
Tuesday, April 28, 2009

Long Time No Write

It's been a very long time since I last wrote on this blog; it's not my fault, it is school work that has been so demanding.
Aside from that, I felt the blog was so boring that nobody cared to view it.
But again, I was wrong. I am presently working on some mind-blowing articles about my Final Year Project, Bart PE & Sality.aa, and lots more...
Just hold on.

Monday, November 10, 2008

Red Alert: Microsoft Office Documents could be dangerous Pt 2

NOTE: As of the time of writing this post, I have seen a system attacked by this worm, but I believe this worm does not load through the Userinit or Shell (explorer) entries, so this method should work for it.

I just discovered that the Trojan that replicates file names as .exe is called 'Raila Odinga', though antivirus vendors call it by different names.

The worm, which keeps displaying the picture Raila Odinga.gif, has reduced many project students in OAU, Ile-Ife, to tears, as many of them have mistakenly copied the worm in place of their original files.

The worm, which I talked about some time ago, takes the name of every file on a removable disk and drops a copy of itself under that name with a .exe extension.

A solution to the virus, which I can propose for now, is to kill its process with the process manager in Tune Up Utilities or any other process-management tool.

The virus usually runs from %systemroot%\system32\drivers\~.exe

The file size is usually about 160 KB. Please ensure that the extensions of your known document types are always shown by turning off 'Hide extensions for known file types' in Folder Options; without that, a document such as 'report.doc' and the worm's 'report.exe' both appear as 'report' with a Word icon.

To stop the virus, simply do the following:

- Restart your system and keep pressing F8 as it comes on; select "Safe Mode with Command Prompt".

- Then choose your default OS.

- Log in as an Administrator; a Command Prompt window opens in place of the Explorer desktop.

Then follow these commands:

TASKLIST

REM This displays the list of all running processes with their PIDs.

TASKKILL /im [unusual_process_name] /f

REM This stops the process specified, say "Raila Odinga.exe", if it is part of the processes listed.
REM Quote a name that contains spaces, or use TASKKILL /pid <PID> /f with the PID shown by TASKLIST.

CD %systemroot%\system32\drivers

REM This changes to the directory the virus mainly runs from.

DEL *.exe /f /q /ah

REM No .exe belongs in the drivers folder (it holds .sys files), so this deletes the hidden copies of the virus.

REM /ah matches only hidden files; if it says "Could Not Find", try without it:

DEL *.exe

REM This deletes any remaining, non-hidden .exe files there.

CD "\Documents and Settings\All Users\Start Menu\Programs\Startup"

REM This assumes the system drive is the current drive.
REM Run DIR /a first and look before you delete: the next two commands remove every shortcut and executable in the common Startup folder, legitimate ones included.

DEL *.lnk *.exe

DEL *.lnk *.exe /f /q /ah

REM Restart your system and verify that the virus is no longer running.

Wednesday, October 22, 2008

Red Alert: Microsoft Office Documents could be dangerous!

Protect your System!

I just saw a new form of virus which copies the names of all the documents on your removable device and replaces them with .exe files.

It also uses a Microsoft Word 2007 icon for its .exe.

Please be careful in clicking on any form of ‘MS Word like’ document.

Before clicking on any of these MS Word documents, do the following: hover your cursor over the document and be sure that the tooltip shows 'Microsoft Word Document' or 'Microsoft Word 97-2003 Document'.

If, on hovering over the document, you see anything like 'Version…', then the file is an .exe, which is most likely a virus.

The size is about 160 KB; it imitates .doc, .zip, .rar and any other kind of file you can think of!

Another alternative is to open Folder Options and, under the View tab, uncheck 'Hide extensions for known file types', then click OK.

This will ensure that the extension of every file is revealed, so the worm's copy shows up as 'report.exe' next to the real 'report.doc'.

So before clicking on anything that looks like a Microsoft Office Document, be sure that the file is not an Executable.

I have yet to catch this virus.

BEWARE
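The hover and Folder Options checks above work one file at a time. As an added example that is not part of the original posts, the Python script below scans a whole removable drive for the pattern described in this post and in "Pt 2" above: a .exe carrying a document's name, about 160 KB, dressed in a Word icon. It pairs every .exe with same-named documents in the same folder, also catches the double-extension variant (report.doc.exe) that the posts do not mention, and confirms whether the file really is a PE executable by reading its MZ/PE headers rather than trusting the icon. The extension list beyond .doc/.zip/.rar and the 140-180 KB size window are assumptions, and the sample drive it builds for itself is constructed.

```python
"""Scan a removable drive for executables hiding behind document names (added example)."""
import os
import struct
import tempfile

# Extensions the worm was seen imitating on the page are .doc, .zip and .rar;
# the rest of this list is an assumption.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".zip", ".rar", ".txt"}
# The page reports a sample size of about 160 KB; the +/- 20 KB window is an assumption.
SUSPECT_SIZE = (140 * 1024, 180 * 1024)


def is_pe(path):
    """True if the file has an MZ header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_shadow_executables(root):
    """Report every .exe under root that shares its name with a document in the same
    folder (report.doc + report.exe) or hides a document extension in its own name
    (thesis.doc.exe). Each finding records whether the file really is a PE image and
    whether its size falls in the worm's observed range."""
    findings = []
    for dirpath, _, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for stem, exts in by_stem.items():
            if ".exe" not in exts:
                continue
            reasons = []
            shadowed = sorted(e for e in exts if e in DOC_EXTS)
            if shadowed:
                reasons.append("shadows " + ", ".join(shadowed))
            if os.path.splitext(stem)[1] in DOC_EXTS:
                reasons.append("double extension")
            if not reasons:
                continue
            path = os.path.join(dirpath, exts[".exe"])
            size = os.path.getsize(path)
            findings.append({
                "path": path,
                "size": size,
                "is_pe": is_pe(path),
                "size_matches": SUSPECT_SIZE[0] <= size <= SUSPECT_SIZE[1],
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["path"])


def fake_pe(size):
    """Constructed PE-shaped blob for the sample: MZ header, e_lfanew -> 'PE\\0\\0', padded."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def make_sample_drive():
    """Build a constructed directory that imitates an infected flash drive; returns its path."""
    root = tempfile.mkdtemp(prefix="usb_")
    sample = {
        "report.doc": b"a real document",
        "report.exe": fake_pe(160 * 1024),      # worm copy carrying the document's name
        "notes.txt": b"todo list",
        "notes.exe": b"not an executable",       # same name, but no MZ/PE header
        "thesis.doc.exe": fake_pe(160 * 1024),  # double-extension variant
        "setup.exe": fake_pe(200 * 1024),       # stand-alone exe with no document twin: not reported
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_drive()
    for hit in find_shadow_executables(target):
        verdict = "LIKELY WORM" if hit["is_pe"] and hit["size_matches"] else "CHECK"
        print(f"{verdict:12} {hit['path']}  {hit['size']} B  {'; '.join(hit['reasons'])}")
```

Run it as `python scan.py E:\` against a mounted drive; with no argument it scans its own constructed sample. A hit that is a genuine PE in the size window is what the posts describe; a name collision that is not a PE (notes.exe in the sample) is still worth a look, but it is not this worm.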

Wednesday, October 8, 2008

Reduce the Risk of Attacks by 90% - Part 1


Having used Microsoft Windows for quite some time, I can tell that the greatest source of infections is usually external storage devices.

From the era of diskette viruses to the era of flash-drive viruses, one cannot overlook the fact that most infections come from external devices.

Initially, viruses could not run themselves from external devices, but with autorun.inf files malware found a way to launch as soon as the device was inserted: an open= or shellexecute= line in the [autorun] section names the program Windows should run.

As time went on, people discovered ways of disabling AutoRun for external storage devices. But this was not enough, because most people still double-click a flash drive to open it, and double-clicking a drive runs the default action from its autorun.inf (the same program) even when automatic execution on insertion is off.

As time went on, malware writers discovered that by replacing the shell (right-click) options of external drives with their own entries (shell\verb\command= lines in autorun.inf), they could still infect systems easily, and this they did.

At one point, all you needed to do was right-click a flash drive and you would see options like 'auto' or 'autorun'; seeing any of these, you could easily tell that a virus was present on the device.

With time, malware writers saw that people were easily detecting the presence of viruses. I can remember well that the first worm I saw that used the normal Windows shell verbs, i.e. Open, Search & Explore, was avpo.exe, and this was a very surprising event for me personally.

So I discovered that the best way to avoid running a virus by clicking on a flash drive is either to use Run (Start Menu > Run) and type the drive letter, or to use Windows Explorer: press F4 and the address bar drops down the list of available drives. Choose the drive you want to open, and that's it. As shown below:
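To make the autorun.inf mechanics concrete, here is an added example in Python (not code from the original post): a small parser that reads an autorun.inf and lists every way it can launch code, namely open= and shellexecute= on insertion or double-click, shell\verb\command= entries that appear in the right-click menu, the shell= default verb that a double-click runs, and verbs named open, explore or find that impersonate Explorer's own menu entries the way the avpo.exe worm above did. The three autorun.inf samples are constructed and the file names in them are illustrative.

```python
"""List every way an autorun.inf can launch code (added example)."""
import re

# Verbs Explorer itself shows in a drive's right-click menu; a worm that defines these
# blends in, where an invented verb such as 'auto' or 'autorun' gives it away.
STANDARD_VERBS = {"open", "explore", "find"}


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}, lower-casing names."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data


def analyze_autorun(text):
    """Return the launch paths defined by an autorun.inf and which ones impersonate
    Explorer's own verbs. Each launch is a (trigger, command) pair."""
    au = parse_autorun(text).get("autorun", {})
    launches = []
    # open= / shellexecute= run on insertion (AutoRun) and on double-click.
    for key in ("open", "shellexecute"):
        if key in au:
            launches.append((f"insertion/double-click ({key}=)", au[key]))
    # shell\<verb>\command= adds <verb> to the right-click menu; shell=<verb> makes
    # that verb the default action, i.e. what a double-click on the drive runs.
    verbs = {}
    for key, value in au.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verbs[m.group(1)] = value
    default_verb = au.get("shell", "").lower()
    for verb, cmd in verbs.items():
        trigger = f"context menu verb '{verb}'"
        if verb == default_verb:
            trigger += " (default: runs on double-click)"
        launches.append((trigger, cmd))
    return {
        "launches": launches,
        "impersonated_verbs": sorted(v for v in verbs if v in STANDARD_VERBS),
        "verdict": "suspicious" if launches else "benign",
    }


# Constructed samples; the file names are illustrative.
# 1. Worm that hides behind Explorer's own verbs (the avpo.exe style described above).
MIMIC_INF = r"""[AutoRun]
open=hidden\worm.exe
shell\open=&Open
shell\open\command=hidden\worm.exe
shell\explore=&Explore
shell\explore\command=hidden\worm.exe
shell=open
"""
# 2. Older, cruder style: an invented verb that shows up as 'auto' in the menu.
CRUDE_INF = r"""[autorun]
shell\auto=Auto
shell\auto\command=worm.exe
shell=auto
"""
# 3. Benign: only a label and an icon, nothing to run.
BENIGN_INF = r"""[autorun]
icon=setup.exe,0
label=Backup Drive
"""

if __name__ == "__main__":
    for name, inf in (("mimic", MIMIC_INF), ("crude", CRUDE_INF), ("benign", BENIGN_INF)):
        result = analyze_autorun(inf)
        print(f"{name}: {result['verdict']}; impersonates {result['impersonated_verbs']}")
        for trigger, cmd in result["launches"]:
            print(f"  {trigger} -> {cmd}")
```

The point of the "mimic" sample is that the menu looks exactly like a clean drive's (Open, Explore), so the only way to see the hijack is to read the file, which is why opening drives from Run or the F4 address bar, as described above, sidesteps the whole mechanism.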




What about malware that disguises itself as a normal application, a folder or even a document?

Funny UST Scandal & Ahsan's Virus both disguise themselves as video files.

SVSCHOSTS disguises itself as an Office document.

BRONTOK and DETNAT both disguise themselves using folder icons, and there are many more disguises; one can only tell them apart by revealing the extensions of known file types in Folder Options.

Be sure that file extensions are revealed; that will help you a lot.

My next article will be on using PATH RULES (Software Restriction Policies) to prevent infections from all executables (.exe, .bat, .reg, .cmd, .vbs, .com).

Tuesday, October 7, 2008

Ahsan's Virus

Solution to Ahsan's Virus:
One big solution to Ahsan's virus is to use the new CPE Anti-Autorun Killer.
This little application works like magic to stop Ahsan's virus.
Double-click the application and it appears in your taskbar;
right-click the taskbar icon and choose "kill in computer",
and this will stop the virus for the time being.
Download this application from www.cpe17.com
If you don't have access to this application, then try to install Tune Up Utilities; the process manager that comes with it can help you out!

About Ahsan's Virus
This virus is one of the most interesting viruses I have ever seen. It changes My Computer to Ahsan's Computer,
My Documents to Ahsan's Documents, My Network Places to Ahsan's Places and, finally, it changes Recycle Bin to G.W.Bush; I guess Ahsan hates America so much.
That's not all: the .com, .cmd and .bat extensions are re-associated with regfile, and .reg and .vbs with exefile.
All this is to prevent you from running some internal commands (a .bat is now handed to regedit instead of being run, and a .reg file is treated as a program instead of being merged).
The command prompt is disabled, and access to Task Manager and regedit is prevented.
This Ahsan guy must be very good.
The title of your Internet Explorer window has something to do with Ahsan, and so on.
This virus runs with the process name csrss.exe, which is also the name of one of Windows' critical processes,
but the malicious copy is located in %systemroot% instead of
%systemroot%\system32, where the genuine file is located; check the image path before killing anything, since the genuine csrss.exe must stay. Ahsan's virus also comes as system.exe and 'home video.exe', all in %systemroot%.
The major component that starts up the virus is located in
\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
(again a name borrowed from a genuine system process, which lives in %systemroot%\system32); you would do well to delete this file.


Enough about Ahsan.
Once you have succeeded in killing the process, do the following:
Run Regedit, then go to:
HKCU\Software\Policies\Microsoft\Windows\System
Delete the DisableCMD value, then continue.
Now you can run CMD.
From CMD, run the following commands:
del "\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe" /f /q /ah
del %systemroot%\system.exe
del %systemroot%\csrss.exe "%systemroot%\Home Video.exe"
REM only the copies in %systemroot% are deleted; the genuine csrss.exe in %systemroot%\system32 is not touched
From here, go to the Start menu and rename
Ahsan's Computer back to My Computer; do the same for Documents and Network Places.
For Recycle Bin, go to the registry and browse to the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
Delete the (Default) value, which should be set to G.W.Bush; the name then falls back to the system's own "Recycle Bin" from HKEY_CLASSES_ROOT.
The last thing to consider:
Go to HKCR (HKEY_CLASSES_ROOT) and set the (Default) value of .com, .cmd and .bat back from regfile to comfile, cmdfile and batfile respectively.
Go to .reg and change it from exefile to regfile.
Go to .vbs and change it from exefile to VBSFile.
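Doing those registry edits by hand in regedit is slow and easy to get wrong, so here is an added example (not part of the original post) in Python that audits a registry export against the values this post restores and writes the corrective .reg file. Export the keys on the infected machine with regedit /e (for instance `regedit /e hkcr.reg HKEY_CLASSES_ROOT` and `regedit /e hkcu.reg HKEY_CURRENT_USER`), run audit() over the text, and import the generated file with regedit once the process has been killed. The export embedded in the script is constructed to mirror the changes described above; the .vbs default class name VBSFile is the stock Windows value, which the post does not spell out.

```python
"""Audit a regedit export for the hijacks described above and emit the repair .reg (added example)."""

# HKCR defaults this post restores; VBSFile is the stock Windows class name for .vbs.
EXPECTED_CLASSES = {
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\.cmd": "cmdfile",
    r"HKEY_CLASSES_ROOT\.bat": "batfile",
    r"HKEY_CLASSES_ROOT\.reg": "regfile",
    r"HKEY_CLASSES_ROOT\.vbs": "VBSFile",
}
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
RECYCLE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}")


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: raw_value}}.
    '@' is the default value; a value of '-' is a deletion. Multi-line hex values are
    not needed for these keys and are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = name.strip().strip('"'), value.strip()
        if value == "-":
            keys[current].pop(name, None)
        else:
            keys[current][name] = value
    return keys


def audit(export_text):
    """Return (key, value_name, current, wanted) for every value that differs from what
    the post restores; wanted=None means the value should simply be deleted."""
    reg = parse_reg(export_text)
    problems = []
    for key, want in EXPECTED_CLASSES.items():
        have = reg.get(key, {}).get("@", "").strip('"')
        if have and have.lower() != want.lower():
            problems.append((key, "@", have, want))
    # DisableCMD: any non-zero DWORD disables cmd.exe (1 also blocks batch files).
    disable_cmd = reg.get(POLICY_KEY, {}).get("DisableCMD", "dword:00000000").lower()
    if disable_cmd != "dword:00000000":
        problems.append((POLICY_KEY, "DisableCMD", disable_cmd, None))
    # A per-user (Default) under the Recycle Bin CLSID overrides the icon's name.
    rb = reg.get(RECYCLE_KEY, {}).get("@")
    if rb is not None and rb.strip('"') != "Recycle Bin":
        problems.append((RECYCLE_KEY, "@", rb.strip('"'), None))
    return problems


def repair_reg(problems):
    """Build a .reg file that resets each flagged value; '=-' deletes a value on import."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _current, want in problems:
        lines.append(f"[{key}]")
        if want is not None:
            lines.append(f'@="{want}"')
        elif name == "@":
            lines.append("@=-")
        else:
            lines.append(f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


# Constructed export mirroring the changes the post describes (a real one comes from regedit /e).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.bat]
@="regfile"

[HKEY_CLASSES_ROOT\.cmd]
@="regfile"

[HKEY_CLASSES_ROOT\.com]
@="regfile"

[HKEY_CLASSES_ROOT\.reg]
@="exefile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.vbs]
@="exefile"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="G.W.Bush"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
        # regedit 5.00 exports are UTF-16 with a BOM; hand-written files are usually ANSI.
        text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("latin-1")
    else:
        text = SAMPLE_EXPORT
    found = audit(text)
    for key, name, current, want in found:
        print(f"{key}\\{name}: {current} -> {'delete' if want is None else want}")
    print(repair_reg(found))
```

Redirect the script's output to a file and import it with regedit; running audit() again over an export taken afterwards should come back empty. Note that the generated file only deletes the DisableCMD value and the Recycle Bin override rather than writing guesses for them, which is also what the post does by hand.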