About the DorkBot.Bx Virus

The DorkBot.Bx virus is spreading widely in Indonesia. These are the signs of a PC infected with it:

1. CPU at 100%

Like its predecessor (BitCoinMiner), DorkBot.Bx makes the machine sluggish: CPU usage sits at 100%. The load comes from the bundled Bitcoin-mining component, which keeps the processor busy computing proof-of-work hashes (it does not "break" any cryptography) and stays active so it can keep sending data out.

2. Heavy bandwidth use

All that hashing hogs the CPU (100%), but watch the internet bandwidth as well: DorkBot.Bx's own traffic (mining work, command-and-control chatter and the downloads described below) noticeably increases bandwidth consumption.

3. Hides folders on USB or removable disks

Like the BitCoinMiner trojan, DorkBot.Bx hides the folders on a USB or removable disk and drops fake shortcuts (.lnk files) named after them. The original folders are still there, only marked hidden (and system), so a default Explorer view shows just the shortcuts. The shortcut trend evidently inspired DorkBot.Bx as well.

4. Connects to a Bitcoin server

DorkBot.Bx connects to a Bitcoin (mining) server to submit the hashing work done on the victim's machine under the malware author's account. The author profits because the combined processing power of every infected computer works through Bitcoin blocks for them, quickly and at no cost.

5. Connects to an IRC/remote server

DorkBot.Bx also connects to an IRC/remote server to send the Bitcoin-related information about the victim's computer that the malware author wants.

6. Downloads further malware

To extend its reach, DorkBot.Bx downloads additional malware files from the IRC/remote server, so it stays updated and harder for antivirus to recognize. This ever-changing set of payloads is part of why antivirus engines sometimes struggle to detect DorkBot.Bx.

7. Downloads Certificate Authority (CA) files

CA certificates are what online payment sites (banks, PayPal and thousands of other SSL-protected sites) chain their certificates to. By downloading CA files, the author apparently wants to make sure the infected computer has an up-to-date CA set so that its Bitcoin transactions go through over SSL without errors. The only related artefact in the reports below is that the catalog database under %WINDIR%\SYSTEM32\catroot2 was modified; that store is maintained by Windows Cryptographic Services for catalog-signed files, so it shows certificate-related activity rather than a CA download as such.

8. Transfers the data it has collected

The main purpose of DorkBot.Bx is to obtain information from the user of the infected computer and send it out.

9. Opens various ports

DorkBot.Bx also opens ports on the victim's computer so that the IRC/remote server can reach it easily and the operator can act freely.

10. Spreads through Facebook Chat

This is probably the vector users encounter most often. DorkBot.Bx sends a shortened URL, so the recipient is easily fooled. Opening the link downloads a file with a suggestively "sexy" file name and icon.

Other signs are registry changes and the creation of several files used to infect the computer. To run as soon as the user plugs in a USB or removable drive, DorkBot.Bx abuses the Windows shortcut icon-handler vulnerability (the .lnk flaw fixed by MS10-046, CVE-2010-2568), so the trojan's shortcut executes as soon as the drive is opened. On a patched system the shortcuts no longer run by themselves, but they still work as lures whenever a user double-clicks one.
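As an added example that is not part of the original article nor code from any vendor cited here, the following Python flags the decoy pattern just described: a folder carrying the hidden attribute with a .lnk of the same name beside it. The Entry model, the attribute constants and SAMPLE_LISTING are mine (the listing is constructed, not taken from a real stick); on Windows, list_drive_root() builds the same listing from an actual drive through os.stat()'s st_file_attributes, which only exists there, so the remaining functions can be fed either source.

```python
"""Flag the hidden-folder + same-name-shortcut decoys DorkBot leaves on USB sticks."""
import ntpath
import os
from dataclasses import dataclass

# Windows file attribute bits (Win32 API values).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


@dataclass
class Entry:
    """One directory entry: name, whether it is a folder, Win32 attribute bits."""
    name: str
    is_dir: bool
    attributes: int


def find_shortcut_decoys(entries):
    """Return sorted (folder, shortcut) pairs: every hidden folder that has a .lnk twin.

    A user-made shortcut beside a normal, visible folder is left alone; the
    worm's decoy only makes sense when the real folder has been hidden.
    """
    hidden_dirs = {
        e.name.lower(): e.name
        for e in entries
        if e.is_dir and e.attributes & FILE_ATTRIBUTE_HIDDEN
    }
    decoys = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()          # "Photos.lnk" -> "photos"
        if stem in hidden_dirs:
            decoys.append((hidden_dirs[stem], e.name))
    return sorted(decoys)


def remediation_commands(drive, decoys):
    """cmd.exe lines that unhide each real folder and delete its decoy (review first)."""
    cmds = []
    for folder, lnk in decoys:
        cmds.append(f'attrib -h -s "{ntpath.join(drive, folder)}"')
        cmds.append(f'del "{ntpath.join(drive, lnk)}"')
    return cmds


def list_drive_root(root):
    """Build Entry objects for the top level of a real drive.

    st_file_attributes is only present on Windows; elsewhere every entry gets
    attributes 0 and nothing is flagged.
    """
    entries = []
    with os.scandir(root) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                                 getattr(st, "st_file_attributes", 0)))
    return entries


# Constructed listing of an infected stick (not captured from a real device):
# two real folders made hidden+system with a .lnk decoy each, one clean folder
# that happens to have a user-made shortcut, and a hidden executable.
SAMPLE_LISTING = [
    Entry("Photos", True, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    Entry("Photos.lnk", False, 0),
    Entry("Work", True, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    Entry("work.LNK", False, 0),
    Entry("Music", True, 0),
    Entry("Music.lnk", False, 0),
    Entry("update.exe", False, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
]

if __name__ == "__main__":
    found = find_shortcut_decoys(SAMPLE_LISTING)
    for folder, lnk in found:
        print(f"decoy shortcut {lnk} covers hidden folder {folder}")
    print("\n".join(remediation_commands("E:\\", found)))
```

Run against a real stick (list_drive_root("E:\\") on Windows) it prints the pairs and the attrib/del lines to review; the visible Music folder with a user-made shortcut is deliberately not flagged, and the hidden executable itself is left for the antivirus, since the check only proves the decoy layout, not which file the shortcuts launch.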

Malware Analysis

Samples were submitted to two automated analysis services and to VirusTotal; the results follow. Note that two different files are involved: McAfee and VirusTotal report on the same 135,681-byte sample (MD5 62466ae813448aec7621b25e3102e2c2), while ThreatExpert analyzed a separate 1,903,189-byte self-extracting dropper (MD5 E87E6EE3BCB95A9851AE53D46DE583D6) that unpacks many components, so the file names and hashes in the two reports do not overlap.

1. According to McAfee Threat Intelligence

This is a Trojan

File properties:
  • McAfee detection: Downloader-CMU.d
  • Length: 135681 bytes
  • MD5: 62466ae813448aec7621b25e3102e2c2
  • SHA1: 02127b7c97893f9fc76c72a46e5690b259bff7d8

Other common detection aliases:
  • avast: Win32:Malware-gen
  • avira: TR/Dropper.Gen
  • Kaspersky: Backdoor.Win32.Ruskill.p
  • BitDefender: Gen:Heur.IPZ.3
  • Dr.Web: BackDoor.IRC.Bot.835
  • FortiNet: W32/Ruskill.P!tr.bdr
  • Microsoft: Worm:Win32/Dorkbot
  • Eset: Win32/Injector.FTN trojan (probably variant)
  • norman: W32/Suspicious_Gen2.KZIYM
  • rising: Trojan.Win32.Generic.128630D2
  • Trend Micro: BKDR_RUSKILL.AA
  • vba32: BScope.FakeAV.xd
  • V-Buster: Backdoor.Ruskill!rVOox3DhmwU (trojan)


Activities (risk level):
  • Attempts to load and execute remote code in explorer process (High)
  • Attempts to load and execute remote code in a system process (High)
  • Attempts to write to a memory location of a protected process (High)
  • Attempts to write to a memory location of a Windows system process (High)
  • Attempts to write to a memory location where winlogon resides (High)
  • Attempts to load and execute remote code in a previously loaded process (Medium)
  • Attempts to write to a memory location of a previously loaded process (Medium)
  • Enumerates many system files and directories (Low)
  • Enumerates process list (Low)
  • Process attempts to call itself recursively (Low)
  • Attempts to write to a memory location of an unknown process (Low)
  • No digital signature is present (Informational)

McAfee scans:
  • McAfee Beta: Downloader-CMU.d
  • McAfee Supported: Downloader-CMU.d

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

1dd.tmp

The following files have been added to the system:
  • %APPDATA%\Cdvmvo.exe
The following files have been changed:
  • %WINDIR%\SYSTEM32\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb
  • %WINDIR%\SYSTEM32\catroot2\edb.chk
  • %WINDIR%\SYSTEM32\catroot2\edb.log
  • %WINDIR%\SYSTEM32\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb
The following files were temporarily written to disk then later removed:
  • %WINDIR%\SYSTEM32\catroot2\tmp.edb
The following registry elements have been changed:
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CDVMVO = %APPDATA%\Cdvmvo.exe
The application attempted the following network connection(s):
  • 173.246.103.**:4949 (irc) : NICK n{US|XPa}qqonxsj
  • hxxp://api.wipmania.com/
The IRC nick embeds a country code (US) and the Windows version (XP); api.wipmania.com is a public IP-geolocation service, and that lookup is consistent with the bot determining the country code it puts in the nick. Port 4949 is not a standard IRC port, so the IRC NICK command itself is a better detection signal than the port number.

2. According to ThreatExpert

  • Submission details:
    • Submission received: 30 November 2011, 18:07:02
    • Processing time: 14 min 26 sec
    • Submitted sample:
      • File MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6
      • File SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D
      • Filesize: 1,903,189 bytes
      • Alias:
        • Trojan.Gen.2 [Symantec]
        • Worm.Win32.Ngrbot.hel [Kaspersky Lab]
        • Worm.Win32.Dorkbot [Ikarus]
  • Summary of the findings (severity levels were not captured in this copy of the report):
    • Produces outbound traffic.
    • Downloads/requests other files from Internet.
    • Creates a startup registry entry.
    • Contains characteristics of an identified security risk.

Technical Details:

  • A new window was created by the sample (the screenshot from the ThreatExpert report is not reproduced here).

Possible Security Risk
  • Attention! The following threat categories were identified:
    • A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
    • A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
    • A network-aware worm that attempts to replicate across the existing network(s)
File System Modifications
  • The following files were created in the system (file name(s), size, hashes, aliases):
    1. %AppData%\1.tmp, %AppData%\2.tmp, %AppData%\Fbxaxf.exe
       Size: 282,624 bytes; MD5: 0x4419BA71E46C2B6180D8C5FB5F14EFB0; SHA-1: 0x6187916D3C3511B9AE9874A3868B175659D46EC4
       Alias: (not available)
    2. %AppData%\3.exe
       Size: 327,680 bytes; MD5: 0xACB887FE28C2D1206B8835935506E6B8; SHA-1: 0x9E0E8218B3BCAC5931CE448EE8FEFF1333813F2E
       Alias: (not available)
    3. %AppData%\5.exe
       Size: 474,829 bytes; MD5: 0x2D04724F3EACF65CB140B8B3F36C5C97; SHA-1: 0xE195798A6F76010673B457B2D8CEADC29E3E22A5
       Alias: (not available)
    4. %AppData%\6.exe
       Size: 388,535 bytes; MD5: 0x7781C1145869CDF87CF61D671247E80E; SHA-1: 0xE2F76F546D3E4FF3E748FB6D4B1B3D2890C3B1DA
       Alias: (not available)
    5. %AppData%\7.exe
       Size: 398,081 bytes; MD5: 0x37FBCA12ADFF251A3B0BC75EF81CE752; SHA-1: 0x951C62AB205B7CD0C783273170D1DEF56EA25AFE
       Alias: Trojan.ADH [PCTools]; Trojan.Gen.2 [Symantec]; not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]; W32/IRCbot.gen.bc [McAfee]; Trojan:Win32/Sisproc [Microsoft]; Trojan.BAT.Miner [Ikarus]
    6. %AppData%\9.tmp, %AppData%\Wcxaxw.exe
       Size: 294,912 bytes; MD5: 0xDAFF13B10AD87D9F578555B641758FA1; SHA-1: 0x377E0C14DCF65A9B027748775BC7ACD3E06BAB67
       Alias: (not available)
    7. %AppData%\A.exe
       Size: 137,024 bytes; MD5: 0x7DBB979C1CBCFAEBC9792D47E05A841C; SHA-1: 0xC73BB9319146F6AD76FFE143685578E51B097587
       Alias: (not available)
    8. %AppData%\kakao3\fuckHDZSDP.exe, %Temp%\fuckHDZSDP.exe
       Size: 278,528 bytes; MD5: 0xAE9C07D9B2EA9C1F58E32D3C44B0F33E; SHA-1: 0xE1E72AE01919BC8F0BD236AA00EED4D029C7CCE7
       Alias: Trojan.Gen [PCTools]; Trojan.Gen [Symantec]; Trojan.Win32.FakeAv.irgx [Kaspersky Lab]; BackDoor-DOQ.gen.as [McAfee]; Mal/Generic-L [Sophos]; Trojan:Win32/Malagent [Microsoft]; Trojan.Win32.Buzus [Ikarus]
    9. %AppData%\kakao3\new.exe, %Temp%\new.exe
       Size: 57,344 bytes; MD5: 0xC31027010355FD8F52FE3640048ACD37; SHA-1: 0x5DD50D63D76B8E1CEFBC019CFD414C57FFFEAA72
       Alias: (not available)
    10. %AppData%\PickaVamMaterina2\HDZ.exe
       Size: 57,344 bytes; MD5: 0x7A8DF56F23106AD0D9D786BAE4ED75BC; SHA-1: 0xBD78A2F8FEAA92C5B18BBFFD0EB1399A0644F5BC
       Alias: (not available)
    11. %AppData%\PickaVamMaterina2\Ivo_Sanader.exe
       Size: 389,120 bytes; MD5: 0x0A4EB0CB242A27AEC20A281F4293FC5E; SHA-1: 0x4BA9C00EAC0317346A0AAC3AE8AFB7D4057863EA
       Alias: (not available)
    12. %AppData%\jqycpqe.exe, %Temp%\zxjidmw.exe
       Size: 344,576 bytes; MD5: 0x6D6BD4C8256D75B314BDD644C1240917; SHA-1: 0x1ACCD82D27F6511375F5635BDAAC8B3BAFF0E624
       Alias: Trojan.FakeAV [PCTools]; Trojan.FakeAV!gen64 [Symantec]; Trojan.Win32.FakeAV.dvjc [Kaspersky Lab]; FakeAlert-SecurityTool.bt [McAfee]; Mal/FakeAV-KL [Sophos]; Trojan.Win32.FakeAV [Ikarus]
    13. %Temp%\about.exe
       Size: 57,344 bytes; MD5: 0xC52F6C51034FD72CB65483DAB4E51438; SHA-1: 0xB0039E980891438B76419E0CEF9040FA1C413E93
       Alias: (not available)
    14. %Temp%\del.exe
       Size: 159,232 bytes; MD5: 0x99D3FD2985012D43C3D532CF1F70B342; SHA-1: 0xD0018933F627CD668DFEBC1B3AAD8D4C25D2D82B
       Alias: Malware.W95-CIH [PCTools]; W95.CIH.damaged [Symantec]; Generic.dx!xon [McAfee]; Mal/Generic-L [Sophos]; Trojan:Win32/Dynamer!dtc [Microsoft]; Virus.Win9x.CIH [Ikarus]
    15. %Temp%\hid.exe
       Size: 44,040 bytes; MD5: 0xC1C769D742F88E441DED76BF57A5A45C; SHA-1: 0x06872DABD41E70DC4EF8FD5131B334BE8A17DB3C
       Alias: Net-Worm.SillyFDC [PCTools]; not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]
    16. %Temp%\HRSearchC.exe
       Size: 287,744 bytes; MD5: 0x5E03A535C8BEF1AB056074D68CE7A5E0; SHA-1: 0x689974AE94DF135E21F5711C06B5DC72DA3F9128
       Alias: Trojan.Gen [PCTools]; Trojan.Gen.2 [Symantec]; Generic.dx!banc [McAfee]; Trojan.ATRAPS [Ikarus]; packed with PE_Patch.PECompact [Kaspersky Lab]
    17. %Temp%\Jttetn.exe
       Size: 139,264 bytes; MD5: 0x585F2F27EF6D87CD4CC9A8501EAAA6FE; SHA-1: 0x0AB77FD8C68025F4E579C4C58C05874108F20F5A
       Alias: Trojan.Gen [PCTools]; Trojan.Gen [Symantec]; Backdoor.Win32.Ruskill.g [Kaspersky Lab]; Downloader-CMU.d [McAfee]; Mal/Generic-L [Sophos]; Worm:Win32/Dorkbot.A [Microsoft]; Worm.Win32.Dorkbot [Ikarus]
    18. %Temp%\Mstetq.exe
       Size: 143,360 bytes; MD5: 0x167F4EF7C1225451EF69DB10D3B16611; SHA-1: 0xE5D356E142ED28AB5A0748CD04BB792C9514192A
       Alias: Worm.Win32.Ngrbot.hdy [Kaspersky Lab]; BackDoor-DOQ.gen.as [McAfee]; Mal/EncPk-AAQ [Sophos]; Worm:Win32/Dorkbot.A [Microsoft]; Worm.Win32.Dorkbot [Ikarus]
    19. %Temp%\newmoon17.exe
       Size: 367,889 bytes; MD5: 0x1CE65C3C14F7F09C08C50FBB6A8C1CC4; SHA-1: 0x46E4FD565736FF96A94F5B762C1F875C32585A1B
       Alias: Trojan.Win32.FakeAv.irgx [Kaspersky Lab]; Generic FakeAlert!tz [McAfee]; Mal/Generic-L [Sophos]; Trojan.Win32.Buzus [Ikarus]
    20. %Temp%\x30811.exe
       Size: 1,012,224 bytes; MD5: 0x4BC19BC59EC9C4A987079A618CF18C68; SHA-1: 0xC4EC15672E96CEC3411CCE377BFFEAB55BA8C88D
       Alias: Trojan.Gen [PCTools]; Trojan.Gen.2 [Symantec]; Generic.tfr!r [McAfee]; Trojan:Win32/Orsam!rts [Microsoft]; Win32.SuspectCrc [Ikarus]
    21. %Temp%\yz.bat
       Size: 180 bytes; MD5: 0xD6C231471750C153641E292D746814B5; SHA-1: 0x16EC0A913564D18A6D03711415B272FDECC3E867
       Alias: Trojan.BAT.Miner.i [Kaspersky Lab]; Trojan.BAT.Miner [Ikarus]
    22. %Programs%\Startup\Demokratska2.exe
       Size: 418,008 bytes; MD5: 0xCF4C9FA0F9B2AB5CA96C7C2AF8B26C75; SHA-1: 0x6B9F44527B91AD9DAC7AD1D396787496DBE37BEE
       Alias: (not available)
    23. %Programs%\Startup\dxdiag.exe
       Size: 23,552 bytes; MD5: 0x9EA5BEFAB3FAB1D19D70F8D917463D13; SHA-1: 0xBCABE617AF58EFB8B0E759111044BDBB8F3F6152
       Alias: Trojan.Gen [PCTools]; Trojan.Gen [Symantec]; Trojan.Win32.Jorik.Aspxor.y [Kaspersky Lab]; Generic Downloader.z [McAfee]; Troj/Bredo-IK [Sophos]; Trojan.Agent_r [Ikarus]
    24. %Programs%\Startup\stepx2.exe
       Size: 348,530 bytes; MD5: 0x0764BEF5D967DCE3784E18D204BB90E6; SHA-1: 0x896A45B21C554B723503BC5865677733C025FC23
       Alias: Trojan.ADH [PCTools]; Trojan.Gen.2 [Symantec]; Trojan.BAT.Miner.i, not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]; Generic.tfr!r [McAfee]; Trojan.BAT.Miner [Ikarus]
    25. %Programs%\Startup\taskmgr.exe
       Size: 826,184 bytes; MD5: 0x47CFDF331A80B2028A1B8ACA61BD191B; SHA-1: 0xD10BD40A735C6EFBFA4FBFA6C842B4DB5DBA9445
       Alias: (not available)
    26. [file and pathname of the sample #1]
       Size: 1,903,189 bytes; MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6; SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D
       Alias: Trojan.Gen.2 [Symantec]; Backdoor.Win32.Ruskill.g, Worm.Win32.Ngrbot.hdy, Trojan.Win32.Jorik.Aspxor.y, Trojan.Win32.FakeAv.irgx, Trojan.Win32.FakeAV.dvjc, Worm.Win32.Ngrbot.hel [Kaspersky Lab]; Worm.Win32.Dorkbot [Ikarus]
  • Taken together, the aliases show what the SFX dropper bundles: the Dorkbot/Ngrbot worm itself (Jttetn.exe, Mstetq.exe), a batch-driven Bitcoin miner (yz.bat, stepx2.exe, 7.exe, flagged Trojan.BAT.Miner) run out of sight through a HideExec tool (hid.exe), fake-antivirus components (jqycpqe.exe, newmoon17.exe, fuckHDZSDP.exe), a downloader dropped into the Startup folder (dxdiag.exe), and a del.exe that engines recognize as a damaged copy of the old CIH virus. Note that persistence is obtained both through the Run key (below) and through four executables in %Programs%\Startup.
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Programs% is a variable that refers to the file system directory that contains the user’s program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
  • The following directories were created:
    • %AppData%\kakao3
    • %AppData%\PickaVamMaterina2
Memory Modifications
  • A new process was created in the system: del.exe (%Temp%\del.exe), main module size 184,320 bytes.
Registry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch
    • HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah
    • HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh
    • HKEY_CURRENT_USER\Software\WinRAR SFX
    • The newly created Registry Values are:
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • Scxaxs = "%AppData%\Scxaxs.exe"
        • Lcxaxl = "%AppData%\Lcxaxl.exe"
        • Wcxaxw = "%AppData%\Wcxaxw.exe"
        • Fbxaxf = "%AppData%\Fbxaxf.exe"
        so that each of these executables runs every time Windows starts
      • [HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah]
        • wfdijwaopfddvmieihccsyrbpsbqhy = ""
      • [HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh]
        • dncirhudbpmysvlqkzovzmfcsemsko = ""
      • [HKEY_CURRENT_USER\Software\WinRAR SFX]
        • C%%Documents and Settings%%UserName%%Application Data%kakao3 = "%AppData%\kakao3"
        • C%%Documents and Settings%%UserName%%Start Menu%Programs%Startup = "%Programs%\Startup"
        • C%%Documents and Settings%%UserName%%Application Data%PickaVamMaterina2 = "%AppData%\PickaVamMaterina2"
        • C%%DOCUME~1%%UserName%%LOCALS~1%Temp = "%UserProfile%\LOCALS~1\Temp"
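Both reports show the same persistence shape: a value under HKCU\...\Run whose name is the executable's base name, a six-letter pseudo-random word (Cdvmvo, Scxaxs, Lcxaxl, Wcxaxw, Fbxaxf), with the executable sitting directly in %AppData% rather than in a subfolder. The Python below is an added triage check, not from the article or either vendor report: it scores Run entries against that shape and, where the file exists on the host being examined, against the MD5s the reports give for the persisted executables. read_hkcu_run() uses winreg and therefore only works on Windows; SAMPLE_RUN_ENTRIES is constructed from the report data plus two benign entries I made up.

```python
"""Score HKCU Run entries against the DorkBot persistence shape seen in the reports."""
import hashlib
import ntpath
import os
import re
import sys

# MD5s given in the reports for the persisted executables and the analysed sample.
KNOWN_BAD_MD5 = {
    "4419ba71e46c2b6180d8c5fb5f14efb0",  # %AppData%\Fbxaxf.exe (ThreatExpert)
    "daff13b10ad87d9f578555b641758fa1",  # %AppData%\Wcxaxw.exe (ThreatExpert)
    "62466ae813448aec7621b25e3102e2c2",  # sample analysed by McAfee and VirusTotal
}
# Capitalised six-letter word, no digits: matches Cdvmvo, Scxaxs, Lcxaxl, Wcxaxw, Fbxaxf.
PSEUDO_RANDOM_NAME = re.compile(r"^[A-Z][a-z]{5}$")


def triage_run_entry(name, data, appdata):
    """Return the reasons a Run value looks like DorkBot persistence (empty list = clean)."""
    # Expand %AppData% ourselves so the check also runs off-box on exported values.
    target = re.sub(r"%appdata%", lambda _m: appdata, data, flags=re.I).strip('"')
    folder, exe = ntpath.split(target)
    base, _ext = ntpath.splitext(exe)
    reasons = []
    if ntpath.normcase(folder) == ntpath.normcase(appdata):
        reasons.append("executable sits directly in %AppData%")
    if base.lower() == name.lower():
        reasons.append("value name equals executable name")
    if PSEUDO_RANDOM_NAME.match(base):
        reasons.append("six-letter pseudo-random name")
    if os.path.isfile(target):  # only possible on the examined host itself
        with open(target, "rb") as fh:
            if hashlib.md5(fh.read()).hexdigest() in KNOWN_BAD_MD5:
                reasons.append("MD5 matches a hash from the reports")
    return reasons


def triage_run_entries(entries, appdata, min_reasons=2):
    """Map value name -> reasons for every entry with at least min_reasons hits."""
    flagged = {}
    for name, data in entries:
        reasons = triage_run_entry(name, data, appdata)
        if len(reasons) >= min_reasons:
            flagged[name] = reasons
    return flagged


def read_hkcu_run():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed test data: the three Run values from the reports plus two benign
# entries I made up (an XP system component and a vendor updater in a subfolder).
SAMPLE_APPDATA = r"C:\Documents and Settings\UserName\Application Data"
SAMPLE_RUN_ENTRIES = [
    ("CDVMVO", r"%APPDATA%\Cdvmvo.exe"),
    ("Fbxaxf", r"%AppData%\Fbxaxf.exe"),
    ("Wcxaxw", r"%AppData%\Wcxaxw.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r"%AppData%\Vendor\updater.exe"),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        entries, appdata = read_hkcu_run(), os.environ["APPDATA"]
    else:
        entries, appdata = SAMPLE_RUN_ENTRIES, SAMPLE_APPDATA
    for name, reasons in triage_run_entries(entries, appdata).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The threshold of two reasons is deliberate: a legitimate updater living in a subfolder of %AppData%, or a value that merely shares its executable's name, scores one and is not reported, while the three names from the reports score three each without the file even being present. The Startup-folder executables ThreatExpert lists (%Programs%\Startup) are a second persistence path this check does not cover.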
Other details
  • There were registered attempts to establish connection with the remote hosts:
    • 199.15.234.7, port 80
    • 70.38.98.239, port 80
    • 92.243.20.57, port 3212
  • The data identified by the following URLs was then requested from the remote web server:
    • http://api.wipmania.com/
    • http://img105.herosh.com/2011/11/30/745759013.gif
Outbound traffic (potentially malicious)
  • There was outbound traffic produced on port 3212. The bytes are SSL 3.0 record-layer traffic: each record starts with a content type (0x17 application data, 0x15 alert, 0x16 handshake, 0x14 change cipher spec), the version 03 00 and a two-byte length. The first part of the dump is encrypted application data; from offset 0x10B it contains a complete client-side handshake: a ClientHello (version 3.0, 11 cipher suites, null compression), a warning alert no_certificate (the SSL 3.0 reply to a server's CertificateRequest), a 128-byte RSA ClientKeyExchange (so the server presented a 1024-bit key), ChangeCipherSpec and the encrypted Finished. Two short stretches (at offsets 0xAE and 0xE3) do not parse as records, which is consistent with the sandbox concatenating several separate sends.

00000000 | 1703 0000 1DAB E65A 5272 636E 2145 D536 | …….ZRrcn!E.6
00000010 | DE93 29D5 30B1 C61D 332C 9A67 949A BC7A | ..).0…3,.g…z
00000020 | 9E5B 1703 0000 274F ADFB BF5C 4E3A FB4E | .[….’O…\N:.N
00000030 | D8CC C0CA 0050 D50D 9575 5A23 C707 EC0B | …..P…uZ#….
00000040 | 7581 0719 F6AE 5AD5 F944 AE93 A1AA 1703 | u…..Z..D……
00000050 | 0000 2BD7 208A C1F7 256B F9F6 9CDE A553 | ..+. …%k…..S
00000060 | 9E96 B39D A07E 1DAD B1C6 97A4 3724 EC7E | …..~……7$.~
00000070 | 3C85 F623 B80B 6153 9522 16E0 3A10 1703 | <..#..aS."..:...
00000080 | 0000 2B17 0300 0021 DA71 8326 C5E8 AA2A | ..+....!.q.&...*
00000090 | 9569 1FB6 841A 28FF 3CFD E0B3 CAED 2701 | .i....(.<.....'.
000000A0 | 1E3B 92FF EAA9 C7EA F58C F1E4 D1DA 5265 | .;............Re
000000B0 | 3174 9F17 0300 002B B706 D784 55DF CA99 | 1t.....+....U...
000000C0 | F14D 26E9 7B04 A824 A720 6035 1958 3851 | .M&.{..$. `5.X8Q
000000D0 | 62B7 EF3D D371 4100 05A9 261E 9405 6B9A | b..=.qA...&...k.
000000E0 | 391E C3A9 1497 5C92 EE8B FF97 4DC9 F64B | 9.....\.....M..K
000000F0 | 0686 843D 1503 0000 12C0 9AF5 9FE9 9F49 | ...=...........I
00000100 | D9E3 B6AD 3696 8DE8 80F7 AA16 0300 0041 | ....6..........A
00000110 | 0100 003D 0300 4ED6 E189 B267 390E FDB0 | ...=..N....g9...
00000120 | F1DE 8842 4A95 84E3 FB81 300E 64F0 39B7 | ...BJ.....0.d.9.
00000130 | A36E 5D63 987C 0000 1600 0400 0500 0A00 | .n]c.|..........
00000140 | 0900 6400 6200 0300 0600 1300 1200 6301 | ..d.b.........c.
00000150 | 0015 0300 0002 0129 1603 0000 8410 0000 | .......)........
00000160 | 807F CF33 A19D 39EE 435D ED5D 92EF 7B8E | ...3..9.C].]..{.
00000170 | 5BCF AB87 2357 E0F2 1505 1282 6EE9 A547 | [...#W......n..G
00000180 | 4E1F 9858 939A 5769 3956 3625 8F42 893B | N..X..Wi9V6%.B.;
00000190 | 1E8B 4CF4 FD81 33EA B29E F34C 60CE 341B | ..L...3....L`.4.
000001A0 | 1C77 896E 6C8B E959 F873 F09A 1E96 DB05 | .w.nl..Y.s......
000001B0 | 9A35 3ABB 0986 976E 5283 1942 1B35 58DC | .5:....nR..B.5X.
000001C0 | 1452 FBA5 76CA FEED 54E9 CD6D 3C4D FA84 | .R..v...T..m<M..
000001D0 | B3F1 6AE7 0CE6 9CA6 DA64 511A C0AE E2EF | ..j......dQ.....
000001E0 | EB14 0300 0001 0116 0300 0038 D6F1 B74A | ...........8...J
000001F0 | 6314 38F3 E899 A02A BF38 5088 2AF8 E066 | c.8....*.8P.*..f
00000200 | 2877 20CA DB84 5C66 E13C 6708 20C9 BD26 | (w ...\f.<g. ..&
00000210 | F737 82A8 5F21 37D8 A7B8 3AF5 7F65 2F82 | .7.._!7...:..e/.
00000220 | D0D9 7802 | ..x.

3. VirusTotal

The following are the results for the sample (the same file McAfee analyzed, see the hashes at the end) scanned by VirusTotal's 43 engines on 2011-05-11; 30 of the 43 flagged it, and "-" means no detection.

Antivirus Version Last Update Result
AhnLab-V3 2011.05.11.01 2011.05.11 Win-Trojan/Injector.135681.C
AntiVir 7.11.7.216 2011.05.11 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2011.05.11 Backdoor/Win32.Ruskill.gen
Avast 4.8.1351.0 2011.05.11 Win32:Malware-gen
Avast5 5.0.677.0 2011.05.11 Win32:Malware-gen
AVG 10.0.0.1190 2011.05.10 Dropper.Generic3.BCMM
BitDefender 7.2 2011.05.11 Gen:Trojan.Heur.JP.iu1@aOHdEdmi
CAT-QuickHeal 11.00 2011.05.11 Backdoor.Ruskill.p
ClamAV 0.97.0.0 2011.05.11 -
Commtouch 5.3.2.6 2011.05.11 -
Comodo 8659 2011.05.11 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.05.11 BackDoor.IRC.Bot.835
Emsisoft 5.1.0.5 2011.05.11 Gen.Trojan.Heur!IK
eSafe 7.0.17.0 2011.05.09 -
eTrust-Vet 36.1.8320 2011.05.11 -
F-Prot 4.6.2.117 2011.05.11 -
F-Secure 9.0.16440.0 2011.05.11 Gen:Trojan.Heur.JP.iu1@aOHdEdmi
Fortinet 4.2.257.0 2011.05.11 W32/Ruskill.P!tr.bdr
GData 22 2011.05.11 Gen:Trojan.Heur.JP.iu1@aOHdEdmi
Ikarus T3.1.1.103.0 2011.05.11 Gen.Trojan.Heur
Jiangmin 13.0.900 2011.05.11 -
K7AntiVirus 9.103.4614 2011.05.10 Backdoor
Kaspersky 9.0.0.837 2011.05.11 Backdoor.Win32.Ruskill.p
McAfee 5.400.0.1158 2011.05.11 Generic PWS.bfr!c
McAfee-GW-Edition 2010.1D 2011.05.10 Heuristic.BehavesLike.Win32.Suspicious.D
Microsoft 1.6802 2011.05.11 Worm:Win32/Dorkbot
NOD32 6111 2011.05.11 probably a variant of Win32/Injector.FTN
Norman 6.07.07 2011.05.10 W32/Suspicious_Gen2.KZIYM
nProtect 2011-05-10.01 2011.05.10 -
Panda 10.0.3.5 2011.05.10 Generic Malware
PCTools 7.0.3.5 2011.05.11 -
Prevx 3.0 2011.05.11 -
Rising 23.57.01.05 2011.05.10 Trojan.Win32.Generic.128630D2
Sophos 4.65.0 2011.05.11 Mal/Behav-103
SUPERAntiSpyware 4.40.0.1006 2011.05.11 -
Symantec 20101.3.2.89 2011.05.11 -
TheHacker 6.7.0.1.195 2011.05.11 -
TrendMicro 9.200.0.1012 2011.05.11 BKDR_RUSKILL.AA
TrendMicro-HouseCall 9.200.0.1012 2011.05.11 BKDR_RUSKILL.AA
VBA32 3.12.16.0 2011.05.11 BScope.FakeAV.xd
VIPRE 9250 2011.05.11 Trojan.Win32.Generic!BT
ViRobot 2011.5.11.4452 2011.05.11 -
VirusBuster 13.6.347.2 2011.05.10 Backdoor.Ruskill!rVOox3DhmwU
Additional information
MD5   : 62466ae813448aec7621b25e3102e2c2
SHA1  : 02127b7c97893f9fc76c72a46e5690b259bff7d8
SHA256: 0e3c6dc183696540c724a848b3f142338d046099c9efc460e9ab4ad67df51299

Sources: detikINET, ThreatExpert, McAfee Threat Intelligence, and VirusTotal
