This website lets you know when a computer virus is on the loose.


Welcome! My real name is Ammar, Omega1 is my username...

Sun, 02/14/2010 - 6:20AM by Omega1 0 Comments -

Welcome to Ammar's blog on viruses! You will find detailed information on viruses (I hope it's fully detailed...) that are spreading loose via the internet. Leave a message and I will respond to it as soon as I can! If you want to create a post on this website, do not hesitate to private message me for the username and password. Thanks! (Sorry, I made the page too long... there are widgets to help you find posts and links easily. Oh, I plucked some articles (only people who register can access the bulletin) from Microsoft and a wee bit from Wikipedia. If you go down the page a bit more you will find posts I made. Of course, I made at least like 18 posts and it was enough to break my fingers! This website will be updated every day (by me...) on new threats. Thank you! (Again...) (I wish to thank Google for the images I Saved-As, and I also wish to thank Microsoft and Wikipedia for the information I plucked. Those without the ''Plucked from Wikipedia'' or ''Plucked from Microsoft Updates'' tag are my work. Of course I made posts that belong to me. Anybody who is on my website now, feel free to copy the posts. Thanks.)



Sun, 02/14/2010 - 6:06AM by Omega1 0 Comments -



Do not attempt to download any of this crapware or fakeware. (Lists of crapware.)

Sat, 02/13/2010 - 10:57PM by Omega1 0 Comments -

(Plucked from Wikipedia)   The following is a partial list of rogue security software, most of which can be grouped into families. These are functionally-identical versions of the same program repackaged as successive new products by the same vendor.[15][20]


All of this software is called crapware. It is also called spyware. If a victim is ever attracted to any of these programs, they will see their computer slow down. Example: Tom (an imaginary person), who does NOT have an anti-virus installed on his computer, switches on his computer and a window suddenly pops up saying that a very good (fake) anti-virus such as ''Zinaps AntiSpyware'' wants him to download it from a link. When he downloads and runs the program, he finds that the computer is slowing down, and another window appears saying, ''If you buy this software, your computer will be normal and error-free!''. So Tom buys it. 2-6 days later he checks his balance at the Automated Teller Machine (ATM for short) and finds that up to $1000, or even more, is missing. This is what will happen if you download and buy this crapware. (This is a fictional story, but there are real cases of people buying crapware.)





Virus.Win32.Sality.ag

Tue, 04/13/2010 - 3:23AM by Omega1 0 Comments -

Technical Details

This malicious program infects files on the victim computer. It is designed to download and launch other malicious programs on the victim computer without the user’s knowledge or consent. It is a Windows PE EXE file. It is written in C++.

Installation

When launched, the malicious program extracts a file from its body and saves it to the Windows system directory under a random name:

%System%\drivers\<rnd>.sys

with <rnd> being a random sequence of Latin uppercase letters, such as "INDSNN". The file is a kernel mode driver of 5157 bytes. It is detected by Kaspersky Anti-Virus as Virus.Win32.Sality.ag.

The extracted driver is installed and launched in the system as a service called "amsint32".

Propagation

The malicious program infects Windows PE-EXE files with the following extensions:

EXE 
SCR

Only those files that contain the following sections in the PE header are infected:

TEXT
UPX
CODE

When it infects the PE file, the virus extends the last section in the file and copies its own body to the end of the section. The virus searches all hard disk partitions for files to infect. When an infected file is launched, the malicious program copies the body of the original clean file into a temporary folder created with the following name:

%Temp%\__Rar\.exe

To ensure the malicious program’s file launches automatically, it copies itself to all logical disks under random names with extensions chosen randomly from the following list:

.exe
.pif
.cmd

The virus also creates a hidden file in the root folders of these disks:

:\autorun.inf

where the command to launch the malicious file is stored. Upon opening a logical disk in Windows Explorer the malicious program launches.

Payload

Once launched, the malicious program creates a unique identifier (a mutex) called "Ap1mutx7" in order to flag its presence in the system.

It attempts to download files from the following links:

http://sagocugenc.sa.funpic.de/images/logos.gif
http://www.eleonuccorini.com/images/logos.gif
http://www.cityofangelsmagazine.com/images/logos.gif
http://www.21yybuyukanadolu.com/images/logos.gif
http://yucelcavdar.com/logos_s.gif
http://www.luster-adv.com/gallery/Fusion/images/logos.gif
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/

The downloaded files are saved to the %Temp% folder and executed.

At the time of writing, the virus downloaded the following malicious programs from the above links:

Backdoor.Win32.Mazben.ah
Backdoor.Win32.Mazben.ax
Trojan.Win32.Agent.didu 

All of these malicious programs were designed to distribute spam.

Apart from downloading files, the virus can modify a range of parameters in the operating system, including the following:

  • disable Task Manager and prevent editing of the system registry by modifying the following registry parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001
  • modify the settings of the Windows Security Center by creating the following registry key parameters:
    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
  • ensure that hidden files are not displayed by adding the following parameter to the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
  • It also forces the default browser to always work in online mode, adding the following to the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline"=dword:00000000
  • The program disables UAC (User Account Control) by setting the registry key parameter "EnableLUA" to “0”:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA"=dword:00000000

    It adds itself to the Windows firewall as an application allowed to access the network. To do so, it saves the following parameter in the registry key:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "<the path to the virus's original file>"="<the path to the virus's original file>:*:Enabled:ipsec"
  • Then it creates registry keys in which it stores its operational data:
    HKCU\Software\<rnd>

    where <rnd> is an arbitrary value.

  • Then the malicious program searches for a file called
    %WinDir%\system.ini

    and adds the following record to it:

    [MCIDRV_VER]
    DEVICEMB=509102504668 (any arbitrary number)
  • It deletes the following registry keys, making it impossible to boot the infected computer in Safe Mode:
    HKLM\System\CurrentControlSet\Control\SafeBoot
    HKCU\System\CurrentControlSet\Control\SafeBoot 

    Deletes *.exe and *.rar files from the current user’s temporary folder:

    %Temp%\

    Searches for files with the following extensions and deletes them:

    "VDB", "KEY", "AVC", "drw"
  • The malicious program uses the driver it has extracted to block all references to domains with URLs containing the following strings:
    upload_virus
    sality-remov
    virusinfo.
    cureit.
    drweb.
    onlinescan.
    spywareinfo.
    ewido.
    virusscan.
    windowsecurity.
    spywareguide.
    bitdefender.
    pandasoftware.
    agnmitum.
    virustotal.
    sophos.
    trendmicro.
    etrust.com
    symantec.
    mcafee.
    f-secure.
    eset.com
    kaspersky
    
  • The program terminates and deletes the following services:
    Agnitum Client Security Service
    ALG Amon monitor
    aswUpdSv
    aswMon2
    aswRdr
    aswSP
    aswTdi
    aswFsBlk
    acssrv
    AV Engine
    avast! iAVS4 Control Service
    avast! Antivirus
    avast! Mail Scanner
    avast! Web Scanner
    avast! Asynchronous Virus Monitor
    avast! Self Protection
    AVG E-mail Scanner
    Avira AntiVir Premium Guard
    Avira AntiVir Premium WebGuard
    Avira AntiVir Premium MailGuard
    avp1
    BackWeb Plug-in - 4476822
    bdss
    BGLiveSvc
    BlackICE
    CAISafe
    ccEvtMgr
    ccProxy
    ccSetMgr
    COMODO Firewall Pro Sandbox Driver
    cmdGuard
    cmdAgent
    Eset Service
    Eset HTTP Server
    Eset Personal Firewall
    F-Prot Antivirus Update Monitor
    fsbwsys
    FSDFWD
    F-Secure Gatekeeper Handler Starter
    FSMA
    Google Online Services
    InoRPC
    InoRT
    InoTask
    ISSVC
    KPF4
    KLIF
    LavasoftFirewall
    LIVESRV
    McAfeeFramework
    McShield
    McTaskManager
    navapsvc
    NOD32krn
    NPFMntor
    NSCService
    Outpost Firewall main module
    OutpostFirewall
    PAVFIRES
    PAVFNSVR
    PavProt
    PavPrSrv
    PAVSRV
    PcCtlCom
    PersonalFirewal
    PREVSRV
    ProtoPort Firewall service
    PSIMSVC
    RapApp
    SmcService
    SNDSrvc
    SPBBCSvc
    SpIDer FS Monitor for Windows NT
    SpIDer Guard File System Monitor
    SPIDERNT
    Symantec Core LC
    Symantec Password Validation
    Symantec AntiVirus Definition Watcher
    SavRoam
    Symantec AntiVirus
    Tmntsrv
    TmPfw
    tmproxy
    tcpsr
    UmxAgent
    UmxCfg
    UmxLU
    UmxPol
    vsmon
    VSSERV
    WebrootDesktopFirewallDataService
    WebrootFirewall
    XCOMM
    AVP


The virus also attempts to terminate the processes of various antivirus programs and popular antivirus utilities.

Removal instructions

If your computer does not have an up-to-date antivirus program, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Update your Kaspersky Anti-Virus databases and perform a full scan of the computer (download trial version). It may be impossible to delete the malicious program manually: most probably, it has infected a large number of executable files on your computer, all of which require treatment. You can also use the free SalityKiller tool to treat the virus.
  2. Restore the following registry keys as required:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA"=dword:00000000

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallDisableNotify"=dword:00000000
    "FirewallOverride"=dword:00000000
    "UacDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002

  3. Delete the following registry keys as required:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableRegistryTools"
    "DisableTaskMgr"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline"

  4. Delete the contents of the %Temp% folder.
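As an added example (not part of the original post or of the Kaspersky write-up it reproduces), here is a Python triage script that checks artefacts copied off a suspect machine, namely a .reg export made with "reg export", the system.ini file and a drive-root autorun.inf, against the Sality.ag indicators listed above. The registry paths, value names, the amsint32 service name, the [MCIDRV_VER] entry and the .exe/.pif/.cmd extensions come from the post; the .reg parser, the function names and the sample inputs are my own assumptions and the samples are constructed, not captured. The "Ap1mutx7" mutex is not covered because it exists only in a running system.

```python
# Offline triage for the Sality.ag indicators described in the post above.
# Runs on a clean analysis host against copied artefacts; all samples are constructed.

# (key, value name, data) the write-up says the virus sets. "Hidden"=2 is also the
# Windows default for "do not show hidden files", so on its own it is a weak signal.
REG_INDICATORS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UacDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "AntiVirusDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "AntiVirusOverride", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallOverride", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "UacDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "UpdatesDisableNotify", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "GlobalUserOffline", 0),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA", 0),
]
SERVICE_KEY = r"HKLM\System\CurrentControlSet\Services\amsint32"   # the extracted driver's service
FIREWALL_LIST = (r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def norm_key(key):
    """Case-fold a key path and shorten the hive so export and write-up spellings compare equal."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_reg_export(text):
    """Parse .reg (Registry Editor 5.00) text into {normalised key: {value name (lower): data}}.
    Only dword: and quoted string data are handled, which is all the indicators need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = norm_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line[1:].partition('"=')
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            else:
                data = data.strip('"').replace("\\\\", "\\")   # undo .reg backslash escaping
            keys[current][name.replace("\\\\", "\\").lower()] = data
    return keys


def check_registry(keys):
    """Return the Sality.ag registry indicators present in a parsed export."""
    found = []
    for key, name, bad in REG_INDICATORS:
        if keys.get(norm_key(key), {}).get(name.lower()) == bad:
            found.append(f"{key} {name}={bad}")
    if norm_key(SERVICE_KEY) in keys:
        found.append("service key amsint32 present")
    for name, data in keys.get(norm_key(FIREWALL_LIST), {}).items():
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            found.append(f"firewall exception added for {name}")
    return found


def check_system_ini(text):
    """Return the DEVICEMB= line from a [MCIDRV_VER] section of system.ini, or None."""
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.upper() == "[MCIDRV_VER]"
        elif in_section and s.upper().startswith("DEVICEMB="):
            return s
    return None


def check_autorun(text):
    """Return autorun.inf launch targets whose extension is one the virus uses."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        k = key.strip().lower()
        target = value.strip().split()[0] if value.strip() else ""
        if sep and (k in ("open", "shellexecute") or k.endswith("\\command")) and \
                target.lower().endswith((".exe", ".pif", ".cmd")):
            hits.append(target)
    return hits


def triage(reg_text, ini_text, autorun_text):
    return {"registry": check_registry(parse_reg_export(reg_text)),
            "system_ini": check_system_ini(ini_text),
            "autorun": check_autorun(autorun_text)}


# Constructed sample artefacts (not from a real infection); file names are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\amsint32]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\INDSNN.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:ipsec"
"""
SAMPLE_INI = "[drivers]\nwave=mmdrv.dll\n[MCIDRV_VER]\nDEVICEMB=509102504668\n"
SAMPLE_AUTORUN = "[autorun]\nopen=vxnpqm.pif\nshell\\open\\Command=vxnpqm.pif\nshell\\explore\\Command=vxnpqm.pif\n"

if __name__ == "__main__":
    for section, result in triage(SAMPLE_REG, SAMPLE_INI, SAMPLE_AUTORUN).items():
        print(section, "->", result)
```

Run it against real exports by reading the three files and passing their text to triage(). Any registry hit beyond "Hidden"=2, the amsint32 service key, a [MCIDRV_VER] entry or an autorun.inf launching a random-named .exe/.pif/.cmd from a drive root is worth following up with the full scan the removal steps call for.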



Trojan-Downloader.JS.Gumblar.x

Tue, 04/13/2010 - 3:20AM by Omega1 0 Comments -

Technical Details

This Trojan downloads and runs malicious scripts on the victim machine without the user's knowledge or consent. It is written in JavaScript. It is 809 bytes in size.

Payload

When an infected web page is opened, the Trojan uses JavaScript to decrypt its body and run the malicious script. The Trojan uses an HTML tag in an attempt to inject 2 objects into the HTML page. The objects are located here:

http://y***dental.co.kr/bbs/private_board.php?s=iYzjlps7w&id=2
http://y***dental.co.kr/bbs/private_board.php?s=iYzjlps7w&id=3

At the time of writing, these links were not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the contents of Temporary Internet Files, as this directory may contain infected files.
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).



Memokit is a fake!

Thu, 04/01/2010 - 2:45AM by Omega1 0 Comments -

Virus: 'mkit30[1].exe' from vendor Memokit tried to bypass my Norton Smart Firewall! (Detected by SONAR.) The impact from the virus is beyond severe. Date created: unknown. If this executable virus hits your computer, it impacts performance severely, by 46.543%. Removal of this malware requires an excellent anti-virus solution. Stealth rate: High. That means the overall risk impact is High! I highly recommend Norton Symantec to protect your computer from this infection!




Is your computer behaving suspiciously? Are you unsure of what this might mean?

Wed, 03/03/2010 - 1:52AM by Omega1 0 Comments -


What to Do If Your Computer Is Infected

Sometimes even an experienced user will not realise that a computer is infected with a virus. This is because viruses can hide among regular files, or camouflage themselves as standard files. This section contains a detailed discussion of the symptoms of virus infection, how to recover data after a virus attack and how to prevent data from being corrupted by malware.

Symptoms of infection

There are a number of symptoms which indicate that your computer has been infected. If you notice "strange things" happening to your computer, namely:

  • unexpected messages or images are suddenly displayed
  • unusual sounds or music played at random
  • your CD-ROM drive mysteriously opens and closes
  • programs suddenly start on your computer
  • you receive notification from your firewall that some applications have attempted to connect to the Internet, although you did not initiate this

then it is very likely that your computer has been infected by a virus.

Additionally, there are some typical symptoms which indicate that your computer has been infected via email:

  • your friends mention that they have received messages from your address which you know you did not send
  • your mailbox contains a lot of messages without a sender's e-mail address or message header

These problems, however, may not be caused by viruses. For example, infected messages that are supposedly coming from your address can actually be sent from a different computer.

There is a range of secondary symptoms which indicate that your computer may be infected:

  • your computer freezes frequently or encounters errors
  • your computer slows down when programs are started
  • the operating system is unable to load
  • files and folders have been deleted or their content has changed
  • your hard drive is accessed too often (the light on your main unit flashes rapidly)
  • Microsoft Internet Explorer freezes or functions erratically e.g. you cannot close the application window

90% of the time the symptoms listed above indicate a hardware or software problem. Although such symptoms are unlikely to be caused by a virus, you should use your antivirus software to scan your computer fully.

What you should do if you notice symptoms of infection

If you notice that your computer is functioning erratically

  1. Don't panic! This golden rule may prevent the loss of important data stored in your computer and help you avoid unnecessary stress.
  2. Disconnect your computer from the Internet.
  3. If your computer is connected to a Local Area Network, disconnect it.
  4. If the computer cannot boot from the hard drive (error at startup), try to start the system in Safe Mode or from the Windows boot disk
  5. Before taking any action, back up all critical data to an external drive (a floppy disk, CD, flash memory, etc.).
  6. Install antivirus software if you do not have it installed.
  7. Download the latest updates for your antivirus database. If possible, do not use the infected computer to download updates, but use a friend's computer, or a computer at your office, an Internet cafe, etc. This is important because if you are connected to the Internet, a virus can send important information to third parties or may try to send itself to all email addresses in your address book. You may also be able to obtain updates for your antivirus software on CD-ROM from the software vendors or authorized dealers.
  8. Perform a full system scan.

If no viruses are found during a scan

If no viruses are found during the scan and the symptoms that alarmed you are classified, you probably have no reason to worry. Check all hardware and software installed in your computer. Download Windows patches using Windows Update. Uninstall all unlicensed software from your computer and clean your hard drives of any junk files.

If viruses are found during a scan

A good antivirus solution will notify you if viruses are found during a scan, and offer several options for dealing with infected objects.

In the vast majority of cases, personal computers are infected by worms, Trojan programs, or viruses. In most cases, lost data can be successfully recovered.

  1. A good antivirus solution will provide the option to disinfect for infected objects, quarantine possibly infected objects and delete worms and Trojans. A report will provide the names of the malicious software discovered on your computer.
  2. In some cases, you may need a special utility to recover data that have been corrupted. Visit your antivirus software vendor's site, and search for information about the virus, Trojan or worm which has infected your computer. Download any special utilities if these are available.
  3. If your computer has been infected by viruses that exploit Microsoft Outlook Express vulnerabilities, you can fully clean your computer by disinfecting all infected objects, and then scanning and disinfecting the mail client's databases. This ensures that the malicious programs cannot be reactivated when messages which were infected prior to scanning are re-opened. You should also download and install security patches for Microsoft Outlook Express.
  4. Unfortunately, some viruses cannot be removed from infected objects. Some of these viruses may corrupt information on your computer when infecting, and it may not be possible to restore this information. If a virus cannot be removed from a file, the file should be deleted.

If your computer has suffered a severe virus attack

Some viruses and Trojans can cause severe damage to your computer:

  1. If you cannot boot from your hard drive (error at startup), try to boot from the Windows rescue disk. If the system can not recognize your hard drive, the virus has damaged the disk partition table. In this case, try to recover the partition table using scandisk, a standard Windows program. If this does not help, contact a computer data recovery service. Your computer vendor should be able to provide contact details for such services.

If you have a disk management utility installed, some of your logical drives may be unavailable when you boot from the rescue disk. In this case, you should disinfect all accessible drives, reboot from the system hard drive and disinfect the remaining logical drives.

  2. Recover corrupted files and applications using backup copies after you have scanned the drive containing this data.

Diagnosing the problem using standard Windows tools

Although this is not recommended unless you are an experienced user, you may wish to:

  • check the integrity of the file system on your hard drive (using CHKDSK program) and repair file system errors. If there are a large number of errors, you must backup the most important files to removable storage media before fixing the errors
  • scan your computer after booting from the Windows rescue disk
  • use other standard Windows tools, for example, the scandisk utility

For more details on using these utilities, refer to the Windows Help topics.

If nothing helps

If the symptoms described above persist even after you have scanned your computer, and checked all installed hardware and software and your hard drive using Windows utilities, you should send a message with a full description of the problem to your antivirus vendor's technical support department.

Some antivirus software developers will analyse infected files submitted by users.

After you have eradicated the infection

Once you have eradicated the infection, scan all disks and removable storage media that may be infected by the virus.

Make sure that you have appropriately configured antivirus software installed on your computer.

Practice safe computing.

All of these measures will help prevent your computer getting infected in the future.



Sat, 02/20/2010 - 9:28PM by Omega1 0 Comments -


Sat, 02/20/2010 - 9:03PM by Omega1 0 Comments -



Net-Worm.Win32.Slammer

Sat, 02/20/2010 - 4:39AM by Omega1 0 Comments -

This is the latest update on viruses. This worm was created on May 30 2003. It is still running wild.


Technical details

Helkern (aka Slammer, aka Sapphire) is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability (see below).

When the worm code gets into a vulnerable SQL server it gains control (by using a buffer overrun trick); it then obtains the addresses of three Win32 API functions:

GetTickCount (KERNEL32.DLL)
socket, sendto (WS2_32.DLL)

The worm then gets a random counter by using the GetTickCount function and goes into an endless spreading or "spawning" loop. In the spreading loop the worm sends itself to random IP addresses (depending on the random counter), to the MS SQL port 1434.

The worm sends multicast packets, meaning that with only one "send" command it hits all 255 machines in a subnet. As a result this worm is spreading 255 times faster than any other worm known at the moment.

Because MS SQL servers are often used on the Web this worm may cause a global INet DoS attack, because all infected servers will try to connect to other randomly selected machines in an endless loop - and this will cause a global INet traffic overflow.

The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. The worm does not drop any additional files and does not manifest itself in any way.

There are text strings visible in the worm code (a mix of worm code and data):


h.dllhel32hkernQhounthickChGet
Qh32.dhws2_f
etQhsockf
toQhsend

Buffer Overflow

This buffer overrun exploit has the following name:
Unauthenticated Remote Compromise in MS SQL Server 2000

Affected systems are:
Microsoft SQL Server 2000, all Service Packs

This security hole was found in July 2002 and was later fixed in "MS SQL Server 2000" patches. It may be fixed, but the internet worm created a backup of itself when it was caught. The backup of the internet worm updated itself on how to fight ''MS SQL Server 2000'' security patches. If you have a feeling that this worm is on your computer, go to the widget on the right of the page and look for ''Microsoft''.