Expert Virus Removal Services and Technical advice.

We are Providing Computer users with Expert Virus Removal Services and Technical Advice.

Threats and their Removal.

Do you need a quick solution to a technical problem? With our live remote-assistance tool, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Spywares and their Removal.

Are you worried that your computer might be nfected with Spywares? Then this is were you can find Support.

Advices for Protecting the Computer.

Expert Advices for Protecting your computer from attacks from all threats

Different Anti Virus Software and Tools.

Familiarizing different Anti Virus Software and removal Tools.

January 31, 2011

WORM_STRATION.FA

It is another email virus that comes as an attachment. This worm propagates by attaching copies of itself to email messages that it sends to target addresses gathered from the Windows Address Book. It is capable of sending email messages without using mailing applications, such as Microsoft Outlook. Its main payloads are dropping and downloading malicious file.

SASFIS

It arrives via a spammed message with a .RAR file attachment. Extracting the compressed file reveals what appears to be an .XLS file. This Trojan drops a file detected as BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.

January 29, 2011

Email Spoofing


E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can be used legitimately. Classic examples of senders who might prefer to disguise the source of the e-mail include a sender reporting mistreatment by a spouse to a welfare agency or a "whistle-blower" who fears retaliation. However, spoofing anyone other than yourself is illegal in some jurisdictions.

January 28, 2011

W32.Sobig.F

It is a mass mailing worn that infects hosts computer with innocuously named e-mail attachments such as application.pif and thank_you.pif .When activated, this worm transmitted itself to e-mail addresses discovered on a host of local file types. The end result was massive amounts of Internet traffic. Upon execution, this worm drops a copy of itself in the Windows folder as WINPPR32.EXE. It also drops a non-malicious text file, WINSTT32.DAT, in the Windows folder. 

Most Dangerous Threats

These are some of the most dangerous threats:
 
NIMDA:
Shortly after the September 11 tragedy this computer virus infected hundreds of thousands of computers worldwide. Nimda was considered to be one of the most complicated viruses, having up to 5 different methods of infecting computers systems and duplicating itself. It was started in 2001.

SAPPHIRE:
SQL Slammer, also known as Sapphire, was launched on January 25, 2003. It was a doozy of a worm that had a noticeable negative impact upon global Internet traffic. Its target was servers. The virus was a single-packet, 376-byte worm that generated random IP addresses and sent itself to those IP addresses. If the IP address was a computer running an unpatched copy of Microsoft’s SQL Server Desktop Engine, that computer would immediately begin firing the virus off to random IP addresses as well.

Slammer infected 75,000 computers in 10 minutes which is very remarkable. The outrageously high amounts of traffic overloaded routers across the globe, which created higher demands on other routers, which shut them down, and so on.

 BLASTER: 
The summer of 2003 was a rough time for businesses running PCs. In rapid succession, IT professionals witnessed the unleashing of both the Blaster and Sobig worms. Blaster, also known as Lovsan or MSBlast, was the first to hit. The virus was detected on August 11 and spread rapidly, peaking in just two days. Transmitted via network and Internet traffic, this worm exploited a vulnerability in Windows 2000 and Windows XP, and when activated, presented the PC user with a menacing dialog box indicating that a system shutdown was imminent.
Hidden in the code of MSBLAST.EXE — the virus’ executable ” were these messages: “I just want to say LOVE YOU SAN!!” and “billy gates why do you make this possible? Stop making money and fix your software!!”


SOBIG: 
The Sobig worm hit right at the end of Blaster, making August 2003 a miserable month for corporate and home PC users. The most destructive variant was Sobig.F, which spread so rapidly on August 19 that it set a record (which would later be broken by MyDoom), generating over 1 million copies of itself in its first 24 hours.
                   The virus infected host computers via innocuously named e-mail attachments such as application.pif and thank_you.pif. When activated, this worm transmitted itself to e-mail addresses discovered on a host of local file types. The end result was massive amounts of Internet traffic. On September 10, 2003, the virus deactivated itself and is no longer a threat. 

MyDoom

For a period of a few hours on January 26, 2004, the MyDoom shockwave could be felt around the world as this worm spread at an unprecedented rate across the Internet via e-mail. The worm, also known as Norvarg, spread itself in a particularly devious manner: It transmitted itself as an attachment in what appeared to be an e-mail error message containing the text “Mail Transaction Failed.” Clicking on the attachment spammed the worm to e-mail addresses found in address books. MyDoom also attempted to spread via the shared folders of users’ Kazaa peer-to-peer networking accounts.
The replication was so successful that computer security experts have speculated that one in every 10 e-mail messages sent during the first hours of infection contained the virus. MyDoom was programmed to stop spreading after February 12, 2004.

DOWNAD

The latest and most dangerous virus is the downadup worm, which was also called “Conficker”.  computer virus has infected 3.5 million computers worldwide. This malicious program was able to spread using a patched Windows flaw and Vulnerability. Downadup was successful in spreading across the Web due to the fact that it used a flaw that Microsoft patched in October in order to distantly compromise computers that ran unpatched versions of Microsoft’s operating system. But the greatest power of the worm is believed to be the ability of computers, infected with the worm, to download destructive code from a random drop point

Trojan Remover

Trojan or trojan horse is software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. Once a Trojan horse has been installed on a target computer system, a hacker may have access to the computer remotely and perform various operations, limited by user privileges on the target computer system and the design of the Trojan horse. 

Denial Of Service Attack

It is is an attempt to make a computer resource unavailable to its intended users by remote users. This is one of the Botnet Attacks. It generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Creators who use make or program this attack will target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.  


Types of Botnet Attacks

Bot net is a like a robot that sends some codes to remote user as requested by him. It first scans the computer or network for different vulnerabilities and it will use different types of attack . And we have seen what


  • Denial-of-service attacks where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use and cause the system to become busy.
  • Adware exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.
  • Spyware is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet.
  • E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.
  • Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.
  • Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers.
  • Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Measures to prevent it:


  • The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.
  • Removing services that provide reference points to botnets can cripple an entire botnet.
  • Updating the Operating system that will avoid or fill all the vulnerabilities will also prevent botnets.
  • You may go to opt for products like Norton Anti-Bot and other products given by different anti-virus companies will help in removing the botnets.


January 27, 2011

Botnet

A botnet is a collection of software agents, or robots, that run autonomously and automatically. It also refers to a network of computers using distributed computing software. A computer "robot" or "bot" that serves the wishes of some master spam or virus originator. The main motive behind these botnets is financial gain along with recognition. Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots.

January 26, 2011

Famous Hacking tools

Hacking tools are designed or programmed to scan other computers, networks, IP Addresses for vulnerabilities, passwords or any other required data.

Backdoor BREPLIBOT.C


This memory-resident backdoor arrives on a system as an attachment in spammed email messages. It may also arrive as a dropped or downloaded file from a remote malicious user. Upon execution, this backdoor drops a copy of itself in the Windows system folder.This backdoor uses Digital Rights Management (DRM) Software, which is a form of rootkit technology, in an attempt to hide malware-related files, folders, and processes.

Hacking Tool


Rootkits are used to hide system information, such as running processes, files, or registry entries. This technology is used in creating a tools that helps in hacking other machines. First 4 Internet Ltd has developed a tool that is a valid Digital Rights Management Software package. As a standalone application, it is non-malicious but some of the malicious application use it to hide their infiltrated files and auto start registry entries thus making the detection more difficult.

This rootkit is  installed in :C:" that is system folder and in windows sub-folder using a file name ARIES.SYS. The said rootkit is then executed as a service by an installation package and is configured to execute at every system startup by creating the following registry entries
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries 
This hides files folders and registry keys the begin with the string $sys$ in the Windows operating system. This prevents the user from viewing any files, folders and registry keys that begin with the said string.


There are two malware that will utilize this tool BKDR_BREPLIBOT.C , BKDR_BREPLIBOT.D. 

Removal: 
Take a back up of registry before you edit any thing in registry for this tool. Disable System Restore.
  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
  3. Still in the left panel, locate and delete the subkey:
    $sys$aries
  4. Close Registry Editor.
Scan your computer in safe mode with a good anti-virus like Trend Micro, Symantec to remove the files that are installed by malware that uses this tool and also this tool. Even online scanners like Housecall, Rootkit revealer, avast online scanner etc will detect this tool and will remove it.

January 25, 2011

Removal of NETSKY


This is a Email virus that comes in email attachments and just opening the email will affect the system.We have to find the malware program first. There are many automatic cleaner programs from Trend Micro, Symantec, or Kaspersky etc but preferably manual removal will give us a better cleaning of the file.

Net Sky Worm

This NETSKY variant spreads via email as a .PIF attachment and gathers email addresses from the files with Different extensions on all the drives.The email message it sends out has varying subjects, message bodies and attachment file names. This worm also deletes several autorun registry entries associated with the following malware in an attempt to prevent their automatic execution.

TSPY_ARDAMAX.HR

This is the additional infection that infects as a result of exploit HTML_SHELLCOD.SM which will be as a result of IE vulnerability. It steals information and sends it to FTP servers from where some malicious codes that run multiple routines on the infected systems. It logs keystrokes and accesses certain sites and chat logs, which further compromises a user’s privacy.

January 24, 2011

Virus that infects Executable Files

This is a virus that will spread  through computers. This file infector may be downloaded by other malware/grayware/spyware from remote sites. This comes with HTML_SHELLCOD.SM exploit that will allow 6more infections along with this. It drops a file that contains the main malicious code and is detected as PE_PARITE.A-O.

TROJ_GAMETHI.FMS

This is a Trojan Horse that will come in disguise of the users. Trojans are usually downloaded from the Internet and installed by unsuspecting users with or without their consent.Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an anti-virus program.

This comes in a combination of malware when there is an exploit HTML_SHELLCOD.SM. It brings 8 infections out of which Troj_GAMETHI.FMS is one of them. 


Effects:
This trojan drops copies of itself in system32 folder with a name
  • fqtkz.exe
It creates the following registry keys 
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main
    TabProcGrowth = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\URL
    SystemMgr = "Del"
Removal:

1) Disable system restore.
2) Use Process explorer tool to find the processes that are related to the Trojan.
3) If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode.
Search and delete the registry keys

  • In HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
    Internet Explorer\Main
    • TabProcGrowth = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
    Windows\CURRENTVERSION\URL
    • SystemMgr = "Del"
     
Delete the files that are dropped by the trojan in the system 32 folder. Uncheck Hide protected operating system files in Folders Option>View tab, and then check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result as the trojan may apply the hidden attributes to the files it dropped.

January 22, 2011

Multiple Malware

There are instances where more than one malware infecting at a same time because of many vulnerabilities and many ways that different malware can attack on a PC. It leads to severe situations and that will crash the PC entirely. There is one particular exploit that brings all the malware and trojans at a time HTML_SHELLCOD.SM that exploits CVE- 2010 3962 and because of which following trojans and malware attack the PC:

  • TROJ_LAMECHI.D,
  • JS_EXPLOIT.ADA,
  • JS_EXPLOIT.SM1, 
  • HTML_SHELLCOD.SM, 
  • TROJ_DLOADER.DAM, 
  • TROJ_GAMETHI.FMS, 
  • PE_PARITE.A, 
  • TSPY_ARDAMAX.HR
HTML_SHELLCOD.SM, a recently discovered malware that took advantage of a certain vulnerability in Internet Explorer (IE) and after all these infections infect the system and it many eagle-eyed cybercriminals look to further to inject their malicious money-making machinations that exploits all of the vulnerabilities present in the most efficient way possible.


Once HTML_SHELLCOD.SM has successfully taken advantage of the Uninitialized Memory Corruption Vulnerability (CVE-2010-3962) in IE, it connects to various URLs to download other malicious files detected as TROJ_LAMECHI.D, JS_EXPLOIT.ADA, JS_EXPLOIT.SM1, HTML_SHELLCOD.SM, TROJ_DLOADER.DAM, TROJ_GAMETHI.FMS, PE_PARITE.A, and TSPY_ARDAMAX.HR onto the affected systems.

This malware can render an infected system unusable.and puts the user’s confidential information at risk if another malware with backdoor capabilities affect the system. For instance, TROJ_GAMETHI.FMS, one of the malware HTML_SHELLCOD.SM downloads, steals user names and passwords related to popular online games such as Maple Story, Dungeon Fighter, Ragnarok Online, and World of Warcraft and can compromise the user accounts.

TSPY_ARDAMAX.HR will drop a file named TROJ_GAMETHI.FMS which drops more files on the infected system.  It also logs keystrokes and accesses certain sites and hacks chat logs which compromises user's privacy by stealing usernames and passwords. TROJ_GAMETHI.FMS terminates processes and downloads component files.

 PE_PARITE.A is a malware that infects .exe and .scr fils and spreads the entire network drives by choosing a port.

Prevention: 
Users can prevent this threat by updating their operating system with all the available patches and updating their anti-virus with latest updates. Scan the PC with the updated Malware by disabling system restore, it will remove the threat.

DIAL THREAT

Dialers dial to predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long distance numbers or connect to pay-per-call sites in any browser; and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.

Symptoms Of Malware

Malware is the short form of malicious software, is a software designed to secretly access a computer system without the owner's consent or knowledge. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or program that will

RootkitRevealer

RootkitRevealer

RootkitRevealer is an advanced rootkit detection utility. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender.


January 21, 2011

True Myths About Computer Viruses

One of the main reasons viruses have become such a threat to today's computer systems is the fact that modern viruses are different in almost every way from what they were in the past. But most computer users are aware of these changes and their idea of enough protection against viruses, worms, and Trojan horses it is still less than what is necessary. Some myths have turned into real situations as time passed by.

Symptoms of a Rootkit

Rootkit


A Rootkit may be composed of one program or a combination of malicious programs that are designed to take control of your computer. Basically, a rootkit will allow hackers or outside attackers have root access to an infected computer. They can virtually act as an administrator and have access to your system without your permission.

Rootkits were originally legitimate programs that gave a user or administrator control to fix issues on an unresponsive computer. Nowadays, hackers have used this type of technology for malicious purposes at the expense of computer users, who often times are unaware that they’ve been infected with a rootkit.

 

20th Century's Most Dangerous Infections

Viruses saw light and managed to cause serious damages to unprepared users and their machines. Millions of users downloaded computer viruses without even knowing about it. Hackers used various ways of penetrating the systems of universities from around the world, even NASA, armed Forces and Government Sites.It shows the increased level of mastery in writing virus programs, malware or hacking methods.


Jerusalem
The virus was named Jerusalem because it was identified in a Hebrew university. For the first time it was discovered in 1987 on October 1, but in 1991 antivirus experts found that Italy is the country where the first traces of the computer virus were noticed. Initially the Jerusalem virus included a bug that led to a repeat infection of the files that continued until the size of the files overcome computer resources. In addition, each Friday 13 it deleted all programs in the infected system as a result of a malicious payload that set off on the respective day. Jerusalem considerably slowed down the machine. A person could identify the virus but noticing two lines on the monitor.

 


Morris or  Internet Worm:
We wrote about this computer worm, which is believed to be one of the first worms that spread over the Internet. The name of the virus comes from its developer Robert Tappan Morris, who was a student at Cornell University. The computer worm was set off on November 2, 1988 and after some time it managed to infect 6,000 to 9,000 machines. It overloaded the whole Internet, leading to the failure of a large number of servers. According to its developer, the goal was to discover just how far and fast a computer worm can spread all over the network. Robert Tappan Morris was found guilty and sentenced to 3 years of probation along with 400 hours of community service. In addition, he had to pay a $10,000 fine.

CIH or Chernobyl:

CIH virus that caused an estimated damage of $20 to $80 million around the globe, the computer virus managed to affect huge amounts of data stored on computers. Later it was discovered that the computer virus was launched in Taiwan. It has been recognized to be one of the most dangerous computer viruses in history that has infected Windows 95, 98, and ME executable files. In addition, CIH remained resident in the memory of the machine, being able to carry on infecting other executables. After being activated, the virus overwrote data on the HDD of the infected PC, making the latter inoperable. CIH could also overwrite the BIOS of the infected computer, thus preventing boot-up. The second name of the virus - Chernobyl - was given because some of the biggest damages occurred on the day when the nuclear reactor exploded.

Solar Sunrise :
It is the name of the situation that occurred in 1998 when a team of hackers managed to take control of more than 500 computer system of the army, government as well as private sector of the United States. The name Solar Sunrise comes after the well-known vulnerabilities in machines that run on the Sun Solaris OS. At first the attack was believed to have been organized by hackers from Iraq, but later it was discovered that the ones to blame were two American youngsters from California.


Barrotes - 1993:
This is believed to be the first popular computer virus developed in Spain. As soon as it infected the system, it would remain there until January the 5th, when it would set off showing a series of bars on the screen. It infected .COM, .EXE and overlay files. The Barrotes computer virus represents a resident virus - it becomes a resident of the computer memory each time the machine starts up. Due to a series of vertical lines that appear on the monitor, it was easy to identify the virus. It could also overwrite the Master Boot Record of the HDD, thus making it impossible for the uses to access the hard disk.

There are many more viruses that are dangerous and damages the system very badly. We need to get a good anti-virus that has good search engine and which updates regularly and protects our computer.

January 20, 2011

Dangerous Things On Web

There are list of topics that will download viruses without our knowledge.There are list of threats or dangerous places by going where you may download unwanted infections.

Identifying Virus, Worm and Trojan -Symptoms

A Computer Virus can attack a PC in many number of ways; email attachments, clicking on links, pen drives, from network computers. Symptoms or identifying a virus infection will be based on many things and the main identifiers are listed below:



  • The computer crashes, and then it restarts every few minutes in the middle of something.
  • The computer restarts on its own.
  • Applications on the computer do not work correctly.
  • Disks or disk drives are inaccessible.
  • You cannot print items correctly.
  • You see distorted menus and dialog boxes.
  • There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe. extension.
  • An antivirus program is disabled for no reason and cannot be restarted.
  • An antivirus program cannot be installed on the computer, or the antivirus program will not run.
  • New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
  • A program disappears from the computer even though you did not intentionally remove the program.

Symptoms of worms and trojan horse viruses in e-mail messages:

When a computer virus infects e-mail messages or infects other files on a computer, you may notice the following symptoms:
  • The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
  • A copy of the infected file may be sent to all the addresses in an e-mail address list.
  • The computer virus may reformat the hard disk which will delete all files and programs.
  • The computer virus may install hidden programs, such as pirated software that will deactivate the original version and sells the same pirated version.
  • The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
  • You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
  • Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files that are attached to the e-mail messages have extensions such as .exe, .bat, .scr, and .vbs extensions.
 

Virus and Its Properties

A computer virus is a small software program that spreads from one computer to another computer and that interferes with computer operation.Viruses can spread from one system to another system on a network. Computer viruses are most easily spread by attachments in e-mail messages or by instant messaging messages. Therefore, you must never open an e-mail attachment unless you know who sent the message or unless you are expecting the e-mail attachment. Computer viruses also spread by using downloads on the Internet. Computer viruses can be hidden in pirated software or in other files or programs that you may download. A true virus can spread from one computer to another, when its host is taken to the target computer. They are platform independent which means it can affect any operating system depending on its programming function. They can even disable or destroy hardware.

WORM_DOWNAD.KK

This is the latest variant of Worm_Downad.It exploits software vulnerabilities to propagate to other computers across a network. This Worm may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

WORM_DOWNAD.A

This is the primary variant of the family Conflicker/Downad. This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with free software packages as a malware component.

January 19, 2011

Virus That Damages Hardware

Virus is elaborated as Vital Information Resource Under Seige. A virus is capable of damaging hardware like hard drive, DVD drive, processor, motherboard, etc. There has been much debate on this topic whether it will infect the Hardware on the PC or is it just limited to Software.

Conflicker/Downad Prevention

The Conficker/DOWNAD worm makes use of a domain generation algorithm (DGA) to download other malware onto infected systems. It prevents user access to antivirus-related sites and propagates via removable drives, network shares, and peer-to-peer (P2P) networks.It drops Autorun.inf in the available hard drives.

Conflicker/Downad became Intense

This worm comes in four ways and attacks in four different ways. Its variants are Worm_Downad.A, Downad.Ad, Downad.KK, Downad.E. This is a worm that will infect through pendrives, as a bundled package with some malicious software.
This gave the worm the reputation of being one of the most notorious malware to ever set foot in the threat landscape. In fact, more than two years after its rise to infamy, its variants continue to infect thousands of unpatched systems worldwide.

Removal of New Folder Virus

New Folder is a file replicator that drops itself in each and every folder that is there on the hard disk. It will have a characteristics in such a way that it will be skipped from anti-viruses. It eats up the disk space and will make the hard drive crash and will destroy the complete hard drive completely.
It mainly propagates using a USB drive or thumb drive or a pen drive.

WORM_SOHANAD.MY

This is a worm that spreads Propagates via network shares, instant messaging applications,  via removable drives and copies itself in all available physical drives. This worm may be downloaded from remote sites by other malware and It drops copies of itself and sets the attributes of its dropped files to hidden and read-only.  It may be downloaded unknowingly by a user when visiting malicious Websites and that also spreads via removable drives.

TOP 5 VIRUS INFECTIONS OF ALL TIME

VIRUS is an acronym which stands for Vital Information Resources Under Siege. Computer Virus creates lots of problem in an organization which would result in millions, even billions of dollars in damages and losses.

January 18, 2011

Removal of WORM_SOHAND.MY

As this is the worm that auto-executes and comes from different means we may need to be cautious while clicking on any link on the internet and in instant messaging.


Removal Steps: 
  • Disable System Restore
  • Use process explorer to find the files loaded by WORM_SOHAND.MY that are running as processes kill their processes.
  • Enable registry Editor, Task Manager, and Folder options 
  • Delete the registry value
  • HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run 
                Yahoo Messengger = "C:\windows\gphone.exe" or "Users\Desktop" in Vista
  • HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>WorkgroupCrawler> Shares    shared = "\New Folder.exe"
  • HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule          AtTaskMaxHours = "0"
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • From: Shell = "Explorer.exe gphone.exe"
  • To: Shell = "Explorer.exe" 
Locate the file AutoRun.INF in all the drives, open it with notepad and if you find the lines 
  • [AutoRun]
  • Open=gphone.exe
  • Shellexecute=gphone.exe
  • Shell\Open\command=gphone.exe
  • Shell=Open 
Delete the file from all the folders.
Also delete the files   
  • %User Temp%\log_{time stamp}.txt
  • {install path}\setting.ini 
  • {install path}\setting.ini.old 
Select My computer from the drop down list and shift delete them to delete permanently. 
Delete the scheduled task
  • System%\{malware file name}.exe

Facebook Threat Feasibility

Facebook's advanced search feature has brought some of the vulnerabilities in it to the lime light. If some one sets up a habit as smoking and chooses the option only friends should see it, that profile is being displayed when it is searched by advanced search. It is not blocking unless their profile is being excluded from searches.

Facebook Threats

Facebook is the most used social networking website now a days which has attracted the hackers and attackers to pay interest on this most famous site. They have attacked in different ways:

Removal of Worm.TDSS.TX

The Trojan has Drops files, Lowers Internet Explorer(IE) security settings, Modifies the Internet Explorer Zone Settings as the payload. It might have occurred by user visiting a malicious website.  The removal of it will have the following steps :

  1. Disable System Restore
  2. Deletes the files dropped by the worm that is EXPL_CPLNK.SMA.
  3. Restart the computer in Safe mode
  4. Check mark Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files in the search result\
  5. Delete the registry values

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    • acceptlanguage=en-us
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    • svchost.exe=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • maxhttpredirects=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • enablehttp1_1=1
     
 Restore the modified values to their default values :
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • From: CurrentLevel=0To: CurrentLevel=69632
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • From: 1601=0To: 1601=1
     
 Scan your computer with a good anti-virus program which will remove the worm completely.

WORM_TDSS.TX

This is a very dangerous threat. It attacks the known vulnerability to drop the EXPL_CPLNK.SMA which drops the routines in to the affected system. It lowers the system security and allows access to malicious sites automatically.

Effects:
  • It basically exploits the Zeroday exploit 
  • It also lowers Internet Explorer(IE) security settings, allowing auto access to sites with malicious code to run.
  • To propagate, it drops copies of itself into network shares, thus, making itself available to other users
  • This worm may be unknowingly downloaded by a user while visiting malicious websites
  • It executes then deletes itself afterward
  • It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
  • It modifies the Internet Explorer Zone Settings.
It modifies the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    CurrentLevel = 0 where default value is 69632. 
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1601 = 0 where default value being 1. 

It adds the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international; acceptlanguage = "en-us"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    svchost.exe = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings maxhttpredirects = 8888
  •  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings enablehttp1_1 = 1
Mode of Attack:
This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system
It drops itself on network drives with the names 
  • setup{random number}.dll
  • setup{random number}.dat 
  •   setup{random number}.lnk –  EXPL_CPLNK.SMA
This worm does the following:
  • Creates a copy of itself named C:\Documents and Settings\{user name}\Local Settings\Temp\{random file name}.TMP
  • Changes its file characteristics to .DLL

January 17, 2011

TROJ_RANSOM.QOWA

This trojan uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it disables functionality of the compromised computer so that victims are forced to dial a premium-rate SMS number. It displays a message and prevents users accessing their desktops and applications after which users are forced to provide the required ransom by dialing the premium-rate SMS number displayed on the screen. This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It modifies registry entries to enable its automatic execution at every system startup.

HouseCall - Free Online Virus Scan

Housecall is one of the free online virus scanners that is good in finding many kinds of threats. It is highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware. It is a highly rated software that gives almost all-round protection to our computer. 

Features: 
  • It has a well-known and user friendly interface.
  • It perform fast scans that target critical system areas and active malware. 
  • Its Recent Version has advanced feature of full system scan and custom scan as well.
  • Smart Scan technology refers to patterns in the cloud, delivering the latest protection while reducing download times.
  • Stand-alone, browser-independent implementation eliminates compatibility issues associated with browser-activated scanners.
  • Enhanced detection and cleanup addresses rootkits and other sophisticated threats.
System Requirements: 

  • Windows 7 (32-Bit, 64-Bit), Service Pack 1 or higher, CPU: 300 MHz, Memory: 256 MB, Disk space: 200 MB
  • Windows Vista (32-Bit, 64-Bit), Service Pack 1 or higher, CPU: 300 MHz, Memory: 256 MB, Disk space: 200 MB 
  • Windows XP Home or Professional (32-Bit), Service Pack 2 or higher, CPU: 300 MHz, Memory: 256 MB, Disk space: 200 MB

New Tax Scams

Phishers have gotten pretty sophisticated in their ability to create convincingly authoritative-looking web sites and email communications and lookout for phony emails warning you that your tax credit, tax refund, or other tax-related treat is in dire peril unless you go to a web site and divulge all your personal information. If you're ever tempted to respond to such an email, just remember that the IRS does not send out tax-related communications by email. Here's a new phishing scam to look out for—and a good way to recognize any phishing email.


A recent scam targets taxpayers who use the Electronic Federal Tax Payment System, or EFTPS, to make federal tax payments online. It follows a known format which tell victims that a payment can't or won't be processed until they provide additional information about themselves, please don't respond to those mails. EFTPS won't send any such information in the middle if you have already started paying them. It needs details in the beginning but not in any time after you have already started paying the tax. However, many scammers reside overseas and still haven't mastered English.Their misspellings, Poor grammar, or strange phrases are usually a means for a scam.

Many Anti-Virus companies warned users of a spam campaign that targeted U.S. taxpayers with Foreign Bank and Financial accounts. The spammed message includes the subject, "Notice of Under reported Income," and lures users to click the link that supposedly contains the tax statement. Users who click the URL are re-directed to a site where they get infected by various ZBOT variants, notorious for stealing information.

Please be careful and make your money safe and help governments to safegaurd you from those fraudsters and spammers stealing your money, attacking your computers and stealing your personal information.

Summary:
  • You will get an email from a look alike site of Electronic Federal tax Payment System stating that there is some information you need to fill to pay the tax. 
  • Don't click on those links, they will bring severe threats on to your computer that will steal your personal information and many things that you won't even expect.



<!--fad9b86e6c234aaf905f232cfd7e289c-->

January 15, 2011

Back Door

A backdoor in a compurwe system is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program or may subvert the system through a rootkit.


WHAT IS BACKDOOR?
A backdoor is a malicious computer program or particular means that provide the attacker with unauthorized remote access to a compromised system exploiting vulnerabilities of installed software and bypassing normal authentication. A backdoor works in background and hides from the user. It is very similar to a virus and therefore is quite difficult to detect and completely disable. A backdoor is one of the most dangerous parasite types, as it allows a malicious person to perform any possible actions on a compromised computer. The attacker can use a backdoor to spy on a user, manage files, install additional software or dangerous threats, control the entire system including any present applications or hardware devices, shutdown or reboot a computer or attack other hosts. Often a backdoor has additional harmful capabilities like keystroke logging, screenshot capture, file infection, even total system destruction or other payload. Such parasite is a combination of different privacy and security threats, which works on its own and doesn’t require to be controlled at all.

Most backdoors are autonomic malicious programs that must be somehow installed to a computer. Some parasites do not require the installation, as their parts are already integrated into particular software running on a remote host. Programmers sometimes left such backdoors in their software for diagnostics and troubleshooting purposes. Hackers often discover these undocumented features and use them to break into the system.

Generally speaking, backdoors are specific trojans, viruses, keyloggers, spyware and remote administration tools. They work in the same manner as mentioned viral applications do. However, their functions and payload are much more complex and dangerous, so they are grouped into one special category.



WAYS OF INFECTION
Only few backdoors are able to propagate themselves and infect the system without user knowledge. Most parasites must be manually installed as any other software with or without user consent. There are four major ways unsolicited threats can get into the system.

1. Typical backdoors can be accidentally installed by incautious and unaware users. Some backdoors come attached to e-mail messages or are downloaded from the Internet using filesharing programs. Their authors give them unsuspicious names and trick users into opening or executing such files.
2. Backdoors often are installed by other parasites like viruses, trojans or even spyware. They get into the system without user knowledge and consent and affect everybody who uses a compromised computer. Some threats can be manually installed by malicious local users who have sufficient privileges for the software installation. Few backdoors are able to spread by exploiting remote systems with certain security vulnerabilities.
3. Several backdoors are already integrated into particular applications. Even legitimate programs may have undocumented remote access features. The attacker needs to contact a computer with such software installed in order to instantly get full unauthorized access to the system or take over control over certain software.
4. Some backdoors infect a computer by exploiting certain software vulnerabilities. They work similarly to worms and automatically spread without user knowledge. The user cannot notice anything suspicious, as such threats do not display any setup wizards, dialogs or warnings.

Widely spread backdoors affect mostly computers running Microsoft Windows operating system. However, lots of less prevalent parasites are designed to work under different environments

WHAT A BACKDOOR DOES?
- Allows the intruder to create, delete, rename, copy or edit any file, execute various commands, change any system settings, alter the Windows registry, run, control and terminate applications, install arbitrary software and parasites.
- Allows the attacker to control computer hardware devices, modify related settings, shutdown or restart a computer without asking for user permission.
- Steals sensitive personal information, valuable documents, passwords, login names, identity details, logs user activity and tracks web browsing habits.
- Records keystrokes a user types on a computer’s keyboard and captures screenshots.
- Sends all gathered data to a predefined e-mail address, uploads it to a predetermined FTP server or transfers it through a background Internet connection to a remote host.
- Infects files, corrupts installed applications and damages the entire system.
- Distributes infected files to remote computers with certain security vulnerabilities, performs attacks against hacker defined remote hosts.
- Installs hidden FTP server that can be used by malicious persons for various illegal purposes.
- Degrades Internet connection speed and overall system performance, decreases system security and causes software instability. Some parasites are badly programmed, they waste too much computer resources and conflict with installed applications.
- Provides no uninstall feature, hides processes, files and other objects in order to complicate its removal as much as possible.


EXAMPLES OF BACKDOORS
There are lots of different backdoors. The following examples illustrate how functional and extremely dangerous these parasites can be.

Litebot is a backdoor that allows the remote attacker to download and execute arbitrary files from the Internet. The parasite decreases overall system security by changing default Windows firewall settings. Litebot main files have random names, so it is quite difficult to detect and get rid of. The backdoor automatically runs on every Windows startup.

Remote connection, also known as RedNeck, is a dangerous backdoor that gives the intruder full access to a compromised system. The parasite can shutdown or restart a computer, manage files, record user keystrokes, install and run various programs, take screenshots and perform other malicious actions.

Tixanbot is an extremely dangerous backdoor that gives the remote attacker full unauthorized access to a compromised computer. The intruder can manage the entire system and files, download and install arbitrary applications, update the backdoor, change Internet Explorer default home page, attack remote hosts and obtain system information. Tixanbot terminates running essential system services and security-related processes, closes active spyware removers and deletes registry entries related with firewalls, antivirus and anti-spyware software in order to prevent them from running on Windows startup. The parasite also blocks access to reputable security-related web resources. Tixanbot can spread. It sends messages with certain links to all MSN contacts. Clicking on such a link downloads and installs the backdoor.

Resoil FTP is a backdoor that gives the hacker remote unauthorized access to an infected computer. This parasite runs a hidden FTP server, which can be used to download, upload and run malicious software. Resoil FTP activity may result in noticeable computer performance loss and user privacy violation.

CONSEQUENCES OF A BACKDOOR INFECTION
A backdoor allows the attacker to work with an infected computer as with its own PC and use it for various malicious purposes or even criminal offences. The responsibility for such activity is usually assumed by guiltless users on which systems backdoors were installed, as in most cases it is really hard to find out who was controlling a parasite.

Practically all backdoors are very difficult to detect. They can violate user privacy for months and even years until the user will notice them. The malicious person can use a backdoor to find out everything about the user, obtain and disclose priceless information like user’s passwords, login names, credit card numbers, exact bank account details, valuable personal documents, contacts, interests, web browsing habits and much more.

Backdoors can be used for destructive purposes. If the hacker was unable to obtain any valuable and useful information from an infected computer or have already stole it, he eventually may destroy the entire system in order to wipe out his tracks. This means that all hard disks would be formatted and all the files on them would be unrecoverably erased.

HOW TO REMOVE A BACKDOOR?
Backdoors work in the same manner as the computer viruses and therefore can be found and removed with the help of effective antivirus products like Symantec Norton AntiVirus, Kaspersky Anti-Virus, McAfee VirusScan, eTrust EZ Antivirus, Panda Titanium Antivirus, AVG Anti-Virus. Some advanced spyware removers, which are able to scan the system in a similar way antivirus software does and have extensive parasite signature databases can also detect and remove certain backdoors and related components. Powerful anti-spyware solutions such as Spyware Doctor and Microsoft AntiSpyware Betaare known for quite fair backdoor detection and removal capabilities.

In some cases even an antivirus or spyware remover can fail to get rid of a particular backdoor. That is why there are Internet resources such as 2-Spyware.com, which provide manual malware removal instructions. These instructions allow the user to manually delete all the files, directories, registry entries and other objects that belong to a parasite. However, manual removal requires fair system knowledge and therefore can be a quite difficult and tedious task for novices.

AV Security Suite Removal

AV Security Suite is fake anti-spyware program which imitates a legitimate antimalware application and belongs to the notorious Antivirus Live family of rogue malware. It acts in the same manner as its predecessors, Antivirus Soft and Antispyware Soft, by trying to convince users to buy a license for the software. AV Security Suite enters a user’s computer via Trojans that arrive at the user’s system via infected PDF files. Once it has been installed on the user’s system, AV Security Suite starts performing fake system scans at regular intervals, returning results that claim that the user’s system is under serious threat. It also creates a number of harmless files that it later detects as dangerous viruses. AV Security Suite uses a Windows-style GUI and pop-ups generated from the Windows taskbar to convince users that this is the real thing. Then it claims that the currently installed ‘trial’ version is inadequate to remove the previously detected false ‘threats and urges the user the pay for the ‘full’ version of the software. However, the ‘full’ version is no more capable of cleaning a user’s system than the ‘trial’ version; therefore no user should ever purchase the false license to this rogue software.

January 14, 2011

WORM_CORONEX.A

This is a worm that comes as an email with an attachment with a names sars.exe, Virus.exe, Corona.exe, death.exe, CV.exe from the emails sars2@hotmail.com, corona@hotmail.com.It is a very dangerous and spreads very fast when executed and slows down the PC.

Effects:
It does the following things when executed:
  • Changes the home page to http://www.who.int/csr/don/2003_04_19/en/ 
  • Drops its file CORONA.exe in windows folder 
  • Adds itself to the registry key HKLM\Software\Microsoft\Windows\Current Version\Run "PC-Config32" = "C:\corona.exe -A" 
  • Drops a file in C:\My Download or in the current directory where it is executed.
  • The corrupted file is filled with useless data that occupies unwanted space on the hard disk which goes up to Certain GB's.
It drops itself as any of the following

  • Age Of Mythology.exe
  • Battlefield 1942 (full).exe
  • Black Hawk Down (full).exe
  • Doom 3.exe
  • Grand Theft Auto 3 (full).exe
  • Medel Of Honor: Allied Assault.exe
  • Quake 3 Full Version.exe
  • Rainbow 6 Full.exe
  • Return to Castle Wolfenstien (Full).exe
  • Starcraft full.exe
  • The Lord of the Rings.exe
  • The Sims: Unleashed.exe
  • Unreal 2: The Awakening (full).exe
  • Warcraft III Full.exe 
  •  It checks this registry key to obtain list of addresses HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name 
  • Initiates its own SMTP engine to send emails with any of the names Corona.exe, hongkong.exe, Virus.exe, Sars.exe, Deaths.exe from senders virus2@china.com
  • It also modifies the home page as http://www.who.int/csr/don/2003_04_19/en/ which is a site on SARS 

Manual Removal of Security Tool

Security tool which is a rogue anti-virus program that automatically scans the computer and will show fake security alerts, and induces users in to purchasing a fake anti-virus. It will disable all the windows legitimate programs and shows them as infected which actually are not.

Removal Instructions:

  • The first and foremost thing we need to do is go to safe mode with networking.
  • Kill the processes that are running in the background using MS-config or download Rkill.exe from the site www.bleepingcomputer.com or Process explorer.exe and run it. It will kill all the processes. Don't restart the computer.
  • Open Run and type  %user profile%\desktop which will open desktop and click on Iexplore.exe
  • Download the Malware Bytes and rename it as Explorer.exe while saving  which is safe and does not give any code 2 error while execution as Security tool thinks it as a Windows Process.
  • Run the tool and perform a full system scan on it. It will complete and show results like this.
Malware bytes displaying the results of Security Tool
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. In order to protect itself, Security Tool changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the file hosts-perm.bat file and save it to your desktop.When the file has finished downloading, double-click on the hosts-perm.bat file and click Ok. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder and delete the Explorer.exe program from your desktop.

Security Tool

This is a very frustrating Fake Anti-virus program that keeps on showing you fake threats on the computer and asks to purhcase. Security tool is a rogue anti-spyware program from the same family as System Security which is promoted through the use of Trojans and web pop-ups.

Related Posts Plugin for WordPress, Blogger...

Search This Blog

Followers

Categories

Twitter Delicious Facebook Digg Stumbleupon Favorites More