Note From Lampung (Virus Film_Lampung.EXE)

Hi all,

After visiting Lampung for two days, I finally managed to cope with the mind games of our computer virus infection; reverse engineering the virus itself took me a whole day to discover how it works and what effect it might have on the system.

Even though my risk assessment of this virus is low, it took a lot of effort to break the mind games. I would say this is NOT the easiest one, as apparently my Symantec Endpoint is picking up some Hacktool on my machine. Is it coming from film_lampung??? Or have I been hacked??

Meanwhile, enjoy my work below…

Expected Removal Duration: 30 minutes

Risk Assessment

– Home Users: Low
– Corporate Users: Low

Date Discovered: 27/8/2008
Date Added: 29/8/2008
Origin: obviously from Lampung
Type: Trojan
SubType: –

Virus Characteristics
File Property: Value
File Name: MB’.exe
McAfee Detection: N/A
Trend Micro: N/A
PCMAV: N/A
Length: 104KB

Activity: Risk Level
Hides itself by using commonly used filenames: Critical
Creates registry keys and data values persistent across OS reboot: Critical
Hides original Office files and replaces them with folder-lookalike .exe files: Low
Writes and hides executables in the Windows folder: Low
Tampers with the original Windows registry: Low
Program often suspends itself: Informational
Registers DLLs: Informational

Other detections that have been observed.

Creates these files on every drive:
PCMAV.exe
New Folder.exe
Film_lampung.exe
SuppMB.BAT
RegMB.reg

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:
%WINDIR%\PCMAV.exe
%WINDIR%\New Folder.exe
%WINDIR%\Film_lampung.exe

Creates registry keys and data values persistent across OS reboot, and the following startup entries and helper files:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msoffice.exe
C:\Documents and Settings\windows XP\Start Menu\Programs\Startup\Msoffice.exe
%WINDIR%\SuppMB.BAT
%WINDIR%\RegMB.reg

Indications of Infection

Hides your Office files and replaces them with folder-lookalike files carrying a .exe extension (“file_name”.exe).
It hides the “Mem Usage” column in Windows Task Manager and in some cases disables most of Task Manager. It also consumes a lot of memory, so your computer becomes slow (as any Trojan would).

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal Instructions

1. Go to Start > Run > msconfig, then untick the MB’ process.

2. Install repair.inf; you should be able to see the hidden files and folders now (download the file by clicking the hyperlink, then right-click it and choose Install).

3. Go to “Folder Options” > “View” tab > tick “Show hidden files and folders”.

4. Delete MB’.exe at C:\windows\system32\MB’.exe.

5. To prevent the virus from becoming active again after reboot, kill the startup process; in my case I have 2 startup processes:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msoffice.exe
and
C:\Documents and Settings\windows XP\Start Menu\Programs\Startup\Msoffice.exe

Or

for this step you can use “killvb” from Yohanes Nugroho (yohanes@gmail.com); thanks, Mr. Yohanes.

6. Delete these files: PCMAV.exe, New Folder.exe, Film_lampung.exe (these files are 172 KB in size); they are commonly located on each drive of your machine.
7. Also delete SuppMB.BAT and RegMB.reg.

8. This virus will replace your file with “your filename”.exe (in the form of a folder), and they all have the same file size of 104KB; however, the virus has only hidden your original file, which you will be able to see again after the removal.
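The indicators from the “Indications of Infection” section and steps 6 to 8 above can be checked mechanically before anything is deleted. The script below is an added example, not the author's tool and not “killvb”: it walks a directory tree, flags the dropped file names and startup entries listed in this write-up, and applies a heuristic of my own for the replaced-file symptom (a .exe whose name matches a sibling file or folder in the same directory, with the 104 KB size from the write-up treated as a strong match). It reports only and deletes nothing. The sample tree is constructed in a temporary directory so it runs offline on any OS; on a real Windows host you would call scan_tree() on each drive root and on the two Startup folders named above.

```python
"""Indicator scan for the Film_Lampung / MB' trojan described in this write-up.

Added example: not the author's tool and not "killvb". It only reports
findings and deletes nothing. The sample tree is constructed in a temporary
directory so the script runs offline on any OS.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Names the write-up lists as dropped on every drive, in %WINDIR%, System32
# and the Startup folders (compared case-insensitively).
DROPPED_NAMES = {
    "pcmav.exe", "new folder.exe", "film_lampung.exe",
    "suppmb.bat", "regmb.reg", "mb'.exe", "msoffice.exe",
}
# Size the write-up gives for the folder-lookalike copies.
LOOKALIKE_SIZE = 104 * 1024


def scan_tree(root: Path) -> list[tuple[str, Path]]:
    """Walk root and return (reason, path) for every indicator hit.

    Two rules are applied per directory:
      1. a file whose name is one of DROPPED_NAMES;
      2. a .exe whose stem matches another entry in the same directory
         (e.g. thesis.exe beside thesis.doc, or Photos.exe beside the
         Photos folder). This heuristic is my assumption for the
         "file replaced by an .exe" symptom; a 104 KB size makes it a
         strong match, otherwise it is reported for manual review.
    """
    hits: list[tuple[str, Path]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        others = [n for n in list(dirnames) + filenames
                  if not n.lower().endswith(".exe")]
        twin_keys = {n.lower() for n in others} | {Path(n).stem.lower() for n in others}
        for name in filenames:
            path = here / name
            low = name.lower()
            if low in DROPPED_NAMES:
                hits.append(("known dropped file", path))
                continue
            if not low.endswith(".exe"):
                continue
            if Path(name).stem.lower() not in twin_keys:
                continue  # a plain .exe with no shadowed sibling is not a symptom
            try:
                size = path.stat().st_size
            except OSError:
                continue
            if size == LOOKALIKE_SIZE:
                hits.append(("104 KB lookalike shadowing original", path))
            else:
                hits.append(("exe shadowing same-named entry (review)", path))
    return hits


def build_sample(base: Path) -> Path:
    """Create a constructed tree mimicking one infected drive (placeholders, not malware)."""
    (base / "Film_lampung.exe").write_bytes(b"constructed placeholder")
    (base / "RegMB.reg").write_text("constructed placeholder, not the real .reg")
    docs = base / "My Documents"
    docs.mkdir()
    (docs / "thesis.doc").write_bytes(b"original document")
    (docs / "thesis.exe").write_bytes(b"\0" * LOOKALIKE_SIZE)  # 104 KB lookalike copy
    (docs / "notes.txt").write_bytes(b"untouched")
    (docs / "setup.exe").write_bytes(b"a legitimate installer")  # no twin, not flagged
    (docs / "Photos").mkdir()
    (docs / "Photos.exe").write_bytes(b"odd-sized copy")  # twin but not 104 KB
    return base


def demo() -> dict[str, int]:
    """Scan the constructed sample and return a count of hits per reason."""
    counts: dict[str, int] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for reason, path in scan_tree(build_sample(Path(tmp))):
            print(f"{reason}: {path}")
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    demo()
```

The two-rule split matters in practice: a plain .exe with no same-named sibling (setup.exe above) is never reported, so an installer directory does not drown the real hits, while a shadowing .exe of the wrong size is still surfaced for a human to look at rather than silently ignored.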


5 Responses

  1. Oh, I see..
    I just finished fixing my friend's computer that got hit by this virus. I haven't deleted the reg and bat files yet. Does that matter? This is a modification of the Apong virus, right?

  2. Actually, in my opinion, the reg and bat files are the dangerous ones, boss.. better to start over from the beginning and delete the reg and bat, otherwise the bat is what executes the virus and the reg is what changes the registry when we start up.. good luck trying, bro

  3. Please, bro .. can you put it in Indonesian? I don't understand plzzz my computer got hit by MB … if possible send it to my mail … kenet_doang@yahoo.com .. thx b4

  4. hahahaahhaha…………………….. peanut virus (small fry)………………… not as vicious as the myDoom..C virus

  5. very good
