
Virus Induc.a | New Virus, 18 August 2009

A report from the security vendor Kaspersky reveals the first virus known to specifically infect a programming language environment. The victim is Borland's Delphi development environment.

The virus works by scanning the machine for an installed copy of Delphi, attaching itself to the compiler (more precisely, to the runtime library unit that every Delphi program links in), and from then on infecting every program that Delphi produces after the compiler has been compromised. Dangerous, isn't it?

According to Denis Nazarov, a virus researcher at Kaspersky Lab, as quoted by Softpedia: “It doesn’t currently have a malicious payload, and it doesn’t directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine […] The result – any Delphi program compiled on the computer gets infected.”

The virus, identified as Virus.Win32.Induc.a by Kaspersky and F-Secure, Virus.Win32.Induc by Ikarus, W32/Induc by McAfee and W32/Induc-A by Sophos (the sandbox listing below also shows W32.Induc.A for Symantec and Virus:Win32/Induc.A for Microsoft), infects Delphi versions 4.0, 5.0, 6.0 and 7.0, regardless of the machine those versions are installed on.

Analysis of the sample shows that Induc.a looks for a Delphi installation and, if it finds one, copies SysConst.pas into the \Lib folder and writes a few lines of its own code into it. It then backs up the existing SysConst.dcu, compiles the modified SysConst.pas, and so produces an infected SysConst.dcu. Once compilation is done, the .pas file is deleted to remove the traces of the infection.

After that initial infection, the compromised Delphi compiler passes the virus on to every program that is subsequently compiled with it. Although some experts still say that Induc.A is not particularly dangerous, in my opinion Induc.A has the potential to found a new dynasty and become a “super-virus”.
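The checker below is an added example, not code from the original post or from any antivirus vendor. It looks for the residue the procedure above leaves behind in a Delphi \Lib folder (a backed-up SysConst.dcu and a rebuilt one carrying the virus's own strings) and can also be pointed at compiled binaries. The backup name SysConst.bak, the registry value HKLM\SOFTWARE\Borland\Delphi\<version>\RootDir that the virus uses to find Delphi, and the indicator strings are assumptions taken from public vendor write-ups of Induc.a rather than from this page; confirm them against your own sample before relying on them. The demo Lib folder is constructed in a temporary directory so the script runs anywhere; real Delphi installations are only looked up when the script runs on Windows.

```python
"""Check a Delphi 4-7 toolchain for the traces Induc.a leaves behind."""
import hashlib
import tempfile
from pathlib import Path

# Strings that Induc.a's injected SysConst code carries. Taken from public
# vendor write-ups, NOT from the post above: treat them as assumptions and
# extend the list from your own sample before relying on it.
INDUC_INDICATORS = (
    b"Software\\Borland\\Delphi",   # registry key the virus reads RootDir from
    b"SysConst.bak",                 # name it gives the backed-up SysConst.dcu
    b"dcc32.exe",                    # command-line compiler it re-runs
)


def sha1_of(path: Path) -> str:
    """Hex SHA-1 of a file, read in chunks so large .dcu/.exe files are fine."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bytes(data: bytes) -> list:
    """Return the Induc indicator strings present in a blob (exe, dcu, ...)."""
    return [ind for ind in INDUC_INDICATORS if ind in data]


def check_lib_dir(lib_dir: Path) -> dict:
    """Inspect a Delphi <RootDir>\\Lib folder for the residue Induc.a leaves.

    bak_present    SysConst.bak exists: the original .dcu was saved under that
                   name before the virus compiled its own (strong sign)
    pas_left_over  SysConst.pas exists in Lib: the copied-in .pas is normally
                   deleted afterwards, so a leftover means an interrupted run
    dcu_indicators indicator strings found inside SysConst.dcu
    dcu_sha1/bak_sha1  hashes for comparison against a known-good RTL
    """
    dcu, bak, pas = (lib_dir / n for n in ("SysConst.dcu", "SysConst.bak", "SysConst.pas"))
    findings = {
        "bak_present": bak.is_file(),
        "pas_left_over": pas.is_file(),
        "dcu_indicators": scan_bytes(dcu.read_bytes()) if dcu.is_file() else [],
        "dcu_sha1": sha1_of(dcu) if dcu.is_file() else None,
        "bak_sha1": sha1_of(bak) if bak.is_file() else None,
    }
    findings["infected"] = findings["bak_present"] or bool(findings["dcu_indicators"])
    return findings


def delphi_lib_dirs_from_registry() -> list:
    """On Windows, locate Delphi 4-7 Lib folders the same way the virus does.

    Returns [] on non-Windows hosts or when no Delphi key exists.
    """
    try:
        import winreg
    except ImportError:
        return []
    dirs = []
    for ver in ("4.0", "5.0", "6.0", "7.0"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                rf"SOFTWARE\Borland\Delphi\{ver}") as key:
                root, _ = winreg.QueryValueEx(key, "RootDir")
                dirs.append(Path(root) / "Lib")
        except OSError:
            continue
    return dirs


def build_demo_lib(state: str) -> Path:
    """Constructed sample data (not a real Delphi install) for a dry run.

    state="clean":    Lib holds only an unmodified SysConst.dcu.
    state="infected": the layout the post describes after infection: the
    original .dcu kept as SysConst.bak, a new .dcu carrying the virus's
    strings, and SysConst.pas already deleted.
    """
    lib = Path(tempfile.mkdtemp()) / "Lib"
    lib.mkdir()
    original = b"DCU\x00clean SysConst unit image (constructed)"
    if state == "clean":
        (lib / "SysConst.dcu").write_bytes(original)
    else:
        (lib / "SysConst.bak").write_bytes(original)
        (lib / "SysConst.dcu").write_bytes(
            original + b"Software\\Borland\\Delphi\x00SysConst.bak\x00dcc32.exe")
    return lib


if __name__ == "__main__":
    for state in ("clean", "infected"):
        print(state, check_lib_dir(build_demo_lib(state)))
    for lib in delphi_lib_dirs_from_registry():   # real installs, Windows only
        print(lib, check_lib_dir(lib))
```

Run it on the build machine rather than on end-user PCs: a single `bak_present` hit is enough to treat the toolchain as compromised, after which every binary built since the SysConst.dcu timestamp has to be rebuilt from a clean runtime library (restore the unit from the vendor's original media, not from SysConst.bak, since the backup is also virus-written). `scan_bytes` can be fed the contents of shipped executables to triage which releases carried the infection.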

Update 1: So far, Delphi-based software such as Any TV Free 2.41 and Tidy Favorites 4.1 has been found to be infected with this virus. Be careful and update your antivirus right away, especially if you use one of the vendors mentioned above.

Update 2: Sandbox report for an infected sample (ThreatExpert format). The sample is an Inno Setup installer for save2pc Light 3.55 that also installs the Xvid 1.2.1 codec; Inno Setup installers are themselves built with Delphi, which is why the installer (#38) carries an Induc detection alongside save2pc_light.exe (#18). None of the other 39 files listed, the Xvid codec files included, is detected, consistent with the vendor's Delphi build environment, not the bundled packages, being what was infected.

File System Modifications

* The following files were created in the system:

#  Filename(s)  File Size  File Hash (MD5, then SHA-1 on the following line)  Alias (antivirus detection name; “(not available)” means no vendor detects the file)
1 %CommonPrograms%\save2pc\save2pc Light.lnk 739 bytes MD5: 0x65FA49B2CF76F68D1E1450553A06C000
SHA-1: 0x48384B5F7D3489670CC07355EED9F26D26295C18 (not available)
2 %CommonPrograms%\save2pc\Uninstall save2pc Light.lnk 714 bytes MD5: 0xDA5C1A52E7C064C7450437E54D41D5A4
SHA-1: 0xDBE9BC74FCC49B095E8B127F38C4865F0CE0DD24 (not available)
3 %CommonPrograms%\Xvid\Configure Decoder.lnk 1,389 bytes MD5: 0x7EE3BD1E349A107A9BDA9BE70179B9E6
SHA-1: 0xA85835E2BC038A0DA024B1B8CA8AF858099A1E31 (not available)
4 %CommonPrograms%\Xvid\Configure Encoder.lnk 1,399 bytes MD5: 0x82347B5B8BEAB260B1E31841DF74070B
SHA-1: 0x6D1584F20F004CEEE035C9C6F5B7C8DE0358449C (not available)
5 %CommonPrograms%\Xvid\INet-Doom9’s Xvid Forum.lnk 684 bytes MD5: 0xEB8111D5F62CA14DC6D03DC5185967F4
SHA-1: 0x421A5301A3FA9DB518D87AB588C8FF66FB98789D (not available)
6 %CommonPrograms%\Xvid\INet-Koepi’s Homepage (Updates).lnk 758 bytes MD5: 0xEC19BF7509F6F2F62F7E0B5D7F433FF8
SHA-1: 0x8EFDE01B77A798E1C972D092A679E0AEEEDB56C4 (not available)
7 %CommonPrograms%\Xvid\INet-Xvid Homepage.lnk 688 bytes MD5: 0xB0680CB0B5825B44B4335D428630335B
SHA-1: 0xE4B084DED8FD3D24B74B3507F12719514A272DBB (not available)
8 %CommonPrograms%\Xvid\Koepi’s OGMCalc.lnk 717 bytes MD5: 0x0FEB01FC5AAEFB5C39D0304AEFB6E5DA
SHA-1: 0x2DCF1219818EBDEE394F6B72B29F36A2FF2ECF02 (not available)
9 %CommonPrograms%\Xvid\Nic’s FourCC changer.lnk 668 bytes MD5: 0xFD84D06972A0B633647085F120690752
SHA-1: 0x1212BF9DB7112DE30551C4EE4E723F03D84C973D (not available)
10 %CommonPrograms%\Xvid\Nic’s MiniCalc.lnk 672 bytes MD5: 0x96F9E65EC1740D58D873B36E48C31F3B
SHA-1: 0xE59C111F7FE9C67E1892864B40380EE456E58D52 (not available)
11 %CommonPrograms%\Xvid\Release Notes.lnk 726 bytes MD5: 0xB974F468AEFDFEAE2D97AC027113F751
SHA-1: 0xDFBB2AEC829ECC583EA60D39ABB09F7F45B87D82 (not available)
12 %CommonPrograms%\Xvid\Some quantization matrices.lnk 749 bytes MD5: 0x1DBF5CA8420DA36FF7922B357561F66F
SHA-1: 0xD58E6F6783271F073D5CEBD2DB990CDCA06735BA (not available)
13 %CommonPrograms%\Xvid\StatsReader 2.1.lnk 705 bytes MD5: 0x646247D9A510C333B3BAFC807AF5B36B
SHA-1: 0x2250475EF7DFDAC28937C84A26C301CE9DE12365 (not available)
14 %CommonPrograms%\Xvid\StatsReader Notes.lnk 703 bytes MD5: 0xD73EB9DAF86C7B0EF4FC6390C89629E5
SHA-1: 0x6AA349835D6DAF261E2695D7E6E43459641A38E9 (not available)
15 %CommonPrograms%\Xvid\Uninstall Xvid.lnk 1,522 bytes MD5: 0x4C24835D5CC8AE5EB18B0F4DB8FFC381
SHA-1: 0xCCBE5B24AF9DF493FC889F5E87AD7DD9D4533B06 (not available)
16 %CommonPrograms%\Xvid\Vidc.Cleaner.lnk 1,623 bytes MD5: 0xAE69313431C3ACACA57CE434FD86CC2A
SHA-1: 0xD45CDB6636EE8F178F0E37AE3C0C8637C99F6933 (not available)
17 %DesktopDir%\save2pc Light.lnk 727 bytes MD5: 0xA824D35CE277C977A530990412B5D1E3
SHA-1: 0x2B10DCCE6104AB08651B5608369F4BC145AAFC89 (not available)
18 %ProgramFiles%\FDRLab\save2pc\save2pc_light.exe 4,927,488 bytes MD5: 0x5D51C0E457925ADD6822F6644779F495
SHA-1: 0x64353104FAFB41FDA150A228A737B5304E8F74BE W32.Induc.A [Symantec]
Virus.Win32.Induc.a [Kaspersky Lab]
W32/Induc [McAfee]
W32/Induc-A [Sophos]
Virus:Win32/Induc.A [Microsoft]
Virus.Win32.Induc [Ikarus]
19 %ProgramFiles%\FDRLab\save2pc\unins000.dat 2,398 bytes MD5: 0x438185552A84C1F74FFBB485062B1D34
SHA-1: 0x48B7A5C3A513B96126A00D98F48DA5D91122F543 (not available)
20 %ProgramFiles%\FDRLab\save2pc\unins000.exe 691,481 bytes MD5: 0x7FF4E285EFBA90134F8EE1C54A910749
SHA-1: 0x1EF4BAB85BE4A6A1F467995119F85278F80FA8D2 (not available)
21 %ProgramFiles%\FDRLab\save2pc\xvid.exe 652,333 bytes MD5: 0x388A80E1467A0FA0BB3812F41A53D27C
SHA-1: 0x82738D5733AFB028B83BE1C6D8F829D387434D3E (not available)
22 %ProgramFiles%\Xvid\AviC.exe 6,144 bytes MD5: 0xC39AD6299E0E1F7AA3F5B51AC9B5CD0E
SHA-1: 0x468E27F8A20C07AC8100E8223B326909095DD6D6 (not available)
23 %ProgramFiles%\Xvid\doom9forum.url 79 bytes MD5: 0xDC45662BDF8CAD91226BA35461E5E645
SHA-1: 0x7419E01DD36CF99D20CCE57E8067ABD40E1765BA (not available)
24 %ProgramFiles%\Xvid\koepishomepage.url 121 bytes MD5: 0x2C6D2BF6124CF5ABEAB023541722DE8C
SHA-1: 0x9DA65E876702EB24D01A4BB8AB1AEC82D5F7EB60 (not available)
25 %ProgramFiles%\Xvid\LICENSE 18,327 bytes MD5: 0x9E865F6174E00936D7BE7B816B3FF188
SHA-1: 0xE64C9C36E85D2022A45A3D4CB0F196C01F216072 (not available)
26 %ProgramFiles%\Xvid\MiniCalc.exe 23,040 bytes MD5: 0x7CE40A557359849EA374E0E4DDE52E26
SHA-1: 0xD865E7EF9C41D8C622EC87577685F3E1868F420E packed with UPX [Kaspersky Lab]
27 %ProgramFiles%\Xvid\OGMCalc.exe 9,216 bytes MD5: 0x95CAEF9DA6E9AEE1ECD627527CFA0F38
SHA-1: 0xF0CE07A0C7DA2F0239EBFE3CA37CD03332D80F0B packed with UPX [Kaspersky Lab]
28 %ProgramFiles%\Xvid\plugins_lumimasking.c-diff.txt 5,021 bytes MD5: 0x193362D99E0BB3BFA64D6E57D4C339D2
SHA-1: 0x8EDDCF87C0D5FD8E3B1D054B955347B94556DA4A (not available)
29 %ProgramFiles%\Xvid\releasenotes.txt 1,521 bytes MD5: 0x0EE012046EAA892E7AC050DB94419E5D
SHA-1: 0x1B7C3CBA7FBB710546948639A96A525D3256E21C (not available)
30 %ProgramFiles%\Xvid\StatsReader.exe 13,824 bytes MD5: 0x487AF46145B81C5BC54873E764F93636
SHA-1: 0xF948B0544C59127E8845EEF915F2EC3B6B1C3508 packed with UPX [Kaspersky Lab]
31 %ProgramFiles%\Xvid\statsreader.txt 1,496 bytes MD5: 0x01221F7D49384F1EA1FB6967A2D11C20
SHA-1: 0x89F7BD49C109D5109A71FD24A092338FFB0BD76B (not available)
32 %ProgramFiles%\Xvid\unins000.dat 11,343 bytes MD5: 0xC6D760911873458886A8E0382DE6AF6D
SHA-1: 0x174D372CB1F1C185D9BD23C76BE7E9401FEFCF16 (not available)
33 %ProgramFiles%\Xvid\unins000.exe 673,610 bytes MD5: 0x4BFD4F1E61C5C1A7D4158952AE2A2AD6
SHA-1: 0x8D38D0D38ED2FFA7F5559A382D16AE82EF99A08E (not available)
34 %ProgramFiles%\Xvid\vidccleaner.exe 8,704 bytes MD5: 0x6B5E418A9C02AB0C3F3DD50B0E3CD3A6
SHA-1: 0xD7E976B79DE0E822F41845F45C6311D11D2179D0 packed with UPX [Kaspersky Lab]
35 %ProgramFiles%\Xvid\xvid.ico 766 bytes MD5: 0x4D0DBF39F00A21CF520E172EF37145D2
SHA-1: 0x8E0F324F43D30EF9535CEDD3CDE46CCCB6B8A21D (not available)
36 %ProgramFiles%\Xvid\xvidhomepage.url 44 bytes MD5: 0xDFD74226477506DCACF1FD7698DC7C00
SHA-1: 0xE7F1CA16188CD26FA29E8A53C64A8D9D7E3DBC85 (not available)
37 %ProgramFiles%\Xvid\Xvid_Quant_Matrices.zip 2,967 bytes MD5: 0xF0176ACEBF968B6F6DF8743C26258D0F
SHA-1: 0x021881D09DDFB398D65A0ABE367274553D926329 (not available)
38 [file and pathname of the sample #1] 2,429,919 bytes MD5: 0x66BE71D6D63467F99CC4A67C943220FF
SHA-1: 0xDDA7293F16A86D6DA5C29D27010F962BD111D550 Virus.Win32.Induc.a [Kaspersky Lab]
Virus.Win32.Induc [Ikarus]
39 %System%\xvid.ax 77,824 bytes MD5: 0x214BF440424F4B02151D977223008E4B
SHA-1: 0x2725A2E42D349E8DE537D715D0AB986D9FF4FE7D (not available)
40 %System%\xvidcore.dll 815,104 bytes MD5: 0x2448E711931D8827B53F891CCC845C57
SHA-1: 0x3D1193C60F601F0DAD4D1F7F52108AC5044ED939 (not available)
41 %System%\xvidvfw.dll 180,224 bytes MD5: 0x37F6747C36BE24A9BFE63F6F041095C8
SHA-1: 0x551739F87233DE6F5A1518D9072B3237606E4516 (not available)

* Notes:
o %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
o %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

* The following directories were created:
o %CommonPrograms%\save2pc
o %CommonPrograms%\Xvid
o %ProgramFiles%\FDRLab
o %ProgramFiles%\FDRLab\save2pc
o %ProgramFiles%\Xvid

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
is-4FSB5.tmp %Temp%\is-UJV03.tmp\is-4FSB5.tmp 720,896 bytes
vidccleaner.exe %ProgramFiles%\Xvid\vidccleaner.exe 45,056 bytes
[filename of the sample #1 without extension].tmp %Temp%\is-ENBBC.tmp\[filename of the sample #1 without extension].tmp 741,376 bytes
xvid.exe %ProgramFiles%\FDRLab\save2pc\xvid.exe 77,824 bytes
_RegDLL.tmp %Temp%\is-U7TO9.tmp\_isetup\_RegDLL.tmp 12,288 bytes
minicalc.exe %ProgramFiles%\xvid\minicalc.exe 65,536 bytes
avic.exe %ProgramFiles%\xvid\avic.exe 12,288 bytes
is-NJT94.tmp %Temp%\is-AIBPR.tmp\is-NJT94.tmp 720,896 bytes
_RegDLL.tmp %Temp%\is-IP350.tmp\_isetup\_RegDLL.tmp 12,288 bytes
[filename of the sample #1] [file and pathname of the sample #1] 81,920 bytes
ogmcalc.exe %ProgramFiles%\xvid\ogmcalc.exe 40,960 bytes

* Notes:
o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\save2pc Light_is1
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvid_is1
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\icm
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\icm\vidc.XVID
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\icm
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\icm\vidc.XVID
o HKEY_CURRENT_USER\Software\GNU
o HKEY_CURRENT_USER\Software\GNU\Xvid

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}]
+ FriendlyName = “Xvid MPEG-4 Video Decoder”
+ CLSID = “{64697678-0000-0010-8000-00AA00389B71}”
+ FilterData = 02 00 00 00 00 00 80 00 02 00 00 00 00 00 00 00 30 70 69 33 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 D0 00 00 00 E0 00 00 00 31 74 79 33 00 00 00 00 D0 00 00 00 F0 00 00 00 32 74 79 33 00 00 00 00 D0 00 00 0
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32]
+ (Default) = “%System%\xvid.ax”
+ ThreadingModel = “Both”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}]
+ (Default) = “Xvid MPEG-4 Video DecoderAbout”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32]
+ (Default) = “%System%\xvid.ax”
+ ThreadingModel = “Both”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}]
+ (Default) = “Xvid MPEG-4 Video Decoder”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\save2pc Light_is1]
+ Inno Setup: Setup Version = “5.2.2”
+ Inno Setup: App Path = “%ProgramFiles%\FDRLab\save2pc”
+ InstallLocation = “%ProgramFiles%\FDRLab\save2pc\”
+ Inno Setup: Icon Group = “save2pc”
+ Inno Setup: User = “%UserName%”
+ Inno Setup: Selected Tasks = “desktopicon”
+ Inno Setup: Deselected Tasks = “”
+ DisplayName = “save2pc Light 3.55”
+ UninstallString = “”%ProgramFiles%\FDRLab\save2pc\unins000.exe””
+ QuietUninstallString = “”%ProgramFiles%\FDRLab\save2pc\unins000.exe” /SILENT”
+ Publisher = “FDRLab”
+ URLInfoAbout = “http://www.save2pc.com/”
+ HelpLink = “http://www.save2pc.com/”
+ URLUpdateInfo = “http://www.save2pc.com/”
+ NoModify = 0x00000001
+ NoRepair = 0x00000001
+ InstallDate = “20090819”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvid_is1]
+ Inno Setup: Setup Version = “5.1.6”
+ Inno Setup: App Path = “%ProgramFiles%\Xvid”
+ InstallLocation = “%ProgramFiles%\Xvid\”
+ Inno Setup: Icon Group = “Xvid”
+ Inno Setup: User = “%UserName%”
+ Inno Setup: Selected Tasks = “DecodeAll”
+ Inno Setup: Deselected Tasks = “”
+ DisplayName = “Xvid 1.2.1 final uninstall”
+ DisplayIcon = “%ProgramFiles%\Xvid\xvid.ico”
+ UninstallString = “”%ProgramFiles%\Xvid\unins000.exe””
+ QuietUninstallString = “”%ProgramFiles%\Xvid\unins000.exe” /SILENT”
+ DisplayVersion = “1.2”
+ Publisher = “Xvid team (Koepi)”
+ URLInfoAbout = “http://www.xvid.org/”
+ HelpLink = “http://forum.doom9.org/forumdisplay.php?f=52”
+ URLUpdateInfo = “http://www.koepi.info/”
+ NoModify = 0x00000001
+ NoRepair = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\drivers.desc]
+ xvidvfw.dll = “Xvid MPEG-4 Video Codec”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
+ vidc.XVID = “xvidvfw.dll”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\icm\vidc.XVID]
+ Description = “Xvid MPEG-4 Video Codec”
+ Driver = “xvidvfw.dll”
+ FriendlyName = “Xvid”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\icm\vidc.XVID]
+ Description = “Xvid MPEG-4 Video Codec”
+ Driver = “xvidvfw.dll”
+ FriendlyName = “Xvid”
o [HKEY_CURRENT_USER\Software\GNU\Xvid]
+ Supported_4CC = 0x00000007

Other details

* To mark the presence in the system, the following Mutex objects were created:
o AMResourceMutex2
o VideoRenderer

Sources: emka.web.id | www.threatexpert.com | www.kaspersky.com | www.sophos.com | www.viruslist.com

Categories: Virus