
Thursday, 21 June 2012

The Naka virus and aungsansukyi@blumail.org

If aungsansukyi@blumail.org sends you a contact request, do not accept it at all. Your accounts will be lost within 24 hours. The zip file being sent under the title "Amay Su, please answer, Part 2" is a very frightening VIRUS. It completely ruins the computer. Do not open it at all. Note: we experienced this ourselves, and we are giving this advance warning before we have found a way to kill it.



Source : Myanmar Cyber Defence Army (http://www.mmcyberdefencearmy.org/)



This is an important message, so please read it carefully and share it.

The virus's name is Naka.

File name: Naka.exe
File size: 2097152 bytes
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5: a1b720650f4e943a13a1f97623ce98c9
SHA1: 74d577f352bbc675271c640f0ee04f5f7544097c
File URL: http://goo.gl/A9sHt

[The file has been deleted because the hosting was suspended. Thank you to Mike from GoDaddy for taking care of this :)]
This is the script kiddie who used the program to generate the worm:
blackburnbbhh@gmail.com
These are his contact numbers, used for password recovery. Any authority can reach this cyber criminal at these numbers:
+8801917665290
+01919834692

First of all, THERE ARE NO INFECTIONS AT ALL IN BURMA with this worm. You want to name it "NAKA"; we can name it "BSGH": "Bangalishit Script-kiddie Got Hacked".

They think Burmese people use cheap PCs the way poor BD guys do. We use Mac and Linux!! Go and develop yourself enough to write a virus for Linux if you have the skills; we have skills in disassembly too, and skills different from theirs.

1)
The worm modifies the hosts-file entries for Facebook and Google so that their IP addresses redirect to the attackers' website. If someone visits Facebook from an infected PC, their Facebook account can be hacked, and they may think this guy hacked Facebook. Real idiots! They don't know how Burmese people surf the web: everyone knows about hosts files, and everyone knows how to bypass the big firewall of the Government of Burma, for example by using an anonymous IP :P

66.220.153.74 http://bdblackhats.com/    <=== the entry that replaces Facebook
73.194.69.104 http://bdblackhats.com/    <=== the entry that replaces Google
If you see these two lines in your hosts file, delete them.
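A small checker for the hosts-file change described in this section, added here as an example and not part of the original post. It flags the two IPs and the bdblackhats.com entry listed above and, going a step further than the post, any line that points a facebook.com or google.com hostname at a non-loopback address; the hosts path and the sample file content are assumptions.

```python
"""Find and strip the Naka worm's hosts-file redirects (added example)."""
import re
from pathlib import Path

SUSPECT_IPS = {"66.220.153.74", "73.194.69.104"}     # the two IPs the post lists
SUSPECT_DOMAIN = "bdblackhats.com"                    # the site the post lists
PROTECTED = ("facebook.com", "google.com")            # hostnames the worm redirects
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")   # assumed location

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def is_suspect(line):
    """True if one hosts-file line matches a Naka indicator."""
    body = line.split("#", 1)[0].strip()              # drop comments and blanks
    if not body:
        return False
    addr, *names = body.split()
    if addr in SUSPECT_IPS:
        return True
    for name in names:
        # The post shows the entry written as a URL; normalise that form too.
        host = re.sub(r"^https?://", "", name).rstrip("/").lower()
        if _in_domain(host, SUSPECT_DOMAIN):
            return True
        if addr not in LOOPBACK and any(_in_domain(host, d) for d in PROTECTED):
            return True                               # well-known host hijacked
    return False

def clean_hosts(text):
    """Split hosts-file text into (kept_lines, removed_lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_suspect(line) else kept).append(line)
    return kept, removed

# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = ("# constructed sample\n127.0.0.1 localhost\n"
                "66.220.153.74 http://bdblackhats.com/\n"
                "73.194.69.104 http://bdblackhats.com/\n"
                "1.2.3.4 www.facebook.com\n")

if __name__ == "__main__":
    live = HOSTS_PATH.exists()                        # real file only on Windows
    text = HOSTS_PATH.read_text(errors="replace") if live else SAMPLE_HOSTS
    kept, removed = clean_hosts(text)
    for line in removed:
        print("REMOVE:", line)
    if live and removed:                              # needs Administrator rights
        HOSTS_PATH.write_text("\n".join(kept) + "\n")
```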

2) Fake message: "This program has known Compaitablity Issues In VirturalBox. Please Run It Normally. The Application Will Now Close. Thankyou."
The same fake message is shown for SpyBot S&D.
It displays fake messages with the text shown above, claiming the program you opened is not compatible and that you should run it "normally" instead. Watch out for these fake messages.

3)
Logger Email Address: torechudikhankirpola@gmail.com Password: +8801015209

This email address and password are as shown. We have now hacked and deleted that account; it was created for malicious purposes only, to collect logs from Burmese PCs. We have also reported the account to Google and asked them not to accept any recovery request, since we have proof.

You can look at the following URLs:
1#OWNED http://i50.tinypic.com/2u6pifk.gif

2#OWNED http://i45.tinypic.com/20js0vb.gif
<== After I saw an attempt to recover the password: really, your confirmation code came to my phone. LOL! So I was ready for this.
3#TANGODOWN http://i49.tinypic.com/35d8g9h.gif
<=== Ouch! That may hurt the BD guys!

4)
It has anti-analysis features: AntiNorman, AntiNOD32, AntiZoneAlarm, AntiBitDefender, AntiKaspers, AntiWireShark. So those antivirus products can't detect it, and Avast, AVG, BitDefender, ClamAV, F-Secure, G-Data, Kaspersky, Panda, Quick Heal, VBA32 and VirusBuster will not detect it either.
Don't worry: the worm, detected as "Generic.dx!", CAN BE detected by the following antivirus products: AntiVir, CPSecure, Dr.Web, Emsisoft, ESET, F-Prot, IKARUS, Sophos.

5)

You can find the worm's exe files (NakaNaka.exe, Naka.exe) on an infected system.
DLLs used to run the worm: ntdll.dll, advapi2.dll, kernel32.dll.
Batch file: MELT.bat; it contains a command to delete C:\Windows\winlogon.exe.
6)

Once you run the file, it infects your PC, logs your information and emails it to that address, and disables functions such as Run, cmd.exe and Task Manager. It also stops services and kills processes with the following commands: it runs "SC stop wscsvc" (the Security Center service), "SC stop SharedAccess" (Windows Firewall/Internet Connection Sharing) and "TASKKILL /F /T /IM" in order to infect.


7)
Here are the fixes.
For the "Run" problem, see http://technet.microsoft.com/en-us/library/cc938270.aspx

For the Task Manager problem, see http://support.microsoft.com/kb/555480

For the cmd.exe problem, do the following:

Click Start, then Run, and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f


8)
The worm also hides its files, because it changes the following registry value to 1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
[1 is Hidden, 2 is Visible]

LOL, I don't know why it uses the URL http://automation.whatismyip.com/; that URL was blocked by whatismyip.com a long time ago.

9)
The worm can also spam Yahoo, Live and Skype with a fake message and file.
You may need to clean the following files too.
C:\Documents and Settings\Username\Local Settings\Application Data\Yahoo Messenger\y.src

y.src is the shareable file Yahoo Messenger uses to spread it through your chats.
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft Messager\mypornpics.src
mypornpics.src is the shareable file used to spread it through Live/Hotmail chat.

C:\Windows\System32\sy4c.vbs - SKYPE4COM - Skype
If your computer is infected, your Skype account may send your friends this message: "Hey Check out my new program".


10)
Also check your registry at the following keys:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\App Paths
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Policies\Explorer
NoControlPanel <=== remove it
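The registry checks from sections 7 and 10 as one triage script, added here as an example and not the author's code. It parses the text that `reg query <key> /s` prints, reports a non-zero DisableCMD, the NoControlPanel value and any Run or App Paths entry that launches one of the worm's files, and prints the REG command that undoes each one; the sample output is constructed.

```python
"""Triage 'reg query' output for the Naka worm's policy and autorun changes."""
import re
import subprocess
import sys

# Keys the post tells you to check (sections 7 and 10 above).
KEYS = [
    r"HKCU\Software\Policies\Microsoft\Windows\System",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths",
]
SET_TO_ZERO = {"DisableCMD"}                      # undone with the post's REG add fix
DELETE_VALUE = {"NoControlPanel"}                 # the post says "remove it"
WORM_FILES = ("naka.exe", "nakanaka.exe", "melt.bat", "sy4c.vbs")   # from the post

# Constructed sample of what 'reg query' prints; not captured from a real host.
SAMPLE_OUTPUT = (
    "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System\n"
    "    DisableCMD    REG_DWORD    0x1\n\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\n"
    "    NoControlPanel    REG_DWORD    0x1\n\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    Sidebar    REG_SZ    C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun\n"
    "    NakaNaka    REG_SZ    C:\\Windows\\NakaNaka.exe\n"
)

def triage(reg_output):
    """Return [(key, name, data, fix_command)] for each suspicious value."""
    findings, key = [], None
    for raw in reg_output.splitlines():
        if raw.startswith("HK"):
            key = raw.strip()                     # key header line
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if key is None or len(parts) != 3:
            continue                              # blank line or other text
        name, _type, data = parts
        value_arg = "/ve" if name == "(Default)" else f"/v {name}"
        if name in SET_TO_ZERO and data.lower() not in ("0x0", "0"):
            findings.append((key, name, data, f'REG add "{key}" {value_arg} /t REG_DWORD /d 0 /f'))
        elif name in DELETE_VALUE or any(f in data.lower() for f in WORM_FILES):
            findings.append((key, name, data, f'REG delete "{key}" {value_arg} /f'))
    return findings

if __name__ == "__main__":
    output = SAMPLE_OUTPUT
    if sys.platform == "win32":                   # query the live registry on Windows
        output = "".join(subprocess.run(["reg", "query", k, "/s"], capture_output=True, text=True).stdout for k in KEYS)
    for key, name, data, fix in triage(output):  # print the fix; review it before running it
        print(f"{key}\n  {name} = {data}\n  fix: {fix}")
```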

11)

Universalwashere <==== If you see that your account password has been changed, try this password. If you see a new account on your system with that name, its username and password are both this value. Please remove or change it.

Written by
Lin Htet

Note: I did not write the post above. It was written by Ko Lin Htet; the Burmese translation is my own, rendered as faithfully as I could. You can also read the English and protect yourself against this worm.

Source: Thet Tant Cho
