just sharing my life experiences


Thursday, 30 June 2011

Trojan.Siggen1.42827


These days you do not need a university education or a string of degrees after your name to write a virus: there are plenty of "smart" books and online write-ups that teach virus-writing techniques. Their intent may be good, but when they are read by irresponsible people the story is different.
As we know, the Windows screen saver only appears when the computer is idle (standby). But have you ever had a screen saver (see figure 4) appear suddenly while you were using the computer, and found that for several seconds you could do nothing else until that screen saver (more accurately, "virus saver") finished? If so, be careful: behaviour this abnormal indicates a problem with the computer, and virus activity is one of the possibilities.
Symptoms of Trojan.Siggen1.42827
To the naked eye it is actually not hard to tell whether your computer has been infected by this virus. The following symptoms appear when a computer is infected with Trojan.Siggen1.42827:
  • Several files appear in the root of every hard disk with the following names:
    • %date% _ TrueLove.exe, where %date% is the computer's system date (example: 13 March 2011 _ TrueLove.exe)
    • TransparentScreenSaver...scr
    • Folder [kasihku]
    • Folder [–], which is hidden
    • Folder [Koleksi ScreenSaver]
Note: the files %date% _ TrueLove.exe and TransparentScreenSaver...scr have no icon.
  • A screen saver is shown automatically at a predetermined interval. While it is displayed the user cannot do anything on the computer until it finishes.
  • Compressed files (WinZip or WinRAR archives) cannot be opened by double-clicking; an error message is shown instead.
  • The icon and file type of files with the ZIP extension change.

Parent files of Trojan.Siggen1.42827
Like most local viruses circulating today, which are mostly written in Visual Basic, Trojan.Siggen1.42827 is a VB program, and its file has the following characteristics:
  • File size 76 KB
  • EXE and SCR extensions
  • No icon
  • Type "Application" or "Screen Saver"
When the virus file runs it creates several parent files (copies of itself and helper files) in a number of different locations, so that they are harder to find. The parent files are:
  1. All drives
    • 13 March 2011 _ TrueLove.exe (the date follows the computer's system date)
    • OBE.sacura
    • Autorun.inf
    • TransparentScreenSaver...scr
    • Folder [Kasihku]
      • $$Forever In Love.. TransparentScreenSaver.exe
      • GEO.Sayoki
      • Kenapa kamu mencintai se....txt
      • My Friendship...txt
    • Folder [-]
      • $v3-$CkP.exe
      • explorer.exe
      • TransparentScreenSaver...scr
      • %date% -=- 01 25 01.ex_ (regedit.exe under another name), for example 13 March 2011 -=- 01 25 01.ex_; the date is taken from the computer's system date
    • Folder [Koleksi screensaver]
      • $$Forever In Love.. TransparentScreenSaver.exe
      • $$Forever In Love.. TransparentScreenSaver.scr
  2. C:\Windows
    • AudioSystem.exe
    • msVBVM60.dll
  3. C:\Windows\security
    • autorun.inf
    • pesan.htm
    • Kenapa kamu mencintai se....txt
    • My Friendship.txt
    • fItRi.txt
    • $v3-$CkP.exe
    • My Friendship.scr
    • svchost.exe
  4. C:\Windows\system32
    • blank.htm
    • OBE.sacura
    • My Friendship.scr
    • Forever In Love.scr
    • Fitri-on.scr
    • explorer.exe
    • AudioSystem.exe
    • Kenapa kamu mencintai se....txt
    • My Friendship.txt
  5. C:\Documents and Settings\%user%
    • Kenapa kamu mencintai se....txt
    • My Friendship.txt
    • http_www.patah-hati.com
  6. C:\Program Files
    • $v3-$CkP.exe

Registry autostart
Of the many parent files created, some are launched automatically when the computer starts, so that the virus runs without any help from the user. The following registry entry is added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AudioSystem.exe = C:\WINDOWS\system32\AudioSystem.exe

The virus also runs itself at a predetermined interval as the screen saver, by setting the following values (the value name is SCRNSAVE.EXE; ScreenSaveTimeOut is the idle time in seconds before the screen saver starts):

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = C:\Windows\system32\Fitri-on.scr
ScreenSaveTimeOut = 100


Blocking Windows functions
To defend itself, the virus blocks security programs, including antivirus, by registering a "debugger" for each of them under Image File Execution Options (IFEO): when any of the programs listed below is started, Windows launches the registered debugger path instead, and here that path is a virus file. It also blocks installer packages with the MSI extension and prevents the user from displaying hidden (protected operating system) files.

The following registry locations are changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI = 1
LimitSystemRestoreCheckPointing = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue = 0
(the default is 1; with 0, clearing "Hide protected operating system files" in Folder Options no longer reveals those files)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 1
AntiVirusOverride = 1
FirewallDisableNotify = 1
FirewallOverride = 1
FirstRunDisable = 1
UpdatesDisableNotify = 1
(these silence the Security Center warnings about antivirus, firewall and updates)

  • Debugger redirection (IFEO)
    • Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0000.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ahnlab.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avas.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVG.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ccapp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverDetective.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverScanner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fixinstall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\folderlockbox_setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Free Fire Screensaver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hunter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install_flash_player.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISUNIST.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kaspersky.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keygen.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\limeware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LNKSTUB.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mobsync.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOOBE.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msra.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAPSTAT.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETSETUP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32krn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32kui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Norman.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Norton.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Panda.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMV-RTP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppclean.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procexp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regdir.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restore my files.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rminstall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityConfig.exe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Smadav 2009 Rev. 3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmaRTP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sophos.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st5unst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supercleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Task.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskkill.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfnotice.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tiny.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trend.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrendAntiVirus.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojan Hunter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojan.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TweakUi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Unins.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Unins000.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uninst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uninstall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unlocer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unlocker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNWISE.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Upd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Update.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V2iBrowser.exe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VProConsole_.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinHIIP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\youtubesetup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ypsr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ypsrru.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneLabs.exe

    • Value:
Debugger = C:\WINDOWS\security\svchost.exe

Trying to be Robin Hood
Unlike other local viruses, this one does not block Windows functions such as Task Manager, Folder Options or Registry Editor. Instead it restores several functions that local viruses commonly block, such as Run, Folder Options, Task Manager, CMD and Registry Editor. The following registry locations are restored:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose = 0
NoControlPanel = 0
NoFind = 0
NoFolderOptions = 0
NoRun = 0
NoSaveSettings = 0
NoStartMenuMorePrograms = 0
NoViewContextMenu = 0
NoViewOnDrive = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableMsConfig = 0
DisableRegistryTools = 0
DisableTaskMgr = 0
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\system
DisableCMD = 0

Besides the registry changes above, it also creates the following registry entries of its own:
  • HKEY_LOCAL_MACHINE\SOFTWARE\noF i T r I on Computer\Fitri\CurrentVersion
ComputerForeverInLove_status = 1
  • HKEY_CURRENT_USER\Software\noF i T r I on Computer
Build2009 = 0x1d (29 decimal)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\noF i T r I on Computer
Changed = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noF i T r I on Computer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noF i T r I on Computer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noF i T r I on Computer

Active in "Safe Mode with Command Prompt"
To make cleaning harder, it changes the following registry values so that it still runs when the computer boots into "Safe Mode with Command Prompt". AlternateShell is the program Windows starts as the shell in that mode; its default is cmd.exe, and the virus replaces it with its own copy named svchost.exe:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
AlternateShell = C:\WINDOWS\security\svchost.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
AlternateShell = C:\WINDOWS\security\svchost.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell = C:\WINDOWS\security\svchost.exe
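The IFEO debugger redirection, the Security Center overrides and the SafeBoot AlternateShell change described in the sections above can all be checked from a registry export, without touching the live registry of the infected machine. The Python script below is an added example written for this post (it is not part of the original analysis and not a Vaksincom tool): it parses .reg text, flags any Image File Execution Options key whose Debugger is not a known debugger, any Security Center Override/DisableNotify value set to 1, and any SafeBoot AlternateShell other than cmd.exe. The embedded export is constructed from the values listed above; the notepad.exe entry with a windbg.exe path is an assumed, legitimate registration included as a negative case.

```python
"""Flag the defence-evasion settings described in this post in a Windows
registry export: an Image File Execution Options 'Debugger' that is not a
real debugger, Security Center override/notification values set to 1, and a
SafeBoot AlternateShell other than cmd.exe.
Added example written for this post; the export below is constructed."""
import re

IFEO = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
        "\\Image File Execution Options\\")
SECURITY_CENTER = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center"
SAFEBOOT = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
                      r"\\Control\\SafeBoot$", re.I)
# Debuggers legitimately registered under IFEO; anything else is a hijack candidate.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}.
    Supports "name"="string", @="string" and "name"=dword:xxxxxxxx;
    other value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def program_of(cmdline):
    """Executable named by a command line: the quoted path, else the first token."""
    cmdline = str(cmdline).strip()
    if cmdline.startswith('"') and cmdline.find('"', 1) > 0:
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split()[0] if cmdline else ""


def find_hijacks(keys):
    """Return (kind, where, data) for every suspicious setting in the export."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower()) and "Debugger" in values:
            exe = program_of(values["Debugger"]).rsplit("\\", 1)[-1].lower()
            if exe not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_debugger", key[len(IFEO):], values["Debugger"]))
        elif key.lower() == SECURITY_CENTER.lower():
            for name, data in values.items():
                if data == 1 and (name.endswith(("Override", "DisableNotify"))
                                  or name == "FirstRunDisable"):
                    findings.append(("security_center", name, data))
        elif SAFEBOOT.match(key):
            shell = values.get("AlternateShell", "cmd.exe")
            if str(shell).lower() != "cmd.exe":
                findings.append(("safeboot_shell", key, shell))
    return findings


def scan_file(path):
    """reg.exe and regedit write exports as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return find_hijacks(parse_reg(fh.read()))


# Constructed export mirroring the values listed in this post (not a real capture);
# the windbg.exe entry is an assumed, legitimate registration used as a negative case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procexp.exe]
"Debugger"="C:\\WINDOWS\\security\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Debuggers\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\security\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''

if __name__ == "__main__":
    for kind, where, data in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{kind:16} {where}  ->  {data}")
```

On the suspect machine the input is produced with reg export (for example `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg`); reg.exe writes UTF-16, which is what scan_file() expects. A Debugger value under IFEO is only normal on a developer's machine, so on an end-user PC every hit deserves a look regardless of where the path points.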

Propagation
To spread, it uses USB flash drives, creating the following files on them:
  • Autorun.inf
  • $v3-$CkP.exe
  • %day month year% _ TrueLove.exe, for example 13 March 2011 _ TrueLove.exe (following the computer's system date)
  • OBE.sacura
  • TransparentScreenSaver...scr
  • Folder [-]
    • $v3-$CkP.exe
    • explorer.exe
    • TransparentScreenSaver...scr
  • Folder [Kasihku]
    • $$Forever In Love.. TransparentScreenSaver.exe
    • GEO.Sayoki

So that it runs automatically when the user opens the USB flash drive, it abuses the Windows AutoRun feature by creating an autorun.inf file containing directives that launch the virus file it has prepared.
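The post does not reproduce the autorun.inf the virus drops; it only says that the file contains directives to launch the virus file. As an added example (not the virus's file and not code from the original post), the Python below parses an autorun.inf and lists every directive Windows would act on: open= and shellexecute= for AutoRun, shell\<verb>\command= for the drive's context menu, and shell= for the verb that double-clicking the drive invokes. The sample file is constructed; it borrows two file names from the list above, but which file the real autorun.inf launched is not stated in the post.

```python
"""List the directives in an autorun.inf that make Windows run a program when a
drive is inserted or opened. Added example written for this post; the sample
file is constructed, not the one the virus drops."""

# [autorun] keys whose value is a program to run: AutoRun/AutoPlay ('open',
# 'shellexecute') and the context-menu verbs ('shell\<verb>\command').
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {'launches': [(key, command)], 'default_verb', 'icon', 'label'}
    from the [autorun] section. Keys are matched case-insensitively, whitespace
    around '=' is ignored, and lines without '=' (junk padding) are skipped."""
    result = {"launches": [], "default_verb": None, "icon": None, "label": None}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            result["launches"].append((key, value))
        elif key == "shell":                      # verb run when the drive is double-clicked
            result["default_verb"] = value.lower()
        elif key in ("icon", "label"):            # cosmetic keys that make the drive look normal
            result[key] = value
    return result


def targets(parsed):
    """Sorted, de-duplicated file names that the launch directives point at."""
    names = set()
    for _, cmd in parsed["launches"]:
        cmd = cmd.strip()
        if not cmd:
            continue
        close = cmd.find('"', 1) if cmd.startswith('"') else -1
        exe = cmd[1:close] if close > 0 else cmd.split()[0]
        names.add(exe.rsplit("\\", 1)[-1])
    return sorted(names)


# Constructed sample. It borrows two file names from the list above; the post does
# not say which file the real autorun.inf launched.
SAMPLE_AUTORUN = r"""[autorun]
; junk lines without '=' are a common trick to confuse simple scanners
xQ7f1
open=$v3-$CkP.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
ShellExecute = TransparentScreenSaver...scr
shell\Open\Command=$v3-$CkP.exe
shell\Explore\command="$v3-$CkP.exe" /explore
shell=Open
label=Kasihku
"""

if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for key, cmd in parsed["launches"]:
        print(f"{key:24} -> {cmd}")
    print("default verb:", parsed["default_verb"], "| programs:", targets(parsed))
```

AutoRun from removable drives is what made this propagation route work on Windows XP. Disabling it closes the route regardless of what the file contains: set NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, or install the Windows update KB971029, after which autorun.inf on USB drives is no longer honoured.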

Blocking access to ZIP files
Another action is to block access to compressed files, whether created with WinZip or WinRAR, and to change their icon. If the user tries to open a compressed file by double-clicking it, an error message appears.
There is no need to worry: the file is not really blocked and can still be opened as follows:
  • Right-click the ZIP/RAR file
  • Click [WinZip]
  • Choose the extract option from the menu
To do this it changes the following registry value, which makes Explorer treat .zip files as executables (the exefile type), so double-clicking tries to run the archive as a program and fails:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip
  • Default = exefile

Messages
The virus also leaves several messages addressed to "someone", as text documents (TXT) or HTML files. They are stored in the following locations:
  • C:\Documents and Settings\All Users\Desktop\
My Friendship..TXT
Baca Aku..txt
  • C:\Users\Public\Public Desktop\
My Friendship..TXT
Baca Aku..txt
  • Folder [Kasihku]
Kenapa kamu mencintai se....txt
My Friendship...txt

  • C:\Windows\Security\Kenapa kamu mencintai se....txt
  • C:\Windows\System32
Kenapa kamu mencintai se....txt
My Friendship.txt
  • C:\Documents and Settings\%user%
Kenapa kamu mencintai se....txt
My Friendship.txt

How to remove Trojan.Siggen1.42827
  1. Kill the virus process running in memory. This virus is written in Visual Basic (VB), so killing its running process is relatively easy, for example with the KillVB tool. Download the tool from the following address:
  2. Fix the registry entries changed by the virus. The virus makes a lot of registry changes; to speed up the repair, copy the script below into Notepad and save it as REPAIR.INF. Install the file as follows:
    1. Right-click REPAIR.INF
    2. Choose [Install]
Note that the script does not reset the Security Center values, the SuperHidden UncheckedValue or the ControlSet002 Services key listed earlier; check those by hand after running it.

Here is the script to copy:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\.zip,,, "winzip"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKCU, Software\noF i T r I on Computer
HKLM, SYSTEM\CurrentControlSet\Services\noF i T r I on Computer
HKLM, SYSTEM\ControlSet001\Services\noF i T r I on Computer
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\noF i T r I on Computer
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AudioSystem.exe
HKCU, Software\Policies\Microsoft\Windows\system, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NosaveSettings
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewonDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Control Panel\Desktop,SCRNSAVE.EXE
HKLM, SOFTWARE\noF i T r I on Computer
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckPointing
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0000.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ahnlab.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avas.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVG.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ccapp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccleaner.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleaner.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverDetective.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverScanner.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fixinstall.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\folderlockbox_setup.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Free Fire Screensaver.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hunter.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install_flash_player.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISUNIST.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kaspersky.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keygen.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\limeware.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LNKSTUB.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mobsync.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOOBE.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msra.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAPSTAT.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETSETUP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32krn.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32kui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Norman.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Norton.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Panda.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppclean.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regdir.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restore my files.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rminstall.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityConfig.exe.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Smadav 2009 Rev. 3.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmaRTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sophos.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symantec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st5unst.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supercleaner.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Task.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfnotice.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tiny.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trend.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrendAntiVirus.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojan Hunter.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojan.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunter.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TweakUi.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Unins.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Unins000.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uninst.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uninstall.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unlocer.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unlocker.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNWISE.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Upd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Update.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V2iBrowser.exe.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VProConsole_.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinHIIP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unwise32.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\youtubesetup.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ypsr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ypsrru.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneLabs.exe
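The REPAIR.INF above relies on the INF right-click [Install] handler and on SetupAPI's field syntax: root, subkey, value name, flags, data; an empty value name means the key's default value; flags 0x00010001 means REG_DWORD; and a doubled quote inside a quoted string is a literal quote, which is why the command lines read `"""%1"" %*"`. As an added example, written for this post rather than taken from it, the Python below parses those AddReg/DelReg directives and renders them as a .reg file, which is easier to review, diff and apply with `reg import`. The embedded INF is a constructed excerpt that keeps a handful of lines in the script's own form; the SuperHidden UncheckedValue line is included to show the DWORD form.

```python
"""Convert the AddReg/DelReg directives of a REPAIR.INF-style script into a .reg
file. Added example written for this post; the INF below is a constructed excerpt."""

ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
FLG_ADDREG_TYPE_DWORD = 0x00010001  # SetupAPI AddReg flag: the data is a REG_DWORD

def split_inf_fields(line):
    """Split an INF directive on commas; inside "..." commas do not split and "" is a quote."""
    fields, buf, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            if quoted and line[i + 1:i + 2] == '"':   # doubled quote = literal quote
                buf.append('"')
                i += 2
                continue
            quoted = not quoted
        elif c == "," and not quoted:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf).strip())
    return fields

def inf_sections(text):
    """{section name in lower case: [directive lines]}, comments and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def listed_sections(sections, directive):
    """Section names given by 'AddReg=a,b' or 'DelReg=...' under [DefaultInstall]."""
    names = []
    for line in sections.get("defaultinstall", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == directive.lower():
            names += [s.strip().lower() for s in value.split(",") if s.strip()]
    return names

def parse_repair_inf(text):
    """Return (adds, dels): adds are (key, name, 'sz'|'dword', data); dels are
    (key, name) with name None when the whole key is deleted. Empty name means @."""
    sections, adds, dels = inf_sections(text), [], []
    for sec in listed_sections(sections, "AddReg"):
        for line in sections.get(sec, []):
            root, subkey, name, flags, data = (split_inf_fields(line) + [""] * 5)[:5]
            key, flags = ROOTS[root.upper()] + "\\" + subkey, int(flags or "0", 0)
            if flags == 0:                            # FLG_ADDREG_TYPE_SZ
                adds.append((key, name or "@", "sz", data))
            elif flags == FLG_ADDREG_TYPE_DWORD:
                adds.append((key, name or "@", "dword", int(data, 0)))
            else:
                raise ValueError(f"unsupported AddReg flags 0x{flags:08x}: {line}")
    for sec in listed_sections(sections, "DelReg"):
        for line in sections.get(sec, []):
            root, subkey, name = (split_inf_fields(line) + [""] * 3)[:3]
            dels.append((ROOTS[root.upper()] + "\\" + subkey, name or None))
    return adds, dels

def reg_escape(s):
    """Escape backslash and double quote for a .reg string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def to_reg(adds, dels):
    """Render a 'Windows Registry Editor Version 5.00' file; deletions first, since
    SetupAPI also processes DelReg before AddReg."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name in dels:   # [-key] deletes the key; "name"=- deletes one value
        out += [f"[-{key}]", ""] if name is None else [f"[{key}]", f'"{reg_escape(name)}"=-', ""]
    for key, name, kind, data in adds:
        lhs = "@" if name == "@" else f'"{reg_escape(name)}"'
        rhs = f'"{reg_escape(data)}"' if kind == "sz" else f"dword:{data:08x}"
        out += [f"[{key}]", f"{lhs}={rhs}", ""]
    return "\n".join(out)

# Constructed excerpt in the same form as the script above; the SuperHidden line
# is included to show the REG_DWORD (flags 0x00010001) form.
SAMPLE_INF = r'''[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001, 1

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AudioSystem.exe
HKCU, Control Panel\Desktop,SCRNSAVE.EXE
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procexp.exe
'''

if __name__ == "__main__":
    print(to_reg(*parse_repair_inf(SAMPLE_INF)))
```

Running it on the full script above is a quick way to spot what the repair really does before applying it: each IFEO key comes out as a `[-HKEY_LOCAL_MACHINE\...]` deletion, the Run and SCRNSAVE.EXE entries as value deletions, and the file-type command lines as `@="\"%1\" %*"` restores.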

  3. Delete the files created by the virus, including those on USB flash drives. To speed up deletion, use the Windows Search/Find function. Before searching, it is recommended to show all hidden files, because the virus hides some of the parent files it creates.

To show hidden files:
  • Windows XP
    • Open [Windows Explorer]
    • Click the [Tools] menu
    • Click [Folder Options]
    • When the Folder Options window opens, click the [View] tab
    • Select [Show hidden files and folders]
    • Clear [Hide extensions for known file types]
    • Clear [Hide protected operating system files (Recommended)]
    • Click [Apply]
    • Click [OK]

  • Windows Vista / 7
    • Open [Windows Explorer]
    • Click [Organize]
    • Click [Folder and search options]
    • When [Folder Options] appears, click the [View] tab
    • Select [Show hidden files, folders, or drives]
    • Clear [Hide extensions for known file types]
    • Clear [Hide protected operating system files (Recommended)]
    • Click [Apply]
    • Click [OK]

If clearing "Hide protected operating system files" has no effect, the SuperHidden UncheckedValue described earlier is still 0; set it back to 1 first.

Once hidden files are visible, search with the pattern: *.exe, *.scr
Be careful not to delete the wrong files; delete only the virus files that have these characteristics:
    • Size 76 KB
    • No icon
    • EXE or SCR extension
    • File type "Application" or "Screen Saver"

Then also delete the following files:
    • OBE.sacura [all drives]
    • Autorun.inf [all drives]
    • Folder [-], all drives
    • Folder [Kasihku], all drives
    • Folder [Koleksi ScreenSaver], all drives
    • C:\WINDOWS\system32\blank.htm
    • C:\Documents and Settings\%user%\http_www.patah-hati.com

  4. For a thorough clean, scan the computer with an up-to-date antivirus.
