Showing posts with label Knowledge. Show all posts

April 06, 2009

Auto Shortcut Trouble with Internet Explorer

Once again I am here to post an issue, but I am really sorry to all readers of this blog because it took so long to post something here.

I got a complaint regarding Internet Explorer. The machine had Windows XP SP2 installed with Internet Explorer 6.0. That machine was badly infected with some virus/malware, so whenever the user clicked Internet Explorer's desktop icon, it created a shortcut to Internet Explorer instead of opening a browser window. I tried to remove it, but the malware had edited the registry entries belonging to Internet Explorer, so I couldn't find the "Open Home Page" option on the right-click menu of Internet Explorer's icon. You can see a screenshot of the infected Internet Explorer below.

How to fix this trouble?
You can restore Internet Explorer from this trouble with the help of the registry editor. Type the following text in Notepad (or copy-paste it), save it with a .reg extension, then simply run/merge it. It restores the entries that the malware removed.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="Open &Home Page"
"MUIVerb"="@shdoclc.dll,-10241"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,\
65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,\
00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,\
00,00
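Before merging any .reg file, it is worth checking what it will actually write, because the interesting part above (the Command value) is stored as hex(2), a UTF-16LE REG_EXPAND_SZ string, which is unreadable as-is. The following parser is an added example, not code from the original post: it rejoins the backslash-continued lines, decodes string, dword and hex(1)/hex(2) data, notes keys written as [-KEY] (deletions, as in the "trick" file further down), and returns the command that the "Open Home Page" verb would run. The sample .reg text embedded in it is a copy of the restore file above.

```python
import re

# Constructed sample: the "OpenHomePage" part of the restore .reg file above,
# embedded as a string so the decoder can run offline.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="Open &Home Page"
"MUIVerb"="@shdoclc.dll,-10241"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,\
65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,\
00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,\
00,00
'''

IE_CLSID = r"HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"

# A value line: either @ (the default value) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _join_continuations(text):
    """Regedit wraps long hex(...) data with a trailing backslash; rejoin those lines."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.strip()
        buf = line if buf is None else buf + line
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation: keep accumulating
            continue
        lines.append(buf)
        buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def _decode_data(data):
    """Decode the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):
        kind, _, payload = data.partition(":")
        raw = bytes(int(b, 16) for b in payload.split(",") if b)
        if kind in ("hex(1)", "hex(2)"):          # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                               # REG_BINARY and other types: keep the bytes
    return data


def parse_reg(text):
    """Parse a .reg file into {key: {value_name: data}}; a [-KEY] section maps to None (deletion)."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                result[name[1:]] = None          # key deletion; values listed under it are ignored
                current = None
            else:
                current = name
                result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            vname = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            result[current][vname] = _decode_data(m.group(2))
    return result


def open_home_page_command(parsed):
    """Return the command the 'Open Home Page' verb would run, or None if the .reg does not set it."""
    return (parsed.get(IE_CLSID + r"\shell\OpenHomePage\Command") or {}).get("(Default)")


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        print(key, "-> DELETE" if values is None else values)
    print("Open Home Page runs:", open_home_page_command(parsed))
```

For the file above the decoded command is "C:\Program Files\Internet Explorer\iexplore.exe" (with the quotes), which is what you expect; a .reg that points this verb anywhere else is one to leave unmerged.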


Wanna make a Trick...??
Well, you can play this trick on your friends: hide the "Open Home Page" option from Internet Explorer's icon (please see the screenshot below) and scare them.

For this, just type the following text in Notepad (or copy-paste it), save it with a .reg extension, then simply run/merge it. It removes the "Open Home Page" option from Internet Explorer.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"

[-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="Open &Home Page"
"MUIVerb"="@shdoclc.dll,-10241"

[-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,\
65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,\
00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,\
00,00

September 29, 2008

MS Office Save as PDF


Sometimes we really miss an important add-on facility in basic software. Microsoft Corporation has introduced a 'Save as PDF' option for Microsoft Office 2007 programs, and it is a really cool add-on. You just need to download the 'Save as PDF' tool from the following link.



After installing the add-on you get a PDF option under 'Save as type'. It lets you export and save a document from any MS Office 2007 program in PDF (Portable Document Format). You can convert MS Word or Excel files to PDF with this tool very easily.



August 10, 2008

Microsoft Office Outlook - Backup


A few months ago someone asked me about backing up Microsoft Office Outlook. Their email account was configured in Microsoft Office Outlook, so each and every email travelled through it, and all their important emails and related data were stored on the hard disk. One day their Windows crashed and they lost all their important emails, including contact details. That is why they asked me about backing up Microsoft Office Outlook.


I found that Microsoft Corporation provides a Backup utility for Microsoft Office Outlook which is not well known among Outlook users. This Backup utility works with the following Outlook clients:
  1. Microsoft Outlook 2002
  2. Microsoft Office Outlook 2003
  3. Microsoft Office Outlook 2007
It is a tool of just 160 KB named 'pfbackup.exe', and it is absolutely free. You just need to run/install it; then you get a 'Backup' option under the File menu of your Outlook. You can back up your Outlook as per your requirements. It creates the backup in .pst format (Personal Folders file). You can store it on another partition or on external removable storage media like a pen drive, USB hard disk, CDs, etc. Please visit the following link to download the backup tool.




It is easy to restore from a stored .pst file on your storage media. You just need to use the Import and Export options under the File menu of Microsoft Office Outlook. To learn more, please visit the following link from Microsoft Corporation.

Using the Microsoft Outlook Personal Folders Backup tool


July 13, 2008

Hard Disk Partition

I posted an article on NTFS v/s FAT file systems on July 08, 2007. Recently, I have noticed a bad habit in partitioning hard disks. I found that people want more space on the data partitions instead of the main/OS partition (e.g. with an 80 GB HDD they make C = 20 GB, D = 20 GB, E = 20 GB, F = 20 GB). They do not understand that C: is the primary/logical partition, which needs more space than the other partitions. Even technical people don't follow good practice regarding partitioning. That's why I needed to write this article on hard disk partitioning.

Disk Partition: It is nothing but the separation/division of a single hard disk. There are primary (logical) and extended partitions, which contain an NTFS or FAT file system.

Purpose for Partitioning:
  • Separate area for Operating system.
  • Separate area for Data.
  • Multi booting operating system.
  • Protect data when the system crashes.

Suggestion on Partitioning:
  • Always use the NTFS file system for partitions.
  • Always allocate more than 50% of the disk space to your logical partition. (I always create only 2 partitions per hard disk, in a 60:40 or 70:30 ratio.)
  • Don't create too many partitions. Use 2 or 3 partitions per HDD.
  • Always use compression on the data partition.
  • Change the default file save location so that each and every file on your system is saved on the data partition.

January 22, 2008

Frozen Computer


People regularly ask me about frozen/hung computers. Mostly they kill all running processes and forcefully restart the computer, which loses unsaved data, and it takes time to reboot the machine again. Too many running tasks, viruses, low disk space, low physical memory, and 'best appearance' visual settings on a low-performance machine are the main reasons for a frozen computer. There is a trick which can help with a frozen computer.



When your computer freezes/hangs, you don't really need to restart it forcefully. Just open Windows Task Manager with Ctrl+Alt+Del or Ctrl+Shift+Esc, move to its Processes tab and find 'explorer'. Kill 'explorer' with 'End Process' (check the screenshot). This shuts down Windows Explorer only, without restarting or killing any other running task.


Now go to the File menu of Windows Task Manager and select New Task (Run...). In the new window, type 'explorer' and click OK (check the screenshot). This restarts Windows Explorer easily. I hope this works with your frozen/hung computer.

December 30, 2007

eicar - Antivirus Tester


People regularly ask me about the best antivirus solution for their computer. I think any antivirus with the latest updates is the best defence against the latest malicious software like viruses and worms. All of us use one antivirus or another to protect ourselves from malicious software, but we don't know its ability to protect us, and we don't even test its performance. There is a European institute named "EICAR" which provides a facility to test your antivirus software. "EICAR" stands for European Institute for Computer Antivirus Research.

It offers a good facility to test your installed antivirus software. If you want to test your antivirus, copy-paste the following text into Notepad, save it with a .com extension and scan it with your antivirus. It is not a virus; it is just a test string which your antivirus software should detect.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can also create a zip file (or nested zip files) from the above text and carry out a deep scan. If you want to learn more and download the antivirus test file directly, visit the following link.
Anti Virus Test File.
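Typing the string by hand is error-prone (a single wrong character and scanners ignore it), so the following is an added example, not code from the original post or from EICAR, that builds the test file from the exact 68-byte string, reports its hashes so you can match the scanner's log entry, and wraps it in nested zip archives to exercise the archive-scanning depth the post mentions. The file and archive names are my own choice.

```python
import hashlib
import io
import os
import zipfile

# The EICAR test string exactly as published (68 bytes, no trailing newline).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes():
    return EICAR


def eicar_hashes():
    """Hashes of the 68-byte test file, useful for matching scanner log entries."""
    return {name: hashlib.new(name, EICAR).hexdigest() for name in ("md5", "sha1", "sha256")}


def nested_zip(payload, depth, inner_name="eicar.com"):
    """Wrap payload in `depth` nested zip archives and return the outermost archive's bytes."""
    data, name = payload, inner_name
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"eicar_level{level}.zip"
    return data


def unwrap_zip(blob):
    """Open nested archives until a non-zip member is reached; return (depth, innermost bytes)."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            blob = zf.read(zf.namelist()[0])
        depth += 1
    return depth, blob


def write_test_files(directory, max_depth=2):
    """Write eicar.com plus archives nested 1..max_depth deep; return the paths written."""
    os.makedirs(directory, exist_ok=True)
    paths = [os.path.join(directory, "eicar.com")]
    with open(paths[0], "wb") as f:
        f.write(EICAR)
    for depth in range(1, max_depth + 1):
        path = os.path.join(directory, f"eicar_zip{depth}.zip")
        with open(path, "wb") as f:
            f.write(nested_zip(EICAR, depth))
        paths.append(path)
    return paths


if __name__ == "__main__":
    print(eicar_hashes())
    for p in write_test_files("eicar_test"):
        print("wrote", p)
```

Run it on the machine whose antivirus you want to check: a working on-access scanner usually reacts the moment eicar.com is written, while the zipped copies show how deep the scanner looks inside archives.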

November 27, 2007

PHISHING - Never Danger Before


When you want to catch fish, you fool the fish and catch them easily by hooking, trapping, etc. Likewise, you can 'fish' (fool) people on the Internet with the help of 'phishing'. The word 'phishing' is based on 'fishing': in fishing you hunt fish, and in phishing you hunt people's minds and steal their important data through identity theft/social engineering.

Definition - Phishing:
(1) It is the act of tricking someone into giving away confidential information, or tricking them into doing something that they normally wouldn't do.
(2) It is a form of fraud that aims to steal valuable information such as bank account details, credit card details, user IDs and passwords, etc.

How does it work - Phishing:
Suppose I am an attacker and I need your bank account details, such as ID and password, for profit. Among the available attacks, I will use phishing.
I will create a fake login page which looks exactly like your bank's login screen. Then I will upload it to a server and send you its link via email. So when you open your inbox, you get the link to the fake login page. You click on that link and enter your ID and password just as you always do on your real bank's login page. In this case, your details come to me instead of your real bank because of phishing. Please check the 2 different Google Mail login pages below. (Maybe one is fake!!)



Target - Phishing:
(1) Banks
(2) Online shopping sites
(3) Well-known Email sites

Medium - Phishing:
(1) Email
(2) Messenger

Countermeasure against Phishing:
(1) Never click the links provided in email messages.
(2) Always type the real URL (Uniform Resource Locator) into the address bar of your browser.
(3) Reading emails in plain text prevents some phishing attacks.
(4) Never click any link in any messenger window.
(5) If you find a doubtful link in your mailbox, 'Delete' it immediately to prevent accidentally opening that link.

Foolproof Countermeasure:
A few banks have recently introduced a small device named a "Security Device". My favourite secure bank website is "HSBC Bank - The World's Local Bank". They introduced "The Security Device" (shown in the following image). The device has a unique number, which is registered and mapped to your ID and password. It has a small button on it; when you press that button it displays a 6-digit number, and the number won't be the same the next time. So when you enter your HSBC account ID on the login page, they ask for your password along with the 6-digit number shown on the Security Device's small screen. Suppose someone steals your ID and password: he/she will still NOT be able to log in to your HSBC account without having this Security Device. This makes HSBC banking even safer than other banks.
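A button-press token that shows a fresh 6-digit code each time is the shape of an event-based one-time password, and the standard way to build one is HOTP (RFC 4226): the device and the bank share a secret and a counter, and each code is a truncated HMAC-SHA1 over the counter. What follows is an added example of that mechanism, written by me and not HSBC's implementation (which the post does not describe); the secret is the RFC 4226 test-vector key so the codes can be checked against the published vectors, and the password, look-ahead window and class names are my assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return f"{binary % (10 ** digits):0{digits}d}"


class SecurityDevice:
    """The hand-held token: each button press emits the next one-time code."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press_button(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class BankServer:
    """Server side: per-user password and token secret; the counter only ever moves forward."""

    def __init__(self, password, token_secret, look_ahead=5):
        self.password, self.secret = password, token_secret
        self.counter, self.look_ahead = 0, look_ahead

    def login(self, password, code):
        if not hmac.compare_digest(password, self.password):
            return False
        # Accept the next look_ahead counters: the user may have pressed the button without logging in.
        for step in range(self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, self.counter + step), code):
                self.counter += step + 1   # consumed: the same code can never be accepted again
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 4226 test-vector secret; a real token has its own
    device, bank = SecurityDevice(secret), BankServer("hunter2", secret)
    code = device.press_button()
    print("login with password and code:", bank.login("hunter2", code))      # True
    print("replaying the same code:", bank.login("hunter2", code))           # False
    print("stolen password, guessed code:", bank.login("hunter2", "123456"))  # False
```

The last two calls are the point of the post: a stolen password alone does not log in, and a code seen once (shoulder-surfed, or captured by a phishing page and replayed later) is rejected because the server's counter has already moved past it.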


September 16, 2007

SPYWARE



We've all heard the word "Spyware", either directly or indirectly, and we use anti-spyware software to protect against it. I have tried to explain "Spyware" here. Maybe it will be useful to you.

What is Spyware?

As its name suggests, Spy + (soft)ware = Spyware. It has spying properties built into it.

Any software that covertly gathers user information without the user's knowledge for advertising, marketing, malicious or any other purposes is known as "Spyware". You can get spyware absolutely free, bundled with freeware or shareware programs. Spyware monitors your net surfing habits, collects information and sends it to the creator of the spyware.

It is not a Virus or Worm

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. It does not usually self-replicate like viruses or worms.

Location of Installed Spyware:

You can manually find installed spyware on your computer. You should check the following registry entries (the auto-start locations):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Spyware at Startup:

Besides the Run keys, spyware can modify the Windows Winlogon settings. By adding an ADDITIONAL shell (the default shell is the Explorer application), a spyware program gets itself loaded at Windows startup. The registry key is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value name: Shell)
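Checking those locations by hand is tedious, and the Winlogon Shell value in particular is easy to misread because Windows treats it as a comma-separated list of programs while some malware simply appends a second program after a space (the Brontok write-up further down shows exactly that form). The following is an added example, not code from the original post: it lists every Run/RunOnce entry from a registry snapshot and splits the Shell value so that anything loaded alongside explorer.exe stands out. The sample snapshot is constructed (the Temp and "spy helper" paths are made up), and the live reader uses the standard winreg module only when run on Windows.

```python
import sys

DEFAULT_SHELL = "explorer.exe"

# Auto-start locations named in the post (HKLM/HKCU Run and RunOnce) plus the Winlogon Shell value.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_programs(shell_value):
    """Split a Winlogon Shell value into its programs.

    Windows reads the value as a comma-separated list; some malware instead appends a
    second program after a space ("explorer.exe C:\\...\\x.exe"). Both separators are
    honoured here, and quoted paths containing spaces stay intact.
    """
    programs, current, quoted = [], "", False
    for ch in shell_value:
        if ch == '"':
            quoted = not quoted
        elif ch in " ," and not quoted:
            if current:
                programs.append(current)
            current = ""
        else:
            current += ch
    if current:
        programs.append(current)
    return programs


def extra_shells(shell_value):
    """Programs loaded alongside the default shell: anything here deserves a close look."""
    return [p for p in shell_programs(shell_value) if p.lower() != DEFAULT_SHELL]


def audit_autostarts(snapshot):
    """snapshot: {key_path: {value_name: data}} as exported from the registry.
    Returns (key, value_name, data) for every Run/RunOnce entry and every extra shell,
    so the reviewer sees the complete auto-start picture in one list."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            findings.append((key, name, data))
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", DEFAULT_SHELL)
    for program in extra_shells(shell):
        findings.append((WINLOGON_KEY, "Shell (extra)", program))
    return findings


def live_snapshot():
    """Read the same keys from a running Windows machine (returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key in RUN_KEYS + [WINLOGON_KEY]:
        hive_name, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive_name], sub) as h:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break            # no more values under this key
                    values[name] = data
                    i += 1
                snap[key] = values
        except OSError:
            pass                         # key absent or not readable
    return snap


# Constructed sample snapshot; the second Run entry and the extra shell path are made up.
SAMPLE_SNAPSHOT = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "updater": r"C:\Documents and Settings\user\Local Settings\Temp\svchost32.exe",
    },
    WINLOGON_KEY: {"Shell": r'explorer.exe "C:\Program Files\Common Files\spy helper.exe"'},
}

if __name__ == "__main__":
    for finding in audit_autostarts(live_snapshot() or SAMPLE_SNAPSHOT):
        print(*finding, sep=" | ")
```

On the sample snapshot the output lists both Run entries and then the "spy helper.exe" program as an extra shell; a program started from a Temp folder or from a second shell entry is exactly the kind of item the post says to look for.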

Anti-Spyware:

There are many programs which prevent spyware and its activities, and remove/block it too. You can choose any one of them and stop spyware easily.


August 26, 2007

DNS Lookup

DNS Lookup: A Domain Name Server (DNS) lookup is the conversion of a domain name into its respective IP address. A reverse DNS lookup is the conversion of an IP address into its respective domain name.

I described in an older post, named IP Address, that every machine on the Internet has an IP address, and every registered website has an IP address too. When we type a URL (Uniform Resource Locator) like www.google.co.in into our browser's address bar, our request passes through a DNS lookup server, which finds the requested site's IP address. So our request reaches the website and its page is displayed in our browser.

The URL is easy to remember and easy to type; it exists just so that humans can remember it. On the other side, the IP address is hard to remember and hard to type, so it is for machines. Mostly we type www.google.co.in to open the Google (India) website, but you can type its IP address 72.14.235.104 and access the same site. That is a dotted decimal number. Likewise you can type the IP address as a dotted hex number 0x48.0x0e.0xeb.0x68, as a dword number 1208937320, or as a dotted octal number 0110.0016.0353.0150 and reach the same Google site.

Please refer to the picture above: type any of the described values into your browser's address bar and you just get www.samair.ru.
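The same flexibility that lets you reach Google as a dword is used in phishing links to make a raw IP address look like something else, so it is useful to be able to normalize every spelling back to dotted decimal. The following is an added example, not code from the original post: it parses the dotted decimal, dotted hex, dotted octal and single-dword forms (and, generalizing slightly, the short forms such as 72.14.60264 where the last component fills the remaining bytes, as in the classic inet_aton rules), regenerates the four spellings the post lists, and flags a host that is numeric but not written in plain dotted decimal. The address is the one quoted in the post.

```python
import ipaddress


def _number(token):
    """Decode one dotted component the way browsers do: 0x.. hex, leading 0 octal, else decimal."""
    t = token.lower()
    if t.startswith("0x"):
        return int(t[2:] or "0", 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def parse_numeric_host(host):
    """Turn any accepted numeric spelling into an IPv4Address.

    Handles dotted decimal, dotted hex, dotted octal and the single 32-bit dword form;
    with fewer than four components the last one fills the remaining bytes, so
    "72.14.60264" and "1208937320" are also valid spellings. Raises ValueError otherwise.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a numeric host: {host!r}")
    numbers = [_number(p) for p in parts]
    value = 0
    for n in numbers[:-1]:
        if not 0 <= n <= 255:
            raise ValueError(f"component out of range in {host!r}")
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(parts))          # bytes left for the last component
    if not 0 <= numbers[-1] < (1 << tail_bits):
        raise ValueError(f"last component out of range in {host!r}")
    return ipaddress.IPv4Address((value << tail_bits) | numbers[-1])


def spellings(addr):
    """The four spellings the post lists, generated from one address."""
    octets = addr.packed
    return {
        "dotted_decimal": str(addr),
        "dotted_hex": ".".join(f"0x{o:02x}" for o in octets),
        "dword": str(int(addr)),
        "dotted_octal": ".".join(f"0{o:03o}" for o in octets),
    }


def is_disguised(host):
    """True when a numeric host is written in anything but plain dotted decimal, a common
    trick in phishing links; non-numeric hosts (domain names) return False."""
    try:
        addr = parse_numeric_host(host)
    except ValueError:
        return False
    return host != str(addr)


if __name__ == "__main__":
    google_in = ipaddress.IPv4Address("72.14.235.104")   # address quoted in the post
    for name, text in spellings(google_in).items():
        print(f"{name:15} {text:25} -> {parse_numeric_host(text)}  disguised={is_disguised(text)}")
```

A mail filter or link checker can run is_disguised over every host it extracts; a hex, octal or dword host in a message is rarely legitimate and is worth showing to the user in its dotted decimal form.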

August 10, 2007

Proxy Servers

A proxy server is a computer system or an application program which services the requests of its clients by forwarding them to other servers. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client.

OR

A mechanism which spoofs or hides your identity on the Internet is called a proxy.

Types of Proxy Servers:
  • Anonymizing Proxy
A proxy server that removes identifying information from the client's requests for the purpose of anonymity is called an anonymizing proxy server or anonymizer.
  • Caching Proxy
A proxy server that stores the documents it retrieves from other servers in a local cache.
  • Web Proxy
Proxies that focus on Internet traffic are called web proxies. Many web proxies attempt to block some web content.
  • Hostile Proxy
Proxies can also be installed by online criminals in order to eavesdrop on the data flow between the client machine and the web.
  • Transparent Proxy
A proxy that does not modify the request or response beyond what is required for proxy authentication and identification.
  • Non-Transparent Proxy
A proxy that modifies the request or response in order to provide some added service to the user agent, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering.
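The difference between a transparent and an anonymizing proxy is concrete at the HTTP header level: a transparent proxy forwards the request as-is and adds only the identification headers (Via, X-Forwarded-For), so the destination can still learn the client's address, whereas an anonymizer strips the headers that identify the client and adds nothing. The following is an added example, not code from the original post: it builds the upstream header set for each mode and shows what origin address the destination server ends up seeing. The client request, the addresses and the set of "identifying" headers are my own constructed choices.

```python
# Headers that reveal who the client is or where the request came from; an anonymizing
# proxy strips these. The set is an illustrative choice, not a standard list.
CLIENT_IDENTIFYING = {"x-forwarded-for", "forwarded", "via", "x-real-ip", "referer", "user-agent", "cookie"}
# Hop-by-hop headers are meant for the proxy itself and are never forwarded.
HOP_BY_HOP = {"proxy-authorization", "proxy-connection", "connection", "keep-alive"}


def forward_headers(client_headers, client_ip, mode, proxy_name="proxy.example.net"):
    """Build the header set the proxy sends upstream for a given proxy type.

    mode: "transparent"  - forwards everything and adds Via/X-Forwarded-For (identification only)
          "anonymizing"  - removes client-identifying headers and adds nothing about the client
    """
    if mode not in ("transparent", "anonymizing"):
        raise ValueError(f"unknown proxy mode: {mode}")
    out = {k.lower(): v for k, v in client_headers.items() if k.lower() not in HOP_BY_HOP}
    if mode == "anonymizing":
        for name in CLIENT_IDENTIFYING:
            out.pop(name, None)
        return out
    # Transparent: append this hop to Via and the client's address to X-Forwarded-For.
    out["via"] = (out["via"] + ", " if "via" in out else "") + "1.1 " + proxy_name
    out["x-forwarded-for"] = (out["x-forwarded-for"] + ", " if "x-forwarded-for" in out else "") + client_ip
    return out


def origin_ip_as_seen_by_server(upstream_headers, tcp_peer_ip):
    """What the destination can learn about the real client: the left-most X-Forwarded-For
    entry if present, otherwise only the address the TCP connection came from (the proxy)."""
    xff = upstream_headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else tcp_peer_ip


# Constructed client request; the addresses are from the documentation ranges.
CLIENT_IP = "192.0.2.10"
CLIENT_HEADERS = {"Host": "www.example.com", "User-Agent": "ExampleBrowser/1.0",
                  "Referer": "http://intranet.example/", "Cookie": "session=abc",
                  "Proxy-Authorization": "Basic Zm9vOmJhcg=="}

if __name__ == "__main__":
    for mode in ("transparent", "anonymizing"):
        up = forward_headers(CLIENT_HEADERS, CLIENT_IP, mode)
        print(mode, up, "-> server sees client as", origin_ip_as_seen_by_server(up, "198.51.100.7"))
```

Note that X-Forwarded-For is only as trustworthy as the proxy that wrote it: a server should treat the value as a claim, not a fact, unless the connection comes from a proxy it operates.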

Normal Connection:


Connection via Proxy:


July 28, 2007

SALITY - Virus

One day I was invited to disinfect a virus-infected computer. I checked certain places on that infected system and guessed that it might be the Brontok worm, because the machine didn't have "Folder Options" under the Tools menu, the registry editor was disabled, and a few more signs. But I was shocked when I found only the Sality virus there. I tried my level best and saved its data, but I advised them to format and reinstall Windows XP due to the slow processing speed and a few more problems that I faced. As far as I know the Sality virus acts as a keylogger, so I thought it might be a modified Sality virus there.

Sality: It infects Windows operating systems. On execution it performs the following actions. It may drop a .dll file in C:\Windows\System32 or C:\Windows\Temp; the following are some examples of the filenames:

    • SYSLIB32.DLL
    • OLEDSP32.DLL
    • SYSDLL.DLL
    • OLEMDB32.DLL
  1. Creates the mutex named "KUKU300a" so that only one instance of the threat runs on the compromised computer.
  2. May infect executable files registered in the following registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Any files infected with this virus will be detected as W32.HLLP.Sality!inf.
  3. Checks the current time and may activate its payload if minutes are equal to hours and if the date is May 1st or the 10th to 12th of any month.
  4. May then activate the payload, and display a message box with the following characteristics:

    Title: Win32.HLLP.Kuku v[VERSION_NUMBER]
    Body:
    <<<<>>>>
    'Copy[REMOVED]tor'
  5. May add its configuration data to the file C:\Windows\System.ini by appending some of the following lines to this file:

    [TFTempCache]
    id=[RANDOM_NUMBER]
    RtlMoveMeory=[RANDOM_NUMBER]
    PING=[NUMBER]
    TIME=[TIME]
  6. May test connectivity by attempting to contact the following host:

    www.microsoft.com
  7. Uses keylogging capabilities to gather the following information from the compromised computer:
    • IP address, host name, and user names
    • Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
    • RAS dialup accounts
    • Net Share passwords
    • Startup programs
    • WebMoney files
  8. Temporarily stores any information it gathers in the following encrypted file:

    %System%\TFTempCache
  9. May send this information to several email addresses located in Russia using the following SMTP server over TCP port 25:

    msx.mail.ru

    This email has the following characteristics:
    From: CyberMazafaka@mailru.com
    To: sector2007@list.ru, bespontovik@list.ru
    Subject: Administrator
    Attachment:
    • readme.tjc
    • TFTempCache.tjc
  10. Contains references to the following IRC server:

    rinet.msk.wenet.ru

    Note: At the time of writing, code to utilize this server is not implemented.
  11. Allows a remote attacker to perform various unauthorized actions on the compromised computer.
  12. May infect executable files by prepending its code to the host file. However, not all the variants of this virus are able to spread in this way. Any infected files will be detected as W32.HLLP.Sality!inf.
  13. May delete the files which have the following extensions when searching for files to infect:
    • .vdb
    • .avc
    • .key
  14. May also delete those file names which begin with the following strings:
    • KAV
    • NOD
    • ANTI
    • SCAN
    • ZONE
    • ANDA
    • TROJ
    • TREN
    • ALER
    • CLEAN
    • OUTP
    • GUAR
    • AVP
    • TOTAL

Countermeasures:

  • Patch your operating system with latest update on regular basis.
  • Turn off and remove unneeded services on your server/systems.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • Use an up-to-date antivirus with the latest signatures.
  • Always keep in touch with your employees and make them aware of newly arrived viruses/worms or malicious activities on a regular basis.

July 09, 2007

IP Address

Like a telephone/cell number, every machine on the Internet has a unique number, called an IP address. In other terms, it is a 32-bit number. It looks like this: 192.168.103.378
Dynamic IP address: It changes every time you connect to the Internet, e.g. via dial-up/ISP using PPP (Point-to-Point Protocol).
Static IP address: It is a permanent IP address. It remains the same every time.

IP addresses are normally expressed in decimal format, called a dotted decimal number.
The four numbers in an IP address are called octets. Each has eight positions when viewed in binary form. Each octet can have any value from 0 to 255. The octets are split into two sections: NET and HOST (NODE). The Net section always contains the first octet. The Host/Node section always contains the last octet.
Class A: This class is for very large networks/big international company. IP address range from 1.0.0.1 to 126.255.255.254
Loopback: The IP address 127.0.0.1 is used as loopback address. It is used by the host computer to send a message back to itself. It is commonly used for troubleshooting and network testing.
Class B: This class is for medium size of networks like university/colleges. IP address range from 128.1.0.1 to 191.255.255.254
Class C: This class is for small size of networks. IP address range from 192.0.1.1 to 223.255.254.254
Class D: This class is reserved for multicast. IP address range from 224.0.0.0 to 239.255.255.254
Class E: It is also reserved like class-D. IP address range from 240.0.0.0 to 254.255.255.254

Private IP range:
  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255
Default Network: The IP address of 0.0.0.0 is used for the default network.
Broadcast: Messages that are intended for all computers on a network are sent as broadcasts. These messages always use the IP address 255.255.255.255
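The class, private-range and special-address rules above are easy to get wrong by eye, so here is an added example, not code from the original post, that applies them: it validates that each octet is within 0 to 255, names the class from the first octet along with the loopback, default-network and broadcast addresses, checks the three private ranges, and for class A, B and C splits the address into its NET and HOST parts using the classful default mask (255.0.0.0, 255.255.0.0, 255.255.255.0, which the post implies but does not spell out). Class E is taken to run through first octet 255 so that every address gets a class; the post's own range stops at 254.

```python
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_ipv4(text):
    """Validate dotted decimal: exactly four octets, each 0..255. Returns the octets as ints."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: an IPv4 address has four octets")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"{text!r}: octet {p!r} is not in 0..255")
        octets.append(int(p))
    return octets


def is_valid_ipv4(text):
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def classify(text):
    """Classful category by first octet, plus the special addresses the post names."""
    first = parse_ipv4(text)[0]
    if text == "0.0.0.0":
        return "default network"
    if text == "255.255.255.255":
        return "broadcast"
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def is_private(text):
    addr = ipaddress.IPv4Address(".".join(str(o) for o in parse_ipv4(text)))
    return any(addr in net for net in PRIVATE_RANGES)


def describe(text):
    """Class, private flag and, for A/B/C, the NET and HOST split under the default mask."""
    cls = classify(text)
    info = {"address": text, "class": cls, "private": is_private(text)}
    mask = CLASS_DEFAULT_MASK.get(cls)
    if mask:
        net = ipaddress.IPv4Network(f"{text}/{mask}", strict=False)
        info["network"] = str(net.network_address)
        info["host_part"] = int(ipaddress.IPv4Address(text)) - int(net.network_address)
    return info


if __name__ == "__main__":
    for sample in ("10.5.6.7", "172.20.0.1", "192.168.103.1", "8.8.8.8", "127.0.0.1", "224.0.0.1"):
        print(describe(sample))
    print("192.168.103.378 valid?", is_valid_ipv4("192.168.103.378"))
```

The last line shows why the octet check matters: an address with a component above 255 is not an IP address at all, however plausible it looks.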

July 08, 2007

NTFS v/s FAT

FAT (File Allocation Table) is a file system that was developed for MS-DOS and used in various versions of Microsoft Windows. The FAT file system is considered relatively uncomplicated and, because of that, it is a popular format for removable storage like floppy disks and pen drives. It is supported by virtually all existing operating systems.
  • Maximum Volume Size: 2 TB
  • Maximum Files on Volume: Unlimited
  • Maximum File Size: 4 GB
  • Maximum Cluster Numbers: 268435456
  • Maximum File Name: Up to 255 characters
NTFS (New Technology File System) is a high-performance and self-healing file system. It is supported on Windows XP/Windows 2000/Windows NT. It supports file-level security, compression, and auditing. It also supports large volumes and powerful storage solutions such as RAID. The most important new feature of NTFS is the ability to encrypt files and folders to protect your sensitive data.
  • Maximum Volume Size: 2 TB
  • Maximum Files on Volume: Unlimited
  • Maximum File Size: Limit only by volume size
  • Maximum Cluster Numbers: Unlimited
  • Maximum File Name: Up to 255 characters

July 07, 2007

FUJACKS-Virus

Fujacks creates the following files in all drives:

* autorun.inf
* setup.exe

Creates Destop_.ini in all folders.

Adds the following value to the registry to auto-start itself when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"

Terminates processes containing strings:

* VirusScan
* NOD32
* Symantec AntiVirus
* Duba
* esteem procs
* System Safety Monitor
* Wrapped gift Killer
* Winsock Expert
* msctls_statusbar32
* pjf(ustc)
* IceSword

Terminates the following processes:

* Mcshield.exe
* VsTskMgr.exe
* naPrdMgr.exe
* UpdaterUI.exe
* TBMon.exe
* scan32.exe
* Ravmond.exe
* CCenter.exe
* RavTask.exe
* Rav.exe
* Ravmon.exe
* RavmonD.exe
* RavStub.exe
* KVXP.kxp
* KvMonXP.kxp
* KVCenter.kxp
* KVSrvXP.exe
* KRegEx.exe
* UIHost.exe
* TrojDie.kxp
* FrogAgent.exe
* Logo1_.exe
* Logo_1.exe
* Rundl132.exe

Terminates the following Services:

* KVWSC
* KVSrvXP
* kavsvc
* AVP
* McAfeeFramework
* McShield
* McTaskManager
* McAfeeFramework
* navapsvc
* wscsvc
* KPfwSvc
* SNDSrvc
* ccProxy
* ccEvtMgr
* ccSetMgr
* SPBBCSvc
* Symantec Core LC
* Schedule
* sharedaccess
* RsCCenter
* RsRavMon
* NPFMntor
* MskService
* FireSvc

Deletes the following Registry entries:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "show hidden files" option in Folder Options using the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares using following passwords:

* admin$
* 1234
* password
* 6969
* harley
* 123456
* golf
* pussy
* mustang
* 1111
* shadow
* 1313
* fish
* 5150
* 7777
* qwerty
* baseball
* 2112
* letmein
* 12345678
* 12345
* ccc
* admin
* 5201314
* qq520
* 123
* 1234567
* 123456789
* 654321
* 54321
* 111
* 000000
* abc
* 11111111
* 88888888
* pass
* passwd
* database
* abcd
* abc123
* sybase
* 123qwe
* server
* computer
* 520
* super
* 123asd
* ihavenopass
* godblessyou
* enable
* 2002
* 2003
* 2600
* alpha
* 110
* 111111
* 121212
* 123123
* 1234qwer
* 123abc
* 007
* aaa
* patrick
* pat
* administrator
* root
* sex
* god
* fuckyou
* fuck
* test
* test123
* temp
* temp123
* win
* asdf
* pwd
* qwer
* yxcv
* zxcv
* home
* xxx
* owner
* login
* Login
* pw123
* love
* mypc
* mypc123
* admin123
* mypass
* mypass123
* 901100
* Administrator
* Guest
* admin
* Root

Deletes files with the .gho extension from all local partitions except the C drive.

Infects all htm, html, asp, php, jsp and aspx files.

June 29, 2007

BRONTOK - Computer Worm



It affects computers running the Windows operating system. It is also known as a mass-mailing e-mail worm. It spreads via e-mail attachments, file transfer, USB and flash drives, etc.

Attacks:

When the infected e-mail attachment is opened, the worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:
  • Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif
  • Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 p.m.
  • Adding registry value: "Tok-Cirrhatus"
    with data: <path to Win32/Brontok worm>
    in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Adding registry value: "Bron-Spizaetus"
    with data: <path to Win32/Brontok worm>
    in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Adding registry value: Shell
    with data: "explorer.exe " <path to Win32/Brontok worm>
    in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
  • Modifying registry value: AlternateShell
    with data: <Win32/Brontok file name>
    in subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    Note: the default setting for this value is "AlternateShell"="cmd.exe"
Brontok may attempt to lower security settings by making the following changes:
  • Prevents the user from accessing the Registry Editor:
    Adds value: DisableRegistryTools
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Prevents the display of files and folders with the 'hidden' attribute set:
    Adds value: Hidden
    With data: 0
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents the display of Windows system files:
    Adds value: ShowSuperHidden
    With data: 0
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents the display of executable file extensions:
    Adds value: HideFileExt
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents access to the Folder Options menu:
    Adds value: NoFolderOptions
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
  • Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
  • Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
  • Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.
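The registry changes listed above are also the cleanup checklist: each one has a state a responder wants restored (registry tools and Folder Options usable, hidden and system files and extensions visible, SafeBoot's AlternateShell back to the documented default cmd.exe, Winlogon's Shell back to explorer.exe, and the two Run values gone). The following is an added example, not code from the original post: it compares a registry snapshot against those wanted states and renders the differences as a .reg file in the same format the Internet Explorer post uses, with "name"=- lines for the values to delete. The sample snapshot is constructed, and the worm path in it is a placeholder.

```python
# State a responder wants after cleanup. The value names and keys are the ones the post
# lists the worm changing; the wanted data is the usable/visible setting, not necessarily
# the Windows out-of-box default.
DESIRED = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 0},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "Hidden": 1, "ShowSuperHidden": 1, "HideFileExt": 0},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoFolderOptions": 0},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot": {"AlternateShell": "cmd.exe"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon": {"Shell": "explorer.exe"},
}
# Run-key values the post attributes to the worm; these are removed rather than reset.
WORM_RUN_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": ["Tok-Cirrhatus"],
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": ["Bron-Spizaetus"],
}


def audit(snapshot):
    """Compare a registry snapshot {key: {name: data}} with DESIRED and WORM_RUN_VALUES.
    Returns (key, name, current, wanted) tuples; wanted is None when the value should be deleted.
    Values absent from the snapshot are left alone (an absent policy value means 'not restricted')."""
    findings = []
    for key, wanted_values in DESIRED.items():
        current_values = snapshot.get(key, {})
        for name, wanted in wanted_values.items():
            current = current_values.get(name)
            if current is not None and current != wanted:
                findings.append((key, name, current, wanted))
    for key, names in WORM_RUN_VALUES.items():
        for name in names:
            if name in snapshot.get(key, {}):
                findings.append((key, name, snapshot[key][name], None))
    return findings


def _reg_literal(value):
    """Render data in .reg syntax: dword:hex for integers, escaped quoted string otherwise."""
    if isinstance(value, int):
        return f"dword:{value:08x}"
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def restore_reg(findings):
    """Render the findings as a .reg file: "name"=- deletes a value, the rest set the wanted data."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for key, name, _current, wanted in findings:
        by_key.setdefault(key, []).append((name, wanted))
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for name, wanted in items:
            lines.append(f'"{name}"=-' if wanted is None else f'"{name}"={_reg_literal(wanted)}')
        lines.append("")
    return "\r\n".join(lines)          # regedit expects CRLF line endings


# Constructed snapshot of an infected profile; the worm file name and path are placeholders.
SAMPLE_SNAPSHOT = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "Hidden": 0, "ShowSuperHidden": 0, "HideFileExt": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoFolderOptions": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot": {"AlternateShell": "PLACEHOLDER-worm.exe"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon": {
        "Shell": r"explorer.exe C:\PLACEHOLDER\path\to\worm.exe"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Tok-Cirrhatus": r"C:\PLACEHOLDER\path\to\worm.exe"},
}

if __name__ == "__main__":
    print(restore_reg(audit(SAMPLE_SNAPSHOT)))
```

Merge the generated file only after the worm's process is stopped and its files removed; otherwise the running worm simply writes the values back.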

Countermeasures:
  • Patch and update your operating system on a daily basis
  • Enable firewall protection
  • Don't download unauthorized email attachments
  • Scan downloaded attachments, USB pen drives, CDs and floppies
  • Use antivirus software and update it on a daily basis

June 28, 2007

Computer Ports

There are two types of port in the computer world.
(1) Physical Port: These are hardware ports, located at the back of your CPU (computer tower). For example: keyboard, mouse, COM1, COM2, etc.
(2) Virtual Port: Also known as software ports, these are virtual pipes through which information flows. Every open software port has a service or daemon running on it ('service' or 'daemon' is the term for the software listening on such a port). They are just like doors. They are classified as follows:
  • Well-known Ports: Port number 0 to 1023
  • Registered Ports: Port number 1024 to 49151
  • Dynamic/Private Ports: Port number 49152 to 65535
Some popular ports are described as follows.

Port   Proto     Description
0      TCP/UDP   Reserved
1      TCP/UDP   TCPMUX (TCP Port Service Multiplexer)
5      TCP/UDP   RJE (Remote Job Entry)
7      TCP/UDP   ECHO protocol
9      TCP/UDP   DISCARD protocol
11     TCP/UDP   SYSTAT protocol
13     TCP/UDP   DAYTIME protocol
17     TCP/UDP   QOTD (Quote of the Day) protocol
18     TCP/UDP   Message Send Protocol
19     TCP/UDP   CHARGEN (Character Generator) protocol
20     TCP       FTP data port
21     TCP       FTP control (command) port
22     TCP/UDP   SSH (Secure Shell) secure logins
23     TCP/UDP   TELNET protocol
25     TCP/UDP   SMTP (Simple Mail Transfer Protocol)
26     TCP/UDP   RSFTP (simple FTP)
35     TCP/UDP   QMS Magicolor printer
37     TCP/UDP   TIME protocol
38     TCP/UDP   Route Access Protocol
39     TCP/UDP   Resource Location Protocol
41     TCP/UDP   Graphics
42     TCP/UDP   Host Name Server
43     TCP       WHOIS protocol
53     TCP/UDP   DNS (Domain Name System)
57     TCP       MTP (Mail Transfer Protocol)
69     UDP       TFTP (Trivial File Transfer Protocol)
70     TCP       Gopher protocol
79     TCP       Finger protocol
80     TCP       HTTP (Hyper Text Transfer Protocol)
109    TCP       POP2 (Post Office Protocol version 2)
110    TCP       POP3 (Post Office Protocol version 3)
118    TCP       SQL Services
143    TCP/UDP   IMAP4 (Internet Message Access Protocol 4)
156    TCP/UDP   SQL Service
194    TCP       IRC (Internet Relay Chat)
401    TCP/UDP   UPS (Uninterruptible Power Supply)
443    TCP       HTTPS (HTTP over TLS/SSL, encrypted transmission)
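The two ideas above, that a port number falls into one of three IANA ranges and that an "open" port is simply one with a daemon accepting connections behind it, can be seen in a few lines of Python. The script below is an added example written for this page, not code from the original post: it classifies port numbers, starts a throwaway TCP listener on localhost so there is something to find, and then does a plain connect() scan to tell open ports from closed ones. The listener, the `closed_port()` helper and the port lists are constructed for the demonstration; `service_name()` reads whatever services database the host has (for example /etc/services), so it returns None on a machine that has none.

```python
import socket
import threading
from contextlib import closing

# IANA port ranges (the three classes listed in the post).
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
PORT_MAX = 65535


def port_class(port):
    """Return which of the three IANA ranges a port number falls into."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError("port must be 0..65535, got %r" % (port,))
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def service_name(port, proto="tcp"):
    """Conventional service name for a port from the local services
    database (/etc/services on Unix); None if the port is not listed."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


def tcp_port_open(host, port, timeout=0.5):
    """True if a daemon is listening on host:port, i.e. a TCP connect() succeeds."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # ECONNREFUSED, timeout, unreachable, ...
            return False
        # Loopback quirk: if the kernel picks our own ephemeral source port as
        # the destination, the socket "connects" to itself with nothing
        # listening.  A real daemon never has the same address at both ends.
        return s.getsockname() != s.getpeername()


def scan(host, ports, timeout=0.5):
    """Connect-scan a list of ports: {port: (is_open, iana_class, service)}."""
    return {p: (tcp_port_open(host, p, timeout), port_class(p), service_name(p))
            for p in ports}


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP daemon on a kernel-chosen port (constructed for
    the demo).  Returns (server socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 = let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # srv.close() ends the loop
                break
            conn.close()         # accept and hang up: enough to count as "open"

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port(host="127.0.0.1"):
    """Find a port that is (almost certainly) not listening: bind to port 0,
    read the number the kernel picked, then release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_p = start_listener()
    closed_p = closed_port()
    for port, (is_open, cls, svc) in scan("127.0.0.1", [open_p, closed_p]).items():
        print("%5d/tcp  %-16s %-7s %s" % (port, cls, "open" if is_open else "closed", svc or "-"))
    srv.close()
```

Run it as a script and it prints one line per port: the port the demo daemon is listening on shows as open, the released one as closed. Note that the kernel-chosen ports land in the OS's ephemeral range, which on Linux (32768 to 60999) is inside the IANA "registered" range, so the class column is only a convention, not a statement about what is really listening; the only way to know that is to connect, as `tcp_port_open()` does.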

June 27, 2007

Viruses_Worms_Trojans

Viruses, worms and Trojans are all malicious programs (malware) that can crash or damage your computer.

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses range in severity: some cause only mildly annoying effects, while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus in its design and is considered a sub-class of virus. Worms spread from computer to computer, but unlike a virus, a worm can travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allow it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, with a devastating effect. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book; the worm then replicates and sends itself to everyone in each recipient's address book, and the process continues down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In more recent worm attacks, such as the much talked about Blaster worm, the worm was designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. At first glance a Trojan horse appears to be useful software, but it actually does damage once installed or run on your computer. Those on the receiving end of a Trojan horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (changing your desktop, adding silly active desktop icons), while others cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

June 23, 2007

TCP/IP 3-way handshake connection

There are two important words in the Internet Protocol suite: Transmission Control Protocol and Internet Protocol, together known as TCP/IP. The TCP/IP suite is commonly described as five layers, and data is passed from one layer to the next as it is sent and received.