Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\?.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Luffy' = '%WINDIR%\lsass.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Thousand Sunny' = 'C:\Going Merry.html'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\<Virus name>.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\<Virus name>.exe
- %WINDIR%\Tasks\The Straw Hat.exe
- %WINDIR%\Tasks.exe
Creates the following files on removable media:
- <Drive name for removable media>:\The Straw Hat.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Executes the following:
- <SYSTEM32>\net1.exe user StrawHat bangsawan /add
- <SYSTEM32>\taskkill.exe /f /im avguard.exe
Modifies settings of Windows Explorer:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoRun' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFind' = '00000001'
Modifies file system :
Creates the following files:
- %WINDIR%\Prefetch.exe
- %WINDIR%\Provisioning\The Straw Hat.exe
- %WINDIR%\Provisioning.exe
- %WINDIR%\PeerNet\The Straw Hat.exe
- %WINDIR%\PeerNet.exe
- %WINDIR%\Prefetch\The Straw Hat.exe
- %WINDIR%\Registration.exe
- %WINDIR%\repair\The Straw Hat.exe
- %WINDIR%\repair.exe
- %WINDIR%\pss\The Straw Hat.exe
- %WINDIR%\pss.exe
- %WINDIR%\Registration\The Straw Hat.exe
- %WINDIR%\msapps.exe
- %WINDIR%\mui\The Straw Hat.exe
- %WINDIR%\mui.exe
- %WINDIR%\msagent\The Straw Hat.exe
- %WINDIR%\msagent.exe
- %WINDIR%\msapps\The Straw Hat.exe
- %WINDIR%\Offline Web Pages.exe
- %WINDIR%\pchealth\The Straw Hat.exe
- %WINDIR%\pchealth.exe
- %WINDIR%\OemDir\The Straw Hat.exe
- %WINDIR%\OemDir.exe
- %WINDIR%\Offline Web Pages\The Straw Hat.exe
- %WINDIR%\Resources\The Straw Hat.exe
- %WINDIR%\Web\The Straw Hat.exe
- %WINDIR%\Web.exe
- %WINDIR%\WinSxS\The Straw Hat.exe
- %WINDIR%\Temp.exe
- %WINDIR%\twain_32\The Straw Hat.exe
- %WINDIR%\twain_32.exe
- %WINDIR%\Cursors\Roronoa.exe
- <LS_APPDATA>\Shank.exe
- %HOMEPATH%\SendTo\Compressed (zipped) Folder.exe
- %WINDIR%\WinSxS.exe
- %WINDIR%\<Auxiliary name>.exe
- %WINDIR%\inf\Sanji.exe
- %WINDIR%\SoftwareDistribution\The Straw Hat.exe
- %WINDIR%\SoftwareDistribution.exe
- %WINDIR%\srchasst\The Straw Hat.exe
- %WINDIR%\Resources.exe
- %WINDIR%\security\The Straw Hat.exe
- %WINDIR%\security.exe
- <SYSTEM32>\The Straw Hat.exe
- <SYSTEM32>.exe
- %WINDIR%\Temp\The Straw Hat.exe
- %WINDIR%\srchasst.exe
- %WINDIR%\system\The Straw Hat.exe
- %WINDIR%\system.exe
- %WINDIR%\Microsoft.NET.exe
- %PROGRAM_FILES%.exe
- %WINDIR%\The Straw Hat.exe
- %WINDIR%.exe
- <Auxiliary element>
- C:\<Auxiliary name>.exe
- %PROGRAM_FILES%\The Straw Hat.exe
- %WINDIR%\AppPatch.exe
- %WINDIR%\assembly\The Straw Hat.exe
- %WINDIR%\assembly.exe
- %WINDIR%\addins\The Straw Hat.exe
- %WINDIR%\addins.exe
- %WINDIR%\AppPatch\The Straw Hat.exe
- %WINDIR%\strawhat.exe
- %WINDIR%\lsass.exe
- C:\The Straw Hat.exe
- %WINDIR%\Cursors\wina.ico
- %WINDIR%\Cursors\zip.ico
- C:\Going Merry.html
- C:\Documents and Settings.exe
- C:\Far\The Straw Hat.exe
- C:\Far.exe
- <Current directory>\The Straw Hat.exe
- <Current directory>.exe
- C:\Documents and Settings\The Straw Hat.exe
- %WINDIR%\Config\The Straw Hat.exe
- %WINDIR%\Help\The Straw Hat.exe
- %WINDIR%\Help.exe
- %WINDIR%\ime\The Straw Hat.exe
- %WINDIR%\ehome.exe
- %WINDIR%\Fonts\The Straw Hat.exe
- %WINDIR%\Fonts.exe
- %WINDIR%\Media\The Straw Hat.exe
- %WINDIR%\Media.exe
- %WINDIR%\Microsoft.NET\The Straw Hat.exe
- %WINDIR%\ime.exe
- %WINDIR%\java\The Straw Hat.exe
- %WINDIR%\java.exe
- %WINDIR%\Cursors\The Straw Hat.exe
- %WINDIR%\Cursors.exe
- %WINDIR%\Debug\The Straw Hat.exe
- %WINDIR%\Config.exe
- %WINDIR%\Connection Wizard\The Straw Hat.exe
- %WINDIR%\Connection Wizard.exe
- %WINDIR%\Driver Cache\The Straw Hat.exe
- %WINDIR%\Driver Cache.exe
- %WINDIR%\ehome\The Straw Hat.exe
- %WINDIR%\Debug.exe
- %WINDIR%\Downloaded Program Files\The Straw Hat.exe
- %WINDIR%\Downloaded Program Files.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\inf\Sanji.exe
- %WINDIR%\Cursors\Roronoa.exe
- %WINDIR%\strawhat.exe
- %WINDIR%\lsass.exe
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'System Configuration Utility'
- ClassName: '' WindowName: 'Process Explorer - Sysinternals: www.sysinternals.com'
- ClassName: '' WindowName: 'Windows'
- ClassName: '' WindowName: 'Windows Task Manager'
- ClassName: '' WindowName: 'G a s a k !!! [ bY: Foker ]'
- ClassName: '' WindowName: 'Avira AntiVir PersonalEdition Classic'
- ClassName: '' WindowName: 'registry editor'
- ClassName: '' WindowName: 'Application Data'
- ClassName: '' WindowName: '%WINDIR%'
- ClassName: '' WindowName: '<SYSTEM32>'
- ClassName: '' WindowName: '<LS_APPDATA>'
- ClassName: '' WindowName: 'The Killer Machine'
- ClassName: '' WindowName: 'Process Viewer'
- ClassName: '' WindowName: 'X-RayPc'
- ClassName: '' WindowName: 'System32'
- ClassName: 'WordPadClass' WindowName: ''
- ClassName: 'TfrmIntegrator' WindowName: ''
- ClassName: 'TfrmRegistryEditor' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Notepad' WindowName: ''
- ClassName: 'TfrmMain' WindowName: ''
- ClassName: '' WindowName: 'Security Task Manager'
- ClassName: '' WindowName: 'Security Task Manager Versi shareware tanpa registrasi'
- ClassName: '' WindowName: 'a-squared HiJackFree'
- ClassName: '' WindowName: 'Netstat XP'
- ClassName: 'TfrmSearchWizard' WindowName: ''
- ClassName: 'TfrmRescueCenter' WindowName: ''
- ClassName: 'ANVIECLAZZ' WindowName: ''
