Expert Virus Removal Services and Technical advice.

We provide computer users with expert virus removal services and technical advice.

Threats and their Removal.

Do you need a quick solution to a technical problem? With our live remote-assistance tool, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Spyware and its Removal.

Are you worried that your computer might be infected with spyware? Then this is where you can find support.

Advice for Protecting the Computer.

Expert advice for protecting your computer from all kinds of threats.

Different Anti-Virus Software and Tools.

Getting familiar with different anti-virus software and removal tools.

January 3, 2011

Logic Bomb

A logic bomb is a program similar to a Trojan horse, with the same ability to damage data. Logic bombs include a timing device so that they go off at a particular date and time; the Michelangelo virus, for example, is embedded in a logic bomb. Other virus programs often include code similar to that used in logic bombs, but logic bombs can be very destructive on their own, even though they lack a virus's ability to reproduce.

Two New Year Threats

Facebook has been updating its site and improving it for better usability. Unfortunately, this has also given attackers and cyber criminals a chance to take advantage of the changes and exploit the social networking site to insert malicious content.

December 31, 2010

Man in the Middle and Redirection Attacks

We used to play a game where two people throw a ball to each other while a third person in the middle tries to intercept it; whoever intercepts the ball then swaps places with the person whose throw was intercepted.

In the cyber world, the game of keep-away gets a new twist: the two players have no idea the man in the middle (MITM) exists. It works like this:
  • Computer A initiates a conversation with Computer B
  • Computer C intercepts that attempt and then relays the request to Computer B
  • Computer B responds, Computer C intercepts the response, and returns it to Computer A
While computer C is intercepting the communication between A and B, it may change the data in the communication or even redirect it to an entirely different destination, while computer A still thinks it is receiving information from computer B.
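The relay above, as an added example that is not part of the original post: it simulates A, C and B as three functions and shows why a message integrity check (here an HMAC-SHA256 tag over a key shared only by A and B) lets B detect that C altered a message in transit. The key, the messages and the function names are constructed for the demo; in real deployments this role is played by TLS, which additionally authenticates the peer.

```powershell
# Added example (not from the original post): simulates the A -> C -> B relay
# described above and shows why a message integrity check defeats silent
# tampering. The shared key and messages are constructed for the demo.

$SharedKey = [System.Text.Encoding]::UTF8.GetBytes('constructed-demo-key-only')

function Get-MessageTag {
    # HMAC-SHA256 over the message text; only holders of the key can compute it.
    param([string]$Message, [byte[]]$Key)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        $bytes = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Message))
        return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
    } finally {
        $hmac.Dispose()
    }
}

function Send-FromA {
    # Computer A: attaches a tag computed with the key it shares with B.
    param([string]$Text)
    @{ Text = $Text; Tag = (Get-MessageTag -Message $Text -Key $SharedKey) }
}

function Invoke-RelayC {
    # Computer C: sits between A and B and can forward the packet unchanged
    # or rewrite the text. It does not hold the key, so it cannot recompute the tag.
    param([hashtable]$Packet, [string]$Rewrite)
    if ($Rewrite) { $Packet.Text = $Rewrite }
    return $Packet
}

function Receive-AtB {
    # Computer B: recomputes the tag and rejects anything that does not match
    # (a missing tag also fails, so C cannot simply strip it).
    param([hashtable]$Packet)
    $expected = Get-MessageTag -Message $Packet.Text -Key $SharedKey
    if ($expected -ceq $Packet.Tag) { "ACCEPT: $($Packet.Text)" }
    else { "REJECT: tag mismatch, '$($Packet.Text)' was altered in transit" }
}

# Run 1: C relays faithfully, B accepts.
Receive-AtB (Invoke-RelayC (Send-FromA 'pay 10 to account 1111'))
# Run 2: C rewrites the request, B rejects it.
Receive-AtB (Invoke-RelayC (Send-FromA 'pay 10 to account 1111') -Rewrite 'pay 10000 to account 9999')
```

The tag only protects integrity: C can still read every message, so confidentiality needs encryption on top, and if C can also impersonate B during the initial key exchange (a forged certificate, for instance) the shared key itself is compromised. That is why the practical defence is an authenticated channel such as TLS with certificate validation, not a bare MAC.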


Key Loggers

In general, keystroke logging is the act of tracking the keys typed on a keyboard without letting the user know that their actions are being monitored. In its simplest form, a keylogger trojan is malicious, surreptitious software that monitors your keystrokes, logs them to a file and sends them off to remote attackers. Key loggers can be classified as software key loggers and hardware key loggers.

December 30, 2010

Unconquered Zeus Threat

ZeuS is a well-known banking Trojan horse program, also classified as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored.

The US FBI, Secret Service, and various NY agencies have issued a joint Cyber-Security Advisory warning of the threat posed by the Zeus botnet specifically and of wire fraud risks from keylogger trojans in general. Zeus combines keylogger capabilities with man-in-the-middle (or man-in-the-browser) style attacks to steal online banking credentials.

How to remove Worm_Lamin.AC

First, I suggest you follow the proverb "prevention is better than cure", as it is better to be safe than to try to clean up after the system has been infected. Being careful when clicking unknown links, enabling a pop-up blocker, turning on the firewall on your system and keeping the anti-virus updated are some of the basic things we need to make sure are done to safeguard our system.

Manual removal of the worm:

Step 1: Turn System Restore off.
Step 2: End all processes that belong to the worm from the Task Manager Processes tab and delete their files.
Step 3: Sometimes you will not be able to delete the files from the locations found via the Processes tab or Process Explorer; in that case, restart the system in Safe Mode and try to remove the files.
Step 4: Enable the Registry Editor.
Step 5: Delete the registry values at the following paths:


  • In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Shell = %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE
  • In HKEY_CLASSES_ROOT\exefile
    • NeverShowExt =
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
    • Debugger = cmd.exe /c del

  • Delete the registry keys
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      • Svc
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\
      • FWCFG
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      • WinDefend
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

  • Restore these modified registry values
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • From: SuperHidden = 0
      • To: SuperHidden = 1
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
      • From: Type = 4
      • To: Type = 20
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
      • From: Type = 4
      • To: Type = 20
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
      • From: Type = 4
      • To: Type = 20
    • There will be another location with the same path; change the value there from Type = 4 to Type = 20 as well.

Search for and delete the following files in %Program Files%\Microsoft Office\OFFICE11\:
  • control.ini
  • Drvics32.dll
  • hjwgsd.dll
  • jwiegh.dll
  • PUB60SP.mrc
  • ruimsbbe.dll
  • smss.exe
  • yofc.dll
  • remote.ini


After doing this, please scan your computer using a good, updated anti-virus program.
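To check whether the registry values, keys and dropped files listed in the steps above are present on a machine, here is an added PowerShell audit script; it is not part of the original post and is not a vendor tool. It is read-only: it reports each indicator as OK, SUSPICIOUS or MISSING and changes nothing, so it can be run before the manual steps to confirm the infection and again afterwards to confirm the cleanup. Two assumptions of mine: the "Type = 20" above is regedit's hexadecimal display (0x20 = 32 decimal, the normal Type for these shared-process services), and since the post elides the Image File Execution Options application name, the script checks every IFEO subkey for a Debugger value that runs cmd.exe /c del. The function names are constructed.

```powershell
# Added example, not part of the original post: a read-only audit of the
# registry values, keys and dropped files listed above. It only reports;
# the manual steps above remain the cleanup.
# Assumption (mine): the "Type = 20" on the page is regedit's hexadecimal
# display, i.e. 0x20 = 32 decimal, the normal Type for these services.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value absent
    }
}

function New-Finding {
    param([string]$Where, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Where = $Where; Status = $Status; Detail = $Detail }
}

function Test-LaminIndicators {
    $f = @()

    # Values the worm writes. A per-user Winlogon Shell override is abnormal on its own.
    $shell = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    $f += New-Finding 'HKCU\...\Winlogon\Shell' $(if ($shell) { 'SUSPICIOUS' } else { 'OK' }) "value: '$shell'"

    $nse = Get-RegValueOrNull 'Registry::HKEY_CLASSES_ROOT\exefile' 'NeverShowExt'
    $f += New-Finding 'HKCR\exefile\NeverShowExt' $(if ($null -ne $nse) { 'SUSPICIOUS' } else { 'OK' }) 'hides the .exe extension when present'

    $lua = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system' 'EnableLUA'
    $f += New-Finding 'HKLM\...\policies\system\EnableLUA' $(if ($lua -eq 0) { 'SUSPICIOUS' } else { 'OK' }) "actual: $lua (worm sets 0)"

    $sh = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'SuperHidden'
    $f += New-Finding 'HKCU\...\Explorer\Advanced\SuperHidden' $(if ($sh -eq 0) { 'SUSPICIOUS' } else { 'OK' }) "actual: $sh (expected 1, worm sets 0)"

    # IFEO: the post elides the application name, so every subkey is checked
    # for a Debugger value that deletes the program instead of debugging it.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in (Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-RegValueOrNull $k.PSPath 'Debugger'
        if ($dbg -and $dbg -match '^\s*cmd(\.exe)?\s+/c\s+del') {
            $f += New-Finding "IFEO\$($k.PSChildName)\Debugger" 'SUSPICIOUS' "value: '$dbg'"
        }
    }

    # Service Type values the worm changes from 0x20 to 4.
    foreach ($svc in 'wscsvc', 'SharedAccess', 'wuauserv') {
        $t = Get-RegValueOrNull "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Type'
        $status = if ($null -eq $t) { 'MISSING' } elseif ($t -eq 32) { 'OK' } else { 'SUSPICIOUS' }
        $f += New-Finding "Services\$svc\Type" $status "actual: $t (expected 0x20 = 32)"
    }

    # Keys the worm deletes; absence is the indicator.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc',
                   'HKLM:\SOFTWARE\Microsoft\Tracing\FWCFG',
                   'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend') {
        $f += New-Finding $k $(if (Test-Path -LiteralPath $k) { 'OK' } else { 'MISSING' }) 'key deleted by the worm'
    }

    # Dropped files. WINWORD.EXE is not listed because a genuine Office 2003
    # install also places it in OFFICE11; verify that one by its signature instead.
    $office = Join-Path $env:ProgramFiles 'Microsoft Office\OFFICE11'
    $dropped = 'services.exe', 'control.ini', 'Drvics32.dll', 'hjwgsd.dll', 'jwiegh.dll',
               'PUB60SP.mrc', 'ruimsbbe.dll', 'smss.exe', 'yofc.dll', 'remote.ini' |
               ForEach-Object { Join-Path $office $_ }
    $dropped += Join-Path ([Environment]::GetFolderPath('Startup')) 'Adobe Gamma Loader.com'
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) { $f += New-Finding $p 'SUSPICIOUS' 'dropped file present' }
    }
    return $f
}

$result = Test-LaminIndicators
$result | Format-Table -AutoSize
"{0} indicator(s) need attention" -f @($result | Where-Object Status -ne 'OK').Count
```

Run it from an elevated PowerShell session, since the HKLM keys and the service entries are not readable in full otherwise. A clean machine shows every row as OK; any SUSPICIOUS or MISSING row points at the exact step above that still needs to be done.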

Worm_Lamin.AC

This worm propagates via online instant messaging applications like Yahoo Messenger, Gtalk, MSN Messenger or Digsby.


Effects:

  • Deletes registry entries related to anti-virus and security applications, resulting in improper functioning of anti-virus programs and leaving system security at risk
  • Disables Security Center functions such as the firewall and security updates
  • Disables the Internet Connection Sharing service, which disables sharing
  • Sends a copy of its link in instant messages
It drops the following files in the system:

  • %Program Files%\Microsoft Office\OFFICE11\services.exe
  • %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE
  • %User Startup%\Adobe Gamma Loader.com

  1. These DLL and support files are loaded into the system Program Files: Drvics32.dll, hjwgsd.dll, jwiegh.dll, PUB60SP.mrc, remote.ini, yofc.dll, ruimsbbe.dll and smss.exe; the worm also creates an auto-start entry in the registry that points at the Word executable.
  2. It also disables the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, which prevents booting into Safe Mode, and changes the values of the Explorer, Shared Access and service-related registry entries to 4.
  3. It also pings many harmful sites using the command prompt.
  4. The spam messages sent are predetermined, listed in HJWGSD.DLL, and contain the link http://bukuger{BLOCKED}.hared.com. Copies of the malware may be downloaded from this site, which is currently inaccessible.
So please be careful when clicking any links in instant messenger applications.
