July 28, 2007

SALITY - Virus

One day I was invited to disinfect a virus-infected computer. I checked certain places on that infected system and guessed that it might be the Brontok worm, because it didn't have "Folder Options" under the Tools menu, the registry editor was disabled, and a few more signs. But I was shocked when I found only the Sality virus there. I tried my level best and saved its data. But I advised them to format and reinstall Windows XP due to the slow processing speed and a few more problems that I faced badly. As per my knowledge the Sality virus acts as a keylogger, so I thought it might be a modified Sality virus there.

Sality: It infects Windows operating systems. When executed it performs the following actions. It may drop a .dll file in C:\Windows\System32 or C:\Windows\Temp; the following are some examples of the filenames:

    • SYSLIB32.DLL
    • OLEDSP32.DLL
    • SYSDLL.DLL
    • OLEMDB32.DLL
  1. Creates the mutex named "KUKU300a" so that only one instance of the threat runs on the compromised computer.
  2. May infect executable files registered in the following registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Any files infected with this virus will be detected as W32.HLLP.Sality!inf.
  3. Checks the current time and may activate its payload if minutes are equal to hours and if the date is May 1st or the 10th to 12th of any month.
  4. May then activate the payload, and display a message box with the following characteristics:

    Title: Win32.HLLP.Kuku v[VERSION_NUMBER]
    Body:
    <<<<>>>>
    'Copy[REMOVED]tor'
  5. May add its configuration data to the file C:\Windows\System.ini by appending some of the following lines to this file:

    [TFTempCache]
    id=[RANDOM_NUMBER]
    RtlMoveMeory=[RANDOM_NUMBER]
    PING=[NUMBER]
    TIME=[TIME]
  6. May test connectivity by attempting to contact the following host:

    www.microsoft.com
  7. Uses keylogging capabilities to gather the following information from the compromised computer:
    • IP address, host name, and user names
    • Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
    • RAS dialup accounts
    • Net Share passwords
    • Startup programs
    • WebMoney files
  8. Temporarily stores any information it gathers in the following encrypted file:

    %System%\TFTempCache
  9. May send this information to several email addresses located in Russia using the following SMTP server over TCP port 25:

    msx.mail.ru

    This email has the following characteristics:
    From: CyberMazafaka@mailru.com
    To: sector2007@list.ru, bespontovik@list.ru
    Subject: Administrator
    Attachment:
    • readme.tjc
    • TFTempCache.tjc
  10. Contains references to the following IRC server:

    rinet.msk.wenet.ru

    Note: At the time of writing, code to utilize this server is not implemented.
  11. Allows a remote attacker to perform various unauthorized actions on the compromised computer.
  12. May infect executable files by prepending its code to the host file. However, not all the variants of this virus are able to spread in this way. Any infected files will be detected as W32.HLLP.Sality!inf.
  13. May delete the files which have the following extensions when searching for files to infect:
    • .vdb
    • .avc
    • .key
  14. May also delete those file names which begin with the following strings:
    • KAV
    • NOD
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • AVP
    • TOTAL
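
The write-up above is a list of indicators; the following is an added example (not code from the original page or from any antivirus vendor) that turns the items a responder can check offline into code: the payload time rule from item 3, the file-deletion rule from items 13-14, the [TFTempCache] section from item 5 and the dropped file names. The sample system.ini and directory listing are constructed here, not captured from a real infection.

```python
# Added example (not from the original page): a small checker for the Sality
# indicators listed above. Inputs are constructed here, not taken from a real
# infection; the file names, prefixes and time rule are those in the write-up.

DROPPED_DLLS = {"SYSLIB32.DLL", "OLEDSP32.DLL", "SYSDLL.DLL", "OLEMDB32.DLL"}
CACHE_FILE = "TFTEMPCACHE"                      # %System%\TFTempCache (item 8)
AV_EXTENSIONS = (".VDB", ".AVC", ".KEY")        # item 13
AV_PREFIXES = ("KAV", "NOD", "ANTI", "SCAN", "ZONE", "ANDA", "TROJ",
               "TREN", "ALER", "CLEAN", "OUTP", "GUAR", "AVP", "TOTAL")  # item 14


def payload_window(month, day, hour, minute):
    """Item 3: the payload may fire when minutes equal hours and the date is
    1 May or the 10th-12th of any month (local time fields as integers)."""
    date_ok = (month == 5 and day == 1) or 10 <= day <= 12
    return minute == hour and date_ok


def is_av_deletion_target(path):
    """Items 13-14: would the virus delete this file while looking for files
    to infect? Matches on the final path component, case-insensitively."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    return name.endswith(AV_EXTENSIONS) or name.startswith(AV_PREFIXES)


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def sality_indicators(system_ini_text, system_dir_listing):
    """Return a list of human-readable indicator hits (empty = nothing found)."""
    hits = []
    cfg = parse_ini(system_ini_text)
    if "TFTempCache" in cfg:                     # item 5
        hits.append(f"system.ini: [TFTempCache] section with keys {sorted(cfg['TFTempCache'])}")
    for name in system_dir_listing:              # dropped DLLs and the cache file
        if name.upper() in DROPPED_DLLS or name.upper() == CACHE_FILE:
            hits.append(f"%System%: suspicious file {name}")
    return hits


# Constructed sample data for a stand-alone run (not real system files).
SAMPLE_SYSTEM_INI = """; constructed sample, not a real system.ini
[boot]
shell=explorer.exe
[TFTempCache]
id=1234567
PING=3
TIME=12:00
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "SYSLIB32.DLL", "TFTempCache", "user32.dll"]

if __name__ == "__main__":
    for hit in sality_indicators(SAMPLE_SYSTEM_INI, SAMPLE_SYSTEM32):
        print("HIT:", hit)
    print("payload window at 1 May 03:03:", payload_window(5, 1, 3, 3))
```

The prefix rule is worth running against your own tool directory before you copy cleanup utilities onto an infected machine: anything named KAV..., NOD..., Anti..., Scan..., Clean... and so on is exactly what the virus deletes, so rename such tools first.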

Countermeasures:

  • Patch your operating system with the latest updates on a regular basis.
  • Turn off and remove unneeded services on your server/systems.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • Use an up-to-date antivirus product with current signatures. Note that Sality deletes files and folders whose names begin with the prefixes listed above, so a scanner that was already installed on an infected machine may itself have been crippled; scan from clean media or a rescue disk instead.
  • Always keep in touch with your employees and make them aware of newly arrived viruses/worms and malicious activity on a regular basis.

July 26, 2007

Block Specific Website (Win XP)

Your friend often visits you and uses your computer to access some websites that you don't like, but you cannot say NO to him/her. The trick below blocks specific websites so that nobody can access them from your own computer.

Step:1
Go to Start, open the Run command, type the following path and open the "hosts" file in Notepad (the file has no extension, and on XP you need administrator rights to save it):
  • C:\Windows\System32\drivers\etc\hosts

Now go to the bottom of the "hosts" file and, directly below the existing line "127.0.0.1"<-space->"localhost", add "127.0.0.1"<-one or more spaces->"SiteName". Then save it. (See the above image, where I typed "127.0.0.1" "ajansu.blogspot.com".)

Step:2
Go to Start, open the Run command and type "services.msc"; you will get the following Services (Local) window.


Then find "DNS Client" in the right pane. Right-click "DNS Client" and open Properties. You will get the DNS Client properties window exactly like the following.


Then go to the General tab, set Startup Type to Disabled and click Apply. Now refresh your computer (maybe you need to restart it). This step is optional: the DNS Client service caches hosts entries and picks the file up again when it changes, so running "ipconfig /flushdns" from a command prompt is usually enough, and leaving the service running keeps normal DNS caching working.

Step:3
Now open your Internet browser and type the URL which you just entered at the bottom of the "hosts" file into the address bar. Amazing!! It's blocked!!

Strictly speaking this is not DNS spoofing: the hosts file is consulted before any DNS query is sent, so the browser is simply handed the loopback address instead of the site's real address. Malware uses the same file the other way round, to stop victims reaching antivirus update sites, which is why the file is worth checking on an infected machine. Keep its limits in mind: each host name must be listed separately (an entry for example.com does not cover www.example.com), the site is still reachable by its IP address or through a proxy, and anyone with administrator rights can edit the file back.
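
The procedure above, as an added example that is not part of the original post: a small manager for hosts-file block entries that parses the file the way the resolver does, adds a loopback entry without duplicating it, removes it again, and shows what the resolver would answer. It works on a constructed copy of the file; the real one on XP is C:\Windows\System32\drivers\etc\hosts and needs administrator rights to write.

```python
# Added example (not part of the original post): managing hosts-file block
# entries the way the steps above do, on a constructed copy of the file.

BLOCK_ADDR = "127.0.0.1"   # the post points blocked names at loopback

SAMPLE_HOSTS = """# constructed sample of a fresh Windows XP hosts file
127.0.0.1       localhost
"""


def parse_hosts(text):
    """Yield (address, [names], raw_line); comment/blank lines give (None, [], raw)."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()     # strip trailing comments
        if body:
            yield body[0], body[1:], raw
        else:
            yield None, [], raw


def resolve_local(text, hostname):
    """The address the resolver takes from the hosts file, or None if absent.
    Only exact names match: an entry for example.com says nothing about
    www.example.com, which is the main gap of this blocking technique."""
    wanted = hostname.lower()
    for addr, names, _ in parse_hosts(text):
        if addr and wanted in [n.lower() for n in names]:
            return addr      # first match wins, as in the real resolver
    return None


def block_site(text, hostname):
    """Return the hosts text with hostname pointed at BLOCK_ADDR (idempotent)."""
    if resolve_local(text, hostname) == BLOCK_ADDR:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}{BLOCK_ADDR}\t{hostname}\n"


def unblock_site(text, hostname):
    """Drop hostname from any BLOCK_ADDR entry, keeping other names on the line."""
    out = []
    for addr, names, raw in parse_hosts(text):
        if addr == BLOCK_ADDR and hostname.lower() in [n.lower() for n in names]:
            rest = [n for n in names if n.lower() != hostname.lower()]
            if rest:
                out.append(f"{addr}\t{' '.join(rest)}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    blocked = block_site(SAMPLE_HOSTS, "ajansu.blogspot.com")
    print(blocked)
    print("ajansu.blogspot.com ->", resolve_local(blocked, "ajansu.blogspot.com"))
    print("www.ajansu.blogspot.com ->", resolve_local(blocked, "www.ajansu.blogspot.com"))
```

Running it shows the subdomain gap directly: after blocking ajansu.blogspot.com, www.ajansu.blogspot.com still resolves normally, so every name the site answers on needs its own line.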

July 25, 2007

Write Protected Pen Drive(Win XP)

Sometimes someone comes to you and asks to exchange data via a pen drive. You really cannot easily say NO to him/her, even though the pen drive may be virus-infected. With the following trick you can disable writing to pen drives easily, and you don't need to say NO to any of them.

Open the Registry Editor and create a "WriteProtect" DWORD value under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

... then set the "WriteProtect" value to 1 (hex) to disable writing to pen drives and 0 (hex) to enable it. The setting applies to all USB storage devices on this computer (it is available from Windows XP SP2 onwards); a drive that was already plugged in may need to be removed and reinserted before the change takes effect. Note what it does and does not protect: it stops this computer from writing to the drive, so the drive cannot be infected from here, but it does not stop the computer from running an autorun.inf or opening infected files on the drive, so disable AutoPlay and scan the drive as well.

Remember, if there is no "StorageDevicePolicies" key, just right-click the "Control" key and add it.

OR

Simply copy-paste the following text, save it with a .reg extension, then run/merge it.
  • For Disable Pen Drive Writing
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

  • For Enable Pen Drive Writing
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000


See the following error message, shown when writing to the pen drive is blocked:



July 23, 2007

Hide Specific Drives in Windows

Do you want to play a trick and have fun with your friends? Then hide/disable specific drives in the My Computer folder and fool your friends.

Just open the Registry Editor and create a "NoDrives" DWORD value under the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Then set the decimal value of the "NoDrives" value you just added as per the following chart to hide the drives. The value is a bitmask with one bit per drive letter: A = 1, B = 2, C = 4, D = 8, E = 16, and so on, doubling each time up to Z = 33554432; add up the numbers of the drives you want to hide (for example D and E together give 24, and 67108863 hides all drives). To show them again, set the decimal value to 0 (zero). Remember, don't forget to restart your machine (or at least log off and on again) after any of the above registry edits. Note that this only hides the drive letters from Explorer; the drives can still be opened by typing their path into Run or a command prompt, so it is a cosmetic trick rather than an access control.
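
The chart above is a bit table; the following is an added example (not part of the original post) that computes the NoDrives value for any set of drive letters, decodes a value back into the letters it hides, and emits the matching .reg text in the same format the other posts on this page use. The hive and key path are the ones given above.

```python
# Added example (not from the original post): computing the NoDrives bitmask
# that the chart above tabulates, and emitting the matching .reg text.
import string

LETTERS = string.ascii_uppercase   # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:


def nodrives_mask(letters):
    """Decimal NoDrives value hiding the given drive letters ('DE', 'c:', ...)."""
    mask = 0
    for ch in letters.upper():
        if ch in LETTERS:                      # ignore ':' and other noise
            mask |= 1 << LETTERS.index(ch)
    return mask


def hidden_letters(mask):
    """Inverse: which drive letters a NoDrives value hides."""
    return [ch for i, ch in enumerate(LETTERS) if (mask >> i) & 1]


def nodrives_reg(letters, hive="HKEY_CURRENT_USER"):
    """Text of a .reg file in the page's format; pass '' to show all drives again."""
    value = nodrives_mask(letters)
    key = f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        f'"NoDrives"=dword:{value:08x}\r\n'    # regedit wants the DWORD in hex
    )


if __name__ == "__main__":
    print("D: and E: ->", nodrives_mask("DE"))          # 24
    print("all drives ->", nodrives_mask(LETTERS))     # 67108863
    print(nodrives_reg("DE"))
```

Decoding is the direction you need when you find a NoDrives value you did not set: hidden_letters(...) tells you immediately which drives a policy (or a prank) is hiding.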



Common Control Panel Applets in Windows

  • access.cpl - Accessibility Applet
  • appwiz.cpl - Add/Remove Programs Applet
  • console.cpl - Console Applet
  • timedate.cpl - Date and Time Applet
  • desk.cpl - Display Applet
  • fax.cpl - Fax Applet
  • hdwwiz.cpl - Hardware Wizard Applet
  • irprops.cpl - Infrared Port Applet
  • intl.cpl - International and Regional Applet
  • inetcpl.cpl - Internet Settings Applet
  • joy.cpl - Joystick Applet
  • liccpa.cpl - Licensing Applet
  • main.cpl - Mouse and Keyboard Applet
  • mlcfg32.cpl - Mail Applet
  • mmsys.cpl - Sound and Multimedia Applet
  • modem.cpl - Modem and Phone Applet
  • ncpa.cpl - Network and connectivity Applet
  • netcpl.cpl - Network and Dial-up Connectivity Applet
  • nwc.cpl - Netware Client Applet
  • odbccp32.cpl - ODBC Applet
  • devapps.cpl - PC Card Applet
  • ports.cpl - Ports Applet
  • powercfg.cpl - Power Management Applet
  • srvmgr.cpl - Server Manager Applet
  • sapi.cpl - Speech Properties Applet
  • sysdm.cpl - System Applet
  • telephon.cpl - Telephony Applet
  • nusrmgr.cpl - User Manager Applet

July 22, 2007

Enable Properties from MyComputer(Win XP)


Maybe the System Administrator disabled Properties on the right-click menu of the My Computer icon for security reasons.

You can enable Properties on the My Computer right-click menu with a few simple steps. Just open the Registry Editor, find the "NoPropertiesMyComputer" DWORD value under the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" and set its value to 0 (zero) to enable it. And yes, you can disable it again by setting "NoPropertiesMyComputer" to 1 (one). The same value under HKEY_LOCAL_MACHINE applies to every user of the machine, so check both places if the HKCU change has no effect.

OR

Just copy-paste the following text into Notepad, save it with a .reg extension and simply run it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoPropertiesMyComputer"=dword:00000000





July 17, 2007

Windows Task Manager


Task Manager displays information about the performance of your computer and the programs and processes that are running on your computer. You can use Task Manager to start programs, to start or to end processes, and to view a dynamic display of your computer's performance. To start Task Manager, do any of the following:

  • Press CTRL+ALT+DELETE
  • Press CTRL+SHIFT+ESC
  • Right-click an empty area of the taskbar, and then click Task Manager
Sometimes the System Administrator may disable Task Manager for security reasons, and some recently modified viruses like Brontok also disable it, so you cannot kill unwanted processes started by the installed virus.

You can enable Task Manager with a few simple steps. Just open the Registry Editor, find the "DisableTaskMgr" DWORD value under the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" and set its value to 0 (zero) to enable it (or delete the value; the same value under HKEY_LOCAL_MACHINE disables Task Manager for every user, so check there too). If the virus is still running it may keep setting the value back, so stop it first or boot into Safe Mode.



July 16, 2007

Folder Options - Enable/Disable (Win XP)

There are a few reasons why you don't get "Folder Options" under the Tools menu in Windows XP. Maybe your System Administrator hid it using a policy, or a virus removed it (Brontok, mentioned above, does exactly this so that its hidden files stay out of sight).
You can enable it with the following steps.

(A) With the help of the Registry Editor: open the Registry Editor and find the value named "NoFolderOptions" under the following registry keys:

(1) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

... then set "NoFolderOptions" to 0 (zero) to enable "Folder Options" under the Tools menu, or to 1 (one) to disable it.

(B) With the help of a registry merge: type or copy-paste the following text into Notepad, save it with a .reg extension and simply run it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000


(C) With the help of Group Policy: you can enable Folder Options through the Group Policy editor (gpedit.msc is included in Windows XP Professional, not in Home Edition). These are the steps:
  1. go to the Run command and type "gpedit.msc"
  2. you will get the "Group Policy" window with a left and a right pane
  3. expand "Administrative Templates" under "User Configuration" in the left pane
  4. then expand "Windows Components" in the left pane
  5. then click on "Windows Explorer" in the left pane
  6. then double-click "Removes the Folder Options menu item from the Tools menu" in the right pane to open its properties
  7. then choose the setting: Enabled removes "Folder Options" from the Tools menu; Disabled or Not Configured restores it


Note: Please restart your computer if it needs.

July 09, 2007

IP Address

Just like a telephone/cell number, every machine on the Internet has a unique number, called an IP address. In other terms it is a 32-bit number, written as four decimal numbers from 0 to 255 separated by dots, for example 192.168.103.78 (an octet can never exceed 255, so something like 192.168.103.378 is not a valid address).
Dynamic IP address: it changes every time you connect to the Internet, as with dial-up/ISP connections using PPP (Point to Point Protocol).
Static IP address: a permanent IP address; it remains the same every time.

IP addresses are normally expressed in decimal format, called dotted decimal notation.
The four numbers in an IP address are called octets. Each has eight positions when viewed in binary form, so each octet can have any value from 0 to 255. The address is split into two sections: NET and HOST (NODE). In the classful scheme below the net section is the first octet for class A, the first two octets for class B and the first three for class C; the remaining octets are the host part. (Today the split is given by a subnet mask or prefix length, e.g. 192.168.1.0/24, rather than by the class.)
Class A: first octet 1 to 126, for very large networks/big international companies. IP address range from 1.0.0.0 to 126.255.255.255.
Loopback: the whole range 127.0.0.0 to 127.255.255.255, most commonly 127.0.0.1, is the loopback address. It is used by the host computer to send a message back to itself and is commonly used for troubleshooting and network testing (and, as in the hosts-file trick above, as a black hole for names you want to block).
Class B: first octet 128 to 191, for medium-sized networks like universities/colleges. IP address range from 128.0.0.0 to 191.255.255.255.
Class C: first octet 192 to 223, for small networks. IP address range from 192.0.0.0 to 223.255.255.255.
Class D: reserved for multicast. IP address range from 224.0.0.0 to 239.255.255.255.
Class E: also reserved, for experimental use. IP address range from 240.0.0.0 to 255.255.255.254 (255.255.255.255 is the limited broadcast address).

Private IP ranges (not routed on the public Internet; used inside LANs, usually behind NAT):
  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Default Network: the IP address 0.0.0.0 is used for the default network (for example as the destination of the default route).
Broadcast: messages intended for all computers on a network are sent as broadcasts. The limited broadcast address 255.255.255.255 reaches every host on the local link; each network also has a directed broadcast address, the last address of the network (for example 192.168.1.255 for 192.168.1.0/24).
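
The classification above, as an added example that is not part of the original post: a function that validates a dotted-decimal address (rejecting octets over 255), assigns it to class A-E with the corrected ranges, flags loopback, multicast, private and broadcast addresses, and derives the classful network and directed broadcast addresses. Parsing is done by Python's standard ipaddress module; the class boundaries are hard-coded from the table above.

```python
# Added example (not part of the original post): classify an IPv4 address the
# classful way described above, using the corrected ranges.
import ipaddress

PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(text):
    """Return a dict describing the address, or {'valid': False, ...} for junk
    such as 192.168.103.378 (an octet above 255)."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError as exc:
        return {"valid": False, "reason": str(exc)}

    first = int(addr) >> 24                        # value of the first octet
    info = {"valid": True, "address": str(addr),
            "private": any(addr in block for block in PRIVATE_BLOCKS)}

    if addr == ipaddress.IPv4Address("255.255.255.255"):
        info.update(cls="E", special="limited broadcast")
    elif first == 0:
        info.update(cls="A", special="default network / this host")
    elif first == 127:
        info.update(cls="A", special="loopback")
    elif first < 128:
        info.update(cls="A", network_bits=8)      # net = first octet
    elif first < 192:
        info.update(cls="B", network_bits=16)     # net = first two octets
    elif first < 224:
        info.update(cls="C", network_bits=24)     # net = first three octets
    elif first < 240:
        info.update(cls="D", special="multicast")
    else:
        info.update(cls="E", special="reserved")

    bits = info.get("network_bits")
    if bits:
        # Classful network and its directed broadcast (last address in it).
        net = ipaddress.IPv4Network(f"{addr}/{bits}", strict=False)
        info["network"] = str(net.network_address)
        info["directed_broadcast"] = str(net.broadcast_address)
        info["host_bits"] = 32 - bits
    return info


if __name__ == "__main__":
    for sample in ("192.168.103.378", "10.1.2.3", "172.20.5.6", "172.32.0.1",
                   "200.1.2.3", "127.0.0.1", "224.0.0.1", "255.255.255.255"):
        print(sample, "->", classify(sample))
```

The 172.32.0.1 case is the one people get wrong most often: only 172.16.0.0 through 172.31.255.255 is private, so 172.32.x.x is a public class B address.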

Registry Enable-Disable (Win XP)


The Registry is the core of the operating system: a hierarchical database that contains all the information about the computer's configuration. You can open the Registry Editor from Start->Run by typing "regedit" without quotation marks. There is a huge amount of functionality hidden inside it; if you understand it and start playing with it, you can do a lot of tricks and tweaks on the computer. BEWARE!! It is dangerous, because a small mistake can crash your operating system, so be careful while playing with it. That is why System Administrators sometimes disable and hide it. And yes, some modified viruses/worms also disable it, so that you will not find and remove them manually. You can easily enable/disable it with the following steps:

Disable Registry:
Type the following text in Notepad or copy-paste it, save it with a .reg extension, then run/merge it. It will disable the Registry Editor.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

Enable Registry:
Type the following text in Notepad or copy-paste it, save it with a .reg extension, then run/merge it. It will enable the Registry Editor.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Caveat: merging a .reg file goes through regedit.exe, which is exactly what this policy blocks, so the "Enable" file may be refused with "Registry editing has been disabled by your administrator". In that case use the reg.exe command-line tool, which is not affected by the policy (reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f), or Group Policy (gpedit.msc, User Configuration > Administrative Templates > System > "Prevent access to registry editing tools"). Check the same value under HKEY_LOCAL_MACHINE as well, and remember that a virus that is still running may set it back the moment you clear it.


If the above trick does not work then don't worry, just email me. I will send one more trick and I am sure it will work.


July 08, 2007

NTFS v/s FAT

FAT (File Allocation Table) is a file system that was developed for MS-DOS and is used in various versions of Microsoft Windows. The FAT file system is considered relatively uncomplicated and because of that it is a popular format for removable storage like floppy disks and pen drives. It is supported by virtually all existing operating systems. The figures below are for FAT32:
  • Maximum Volume Size: 2 TB (Windows itself will only format FAT32 volumes up to 32 GB)
  • Maximum Files on Volume: about 268 million, bounded by the number of clusters; a single directory holds at most 65,534 entries
  • Maximum File Size: 4 GB minus 1 byte
  • Maximum Cluster Numbers: 268,435,456 (2^28)
  • Maximum File Name: up to 255 characters
NTFS (New Technology File System) is a high-performance, self-healing (journaling) file system. It is supported by Windows NT, Windows 2000 and Windows XP. It supports file-level security (access control lists), compression and auditing. It also supports large volumes and powerful storage solutions such as RAID. The most important NTFS feature for protecting sensitive data is the ability to encrypt files and folders (EFS, available on Windows XP Professional but not Home Edition). Keep in mind that file-level permissions only restrict accounts that are not Administrators: on a typical XP machine where everyone logs on as Administrator, they do not stop a virus the user runs, and FAT has no permissions at all.
  • Maximum Volume Size: 256 TB with 64 KB clusters (the 2 TB figure is the limit of MBR partitioning, not of NTFS)
  • Maximum Files on Volume: 4,294,967,295 (2^32 - 1)
  • Maximum File Size: limited only by the volume size (16 TB in the Windows XP implementation)
  • Maximum Cluster Numbers: 4,294,967,295 (2^32 - 1) in the implementation
  • Maximum File Name: up to 255 characters

July 07, 2007

FUJACKS-Virus

Fujacks creates the following files in the root of all drives (the autorun.inf launches setup.exe whenever the drive is opened with AutoPlay enabled):

* autorun.inf
* setup.exe

Creates Desktop_.ini in all folders.

Adds the following value to the registry so that it starts automatically when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"

Terminates processes whose window titles or names contain the following strings:

* VirusScan
* NOD32
* Symantec AntiVirus
* Duba
* esteem procs
* System Safety Monitor
* Wrapped gift Killer
* Winsock Expert
* msctls_statusbar32
* pjf(ustc)
* IceSword

Terminates the following processes:

* Mcshield.exe
* VsTskMgr.exe
* naPrdMgr.exe
* UpdaterUI.exe
* TBMon.exe
* scan32.exe
* Ravmond.exe
* CCenter.exe
* RavTask.exe
* Rav.exe
* Ravmon.exe
* RavmonD.exe
* RavStub.exe
* KVXP.kxp
* KvMonXP.kxp
* KVCenter.kxp
* KVSrvXP.exe
* KRegEx.exe
* UIHost.exe
* TrojDie.kxp
* FrogAgent.exe
* Logo1_.exe
* Logo_1.exe
* Rundl132.exe

Terminates the following Services:

* KVWSC
* KVSrvXP
* kavsvc
* AVP
* McAfeeFramework
* McShield
* McTaskManager
* navapsvc
* wscsvc
* KPfwSvc
* SNDSrvc
* ccProxy
* ccEvtMgr
* ccSetMgr
* SPBBCSvc
* Symantec Core LC
* Schedule
* sharedaccess
* RsCCenter
* RsRavMon
* NPFMntor
* MskService
* FireSvc

Deletes the following registry entries (the Run values of competing antivirus products, so they no longer start with Windows):

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "Show hidden files and folders" option in Folder Options using the following registry value, so that its own hidden files stay invisible even when the user selects that option:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares, logging on with the following passwords (a good reason to keep every share and account password off lists like this):

* admin$
* 1234
* password
* 6969
* harley
* 123456
* golf
* pussy
* mustang
* 1111
* shadow
* 1313
* fish
* 5150
* 7777
* qwerty
* baseball
* 2112
* letmein
* 12345678
* 12345
* ccc
* admin
* 5201314
* qq520
* 123
* 1234567
* 123456789
* 654321
* 54321
* 111
* 000000
* abc
* 11111111
* 88888888
* pass
* passwd
* database
* abcd
* abc123
* sybase
* 123qwe
* server
* computer
* 520
* super
* 123asd
* ihavenopass
* godblessyou
* enable
* 2002
* 2003
* 2600
* alpha
* 110
* 111111
* 121212
* 123123
* 1234qwer
* 123abc
* 007
* aaa
* patrick
* pat
* administrator
* root
* sex
* god
* fuckyou
* fuck
* test
* test123
* temp
* temp123
* win
* asdf
* pwd
* qwer
* yxcv
* zxcv
* home
* xxx
* owner
* login
* Login
* pw123
* love
* mypc
* mypc123
* admin123
* mypass
* mypass123
* 901100
* Administrator
* Guest
* admin
* Root

Deletes files with the .gho extension (Norton Ghost backup images) from local partitions except the C: drive, which removes exactly the images you would want for a clean restore.

Infects all .htm, .html, .asp, .php, .jsp and .aspx files, so any web content served from the machine spreads it further.