Getting Started with Arduino and Genuino UNO: [PR] Trojan.FakeAV.3510: Manipulasi Windows HOSTS File dan Block Antivirus

Kalau antivirus palsu (Rogue Antivirus) yang lain memiliki ciri khas menakut-nakuti korbannya dengan laporan infeksi virus yang palsu, maka antivirus palsu yang satu ini memiliki hobi melakukan blokir atas segambreng software sekuriti dan pengalihan file hosts Windows sehingga komputer korbannya yang berhasil di infeksinya tidak dapat mengakses situs-situs penyedia jasa sekuriti. Pengalihan Hosts file ini yang perlu diwaspadai oleh para pengguna komptuer, khususnya pengguna internet banking karena dengan pengalihan hosts, phishing website dan teknik rekayasa sosial yang tepat, hal ini berpotensi menyebabkan pembobolan pada akun internet banking. Sekalipun sudah dilengkapi dengan yang perlindungan Kalkulator PIN / Token (two factor authentication). Karena itulah penting bagi anda yang menggunakan Internet Banking untuk menggunakan antivirus yang memiliki fitur Proteksi Hosts file seperti yang diberikan oleh Dr Web Security Space.

Ciri-ciri dan gejala virus
Virus ini dibuat dengan menggunakan bahasa pemograman Visual Basic dengan ukuran sekitar 62 KB dengan menggunakan icon Visual Basic. (lihat gambar 1).

Salah satu ciri yang dapat dikenali adalalah, setiap user membuka Internet explorer akan muncul website [http://www.qseach.com/?ref=kzCXow==] yang menyerupai website search engine www.google.com (lihat gambar 2). Selain itu akan muncul beberapa file shortcut dengan icon yang berbeda-beda, kabar baiknya file shortcut ini sementara hanya akan muncul di USB Flash. File shortcut ini merupakan file duplikat dari file/direktori yang disembunyikan oleh virus dengan tujuan untuk mengelabui user. (lihat gambar 3).

Dengan update terbaru Dr.Web antivirus sudah mendeteksi virus ini sebagai Trojan.FaveAV.3510 (lihat gambar 4).

File induk virus
Pada saat user menjalankan file induk virus, maka akan muncul pesan error (lihat gambar 5) kemudian ia akan membuat file induk yang akan di jalankan secara otomatis pada saat komputer booting.

Berikut beberapa file yang akan dibuat oleh virus:

C:\Documents and Settings\%user%\132616c4\winlogon.exe

Catatan: %user%, adalah user yang digunakan pada saat login Windows

Registri Windows
Agar file tersebut dapat di aktifkan secara otomatis pada saat komputer booting, ia akan membuat beberapa registri berikut:

HKCU\Software\Microsoft\WIndows\CurrentVersion\Run
- 74e4144414 = C:\Documents and Settings\%user%\132616c4\winlogon.exe
HKLM\Software\Microsoft\WIndows\CurrentVersion\Run
- 74e4144414 = C:\Documents and Settings\%user%\132616c4\winlogon.exe

Catatan: %user% adalah user yang digunakan pada saat login Windows

Blok Fungsi Windows
Agar user kesulitan dalam melakukan pembersihan, ia akan melakukan blok beberapa fungsi Windows seperti Task Manager, MSConfig, CMD (Command Prompt), Regedit atau Folder Options dengan melakukan perubahan pada registry berikut:

HKCU\Software\Microsoft\WIndows\CurrentVersion\Policies\Associations
- LowRiskFileTypes = .exe
HKCU\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer
- NoFile = 1
- NoFolderOptions = 1
- NoRun = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools = 1
- DisableTaskMgr = 1
HKCU\Software\Policies\Microsoft\Windows\System
- DisableCMD = 1
HKLM\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer
- NoFolderOptions = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- EnableFirewall = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
- EnableFirewall = 1

Selain itu ia jug akan membuat string pada registry berikut agar file virus diaktifkan pada layer administrator serta mendaftarkan pada list Firewall agar tidak di blok oleh Firewall Windows.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers
- C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers
- C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Blok Software Security
Selain blok fungsi Windows tersebut, ia akan melakukan blok terhadap tools/software security termasuk program antivirus dengan membaca “caption text Windows” serta dengan melakukan debugger (pengalihan) untuk menjalankan file virus yang berada di direktori [C:\Documents and Settings\%user%\132616c4\winlogon.exe]. Untuk melakukan debugger (pengalihan) tersebut, ia akan membuat string pada registry berikut:

Alamat Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\

Alamat sub key:

_apv.exe
_avp32.exe
_apvcc.exe
_apvm.exe
_findviru.exe
a2servic.exe
ackwin32.exe
acs.exe
advxdwin.exe
agentsvr.exe
agentw.exe
ahnsd.exe
alerter.exe
alertsvc.exe
alogserv.exe
amon.exe
amon9x.exe
antigem.exe
anti-trojan.exe
antivirus.exe
ants.exe
apimonitor.exe
aplica32.exe
apvxdwin.exe
ashwebsv.exe
atcon.exe
atguard.exe
atro55en.exe
atupdates.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avcenter.exe
avconfig.exe
avconsol.exe
ave32.exe
avgcc32.exe
avgctrl.exe
avgmc.exe
avgnt.exe
avgserv9.exe
avguard.exe
avgw.exe
avkserv.exe
avkpop.exe
avkservice.exe
avkwcl9.exe
avkwtl9.exe
avnotify.exe
avnt.exe
avp.exe
avp32.exe
avpccc.exe
avpdos32.exe
avpexec.exe
avpinst.exe
avpm.exe
avpmon.exe
avpnt.exe
avptc32.exe
avpupd.exe
avrescue.exe avscanavsha-
dow.exe
avsched32.exe
avsynmgr.exe
avupgsvc.exe
avwebloader.exe
avwin95.exe
avwinnt.exe
avwsc.exe
avwupd32.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
avxw.exe
azonealarm.exe
bd_professional.exe
bidef.exe
bidserver.exe
bipcp.exe bipcpevalsetup.exe
bisp.exe
blackd.exe
blackice.exe
boot.exe
bootwarn.exe
borg2.exe
bs120.exe
BullGuard.exe
callmsi.exe
ccapp.exe
ccevtmgr.exe
cclaw.exe
ccpsetmgr.exe
ccshtdwn.exe
cdp.exe
cfgwiz.exe
cfiadmin.exe
cfiaudit.exe
cfind.exe
cfinet.exe
cfinet32.exe
ChromeSetup.exe
clamauto.exe
claw95.exe
claw95cf.exe
claw95ct.exe
Clean.exe
clear.exe
clear3.exe
cleanpc.exe
cmd.exe
cmgrdian.exe
cmon016.exe
combofix.exe
connectionmoni-tor.exe
cpd.exe
cpdclnt.exe
cpf.exe
cpf9x206.exe
cpfnt206.exe
csinject.exe
cdinsm32.exe
css1631.exe
ctfmon.exe
ctrl.exe
cv.exe
cwntdwmo.exe
defalert.exe
defscangui.exe
defwatch.exe
deputy.exe
Diskmon.exe
doors.exe
dpf.exe
drvins32.exe
drwatson.exe
drweb32.exe
dumphive.exe
dv95.exe
dv95_o.exe
dvp95.exe
dvp95_0.exe
earthagent.exe
ecengine.exe
ecls.exe
ecmd.exe
edi.exe
efinet32.exe
efpeadm.exe
egui.exe
EHttpSrv.exe
ekrn.exe
ent.exe
esafe.exe
escanhnt.exe
escanv95.exe
espwatch.exe
etrustcip.exe
evpn.exe
ewido.exe
exanantivirus-cnet.exe
exit.exe
expert.exe
explored.exe
fact.exe
f-agnt95.exe
fameh32.exe
fa-setup.exe
fast.exe
fch32.exe
fih32.exe
filemon.exe
findviru/exe
firewall.exe
FirewallCOntrolPanel.exe FirewallSettings.exe
fix-it.exe
flowprotector.exe
fnrb32.exe
FPAVServer.exe

fprot.exe
f-prot95.exe
fp-win.exe
fp-win_trial.exe
frw.exe
fsaa.exe
fsav.exe
fsav32.exe
fsav530stbyb.exe
fsav530wtbyb.exe
fsav95.exe
fsave32.exe
fsgk32.exe
fslaunch.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fssm32.exe
f-stopw.exe
fwenc.exe
fwinstall.exe
gbmenu.exe
gbpoll.exe GenericRenosFix.exe
generics.exe
gibe.exe GoogleToolsbalInstaller_download_signed.exe
gpedit.exe
guard.exe
guarddog.exe
guardgui.exe
guardhlp.exe hacktracersetup.exe
HelpPane.exe
hidec.exe
HijackThis.exe
HJTInstall.exe
HostsCHK.exe
htlog.exe
hwpe.exe
iamapp.exe
iamserv.exe
iamstats.exe
ibmasn.exe
ibmasn.exe
ibmavsp.exe
icloadnt.exe
icmon.exe
icmoon.exe
icssuppnt.exe
icsupp.exe
icsupp95.exe
icsuppnt.exe
IEDFix.exe
iface.exe
ifw2000.exe
iomon98.exe
iparmor.exe
iris.exe
isrv95.exe
jammer.exe
jed.exe
jedi.exe kav8.0.0.357es.exe
kavlite40eng.exe
kacpers40eng.exe
kavsvc.exe
kerio-pf-213-en-win.exe
kerio-wrl.421-en-win.exe
kerio-wrp-421-en-win.exe killprocesssetup-
161.exe
kiss8.0.0.50gla-
tam.exe
kpf.exe
kpfw32.exe
ldnetmon.exe
ldpro.exe
dpromenu.exe
ldscan.exe
licmgr.exe
localnet.exe
lockdown.exe
lockdown2000.exe
lookout.exe
lsetup.ese
luall.exe
luau.exe
lucomserver.exe
luinit.exe
lispt.exe
mbam.exe
mbamgui.exe
mbabservice.exe
mcagent.exe
mcmnhdlr.exe
mcshield.exe
mctool.exe
mcuimgr.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe mfw2en.exe
mfweng3.02d30.exe
mgavrtcl.exe
mgahtml.exe
mgui.exe
minilog.exe
monitor.exe
monsys32.exe
monsysnt.exe
monwow.exe
moolive.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mrflux.exe
MSASCui.exe
msblast.exe
msconfig.exe
msinfo32.exe
msn.exe
mspatch.exe
mssmmc32.exe
mu0311ad.exe
mwatch.exe
mxtask.exe
n32scan.exe n32scanw.exe
nai_vs_stst.exe
nav32_loader.exe
nav8-try.exe
navap.exe
navapsvc.exe
navvapw32.exe
navauto-protect.exe
navdx.exe
naveng.exe navengnavex15.exe
navex15.exe
navlu32.exe
navnt.exe
navrunr.exe
navsched.exe
navstub.exe
navw.exe navw32.exe
navwnt.exe
nc2000.exe
ncinst4.exe
nd98spst.exe
ndntspst.exe
neomonitor.exe
neowatchlog.exe
netarmor.exe
netcfg.exe
netinfo.exe
netmon.exe
netscanpro.exe
Netscape/exe
netspyhunter-1.2exe
netstat.exe
netutils.exe
nisserv.exe
nisum.exe
nmain.exe
nod32.exe
normist.exe norton_internet_sec_3.0_407.exe
notstart.exe npf40_tw_98_nt_me_2k.exe
npfmessenger.exe
nprotect.exe
npscheck.exe
npssvc.exe
nsched32.exe
ntdetect.exe
ntrtscan/exe
ntxconfig.exe
nui.exe
nupdate.exe
nupgrade.exe
nvapsvc.exe
nvarch16.exe
nvc95.exe
nvlaunch.exe
nvsvc32.exe
nwinst4.exe
nwservice.exe
nwtools16/exe

offguard.exe
ogrc.exe
opera.exe opera_964_int_Setup.exe
ostronet.exe
outpost.exe
outpostproinstall.exe
padmin.exe
panixk.exe
pathping.exe
pavcl.exe
pavproxy.exe
pavsched.exe
pavw.exe
pcc2002s902.exe
pccclient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccntmon.exe
pccpfw.exe
pccwin97.exe
pccwin98.exe
pcdsetup.exe
pcfwallicon.exe
pcp10117_0.exe
pcscan.exe pcscanpdsetup.exe
penis32.exe
periscope.exe
persfw.exe
pev.exe
pf2.exe
pfwadmin.exe
ping.exe
pingscan.exe
platin.exe
pop3trap.exe
poproxy.exe
popscan.exe
portdetective.exe
portmon.exe
portmonitor.exe
ppinupdt.exe
pptbc.exe
ppvstop.exe
prckiller.exe
process.exe processmonitor.exe
procexp.exe
procexplorerv1.0.exe
procmon.exe
programauditor.exe
proport.exe
protectx.exe
pspf.exe
purge.exe
pview.exe
pview95.exe
qconsole.exe
qserver.exe
rapapp.exe
rav.exe
rav7.exe
rav7win.exe
rav8win32eng.exe
realmon.exe
regedt32.exe
rescue.exe
rescue32.exe
restart.exe
route.exe
routemon.exe
rrguard.exe
rshell.exe
rstrui.exe
rtvscn95.exe
rulaunch.exe
safari.exe
safeweb.exe
SandboxieBITS.exe
sandboxieCrypto.exe
sandboxieRPcSs.exe
sandboxieWUAU.exe
SbieCtrl.exe
SBieSvc.exe
sbserv.exe
scan32.exe
scan 95.exe
scanpm.exe
sched.exe
schedapp.exe
scrscan.exe
scvhosl.exe
sd.exe
sdclt.exe
serv95.exe
setup_flowprotector_us.exe
setupvameeval.exe
sgssfw32.exe
sh.exe
sharedaccess.exe
shellspyinstall.exe
shn.exe
smc.exe
SmitfraudFix.exe
sofi.exe
spf.exe
sphinx.exe
spider.exe
spysweeper.exe
spyxx.exe
SrchSTS.exe
srwatch.exe
ss3edit.exe
st2.exe
supftrl.exe
supporter5.exe
sweep.exe
sweep95.exe
sweepnet.ese
sweepsrv.sys.exe
swnetup.exe
swreg.exe
swsc.exe
swxcacls.exe
symprxysvc.exe
symtray.exe
sysdoc32.exe
syshelp.exe
taskkill.exe
tasklist.exe
taskmgr.exe
taskmon.exe
taumon.exe
tauscan.exe
tbscan.exe
tc.exe
tca.exe
tcm.exe
tcpsvs32.exe
tds2.exe
tds2-98.exe
tds2-nt.exe
tds-3.exe
tfak.exe
tfak5.exe
tftpd.exe
tgbob.exe
titain.exe
titainxp.exe
tmlisten.exe
tmntsrv.exe
tracertpt.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
UCCLSID.exe
Ui0Detect.exe
undoboot.exe
unzip.exe
update.exe
UserAccountControlSettings.exe
VACFix.exe
vbcmserv.exe
vbcons.exe
vbust.ese
vbwin9x,exe
vbwinntw.exe
vccmserv.exe
vcontrol.exe
vcsetup.exe vet32.exe
vet98.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vmsrvc.exe
vlan300.exe
vnpc3000.exe

vpc32.exe
vpc42.exe
vpcmap.exe
vpfw30s.exe
vtray.exe
vscan.exe
vscan40.exe
vscan6.02d30.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsscan40.exe
vsstat.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
vvstat.exe
w32dsm89.exe
w9x.exe
eatchdog.exe
webscan.exe
webscanx.exe
webtrap.exe
WerFault.exe
wfindv32.exe
whoswatchingme.exe
wingate.exe
winhlpp32.exe
wink.exe
winmgm32.exe
winppr32.exe
winrecon.exe
Winroute.exe
winservices.exe
winsfcm.exe
wmias.exe
wnt.exe
wradmin.exe
wrctrl.exe
WS2Fix.exe
wsbgate.exe
wuauclt.exe
wyvernworksfirewall.exe
xpf202en.exe
xscan.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zatutorzauinst.exe
zauinst.exe
zlh.exe
zonalarm.exe
zobalm2601.exe
zonealarm.exe

Alamat String dan value
Debugger = “C:\Documents and Settings\%user%\132616C4\winlogon.exe”
Catatan: %user% ini adalah user/account yang digunakan pada saat login Windows

Ubah halaman utama Internet Explorer
Selain itu, ia juga akan melakukan perubahan pada halaman utama Internet Explorer dengan menampilkan website yang telah ditentukan. Untuk melakukan hal tersebut ia akan merubah string registry berikut:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
- HomePage = 1
HKCU\Software\Microsoft\Internet Explorer\main
- Start Page = http://768yeh1j7yj5t07.directorio-w.com
- Search Page = http://e1hhl4a03j39jb3.directorio-w.com
- Local Page = http://nm17u2g9x4l2nj3.directorio-w.com
- Default_Search_URL = http://82580978n05e6zb.directorio-w.com
- Default_Page_URL = http://6448664he9p069e.directorio-w.com

Merubah icon USB Flash
Virus ini juga akan merubah icon USB Flash menjadi icon Folder dan blok akses USB Flash jika user mengakses dengan cara double click pada USB Flash tersebut. Dengan melakukan double click pada USB Flash tersebut maka secara otomatis akan mengaktifkan virus. (lihat gambar 6)

Menyembunyikan file/folder

Lagi-lagi USB Flash menjadi korban, kali ini ia akan menyembunyikan semua file/folder yang ada di USB Flash dan sebagai gantinya ia akan membuat file duplikat yang mempunyai nama yang sama dengan file/folder yang disembunyikan berupa file shortcut dengan ciri-ciri

Jika yang disembunyikan berupa Folder
- Icon Folder
- Mempunyai ekstensi .LNK
- Ukuran 1 KB
Jika yang disembunyikan berupa File
- Icon acak
- Mempunyai ekstensi %ekstensi asal%.lnk, dimana %ekstensi asal% adalah ekstensi asli yang dimiliki oleh file tersebut, contohnya: lamaran.doc.lnk
- Ukuran 1 KB

Untuk setiap file shortcut yang dibuat akan mempunyai target untuk menjalankan file virus (Ua3kmh73O3jyut4Iok.exe) yang sudah dipersiapkan bila di jalankan, file target tersebut biasanya akan di simpan di USB Flash. (lihat gambar 7)

Ubah Hosts File Windows
Ia juga akan melakukan perubahan terhadap file Hosts Windows [C:\Windows\System32\Drivers\Etc\Hosts] yang mengakibatkan sejumlah website tidak dapat di akses. Berikut beberapa alamat website yang akan di blok. (lihat gambar 8).

[spoiler]

208.109.220.97 viabcp.com

208.109.220.97 www.viabcp.com

208.109.220.97 bcpzonasegura.viabcp.com

173.236.65.144 www.produbanco.com

173.236.65.144 produbanco.com

173.236.65.144 www.pichincha.com

173.236.65.144 pichincha.com

173.236.65.144 wwwp1.pichincha.com

173.236.65.144 wwwp2.pichincha.com

173.236.65.144 wwwp3.pichincha.com

173.236.65.144 wwwp4.pichincha.com

173.236.65.144 wwww01.pichincha.com

173.236.65.144 wwww02.pichincha.com

173.236.65.144 wwww03.pichincha.com

173.236.65.144 wwww04.pichincha.com

173.236.65.144 www.bancoguayaquil.com

173.236.65.144 bancoguayaquil.com

216.245.208.36 bn.com.pe

216.245.208.36 www.bn.com.pe

216.245.208.36 zonasegura1.bn.com.pe

216.245.208.36 www.zonasegura1.bn.com.pe

151.164.123.246 iniciorapido.info

65.29.206.117 www.iniciorapido.info

129.230.114.137 buscalo.in

205.0.103.170 www.buscalo.in

107.39.173.27 buscafacil.com

21.160.69.154 www.buscafacil.com

85.105.233.106 emsisoft.com

161.131.222.207 ahnlab.com

63.171.36.253 antivir.es

234.35.119.192 antiy.net

41.236.27.143 authentium.com

118.7.16.176 avast.com

19.46.86.34 avg.com

190.234.237.229 bitdefender.com

253.112.145.181 quickheal.com

74.138.134.213 clamav.net

232.245.204.71 comodo.com

146.110.31.198 drweb.com

210.55.195.218 aladdin.com

30.13.184.251 ca.com

120.120.254.41 f-prot.com

102.241.82.235 f-secure.com

98.186.58.187 fortinet.com

242.212.47.220 gdata.es

76.252.49.78 ikarus.at

59.116.200.17 jiangmin.com

54.61.108.224 kaspersky.com

199.88.97.1 mcafee.com

32.127.167.115 microsoft.com

15.247.250.242 eset.es

10.193.226.6 norman.com

87.219.215.38 nprotect.com

245.2.217.84 pandasecurity.com

227.123.112.23 pctools.com

223.68.20.231 prevx.com

43.94.9.8 rising-global.com

201.201.79.121 sophos.com

183.66.163.60 sunbeltsoftware.com

179.11.71.12 symantec.com

255.225.60.45 hacksoft.com.pe

157.77.130.159 trendmicro.com

140.197.25.30 anti-virus.by

135.142.189.49 hauri.net

212.101.178.82 virusbuster.hu

113.208.248.196 www.emsisoft.com

96.72.75.67 www.ahnlab.com

91.18.239.19 www.antivir.es

168.44.228.51 www.antiy.net

70.83.42.165 www.authentium.com

52.204.125.104 www.avast.com

48.149.101.56 www.avg.com

124.175.90.89 www.bitdefender.com

26.214.92.202 www.quickheal.com

8.79.244.73 www.clamav.net

4.24.152.93 www.comodo.com

80.50.141.126 www.drweb.com

238.90.211.240 www.aladdin.com

221.22.38.111 www.ca.com

216.223.14.62 www.f-prot.com

37.182.3.95 www.f-secure.com

194.33.5.209 www.fortinet.com

109.153.156.148 www.gdata.es

172.99.64.100 www.ikarus.at

249.57.53.132 www.jiangmin.com

151.164.123.246 www.kaspersky.com

65.29.206.117 www.mcafee.com

129.230.114.137 www.microsoft.com

205.0.103.170 www.eset.es

107.39.173.27 www.norman.com

21.160.69.154 www.nprotect.com

85.105.233.106 www.pandasecurity.com

161.131.222.207 www.pctools.com

63.171.36.253 www.prevx.com

234.35.119.192 www.rising-global.com

41.236.27.143 www.sophos.com

118.7.16.176 www.sunbeltsoftware.com

19.46.86.34 www.symantec.com

190.234.237.229 www.hacksoft.com.pe

253.112.145.181 www.trendmicro.com

74.138.134.213 www.anti-virus.by

232.245.204.71 www.hauri.net

146.110.31.198 www.virusbuster.hu

210.55.195.218 www.emsisoft.com

30.13.184.251 www.anti-trojan.net

120.120.254.41 malwarescan.emsisoft.com

102.241.82.235 forum.emsisoft.com

98.186.58.187 www.emsisoft.net

242.212.47.220 www.emsisoft.it

76.252.49.78 www.emsisoft.de

59.116.200.17 www.anti-trojan-software.net

54.61.108.224 mamutu.com

199.88.97.1 www.emsisoft.es

32.127.167.115 malwarescan.emsisoft.de

15.247.250.242 ww.emsisoft.com

10.193.226.6 www.emsisoft.fr

87.219.215.38 www.emsisoft.nl

245.2.217.84 onlinecheck.emsisoft.com

227.123.112.23 onlinecheck.emsisoft.de

223.68.20.231 www.emsisoft.org

43.94.9.8 scan.anti-trojan.net

201.201.79.121 www.trojaner.info

183.66.163.60 onlinecheck.emsisoft.org

179.11.71.12 onlinecheck.emsisoft.net

255.225.60.45 blitzblank.com

157.77.130.159 www.emsisoft.at

140.197.25.30 www.emsisoft.jp

135.142.189.49 www.mamutu.com

212.101.178.82 malwarescan.emsisoft.es

113.208.248.196 www.mamutu.de

96.72.75.67 download5.emsisoft.com

91.18.239.19 download1.emsisoft.com

168.44.228.51 download4.emsisoft.com

70.83.42.165 global.ahnlab.com

52.204.125.104 www.hackshields.com

48.149.101.56 www.internationalservicecheck.com

124.175.90.89 www.irangoals.com

26.214.92.202 ixomodels.com

8.79.244.73 www.indielisboa.com

4.24.152.93 www.latin-mass-society.org

80.50.141.126 www.arpia.be

238.90.211.240 www.owen.org

221.22.38.111 www.prdouglas.co.uk

216.223.14.62 www.zarya.info

37.182.3.95 www.willsee.com

194.33.5.209 halmapr.com

109.153.156.148 karuna-shechen.org

172.99.64.100 www.barder.com

249.57.53.132 www.antivir.es

151.164.123.246 www.buraka.tv

65.29.206.117 www.dr-bull.com

129.230.114.137 www.manchester-offices.co.uk

205.0.103.170 saverssite.com

107.39.173.27 canada.karuna-shechen.org

21.160.69.154 developmentdrums.org

85.105.233.106 www.imddomains.co.uk

161.131.222.207 cutlines.org

63.171.36.253 elblogdemanu.com

234.35.119.192 ruben.bzin.net

41.236.27.143 welkam.co.jp

118.7.16.176 www.cambridge-steiner-school.co.uk

19.46.86.34 naturesimages.net

190.234.237.229 www.1stavenuelimousines.co.uk

253.112.145.181 www.mtr-design.com

74.138.134.213 dev.depeuter.org

232.245.204.71 www.emeraldclassic.co.uk

146.110.31.198 www.peterhearnwaste.co.uk

210.55.195.218 etrr.co.uk

30.13.184.251 www.avoncourt.com

120.120.254.41 sarahmcconnellphotography.net

102.241.82.235 www.ixomodels.com

98.186.58.187 natsko.com

242.212.47.220 www.nottinghampoetryseries.com

76.252.49.78 www.sheffieldmind.co.uk

59.116.200.17 ixostore.ixomodels.com

54.61.108.224 www.flairweddings.co.uk

199.88.97.1 www.fimasys.com

32.127.167.115 cohartuk.com

15.247.250.242 qqjkw.net

10.193.226.6 vivo-austin.com

87.219.215.38 www.freeality.com

245.2.217.84 bestofewan.com

227.123.112.23 www.handwritingforkids.com

223.68.20.231 cowsmo.com

43.94.9.8 www.2xlgames.com

201.201.79.121 kimzimmer.net

183.66.163.60 basetendencies.com

179.11.71.12 trackingtheworld.com

255.225.60.45 www.reviewsofbooks.com

157.77.130.159 www.collectedcurios.com

140.197.25.30 www.renningers.com

135.142.189.49 ccslaughterspdx.com

212.101.178.82 www.briarhurst.com

113.208.248.196 www.smf.org

96.72.75.67 ribbonwarehouse.com

91.18.239.19 www.garryowen.com

168.44.228.51 45pounds.com

70.83.42.165 isotopecomics.com

52.204.125.104 roysephotos.com

48.149.101.56 www.stadiumpage.com

124.175.90.89 www.elvis-express.com

26.214.92.202 www.tomorrowsedge.net

8.79.244.73 www.beautybar.com

4.24.152.93 pineleafboys.com

80.50.141.126 www.mountainlakeslodge.com

238.90.211.240 pvtc.org

221.22.38.111 bhsbees.com

216.223.14.62 baristamagazine.com

37.182.3.95 www.gokidding.com

194.33.5.209 defalcos.com

109.153.156.148 www.celticmerchant.com

172.99.64.100 www.hxproduction.com

249.57.53.132 www.wellgousa.com

151.164.123.246 blog.titanium-jewelry.com

65.29.206.117 www.brightoctober.com

129.230.114.137 hishomeforchildren.com

205.0.103.170 www.phoenixtrikeworks.com

107.39.173.27 www.professorbeyer.com

21.160.69.154 www.secondchanceboxer.com

85.105.233.106 www.residentphotography.com

161.131.222.207 woottonfootball.com

63.171.36.253 www.deborahshelton.net

234.35.119.192 bobbondart.com

41.236.27.143 www.authentium.com

118.7.16.176 asap.authentium.com

19.46.86.34 www.authentium.com.au

190.234.237.229 avast.com

253.112.145.181 www.avast.com

74.138.134.213 files.avast.com

232.245.204.71 download535.avast.com

146.110.31.198 avg.com

210.55.195.218 www.avg.com

30.13.184.251 grisoft.com

120.120.254.41 www.grisoft.com

102.241.82.235 antivirus-tools.com

98.186.58.187 archive.bitdefender.com

242.212.47.220 avx.rob-have.net

76.252.49.78 b-have.orgbitdefender-ar.com

127.184.12.85 bitdefender.com

122.129.176.36 bitdefender.org

11.156.165.69 bitdefenderchina.com

100.195.235.183 bitdefenderguatemala.com

83.59.62.54 bitdefendermalaysia.com

78.5.38.74 bitdefendertaiwan.com

155.31.27.106 bitdefenderuruguay.com

57.70.29.152 bitdefenderusa.com

39.191.180.91 buy.bitdefender-es.com

35.136.88.43 buy.bitdefender.com

111.162.77.76 buy.bitdefender.de

13.13.147.189 de.bitdefender.com

251.134.231.128 fr.bitdefender.com

247.79.139.80 futurenow.bitdefender.com

67.37.128.113 it.bitdefender.com

225.145.198.227 jobs.bitdefender.com

208.9.93.98 kb.bitdefender.com

203.210.1.117 kb.bitdefender.de

24.169.246.150 kb.bitdefender.us

181.20.60.8 latin.bitdefender.com

164.140.143.135 linux.bitdefender.com

159.86.51.87 malwarecity.com

236.112.40.119 malwarecity.netmalwarecity.org

138.151.110.233 malwarepedia.com

120.16.193.172 neunet.orgnews.bitdefender.com

116.217.169.124 nl.bitdefender.com

192.243.158.157 renewals.bitdefender.com

94.26.160.14 sales.bitdefender.com

76.147.56.141 square.bitdefender.com

72.92.220.161 store.bitdefender.com

148.118.209.194 store.de.bitdefender.com

50.158.23.52 us.bitdefender.com

33.90.106.179 virusscanonline.net

28.35.82.130 wedoantivirus.com

105.250.71.163 www.antivirus-tools.com

6.101.73.21 www.avx.ro

177.221.224.216 www.bit-defender.de

240.167.132.168 www.bitdefende.de

61.125.121.200 www.bitdefender-es.com

219.232.191.58 www.bitdefender.be

133.97.18.185 www.bitdefender.cl

197.42.182.205 www.bitdefender.co.uk

17.68.171.238 www.bitdefender.com

175.107.241.95 www.bitdefender.com.au

89.228.136.222 www.bitdefender.com.sg

153.173.45.174 www.bitdefender.com.tw

229.199.34.19 www.bitdefender.com.vn

131.239.104.65 www.bitdefender.de

46.103.187.4 www.bitdefender.es

109.48.95.211 www.bitdefender.fr

186.75.84.244 www.bitdefender.hk

87.114.154.102 www.bitdefender.us

2.46.49.41 www.bitdefenderme.com

65.180.213.249 www.malwarecity.com

178.242.238.62 www.malwarecity.fr

80.93.52.175 quickheal.com

250.214.135.46 www.quickheal.com

58.159.43.66 www.clamav.net

134.117.32.99 cgi.clamav.net

224.225.103.145 lurker.clamav.net

206.89.186.83 wwws.clamav.net

202.34.162.35 lists.clamav.net

91.60.151.68 bugs.clamav.net

180.100.153.182 system-cleaner.comodo.com

163.220.48.121 backup.comodo.com

158.165.212.72 www.comodoantispam.com

47.192.201.105 easy-vpn.comodo.com

136.231.15.219 www.trustlogo.com

119.95.98.90 ztl.comodo.com

114.41.74.110 www.livepcsupport.com

191.67.63.143 www.whichssl.com

93.106.65.188 www.trustix.com

75.227.216.127 disk-encryption.comodo.com

71.172.124.79 speedtest.comodo.com

147.198.113.112 www.contentverification.com

49.50.184.226 idauthority.com

31.170.11.164 www.comodo.tv

27.115.175.116 online-backup.comodo.com

104.73.164.149 www.testmypcsecurity.com

5.181.234.7 www.ccssforum.org

244.45.129.134 i-vault.comodo.com

239.246.37.153 internetsecurity.comodo.com

60.205.26.186 www.comodopartners.com

217.56.96.44 timestamp.comodoca.com

200.176.179.171 secure-email.comodo.com

195.122.87.123 timestamp.wosign.com

16.148.76.156 rover800.gaima.co.uk

174.187.146.13 www.nsclean.com

156.52.229.208 www.contentverification.com

152.253.205.160 new-estore.drweb.com

228.23.194.193 support.drweb.com

130.63.197.51 pda.drweb.com

112.183.92.177 updates.drweb.com

108.128.0.197 drweb.com

185.154.245.230 vms.drweb.com

86.194.59.88 solutions.drweb.com

69.126.142.215 news.drweb.com

64.71.118.166 my.drweb.com

141.30.107.199 buy.drweb.com

42.137.109.57 products.drweb.com

25.69.72.64 new-support.drweb.com

88.15.236.16 promotions.drweb.com

165.229.225.48 network.drweb.com

67.80.39.162 customers.drweb.com

237.201.122.33 store.drweb.com

45.146.30.53 company.drweb.com

121.172.19.86 training.drweb.com

23.212.90.200 license.drweb.com

193.76.241.70 cureit.ru

1.21.149.22 free.drweb.com

78.47.138.123 info.drweb.com

235.87.208.169 new-partners.drweb.com

150.207.35.108 drweb.net

213.152.199.59 new-company.drweb.com

34.179.188.92 new-beta.drweb.com

191.218.2.206 new-forum.drweb.com

106.150.153.145 secure.av-desk.com

169.28.61.97 www.av-desk.com

246.54.50.129 new-solutions.drweb.com

148.161.120.243 new-www.drweb.com

62.26.203.114 www.freedrweb.ru

126.227.111.134 daniloff.net

202.185.100.167 drweb-inside.com

36.37.171.213 drwebinside.com

18.157.254.151 aladdin.com

14.102.230.103 alladdin.ru

159.128.219.136 chickensroamfree.com

248.168.221.250 ealaddin.net

231.32.116.189 ealaddin.orgeshop.aladdin.com

226.233.24.140 secureme.com

115.4.13.173 www.aks.com

204.43.83.31 www.aladdin.com

187.163.166.158 www.ealaddin.com

182.109.142.178 www.ealaddin.com

3.135.131.210 auwww.ealaddin.nl

161.174.133.0 www.esafe.com

143.39.28.195 www.hasp.se

139.240.192.147 www.safenet-inc.com

215.10.181.180 www3.safenet-inc.com

117.118.252.38 www.ca.com

99.238.79.232 cacomvip.ca.com

95.183.243.184 www.netegrity.com

172.141.232.217 search.ca.com

73.249.46.75 cai.com

56.113.197.202 www.f-prot.com

51.58.105.221 frisk-software.com

128.17.94.254 www.frisk.is

29.124.164.112 www.frisk-software.com

12.244.247.239 f-secure.com

7.190.155.191 f-secure.frf-secure.hk

84.216.212.35 f-secure.nlfsecure.com

54.67.26.149 fsecure.nlwebyard.com

36.188.109.88 www.f-secure.com

32.133.85.40 www.fsecure.com

108.159.74.73 www.virus.fi

10.199.77.187 fortihero.com

248.63.228.57 fortilog.com

244.8.136.77 fortinet.co.at

65.34.125.110 fortinet.com

222.74.195.224 fortiprotect.com

205.6.22.95 fortiwifi.com

200.207.254.46 www.apsecure.com

21.166.243.79 www.fortifed.com

178.17.245.193 www.fortiid.com

93.137.140.132 www.fortimail.com

156.83.48.84 www.fortinet-apac.com

233.41.37.116 www.fortinet.ch

135.148.107.230 www.fortinet.co.il

49.13.190.101 www.fortinet.com

113.214.98.121 www.fortinet.com

189.240.87.154 arwww.fortinet.cz

91.24.157.12 www.fortinet.net

5.144.53.138 www.fortinet.nl

69.89.217.90 www.fortinet.sg

146.115.206.191 www.fortinetuk.com

47.155.20.237 www.secure-elements.com

218.19.103.176 gdata.es

25.220.11.127 www.gdata.es

102.247.0.160 ikarus.at

3.30.70.18 www.ikarus.at

174.218.221.213 global.jiangmin.com

237.96.197.233 jiangmin.com.cn

126.190.186.9 jiangmin.com

28.41.0.123 www.jiangmin.com.cn

198.162.83.250 www.kaspersky.com

6.107.247.14 forum.kaspersky.com

82.65.236.47 support.kaspersky.co

172.172.50.93 usa.kaspersky.com

154.37.134.31 brazil.kaspersky.com

150.238.110.239 latam.kaspersky.com

39.8.99.16 kaspersky.com

128.48.101.130 me.kaspersky.com

111.168.252.69 images.kaspersky.com

106.113.160.20 www.mcafee.com

251.140.149.53 support.mcafee.com

84.179.219.167 msr.mcafee.com

67.43.46.38 home.mcafee.com

62.245.22.58 networkassociates.com

139.15.11.90 us.mcafee.com

41.54.13.136 tr.mcafee.com

23.175.164.75 au.mcafee.com

19.120.72.27 mx.mcafee.com

95.146.61.60 networkassociates.nai.com

253.253.131.174 go.mcafee.com

235.118.215.112 fr.mcafee.com

231.63.123.64 uk.mcafee.com

52.21.112.97 de.mcafee.com

209.229.26.55 obscgi.mcafee.com

36.94.177.182 nai.com

32.39.86.202 www.entercept.com

108.253.75.235 jp.mcafee.com

10.105.145.93 mcafeeb2b.com

249.225.228.219 cn.mcafee.com

244.170.136.171 service.mcafee.com

65.197.125.204 br.mcafee.com

222.236.195.62 www.mcafee.at

205.100.22.1 mcafeeretail.com

200.46.254.209 it.mcafee.com

21.72.243.241 tw.mcafee.com

178.111.245.99 privacy.microsoft.com

161.231.140.226 tempuri.org

157.177.48.246 schemas.xmlsoap.org

233.203.37.23 www.microsoft.com

135.242.107.136 specs.xmlsoap.org

117.175.190.7 www.eugrantsadvisor.ie

113.120.167.215 schemas.microsoft.com

189.78.156.248 encarta.msn.com

91.186.158.106 www.sysinternals.com

6.50.53.44 grv.microsoft.com

69.251.217.252 www.xmlsoap.org

146.210.206.29 www.eugrantsadvisor.se

115.129.88.211 www.eugrantsadvisor.com

30.249.171.82 research.microsoft.com

93.195.79.102 www.engyro.com

170.221.68.134 www.exchangeyourcareer.com

71.4.138.248 www.eugrantsadvisor.de

242.124.33.119 exchangeyourcareer.net

50.70.197.71 eugrantsadvisor.de

126.96.186.172 eugrantsadvisor.cz

28.135.0.217 www.eset.es

198.0.83.156 demos.eset.es

6.201.247.108 descargas.eset.es

82.227.237.141 blogs.protegerse.com

240.11.51.255 eos.eset.es

155.199.202.193 pedidos.protegerse.com

218.76.110.145 reg-int.nod32-es.com

39.103.99.178 reg.eset.es

196.210.169.36 vicentevirtual.com

111.74.252.163 cou85.com

174.20.160.183 www.norman.com

251.234.149.215 fsc.norman.com

84.85.219.5 nprobeta.norman.com

67.205.114.12 register.norman.com

131.219.90.220 webadmin.norman.no

19.245.79.253 sandbox.norman.com

109.28.81.110 www.nprotect.com

91.149.232.49 global.nprotect.com

87.94.140.1 www.nprotect.co.kr

231.120.130.34 www.npin.co.kr

65.160.200.148 siren24.nprotect.com

48.24.27.18 15660808.co.kr

43.225.3.38 biz.nprotect.com

120.252.248.71 nprotect.net

21.35.250.117 www.nprotect.com.br

4.155.145.56 liveprotect.net

255.101.53.8 nprotect.seoul.go.kr

76.127.42.40 chollian.nprotect.co.kr

233.234.112.154 www.pandasecurity.com

216.98.195.93 research.pandasecurity.com

212.44.103.45 support.pandasecurity.com

32.2.92.78 pandalabs.pandasecurity.com

190.109.162.191 pandasecurity.com

172.230.57.62 mop.pandasecurity.com

168.175.221.82 timeforyourbusi.pandasecurity.com

56.201.23.183 cybercrime.pandasecurity.com

214.53.93.41 free.pandasecurity.com

196.173.176.167 cloudprotection.pandasecurity.com

192.118.84.119 shop.pandasecurity.com

13.145.73.152 soporte.pandasecurity.com

170.184.143.10 together.pctools.com

153.48.226.205 www.prevx.com

148.249.202.157 info.prevx.com

225.20.191.189 free.prevx.com

126.59.193.47 spywarefiles.prevx.com

109.179.88.174 spywaredlls.prevx.com

105.125.252.194 shield.prevx.com

181.151.241.227 www.prevx1.com

83.190.55.84 howsafeismypc.com

65.123.138.211 www.retento.com

61.68.114.163 www.freerav.com

137.26.104.196 www.rising-global.com

39.134.106.54 www.risingav.com.au

210.254.1.248 support.rising-global.com

17.199.165.200 superboy2010.com.au

94.158.154.233 www.sophos.com

251.9.224.91 feeds.sophos.com

166.129.51.218 esp.sophos.com

229.74.215.238 cn.sophos.com

50.101.204.14 tw.sophos.com

207.140.18.128 kr.sophos.com

122.4.169.255 sophos.com

186.206.77.207 podcasts.sophos.com

6.232.66.52 www.sunbeltsoftware.com

164.15.136.97 go.sunbeltsoftware.com

78.136.219.36 oem.sunbeltsoftware.com

178.117.164.24 antispam.sunbeltsoftware.com

254.143.153.57 antispyware.sunbeltsoftware.com

156.183.223.171 antivirus.sunbeltsoftware.com

71.115.118.110 sunbeltsoftware.com

134.248.26.61 shop.sunbeltsoftware.com

211.19.15.94 live.sunbeltsoftware.com

112.126.85.208 firewall.sunbeltsoftware.com

27.246.168.79 www.symantec.com

90.192.76.99 security.symantec.com

167.150.65.131 securityrespons.symantec.com

1.1.135.177 service1.symantec.com

239.122.218.116 enterprisesecur.symantec.com

235.67.194.68 eval.symantec.com

123.93.183.101 symantec.com

213.132.185.214 definitions.symantec.com

195.253.80.153 investor.symantec.com

191.198.245.105 et.symantec.com

79.224.234.138 sfdoccentral.symantec.com

169.8.48.252 servicenews.symantec.com

152.128.131.123 securityrespons.symantec.com

147.73.107.142 sea.symantec.com

224.100.96.175 go.symantec.com

125.139.98.221 dell.symantec.com

108.3.249.160 sun.symantec.com

103.205.157.112 marian.symantec.com

180.231.146.144 tms.symantec.com

82.82.216.2 securitycheck.symantec.com

64.203.43.197 smallbiz.symantec.com

60.148.207.149 www.symantec.com

136.106.196.182 visualtracking.symantec.com

38.213.10.39 search.symantec.com

20.78.161.166 liveupdate.symantec.com

16.23.70.186 sitedirector.symantec.com

92.237.59.219 edm.symantec.com

250.89.129.145 hostedmailsecur.symantec.com

45.21.24.16 www4.symantec.com

40.222.188.223 education.symantec.com

117.249.177.0 vos.symantec.com

18.32.247.114 www.hacksoft.com.pe

1.152.74.53 hacksoft.pe

252.98.50.5 www.hacksoft.pe

73.124.39.37 housecall.trendmicro.com

231.163.41.151 www.trendmicro.com

213.27.192.22 housecall65.trendmicro.com

209.229.100.42 us.trendmicro.com

29.255.89.75 blog.trendmicro.com

187.38.159.188 emea.trendmicro.com

169.227.242.59 housecall60.trendmicro.com

165.172.219.11 jp.trendmicro.com

241.130.208.44 de.trendmicro.com

143.238.210.158 it.trendmicro.com

58.102.105.97 itw.trendmicro.com

121.47.13.48 esupport.trendmicro.com

198.6.2.81 es.trendmicro.com

99.113.72.195 br.trendmicro.com

14.233.155.66 tw.trendmicro.com

77.179.63.86 la.trendmicro.com

154.205.52.118 uk.trendmicro.com

56.244.122.232 ru.trendmicro.com

226.108.17.103 smbstore.trendmicro.com

34.54.181.55 apac.trendmicro.com

110.80.170.156 store.trendmicro.com

12.119.240.201 training.trendmicro.com

182.240.67.140 trial.trendmicro.com

246.185.232.92 ushousecall02.trendmicro.com

66.211.221.125 subwiz.trendmicro.com

224.251.35.239 go.trendmicro.com

139.183.186.178 feeds.trendmicro.com

202.60.94.129 channelpartner.trendmicro.com

23.87.83.162 wtc.trendmicro.com

180.194.153.20 shop.trendmicro.com

95.58.236.147 fr.trendmicro.com

158.4.144.167 threatinfo.trendmicro.com

235.218.133.199 newsletters.trendmicro.com

69.69.203.245 www.anti-virus.by

51.189.30.184 bg.virusblokada.com

47.135.6.136 www.vba.com.by

191.161.251.169 beta.anti-virus.by

25.200.253.26 www.bg.virusblokada.com

7.65.148.221 www.hauri.net

3.10.57.173 www.hauri.co.kr

147.36.46.206 company.hauri.net

237.76.116.64 www.globalhauri.com

220.196.199.191 shop.hauri.co.kr

215.141.175.210 hauri.co.kr

36.168.164.243 pg.hauri.net

193.207.166.33 esecurity.livecall.co.kr

176.71.61.228 mall.hauri.co.kr

171.17.225.180 company.hauri.co.kr

248.43.214.212 haurijapan.com

150.150.28.70 virobot.co.kr

132.14.111.9 www.virusbuster.hu

128.216.19.217 virusbuster.hu

204.174.8.250 scanner.novirusthanks.org

106.25.78.107 scanner2.novirusthanks.or

88.146.229.234 novirusthanks.org

84.91.138.254 www.novirusthanks.org

160.49.127.31 virustotal.com

62.157.197.145 www.virustotal.com

45.21.24.16 virscan.org

40.222.188.223 www.virscan.org

117.249.177.0 virusscan.jotti.org

18.32.247.114 jotti.org

1.152.74.53 www.jotti.org

252.98.50.5 viruschief.com

73.124.39.37 www.viruschief.com

231.163.41.151 scanner.virus.org

213.27.192.22 virus.org

209.229.100.42 www.virus.org

29.255.89.75 scan4you.net

187.38.159.188 www.scan4you.net

169.227.242.59 avhide.com

165.172.31.79 www.avhide.com

53.198.20.112 anubis.iseclab.org

211.50.22.226 iseclab.org

126.170.173.165 www.iseclab.org

189.115.81.116 threatexpert.com

10.74.70.149 www.threatexpert.com

167.181.140.7 forospyware.com

82.45.223.134 www.forospyware.com

145.247.131.154 in.answers.yahoo.com

222.17.120.186 es.answers.yahoo.com

123.56.190.44 kioskea.net

38.176.85.171 www.kioskea.net

102.122.249.123 es.kioskea.net

178.148.238.224 mygeekside.com

80.187.52.13 www.mygeekside.com

250.52.135.208 www.tecniservicioslys.com

58.253.44.160 tecniservicioslys.com

134.23.33.193 virusfreezone.info

36.63.103.51 www.virusfreezone.info

207.251.254.246 intranet.cidiroax.ipn.mx

14.128.162.197 spycheck.es

91.155.151.230 www.spycheck.es

248.6.221.88 antivirus.hispavista.com

163.126.48.215 computing.net

226.72.212.235 www.computing.net

47.30.201.11 spycheck.co.uk

137.137.15.57 www.spycheck.co.uk

119.1.98.252 midescargas.com

115.203.74.204 www.midescargas.com

3.229.63.237 static.yoreparo.com

93.12.65.94 softfaq.com

75.133.216.33 www.softfaq.com

71.78.125.241 configurarequipos.com

215.104.114.18 www.configurarequipos.com

49.144.184.132 seasonsecurity.com

32.8.11.3 www.seasonsecurity.com

27.209.243.22 removetrojanvirus.org

104.236.232.55 www.removetrojanvirus.org

5.19.234.101 ibusca.me

244.139.129.40 www.ibusca.me

[/spoiler]

Media penyebaran

Untuk menyebarkan dirinya, ia akan menggunakan media USB Flash dengan memanfaatkan fitur autorun Windows dengan membuat 2 buah file yakni:

autorun.inf
85luFefZ08lzEPQXsS014zzp9LV3F54yhE0zz5k0g\S-1-3-01-4639134501-7494416267-104346834-7052\Ua3kmh73O3jyut4Iok.exe

File [autorun.inf] ini berisi script untuk menjalankan file [Ua3kmh73O3jyut4Iok.exe] yang akan di aktifkan secara otomatis pada saat user mengakses USB Flash. (lihat gambar 9)

Selain itu untuk “menjebak” user ia akan membuat file duplikat berupa shortcut yang akan mempunyai nama file yang sama dengan nama file yang disembunyikan, file shortcut ini akan mempunyai icon acak (lihat gambar 10).

Cara pembersihan Trojan.FakeAV.3510
1. Untuk pembersihan, Anda dapat menggunakan Tools Dr.Web CureIt! dari antivirus Dr.Web. Silahkan download tools tersebut di alamat berikut:

http://www.freedrweb.com/cureit/?lng=en

Setelah tools tersebut berhasil di download, jalankan tools tersebut dengan cara double click pada file Dr.Web CureIt!. Pada saat muncul konfirmasi “DrWeb CureIt! – Enhanced Protection Mode”, klik tombol [OK], pada saat Anda memilih mode ini Anda tidak akan dapat melakukan aktifitas di komputer hal ini di lakukan agar proses pembersihan dapat dilakukan lebih optimal. (lihat gambar 11)

Kemudian akan muncul layar scan “Dr.Web Scanner for Windows – Express Scan”, biarkan sampai proses scan selesai dilakukan. Jika muncul proses pembersihan pada saat proses scan dilakukan, klik tombol [Yes to All), lihat gambar 12.

Untuk pembersihan optimal, scan semua Drive termasuk USB Flash/HDD eksternal dengan memilih opsi [Scan complete] (lihat gambar 13).

Catatan:

Dr.Web antivirus juga akan secara otomatis mengembalikan HOSTS file Windows yang sudah di ubah oleh Trojan.fakeAV.3510 ke setting awal. Jika muncul konfirmasi perbaikan terhadap file HOSTS Windows yang sudah diubah oleh virus, klik tombol [Yes]. (Lihat gambar 14).

Klik Restart, jika muncul konfirmasi restart dari antivirus Dr.Web

2. Fix Registry Windows yang sudah di ubah oleh virus, untuk mempercepat proses perbaikan salin script di bawah ini pada program Notepad dan simpan dengan nama REPAIR.INF, jalankan file tersebut dengan cara

Klik kanan REPAIR.INF
Klik INSTALL

[Version]

Signature=”$Chicago$”

Provider=Vaksincom

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”

HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”

HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”

HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”

HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”

HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”

HKCU, Software\Microsoft\Internet Explorer\main, Start Page,0, “about:blank”

HKCU, Software\Microsoft\Internet Explorer\main, Search Page,0,”about:blank”

HKCU, Software\Microsoft\Internet Explorer\main, Local Page,0, “about:blank”

HKCU, Software\Microsoft\Internet Explorer\main, Default_Search_URL,0, “about:blank”

HKCU, Software\Microsoft\Internet Explorer\main, Default_Page_URL,0, “about:blank”

[del]

HKCU, Software\Microsoft\WIndows\CurrentVersion\Run, 74e4144414

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Associations

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFile

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoRun

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\System, DisableTaskMgr

HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall

HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage

HKLM, Software\Microsoft\WIndows\CurrentVersion\Run, 74e4144414

HKLM, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKLM, Software\Microsoft\WIndows\CurrentVersion\Policies\System, EnableLUA

2. Hapus secara manual lokasi registy berikut:

Klik menu [Start]
Klik [RUN]
Ketik REGEDIT.EXE, kemudian klik tombol [OK]
Kamudian hapus string registry berikut

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Catatan: %user% ini adalah nama user/acount yang digunakan saat logon Windows

3. Fix Image File Execution File. Silahkan download file FixImageFile di alamat http://rapidshare.com/files/446070146/FixImageFile.zip kemudian import fileFixImageFile_XP.reg(Windows XP) atau FixImageFile_Vista_Win7.reg (Windows Vista/7) dengan cara: (lihat gambar 15)

Klik [Start]
Klik [Run]
Ketik REGEDIT.EXE kemudian klik tombol [OK]
Setelah muncul layar “Registry Editor”, klik menu [File]
Klik [Import]
Kemudian arahkan ke file FixImageFile.reg, kemudian klik tombol [Open] (lihat gambar 16)
Jika muncul layar konfirmasi, klik tombol [OK] (lihat gambar 17)

4. Tampilkan file yang telah disembunyikan oleh virus di USB Flash, caranya:

Klik [Start]
Klik [Run]
Ketik CMD kemudian klik tombol [OK]
Setelah muncul aplikasi Command Prompt (CMD), pindahkan posisi kursor ke USB Flash dengan mengetik perintah %USB Flash%: kemudian tekan tombol Enter.

Catatan:

%USB Flash% adalah drive yang berbeda-beda, contoh jika USB Flash Anda adalah E maka ketik perintah E:

Kemudian ketik perintah ATTRIB -s -h -r /s /d kemudian klik tombol Enter (lihat gambar 18)
Tunggu beberapa saat sampai proses selesai dilakukan

5. Untuk pembersihan optimal, scan dengan menggunaan antivirus yang up-to-date

Tags:

Getting Started with Arduino and Genuino UNO

Sunday 10 May 2015

[PR] Trojan.FakeAV.3510: Manipulasi Windows HOSTS File dan Block Antivirus

No comments:

Post a Comment