Cleaning W32/Moonlight Virus

Written By The Ones on Monday, November 2, 2009 | 8:57 AM


"Moonlight" is the name this worm gives itself. This locally made worm has actually been around since the W32/Brontok (W32/Rontokbro) era, but it persists to this day because new variants keep appearing. In fact, AVI has received many reports from computer users infected by this worm, which is why we chose to discuss Moonlight this time.

Characteristics
W32/Moonlight is written in the local vxer's (a term for malware programmers) favourite compiler, VB6 (Visual Basic 6), and compressed with the FSG PE packer. Its original size is 324 KB; after compression it is 144 KB. It disguises itself with the standard Windows XP folder icon.

Action (Payload)
When first run, W32/Moonlight.L creates the file "systear.dll" in the system directory, for example "C:\WINDOWS\system32\systear.dll". This is an initialization file that lets the worm recognize itself and mark where it has already spread. It then creates a supporting dynamic link library (DLL), "moonlight.dll", in the Windows directory (for example "C:\WINDOWS\moonlight.dll") and extracts a MIDI music file, "onceinabluemoon.mid", into the Windows directory. Next, the worm creates directories with random names under both the Windows and System32 directories, in the form "C:\WINDOWS\[random]", where "[random]" is a random name such as:

"C:\WINDOWS\FLR1S4G"
"C:\WINDOWS\system32\LDF6I7R"

Using random names is probably meant to complicate investigation and cleanup.
The worm then copies itself to the following locations:
* C:\WINDOWS\[random]\service.exe
* C:\WINDOWS\[random]\smss.exe
* C:\WINDOWS\[random]\system.exe
* C:\WINDOWS\[random]\winlogon.exe
* C:\WINDOWS\lsass.exe
* C:\WINDOWS\system32\[random] - [random].cmd
* C:\WINDOWS\[random].exe
* C:\WINDOWS\system32\[random].exe
* C:\WINDOWS\[random] - [random].com

W32/Moonlight.L deliberately copies itself under names that resemble built-in Windows processes, such as "smss.exe" and "service.exe", so that its processes are not easy to end with the built-in Windows Task Manager. Keep in mind that Task Manager refuses to end processes with names including "service.exe", "smss.exe", "system.exe", "winlogon.exe", and "lsass.exe".

Because the worm is written in VB6, and every VB6 application needs the runtime "msvbvm60.dll", the worm uses a clever strategy to keep that runtime from being deleted or removed (which would stop the worm from running): it makes a backup copy of the runtime at "C:\WINDOWS\system\msvbvm60.dll".
Another thing it does is create a file named "MooNlight.txt" in the Windows directory (for example "C:\Windows\MooNlight.txt"). This file contains a message from the author, who goes by the nick "Lunalight" aka "Moonlight":

Spread
W32/Moonlight.L spreads very much like the legendary W32/Brontok aka W32/Rontokbro: it copies itself into every directory under a name resembling that of the parent directory.
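As an added illustration (not the magazine's AVI tool and not anything from the worm's author), the following Python script checks a Windows directory for the artifacts described above: the dropped files, system-process names living outside System32, the VB6 runtime backup in WINDOWS\system, and Brontok-style copies named after their parent folder. It assumes the path passed in is the Windows folder itself; the tree it scans is constructed in a temporary directory, and the folder names FLR1S4G, Help and Help.exe in it are only sample values.

```python
import os
import tempfile
from pathlib import Path

# Names taken from the write-up above (compared case-insensitively).
DROPPED = {"systear.dll", "moonlight.dll", "onceinabluemoon.mid", "moonlight.txt"}
# Names borrowed from Windows so that Task Manager refuses to end the process.
BORROWED = {"service.exe", "smss.exe", "system.exe", "winlogon.exe", "lsass.exe"}

def scan(windows_root):
    """Walk a Windows directory and return (reason, path) for each indicator found.

    Assumption: windows_root is the Windows folder itself, so System32 is a direct child.
    """
    root = Path(windows_root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel = [p.lower() for p in d.relative_to(root).parts]   # [] for the root itself
        for name in files:
            low, path = name.lower(), d / name
            if low in DROPPED:
                hits.append(("dropped file", path))
            elif low in BORROWED and rel != ["system32"]:
                hits.append(("system-process name outside System32", path))
            elif low == "msvbvm60.dll" and rel == ["system"]:
                hits.append(("VB6 runtime backup", path))
            elif low.endswith((".exe", ".com", ".cmd")) and Path(name).stem.lower() == d.name.lower():
                hits.append(("copy named after its parent folder", path))
    return hits

def build_sample_tree(base):
    """Constructed mock Windows tree: the article's artifacts plus a few benign files."""
    for rel in ("system32/systear.dll", "moonlight.dll", "onceinabluemoon.mid",
                "MooNlight.txt", "FLR1S4G/smss.exe", "FLR1S4G/winlogon.exe",
                "lsass.exe", "system/msvbvm60.dll", "Help/Help.exe",
                "system32/smss.exe", "system32/msvbvm60.dll", "Fonts/arial.ttf"):
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")   # placeholder content; only names and locations matter here

def demo():
    """Scan the constructed tree and return {reason: sorted relative paths}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "WINDOWS"
        build_sample_tree(root)
        out = {}
        for reason, path in scan(root):
            out.setdefault(reason, []).append(path.relative_to(root).as_posix())
        return {k: sorted(v) for k, v in out.items()}
```

The parent-folder check is the only one that also makes sense outside the Windows directory; on a real machine it would be run over every drive the worm could have reached.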

Cleaning and prevention
It is fairly easy to clean: all you need to do is run AVI (Antivirus Info Computer), which is bundled on the DVD included with this magazine. Run it and scan every location and storage medium connected to your computer. Keep in mind: do not do anything else while the scan is running. For prevention, we recommend installing AVI as a resident guard to keep your computer from being infected by this worm again.

AVI 2.0.4.9 Changelog:
* Fixed a buffer overflow bug that caused AVI to crash while updating online.
* Fixed a compatibility bug with Windows Vista / 7.
* Fixed an access violation bug that caused AVI to crash while scanning.
* Improved detection of some Windows 7 system files.
