Berikut ini penelitian saya terhadap virus x-fly pada tanggal 05 Mei 2010
Hasil Analisa (versi saya)
Nama Malware : W32.SillyFDC [Symantec], Worm.Win32.VB.ml [Kaspersky Lab], New Malware.iu [McAfee]
Ukuran : 172,032 bytes
Icon : icon folder, icon mp3, icon avg
Dibuat dengan: Visual Basic
Lokasi Project Virus:
D:\FADLY\mata kuliah\fadly123\newvir2\Project1.vbp
(Ooops. Ketahuan deh, kalo yang buat virus ini namanya fadly!. Ayo. Ayo. Panggil polisi!)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command]
(Default) = "%Windir%\r4m83.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.DYS]
(Default) = "exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fly]
(Default) = "exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.FYS]
(Default) = "exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.HHS]
(Default) = "exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoFolderOptions = 0x00000001
NoFind = 0x00000001
NoRun = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
mediaplayer = "%System%\realplay.exe"
real = "C:\soulfly\r4m83.exe"
soul = "C:\soulfly\isass.exe"
DLL = "C:\soulfly\RCSS.exe"
real1 = "D:\soulfly\r4m83.exe"
soul2 = "D:\soulfly\isass.exe"
ETC = "D:\soulfly\RCSS.exe"
NTLR = "C:\MSNTLR.DYS"
ELC = "C:\MSFLC.FYS"
DLF = "C:\MSDLF.HHS"
NTLS = "%Windir%\NTLS.DYS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
DisableSR = 0x00000001
LimitSystemRestoreCheckpointing = 0x00000001
DisableMSI = 0x00000001
DisableConfig = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
ExeRun = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
ExeRun = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Window Title = "..:: x-fly ::.."
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 0x00000001
DisableTaskMgr = 0x00000001
DisableCMD = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
r4m83 = "%Windir%\r4m83.exe"
regscv32 = "%System%\RCSS.exe"
isass = "%Windir%\system\isass.exe"
NTLR = "C:\MSNTLR.DYS"
ELC = "C:\MSFLC.FYS"
DLF = "C:\MSDLF.HHS"
NTLS = "%Windir%\NTLS.DYS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
(Default) = "%Windir%\r4m83.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
(Default) = "%Windir%\r4m83.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]
(Default) = "%Windir%\r4m83.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe, %System%\RCSS.exe"
System = "%System%\RCSS.exe "
Userinit = "%System%\userinit.exe,%System%\RCSS.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
AlternateShell = "%System%\RCSS.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
AlternateShell = "%System%\RCSS.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
AlternateShell = "%System%\RCSS.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = "%CommonPrograms%\Startup\rj.html"
Sesaat setelah scanning, dari sekian file virus yang terdeteksi ada satu file yang tidak bisa dihapus. File itu berada di:
"c:\windows\system32\Rcss.exe"
Hal itu disebabkan karena proses dari file tersebut masih aktif. Supaya proses tersebut bisa dimatikan, pake task manager ya… Perhatikan bahwa kunci DisableTaskMgr di atas juga diset ke 0x00000001, jadi Task Manager mungkin perlu diaktifkan kembali dulu. Selain itu, nilai Shell, System, dan Userinit di kunci Winlogon di atas juga mengarah ke RCSS.exe, sehingga file ini akan dijalankan lagi saat logon kalau nilai-nilai itu belum dikembalikan.
jika ada kesalahan ane minta maaf!!!