
  • Thickets, Type =
  • WebViewBarricade, Type =

Blocking security websites
This virus also tries to block several security websites by modifying the hosts file on the victim's computer. The modified hosts file contains the following:

# Sepurane smack, nunut nyangkruk

127.0.0.1 http://www.vaksin.com
127.0.0.1 vaksin.com
127.0.0.1 http://www.jasakom.com
127.0.0.1 jasakom.com
127.0.0.1 http://www.vb-bego.com
127.0.0.1 vb-bego.com
127.0.0.1 http://www.sysinternals.com
127.0.0.1 sysinternals.com
127.0.0.1 http://www.avast.com
127.0.0.1 avast.com
127.0.0.1 http://www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 http://www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 http://www.symantec.com
127.0.0.1 symantec.com
127.0.0.1 http://www.norman.com
127.0.0.1 norman.com
127.0.0.1 http://www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 http://www.secunia.com
127.0.0.1 secunia.com
127.0.0.1 http://www.zonelabs.com
127.0.0.1 zonelabs.com
127.0.0.1 http://www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 http://www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 http://www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 http://www.free-av.com
127.0.0.1 free-av.com
127.0.0.1 http://www.neuber.com
127.0.0.1 neuber.com
127.0.0.1 http://www.bleepingcomputer.com
127.0.0.1 bleepingcomputer.com
127.0.0.1 http://www.iknowprocess.com
127.0.0.1 iknowprocess.com
127.0.0.1 http://www.kaspersky.com
127.0.0.1 kaspersky.com
127.0.0.1 http://www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 http://www.friendster.com
127.0.0.1 friendster.com
127.0.0.1 http://www.yahoo.com
127.0.0.1 yahoo.com
127.0.0.1 http://www.google.com
127.0.0.1 google.com
127.0.0.1 http://www.google.co.id
127.0.0.1 google.co.id
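A hosts file like the one above is easy to check mechanically: any name that is not a local alias and resolves to a loopback or unspecified address has been sinkholed. The script below is an added example, not code from the original post or from any vendor tool. It goes slightly beyond the write-up by also treating 0.0.0.0 as a sinkhole address, and it separately reports the `http://www...` lines: the hosts file matches hostnames only, so those entries never take effect, but their presence is itself a sign the file was written by a tool rather than an administrator. SAMPLE_HOSTS is constructed from a subset of the listing above plus a made-up legitimate intranet line; the WATCHED set of vendor domains is an assumption to tune per environment.

```python
"""Flag hosts-file entries that sinkhole external names to the local host.
Added example (not from the original post or any vendor tool)."""
import ipaddress

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# Assumed list of security-vendor domains worth highlighting; tune as needed.
WATCHED = {"vaksin.com", "symantec.com", "kaspersky.com", "norman.com",
           "sysinternals.com", "virustotal.com", "trendmicro.com"}

def parse_hosts(text):
    """Yield (line number, address text, [names]) for every mapping line;
    comments (after '#') and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield lineno, parts[0], parts[1:]

def _watched(name):
    return any(name == w or name.endswith("." + w) for w in WATCHED)

def audit_hosts(text):
    """Return a list of findings, each a dict with line, address, name, reason."""
    findings = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append({"line": lineno, "address": addr_text,
                             "name": " ".join(names), "reason": "unparseable address"})
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            name = name.lower()
            if "://" in name or "/" in name:
                # hosts resolves bare hostnames only, so a URL here never matches;
                # it is still evidence the file was edited by a tool
                findings.append({"line": lineno, "address": addr_text, "name": name,
                                 "reason": "URL instead of hostname (inert, but indicates tampering)"})
            elif sinkholed and name not in LOCAL_NAMES:
                what = "watched security domain" if _watched(name) else "external name"
                findings.append({"line": lineno, "address": addr_text, "name": name,
                                 "reason": f"{what} sinkholed to {addr}"})
    return findings

def sinkholed_names(text):
    """Sorted hostnames (URL entries excluded) that the file redirects to
    a loopback or unspecified address."""
    return sorted({f["name"] for f in audit_hosts(text) if "sinkholed" in f["reason"]})

# Constructed sample: a subset of the write-up's hosts lines, a made-up
# legitimate intranet entry, and a 0.0.0.0 variant of the same technique.
SAMPLE_HOSTS = """\
# Sepurane smack, nunut nyangkruk
127.0.0.1 localhost
::1 localhost
10.0.0.5 fileserver.corp.example   # constructed legitimate entry
127.0.0.1 http://www.vaksin.com
127.0.0.1 vaksin.com
127.0.0.1 http://www.symantec.com
127.0.0.1 symantec.com
127.0.0.1 google.com
0.0.0.0 kaspersky.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} {f['name']}: {f['reason']}")
    print("sinkholed:", ", ".join(sinkholed_names(SAMPLE_HOSTS)))
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` copied from the suspect machine (the file is plain text, so any platform can audit it); a non-empty `sinkholed_names` result on a box that should have only the localhost lines is a strong indicator of this family or a similar one.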

Finally, when Internet Explorer is opened, a warning appears as if the computer is about to be formatted. The virus does this with the following values:
- HKCU\Software\Microsoft\Internet Explorer\Main
  • Start Page = C:\Windows\system32\error.htm
  • Window Title = i lov u chaca
