Expert Virus Removal Services and Technical Advice.

We provide computer users with expert virus removal services and technical advice.

Threats and their Removal.

Do you need a quick solution to a technical problem? With our live remote-assistance tool, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Spyware and its Removal.

Are you worried that your computer might be infected with spyware? Then this is where you can find support.

Advice for Protecting the Computer.

Expert advice for protecting your computer against attacks from all kinds of threats.

Different Antivirus Software and Tools.

Getting familiar with different antivirus software and removal tools.

January 5, 2011

Zero-Day Vulnerability in IE

Internet Explorer has become the victim of another zero-day vulnerability. The vulnerability is present in IE versions 6, 7 and 8. Cyber criminals have chosen reputed companies like Microsoft and Adobe, using their software to attack users; the commonly targeted software is Internet Explorer (IE), Adobe Reader and Adobe Acrobat. There has been a script exploit in IE that could allow a remote malicious user to infiltrate a system without the user's knowledge.

Users may receive this script by visiting malicious websites that probe for the vulnerability in IE. Once the vulnerability is found, the infected system attempts to connect to a URL to download a malicious file that is detected as BKDR_BADEY.A. In the background it also connects to other URLs to download encrypted files. These files, when decrypted, contain commands that the backdoor program is capable of executing.

The most common reason this script is dropped into IE on users' systems is to allow a remote malicious user to take control of the infected system and run code on it, making the PC do whatever the malicious user wishes.

The two files responsible for exploiting this vulnerability are:
  • BKDR_BADEY.A (%User Temp%\log.gif)
  • HTML_BADEY.A (the HTML script)
The HTML script executes the downloaded file %User Profile%\Application Data\alg.exe, so the malicious routines of the downloaded file are carried out on the affected system. The downloaded file is then deleted by the HTML script after execution.

Deleting this threat:

Step 1: Disable System Restore and do a full system scan of your computer.
Step 2: Remove the above-mentioned files HTML_BADEY.A and BKDR_BADEY.A.
Step 3: If they are not removed, restart the PC in Safe Mode and remove those files.
Step 4: Delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
Step 5: Delete the files in the temp folder, specifically %User Temp%\filename.tmp
Step 6: Restart the system in Normal Mode and scan it using a good anti-virus program like Trend Micro, Symantec or McAfee.

Most Dangerous Keywords or Search Words

One of the ways we get attacked by a virus, or our computers become prone to viruses, is through the search engine. The possible vectors include a keylogger attached to the links you get when you type in a search, malware attached to those links, botnets attached to the search engines on particular sites, and redirections when you type particular keywords into the search box. Apart from all these, the keywords we type in attract some of the malware and viruses on the internet.

How to Remove TSPY_ZBOT.XMAS Malware Manually

For removing this type of malware we need to follow a certain procedure, which is common for this family of infections. First and foremost, disable System Restore and do a full system scan. Then we need to remove the files dropped by the virus HTML_IFRAME.SMAX; they will be in the Application Data folder. When we scan using any anti-virus program it will download

Identify and delete files detected as TSPY_ZBOT.XMAS using the Recovery Console, which requires a startup disc. Press R when prompted at boot time. Go to the drive using the command cd "C:" (taken as an example). Go to the folder that has the infected files using the same command. Delete the files using the command del "filename".

Restore the modified registry value:

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: Userinit = %System%\userinit.exe,%System%\sdra64.exe,
    • To: Userinit = %System%\userinit.exe,

Delete the following registry values:
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • EnableFirewall = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    • UID = {computer name}_{23645898}
  • In HKEY_USERS\.DEFAULT\Software\Microsoft
    • Protected Storage System Provider
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
    • {43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • {19127AD2-394B-70F5-C650-B97867BAA1F7}

The next step is to delete the files in the system folder by typing %System%\lowsec in the search box. After this we need to delete the hosts file entries that are below the localhost line. After all these steps, do a full system scan using a good anti-virus like Trend Micro, Norton etc. This will completely remove the virus.
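As an added defender-side example (not code from this blog or from any anti-virus vendor), the following Python audits a constructed snapshot of the registry values and hosts file named in the two removal procedures above, the NWCWorkstation service key from the IE post and the Winlogon Userinit, firewall policy, Network UID and hosts entries from the ZBOT post, and computes the restored Userinit value. The snapshot layout (key paths as dictionary keys), the function names and the sample data are assumptions made for this example.

```python
"""Audit a registry/hosts snapshot for the persistence artefacts named in the
two removal procedures above and compute the restored Userinit value."""
import re

# Registry paths quoted in the posts (snapshot keys are plain path strings; an assumption).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
NETWORK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network"
BADEY_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation"
CLEAN_USERINIT = r"%System%\userinit.exe,"  # the trailing comma is normal on a clean system

def restore_userinit(value: str) -> tuple[str, list[str]]:
    """Return (restored Userinit data, entries appended after userinit.exe).
    Only userinit.exe belongs there; an extra entry such as sdra64.exe is a
    persistence hook that runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if e.lower() != r"%system%\userinit.exe"]
    return CLEAN_USERINIT, extras

def audit(registry: dict, hosts_text: str) -> dict:
    """registry: {key path: {value name: data}}; hosts_text: contents of the hosts file."""
    findings = {}
    _, extras = restore_userinit(registry.get(WINLOGON_KEY, {}).get("Userinit", CLEAN_USERINIT))
    if extras:
        findings["userinit_extras"] = extras
    if registry.get(FIREWALL_KEY, {}).get("EnableFirewall") == 0:
        findings["firewall_disabled"] = True
    if "UID" in registry.get(NETWORK_KEY, {}):
        findings["zbot_uid"] = registry[NETWORK_KEY]["UID"]
    if BADEY_SERVICE_KEY in registry:
        findings["badey_service"] = True
    # Any uncommented hosts line other than the localhost mapping is a suspect redirect.
    lines = [ln.strip() for ln in hosts_text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    extra_hosts = [ln for ln in lines if not re.match(r"^(127\.0\.0\.1|::1)\s+localhost$", ln)]
    if extra_hosts:
        findings["hosts_entries"] = extra_hosts
    return findings

# Constructed sample snapshot mirroring the posts' indicators; not real telemetry.
SAMPLE_REGISTRY = {
    WINLOGON_KEY: {"Userinit": r"%System%\userinit.exe,%System%\sdra64.exe,"},
    FIREWALL_KEY: {"EnableFirewall": 0},
    NETWORK_KEY: {"UID": "WORKSTATION_{23645898}"},
    BADEY_SERVICE_KEY: {},
}
SAMPLE_HOSTS = "# constructed hosts file\n127.0.0.1 localhost\n127.0.0.1 update.example.invalid\n"
```

Running audit(SAMPLE_REGISTRY, SAMPLE_HOSTS) reports every artefact in the sample, while a snapshot with no such entries and a hosts file containing only the localhost line returns an empty dict.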


This is a very dangerous spyware which lures users into performing tasks that may result in malicious routines or programs running on their systems. It comes as a Christmas card and deceives users into believing that they are not accessing a malicious site.
