AryaN: Trojan with Flooding Attack
November 8, 2011
AryaN. In IT terms, flooding means overloading a server by continuously sending large packets at it (DDoS / Denial of Service attacks). AryaN does not only spread via flash disks using its new type of shortcut; it also downloads an NgrBot variant and carries out a flooding attack. Naturally, the trojan tries to keep this activity from being noticed by the user of the infected computer, so it hides behind another process while launching its attack.
A. File Info
Worm name: AryaN
Origin: ~
File size: 95.5 KB (97,792 bytes)
Packer: ~
Programming language: C++
Icon: Exe / Application
Type: Trojan, Worm
B. About the Malware
The image above is a general simulation of the incident; AryaN also spreads via Yahoo Messenger. We first received a report from the Indonesian virus forum about malware spreading through Facebook. When we checked it, at a glance it looked like an NgrBot variant, all the more so because, once run, it did download a new NgrBot variant. Then another report came in about the same malware with the same pattern. On re-examination it turned out not to be an NgrBot variant or companion, but a worm dedicated to a specific set of tasks:
1. Download a companion and run it alongside its host
2. Download an NgrBot variant
3. Run a DDoS against one particular website using the SYN flooding method.
The name "AryaN" is taken from one of the lines found in the threads it creates:
Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
The body of AryaN contains no string that reveals what it will do. The strings found in its threads are a different matter. Below is the dump we obtained.
C. Companions / Files Created
1. Autorun.inf
Autorun.inf seems to be mandatory equipment for malware that spreads its companion via flash disk. It can be said that AryaN differs from earlier malware in its autorun source code. Here is an example.
Usually, the commands that call the malware host in a folder on the flash disk, such as Open, Shell Open / Shell Explore, do not specify the drive location, because if the removable disk's drive letter on a clean computer differs from the one in the autorun command, the malware most likely cannot be executed.
2. Shortcuts and the Backup Folder
The image above shows the files on the flash disk changed into shortcuts. In fact, the original files are moved into the folder {[user name]-random name}. Besides that, the shortcut target is also somewhat different:
C:\WINDOWS\system32\cmd.exe /k "F:\svhost.exe" Open F:\{Administrator-egregregerfwde}\rku37300509.exe
For a fuller explanation of those parameters, open a command prompt (cmd.exe) and type the command "cmd.exe /?".
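A triage helper for a flash disk showing the footprint described above (launcher in the drive root, originals moved into a "{user-random}" folder, shortcuts whose target runs cmd.exe /k "launcher" Open original). This is an added example, not code from the original post; it does not parse the binary .lnk format (pass it the target command line read from the shortcut), and the demo drive layout and autorun.inf content are constructed.

```python
"""Triage helper for a removable drive hit by AryaN-style LNK replacement.

Added example, not code from the original post. It works from the on-disk
layout the post describes: a launcher (svhost.exe or Removable_Drive.exe) in
the drive root, originals moved into a "{<user>-<random>}" folder, an
autorun.inf, and .lnk files whose target is
    cmd.exe /k "<launcher>" Open <moved file>
It does not parse the binary .lnk format: pass it the target command line you
read out of the shortcut. The demo drive and autorun.inf content are constructed.
"""
import ntpath
import os
import re
import tempfile

# Shortcut target quoted in the post.
SAMPLE_TARGET = (r'C:\WINDOWS\system32\cmd.exe /k "F:\svhost.exe" Open '
                 r'F:\{Administrator-egregregerfwde}\rku37300509.exe')

# File names taken from the strings dump; the backup folder follows "{%s-%s}".
LAUNCHER_NAMES = {'svhost.exe', 'removable_drive.exe'}
BACKUP_DIR_RE = re.compile(r'^\{([^{}\\-]+)-([^{}\\]+)\}$')
TARGET_RE = re.compile(
    r'^(?P<shell>\S*cmd\.exe)\s+/k\s+"(?P<launcher>[^"]+)"\s+open\s+(?P<original>\S.*?)\s*$',
    re.IGNORECASE)


def parse_lnk_target(cmdline):
    """Break an AryaN-style shortcut target into its parts; None if it does not match."""
    m = TARGET_RE.match(cmdline)
    if not m:
        return None
    launcher, original = m.group('launcher'), m.group('original')
    backup_dir = ntpath.basename(ntpath.dirname(original))   # ntpath: Windows separators
    dir_match = BACKUP_DIR_RE.match(backup_dir)
    return {
        'launcher': launcher,
        'original': original,
        'backup_dir': backup_dir,
        'user': dir_match.group(1) if dir_match else None,
        # Both the launcher name and the "{user-random}" folder must fit the pattern.
        'suspicious': ntpath.basename(launcher).lower() in LAUNCHER_NAMES and dir_match is not None,
    }


def autorun_targets(path):
    """Return what an autorun.inf would run (open=, shellexecute=, shell\\...\\command=)."""
    targets = []
    with open(path, encoding='latin-1') as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in ';[' or '=' not in line:
                continue
            key, _, value = line.partition('=')
            key = key.strip().lower()
            if key in ('open', 'shellexecute') or key.endswith('\\command'):
                targets.append(value.strip())
    return targets


def scan_drive(root):
    """Collect the footprint in a drive root: launchers, backup dirs, .lnk files, autorun."""
    found = {'launchers': [], 'backup_dirs': [], 'lnk_files': [], 'autorun': []}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        low = name.lower()
        if low == 'autorun.inf' and os.path.isfile(path):
            found['autorun'] = autorun_targets(path)
        elif low in LAUNCHER_NAMES and os.path.isfile(path):
            found['launchers'].append(name)
        elif os.path.isdir(path) and BACKUP_DIR_RE.match(name):
            found['backup_dirs'].append(name)
        elif low.endswith('.lnk'):
            found['lnk_files'].append(name)
    return found


def is_infected(found):
    """Launcher + backup folder + shortcuts together is the signature; autorun alone is not."""
    return bool(found['launchers'] and found['backup_dirs'] and found['lnk_files'])


def build_demo_drive():
    """Constructed drive layout mirroring the post, in a temp dir (not a real sample)."""
    root = tempfile.mkdtemp(prefix='aryan_demo_')
    backup = os.path.join(root, '{Administrator-egregregerfwde}')
    os.mkdir(backup)
    for name in ('photos.jpg', 'thesis.doc'):               # moved originals (constructed)
        open(os.path.join(backup, name), 'wb').close()
    for name in ('photos.lnk', 'thesis.lnk', 'svhost.exe'):  # shortcuts + launcher
        open(os.path.join(root, name), 'wb').close()
    with open(os.path.join(root, 'autorun.inf'), 'w') as fh:  # constructed content
        fh.write('[autorun]\r\nopen=F:\\svhost.exe\r\nshell\\open\\command=F:\\svhost.exe\r\n')
    return root


if __name__ == '__main__':
    print(parse_lnk_target(SAMPLE_TARGET))
    demo = build_demo_drive()
    result = scan_drive(demo)
    print(result, 'INFECTED' if is_infected(result) else 'clean')
```

Because the shortcut target embeds a fixed drive letter (F:), the same check also explains why the infection only fires when the stick mounts under that letter.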
D. Infection Results
This malware is one of the more unusual ones. Its payload goes beyond what one would expect: it backs up the files on the flash disk and replaces them with shortcuts carrying the same icon as the original file, and it connects to several IPs such as:
– 199.15.234.7
– 91.217.153.113
– 92.234.27.178
It adds a value to the Run key so that it runs during startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
"egregregerfwde"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"svhost.exe"="C:\Documents and Settings\Administrator\Application Data\svhost.exe"
To mark that it is already active in memory, AryaN creates a mutex named "HGFSMUTEX000000000000f53a".