The FLEC006 and HIDN2 Viruses

My computer is always connected to the internet because I need to know right away when an e-mail comes in, although that does not mean I am always “present” online, just “open”.

One day I was reading e-mail and visiting a few sites on the internet. But for some reason my browser became very slow. Annoyed, I decided to stop using the internet and closed the browser.

But when I happened to glance at the LAN connection icon (the picture of two computers in the bottom right corner), it was still lit up on my computer, even though I was no longer using the internet. I watched it and the light just kept flashing, whereas normally when I am no longer online that light goes out. I waited a while; it was still on. Finally I tried looking in Windows Task Manager at which programs were active, and something was odd: there was an application whose name I had never seen before (I happen to use Task Manager often, so I have some idea when an application outside the ones I normally use is running). It was listed as flec006.exe. What was this? The Performance tab also showed that my CPU Usage percentage was high.

Then I tried ending that application's process (by clicking End Process). The light on the LAN connection icon went out immediately (so this application was making me appear to be connected to some internet server somewhere), and the CPU Usage percentage dropped but was still high.

I looked once more at the active applications, and there was another odd one: it was listed as HIDN2.exe. There were also a few other applications I suspected, for instance drv_scr…… something like that. What was this now? I closed those applications right away and my CPU performance improved further.

I began to think that all of these applications were viruses, so I started looking for information about them. It turns out they are a type of trojan, and apparently quite dangerous. Here is the information I managed to find:

Source: greatis.com
FLEC006.EXE
DEFINITION OF: FLEC006.EXE
1. COVERT ANALYSIS OF: FLEC006.EXE
File Names Used: 24
Paths Used: 32
Common File Name: FLEC006.EXE
Common Path: %appdata%\m\
Vendor Information: No Vendor details specified

FLEC006.EXE may use 24 or more path and file names; these are the most common:

  1. :%CACHE%\CONTENT.IE5\????????\777[13].GIF
  2. :%CACHE%\CONTENT.IE5\????????\777[20].GIF
  3. :%CACHE%\CONTENT.IE5\????????\777[25].GIF
  4. :%CACHE%\CONTENT.IE5\????????\777[33].GIF
  5. :%CACHE%\CONTENT.IE5\????????\777[40].GIF
  6. :%CACHE%\CONTENT.IE5\????????\777[45].GIF
  7. :%CACHE%\CONTENT.IE5\????????\777[5].GIF
  8. :%CACHE%\CONTENT.IE5\????????\777[6].GIF
  9. :%CACHE%\CONTENT.IE5\????????\777[7].GIF
  10. :%DESKTOP%\FCGJFHKGYLKU.EXE
  11. :%honeypotroot%\454731EE4080184214D52C65C744…..TXT
  12. :%WINDIR%\SYSTEM32\RE_FILE.EXE
  13. :?:\A00000000

• File Name Structure: Normal
• File and Path Structure: Suspicious, code execution from unusual location
2. RELATIONSHIP ANALYSIS OF: FLEC006.EXE
• Malicious Objects Created: 3 objects
• Malicious Creators: 27
• Malware Run Keys: None
• Self Persists: Yes, creates copies of itself
• Antivirus Detection: No third party antivirus detection observed
• Anti-Spyware Detection: No third party anti-spyware detection observed
3. ACTIVITY ANALYSIS OF: FLEC006.EXE
The following behaviors have been observed for this object:
• Installs programs.
• Deletes programs.
• Invokes dll components.
• Creates Run Keys.
• Modifies the hosts file.
• Runs other programs.
• Communicates with web sites using httpout protocols.
• Communicates with other computers across the web.
• Scans active processes.
• Hijacks running processes.
• Has outbound communications.
• Creates known malware.
• Creates copies of itself.

From: spyware-net
flec006.exe
Component Name: flec006.exe

Description of flec006.exe

This is a component of Trojan Bagle.KP. Bagle.KP is a Trojan typically spread through email. Upon execution, it latches itself onto startup processes, running every time the system boots, and contacts a pre-set location online.
Recommendation for flec006.exe
It is highly recommended that this application be removed from the system.
Trusted: No
Trojan: Yes
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No
Company Name: NA
Platforms Affected:
Methods of Distribution: E-mail attached
Variants/Versions:
Release Date: NA
hidn2.exe is rootkit W32/Bagle-KJ.
hidn2.exe is used to hide files, processes and registry.
hidn2.exe is a kernel mode rootkit.
hidn2.exe spreads by e-mail.
hidn2.exe tries to terminate antiviral programs installed on a user computer.
Related files:
\Application Data\hidn\hidn2.exe
\Application Data\hidn\m_hook.sys
m_hook.sys is created as a new system driver.
Added to registry:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Adds the value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key

to the Windows startup registry keys.
The rootkit attempts to delete the following Safe Mode registry entries:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
More info: http://www.sophos.com/virusinfo/analyses/w32baglekj.html

Flec006.exe is Trojan.Lodeight.C.
Related files:
%UserProfile%\Application Data\m\flec006.exe
%UserProfile%\Application Data\m\shared
%UserProfile%\Application Data\m\list.oct
%UserProfile%\Application Data\m\data.oct
%UserProfile%\Application Data\m\srvlist.oct
Read more: http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodeight.c.html
Kill the process flec006.exe and remove flec006.exe from Windows startup using RegRun Reanimator.
http://www.regrun.com

HIDN2
Source: Bleepingcomputer.com
Name: drv_st_key
Filename: hidn2.exe

Command: %UserProfile%\Application Data\hidn\hidn2.exe
Description: Added by the W32.Beagle.FN@mm mass-mailing worm. This infection also utilizes the m_hook.sys rootkit to hide itself.

W32.Beagle.FN@mm is a mass-mailing worm that uses its own SMTP engine to spread, and may also download and execute remote files. It also attempts to lower security settings on the compromised computer.
File Location: %UserProfile%\Application Data\hidn\hidn2.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry

Note: %UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP and c:\winnt\profiles\ for Windows NT.

Name: mule_st_key
Filename: flec006.exe
Status: X
Description: Added by the Troj/Bagle-KP Trojan.

Status Key
X – This status flag means the item should definitely not start up automatically. Items that have this flag are generally malware such as viruses, trojans, hijackers or spyware, but could also be programs that are not desirable to run on your computer.
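The reports above name a small set of persistence artifacts for this infection: the Run values drv_st_key and mule_st_key, the dropped files under Application Data\hidn and Application Data\m, the m_hook service registration for the kernel-mode rootkit, the SafeBoot keys it tries to delete, and a modified hosts file. The following read-only triage check is an added example and not taken from any of the quoted sources; it assumes a PowerShell-capable Windows host, where $env:APPDATA is the equivalent of the reports' %UserProfile%\Application Data, and it only reports findings without removing anything.

```powershell
# Added triage script, not part of the quoted reports. Read-only: it lists the persistence
# artifacts named in the reports above and removes nothing. $env:APPDATA stands in for
# the reports' %UserProfile%\Application Data path.
$findings = @()

# 1. Run values named in the reports (drv_st_key for hidn2.exe, mule_st_key for flec006.exe).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    foreach ($name in 'drv_st_key', 'mule_st_key') {
        $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($v) { $findings += "Run value '$name' in $key -> $($v.$name)" }
    }
}

# 2. Dropped files from the two 'Related files' lists.
$badFiles = @('hidn\hidn2.exe', 'hidn\m_hook.sys', 'm\flec006.exe',
              'm\list.oct', 'm\data.oct', 'm\srvlist.oct')
foreach ($rel in $badFiles) {
    $full = Join-Path $env:APPDATA $rel
    if (Test-Path -LiteralPath $full) { $findings += "File present: $full" }
}

# 3. The m_hook driver's service registration (how the kernel-mode rootkit gets loaded).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\m_hook'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key m_hook exists, ImagePath: $img"
}

# 4. SafeBoot keys the rootkit tries to delete; if they are gone, Safe Mode cannot boot.
foreach ($sb in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $path)) { $findings += "SafeBoot\$sb key is missing" }
}

# 5. hosts file: the reports say the trojan modifies it, so list every IPv4 entry
#    other than the default localhost line for manual review.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content -Path $hosts -ErrorAction SilentlyContinue) {
    if ($line -match '^\s*\d' -and $line -notmatch '^\s*127\.0\.0\.1\s+localhost\b') {
        $findings += "hosts entry: $($line.Trim())"
    }
}

if ($findings.Count -eq 0) { 'No flec006/hidn2 indicators found.' } else { $findings }
```

A missing SafeBoot key is worth noting before attempting a Safe Mode cleanup, since the machine will not boot into Safe Mode until the key is restored.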
