
Wednesday, May 30, 2007

"Hacked by Pokemon" virus

Removing "Hacked by Pokemon" virus

Is your Internet Explorer title bar showing "Hacked by Pokemon"? Don't worry, this is not a high-risk virus; it is just a Visual Basic script. The file that runs it is BHA.VBS.DLL. I will show you how to remove this bug manually.




What will This Virus Do ?


-Infects every one of your partitions, including removable drives, because the script is written to generate bha.vbs.dll and autorun.inf on each of them.

-Spreads via removable drives such as pen drives or other storage devices, because the VBS script can regenerate the dll file wherever it lands.

-Generates new values in your Windows registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL = winpath & "\Bha.dll.vbs" (the Windows path followed by \Bha.dll.vbs)

HKCR\vbsfile\DefaultIcon - shell32.dll

And also modifies this registry value:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title = "Hacked by pokemon"

-None of your partitions can be opened normally on an infected PC, because the default action for each drive has been changed from 'Open' to 'Autoplay'. To check this, right-click one of your drives and look at the first (bold) option: is it Open or Autoplay?




How to Show Autorun.inf & bha.vbs.dll in Your Computer?



-Go to Tools > Folder Options

-Uncheck Hide protected operating system files (Recommended) and Use simple file sharing (Recommended)

-Click Apply and Close the window.

WARNING: When you open a drive partition, MAKE SURE you open it by right-clicking it and choosing Open. IF NOT, the threat will RUN again.


How to Delete/Remove the *.vbs File?

1) Press CTRL + ALT + DEL and look for wscript.exe to check whether the script is running. If it is there, click End Process.

2) You may delete the two files I mentioned above manually in every partition.

3) Or, Start -> Search: search for *.vbs files and delete the file if it is found.

How To Clean The Registry ?

-After cleaning and deleting the files, you must clean the Windows registry, because this threat generates new registry values once it has been activated.

-Run the registry editor: START ---> Run (type regedit)

-Open this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL

Delete the value named MS32DLL

-And open this location:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

-Choose Window Title and edit the string.

-You may put any name there or delete the string value (Window Title).


-Then reboot your PC.
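For anyone who would rather check all of the above from one place, here is an added audit script that is not part of the original post. It checks the indicators the post lists (the wscript.exe process, the MS32DLL Run value, the Internet Explorer Window Title, the vbsfile icon redirection, and the dropped files in the root of every drive) and only reports them; with the -Remove switch it also performs the cleanup steps described above. It assumes an elevated PowerShell prompt and uses both spellings of the dropped script name that appear in the post.

```powershell
# Added audit script for the indicators listed in the post above; it is not the post's own
# code. Without -Remove it only reports; with -Remove it stops wscript.exe, deletes the
# MS32DLL Run value and the IE title string, and removes the dropped files. Run elevated.
param(
    [switch]$Remove
)

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$iconKey = 'Registry::HKEY_CLASSES_ROOT\vbsfile\DefaultIcon'
# The post spells the dropped script both "bha.vbs.dll" and "Bha.dll.vbs"; check both.
$dropped = @('bha.vbs.dll', 'bha.dll.vbs', 'autorun.inf')
$found   = New-Object System.Collections.Generic.List[string]

# 1. Is the Windows Script Host still running the payload?
foreach ($p in Get-Process -Name wscript -ErrorAction SilentlyContinue) {
    $found.Add("wscript.exe running, PID $($p.Id)")
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Run-key persistence (value named MS32DLL)
$run = Get-ItemProperty -Path $runKey -Name MS32DLL -ErrorAction SilentlyContinue
if ($run) {
    $found.Add("Run value MS32DLL = $($run.MS32DLL)")
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name MS32DLL }
}

# 3. Internet Explorer title-bar string
$title = (Get-ItemProperty -Path $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title -and $title -match 'pokemon') {
    $found.Add("IE Window Title = '$title'")
    if ($Remove) { Remove-ItemProperty -Path $ieMain -Name 'Window Title' }
}

# 4. vbsfile icon redirected to shell32.dll (report only; the original value is not restored here)
$icon = (Get-ItemProperty -Path $iconKey -ErrorAction SilentlyContinue).'(default)'
if ($icon -and $icon -match 'shell32\.dll') {
    $found.Add("vbsfile DefaultIcon = $icon")
}

# 5. Dropped files in the root of every partition and removable drive.
#    Hidden/system attributes do not stop Test-Path; -Force is needed to delete them.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $dropped) {
        $path = Join-Path -Path $drive.Root -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue) {
            $found.Add("file $path")
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }
}

if ($found.Count -eq 0) { 'No "Hacked by Pokemon" indicators found.' }
else { $found | ForEach-Object { "FOUND: $_" } }
```

Save it as, say, Find-PokemonIndicators.ps1, run it once without arguments to see what is present, then run it again with -Remove and reboot as the post says. The drive loop is the same check as step 2 of the deletion section, just applied to every drive letter at once, which matters because the script re-infects from any partition that still carries autorun.inf.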


I hope this GUIDE helps you to eliminate this annoying virus. Good Luck !!!

Step-By-Step: To Get Rid Of Spylocked or Iesmin.exe

Yesterday, my laptop was infected by the Spylocked spyware. I believe it is because my brother installed a fake anti-spyware program.

Windows keeps giving me a warning that I have spyware and that I should get rid of it. Spylocked kept coming up, and even though I've uninstalled it, the icon keeps flashing in the system tray...

If you open the Task Manager, you will see iesmn.exe, iesmin.exe, imsmain, imsmn in the process list. That's the spyware. Iesmin.exe is actually Trojan-Downloader.Zlob.Media-Codec.

After searching for some info about the virus, I was able to remove the spyware. So, what do you have to do to get rid of it?

First, kill the processes I've listed above one by one in the Task Manager.

Then run HijackThis or Startup Manager to remove iesmin.exe and the gang from the Windows startup.

Final step: after making sure that iesmin.exe and the gang are no longer running (open Task Manager and check whether they are still in the process list), go to

C:\Program Files\Video ActiveX Access\ and find iesbpl.dll and delete that file.

DONE !!! That is how you remove the spyware manually.

Tuesday, May 29, 2007

Information: W32/Netsky-P Worm

This section helps you understand how it behaves.

NOTE: The information contained in this analysis may be considered offensive by some customers.


W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.

The worm also copies itself to various peer-to-peer shared folders under the following file names:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

W32/Netsky-P harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.


The worm has a trigger date of 24 March 2004, at which time it attempts to mass-mail.

Emails have the following characteristics (note that not all variations are listed):

Subject lines: constructed from the following groups of strings -

Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification

Message texts: chosen from -

Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

Attachment description: chosen from -

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

followed by one of these fake anti-virus footers -

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

Attached file: a file name of the form

_ .

(the placeholders around the underscore and the dot did not survive extraction). The name part is chosen from:

document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document

and the extension is chosen from:

EXE
SCR
PIF
ZIP

W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms.

W32/Netsky-P also creates a number of TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
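The lure traits above (canned "Re:" subjects, a fake "No Virus found" footer, and a document-looking name ending in an executable extension) can be scored mechanically at a mail gateway or during incident triage. The following function is an added example, not part of the Sophos-style description above; the three sample messages at the bottom are constructed for the demonstration and the scoring threshold is an assumption.

```powershell
# Added example (not part of the original description): a scoring function that flags
# the lure traits listed above in an email's subject, body and attachment name.
# The sample messages at the bottom are constructed for the demonstration.

# Final extensions the description lists, and the document-looking extensions it
# puts in front of them (e.g. "Britney Spears.jpg.exe").
$ExecExt  = 'exe', 'scr', 'pif', 'zip'
$DocExt   = 'jpg', 'doc', 'rtf', 'txt', 'mp3', 'mpg'
$Subjects = 'Re: Encrypted Mail', 'Re: Extended Mail', 'Re: Status', 'Re: Notify',
            'Re: SMTP Server', 'Re: Mail Server', 'Re: Delivery Server', 'Re: Bad Request',
            'Re: Failure', 'Re: Thank you for delivery', 'Re: Test', 'Re: Administration',
            'Re: Message Error', 'Re: Error', 'Re: Extended Mail System',
            'Re: Secure SMTP Message', 'Re: Protected Mail Request', 'Re: Protected Mail System',
            'Re: Protected Mail Delivery', 'Re: Secure delivery', 'Re: Delivery Protection',
            'Re: Mail Authentification'

function Test-NetskyLure {
    param(
        [string]$Subject,
        [string]$Body,
        [string]$AttachmentName
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Attachment: executable extension, optionally disguised behind a document one
    if ($AttachmentName -match ('\.(' + ($ExecExt -join '|') + ')$')) {
        $reasons.Add("executable attachment '$AttachmentName'")
        if ($AttachmentName -match ('\.(' + ($DocExt -join '|') + ')\.(' + ($ExecExt -join '|') + ')$')) {
            $reasons.Add('double extension hides the executable type')
        }
    }
    # 2. Fake "scanned, no virus found" footer (lines beginning with three or more '+')
    if ($Body -match '(?m)^\+{3,}\s*Attachment:\s*No Virus found') {
        $reasons.Add('fake anti-virus footer in body')
    }
    # 3. Canned subject from the worm's list (-contains is case-insensitive)
    if ($Subjects -contains $Subject.Trim()) {
        $reasons.Add("canned subject '$Subject'")
    }
    # 4. Body claims a secure/encrypted mail while shipping a plain executable
    if ($reasons.Count -ge 1 -and $Body -match '(?i)(secure|encrypted|protected) (mail|message)') {
        $reasons.Add('claims a secure/encrypted mail but ships a plain executable')
    }

    [pscustomobject]@{
        Subject    = $Subject
        Attachment = $AttachmentName
        Score      = $reasons.Count
        Suspicious = ($reasons.Count -ge 2)   # threshold is an assumption for the demo
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample messages (not real captures)
$samples = @(
    @{ Subject = 'Re: Protected Mail System'
       Body    = "Protected message is attached.`r`n`r`n+++ Attachment: No Virus found`r`n+++ Kaspersky AntiVirus - www.kaspersky.com"
       Attach  = 'document_all.pif' },
    @{ Subject = 'Re: Status'
       Body    = 'Your document is attached to this mail.'
       Attach  = 'Britney Spears.jpg.exe' },
    @{ Subject = 'Re: lunch on Friday?'
       Body    = 'Attached is the agenda as discussed.'
       Attach  = 'agenda.pdf' }
)
$samples | ForEach-Object { Test-NetskyLure -Subject $_.Subject -Body $_.Body -AttachmentName $_.Attach } |
    Format-Table Subject, Attachment, Score, Suspicious, Reasons -AutoSize
```

The first sample scores 4 (executable attachment, fake footer, canned subject, "protected message" claim), the second scores 3 (executable, double extension, canned subject) and the third scores 0. The double-extension check is the most durable of the four: the subject list and footer text are specific to this variant, but "something.jpg.exe" remains a red flag regardless of the worm family.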

Sunday, May 20, 2007

Virus Description - W32.Blackmal.E@mm

Created: 27/01/06

Also known as:

  • CME-24,
  • Win32.Blackmal.F [Computer Associates],
  • Email-Worm.Win32.Nyxem.e [F-Secure],
  • Email-Worm.Win32.Nyxem.e [Kaspersky],
  • W32/MyWife.d@MM [McAfee],
  • W32/MyWife.d@MM!M24 [McAfee],
  • W32/Small.KI@mm [Norman],
  • Tearec.A [Panda Software],
  • W32/Nyxem-D [Sophos]
  • WORM_GREW.{A, B} [Trend Micro]
Description

W32.Blackmal.E@mm is a mass-mailing worm that tries to spread over networks using open network shares; on the third of each month it deletes data files such as Word documents and Excel spreadsheets.
The 'From' line of the email is spoofed (faked); the Subject line and message body vary, but tend to be of a 'sexual' nature. The attachment varies but often appears to be a 'zip' file.

Damage

Spreads, clogs email servers, generates false alarms, attacks anti-virus programs and deletes Word documents, Excel files, PowerPoint presentations, Access databases, Zips, RARs and Photoshop files on the third of the month. The virus also attacks anti-virus and security software installed on your computer (a common feature of modern viruses).

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm overwrites (destroys) files with the following extensions:

  • doc
  • xls
  • mdb
  • mde
  • ppt
  • pps
  • zip
  • rar
  • pdf
  • psd
  • dmp

Files corrupted by the worm contain the following text:

DATA Error [47 0F 94 93 F4 F5]

The worm is capable of disabling the mouse and keyboard of an affected system, and it may reduce security on your PC.
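Because the overwritten files are left holding that marker text, the damage from a 3rd-of-the-month trigger can be inventoried without the anti-virus product: walk the tree, keep only the targeted extensions, and compare the first bytes of each file with the marker. The script below is an added example and is not from the original advisory; the demo folder it creates under %TEMP% and the files in it are constructed for the run.

```powershell
# Added example (not from the original advisory): triage a folder tree for files that
# Blackmal.E would target and report those whose content begins with the destruction
# marker quoted above. A constructed sample folder is created under %TEMP% for the demo.

$TargetExt = '.doc', '.xls', '.mdb', '.mde', '.ppt', '.pps', '.zip', '.rar', '.pdf', '.psd', '.dmp'
$Marker    = 'DATA Error [47 0F 94 93 F4 F5]'

function Find-BlackmalDamage {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $TargetExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Read only as many bytes as the marker is long; per the advisory the
            # overwritten files consist of that text, so the head is enough to decide.
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try {
                $buf  = New-Object byte[] $Marker.Length
                $read = $fs.Read($buf, 0, $buf.Length)
            } finally { $fs.Dispose() }
            $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, $read)
            [pscustomobject]@{
                File      = $_.FullName
                Length    = $_.Length
                Destroyed = ($head -eq $Marker)
            }
        }
}

# --- constructed demo data ---
$demo = Join-Path $env:TEMP 'blackmal-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
# a healthy document with arbitrary content
Set-Content -Path (Join-Path $demo 'report.doc') -Value 'quarterly figures' -Encoding ASCII
# a file overwritten the way the advisory describes
[System.IO.File]::WriteAllText((Join-Path $demo 'budget.xls'), $Marker)
# same marker in an extension the worm does not target: must not be listed
Set-Content -Path (Join-Path $demo 'notes.log') -Value $Marker -Encoding ASCII

Find-BlackmalDamage -Root $demo | Format-Table -AutoSize
# Expected rows: report.doc Destroyed=False, budget.xls Destroyed=True; notes.log is not listed
```

Point the function at a user's profile or a file share to get a list of what needs restoring from backup; the Length column makes the overwritten files obvious even before the marker comparison, since a real spreadsheet is never 30 bytes long.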

Occurrence

Blackmal.E has been seen several times on campus. Symantec AntiVirus recognises it and stops it (provided your 'virus definitions' are dated later than 17/01/06).

Advice

Do not read suspicious email. Do not open attachments with the above names or any unknown attachments. Keep Windows (and Outlook) up to date - see Updating Windows. And do not forward warnings to the apparent sender, because the apparent sender is NOT the real sender.

Detecting Blackmal.E

An up-to-date copy of Symantec/Norton AntiVirus should detect and prevent infection by Blackmal.E. If you do not have Symantec/Norton AntiVirus and you are worried that you may have an infected computer, you could run an online virus check or contact the Student Help Desk in the Library.

Cleaning Blackmal.E

Use the tool from Symantec: Blackmal Removal Tool.

Further Information

For further info about Blackmal.E:

  • Symantec on W32.Blackmal.E@mm
  • Trend on 'WORM_GREW.A' (w32.Blackmal.E@mm)

Friday, May 18, 2007

Combating Viruses, Worms and Trojan Horses

The first step to protecting your computer is to ensure your Operating System (OS) is up to date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and download its updates frequently, so that it has the latest fixes for new viruses, worms, and Trojan horses. Additionally, make sure your anti-virus program can scan e-mail and files as they are downloaded from the Internet; this helps prevent malicious programs from even reaching your computer. You should also install a firewall.

A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it can ignore worms embedded in outgoing e-mail and treat them as regular network traffic. For individual home users, the most popular choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs and e-mail worms. The downside of software firewalls is that they only protect the computer they are installed on, not the network.

It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it adds extra security and protection for your computer or network.

Tuesday, May 15, 2007

New Worm Name: W32.Fubalca.E

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm executes, it copies itself to the following location:

  • %System%\servet.exe

The worm then enables the autorun facility on all drives by modifying the following registry entry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
Next, the worm scans all drives from A through Z and creates the following file:
  • [DRIVE LETTER]:\AutoRun.inf
The worm then sets the system date to January 12th 1981, if the following file exists:
  • %System%\drivers\klick.sys
It then creates a service with the following characteristics:

Service name: WindowsDownService

Description: Windows


The worm creates the following registry subkey for the above service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown


The worm uses advanced techniques to hide itself on the computer as the following file: %System%\svchost.exe

Once the worm has completed its installation, it deletes itself.


The worm then attempts to download and execute the following malicious files every sixty seconds:

  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/[REMOVED]
  • [http://]www.18dmm.com/arp/10.[REMOVED]
  • [http://]www.18dmm.com/arp/11.[REMOVED]
  • [http://]www.18dmm.com/arp/12.[REMOVED]
  • [http://]www.18dmm.com/arp/13.[REMOVED]
  • [http://]www.18dmm.com/arp/14.[REMOVED]
  • [http://]www.18dd.net/new/system[REMOVED]

The above files are saved to the following location:


  • %System%\1.exe
  • %System%\2.exe
  • %System%\3.exe
  • %System%\4.exe
  • %System%\5.exe
  • %System%\6.exe
  • %System%\7.exe
  • %System%\8.exe
  • %System%\9.exe
  • %System%\10.exe
  • %System%\11.exe
  • %System%\12.exe
  • %System%\13.exe
  • %System%\14.exe
  • %System%\system22.exe
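The write-up above is a list of host indicators, and all of them can be checked from one report-only script. The following is an added example, not part of the original description: it audits the NoDriveTypeAutoRun policy value, the AutoRun.inf files (and the launch line inside them), the WindowsDownService service and its registry key, the dropped and downloaded executables in %System%, the klick.sys date-tampering trigger, and the signature of svchost.exe. That last check is deliberately not by name: the genuine Windows svchost.exe lives in %System% too, so a file at that path is only suspicious if its signature does not check out. The 0xFF remediation value in the first message is the setting that disables AutoRun for all drive types.

```powershell
# Added audit script (not from the original write-up) for the Fubalca.E indicators above.
# Report-only: it prints what it finds and, where relevant, the remediation it would apply.

$System  = "$env:SystemRoot\System32"          # the %System% folder in the write-up
$Policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SvcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsDown'
$Dropped = @('servet.exe', 'system22.exe') + (1..14 | ForEach-Object { "$_.exe" })
$hits    = New-Object System.Collections.Generic.List[string]

# 1. AutoRun re-enabled on every drive type (NoDriveTypeAutoRun = 0)
$v = (Get-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -ne $v -and [int]$v -eq 0) {
    $hits.Add('NoDriveTypeAutoRun = 0 (AutoRun enabled everywhere); set it to 0xFF to disable AutoRun on all drive types')
}

# 2. AutoRun.inf in the root of each drive, and what it would launch
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'AutoRun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf -ErrorAction SilentlyContinue) {
        $launch = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        $hits.Add("$inf present; launch lines: $($launch -join ' | ')")
    }
}

# 3. The service and its registry key
$svc = Get-Service -Name WindowsDownService -ErrorAction SilentlyContinue
if ($svc) { $hits.Add("service WindowsDownService is $($svc.Status)") }
if (Test-Path -Path $SvcKey) { $hits.Add("service key $SvcKey exists") }

# 4. Dropped and downloaded files in %System%
foreach ($n in $Dropped) {
    $p = Join-Path $System $n
    if (Test-Path -LiteralPath $p -PathType Leaf) { $hits.Add("file $p") }
}

# 5. svchost.exe: the genuine binary also lives in %System%, so never judge it by name.
#    Check the Authenticode signature and report anything other than Valid. On older
#    Windows versions catalog-signed system files report NotSigned here, so treat a hit
#    as a prompt to compare the hash against a known-good copy, not as proof.
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $System 'svchost.exe')
if ($sig.Status -ne 'Valid') { $hits.Add("svchost.exe signature status: $($sig.Status)") }

# 6. Date-tampering trigger
if (Test-Path -LiteralPath (Join-Path $System 'drivers\klick.sys')) {
    $hits.Add('drivers\klick.sys present; verify the system clock (the worm sets it to 12 Jan 1981)')
}

if ($hits.Count -eq 0) { 'No Fubalca.E indicators found.' }
else { $hits | ForEach-Object { "FOUND: $_" } }
```

The AutoRun.inf launch line is printed rather than just the file's presence because that line names the executable the worm wants Explorer to start, which is the file to collect for analysis before anything is deleted. The downloaded 1.exe to 14.exe are whatever the remote server served at the time, so their presence is reported without assuming what they contain.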
