-
File Name:Naka.exe
File size:2097152 bytes
Filetype:PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5:a1b720650f4e943a13a1f97623ce98c9
SHA1:74d577f352bbc675271c640f0ee04f5f7544097c
File URL:
This is script kiddie who uses the program to generate the worm:
blackburnbbhh@gmail.com
These are his contact numbers to recover the password.... Any authority can contact these numbers for cyber criminal:
+8801917665290
+01919834692
First of all, THERE IS NO INFECTED AT ALL IN BURMA with that worm. You want to name "NAKA", we can name it "BSGH" - "Bangalishit Script-kiddie Got Hacked".
They think, Burmese people use PC like poor BD guys use. We use Mac and Linux!! Go and develop yourself to write a virus for Linux if you got skills, but we got skill in disassembly too.
1)
The worm modifies the IPs in Host file for Facebook, Google IP addresses to redirect to their website. If someone visit the Facebook with infected PC, they may think, this guy hacked Facebook, Real idiots! They don't know how Burmese people surf the web, everyone know host files, and everyone know how to bypass the big firewall of Government of Burma.
66.220.153.74 http://bdblackhats.com <=== To replace with Facebook
73.194.69.104 http://bdblackhats.com <=== To replace with Google
If you see in your host file, please kill these two lines.
2) Fake Msg : "This program has known Compaitablity Issues In VirturalBox. Please Run It Normally. The Application Will Now Close. Thankyou."
Fake Msg : "This program has known Compaitablity Issues In VirturalBox. Please Run It Normally. The Application Will Now Close. Thankyou." for SpyBot S&D
3)
Logger Email Address: torechudikhankirpola@gmail.com Password: +8801015209
Now we deleted their email, that account is created for malicious purposed only to get log from Burmese PC. We have report Google about this account not to accept the recovery request since we have proof.
You can look at following URL:
1#OWNED http://i50.tinypic.com/2u6pifk.gif
2#OWNED http://i45.tinypic.com/20js0vb.gif <== After I saw one activity to recover the password, really your confirmation code in my phone. LOL! So I am ready to do this.
3#TANGODOWN http://i49.tinypic.com/35d8g9h.gif <=== Ouch! That may hurt to BD guys!
4)
It has AntiNorman, AntiNOD32, AntiZoneAlarm, AntiBitDefender, AntiKaspers, AntiWireShark. So those anvirus can’t detect it. Avast, AVG, BitDefender, ClamAV, F-Secure, G-Data, Kaspersky, Panda, Quick Heal, VBA32, VirusBuster will not detect this.
Don’t worry, the worm “Generic.dx!” CAN BE detect with following antiviris : AntiVir, CPSecure, Dr.Web, Emsisoft, ESET, F-PORT, IKARUS, SOPHAS.
5)
You can find exe files (NakaNaka.exe, Naka.exe) in infected system.
Dll files are used: ntdll.dll , advapi2.dll, kernel32.dll for running the worm.
Batch file : MELT.bat, the batch file has command to delete C:\Windows\winlogon.exe.
6)
Once you run the file, it may infect your pc to log and send email to that email and disable some functions such as Run, CMD.exe and Task Managers. And it kills the some tasklists by following command, the worm, it runs "SC stop wscsvc", "SC stop SharedAccess" and run command “TASKKILL /F /T /IM in order to infect.
7)
For "RUN" problem please visit at http://technet.microsoft.com/en-us/library/cc938270.aspx
For Task Manager Problem please visit at http://support.microsoft.com/kb/555480,
For CMD.exe problem, please do following system:
Click Start, Run and type this command exactly as given below: (better - Copy and paste)
REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
8)
And they worm will hide their files in hidden. Because the worm executed to change register key to be 1.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
[1 is Hidden, 2 is Visible]
LOL, i don't know why this URL is used for http://automation.whatismyip.com/, that URL is already block for long time ago from whatismyip.com.
9)
The worm has abilities to spam at Yahoo, Live and Skype with fake message and file.
You may need to clean following files too.
C:\Documents and Settings\Username\Local Settings\Application Data\Yahoo Messenger\y.src
Y.src is for Yahoo Messenger sharable file to spread at your chat.
C:\Documents and Settings\Username\Local Settings\ Application\Data\Microsoft Messager\mypornpics.src
mypornpics.src sharable file to spread at your chat at Live/Hotmail Chat.
C:\Windows\System32\sy4c.vbs - SKYPE4COM – SKYPE
If your computer is infected, your account may send to your friend with this message:” Hey Check out my new program” At Skype.
10)
You may need to check your Registery at following:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AppPaths
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Ploicies\Explorer
NoControlPanel <=== remove it
11)
Universalwashere <==== If you see account your account password is changed, try this password, if you see new account in your system with that name, that is the password/username. Please remove/change it.
-
