
Thursday, October 14, 2010

New e-mail virus: email from Ashley Anderson

As the days pass, more and more malware is released into cyberspace, causing agony to computer users. Now a new e-mail virus has been reported. When you check your e-mail, if you find a message from Ashley Anderson, delete it immediately, as it is a virus. The e-mail comes with an attachment, and the sender's name leads people to open the attachment, which damages their computers. So if you receive such an e-mail, please don't open it; just delete it. The attachment is believed to contain a trojan that copies files from the system and also damages them. Since it is a trojan, there is a high chance of valuable data on the computer being stolen, including bank account details. The trojan allows the sender to intrude into the victim's computer, control it, or steal valuable data from it. The easiest way to avoid any kind of problem, according to the experts, is to delete the e-mail immediately.


Wednesday, October 13, 2010

Microsoft releases security patches to fix 49 vulnerabilities

Microsoft on Tuesday released its largest ever batch of security patches, fixing a record 49 vulnerabilities in Internet Explorer, Windows and other software. The Internet Explorer patch fixes as many as twelve vulnerabilities. Because of the risk of zero-click drive-by download attacks, the company is urging Windows users to apply this patch immediately. Internet Explorer 7 and 8 running on Windows Vista and Windows 7 are said to be vulnerable to these attacks, though those versions are claimed to lessen their effect.


Numerous other holes also make it possible to run malicious code through the Windows common control library and the Microsoft Foundation Class library. But these holes carry lower ratings, because they can be exploited only through third-party browsers and file-archiving programs.
The patches also fix a vulnerability in Windows XP that was exploited by the Stuxnet worm, which is believed to have been released in order to disrupt Iran's nuclear program. The malware spread by exploiting four previously unpatched Windows security holes. Tuesday's security release fixes three of them, while the fourth will be fixed in a future update.
According to Symantec (the Norton Antivirus provider), out of the 49 flaws, 35 could give hackers the means to run malicious code on victims' computers. Microsoft has released 86 security patches so far this year, compared with a total of 74 security bulletins in the previous year.

Thursday, September 16, 2010

'Here you have' e-mail virus threatens the computer world

Recently a massive virus hit e-mail accounts across the world, including those of corporate giants like Google, Coca-Cola and NASA. The trojan spread through e-mails with subject lines that read 'Here You Have,' while other versions of the worm hid under subject lines like 'This is The Free Download Sex Movies, you can find it here,' and 'Just For You.' Each e-mail contained a link that, if clicked, would download malware onto the recipient's computer and send a wave of similar e-mails to his or her contacts. Although the exact number of victims is not known, the virus attack forced several employees to abandon their e-mail accounts altogether.
McAfee published a report on its blog saying that the risk of infection for both home and work e-mail accounts is "low," while acknowledging that it may take time to root out all of the virus's multiple variants. The security firm also identified the virus as a trojan horse but had not yet determined its origins. Symantec, meanwhile, told ABC that the worm, which it has called 'W32.Imsolk.A@mm,' is similar to the 'Anna Kournikova' worm that hit computers in 2001 and also spread under the 'Here You Have' subject. If you receive e-mails with suspicious subject lines, delete them instantly.



Wednesday, September 15, 2010

Adobe sounds alarm about the attacks on Flash

Adobe had already warned users of its PDF reader about bugs in the reader that hackers were exploiting. Now it has come up with the shocking news of a bug in one of the most popular pieces of software, Adobe Flash. This is a matter of worry, since almost all computer users view video in their browsers with the help of Flash. The company said it would patch Flash in two weeks and Reader in three weeks. In a new security advisory on Monday, Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. According to the advisory, "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system".
Unfortunately, the flaw is present in all editions of Flash, including those for Mac, Linux and Android, but Adobe described the attacks as "targeted" and "limited". The attacks were aimed at Windows users. The same bug is also present in Adobe Reader and Acrobat, the company's free PDF viewer and its commercial PDF creation tool. This is quite natural, since both Reader and Acrobat include code to run Flash content embedded in PDF documents, so a bug in Adobe's media player typically requires a patch for the PDF programs as well.
Adobe said it would update Flash to fix that program's flaw in two weeks, sometime during the week of Sept. 27. The two bugs in Reader and Acrobat -- the one disclosed last week and Monday's -- will be patched in the week of Oct. 4 with an emergency, or out-of-band, security update.



Tuesday, September 14, 2010

How to remove IronDefender

I have written articles about several malware programs that disguise themselves as malware removal tools. Here is one more malware program that disguises itself as a useful malware removal tool. Its function is almost the same as that of the other disguised malware. It does not scan your computer or find any virus or malware. When IronDefender is installed on a computer, it starts along with Windows at the next boot. It performs a fake scan and informs the user that harmful malware is present on the computer and has to be removed. It then asks the user to register IronDefender by paying a registration fee. The message is a lie designed to make the poor victim pay for the malware.
IronDefender displays the same options a genuine antivirus would: "Full Scan", "System Scan", "Scan Basic Locations", "Scan Removable Media", "Scan Folder", "Realtime protection" and "Tools". None of these features actually protects the computer; they are fakes.
If you are a victim of IronDefender, it has to be removed immediately.

Removal:

Kill the processes:

F0E84.exe
vur4.exe
[random].exe

Delete the registry entries:

HKEY_CURRENT_USER\Software\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IronDefender
HKEY_CURRENT_USER\Software "Install_Dir" = "C:\Program Files\FDFCA"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "vur4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "F0E84.exe"

Delete the files and folders:

%ALLUSERSPROFILE%\Start Menu\Programs\IronDefender.lnk
%ProgramFiles%\FDFCA\
%ProgramFiles%\FDFCA\F0E84.exe
%ProgramFiles%\FDFCA\Uninstall.exe
%SystemRoot%\[random].exe
%SystemRoot%\[random].bin
%SystemRoot%\[random].dll
%SystemRoot%\[random].cpl
%SystemRoot%\system32\[random].exe
%SystemRoot%\system32\[random].bin
%SystemRoot%\system32\[random].dll
%SystemRoot%\system32\[random].cpl
%UserProfile%\Desktop\hash
%UserProfile%\Desktop\IronDefender.lnk
%UserProfile%\Local Settings\Temp\[random].exe



Friday, August 27, 2010

Camouflage Viruses

You may not have heard of camouflage viruses. That is because they never became a threat, thanks to the evolution of advanced antivirus scanners. Camouflage viruses are viruses that can infect a computer by presenting themselves as a harmless application to the antivirus software installed on that computer. Less sophisticated antivirus software scans by checking files for virus signatures. In such cases there is a possibility that a non-infected file contains code similar to the virus code (a statistical probability) and is reported to the user as infected: a false alarm. This may frighten the user. To avoid this problem, antivirus software implements logic to ignore a virus signature and not raise an alarm under the right circumstances.
Even though this logic reduces the chance of a false alarm, it opened a door for virus creators to camouflage their viruses so that they include the specific characteristics the antivirus software checks for, and thus have the antivirus program ignore that particular virus. Fortunately, camouflage viruses never became a serious threat, but the possibility existed.
Today's antivirus scanners are more advanced and do much more than simply look for a virus signature string. In order to identify the specific virus variant, they not only check for the virus signature but also checksum the virus code. Because of these cross-checks in the antivirus scanner, it would be very difficult for a virus to camouflage itself and spoof the scanner.
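Here is an added toy model, written for this post rather than taken from it, of the three scanner generations described above: a plain signature match, the same match with the "ignore under the right circumstances" rule that camouflage abused, and a scanner that confirms each signature hit by checksumming the code that follows it. The signature bytes, the code body and the trusted-build marker are all constructed for the demonstration.

```python
import hashlib
from typing import Callable, Dict

# Constructed toy data: a 4-byte "signature", the code body that follows it in
# the (imaginary) virus, and a marker standing in for the "right circumstances"
# that made second-generation scanners suppress a hit.  None of this is real.
SIGNATURE = b"\xeb\x1a\x90\x90"
VIRAL_CODE = SIGNATURE + b"\x33\xc0\x40\xc3" * 8
TRUSTED_MARKER = b"TRUSTED-VENDOR-BUILD"

# What a scanner vendor ships alongside the signature: the length of the code
# the signature belongs to, and a checksum of that code.
CODE_LEN = len(VIRAL_CODE)
KNOWN_CHECKSUM = hashlib.sha256(VIRAL_CODE).hexdigest()

Scanner = Callable[[bytes], bool]


def scan_signature_only(data: bytes) -> bool:
    """Generation 1: any file containing the signature bytes is reported.
    Cheap, but a clean file that happens to contain those bytes is a false alarm."""
    return SIGNATURE in data


def scan_with_suppression(data: bytes) -> bool:
    """Generation 2: to stop false alarms, ignore the signature when the file
    shows the characteristics of a trusted build.  This is the loophole: a
    virus that carries the same characteristics is ignored too (camouflage)."""
    if TRUSTED_MARKER in data:
        return False
    return SIGNATURE in data


def scan_with_checksum(data: bytes) -> bool:
    """Generation 3: a signature hit is only a candidate; it is confirmed by
    checksumming the code at that location.  A clean look-alike fails the
    checksum (no false alarm) and a camouflaged virus still passes it."""
    start = data.find(SIGNATURE)
    while start != -1:
        body = data[start:start + CODE_LEN]
        if hashlib.sha256(body).hexdigest() == KNOWN_CHECKSUM:
            return True
        start = data.find(SIGNATURE, start + 1)
    return False


# Constructed sample files.
SAMPLES: Dict[str, bytes] = {
    # the genuine virus
    "infected": b"MZ" + b"\x00" * 16 + VIRAL_CODE,
    # clean trusted build that by coincidence contains the signature bytes
    "clean_lookalike": b"MZ" + TRUSTED_MARKER + SIGNATURE + b"\x00" * 28,
    # the virus with the trusted-build characteristics bolted on
    "camouflaged": b"MZ" + TRUSTED_MARKER + VIRAL_CODE,
    # ordinary clean file
    "clean": b"MZ" + b"hello, world",
}


def scan_all(scanner: Scanner) -> Dict[str, bool]:
    """Run one scanner over every sample; True means 'reported as infected'."""
    return {name: scanner(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for scanner in (scan_signature_only, scan_with_suppression, scan_with_checksum):
        print(f"{scanner.__name__:22s} {scan_all(scanner)}")
```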


Sality Virus: Know more?

I noticed that most of the visitors to my blog are searching for remedies for infection by the Sality virus. I have already put a brief post on the Sality virus at creatingcomputervirus.blogspot.com/2010/03/sality-virus-symptoms-and-removal.html. Now I think more information must be provided in order to satisfy the visitors. Sality is also known as W32/Kookoo-A [Sophos]. Sality was discovered on June 4, 2003. It affects the operating systems Windows 98, Windows 95, Windows XP, Windows Me, Windows NT and Windows 2000.

It infects executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. When it infected my system, it disabled my antivirus software (BitDefender Free Edition) and my anti-malware software (Malwarebytes Free Edition). It also prevented the use of the anti-rootkit software RootkitRevealer.
Some forms of the Sality virus are reported to steal keystrokes from infected machines for malicious purposes. W32.Sality infects executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality purposely searches specific registry subkeys to infect the executable files that run when Windows starts. An infected computer is thus like a country under the rule of terrorists: all its security is paralysed, leading to a complete breakdown of the system. Sality will also prevent the installation of antivirus software on the infected computer.
In 2003, when it was first discovered, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door and keylogging functionality. As the years passed, it became more sophisticated, adding features that aid worm-like propagation, ensure its survival and perform maliciously damaging activities. Among these is the decentralized peer-to-peer (P2P) network that W32.Sality-infected computers create and populate.
As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult, so that researchers cannot easily see the real purpose and functionality implemented in the code. It spreads by infecting executable files on local, removable and remote shared drives. Infected files have their original initial instructions overwritten by complex code instructions, with the encrypted viral code body located in the last section of the file.
Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.

Technical Details:

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for the following registry subkeys to infect the executables associated with that subkey, including those executables that run when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Files Created:

%System%\drivers\[RANDOM FILE NAME]


Registry Subkeys Created:

HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

Registry entries deleted:

HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Registry entries modified (final values given):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

Process Injection:

W32.Sality does not inject into processes that belong to the system, the local service or the network service. However, it does inject complex code instructions into other processes, allowing the code to load external DLLs, downloaded from remote servers, into the target processes. The virus uses a named mutex based on the injected process ID (PID) for each injection so that it avoids repeatedly injecting code into the same process.
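As an added check, not part of the original write-up, the Python function below looks for the registry traces listed above in a snapshot of a machine's registry, modelled here as a dictionary constructed for the example (on a real machine it would be filled from exports of the keys named). Several hits together are a strong signal; EnableLUA alone is not, since administrators also set it.

```python
from typing import Dict, List

# A registry snapshot modelled as {key path: {value name: data}}.  A key that
# exists but has no values is an empty dict.  Constructed for this example.
Snapshot = Dict[str, Dict[str, str]]

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"


def key(*parts: str) -> str:
    """Join key path components with backslashes."""
    return "\\".join(parts)


LEGACY_ROOT = key(HKLM, "SYSTEM", "ControlSet001", "Enum", "Root")
SAFEBOOT = key(HKLM, "SYSTEM", "CurrentControlSet", "Control", "SafeBoot")
POLICIES_SYSTEM = key(HKLM, "SOFTWARE", "Microsoft", "Windows", "CurrentVersion",
                      "policies", "system")
FIREWALL_LIST = key(HKLM, "SYSTEM", "ControlSet001", "Services", "SharedAccess",
                    "Parameters", "FirewallPolicy", "StandardProfile",
                    "AuthorizedApplications", "List")


def audit_sality(snap: Snapshot, user_name: str) -> List[str]:
    """Return one line per Sality indicator found in the snapshot (empty if none)."""
    findings: List[str] = []

    # Service keys the write-up lists under "Registry Subkeys Created".
    for legacy in ("LEGACY_WMI_MFC_TPSHOKER_80", "LEGACY_IPFILTERDRIVER"):
        k = key(LEGACY_ROOT, legacy)
        if k in snap:
            findings.append(f"created key present: {k}")

    # Per-user configuration key HKCU\Software\[USER NAME]914.
    k = key(HKCU, "Software", f"{user_name}914")
    if k in snap:
        findings.append(f"created key present: {k}")

    # SafeBoot is deleted so that the machine cannot be cleaned from Safe Mode.
    if SAFEBOOT not in snap:
        findings.append(f"deleted key: {SAFEBOOT} (Safe Mode unusable)")

    # EnableLUA=0 switches off UAC.  Administrators also set this by hand, so
    # on its own it is weak evidence; it is reported because the write-up lists it.
    if snap.get(POLICIES_SYSTEM, {}).get("EnableLUA") == "0":
        findings.append(f"modified value: {POLICIES_SYSTEM}\\EnableLUA = 0 (UAC disabled)")

    # Each infected file is whitelisted in Windows Firewall with the data
    # "<path>:*:Enabled:ipsec"; the value name is the file to examine.
    for name, data in snap.get(FIREWALL_LIST, {}).items():
        if data.lower().endswith(":*:enabled:ipsec"):
            findings.append(f"firewall exception for {name}")

    return findings


# Constructed snapshots: one showing the traces, one clean.
INFECTED: Snapshot = {
    key(LEGACY_ROOT, "LEGACY_IPFILTERDRIVER"): {},
    key(HKCU, "Software", "alice914"): {},
    POLICIES_SYSTEM: {"EnableLUA": "0"},
    FIREWALL_LIST: {
        r"C:\Program Files\Example\app.exe":
            r"C:\Program Files\Example\app.exe:*:Enabled:ipsec",
    },
}
CLEAN: Snapshot = {
    SAFEBOOT: {},
    POLICIES_SYSTEM: {"EnableLUA": "1"},
    FIREWALL_LIST: {
        r"C:\Program Files\Example\app.exe":
            r"C:\Program Files\Example\app.exe:*:Enabled:Example App",
    },
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, audit_sality(snap, "alice") or ["no indicators"])
```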

Recommendations:

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.

If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.


Removal:

Since it is hard to install antivirus software on an infected system, it is better to remove the virus by scanning the infected computer from another computer with antivirus software capable of detecting and removing Sality. Otherwise you may try manual removal, which is not recommended.

Thursday, August 12, 2010

Patches

You may have heard the term "patch" several times while using a computer, but many people don't know what a patch is. So, what is a patch?
Today there are hundreds, or perhaps thousands, of companies that produce software for different purposes. This software is created by brilliant people according to the specifications given by the customer or the standards set by the firm. If the software is very large or has a lot of functions, it is generally developed by a group of software engineers working as a team. After the software is built, it has to be tested for stability and vulnerabilities before being handed over to the customer, and there is a set of tools for software testing. During testing several bugs are found and rectified. After passing the software testing, the software is declared ready for use.
You know, 'to err is human'. Likewise, everything made by humans has a certain quantity of error in it, and the same is true of software testing. Software that successfully passes testing need not be free of vulnerabilities and bugs; in most cases there will be bugs. In the case of important software such as that used in banks and financial organisations, the software is tested several times, sometimes on sample populations, to ensure that it is free of bugs.
If a bug or vulnerability is found in software after it has been given to the customer for use, the software manufacturer releases a patch for that software. The goal of the patch is to ensure the correct functioning of the software and to ensure that the software is not vulnerable to viruses. A software patch is applied to a specific program to correct an error in its function, whereas an antivirus patch might seek to correct specific vulnerabilities linked to the functioning of one particular virus. A security patch, on the other hand, might be designed to strengthen aspects of a machine's connection to a network or to the Internet, to guard against incursions into the system from outside sources.
Service packs are groupings of other patches, usually too numerous or complex to be installed one at a time. Service packs are usually directed at repairing known issues in larger software environments such as operating systems. Microsoft releases several patches for its operating systems, and these patches are installed during Windows Update. If you are using a Windows operating system, install the latest patches from Microsoft to make your system more secure against vulnerabilities and software attacks.

Monday, July 12, 2010

How to choose passwords

The era of inland letters and postal greetings is approaching its end. Today we can hardly find a person who uses the postal service to get in touch with relatives, thanks to technological developments. The arrival of new players like telecommunications and the Internet has pushed traditional services like the post out of the playing field. Today it is very hard to find a person without an e-mail ID. All of us have an e-mail ID and a password to open the e-mail account. The password is created at the time of creating the e-mail ID. Since a password can be stolen or guessed, most e-mail service providers allow you to change it. Most users create their password carelessly, and some of them even forget it after the account is created. The password must be chosen very wisely, since the Internet is the easiest way to spread a bad impression of a person to a great many people.
Microsoft recommends that a password be at least 14 characters long. The strength of a password is determined by the different types of characters you use. It is always better not to use words found in dictionaries as passwords; if dictionary words are used, a hacker can easily guess the password of your account. Also bear in mind not to use common passwords. Most people use 123456 as their password; how easily a hacker can find such a password! Also don't use locally used words as passwords. It is a very common trend in Kerala to write the PIN on the ATM card. That is like handing the key to your account to the thief.
You can check the strength of your password at:  https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link


Real Time Protection

Real-time protection is one of the features provided by most antivirus programs. On-access scanning, background guard, resident shield and autoprotect are other terms for real-time protection. The term refers to the feature of anti-malware programs that monitors all the files in the system as well as the data coming into the computer from the Internet. It also scans the files in memory. If any change in a file, or any data coming into the computer, is found suspicious, it is reported to the user. If necessary the user can consult the experts' recommendations by submitting the suspicious files to the anti-malware manufacturer. Real-time protection monitors changes made to files located on the hard drives and in memory, and also the data flowing into the computer from the Internet while browsing, checking e-mail and downloading files. It also includes monitoring removable drives like CDs, floppies, pen drives etc. In short, real-time protection enables even a beginner to use the computer safely without having even basic knowledge of security issues.
Most real-time protection systems hook certain API functions provided by the operating system in order to scan files in real time. For example, on Microsoft Windows, an antivirus program may hook the CreateProcess API function, which executes programs. It can then scan programs that are about to be executed for malicious software. If malicious software is found, the antivirus program can block execution and inform the user.
Avast, Avira and Comodo Internet Security are some of the programs with real-time protection. It is recommended to use an antivirus with real-time protection so that malware can be blocked before it infects the PC. If a virus like Sality infects the PC, the whole security of the computer is compromised, so it is better to stop it before it enters the system.


Friday, July 9, 2010

PC AntiSpyware 2010

PC AntiSpyware 2010 is a rogue anti-spyware program like Home Antivirus 2010. If it gets installed on your PC, PC AntiSpyware 2010 will create numerous harmless files on your computer that are then displayed as infections when the program scans your computer. These files are named using random characters and are created in various locations on your hard drive. They are created solely to validate the scan results that state that infections exist on your computer, when in reality these files cannot harm it.

PC AntiSpyware 2010 also displays a window that impersonates the Microsoft Windows Security Center. The Security Center window created by PC AntiSpyware 2010 suggests that you purchase PC AntiSpyware 2010 in order to protect your computer. It also hijacks Internet Explorer so that, while you are browsing, you are randomly shown a page stating that the site you are visiting is a security risk. It then tries to sell you PC AntiSpyware 2010 to protect you from this site.

Malware programs that disguise themselves as useful programs are spreading at an increasing rate these days, so the number of victims is growing. One must therefore be watchful in selecting the software to be installed on his or her PC.

Removal: Download the latest version of Malwarebytes Anti-Malware and do a scan, then remove the infected files.


Friday, May 28, 2010

USBcillin : Disguised Malware

Today I was copying some new songs from my brother's computer to my pen drive. When I opened the pen drive in Windows Explorer, I noticed a new file called USBcillin on the pen drive. My brother told me that he had installed the program but was unable to uninstall it, since it was not shown in Add or Remove Programs in the Control Panel. He told me it was not a virus. Even though I was suspicious about the reliability of the program, I didn't tell him anything. I just removed the program from the startup options in the msconfig file.

Now let me give some information about USBcillin. USBcillin is said to be a program that protects your computer from malware when you plug in infected USB drives. However, it is just another rogue application. USBcillin is unable to protect your computer from any possible infection. The rogue modifies registry entries and drops various malicious files onto your computer.

Removal:

1. Kill processes:

  • 13882768.EXE
  • 64080532.EXE
  • 82215601.EXE
  • USBcillin.exe
  • QWE.TXT.EXE

To kill a process, open Task Manager and choose the Processes tab. Select each of the above processes and click the End Now button. A warning will be displayed; click the OK button. For more details about killing malware processes, click here.

2. Delete the registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoPropertiesMyComputer" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoSetFolders" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoNetHood" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFolderOptions" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoDesktop" = "0"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableCMD" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoPrinters" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoSetFolders" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\"NoNetSetup" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "Windows Internet Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\"NoAddPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\"PastIconsStream" = "hex:14,00,00,00,05,00,00,00,01,00,01,00,b6,00,00,00,14,00,00,00,49,4c,00,06,b6,00,ba,00,04,00,10,00,10,00,ff,ff,ff,ff,21,00…"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoRun" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoViewContextMenu" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\"NoAddRemovePrograms" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\"NoNetSetup" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFileMenu" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"USBcillin" = "C:\WINDOWS\system32\USBcillin.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoPropertiesMyComputer" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoViewContextMenu" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoActiveDesktop" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\"NoAddRemovePrograms" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDesktop" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"NoDispCPL" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoPrinters" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoControlPanel" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\"NoRemovePage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\"NoAddPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFind" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoActiveDesktop" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoNetHood" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\"NoRemovePage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispCPL" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFileMenu" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\"Order" = "hex:08,00,00,00,02,00,00,00,00,02,00,00,01,00,00,00,03,00,00,00,d2,00,00,00,00,00,00,00,c4,00,00,00,41,75,67,4d,02


To know about deleting registry values, click here.

3. Delete files

  • 64080532.EXE
  • QWE.TXT.EXE
  • 57273426.SVD
  • 96402658.SVD
  • 71519181.SVD
  • USBcillin.exe
  • 13882768.EXE
  • 82215601.EXE

Delete Directories:

  • %Temp%\ (empty the folder rather than removing it: %Temp% is the user's temporary directory and Windows expects it to exist)

You can also remove USBcillin with Spyware Doctor.


Thursday, April 22, 2010

Zeus Virus: Becoming more powerful

Zeus version 1.6 adds the capability of attacking Firefox as well as Internet Explorer, which for now leaves Google Chrome and Opera users out of its reach. Of the 5.5 million computers that Trusteer helps protect, about 1 in every 3,000 has become infected. According to the BBC, Trusteer operates not only in the U.K. but also in the U.S.A.

Zeus is financial malware. It infects consumer PCs, waits for the user to log on to one of a list of targeted banks and financial institutions, then steals the credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed alongside (or instead of) the genuine page from the bank's web server. Because the change is made inside the browser after the TLS connection has been decrypted, neither the padlock icon nor the bank's server reveals it. In this way it is able to ask the user to divulge more personal information, such as the payment card number and PIN, one-time passwords and TANs.
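To make the man-in-the-browser step concrete, here is an added Python example that is not part of the original post and not Zeus code. It applies one injection rule, written in the shape of a Zeus "webinject" entry as described in public analyses (set_url, data_before, data_inject, data_after, with '*' as a wildcard), to a constructed bank login page, and then shows the bank-side detection idea: compare the input fields the browser actually renders with the fields the server served. The bank URL, the form and the rule are all invented for the example.

```python
import re
from html.parser import HTMLParser

# Constructed for this example: the login form a bank's server actually sends.
# Not taken from any real bank and not from the original post.
GENUINE_LOGIN_PAGE = """<html><body>
<form id="login" action="/auth" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="passwd"></label>
  <input type="submit" value="Log in">
</form>
</body></html>"""

# Constructed rule in the shape of a Zeus "webinject" entry: set_url selects the
# page, data_before/data_after anchor the spot, data_inject is the HTML to insert,
# '*' is a wildcard. Text between the two anchors is replaced by the injected HTML;
# an empty data_after means "insert right after data_before".
WEBINJECT_RULES = [
    {
        "set_url": "https://bank.example/login*",
        "data_before": "<label>Password <input*</label>",
        "data_after": "",
        "data_inject": (
            '\n  <label>ATM PIN <input type="password" name="pin"></label>'
            '\n  <label>Card number <input type="text" name="cardno"></label>'
        ),
    }
]

def _glob_to_regex(pattern):
    """Translate a '*' wildcard pattern into a regex; everything else is literal."""
    return re.compile(".*?".join(re.escape(part) for part in pattern.split("*")), re.S)

def url_matches(rule, url):
    return _glob_to_regex(rule["set_url"]).fullmatch(url) is not None

def apply_webinject(page, rules, url):
    """Simulate the man-in-the-browser step. The page has already been decrypted by
    the browser, so TLS and the server never see the modification."""
    for rule in rules:
        if not url_matches(rule, url):
            continue
        before = _glob_to_regex(rule["data_before"]).search(page)
        if before is None:
            continue                      # anchor absent: rule does not fire on this page
        start = end = before.end()
        if rule["data_after"]:
            after = _glob_to_regex(rule["data_after"]).search(page, start)
            if after is None:
                continue
            end = after.start()           # content between the anchors is replaced
        page = page[:start] + rule["data_inject"] + page[end:]
    return page

class _InputCollector(HTMLParser):
    """Collect the name attribute of every <input> in a page."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)

def input_names(page):
    collector = _InputCollector()
    collector.feed(page)
    return collector.names

def unexpected_inputs(rendered_page, expected_names):
    """Bank-side detection idea: a script in the genuine page reports the form fields
    the browser actually shows and the server compares them with what it served.
    Anything extra (PIN, card number, TAN...) is a likely inject."""
    return sorted(set(input_names(rendered_page)) - set(expected_names))

if __name__ == "__main__":
    url = "https://bank.example/login?lang=en"
    tampered = apply_webinject(GENUINE_LOGIN_PAGE, WEBINJECT_RULES, url)
    print(tampered)
    print("unexpected fields:", unexpected_inputs(tampered, ["userid", "passwd"]))
```

The detection half only works if the reporting script itself is not removed by the same inject, which is why banks pair it with server-side checks such as flagging logins that submit fields the form never had.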




Zeus is understood to be the biggest culprit among the malware families targeting financial websites and institutions. According to some studies, as much as 44% of all financial malware is based on Zeus. Despite this alarming state, most current security software, even when updated to the latest version, is incapable of finding and removing Zeus infections. A recent Trusteer study found that 55% of the 10,000 computers tested, all running up-to-date antivirus and security software, carried traces of Zeus that the software had not detected or removed.

The malware steals login information by recording keystrokes when the infected user visits one of a list of target websites, usually banks and other financial institutions. The user's data is then sent to a remote server to be used by, or sold on to, cyber-criminals. "We expect this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox and the infection is growing faster than we have ever seen before," said Amit Klein, chief technology officer at Trusteer.

For more details on spread of infection visit:  thepcsecurity.com/latest-security-software-cannot-detect-zeus-virus/

Removal:
Run an updated antivirus product capable of detecting Zeus. Alternatively, an online malware scanner such as Trend Micro HouseCall or the Windows Live OneCare safety scanner can be used to scan the system for bot infection (More Online Anti-virus Scanners). Anti-malware tools such as Malwarebytes and SUPERAntiSpyware can also be used.



Friday, March 26, 2010

Antivirus 2010: Removal

Antivirus 2010 is a fake antivirus program that harms your computer rather than protecting it. It is a cunning piece of malware that uses advertisements and scare tactics to make the user pay for it. One of these is a fake Blue Screen Of Death (BSOD) which claims that Windows has detected an unregistered version of Antivirus 2010 and that it must be registered to solve the problem. Do not believe this; it is part of the Antivirus 2010 scam. The fake BSOD looks like this:

[Screenshot: fake BSOD displayed by Antivirus 2010]

If your computer displays such a screen, do not trust it and do not pay for the Antivirus 2010 malware.

[Screenshot: the Antivirus 2010 interface]


Symptoms:

  • Changes browser settings
  • Shows commercial adverts
  • Connects itself to the internet
  • Stays resident in background



Removal:

You can remove Antivirus 2010 with anti-malware software such as
1. Malwarebytes
2. Windows Defender

Manual removal:

You can delete Antivirus 2010 manually by following the steps below.

1. Kill the processes AV2010.exe, svchost.exe and wingamma.exe. Note that svchost.exe is also the name of the legitimate Windows service host process: kill only the copy that runs from Program Files\AV2010 (see step 4), never the genuine one in WINDOWS\system32.
     Help: How to kill the process
2. Remove the following registry keys and values
     HKEY_CURRENT_USER\Software\AV2010
     HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
     HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
     HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
     HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
     HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
     HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
     HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"
   The three Class\{4D36E972-E325-11CE-BFC1-08002bE10318} entries sit under the Network Adapters device class, where each numbered subkey (0012, 0013, 0014) describes one adapter instance. Check the DriverDesc value of each before deleting it, to be sure it belongs to the malware's component and not to your real network card.



       Help: How to remove registry values

3. Unregister DLLs

     IEDefender.dll
  
      Help: How to unregister malicious dlls

4. Delete files

     Program Files\AV2010\AV2010.exe
     Program Files\AV2010\svchost.exe
     WINDOWS\system32\IEDefender.dll
     WINDOWS\system32\wingamma.exe

    Help: How to delete malicious files

5. Delete Directories
     c:\Program Files\AV2010
     c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
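The registry steps in this post and in the USBcillin removal post above come down to three operations: resetting a policy DWORD to 0, deleting a single value (such as a Run entry) and deleting a whole key. The following Python script is an added example, not part of the original posts and not a vendor tool; it turns such lists into a .reg file that can be read through before it is imported with regedit on the affected machine. The entries in it are a representative subset of the two lists; that the policy values should be reset to 0 rather than deleted is an assumption based on how the USBcillin list shows them, and the set of protected keys is the example's own safety net.

```python
# Added example: build a reviewable .reg file from removal lists.
# The lists below are a representative subset of the entries in the two posts;
# resetting policy values to 0 (rather than deleting them) is an assumption.
POLICY_VALUES_TO_RESET = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoControlPanel"),
]
VALUES_TO_DELETE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "USBcillin"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Gamma Display"),
]
KEYS_TO_DELETE = [
    r"HKEY_CURRENT_USER\Software\AV2010",
    r"HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}",
]

ROOT_KEYS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# Deleting any of these outright would cripple a working system; refuse them so a
# typo in a removal list cannot become a self-inflicted outage (example's own list).
PROTECTED_KEYS = {
    r"hkey_local_machine\software",
    r"hkey_local_machine\system",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
}

def check_key(key):
    """Validate a registry path: known root and no characters that break .reg syntax."""
    root = key.split("\\", 1)[0]
    if root not in ROOT_KEYS:
        raise ValueError(f"unknown registry root in {key!r}")
    if any(ch in key for ch in "\r\n]"):
        raise ValueError(f"illegal character in key {key!r}")
    return key

def quote_name(name):
    """Value names in a .reg file are double-quoted, with backslash and quote escaped."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_reg(reset_values, delete_values, delete_keys):
    """Return the text of a 'Windows Registry Editor Version 5.00' file.
    [-Key] deletes a key, "name"=- deletes a value, dword:00000000 resets a policy."""
    sections = {}  # key -> value lines, grouped so each key header appears once
    for key, name in reset_values:
        sections.setdefault(check_key(key), []).append(f"{quote_name(name)}=dword:00000000")
    for key, name in delete_values:
        sections.setdefault(check_key(key), []).append(f"{quote_name(name)}=-")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in delete_keys:
        check_key(key)
        if key.lower() in PROTECTED_KEYS:
            raise ValueError(f"refusing to delete protected key {key!r}")
        lines += [f"[-{key}]", ""]
    for key, values in sections.items():
        lines += [f"[{key}]", *values, ""]
    return "\r\n".join(lines)

def save_reg(text, path):
    """regedit expects version 5.00 files as UTF-16 LE with a BOM; 'utf-16' writes both.
    newline='' keeps the CRLF line endings from being doubled on Windows."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)

if __name__ == "__main__":
    reg = build_reg(POLICY_VALUES_TO_RESET, VALUES_TO_DELETE, KEYS_TO_DELETE)
    print(reg)
    save_reg(reg, "cleanup.reg")
```

Generating the file rather than editing live lets you diff it against an export of the same keys taken before the infection, and it leaves a record of exactly what was changed if something has to be undone.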

Thursday, March 25, 2010

Sality Virus: Symptoms and Removal...

It was two weeks ago that a friend of mine gave me his pen drive to copy some software from my computer to his. Since I was in a hurry and trusted my antivirus for my computer's safety, I didn't check the pen drive for viruses. After a few minutes I noticed that the icons of the antivirus and firewall had disappeared. So I tried to run the applications from the Start menu, but in vain. Then I tried to run the anti-malware program; it wouldn't open either. Then I tried to reinstall my antivirus, but that didn't work. At last I had to format my computer. Then I collected the details about the virus to prevent future attacks. The circumstances that allowed the virus to enter my computer were:

  1. My carelessness in not disabling autorun before inserting the pen drive.
  2. Even though the antivirus was powerful enough to detect and remove the Sality virus, it lacked real-time protection, which enabled the virus to overpower the antivirus.

Sality is a family of file-infecting viruses. It spreads by infecting .exe and .scr files. The virus also includes an autorun worm component that allows it to spread to any removable drive connected to the computer. In addition, Sality includes a downloader trojan component that installs additional malware from the internet. Sality has keylogging and backdoor capabilities. It may infect executable files by prepending its code to the host files.

Symptoms of infection:
Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, a .pif and an .exe file in the root of every drive it can find, along with an autorun.inf file containing instructions to load the dropped files when the drive is accessed.
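The autorun.inf mechanism just described is easy to check for before a drive is opened, which is the step the account above skipped. The following Python script is an added example, not part of the original post: it parses an autorun.inf and flags every entry that would launch a program, either automatically via AutoPlay (open, shellexecute) or when the user picks Open or Explore from the drive's context menu (shell\<verb>\command). Both sample autorun.inf files are constructed, and the dropped file names in the suspicious one are invented rather than real Sality indicators.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed autorun.inf of the kind Sality drops in a drive's root; the file
# names are invented for this example and are not indicators from the post.
SUSPICIOUS_AUTORUN = """[AutoRun]
open=vlwsk.exe
shell\\open\\Command=vlwsk.exe
shell\\explore\\command=kmcwe.pif
shellexecute=jwrs.cmd
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign autorun.inf such as a driver CD carries: icon and label only.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Printer drivers
"""

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".cmd", ".bat", ".vbs", ".js", ".lnk"}
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Read autorun.inf as the INI-style file Windows treats it as (section and key
    names are case-insensitive). Key case is kept so reports show the original text."""
    cp = configparser.RawConfigParser(strict=False)   # strict=False tolerates duplicate keys
    cp.optionxform = str
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}

def flagged_entries(text):
    """Return the (key, value) pairs that would run a program when the drive is
    opened by AutoPlay ('open', 'shellexecute') or when the user picks Open/Explore
    from the drive's context menu ('shell\\<verb>\\command')."""
    flags = []
    for key, value in parse_autorun(text).items():
        k = key.lower()
        launches = k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
        if not launches:
            continue
        # First token of the command is the program; strip surrounding quotes.
        target = value.strip().strip('"').split()[0] if value.strip() else ""
        ext = PureWindowsPath(target).suffix.lower()
        # A missing extension is treated as executable too: Windows may still resolve
        # it to a program, so it is safer to flag than to trust.
        if ext in EXECUTABLE_EXTENSIONS or ext == "":
            flags.append((key, value.strip()))
    return flags

def verdict(text):
    return "suspicious" if flagged_entries(text) else "clean"

if __name__ == "__main__":
    for label, inf in (("dropped by Sality", SUSPICIOUS_AUTORUN), ("driver CD", BENIGN_AUTORUN)):
        print(f"{label}: {verdict(inf)}")
        for key, value in flagged_entries(inf):
            print(f"  {key} = {value}")
```

A legitimate removable drive rarely needs more than icon and label entries, so any launch entry pointing at a file in the drive's root is worth treating as hostile until the file has been scanned.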

Removal:
Try removing it with antivirus software. If that fails, remove the hard disk from your computer, connect it to a friend's computer and boot into the operating system installed on his computer, making sure autorun is disabled there first. Then run an updated antivirus on his system. Antivirus products like avast!, BitDefender or Kaspersky can be used. AVG is a bit lame. Repair or delete the viruses found by the scan. Take care not to open any of the drives or files on your hard disk before running the antivirus on your friend's system, since doing so may infect his computer. Then detach the hard disk from his computer and reconnect it to yours. Then install a good, updated antivirus with real-time protection to prevent future infection. Avast provides real-time protection and I am satisfied with how it works, so I am recommending it for your computer.
