<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>at videa</title><description></description><managingEditor>noreply@blogger.com (at_videa)</managingEditor><pubDate>Wed, 6 Mar 2024 15:41:55 +0700</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">53</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>http://atvidea.blogspot.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><itunes:image href="http://advidea.blogspot.com"/><itunes:subtitle/><itunes:category text="Technology"><itunes:category text="Gadgets"/></itunes:category><itunes:owner><itunes:email>noreply@blogger.com</itunes:email></itunes:owner><xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><item><title>Protect yourself from Conficker</title><link>http://atvidea.blogspot.com/2009/08/protect-yourself-from-conficker_25.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Tue, 25 Aug 2009 16:47:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-29770738078451065</guid><description>&lt;p&gt;       The Conficker worm is a &lt;a href="http://www.microsoft.com/security/worms/whatis.aspx"&gt;computer worm&lt;/a&gt; that can infect your computer and spread itself to other computers   across a network automatically, without human interaction.     
&lt;/p&gt;   &lt;p&gt;       If you are an IT professional, please visit &lt;a href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker Worm:   Help Protect Windows from Conficker&lt;/a&gt;.     &lt;/p&gt;   &lt;div class="new_content"&gt;     &lt;a name="ETB"&gt;&lt;/a&gt;     &lt;h2&gt;Is my computer infected with the Conficker worm? &lt;/h2&gt;     &lt;p&gt;         Probably not. 
Microsoft released a security update in October 2008 (&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;) to protect against Conficker.       &lt;/p&gt;     &lt;p&gt;If your computer is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don't have the Conficker worm. &lt;/p&gt;     &lt;p style="margin-bottom: 1em;"&gt;         If you are still worried about Conficker, follow these steps:       &lt;/p&gt;     &lt;ol&gt;&lt;li&gt;           Go to &lt;a href="http://go.microsoft.com/fwlink/?LinkId=148275"&gt;http://update.microsoft.com/microsoftupdate&lt;/a&gt; to verify your settings and check for updates.          &lt;/li&gt;&lt;li&gt;           If you can't access &lt;a href="http://go.microsoft.com/fwlink/?LinkId=148275"&gt;http://update.microsoft.com/microsoftupdate&lt;/a&gt;, go to &lt;a href="http://safety.live.com/"&gt;http://safety.live.com&lt;/a&gt; and scan your   system.          &lt;/li&gt;&lt;li&gt;           If you can't go to &lt;a href="http://safety.live.com/"&gt;http://safety.live.com&lt;/a&gt;, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the &lt;a href="http://www.microsoft.com/protect/worldwide/default.mspx"&gt;Worldwide   computer security information&lt;/a&gt; page.         &lt;/li&gt;&lt;/ol&gt;     &lt;a name="EWC"&gt;&lt;/a&gt;     &lt;h2&gt;What does the Conficker worm do? 
&lt;/h2&gt;     &lt;p style="margin-bottom: 1em;"&gt;To date, security researchers have discovered the following variants of the worm in the wild.&lt;/p&gt;     &lt;ul&gt;&lt;li&gt;         &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A"&gt;Win32/Conficker.A&lt;/a&gt; was reported to Microsoft on November 21, 2008.         &lt;/li&gt;&lt;li&gt;         &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B"&gt;Win32/Conficker.B&lt;/a&gt; was reported to Microsoft on December 29, 2008.         &lt;/li&gt;&lt;li&gt;         &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C"&gt;Win32/Conficker.C&lt;/a&gt; was reported to Microsoft on February 20, 2009.         &lt;/li&gt;&lt;li&gt;         &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D"&gt;Win32/Conficker.D&lt;/a&gt; was reported to Microsoft on March 4, 2009.         &lt;/li&gt;&lt;li&gt;         &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.E"&gt;Win32/Conficker.E&lt;/a&gt; was reported to Microsoft on April 8, 2009.         &lt;/li&gt;&lt;/ul&gt;     &lt;p&gt;       &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B"&gt;Win32/Conficker.B&lt;/a&gt; might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option. &lt;/p&gt;     &lt;p&gt;The Conficker worm can also disable important services on your computer. &lt;/p&gt;     &lt;p&gt;         In the screenshot of the Autoplay dialog box below, the option &lt;strong&gt;Open folder   to view files — Publisher not specified&lt;/strong&gt; was added by the worm. 
The   highlighted option — &lt;strong&gt;Open folder to view files — using Windows Explorer&lt;/strong&gt; is the option that Windows provides and the option you should use.       &lt;/p&gt;     &lt;p&gt;If you select the first option, the worm executes and can begin to spread   itself to other computers.&lt;/p&gt;     &lt;div&gt;       &lt;img alt=" The option Open folder to view files — Publisher not specified was added by the worm." src="http://www.microsoft.com/security/assets/images/_security/worms/Autoplay.jpg" border="0" height="412" width="381" /&gt;      &lt;br /&gt;      &lt;p&gt;           The option &lt;strong&gt;Open folder to view files — Publisher not   specified&lt;/strong&gt; was added by the worm.         &lt;/p&gt;     &lt;/div&gt;     &lt;a name="EKE"&gt;&lt;/a&gt;     &lt;h2&gt;How does the Conficker worm work?&lt;/h2&gt;     &lt;p&gt;Here’s an illustration of how the Conficker worm works.&lt;/p&gt;     &lt;img src="http://www.microsoft.com/security/assets/images/_security/worms/diagram.jpg" alt=" Here's a visual explanation of how the Conficker worm works." border="0" height="539" width="727" /&gt;     &lt;a name="ETE"&gt;&lt;/a&gt;     &lt;h2&gt;How do I remove the Conficker worm? &lt;/h2&gt;     &lt;p&gt; If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the &lt;a href="http://www.microsoft.com/security/malwareremove/default.aspx"&gt;Microsoft   Malicious Software Removal Tool&lt;/a&gt; or you may be unable to access certain Web   sites, such as &lt;a href="http://go.microsoft.com/fwlink/?LinkId=148275"&gt;Microsoft   Update&lt;/a&gt;. 
If you can't access those tools, try using the &lt;a href="http://onecare.live.com/site/en-us/default.htm?s_cid=sah"&gt;Windows Live   safety scanner&lt;/a&gt;.       &lt;/p&gt;     &lt;a name="EAF"&gt;&lt;/a&gt;     &lt;h2&gt;Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm? &lt;/h2&gt;     &lt;ul&gt;&lt;li&gt;           For additional information, see &lt;a href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx"&gt;Centralized Information About the Conficker Worm&lt;/a&gt;.         &lt;/li&gt;&lt;li&gt;           For more technical information about the Conficker worm, see the &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B"&gt;Microsoft Malware Protection Center Virus Encyclopedia&lt;/a&gt;.         &lt;/li&gt;&lt;li&gt;           Bookmark the &lt;a href="http://www.microsoft.com/security/portal/"&gt;Microsoft Malware Protection Center portal&lt;/a&gt; and the &lt;a href="http://blogs.technet.com/mmpc/"&gt;Microsoft Malware Protection Center   blog&lt;/a&gt; for updated information.         &lt;/li&gt;&lt;li&gt;           For symptoms and detailed information about how to remove the Conficker worm,   see &lt;a href="http://support.microsoft.com/kb/962007"&gt;Help and Support: Virus alert about the Conficker Worm&lt;/a&gt;.         &lt;/li&gt;&lt;li&gt;           To continue to get updated information on security, sign up for the &lt;a href="http://www.microsoft.com/protect/secnews/default.mspx"&gt;Microsoft Security for Home Computer Users newsletter&lt;/a&gt;.         
&lt;/li&gt;&lt;/ul&gt;     &lt;p&gt;         For more information, see &lt;a href="http://www.microsoft.com/security/worms/prevent.aspx"&gt;How to prevent computer worms&lt;/a&gt; and &lt;a href="http://www.microsoft.com/security/worms/remove.aspx"&gt;How to remove computer worms&lt;/a&gt;.       &lt;/p&gt;   &lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Stop Win32/Conficker from spreading by using Group Policy settings Notes</title><link>http://atvidea.blogspot.com/2009/08/stop-win32conficker-from-spreading-by.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Tue, 25 Aug 2009 16:38:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-3872422804727727440</guid><description>&lt;ul&gt;&lt;li&gt;&lt;b&gt;Important&lt;/b&gt; Make sure that you document any current settings before you make any of the changes that are suggested in this article. &lt;/li&gt;&lt;li&gt;This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "&lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#Manualsteps"&gt;Manual steps to remove the Win32/Conficker virus&lt;/a&gt;&lt;/span&gt;" section of this Knowledge Base article to manually remove the malware from the system.        &lt;/li&gt;&lt;li&gt;You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. 
Make sure that you change the permissions back to default settings after you clean the system.&lt;/li&gt;&lt;li&gt; For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the &lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#DPTable"&gt;Default permissions table&lt;/a&gt;&lt;/span&gt; at the end of this article.  &lt;/li&gt;&lt;/ul&gt;&lt;h3 id="tocHeadRef"&gt;Create a Group Policy object&lt;/h3&gt; Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li&gt;Set the policy to remove write permissions to the following registry subkey: &lt;div class="indent"&gt; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost &lt;/div&gt; This prevents the randomly named malware service from being created in the netsvcs registry value.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Open the Group Policy Management Console (GPMC). &lt;/li&gt;&lt;li type="a"&gt;Create a new GPO. Give it any name that you want. &lt;/li&gt;&lt;li type="a"&gt;Open the new GPO, and then move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Windows Settings\Security Settings\Registry&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Right-click &lt;strong class="uiterm"&gt;Registry&lt;/strong&gt;, and then click &lt;strong class="uiterm"&gt;Add Key&lt;/strong&gt;. 
&lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Select Registry Key&lt;/strong&gt; dialog box, expand &lt;strong class="uiterm"&gt;Machine&lt;/strong&gt;, and then move to the following folder: &lt;div class="indent"&gt; Software\Microsoft\Windows NT\CurrentVersion\Svchost&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the dialog box that opens, click to clear the &lt;strong class="uiterm"&gt;Full Control&lt;/strong&gt; check box for both &lt;strong class="uiterm"&gt;Administrators&lt;/strong&gt; and &lt;strong class="uiterm"&gt;System&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add Object&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Replace existing permissions on all subkeys with inheritable permissions&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In the same GPO that you created earlier, move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Windows Settings\Security Settings\File System&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Right-click &lt;strong class="uiterm"&gt;File System&lt;/strong&gt;, and then click &lt;strong class="uiterm"&gt;Add File&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add a file or folder&lt;/strong&gt; dialog box, browse to the %windir%\Tasks folder. 
Make sure that &lt;strong class="uiterm"&gt;Tasks&lt;/strong&gt; is highlighted and listed in the &lt;strong class="uiterm"&gt;Folder&lt;/strong&gt; dialog box. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the dialog box that opens, click to clear the check boxes for &lt;strong class="uiterm"&gt;Full Control&lt;/strong&gt;, &lt;strong class="uiterm"&gt;Modify&lt;/strong&gt;, and &lt;strong class="uiterm"&gt;Write&lt;/strong&gt; for both &lt;strong class="uiterm"&gt;Administrators&lt;/strong&gt; and &lt;strong class="uiterm"&gt;System&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add Object&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Replace existing permissions on all subkeys with inheritable permissions&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality: &lt;ul&gt;&lt;li&gt;To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update &lt;a href="http://support.microsoft.com/kb/950582"&gt;950582&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/950582)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt; installed (described in security bulletin MS08-038). 
&lt;/li&gt;&lt;li&gt;To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update &lt;a href="http://support.microsoft.com/kb/950582"&gt;950582&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/950582)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;, update &lt;a href="http://support.microsoft.com/kb/967715"&gt;967715&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/967715)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;, or update &lt;a href="http://support.microsoft.com/kb/953252"&gt;953252&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/953252)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt; installed.&lt;/li&gt;&lt;/ul&gt;      To set AutoPlay (Autorun) features to disabled, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In the same GPO that you created earlier, move to one of the following folders: &lt;ul&gt;&lt;li&gt;For a Windows Server 2003 domain, move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Administrative Templates\System&lt;/div&gt;&lt;/li&gt;&lt;li&gt;For a Windows 2008 domain, move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li type="a"&gt;Open the &lt;strong class="uiterm"&gt;Turn off Autoplay&lt;/strong&gt; policy. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Turn off Autoplay&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Enabled&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the drop-down menu, click &lt;strong class="uiterm"&gt;All drives&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Close the Group Policy Management Console. 
&lt;/li&gt;&lt;li&gt;Link the newly created GPO to the location that you want it to apply to. &lt;/li&gt;&lt;li&gt;Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment. &lt;/li&gt;&lt;li&gt; After the Group Policy settings have propagated, clean the systems of malware.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Run full antivirus scans on all computers. &lt;/li&gt;&lt;li type="a"&gt;If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page: &lt;div class="indent"&gt;&lt;a href="http://www.microsoft.com/security/malwareremove/default.mspx"&gt;http://www.microsoft.com/security/malwareremove/default.mspx&lt;/a&gt;&lt;span class="pLink"&gt;             (http://www.microsoft.com/security/malwareremove/default.mspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;b&gt;Note&lt;/b&gt; You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "&lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#Manualsteps"&gt;Manual steps to remove the Win32/Conficker virus&lt;/a&gt;&lt;/span&gt;" section of this article to clean up all the effects of the malware. 
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>AppleScript.THT Trojan Horse New OS X Trojan Horse in the Wild SecureMac Security Advisory</title><link>http://atvidea.blogspot.com/2009/08/applescripttht-trojan-horse-new-os-x.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 17 Aug 2009 20:17:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-7978289905411577598</guid><description>Security Risk: &lt;span style="color:red;"&gt;Critical&lt;/span&gt; &lt;p&gt; SecureMac has discovered multiple variants of a new Trojan  horse in the wild that affects Mac OS X 10.4 and 10.5.  The Trojan horse  is currently being distributed from a hacker website, where discussion  has taken place on distributing the Trojan horse through iChat and  Limewire. &lt;i&gt;The source code for the Trojan horse has been  distributed,  indicating an increased probability of future variants of the Trojan  horse.&lt;/i&gt; &lt;/p&gt;&lt;p&gt; The Trojan horse runs hidden on the system, and allows a malicious  user complete remote access to the system, can transmit system and  user passwords, and can avoid detection by opening ports in the  firewall and turning off system logging. Additionally, the  AppleScript.THT Trojan horse can log keystrokes, take pictures with  the built-in Apple iSight camera, take screenshots, and turn on file  sharing. The Trojan horse exploits a recently discovered  vulnerability with the Apple Remote Desktop Agent, which allows it to  run as root. &lt;/p&gt;&lt;p&gt; The Trojan is distributed as either a compiled AppleScript, called  ASthtv05 (60 KB in size), or as an application bundle called AStht_v06  (3.1 MB in size).  The user must download and open the Trojan horse in  order to become infected.  
Once the Trojan horse is running, it will  move itself into the /Library/Caches/ folder, and add itself to the  System Login Items. &lt;/p&gt;&lt;p&gt; &lt;i&gt;Once installed, the Trojan horse turns on File Sharing, Web Sharing,  and Remote Login.  If the filename of the Trojan horse has not been  changed, it can be located in the /Library/Caches folder under the name  AStht_06.app.&lt;/i&gt; &lt;/p&gt;&lt;p&gt; &lt;i&gt;Until a patch is issued for the Apple Remote Desktop Agent exploit,  SecureMac classifies the security risk presented by this Trojan horse as  high.&lt;/i&gt;  &lt;/p&gt;&lt;p&gt; &lt;b&gt;Protection:&lt;/b&gt;  To protect your system against this threat, run  &lt;a target="_new" href="http://macscan.securemac.com/"&gt;MacScan  2.5.2&lt;/a&gt; (MacScan is a product of SecureMac) with the latest Spyware  Definitions update  (2008011),  dated  June  19th, 2008.  SecureMac recommends that users download files only from  trusted sources and sites. &lt;/p&gt;&lt;p&gt;Additional removal instructions and  resources  will be posted once available. &lt;/p&gt;&lt;p&gt; &lt;b&gt;Resources:&lt;/b&gt; &lt;!--&lt;a href="http://www.securemac.com/data/applescripttht.pdf"&gt;Link to  PDF  Advisory&lt;/a&gt;--&gt;&lt;br /&gt;&lt;a href="http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html?nav=rss_blog" target="_fourth"&gt;WashingtonPost analysis on AppleScript.THT Trojan  Horse&lt;/a&gt;  &lt;/p&gt;&lt;p&gt; &lt;span style="font-size:-1;"&gt;&lt;b&gt;About MacScan:&lt;/b&gt;  MacScan quickly detects, isolates  and  removes spyware from  Macintosh computers using both real-time spyware definition updating and  unique detection methods.  The software also manages internet-related  clutter on your computer. It is designed for Mac OS X version 10.2.4 and  later, and is compatible with OS X 10.5 (Leopard). 
For more information, or to download a demo version of MacScan, visit  &lt;a href="http://macscan.securemac.com/"&gt;http://macscan.securemac.com&lt;/a&gt;. &lt;/span&gt;&lt;/p&gt;&lt;p&gt; &lt;span style="font-size:-1;"&gt;&lt;b&gt;About SecureMac:&lt;/b&gt;  Since 1999, SecureMac.com has been at the  forefront  of  Macintosh system security. The site not only features complete Macintosh  Anti-Spyware and Antivirus solutions, but also operates as a  clearinghouse for news, reviews and discussion of Apple computer  security issues. Users from novice to the most advanced will find useful  information at SecureMac that is designed to make their computer  experience trouble free. &lt;/span&gt;     &lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>How Computer Viruses Work</title><link>http://atvidea.blogspot.com/2009/08/how-computer-viruses-work.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 17 Aug 2009 20:09:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-6757937845436054135</guid><description>&lt;p&gt;Strange as it may sound, the computer virus is something of an Information Age marvel. On one hand, viruses show us how vulnerable we are -- a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become. &lt;/p&gt;&lt;p&gt;For example, experts estimate that the &lt;a href="http://computer.howstuffworks.com/framed.htm?parent=virus.htm&amp;amp;url=http://www.timesonline.co.uk/article/0,,1-979473,00.html"&gt;Mydoom worm&lt;/a&gt; infected approximately a quarter-million computers in a single day in January 2004. 
Back in March 1999, the &lt;a href="http://computer.howstuffworks.com/framed.htm?parent=virus.htm&amp;amp;url=http://www.cert.org/advisories/CA-1999-04.html"&gt;Melissa virus&lt;/a&gt; was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their &lt;a href="http://computer.howstuffworks.com/email.htm"&gt;e-mail systems&lt;/a&gt; until the virus could be contained. The &lt;a href="http://computer.howstuffworks.com/framed.htm?parent=virus.htm&amp;amp;url=http://vil.nai.com/vil/content/v_98617.htm"&gt;ILOVEYOU virus&lt;/a&gt; in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. That's pretty impressive when you consider that many viruses are incredibly simple.&lt;/p&gt;&lt;p&gt;When you listen to the news, you hear about many different forms of electronic infection. The most common are:   &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Viruses&lt;/strong&gt; - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;E-mail viruses&lt;/strong&gt; - An e-mail virus travels as an attachment to &lt;a href="http://computer.howstuffworks.com/email.htm"&gt;e-mail messages&lt;/a&gt;, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: &lt;a href="http://howstuffworks.com/framed.htm?parent=virus.htm&amp;amp;url=http://www.pcworld.com/article/id,81968/article.html"&gt;Johnson&lt;/a&gt;]. 
&lt;/li&gt;&lt;li&gt;&lt;a&gt;&lt;strong&gt;Trojan&lt;/strong&gt;&lt;/a&gt; &lt;strong&gt;horses&lt;/strong&gt; - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your &lt;a href="http://computer.howstuffworks.com/hard-disk.htm"&gt;hard disk&lt;/a&gt;). Trojan horses have no way to replicate automatically. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Worms&lt;/strong&gt; - A worm is a small piece of software that uses &lt;a href="http://computer.howstuffworks.com/home-network.htm"&gt;computer networks&lt;/a&gt; and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well. &lt;/li&gt;&lt;/ul&gt;   &lt;p&gt;In this article, we will discuss viruses -- both "traditional" viruses and e-mail viruses -- so that you can learn how they work and understand how to protect yourself.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Windows virus infects 9m computers</title><link>http://atvidea.blogspot.com/2009/08/windows-virus-infects-9m-computers.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Sun, 16 Aug 2009 20:09:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-2971984941805373515</guid><description>&lt;div id="article-wrapper"&gt;       &lt;p&gt;The number of Windows computers infected with the new "downadup" worm – also known as "Conficker" and "Kido" – has exploded to almost 9 million worldwide, from roughly 2.4m last Thursday, according to the computer security company F-Secure.&lt;/p&gt;&lt;p&gt;The growth in the 
number of infected machines – which the company's researchers called "&lt;a href="http://www.f-secure.com/weblog/archives/00001584.html"&gt;just amazing&lt;/a&gt;" – makes it one of the worst malware outbreaks of the past five years. The principal targets are corporate Windows servers belonging to small businesses who have not installed security updates released by Microsoft last October. F-Secure estimates that a third of all potentially vulnerable systems have not had the update.&lt;/p&gt;&lt;p&gt;But antivirus researchers are still unsure of the precise purpose of the malware, which is spreading via the &lt;a href="http://www.guardian.co.uk/technology/internet"&gt;internet&lt;/a&gt;, through unpatched corporate networks and through USB memory sticks attached to infected computers.&lt;/p&gt;&lt;p&gt;First discovered last October, downadup loads itself on to a computer by exploiting a weakness in Windows servers. Although the &lt;a href="http://www.guardian.co.uk/technology/askjack/2008/oct/25/windows-critical-patch"&gt;weakness was noticed and fixed by Microsoft last October&lt;/a&gt;, not enough people with vulnerable machines – including those running Windows XP and Vista – have installed it. &lt;/p&gt;&lt;p&gt;The worm can infect USB sticks and any corporate laptop that gets infected could then launch attacks if it was later connected to a home network.&lt;/p&gt;&lt;p&gt;The reason for the explosion in infected machines seems to be a new variant which appeared last week, updated by the hackers who wrote the original. The new one attempts to crack the passwords of machines on a network using the &lt;a href="http://www.guardian.co.uk/technology/computing"&gt;computing&lt;/a&gt; power of the infected machine to apply a "brute force" approach – so that passwords such as "admin", "password" or "123456" on potential target machines will quickly be broken. 
&lt;/p&gt;&lt;p&gt;Once it has infected a machine, the software also tries to connect to up to 250 different domains with random names every day. Researchers reckon that one of them will be the intended "control" domain, and that when the computers connect to it they will download a fresh program that will take over the infected computer. &lt;/p&gt;&lt;p&gt;"This makes it impossible and/or impractical for us good guys to shut them all down – most of them are never registered in the first place," the F-Secure team noted on its weblog. "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website – and they then gain access to all of the infected machines. Pretty clever."&lt;/p&gt;&lt;p&gt;So far, nobody knows when that domain will become active – or whether it already is. Some have tried registering the domains that the worm tries to connect to (by advancing the clock on an infected PC by a day or two, to see which ones it will connect to) – but gave up because the cost of registering domains grew too high.&lt;/p&gt;&lt;p&gt;McAfee, another antivirus company, points out that &lt;a href="http://feeds.feedburner.com/%7Er/McafeeAvertLabsBlog/%7E3/516641222/"&gt;weaknesses in Windows are being exploited more and more quickly&lt;/a&gt;. In 2001, it took 335 days for a worm to appear that exploited a vulnerability already patched by Microsoft. That worm, called Nimda, nevertheless did serious damage. 
&lt;/p&gt;&lt;p&gt;Since then, the length of time between patches appearing – which hackers can use to "reverse engineer" a piece of malware that will attack the weakness – has shortened, until the latest patch appeared on the same day that an "exploit" against it was found online.&lt;/p&gt;   &lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>The 10 faces of computer malware</title><link>http://atvidea.blogspot.com/2009/08/10-faces-of-computer-malware.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Sun, 16 Aug 2009 20:03:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-680606996973539870</guid><description>&lt;a href="http://www.techrepublic.com/" target="_blank"&gt;&lt;img src="http://www.asia.cnet.com/i/it/2002/ITManager_2004/images/techrepublic.jpg" style="padding: 5px;" align="right" border="0" /&gt;&lt;/a&gt;  &lt;strong&gt;The complexity of today's IT environment makes it easy for computer malware to exist, even flourish. 
Being informed about what's out there is a good first step to avoid problems.&lt;/strong&gt;&lt;br /&gt; &lt;p&gt;With all the different terms, definitions, and terminology, trying to figure out what's what when it comes to computer malware can be difficult.&lt;/p&gt; &lt;!--text blurb--&gt;  &lt;p&gt;To start things off, let's define some key terms that will be used throughout the article:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;&lt;b&gt;Malware&lt;/b&gt;: &lt;b&gt;mal&lt;/b&gt;icious soft&lt;b&gt;ware&lt;/b&gt; that's specifically developed to infiltrate or cause damage to computer systems without the owners knowing or their permission.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Malcode&lt;/b&gt;: &lt;b&gt;mal&lt;/b&gt;icious programming &lt;b&gt;code&lt;/b&gt; that's introduced during the development stage of a software application and is commonly referred to as the malware's payload.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Antimalware&lt;/b&gt;: includes any program that combats malware, whether it's real-time protection or detection and removal of existing malware. Antivirus, antispyware applications and malware scanners are examples of antimalware.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;One important thing to remember about malware is that like its biological counterpart the number one goal is reproduction. Causing damage to a computer system, destroying data, or stealing sensitive information are all secondary objectives.&lt;/p&gt;  &lt;p&gt;Keeping the above definitions in mind, let's take a look at 10 different types of malware.&lt;/p&gt; &lt;p&gt;&lt;b&gt;1: The infamous computer virus&lt;/b&gt;&lt;br /&gt;A computer virus is malware that's capable of infecting a computer but has to rely on some other means to propagate. 
A true virus can only spread from the infected computer to a non-infected computer by attaching to some form of executable code that's passed between the two computers.&lt;/p&gt;  &lt;p&gt;For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;&lt;b&gt;Replicator&lt;/b&gt;: When the host program is activated, so is the virus and the viral malcode's first priority is to propagate.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Concealer&lt;/b&gt;: The computer virus can employ one of several methods to hide from antimalware.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Payload&lt;/b&gt;: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality antivirus software will remove computer viruses once the application has the signature file for the virus.&lt;/p&gt; &lt;p&gt;&lt;b&gt;2: The ever popular computer worm&lt;/b&gt;&lt;br /&gt;Computer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (Internet) to propagate it's a worm rather than a virus.&lt;/p&gt;  &lt;p&gt;The main components of a worm are:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;b&gt;Penetration tool&lt;/b&gt;: Malcode that leverages vulnerabilities on the victim computer to gain access.&lt;/li&gt;&lt;/ul&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt;&lt;b&gt;Installer&lt;/b&gt;: The penetration tool gets the computer worm past the initial defense mechanism. 
At that point the installer takes over and transfers the main body of malcode to the victim.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Discovery tool&lt;/b&gt;: Once settled in, the worm uses several different methods to discover other computers on the network, including e-mail addresses, Host lists, and DNS queries.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Scanner&lt;/b&gt;: The worm uses a scanner to determine if any of the newly-found target computers are vulnerable to the exploits available in its penetration tool.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Payload&lt;/b&gt;: Malcode that resides on each victim's computer. Could be anything from a remote access application to a key logger used to capture user names and passwords.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners such as MBAM or GMER.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;3: The unknown backdoor&lt;/b&gt;&lt;br /&gt;Backdoors are similar to the remote access programs that many of us use all the time. They're considered malware when installed without permission, which is exactly what an attacker wants to do, by using the following methods:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;One installation method used is to exploit vulnerabilities on the target computer.&lt;/li&gt;&lt;li&gt; Another approach is to trick the user into installing the backdoor through social engineering.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Once installed, back doors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. 
Malware scanners like MBAM and GMER are usually successful at removing backdoors.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;4: The secretive Trojan horse&lt;/b&gt;&lt;br /&gt;It's difficult to come up with a better definition for Trojan horse malware than Ed Skoudis and Lenny Zeltser did in their book &lt;i&gt;Malware: Fighting Malicious Code&lt;/i&gt;:&lt;/p&gt; &lt;blockquote&gt;"A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality."&lt;/blockquote&gt; &lt;p&gt;Trojan horse malware cloaks the destructive payload during installation and program execution, preventing antimalware from recognizing the malcode. Some of the concealment techniques include:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;&lt;b&gt;Rename&lt;/b&gt; the malware to resemble files that are normally present.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Corrupt&lt;/b&gt; installed antimalware to not respond when malware is located.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Polymorphic code&lt;/b&gt; is used to alter the malware's signature faster than the defensive software can retrieve new signature files.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Vundo is a prime example; it creates pop-up advertising for rogue antispyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD is required to detect and remove it.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;5: Adware/Spyware, more than an annoyance&lt;/b&gt;&lt;br /&gt;Adware is software that creates pop-up advertisements without the user's permission. Typically the way adware gets installed is by being a component of free software. Besides being very irritating, adware can significantly decrease computer performance.&lt;/p&gt;  &lt;p&gt;Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is very important. 
The Sony BMG CD copy protection scandal is probably the most notable example of spyware.&lt;/p&gt; &lt;p&gt;Most quality antispyware programs will quickly find unwanted adware/spyware and remove it from the computer. It's also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser program as preventative maintenance.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Malware stew&lt;/b&gt;&lt;br /&gt;Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately that's not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.&lt;/p&gt;  &lt;p&gt;Rootkits are an example of this, integrating a Trojan horse and a backdoor into one package. When used in this combination, an attacker can gain access to a computer remotely and do so without raising any suspicion. Rootkits are one of the more important combined threats, so let's take a deeper look at them.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Rootkits: Uniquely different&lt;/b&gt;&lt;br /&gt;Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level like most malware. That's significant, because it makes detection by antimalware that much more difficult.&lt;/p&gt;  &lt;p&gt;There are several different types of rootkits, but three make up the vast majority of those seen in the wild. They are user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;&lt;b&gt;User mode&lt;/b&gt;: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. 
Due to the restricted access, crashes in user mode are recoverable.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Kernel mode&lt;/b&gt;: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel mode aren't recoverable.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;&lt;b&gt;6: User-mode rootkits&lt;/b&gt;&lt;br /&gt;It's now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:&lt;/p&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt;User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.&lt;/li&gt;&lt;li&gt;User-mode rootkits remain installed by copying required files to the computer's hard drive, automatically launching with every system boot.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Hacker Defender is one example of a user-mode rootkit and luckily Mark Russinovich's well-known application Rootkit Revealer is able to detect it as well as most other user-mode rootkits.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;7: Kernel-mode rootkits&lt;/b&gt;&lt;br /&gt;Since rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits:&lt;/p&gt;  &lt;ul class="unIndentedList"&gt;&lt;li&gt;Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software.&lt;/li&gt;&lt;li&gt;This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. 
It's one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits like Rustock.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;8: Firmware rootkits&lt;/b&gt;&lt;br /&gt;Firmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware.&lt;/p&gt;  &lt;p&gt;This means that:&lt;/p&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt; When the computer is shut down the rootkit writes the current malcode to the specified firmware.&lt;/li&gt;&lt;li&gt; Restart the computer and the rootkit reinstalls itself.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;9: Malicious mobile code&lt;/b&gt;&lt;br /&gt;In relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. First, let's define mobile code as software that's:&lt;/p&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt; Obtained from remote servers.&lt;/li&gt;&lt;li&gt; Transferred across a network.&lt;/li&gt;&lt;li&gt; Downloaded and executed on a local system.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It's the dynamic page content that makes Web browsing an interactive experience.&lt;/p&gt;  &lt;p&gt;What makes mobile code malicious? Installing it without the owner's permission or misleading the user as to what the software does. To make matters worse, it's usually the first step of a combined attack, similar to the penetration tool used by Trojan horse malware, after which the attacker can install additional malware.&lt;/p&gt;
  &lt;p&gt;The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software are up to date.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;10: Blended threat&lt;/b&gt;&lt;br /&gt;Malware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. That said, blended threats deserve special mention as security experts grudgingly admit they're the best at what they do.&lt;/p&gt;  &lt;p&gt;A blended threat typically includes the following abilities:&lt;/p&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt; Exploit several known vulnerabilities or even create vulnerabilities.&lt;/li&gt;&lt;li&gt; Incorporate alternate methods for replicating.&lt;/li&gt;&lt;li&gt; Automate code execution, which eliminates user interaction.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Blended threat malware may, for example, send an HTML e-mail message containing an embedded Trojan horse along with a PDF attachment containing a different type of Trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several different pieces of antimalware as well as using malware scanners installed on a LiveCD.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Final thoughts&lt;/b&gt;&lt;br /&gt;Malware: is it even possible to reduce the harmful effect it causes? Here are a few final thoughts on that subject:&lt;/p&gt; &lt;ul class="unIndentedList"&gt;&lt;li&gt;Malware isn't going away any time soon. 
Especially when it became evident that money, lots of money, can be made from its use.&lt;/li&gt;&lt;li&gt;Since all antimalware applications are reactionary, they are destined to fail.&lt;/li&gt;&lt;li&gt;Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.&lt;/li&gt;&lt;li&gt;Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment.&lt;/li&gt;&lt;li&gt;It cannot be stressed enough: please make sure to keep operating system and application software up to date.&lt;/li&gt;&lt;/ul&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Scam Antivirus App Spreads Malware</title><link>http://atvidea.blogspot.com/2009/08/scam-antivirus-app-spreads-malware.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Sun, 16 Aug 2009 19:52:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-7191618493294003749</guid><description>Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1.   
&lt;p&gt;The app is one of a number of &lt;a href="http://www.pcworld.com/article/159316/fake_infection_warnings_can_be_real_trouble.html?tk=rel_news"&gt;bogus security products&lt;/a&gt; which promise to provide protection against the latest online threats, but instead have been &lt;a href="http://www.pcworld.com/article/158734/spotting_a_pc_infection.html?tk=rel_news"&gt;designed to spread malware&lt;/a&gt; or hold users' PCs to ransom.&lt;/p&gt;   &lt;p&gt;But if you use the internet to research Anti-virus-1, it's possible you'll find a number of glowing reviews, because the tool is posting fake articles online which appear to be endorsed by a number of the web's top tech sites - including PC Advisor.&lt;/p&gt;   &lt;p&gt;In reality, the likelihood of you coming across an Anti-virus-1 review is slim. According to Lawrence Abrams, owner of technology site BleepingComputer.com, fake reviews will only be seen by those who install the rogue security app.&lt;/p&gt;   &lt;p&gt;He said that when he installed Anti-virus-1 - which also goes by the name Antivirus2010 - it added a series of entries into the Windows hosts file which direct users to what appear to be the websites of a number of UK and US tech sites.&lt;/p&gt;   &lt;p&gt;"By adding these entries into your HOSTS file, it will make it so that if you go to any of the websites listed, instead of going to the legitimate site, you will instead be redirected to a site under the control of the developers of Anti-virus-1 and not realise you are doing so," said Abrams on his site.&lt;/p&gt;   &lt;p&gt;That means those with Anti-virus-1 running on their PC may be directed to bogus reviews such as the one in the screenshot below.&lt;/p&gt;   &lt;p&gt;The software has never been tested by PC Advisor, and the fake review is not hosted on the PC Advisor site. 
Other sites apparently targeted by the scam include PC Magazine and TechRadar.&lt;/p&gt;   &lt;p&gt;Abrams warned that, once installed, Anti-virus-1 also issues fake security alerts, screen savers showing a blue screen crash caused by spyware and Internet Explorer hijacks. He's provided tips on how to remove Anti-virus-1/Antivirus 2010 on his website - although we've yet to test the procedure.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Conficker virus activates in a bid to aid cybercriminals</title><link>http://atvidea.blogspot.com/2009/08/conficker-virus-activates-in-bid-to-aid.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Sun, 16 Aug 2009 19:42:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-9156031968222725213</guid><description>&lt;p&gt; The Conficker virus, which has infected millions of computers around the  world, is finally activating itself in a bid to become a money-making  machine for cybercriminals. &lt;/p&gt; &lt;p&gt; Infected machines have started to update themselves and download a fake  anti-virus program aimed at tricking users into paying out for useless  security software, security researchers said. &lt;/p&gt; &lt;p&gt; The virus may also be destined to be used by its cybercriminal creators to  send millions of spam emails and steal passwords from infected computers by  creating a "botnet" of "zombie" machines. &lt;/p&gt; &lt;p&gt; Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker  began showing activity on Tuesday, nearly a week after the expected April 1  activation date that had computer security experts on alert around the world.&lt;br /&gt;&lt;/p&gt;&lt;p&gt; Infected machines were contacting each other to download new malicious  software, he said. 
&lt;/p&gt; &lt;p&gt; "As expected, the P2P communications of the Downad/Conficker botnet may have  just been used to serve an update," Macalintal wrote in a post on the  TrendLabs Malware blog. "The Conficker/Downad P2P communications is now  running in full swing!" &lt;/p&gt; &lt;p&gt; Other researchers at Kaspersky Labs found that Conficker was downloading a  fake $49.95 security scanner called Spyware Protect 2009, which may mean  millions of Conficker-infected machines will start getting pop-up messages  advertising the product. &lt;/p&gt; &lt;p&gt; The latest version of Conficker is also downloading another, separate worm  called Waledac onto the infected systems. Waledac is a known botnet linked  to data theft and email spam campaigns. &lt;/p&gt; &lt;p&gt; Paul Ferguson at internet security company Trend Micro noted: "Having followed  the activities of Eastern European online cyber crime for several years,  there is one thing we are certain about — these criminals are motivated by  one thing: money. &lt;/p&gt; &lt;p&gt; "How was Downad/Conficker helping them meet their goals? It wasn’t. A very  large botnet of compromised computers doesn’t make money if it just 'sits  there' doing nothing. So now we see that the Downad/Conficker botnet has  awakened, and perhaps their desire to monetise their efforts is becoming  more clear." &lt;/p&gt; &lt;p&gt; Waledac usually spreads via a malicious web link or an e-mail, typically a  fake greeting card. Once it infects a number of machines they can be  remotely controlled to send scam emails advertising medical products or  phishing messages. &lt;/p&gt; &lt;p&gt; The Conficker virus started spreading late last year. At first it was a  relatively simple worm but its creators issued updates turning it into a  more sophisticated and resilient virus that has found new ways to spread. 
It  has also gained the ability to shut down a computer's defences. &lt;/p&gt; &lt;p&gt; Conficker infects machines by exploiting a weakness in Windows, the software  that runs on most computers. At its peak it had compromised about 12 million  PCs, although that may have fallen to about two million thanks to new  security measures.  &lt;/p&gt; &lt;p&gt; Once the worm is on a computer, that PC becomes part of a “botnet” – a network  of computers that can be controlled by the virus's creator.  &lt;/p&gt; &lt;p&gt; In the past year the virus has spread to computers in schools, hospitals and  government departments. It has got into the defence forces of Britain,  Germany and France, grounding the French Navy's fighter jets for a time.  &lt;/p&gt; &lt;p&gt; A task force assembled by Microsoft has been working to stamp out the worm and  the company has placed a bounty of $250,000 on the heads of those  responsible for the threat. &lt;/p&gt; &lt;p&gt; The worm, a self-replicating program, takes advantage of networks or computers  that have not kept up to date with Windows security patches. Microsoft has  modified its free Malicious Software Removal Tool to detect and get rid of  Conficker.  &lt;/p&gt; &lt;p&gt; Among the ways one can tell if their machine is infected is that the worm will  block efforts to connect with websites of security firms such as Trend Micro  or Symantec where there are online tools for removing the virus.  
&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>New Service Provides Malware, Virus Protection for Websites</title><link>http://atvidea.blogspot.com/2009/08/new-service-provides-malware-virus.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Sun, 16 Aug 2009 19:34:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-4368323060267862819</guid><description>(ChattahBox)—Websites are forced to navigate an ever-increasing battlefield of unseen enemies, namely damaging malware, botnets, trojans and viruses that have the potential to land websites on malware blacklists. &lt;p&gt;Website owners finding themselves victims of malware attacks oftentimes receive a further hit, resulting in loss of reputation and business when the sites become blacklisted and are labeled as unsafe.&lt;/p&gt; &lt;p&gt;A new malware monitoring service named Dasient, created by two former Google workers, offers website owners a way to protect their sites from attack and landing on blacklists.&lt;/p&gt; &lt;p&gt;Co-founders Neil Daswani and Shariq Rizvi both come from years of working in the trenches at Google defending the company’s networks against malware and click fraud.&lt;/p&gt; &lt;p&gt;Daswani and Rizvi believe the time is ripe for a malware service like theirs, as cyber attacks become more sophisticated, leaving most website owners ill equipped to deal with the problems. 
Some of the more recent attacks against browsers and Web applications include the use of SQL injections and cross-site scripting that lead to drive-by downloads.&lt;/p&gt; &lt;p&gt;A new worm named Gumblar, which is believed to be more damaging than Conficker, steals FTP credentials so attackers can compromise Web sites.&lt;/p&gt; &lt;p&gt;The new Dasient service is set to launch a public beta version of its free blacklist alert service and fee-based monitoring service, which would start at a fee of $50 a month.&lt;/p&gt; &lt;p&gt;The free service will identify the parts of a site that are infected with malware, identify the suspect code and recommend actions to take. 
The fee-based service will automatically quarantine the malicious code, while still allowing the site, and even the hosting page, to remain accessible.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Macro Virus</title><link>http://atvidea.blogspot.com/2009/08/macro-virus.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Fri, 14 Aug 2009 20:13:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-5817760557069410528</guid><description>&lt;p&gt; A macro virus is a computer infection written in macro language, which is commonly built into word processing applications.  In general, a macro is a series of commands and executions that help automate specific tasks.  Regardless of how they are created, they must be executed by a system able to interpret stored commands.  Some macro systems are actually self-contained utilities while others are built into more advanced applications that allow users to easily repeat a sequence of commands or enable a programmer to customize the application to suit the user's needs.   
&lt;/p&gt; &lt;p&gt; What has made some programs vulnerable to the macro virus is a feature that allows macros to be stored in the documents that are edited, processed and saved by the application.  This means that a virus can be easily attached to a document without the user's knowledge and executed upon opening the file.  This provides a mechanism that enables the infection to spread throughout the system.   &lt;/p&gt; &lt;h2&gt;&lt;strong&gt;How it Functions&lt;/strong&gt;&lt;/h2&gt; &lt;p&gt; A macro virus may be distributed via email, floppy disk, network sharing, a modem and compromised sites on the internet.  Since most macros automatically start when a document is opened and closed, a macro virus seeks to replace the original with its malicious code.  From there, the infection tags the replacement code with the same name and functions when the command is executed, which happens when a user accesses the file.   &lt;/p&gt; &lt;p&gt; Once opened, the macro virus begins to embed itself within other documents and templates.  It also makes preparations to infect any files that will eventually be created.  Depending on what resources it is able to access, a macro virus can damage other areas of the operating system.  This occurs as the infected documents are shared amongst other users and devices.   &lt;/p&gt; &lt;p&gt; One of the most popular variations of this infection is the Melissa Virus, first detected in 1999.  It spread via email attachment and infected any recipient who opened it.  This virus manipulated the victim's address book and distributed itself to numerous email contacts, enabling it to replicate at an alarming rate.   &lt;/p&gt; &lt;p&gt; A macro virus has the ability to infect nearly any system running word processing software.  This is because it seeks to corrupt that application as opposed to the operating system.  
The virus has been known to attack computers running Mac OS X, Windows and other platforms that are compatible with Microsoft Word.   &lt;/p&gt; &lt;h2&gt;&lt;strong&gt;Prevention &lt;/strong&gt;&lt;/h2&gt; &lt;p&gt; Because of the wide spread of macro viruses, it is important to remain cautious of the emails you receive.  Many of the messages waiting in your inbox carry financial scams and malicious programs.  If you download an attachment from one of these unsolicited messages, a macro virus can easily be installed onto your computer, and from there, the madness begins.   &lt;/p&gt; &lt;p&gt; The best defense against a macro virus is a reliable &lt;a href="http://www.spamlaws.com/anti-virus-software-reviews.html" title="anti-virus program"&gt;anti-virus program&lt;/a&gt;.  A good scanner will check every file and directory in your system and even scan emails and attachments before you even open them.  This small step is one that can save you a lot of time, money and the frustrations associated with internet threats.    &lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Macro Virus Protection in the Microsoft Office Line</title><link>http://atvidea.blogspot.com/2009/08/macro-virus-protection-in-microsoft.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Fri, 14 Aug 2009 20:03:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-7619479756377224407</guid><description>&lt;span class="body"&gt;&lt;table border="0" width="100%" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p class="text"&gt; The Microsoft Office programs are the best-known and most widely used programs in the world. They are also the most vulnerable targets for macro virus infection. 
One could easily blame Microsoft for not doing anything to prevent the virus threat; however, to do so would be to overlook the efforts that the software giant has made to diminish these threats. This is the first of two articles that will review some of the macro viruses that have targeted MS Office products. This series will also analyze some of the efforts made by Microsoft to contain the macro virus situation and attempt to point out what they did right and what they did wrong. This article will look at some of the earlier Microsoft products, such as Word 2.0, Word 97, Office 97 and Office 97 Service Release 1.  &lt;/p&gt;&lt;p class="title"&gt; &lt;b&gt; Word 2.0 &lt;/b&gt;  &lt;/p&gt;&lt;p class="text"&gt; The first Microsoft Office product that was sophisticated enough for macro virus creation was Word 2.0, which came with the first version of WordBASIC. Fortunately, virus writers did not realize this potential until the appearance of the first Word 6 macro viruses in 1995. Then a couple of Word 2 proof-of-concept viruses, Polite and WiederOffnen, were written; however, by then Word 2 was going obsolete, so these viruses went mostly unnoticed.  &lt;/p&gt;&lt;p class="text"&gt; In the summer of 1995, Concept started its spread all over the world, changing the game once and for all. As Microsoft had an indisputable role in the spread of this particular virus, they soon (i.e. within a year) came up with solutions. First they issued the infamous &lt;a target="nonlocal" href="http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q158499"&gt;ScanProt macro virus protection utility macros&lt;/a&gt; (there were at least 4 versions of them.) They shouldn't have - these utilities provided protection only against Concept, ignoring the fact that by then there were about a dozen Word macro viruses. 
In fact, this protection macro created a dangerous false sense of security: users thought that using ScanProt would protect them from all macro viruses, while it was only effective against Concept (although, in all fairness to Microsoft, this particular virus was the most widespread back then.)   &lt;/p&gt;&lt;p class="text"&gt; Users who tried to install SCANPROT to protect themselves at the first sign of macro virus infection overlooked this fact. This action usually did not affect the virus, except that some of its macros may have been overwritten by SCANPROT's AutoOpen or AutoClose macro. The result was that some viruses, such as Colors and Muck, remained viable even with some of their macros being overwritten by SCANPROT. This mating effect resulted in dozens of new virus variants.  &lt;/p&gt;&lt;p class="title"&gt; &lt;b&gt; MS Word 7.0a &lt;/b&gt;  &lt;/p&gt;&lt;p class="text"&gt; Realizing the serious threat that macro viruses posed, Microsoft released a patched version, Word 7.0a, relatively quickly (although they never cared to update Word 6.0.) This version included a macro virus warning box (shown below). The only problem is that, contrary to what the message box stated, it was not a macro virus warning box, it was not even a macro warning box; rather, it was a customization warning box. In fact, there were several problems with this implementation:  &lt;/p&gt;&lt;ol&gt;&lt;span class="text"&gt; &lt;li&gt; The user was warned even if the opened document contained only personalized menu items or command bar buttons. The reason for this is not clear; however, the fact that the macros, command bar and menu bar customizations are stored together in the same structure within the Word document could point to laziness in coding and design. &lt;/li&gt; &lt;li&gt; The warning came up even if the document contained innocent macro programs. 
Several companies used utility macros to improve productivity; as these macros also fired the warning, the users soon became annoyed and disabled the warning. &lt;/li&gt; &lt;li&gt; It was possible to turn off this warning feature outside Word, by simply changing the value of a single registry key. &lt;/li&gt; &lt;/span&gt;&lt;/ol&gt;   &lt;p align="center"&gt; &lt;img src="http://www.securityfocus.com/virus/images/ms_office_1.jpg" border="0" /&gt;  &lt;/p&gt;&lt;pre&gt;        Figure one: the Microsoft Macro Virus Warning Box&lt;br /&gt;&lt;/pre&gt;  &lt;p class="title"&gt; &lt;b&gt; MS Office 97 &lt;/b&gt;  &lt;/p&gt;&lt;p class="text"&gt; Except for one "leftover", the original release of Office 97 didn't provide additional protection measures against macro viruses. The "leftover" came out accidentally, when some of the virus scanners found WWINTL32.DLL, part of the standard Office 97 installation, infected with a macro virus - which is clearly nonsense. So what happened? The transition from Word 7.0 to Word 97 was a huge step as far as macro programming was concerned. The WordBASIC interpreter, used in the older version, was replaced with VBA, which was already in use in Excel 5, in order to establish a unified macro development environment in all Office applications.   &lt;/p&gt;&lt;p class="text"&gt; With this development, the entire development environment, including the macro code storage mechanism and the programming language itself, changed. In order to provide some compatibility for the WordBASIC macro utilities, Word 97 introduced internal macro conversion that converted the WordBASIC code to VBA code. This was a great opportunity to prevent Word 6 viruses from upconversion. Otherwise Word itself would have just generated new virus variants. So Microsoft built in a simple filter that tried to determine whether the macro to be converted belonged to a virus or not. 
If the macro was found to belong to a known virus, it was removed from the upconverted document without any warning or information.   &lt;/p&gt;&lt;p class="text"&gt; Unfortunately, there were several shortcomings of this method, including:  &lt;/p&gt;&lt;ul&gt;&lt;span class="text"&gt; &lt;li&gt; It used simple pattern matching signature scanning; &lt;/li&gt; &lt;li&gt; It worked only on a per-macro basis. As a result, from an upconverted Concept sample the AutoOpen, AAAZAO and AAAZFS macros were removed, while the Payload macro was upconverted happily; &lt;/li&gt; &lt;li&gt; It provided detection for only a limited number of viruses (the static database linked into a DLL provided no possibility for further updates); and, &lt;/li&gt; &lt;li&gt; The virus signatures were stored in unencrypted format. As a result, some scanners, which were not careful enough to search for macro signatures only in places where they could normally occur, could pick up these signatures and raise false virus alerts. &lt;/li&gt; &lt;/span&gt;&lt;/ul&gt;  &lt;p class="text"&gt; Nevertheless, this was good enough to prevent the vast majority of existing Word 6 viruses from spreading under Word 97. Well, almost. It turned out that in the very early beta versions this upconversion virus check was not implemented, so a couple of popular Word 6 viruses could upconvert after all.  All in all these did not make much impact.  &lt;/p&gt;&lt;p class="text"&gt; There was another change in Office 97 that, as a side effect, prevented Word 6 viruses that use execute-only (encrypted) macros from spreading. Word 6/7 provided a (very, very weak) macro-level protection in the form of execute-only macros. In Office 97, only the entire project could be protected with a password. What should happen when someone wants to copy macros from a protected project to an unprotected project? (This is exactly the case when a virus with protected macros attempts to copy macros to the unprotected global template.) 
Either the protected project should be converted to unprotected, in which case VBA developers will lose protection on their copyrighted utility products, or the global template should be converted to protected, in which case users will be angry for not being able to modify their macros. The solution is very simple. It is not possible to copy macros from a protected project. Therefore, even if a Word 6 virus using execute-only macros was upconverted to a Word 97 virus, it would have a protected VBA project, and it wouldn't be able to infect further documents.  &lt;/p&gt;&lt;p class="title"&gt; &lt;b&gt; MS Office 97 Service Release 1 &lt;/b&gt;  &lt;/p&gt;&lt;p class="text"&gt; An unheralded improvement came with Service Release 1, which indicated a major change in Microsoft's attitude. Instead of external patches and blocks, they went to the heart of the problem: the VBA object model itself.  &lt;/p&gt;&lt;p class="text"&gt; Before proceeding further, let me clarify what VBA is. It consists of at least the following major components:  &lt;/p&gt;&lt;ul&gt;&lt;span class="text"&gt; &lt;li&gt; Programming language and development environment &lt;/li&gt; &lt;li&gt; Several automation objects and framework for processing application events &lt;/li&gt; &lt;li&gt; Storage mechanism for VBA code &lt;/li&gt; &lt;/span&gt;&lt;/ul&gt;  &lt;p class="text"&gt; It is important to state that VBA itself provides the VBIDE object model, which contains the infamous VBProject object with several methods for injecting code into macro storages. It is not implemented in the VBA licensee application; it is an intrinsic VBA feature. However, it can be optionally hidden from Automation. This is the key factor in an application's susceptibility to macro viruses. If a VBA application exposes this interface then it is an easy target for macro viruses. If it hides it, then it is safe. 
Currently only WordPerfect chose to be on the safe side, which is reflected in the number of known WordPerfect VBA macro viruses. Others are all potentially vulnerable: MS Office, Visio and AutoCAD 2000 have already been infected.  &lt;/p&gt;&lt;p class="text"&gt; VBA makes it easy and comfortable for applications to define application and document level events that can be handled in the macro. As these events are defined for practical reasons (e.g. it is reasonable to implement an action hook when the current document is closed), most of them are implemented in each VBA licensee application although the actual names could be somewhat different. These events allow VBA viruses to activate on specific actions, e.g. when the application is closed (Application_Quit) or the document containing the VBA code is being closed (Document_BeforeClose). It is important to understand that the application object model and the VBE object model are two separate object models.  &lt;/p&gt;&lt;p class="text"&gt; The VBE object model provides several methods for manipulating VBA code. Office 97 SR-1 disabled only one of these methods: the use of the OrganizerCopy and the WORDBASIC.MacroCopy (which was the upconverted version of WordBASIC's MacroCopy) methods to copy macro code from the normal template into the active document. The opposite way was left open, so that the self-installing utility macros would still work after this security improvement. Up to that point all of the known Office 97 macro viruses used the OrganizerCopy method to spread, so this limitation effectively stopped them. These old-style viruses were able to infect the global template. They could even execute any destructive or annoying payload they had, but they could not infect further documents. Only the following error message was displayed (not showing any sign that a virus was acting). 
&lt;/p&gt;  &lt;p align="center"&gt; &lt;img src="http://www.securityfocus.com/virus/images/ms_office_2.jpg" border="0" /&gt; &lt;br /&gt; &lt;/p&gt;&lt;p class="text"&gt; This solution was better than the previous ones for several reasons: &lt;/p&gt;&lt;ol&gt;&lt;span class="text"&gt; &lt;li&gt; It prevented viruses and only viruses from running. Self-installing utility macros kept working with this patch installed, while viruses were effectively stopped. &lt;/li&gt; &lt;li&gt; It was not possible to switch it off. &lt;/li&gt; &lt;li&gt; It restricted the vulnerable VBA object model, and nothing else. &lt;/li&gt; &lt;/span&gt;&lt;/ol&gt;  &lt;p class="text"&gt; However, it did not stop the virus writers, who soon found alternative methods to insert virus code into VBA projects. As effective as it was, the restriction introduced in SR1 was not an ultimate solution. For some reason, it still allowed a couple of other methods for manipulating VB project code, including importing text files or text strings into a module. Both tricks were soon discovered and intensively employed by virus writers in WM97.Strangedays or members of the WM97.Class family.  &lt;/p&gt;&lt;p class="title"&gt; &lt;b&gt; In the Next Installment? &lt;/b&gt;  &lt;/p&gt;&lt;p class="text"&gt; This concludes our look at the macro viruses that affected earlier Microsoft Word and Office products. In the next installment of this series, we will examine MS Office 2000, the new version of Microsoft Office, codenamed Office XP, and Outlook. &lt;br /&gt;&lt;/p&gt;&lt;p class="text"&gt; To read &lt;b&gt;Macro Virus Protection in the Microsoft Office Line, Part Two&lt;/b&gt;, click &lt;a target="nonlocal" href="http://www.securityfocus.com/infocus/1484"&gt;here&lt;/a&gt;. 
&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;    &lt;/tr&gt;    &lt;/tbody&gt;&lt;/table&gt;      &lt;/span&gt;&lt;br /&gt;&lt;br /&gt; &lt;div class="authorbio"&gt;&lt;br /&gt;&lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>What is MACRO Virus</title><link>http://atvidea.blogspot.com/2009/08/what-is-macro-virus.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Fri, 14 Aug 2009 19:59:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-253640645393402777</guid><description>A macro virus is a computer &lt;a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213306,00.html" class="inline"&gt;virus&lt;/a&gt; that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an &lt;term&gt;e-mail virus&lt;/term&gt;.  A well-known example in March, 1999 was the &lt;a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213491,00.html" class="inline"&gt;Melissa virus&lt;/a&gt;.</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Removal Tools</title><link>http://atvidea.blogspot.com/2009/08/removal-tools.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Thu, 13 Aug 2009 14:10:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-6339891630277872329</guid><description>&lt;div class="cbMrgnTopLG"&gt;         &lt;div class=" cbMrgnBtmLG"&gt; Malicious Code has become increasingly complex and infections involve more system elements than ever before. 
Symantec Security Response has developed tools to automatically conduct what would often amount to extensive and tedious manual removal tasks. If your system has become infected, the tools listed below should aid you in repairing the damage.&lt;br /&gt;&lt;br /&gt;Symantec now offers a &lt;a href="http://www.symantec.com/norton/support/premium_services/premium_virus.jsp"&gt;Spyware &amp;amp; Virus Removal&lt;/a&gt; service.  Sit back and watch while a Symantec expert scans and clears your PC of spyware and viruses.  &lt;strong&gt;This is a fee based service&lt;/strong&gt;.   &lt;/div&gt; &lt;/div&gt;                &lt;div class=" cbMrgnBtmMD"&gt;      &lt;/div&gt;&lt;div style="clear: both;"&gt; &lt;/div&gt;           &lt;table style="border: 1px solid rgb(204, 204, 204); font-size: 1em; border-collapse: collapse; border-spacing: 0px; width: 100%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th style="border-bottom: 1px solid rgb(51, 51, 51); padding: 5px; color: rgb(153, 153, 153); text-align: left;" width="70px"&gt;      &lt;b&gt;&lt;img src="http://www.symantec.com/images/masthead/chevronOR3.gif" style="top: 20px; position: absolute;" /&gt;  &lt;span style="margin-left: 8px;"&gt;Date&lt;/span&gt;&lt;/b&gt;&lt;/th&gt;&lt;th style="border-bottom: 1px solid rgb(51, 51, 51); padding: 5px; text-align: left;"&gt;&lt;b&gt;&lt;a href="http://www.symantec.com/business/security_response/removaltools.jsp?sortby=byname"&gt; &lt;span style="margin-left: 8px;"&gt;Name&lt;/span&gt;&lt;/a&gt;&lt;/b&gt;&lt;/th&gt;&lt;/tr&gt;     &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/16/09&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041607-1924-99"&gt;Symantec Trojan.Ransomlock Key Generator Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/15/09&lt;/td&gt;&lt;td 
style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041517-5230-99"&gt;Trojan.Initbar Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/24/09&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032402-1233-99"&gt;Trojan.Xrupter Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/20/09&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022016-4444-99"&gt;W32.Virut Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/01/09&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020110-4815-99"&gt;Trojan.Bankpatch Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/13/09&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99"&gt;W32.Downadup Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/22/08&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-072215-0522-99"&gt;Trojan.Brisv.A!inf Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/11/07&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-011109-2557-99"&gt;Backdoor.Haxdoor.S/Trojan.Schoeberl.E Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/04/07&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-010416-4413-99"&gt;W32.Spybot.ANDM Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/29/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-112910-5729-99"&gt;W32.Spybot.ACYR Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/19/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-101916-4325-99"&gt;W32.Rajump Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/17/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-101715-5901-99"&gt;W32.Pasobir Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/04/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-100413-1305-99"&gt;Symantec Support Tool ActiveX Control Cleanup Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/23/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-092316-4153-99"&gt;Trojan.Linkoptimizer Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/14/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-091414-3913-99"&gt;W32.Bacalid Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/23/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-032315-4136-99"&gt;W32.Antinny Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/23/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-032312-2648-99"&gt;Trojan.Abwiz Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/23/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-032311-0904-99"&gt;Trojan.Exponny Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/23/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-032311-0638-99"&gt;Trojan.Sientok Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/17/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-031714-1649-99"&gt;W32.Davs Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/02/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-020215-2339-99"&gt;W32.Kiman Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/17/06&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2006-011712-3235-99"&gt;W32.Blackmal@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/02/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-120211-0059-99"&gt;W32.Secefa Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/10/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-111016-4134-99"&gt;Backdoor.Ryknos Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/03/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-110313-3626-99"&gt;Trojan.Lodear Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/20/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-102011-2304-99"&gt;Symantec Mobile Threats Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/22/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-092212-0315-99"&gt;W32.Pexmor@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/29/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-082923-3815-99"&gt;W32.Bobax@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/17/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-081710-5913-99"&gt;W32.Esbot Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/15/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-081514-1503-99"&gt;W32.Zotob Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/19/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-071915-1125-99"&gt;W32.Reatle@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/16/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-051616-4333-99"&gt;Trojan.Jasbom Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/29/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-042913-5937-99"&gt;Trojan.Vundo.B Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/13/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-041314-0809-99"&gt;W32.Mytob.AR@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/18/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-031816-0538-99"&gt;W32.Serflog Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/08/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-030810-3319-99"&gt;W32.Kelvir Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/07/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-030710-2610-99"&gt;W32.Serflog.A Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/28/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-022812-5045-99"&gt;W32.Mytob@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/03/05&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-020314-4918-99"&gt;W32.Bropia Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/17/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-121710-2614-99"&gt;W32.Envid@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/22/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-112210-3747-99"&gt;Trojan.Vundo Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/17/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-111709-3635-99"&gt;W32.Bofra@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/04/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-100409-4805-99"&gt;Adware.JustFindIt Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/10/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-081016-3824-99"&gt;Backdoor.Agent.B Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/04/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-080415-2028-99"&gt;W32.Evaman.C Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/14/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-061413-1012-99"&gt;W32.Erkez.B@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/02/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-060210-0238-99"&gt;W32.Korgo Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/20/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-052014-2525-99"&gt;W32.Donk.Q Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/06/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-050614-0532-99"&gt;Tool to reset shell\open\command registry keys&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/01/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-050114-1706-99"&gt;W32.Sasser Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/21/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-042114-1512-99"&gt;W32.Opasa@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/20/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-042009-2349-99"&gt;W32.Erkez@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/07/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-040713-0824-99"&gt;W32.Blackmal.B@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/02/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-040212-0747-99"&gt;W32.Gaobot.UJ Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/14/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-031414-1418-99"&gt;W32.Beagle.MO@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/18/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-021816-1759-99"&gt;W32.Netsky@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/30/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-013016-1823-99"&gt;W32.HLLW.Anig Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/27/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-012710-0202-99"&gt;W32.Mydoom@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/19/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-011916-0524-99"&gt;W32.Beagle@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/13/04&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-011316-4140-99"&gt;W32.Gaobot Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/29/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-102909-2446-99"&gt;W32.Sober Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/03/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-100312-1206-99"&gt;Trojan.Qhosts Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/19/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-091915-0601-99"&gt;W32.Swen.A@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/19/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-081915-0030-99"&gt;W32.Sobig.F@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/19/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-081913-3900-99"&gt;W32.Dumaru Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/18/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-081819-3333-99"&gt;W32.Welchia.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/11/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-081119-5051-99"&gt;W32.Blaster.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/08/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-080817-0712-99"&gt;Backdoor.Winshell.50 Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/01/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-080112-3312-99"&gt;W32.Mimail Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/27/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-062719-1340-99"&gt;W32.Mumu.B.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/25/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-062517-3319-99"&gt;W32.Sobig.E@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/16/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-061617-5117-99"&gt;W32.ExploreZip.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/06/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-060620-2209-99"&gt;W32.Femot.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/05/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-060518-0958-99"&gt;W32.Bugbear.B@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/04/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-060415-4145-99"&gt;Bat.Mumu.A.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;06/01/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-060109-2554-99"&gt;W32.Sobig.C Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/18/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-051817-4401-99"&gt;W32.Sobig.B Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/12/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-051214-3111-99"&gt;W32.HLLW.Fizzer Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/14/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-041421-4256-99"&gt;W32.HLLW.Nebiwo Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/24/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-022414-1011-99"&gt;W32.HLLW.Lovgate Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/25/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-012520-2612-99"&gt;W32.SQLExp.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/14/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-011422-2932-99"&gt;W32.Sobig.A@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/09/03&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2003-010919-5133-99"&gt;W32.Lirva Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/25/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-112522-1902-99"&gt;W32.HLLW.Winevar/W32.Funlove.4099 Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/15/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-111518-1429-99"&gt;W32.Brid.A@mm/W32.Funlove.4099 Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/01/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-100117-4923-99"&gt;W32.Bugbear@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/30/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-093020-3622-99"&gt;W32.Opaserv.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/01/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-080121-2943-99"&gt;W32.Magistr Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/16/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-071614-0543-99"&gt;W32.Frethem Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/03/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-070315-2942-99"&gt;W32.Yaha Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;05/10/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-051009-2117-99"&gt;Backdoor.Autoupder Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/18/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-041812-3406-99"&gt;W32.Klez Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/15/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-041517-4254-99"&gt;W2k.Stream Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/15/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-041507-4157-99"&gt;Wscript.Kakworm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;04/01/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-040116-4121-99"&gt;W32.Gibe@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/28/02&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2002-032812-2733-99"&gt;W32.Mylife Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/04/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-120415-2940-99"&gt;W32.Goner.A@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;11/28/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-112807-0949-99"&gt;W32.Badtrans.B@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;10/30/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-103004-2955-99"&gt;W32.Nimda.E@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;09/19/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-091923-0344-99"&gt;W32.Nimda.A@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;08/09/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-080908-4231-99"&gt;CodeRed Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/31/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-073120-4354-99"&gt;VBS.Potok@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/20/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-072013-2927-99"&gt;W32.Sircam.Worm@mm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;07/16/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-071615-4256-99"&gt;VBS.Haptime Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;03/09/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-030908-1521-99"&gt;DOS FunLove.4099 Fix Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;02/20/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-022013-1529-99"&gt;W32 HybrisF Fix Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/11/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-011112-1848-99"&gt;W95.CIH Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;01/06/01&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2001-010620-1613-99"&gt;W95.HybrisF Fix Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/22/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122210-3437-99"&gt;Fix W32.Funlove.4099 Tool (Cleanflc.exe)&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/22/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a 
href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122210-2208-99"&gt;VBS.Stages.A Fix&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/22/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122209-4441-99"&gt;VBS.LoveLetter Fix&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/22/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122209-2910-99"&gt;PrettyPark.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/21/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122115-5344-99"&gt;Happy99.Worm Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/21/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122109-3148-99"&gt;W32.Navidad Fix&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/20/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122016-0154-99"&gt;W32.Kriz Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/20/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122013-2020-99"&gt;Kak.Worm.B 
Fix&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/20/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-122012-4433-99"&gt;W32.HLLW.QAZ.A Fix&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(235, 235, 235);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/19/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-121913-3849-99"&gt;BuddyList Removal Tool&lt;/a&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr style="background-color: rgb(255, 255, 255);"&gt; &lt;td style="padding: 5px;" width="70px"&gt;12/15/00&lt;/td&gt;&lt;td style="padding: 5px;"&gt;&lt;a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2000-121512-3214-99"&gt;W95.MTX Fix Tool&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Norton AntiVirus 2003 Stays Lightweight for Regular Computers</title><link>http://atvidea.blogspot.com/2009/08/norton-antivirus-2003-stay-lightweight.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Thu, 13 Aug 2009 14:03:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-2316445398258919271</guid><description>Every computer has certain programs that are commonly installed: Office is always there, along with a music player such as WinAmp, WinZip, an image viewer such as ACDSee, and others. One of them is usually an antivirus, which guards the computer against viruses, whose numbers grow by the day. Antivirus software is important, so every computer should have at least one antivirus program, for example Norton AntiVirus 2003. Why do I profile Norton AntiVirus 2003? 
AntiVirus 2003 has light requirements for an ordinary computer, and the program automatically identifies viruses when a UFD (USB Flash Disk), floppy disk or CD-R is inserted into the computer. Like the latest version of Norton AntiVirus, it can detect the latest viruses, as long as you routinely update it from http://www.symantec.com/. The update can run automatically or through LiveUpdate. I usually get the update from the internet cafe where I play and take it home, so I do not need to download it, which saves a fair bit of money. I did install Norton AntiVirus versions 2004 and 2005, but they were very slow on my computer, so I still use Norton AntiVirus 2003, which remains light on low-specification computers. Just be sure to always update to the latest virus definitions. Often you cannot remove a new virus even after updating to the latest virus definitions; most of these are locally made viruses. Usually you have to wait several days or weeks before a local virus can be removed. The antivirus that usually responds fastest to a new local virus is Norman AntiVirus, but I do not like to use it because it offers less, meaning it does not have as many features as Norton AntiVirus, although it is light. The number of viruses added from 21 October 2004 to 6 November 2005 was 1030, including viruses that attack SymbianOS mobile phones, such as Cabir and Commwarrior. Remember that viruses are always targeting your computer, so the antivirus definitions on your computer need to be updated. Suggestion: always update to the latest definitions once every 1 or 2 weeks, or at most once a month. 
This keeps your computer protected from stubborn viruses. Advantages: automatic detection and many helpful features. Disadvantages: virus definition updates for the latest local viruses tend to arrive late.</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Light Tips for Protecting Your Computer from Viruses</title><link>http://atvidea.blogspot.com/2009/08/tips-ringan-melindungi-komputer-dari.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Thu, 13 Aug 2009 13:58:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-8025566363326026525</guid><description>Do you often use your computer to surf the virtual world (aka the Internet)? Then of course your computer is vulnerable to viruses, because a virus can come uninvited and all it does is damage files (it is called a virus, so of course it does damage ... haha). To protect your computer from viruses, you can use a reliable antivirus (which of course must be up to date), because an antivirus that is not up to date cannot work at its best and cannot detect new virus variants; in addition, you can use a firewall such as ZoneAlarm and other defenses to improve your computer's protection. Besides installing the above software, you can also protect the computer from viruses by hiding the .exe files that are usually part of the system. Here are the steps for hiding the .exe files on your computer; let's get straight to it:&lt;br /&gt;&lt;br /&gt;First, open Start and select Search. &lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;In the new window that appears, select All files and folders, type *.exe, select the C directory below it, and click Search. &lt;br /&gt;&lt;br /&gt;Once the results are found, select (block) all the files, right-click and select Properties. &lt;br /&gt;&lt;br /&gt;Check the Hidden option and select OK (this hides the files with the .exe extension) 
&lt;br /&gt;Then open Windows Explorer; in the Tools menu select Folder Options, select View, then under Hidden files and folders check Do not show hidden files and folders (its function is to not show files that are hidden), and after that click OK&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;Now, with the above, viruses will find it difficult to damage the system on your computer. To bring the files back, select Show hidden files and folders again in Tools (in Windows Explorer).</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Security 101: Look back to advance</title><link>http://atvidea.blogspot.com/2009/08/security-101-look-back-to-advance.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Wed, 12 Aug 2009 19:31:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-3921006655169563230</guid><description>&lt;p&gt;&lt;b&gt;The security landscape may be rapidly evolving, but the clue to standing a better chance in the fight against threats could be in looking back, not forward.&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;Chia Wing Fei, F-Secure's senior security response manager, pointed out in an e-mail interview, today's threats ring of themes such as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054017,00.htm" title="Viruses now penetrating deeper -- Wednesday, May 13, 2009"&gt;stealth, sophistication&lt;/a&gt; and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053053,00.htm" title="Researcher: Conficker is all about money -- Friday, Apr. 10, 2009"&gt;financial gain&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Eric Chong, regional marketing director at Trend Micro, said in an e-mail that cybercriminals have evolved their modus operandi not only in coming up with variants to penetrate existing security measures, but also by mirroring attacks "with the way users think about and use technology in day to day communication". 
For instance, attacks around a decade ago were via e-mail attachments; today, attackers have moved to shared devices and social networking platforms on the Web.&lt;/p&gt;  &lt;p&gt;Yet, according to Paul Ducklin, Asia-Pacific head of technology at Sophos, "modern cybercriminals aren't as novel and inventive as we sometimes credit them with being".&lt;/p&gt;&lt;p&gt;People, he noted in an e-mail, fail to learn from the past and end up falling victim to newer threats. "Modern threats like Conficker succeed by exploiting the same sort of holes, for example &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62052730,00.htm" title="Conficker woes call for strong passwords -- Tuesday, Mar. 31, 2009"&gt;unpatched computers and poor passwords&lt;/a&gt;, as the earliest network malware," he pointed out.&lt;/p&gt;  &lt;p&gt;Alwin Ow, Symantec's senior director of systems engineering in Asia-Pacific and Japan, concurred. "So far this year, Symantec has observed that older attack techniques have resurfaced and are part of the methods used in several recent and highly publicized threats such as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054271,00.htm" title="Deja vu: New scams hit Facebook and Twitter -- Friday, May 22, 2009"&gt;Koobface&lt;/a&gt;, &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm" title="Report: Conficker in attack mode -- Wednesday, Apr. 29, 2009"&gt;Conficker&lt;/a&gt; and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62055947,00.htm" title="Botnet worm in DOS attacks wipe data on infected PCs -- Monday, Jul. 13, 2009"&gt;Trojan.Dozer&lt;/a&gt;."&lt;/p&gt;  &lt;p&gt;In an attempt to get a better hold of current and potential attacks, ZDNet Asia finds out from Trend Micro five cyberthreats perceived to be the most dangerous in the last decade, and why.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;1. 
Conficker or Downadup&lt;/b&gt;&lt;br /&gt;Termed as Downad by Trend Micro, the first variant of the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62048654,00.htm" title="Internet worm exploits Windows vulnerability -- Thursday, Nov. 27, 2008"&gt;worm appeared in November 2008&lt;/a&gt;, targeting the MS08-067 vulnerability. It spawned several other variants, with each new one an improvement over the last. New propagation avenues were added, including USB drives. The worm has successfully generated 50,000 domains, of which it has connected to 500, noted Chong.&lt;/p&gt;  &lt;p&gt;Symantec's Ow added however, the first Conficker variant did not quite achieve the level of disruption it was capable of. The estimated infection was 500,000 "due to an aggressive infection routine and a sophisticated exploitation algorithm, which makes use of geolocation and OS fingerprinting", he explained.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;2. Koobface&lt;/b&gt;&lt;br /&gt;The Koobface worm first appeared in August 2008, &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62051782,00.htm" title="Facebook fights new Koobface worm, another rogue app -- Tuesday, Mar. 03, 2009"&gt;targeting social networking sites such as Facebook&lt;/a&gt; by infecting user profiles. Koobface possessed a dynamic update capability, allowing it to spread to other social networking sites and perform more malicious routines.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;3. Zbot&lt;/b&gt;&lt;br /&gt;The Trojan variants infect machines via e-mail or Web exploits. Underground research and documented cases reveal Zbot to be a thriving business where infected computers give up their owners' personal information--including credit card data--to remote servers run by cybercriminals.&lt;/p&gt;  &lt;p&gt;Zbot variants are especially damaging due to their ever-changing social engineering techniques, according to Trend Micro.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;4. 
Slammer&lt;/b&gt;&lt;br /&gt;The worm is notorious for drastically &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,39111300,00.htm" title="Slammer--the first 'Warhol' worm? -- Wednesday, Feb. 05, 2003"&gt;slowing down general Internet traffic in 2003&lt;/a&gt; despite being a solitary packet worm in memory, attacking without a file system component. It exploits a patched buffer overflow bug in MS SQL Server and Desktop Engine, and its trickling effects are still observed in current times.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;5. I Love You&lt;/b&gt;&lt;br /&gt;The Loveletter virus, also known as Love Bug, plagued inboxes in 2000 and infected some 10 percent of computers worldwide, with each system harboring an average of 600 infected files. It had a &lt;a href="http://www.zdnetasia.com/news/hardware/0,39042972,10036856,00.htm" title="Lessons of 'Love' virus still sinking in -- May 2001"&gt;destructive payload&lt;/a&gt;, overwriting files with multimedia file extensions.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Anti-Virus Firms Investigating Sexy-View Smartphone Worm</title><link>http://atvidea.blogspot.com/2009/08/anti-virus-firms-investigating-sexy.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Wed, 12 Aug 2009 19:30:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-2526426200731931987</guid><description>&lt;p&gt;In yet another example of how mobile malware is gaining momentum, a new variant of the Wily worm is making the rounds. It's spreading through text messages and researchers warn it may be a smartphone botnet in the making.&lt;/p&gt; &lt;p&gt;The attack spreads by appearing as a legit Symbian phone application, only users get dialed into a Trojan that pilfers subscriber, phone, and network information, and transmits that data to a Website. 
And, in keeping with the tradition of old-school mass-mailer Outlook worms, it spams SMS messages to the contacts in the user's phone. Nice.&lt;/p&gt; &lt;p&gt;And this bugger appears to be a signed app, so users are much more likely to get infected with only one click needed to authorize installation. And, as Gartner security analyst John Pescatore points out today in his post &lt;em&gt;&lt;a href="http://blogs.gartner.com/john_pescatore/2009/07/16/book-review-thursday-the-myth-of-the-responsible-user/"&gt;Myth of The Responsible User&lt;/a&gt;&lt;/em&gt;, we can't really rely on users to always do the right thing. &lt;/p&gt; &lt;p&gt;It seems this "Sexy View/Sexy Space" does something of an update, or attempts to update, upon network connection. And it's that characteristic that has researchers thinking it may be a botnet.&lt;/p&gt; &lt;p&gt;From today's &lt;em&gt;&lt;a href="http://www.darkreading.com/security/antivirus/showArticle.jhtml;jsessionid=KXFWBJNZ2V4SEQSNDLPCKHSCJUNN2JVN?articleID=218501042"&gt;Dark Reading&lt;/a&gt;&lt;/em&gt;:&lt;/p&gt; &lt;blockquote&gt;The so-called Sexy View/Sexy Space malware has researchers split over whether to officially call it a botnet. While Trend Micro says it's indeed a smartphone botnet, F-Secure is less convinced. "It's almost a stretch to call it a botnet, or at least a botnet in the sense that we normally think of them," says Patrik Runald, chief security advisor for F-Secure, which reported the first version of the worm to Symbian in February. &lt;p&gt;While the worm is able to update the SMS template it uses while spreading, it doesn't have other bot features, he says. "When we think of botnets, we think of a malicious program that calls home for further instructions," such as updating malware, attacking a Website, sending email, or installing an application, he says. 
"Sexy View does one of those features, which is the ability to update the SMS template it uses when spreading...But Sexy View doesn't have any of the other features we normally take for granted in a bot. So although it can be called a botnet, it's a very simple one with very limited, for now at least, functionality."&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;If you combine the capability of a worm like this with compromised and widely followed Twitter or Facebook accounts, we're off to the races.&lt;/p&gt; &lt;p&gt;I mean, really, who can refuse a Sexy View?&lt;/p&gt; &lt;p&gt;If you'd like to follow my mobile security and technology observations, you can find me (malware-free) on &lt;a href="http://www.twitter.com/georgevhulme"&gt;Twitter&lt;/a&gt;.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Conficker Worm Support Desk is Available 24/7 via Toll-free Number 1-800 237-3901</title><link>http://atvidea.blogspot.com/2009/08/conficker-worm-support-desk-is.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Wed, 12 Aug 2009 19:28:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-9168575008101861299</guid><description>&lt;span class="mainbodyfont"&gt;&lt;span class="mainbodyfont"&gt;&lt;b&gt;  &lt;span style="font-family:Arial, Helvetica, sans-serif;font-size:85%;"&gt;August 11, 2009 ( PowerHomeBiz.com )  &lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:Arial, Helvetica, sans-serif;font-size:85%;"&gt;  &lt;b&gt; &lt;/b&gt;&lt;/span&gt;&lt;span style="font-family:arial, helvetica;font-size:85%;"&gt;-   iYogi, a global direct to consumer and small business remote Best Computer
   Technical Support technical support provider has set up a dedicated support   desk for securing and protecting consumers against the Conficker (Conficker.c)   worm also known as Downadup or April Fools Worm. 
This fast spreading   computer worm has already said to have impacted millions of computers, and   expected to spread more aggressively in the coming days.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;     &lt;span 
style="font-family:Arial, Helvetica, sans-serif;font-size:85%;"&gt;  &lt;p&gt; &lt;/p&gt;   &lt;p&gt;iYogi's dedicated support desk has proactively reached its existing    base of 65,000 subscribers and helping other individuals and small    businesses that have been infected or would like to take the precaution    to protect themselves. &lt;/p&gt;    &lt;p&gt;iYogi's security experts can be reached instantly via Toll Free Number   1-800-237-3901 to sign-up for a subscription service that provides unlimited   access to technical support and virus removal, Virus and Spyware spyware   removal along with a free, anti-virus and anti-spyware software to protect,   secure and manage the computer and all connected devices. &lt;/p&gt;    &lt;p&gt;As the industry braces for the impact of the worm on April 1st, our   Microsoft Certified experts will help diagnose if your machine is infected,   update settings and definitions for your security software and install   Windows Operating System update to reduce the threat from the Conficker   worm. Our computer support service includes a free subscription to   anti-virus and anti-spyware software, in the scenario where the customer   does not have a subscription said Vishal Dhar, President Marketing for iYogi.  
&lt;/p&gt;    &lt;p&gt;Conficker worm is said to take advantage of the vulnerabilities in the   Windows Operating System environment and embeds itself into the computer and   spreads across the network. The worm restricts the computer from accessing   security updates and believed to have the capability to destroy and steal   data. Experts claim that the worm can also download additional code onto a   machine that is infected and is continuously evolving into variations,   thereby making attempts to fix it through automation more difficult. &lt;/p&gt;  &lt;p&gt;Potential indicators that Conficker Worm may have infected your PC   includes restricted access to Microsoft.com and websites of security vendors   like Symantec, McAfee, etc. and prevents the user from shutting down their   machines. 
&lt;/p&gt;    &lt;p&gt;About iYogi &lt;/p&gt;  &lt;p&gt;iYogi delivers live, comprehensive, 24/7 technical support services   directly to consumers and small businesses and is the first, global,   technical support brand based out of India. Providing an annual unlimited   subscription to technical support, iYogi now boasts of more than 65,000   customers. The company employs 600 professionals servicing customers in the   U.S., U.K., Canada, Australia and fast expanding to 12 new geographies   across the globe. &lt;/p&gt;    &lt;p&gt;iYogi's resolution rate of 87 percent and customer satisfaction rate of   95 % are amongst the highest published benchmarks in the industry. &lt;/p&gt;    &lt;p&gt;For further information, please visit - &lt;a href="http://www.iyogi.net/" target="_new" rel="nofollow"&gt;  http://www.iyogi.net&lt;/a&gt;  &lt;/p&gt;&lt;/span&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Smart Meter Worm Could Spread Like A Virus</title><link>http://atvidea.blogspot.com/2009/08/smart-meter-worm-could-spread-like.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Tue, 11 Aug 2009 21:07:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-1545621461407865005</guid><description>For a utility that’s in the process of installing smart meters, there are probably few things more terrifying than the simulation of a smart meter worm that &lt;a href="http://www.ioactive.com/"&gt;IOActive’s&lt;/a&gt; Mike Davis showed off at the annual security conference Black Hat on Thursday. During Davis’ presentation, he showed how he and his team at the security consulting firm created a simulation in which over a period of 24 hours about 15,000 out of 22,000 homes had their smart meters taken over by a worm that could render the device under the control of the worm’s designers.  
&lt;p&gt;Davis showed off a time-condensed version of the simulation using an overlay on Google Earth. At the beginning of the simulation there were 22,000 green pins on the image of the satellite map to signify actual plotted addresses in a metropolitan area; after the introduction of the smart meter worm, the majority of the pins quickly turned a shade of red, rapidly spreading from the point where the worm was introduced. The image was reminiscent of the introduction of infectious diseases and Davis said in a real world scenario the rate of the spread of the worm could be slower or faster considering a variety of technical conditions. &lt;span id="more-38203"&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Davis said the reason he could so easily hack and spread the worm in the simulation was because there was a fundamental design flaw in the specific meter model itself, though Davis wouldn’t name any individual manufacturers. Among other things, the meter he took over didn’t have the proper data encryption and didn’t know the difference between the meter next to it in the network or a device that was intended to wirelessly upgrade its software. “The guys that built this meter had a short term view of how it would work,” Davis said.&lt;/p&gt;  &lt;p&gt;The manufacturer used in the simulation didn’t take kindly to being told their security wasn’t up to snuff. 
Davis explained to the audience how when he told the manufacturer about the capabilities of the worm simulation, the first response from the meter maker was: “that’s impossible, our meters can’t spread something like that.” When Davis told them he had personally done this in his company’s security lab, the next response from the meter maker was: “how can you even access our meters,” to which Davis says he explained he bought it on eBay.&lt;/p&gt;  &lt;p&gt;Given Davis’ research has already &lt;a href="http://earth2tech.com/2009/07/28/smart-grid-spotlight-on-security/"&gt;gotten a lot of press (and negative reactions from some in the utility and energy industry) over the past month&lt;/a&gt;, Davis was cautious during his presentation. Over the past couple of months he seemed to have gone through a range of emotions, from the hacker-style joy of successfully being able to take over a system (he showed a photo of him and a colleague drinking champagne at 4AM the morning he “&lt;a href="http://en.wikipedia.org/wiki/Pwn"&gt;pwned&lt;/a&gt;” the meter) to an admitted sensitivity over wanting to explain to the utility and energy industry that the point of his exercise was to get them to take security seriously and patch the vulnerabilities. “Nobody [in that industry] likes me,” he said at one point in response to a question about whether or not he would do more research on parts of the smart grid network that were more under control of the utilities.&lt;/p&gt;  &lt;p&gt;But while the specific meter company didn’t respond well to Davis’ simulation, there are greater lessons for the industry. Davis explained in his presentation that once a worm started to spread in the manner of his simulation, “it’s hard to see how a vendor could react quickly enough.” The only effective response he could think of he said, was to have a kill switch that would just shut down the meter, to stop the spread. 
Members of the utility industry seemed to agree and queried Davis after his talk about their company’s own experiences with meter security. In addition meters should be designed to be recoverable from such an attack, and be as secure as the mechanical meters of the first generation of dumb meters, Davis said.&lt;/p&gt;  &lt;p&gt;Davis was also concerned with what someone could do with a large amount of meters under their control and reminded the audience that he didn’t research how the worm could be used as a weapon. After the presentation members of the audience discussed how turning on and off a large amount of meters — say, 50,000 meters and 3 MW worth of electricity — could cause problems for the stability of that section of the grid.&lt;/p&gt;  &lt;p&gt;At the end of the day the allocation of the smart grid stimulus funds has caused a rush to roll out smart meters and Davis is concerned that the speed in deployment could cause companies to be neglectful of proper security. There’s an attitude of “we’ll fix this later,” he explained. But as Davis’ worm simulation showed: no company wants the attention and financial and reputation problems, of a meter security incident.&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>W32/Lovsan.worm.a</title><link>http://atvidea.blogspot.com/2009/08/w32lovsanworma.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Tue, 11 Aug 2009 21:03:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-70544514735024675</guid><description>&lt;h4 class="tabsection-title"&gt;Overview -&lt;/h4&gt;&lt;p&gt;This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. 
While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.&lt;/p&gt;&lt;h4&gt;Aliases&lt;/h4&gt; &lt;ul&gt;&lt;li&gt;Lovesan&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;Lovsan.H (F-Secure)&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;msblast.exe&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;tftp&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32.Blaster.Worm (Symantec)&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32/Blaster.worm.a&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32/Blaster.worm.gen&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32/Blaster.worm.k&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32/Lovsan.worm &lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;W32/Lovsan.worm.gen &lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;Win32.Poza (CA)&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;Worm/Lovsan.G (Central Command)&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;WORM_MSBLAST.A (Trend)&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;WORM_MSBLAST.H (Trend)&lt;/li&gt;&lt;/ul&gt;  &lt;h3 class="access-aid"&gt;Characteristics&lt;/h3&gt; &lt;h4 class="tabsection-title"&gt;Characteristics -&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;-- Update 21 April 2004 --&lt;/strong&gt; &lt;br /&gt;A new variant was discovered and was proactively detected as &lt;a href="http://vil.nai.com/vil/content/v_100516.htm"&gt;Exploit-DcomRpc&lt;/a&gt;  with the 4289 DAT files when scanning compressed executables (default setting)&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;strong&gt;eschlp.exe&lt;/strong&gt;  (66,048 bytes) &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Detection for this variant as W32/Blaster.worm.k had been added to 4352 DATs and above. It propagates in the same way as previous variants. 
A backdoor dropped by this variant was detected as &lt;a href="http://vil.nai.com/vil/content/v_121073.htm"&gt;W32/Blaster.worm!backdoor&lt;/a&gt;  using the 4352 DATs and above.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;-- Update 11 March 2004 --&lt;br /&gt;&lt;/strong&gt; The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;-- Update 25 August 2003 --&lt;/strong&gt; &lt;br /&gt;The risk assessment of this threat was lowered to Medium due to a decrease in prevalence.&lt;/p&gt; &lt;p&gt;&lt;b&gt;-- Update 15 August 2003 --&lt;/b&gt; &lt;br /&gt;Microsoft has removed the DNS entry for &lt;b&gt;windowsupdate.com&lt;/b&gt; to prevent the Denial of Service attack against this domain. This does not prevent users from using Windows Update to patch their systems, as this is not the address used when clicking on the Windows Update link. &lt;/p&gt; &lt;p&gt;&lt;b&gt;-- Update 13 August 2003 --&lt;/b&gt; &lt;br /&gt;Two new variants were discovered and are detected exactly with the 4285 DAT files. &lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;teekids.exe&lt;/b&gt;  (5,360 bytes) [detected as W32/Lovsan.worm.b] &lt;/li&gt;&lt;li&gt;&lt;b&gt;penis32.exe&lt;/b&gt;  (7,200 bytes) [detected as Exploit-DcomRpc] &lt;/li&gt;&lt;/ul&gt; These are functionally similar to the original W32/Lovsan.worm.&lt;br /&gt;&lt;b&gt;--&lt;/b&gt;  &lt;p&gt;This threat was proactively detected as a variant of &lt;a href="http://vil.nai.com/vil/content/v_100516.htm"&gt;Exploit-DcomRpc&lt;/a&gt; with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default). &lt;/p&gt; &lt;p&gt;This threat exploits the &lt;a href="http://vil.nai.com/vil/content/v_100499.htm"&gt;MS03-026&lt;/a&gt; vulnerability. The purpose of the virus is to spread to as many machines as possible. 
By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing. &lt;/p&gt; &lt;p&gt;When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].) &lt;/p&gt; &lt;p&gt;Once run, the worm creates the registry key (may be either of the following): &lt;/p&gt; &lt;ul&gt;&lt;li&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\&lt;br /&gt;Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill &lt;/li&gt;&lt;/ul&gt; This will appear in regedit as: &lt;ul&gt;&lt;li&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\&lt;br /&gt;Run "windows auto update" = msblast.exe &lt;/li&gt;&lt;/ul&gt; Although Win9x/ME/NT/2K/XP can carry the virus, automatic execution and infection only occur on Win2K/XP. &lt;h3 class="access-aid"&gt;Symptoms&lt;/h3&gt; &lt;h4 class="tabsection-title"&gt;Symptoms - &lt;/h4&gt;&lt;p&gt;- Presence of unusual TFTP* files&lt;br /&gt;- Presence of the file &lt;b&gt;msblast.exe&lt;/b&gt;  in the WINDOWS SYSTEM32 directory&lt;br /&gt;- Error messages about the RPC service failing (causes system to reboot)&lt;br /&gt;- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (i.e. 2500-2520, 2501-2521, 2502-2522). 
The purpose of this action is unknown&lt;/p&gt; &lt;h3 class="access-aid"&gt;Method of Infection&lt;/h3&gt; &lt;h4 class="tabsection-title"&gt;Method of Infection - &lt;/h4&gt; &lt;p&gt;This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP. &lt;/p&gt;&lt;p&gt;When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause the buffer overflow. The code execution path after a buffer overflow is specific to files and their locations in memory on a target machine. &lt;/p&gt; &lt;p&gt;Normally that means that an exploit would only target a single OS - for example, Windows XP or Windows 2000, as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn - if it "guesses" correctly then it will infect your machine, if it "guesses" incorrectly then it will crash your machine! &lt;/p&gt; &lt;p&gt;The author didn't code anything for Windows NT 4, so therefore it will only crash this platform! &lt;/p&gt; &lt;p&gt;The worm contains a payload to initiate a Denial of Service attack against &lt;b&gt;windowsupdate.com&lt;/b&gt; after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted. &lt;/p&gt; &lt;p&gt;This payload involves sending 40 byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. 
The source IP address is spoofed on each packet, using a random local CLASS B IP. &lt;/p&gt; &lt;p&gt;Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan. &lt;/p&gt; &lt;p&gt;However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code. &lt;/p&gt; &lt;p&gt;Other symptoms may include: &lt;/p&gt; &lt;ul&gt;&lt;li&gt;inability to cut/paste &lt;/li&gt;&lt;li&gt;inability to move icons &lt;/li&gt;&lt;li&gt;Add/Remove Programs list empty &lt;/li&gt;&lt;li&gt;dll errors in most Microsoft Office programs &lt;/li&gt;&lt;li&gt;generally slow, or unresponsive system performance &lt;/li&gt;&lt;/ul&gt; By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. &lt;b&gt;It is very important that the machine is rebooted after the patch has been installed.&lt;/b&gt; The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pick up msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all. 
&lt;h3 class="access-aid"&gt;Removal - &lt;/h3&gt; &lt;h4 class="tabsection-title"&gt;Removal - &lt;/h4&gt; &lt;p&gt;&lt;b&gt;Microsoft Patches&lt;/b&gt;&lt;br /&gt;It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/security/incident/blast.asp" target="_blank"&gt;What You Should Know About the Blaster Worm&lt;/a&gt; &lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;&lt;b&gt;Virus Removal&lt;/b&gt; :&lt;br /&gt;Use the &lt;a href="http://www.networkassociates.com/us/downloads/updates/"&gt;current DAT file&lt;/a&gt; for detection and removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. 
Infected systems must be patched prior to removal of the virus (see below).&lt;/p&gt; &lt;!--&lt;p&gt;Alternatively, the following EXTRA.DAT packages are available.&lt;br /&gt;&lt;b&gt;&lt;a href="http://download.nai.com/products/mcafee-avert/100547.zip"&gt;EXTRA.DAT&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;a href="http://download.nai.com/products/mcafee-avert/sdat100547b.exe"&gt;SUPER EXTRA.DAT&lt;/a&gt;&lt;/b&gt;--&gt;&lt;p&gt;Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).&lt;/p&gt; &lt;p&gt;&lt;b&gt;&lt;a href="http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm" target="_blank"&gt;Additional Windows ME/XP removal considerations&lt;/a&gt; &lt;/b&gt; &lt;/p&gt; &lt;p&gt;&lt;b&gt;Stand alone remover&lt;/b&gt;&lt;br /&gt;&lt;a href="http://vil.nai.com/vil/stinger"&gt;Stinger&lt;/a&gt;  has been updated to include detection/removal of this threat.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Sniffer Customers:&lt;/b&gt;  A new &lt;a href="http://download.nai.com/products/mcafee-avert/sniffer/rpcexploitsnifferfilters.zip"&gt;filter&lt;/a&gt; has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).&lt;/p&gt; &lt;p&gt;&lt;b&gt;Manual Removal Instructions&lt;/b&gt;&lt;br /&gt;To remove this virus "by hand", follow these steps:&lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp"&gt;Apply the MS03-039 patch&lt;/a&gt;  (includes &lt;a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp"&gt;MS03-026&lt;/a&gt;  patch)&lt;/li&gt;&lt;li&gt;&lt;a href="http://vil.nai.com/vil/systemhelpdocs/endtask.htm" target="_blank"&gt;Terminate the process&lt;/a&gt;  
&lt;b&gt;msblast.exe&lt;/b&gt; &lt;/li&gt;&lt;li&gt;Delete the &lt;b&gt;msblast.exe&lt;/b&gt;  file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)&lt;/li&gt;&lt;li&gt;&lt;a href="http://vil.nai.com/vil/SystemHelpDocs/Regedit.htm" target="_blank"&gt;Edit the registry&lt;/a&gt; &lt;ul&gt;&lt;li&gt;Delete the "windows auto update" value from &lt;ul&gt;&lt;li&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run&lt;/li&gt;&lt;/ul&gt; &lt;/li&gt;&lt;/ul&gt; &lt;/li&gt;&lt;/ol&gt; &lt;b&gt;ThreatScan users&lt;/b&gt;&lt;br /&gt;&lt;span&gt;The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.&lt;/span&gt;   &lt;p&gt;&lt;span&gt;To update your ThreatScan installations with the latest signatures, perform the following tasks:&lt;/span&gt;  &lt;/p&gt; &lt;ol type="1"&gt;&lt;li&gt;&lt;span&gt;From within ePO open the “Policies” tab.&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;Select “McAfee ThreatScan” and then select “Scan Options”&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;In the pane below click the “Launch AutoUpdater” button.&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;Using the default settings proceed through the dialogs that appear. 
Upon successful completion of the update a message will appear stating that update 2003-08-12 has completed successfully.&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;From within ePO create a new “AutoUpdate on Agent(s)” task.&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;Go into the settings for this task and ensure that the host field is set to &lt;i&gt;&lt;u&gt;ftp.nai.com&lt;/u&gt;&lt;/i&gt;, the path is set to &lt;i&gt;/pub/security/tsc20/updates/winnt/&lt;/i&gt;  and that the user and password fields are both set to &lt;i&gt;ftp&lt;/i&gt;. Note that “tsc20” in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is “tsc25”.&lt;/span&gt;  &lt;/li&gt;&lt;li&gt;&lt;span&gt;Launch this task against all agent machines. &lt;/span&gt; &lt;/li&gt;&lt;li&gt;&lt;span&gt;When the task(s) complete, information will be available in the “Task Status Details” report.&lt;/span&gt;  &lt;/li&gt;&lt;/ol&gt; &lt;span&gt;&lt;p&gt;&lt;span&gt;To create and execute a new task with the new Hot Fix functionality do the following:&lt;/span&gt; &lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;span&gt;Create a new ThreatScan task.&lt;/span&gt; &lt;/li&gt;&lt;li&gt;&lt;span&gt;Edit the settings of this task.&lt;/span&gt; &lt;/li&gt;&lt;li&gt;&lt;span&gt;Edit the “Task option”, “Host IP Range” to include all desired machines to scan.&lt;/span&gt; &lt;/li&gt;&lt;li&gt;&lt;span&gt;Select the “Remote Infection Detection” category and “Windows Virus Checks” template.&lt;br /&gt;-or-&lt;br /&gt;&lt;/span&gt; &lt;span&gt;Select the “Other” category and “Scan All Vulnerabilities” template.&lt;/span&gt; &lt;/li&gt;&lt;li&gt;&lt;span&gt;Launch the scan.&lt;/span&gt; &lt;/li&gt;&lt;/ol&gt; &lt;/span&gt;  &lt;h3 class="access-aid"&gt;Variants&lt;/h3&gt; &lt;h4 class="tabsection-title"&gt;Variants - &lt;/h4&gt; &lt;ul&gt;&lt;li&gt;W32/Lovsan.worm.g&lt;/li&gt;&lt;li&gt;W32/Lovsan.worm.k&lt;/li&gt;&lt;/ul&gt;</description><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Virus alert about the Win32/Conficker worm</title><link>http://atvidea.blogspot.com/2009/08/virus-alert-about-win32conficker-worm.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Tue, 11 Aug 2009 20:47:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-8194385622170640948</guid><description>The information in this Knowledge Base article is intended for business environments that have system administrators who can implement the details in this article. There is no reason to use this article if your antivirus program is cleaning the virus correctly and if your systems are fully updated. To confirm that the system is clean of the Conficker virus, perform a quick scan from the following Web page: &lt;div class="indent"&gt;&lt;a href="http://safety.live.com/"&gt;http://safety.live.com&lt;/a&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;     For detailed information about the Conficker virus, visit the following Microsoft Web page:   &lt;div class="indent"&gt;&lt;span class="ll"&gt;&lt;a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker"&gt;http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker&lt;/a&gt;&lt;/span&gt;&lt;span class="kb_space"&gt;&lt;br /&gt;&lt;/span&gt;If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms: &lt;ul&gt;&lt;li&gt;Account lockout policies are being tripped. 
&lt;/li&gt;&lt;li&gt;Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled. &lt;/li&gt;&lt;li&gt;Domain controllers respond slowly to client requests. &lt;/li&gt;&lt;li&gt;The network is congested. &lt;/li&gt;&lt;li&gt;Various security-related Web sites cannot be accessed. &lt;/li&gt;&lt;li&gt;Various security-related tools will not run. For a list of known tools, visit the following Microsoft Web page, and then click the &lt;strong class="uiterm"&gt;Analysis&lt;/strong&gt; tab for information about Win32/Conficker.D. For more information, visit the following Microsoft Web page: &lt;div class="indent"&gt;&lt;span class="ll"&gt;&lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D"&gt;http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D&lt;/a&gt;&lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;  For more information about Win32/Conficker, visit the following Microsoft Malware Protection Center Web page: &lt;div class="indent"&gt;&lt;span class="ll"&gt;&lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker"&gt;http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker&lt;/a&gt;&lt;/span&gt;&lt;span class="kb_space"&gt;&lt;br /&gt;&lt;/span&gt;Win32/Conficker has multiple propagation methods. 
These include the following: &lt;ul&gt;&lt;li&gt;Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)&lt;/li&gt;&lt;li&gt;The use of network shares&lt;/li&gt;&lt;li&gt;The use of AutoPlay functionality&lt;/li&gt;&lt;/ul&gt; Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been cleaned.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Use strong administrator passwords that are unique for all computers.&lt;/li&gt;&lt;li&gt;Do not log on to computers by using Domain Admin credentials or credentials that have access to all computers.&lt;/li&gt;&lt;li&gt;Make sure all systems have the latest security updates applied.&lt;/li&gt;&lt;li&gt;Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy object" section.&lt;/li&gt;&lt;li&gt;Remove excessive rights to shares. This includes removing write permissions to the root of any share.&lt;/li&gt;&lt;li&gt;&lt;h3 id="tocHeadRef"&gt;Stop Win32/Conficker from spreading by using Group Policy settings&lt;/h3&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Important&lt;/b&gt; Make sure that you document any current settings before you make any of the changes that are suggested in this article. &lt;/li&gt;&lt;li&gt;This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. 
Or, follow the steps in the "&lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#Manualsteps"&gt;Manual steps to remove the Win32/Conficker virus&lt;/a&gt;&lt;/span&gt;" section of this Knowledge Base article to manually remove the malware from the system.        &lt;/li&gt;&lt;li&gt;You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.&lt;/li&gt;&lt;li&gt; For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the &lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#DPTable"&gt;Default permissions table&lt;/a&gt;&lt;/span&gt; at the end of this article&lt;/li&gt;&lt;li&gt;&lt;h3 id="tocHeadRef"&gt;Create a Group Policy object&lt;/h3&gt;&lt;script type="text/javascript"&gt;                 loadTOCNode(2, 'summary');             &lt;/script&gt; Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;/li&gt;&lt;li&gt;Set the policy to remove write permissions to the following registry subkey: &lt;div class="indent"&gt; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost &lt;/div&gt; This prevents the randomly named malware service from being created in the netsvcs registry value.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Open the Group Policy Management Console (GPMC). 
&lt;/li&gt;&lt;li type="a"&gt;Create a new GPO. Give it any name that you want. &lt;/li&gt;&lt;li type="a"&gt;Open the new GPO, and then move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Windows Settings\Security Settings\Registry&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Right-click &lt;strong class="uiterm"&gt;Registry&lt;/strong&gt;, and then click &lt;strong class="uiterm"&gt;Add Key&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Select Registry Key&lt;/strong&gt; dialog box, expand &lt;strong class="uiterm"&gt;Machine&lt;/strong&gt;, and then move to the following folder: &lt;div class="indent"&gt; Software\Microsoft\Windows NT\CurrentVersion\Svchost&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the dialog box that opens, click to clear the &lt;strong class="uiterm"&gt;Full Control&lt;/strong&gt; check box for both &lt;strong class="uiterm"&gt;Administrators&lt;/strong&gt; and &lt;strong class="uiterm"&gt;System&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add Object&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Replace existing permissions on all subkeys with inheritable permissions&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Set the policy to remove write permissions to the %windir%\Tasks folder. 
This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In the same GPO that you created earlier, move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Windows Settings\Security Settings\File System&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Right-click &lt;strong class="uiterm"&gt;File System&lt;/strong&gt;, and then click &lt;strong class="uiterm"&gt;Add File&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add a file or folder&lt;/strong&gt; dialog box, browse to the %windir%\Tasks folder. Make sure that &lt;strong class="uiterm"&gt;Tasks&lt;/strong&gt; is highlighted and listed in the &lt;strong class="uiterm"&gt;Folder&lt;/strong&gt; dialog box. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the dialog box that opens, click to clear the check boxes for &lt;strong class="uiterm"&gt;Full Control&lt;/strong&gt;, &lt;strong class="uiterm"&gt;Modify&lt;/strong&gt;, and &lt;strong class="uiterm"&gt;Write&lt;/strong&gt; for both &lt;strong class="uiterm"&gt;Administrators&lt;/strong&gt; and &lt;strong class="uiterm"&gt;System&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Add Object&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Replace existing permissions on all subkeys with inheritable permissions&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Set AutoPlay (Autorun) features to disabled. 
This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality: &lt;ul&gt;&lt;li&gt;To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update &lt;a href="http://support.microsoft.com/kb/950582"&gt;950582&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/950582)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt; installed (described in security bulletin MS08-038). &lt;/li&gt;&lt;li&gt;To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update &lt;a href="http://support.microsoft.com/kb/950582"&gt;950582&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/950582)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;, update &lt;a href="http://support.microsoft.com/kb/967715"&gt;967715&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/967715)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;, or update &lt;a href="http://support.microsoft.com/kb/953252"&gt;953252&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/953252)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt; installed.&lt;/li&gt;&lt;/ul&gt;      To set AutoPlay (Autorun) features to disabled, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In the same GPO that you created earlier, move to one of the following folders: &lt;ul&gt;&lt;li&gt;For a Windows Server 2003 domain, move to the following folder:  &lt;div class="indent"&gt; Computer Configuration\Administrative Templates\System&lt;/div&gt;&lt;/li&gt;&lt;li&gt;For a Windows 2008 domain, move to the following folder:  
&lt;div class="indent"&gt; Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li type="a"&gt;Open the &lt;strong class="uiterm"&gt;Turn off Autoplay&lt;/strong&gt; policy. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Turn off Autoplay&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Enabled&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the drop-down menu, click &lt;strong class="uiterm"&gt;All drives&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Close the Group Policy Management Console. &lt;/li&gt;&lt;li&gt;Link the newly created GPO to the location that you want it to apply to. &lt;/li&gt;&lt;li&gt;Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment. &lt;/li&gt;&lt;li&gt; After the Group Policy settings have propagated, clean the systems of malware.&lt;br /&gt;&lt;br /&gt;To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Run full antivirus scans on all computers. &lt;/li&gt;&lt;li type="a"&gt;If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. 
For more information, visit the following Microsoft Web page: &lt;div class="indent"&gt;&lt;a href="http://www.microsoft.com/security/malwareremove/default.mspx"&gt;http://www.microsoft.com/security/malwareremove/default.mspx&lt;/a&gt;&lt;span class="pLink"&gt;             (http://www.microsoft.com/security/malwareremove/default.mspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;b&gt;Note&lt;/b&gt; You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "&lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#Manualsteps"&gt;Manual steps to remove the Win32/Conficker virus&lt;/a&gt;&lt;/span&gt;" section of this article to clean up all the effects of the malware. &lt;/li&gt;&lt;li type="a"&gt;&lt;h3 id="tocHeadRef"&gt;Run the Malicious Software Removal tool&lt;/h3&gt;&lt;script type="text/javascript"&gt;                 loadTOCNode(2, 'summary');             &lt;/script&gt; The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; The MSRT does not prevent reinfection because it is not a real-time antivirus program.  
&lt;br /&gt;&lt;br /&gt;You can download the MSRT from either of the following Microsoft Web sites: &lt;div class="indent"&gt;&lt;a href="http://www.update.microsoft.com/"&gt;http://www.update.microsoft.com&lt;/a&gt;&lt;span class="pLink"&gt;             (http://www.update.microsoft.com)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://support.microsoft.com/kb/890830"&gt;http://support.microsoft.com/kb/890830&lt;/a&gt;&lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/890830)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;For more information about specific deployment details for the MSRT, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/891716/"&gt;891716&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/891716/                         )         &lt;/span&gt; Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment &lt;/div&gt;&lt;b&gt;Note&lt;/b&gt; The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support. To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site: &lt;div class="indent"&gt;&lt;a href="http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx"&gt;http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx&lt;/a&gt;&lt;span class="pLink"&gt;             (http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;If Windows Live OneCare or Microsoft Forefront Client Security is running on the system, these programs also block the threat before it is installed. 
&lt;/li&gt;&lt;li type="a"&gt;&lt;h3 id="tocHeadRef"&gt; Manual steps to remove the Win32/Conficker virus&lt;/h3&gt;&lt;script type="text/javascript"&gt;                 loadTOCNode(2, 'summary');             &lt;/script&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;/li&gt;&lt;li&gt;These manual steps are not required any longer and should only be used if you have no antivirus software to remove the Conficker virus.&lt;/li&gt;&lt;li&gt;Depending on the Win32/Conficker variant that the computer is infected with, some of these values referred to in this section may not have been changed by the virus.&lt;/li&gt;&lt;/ol&gt;     The following detailed steps can help you manually remove Conficker from a system: &lt;/li&gt;&lt;li&gt;Log on to the system by using a local account.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Important&lt;/b&gt; Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows for the malware to spread. &lt;/li&gt;&lt;li&gt; Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.&lt;br /&gt;&lt;br /&gt;To stop the Server service, use the Services Microsoft Management Console (MMC). 
To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Depending on your system, do the following: &lt;ul&gt;&lt;li&gt;In Windows Vista and Windows Server 2008, click &lt;strong class="uiterm"&gt;Start&lt;/strong&gt;, type &lt;span class="userInput"&gt;services.msc&lt;/span&gt; in the &lt;strong class="uiterm"&gt;Start Search&lt;/strong&gt; box, and then click &lt;b&gt;services.msc&lt;/b&gt; in the &lt;b&gt;Programs&lt;/b&gt; list. &lt;/li&gt;&lt;li&gt; In Windows 2000, Windows XP, and Windows Server 2003, click &lt;strong class="uiterm"&gt;Start&lt;/strong&gt;, click &lt;strong class="uiterm"&gt;Run&lt;/strong&gt;, type &lt;span class="userInput"&gt;services.msc&lt;/span&gt;, and then click &lt;b&gt;OK&lt;/b&gt;. &lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li type="a"&gt;Double-click &lt;b&gt;Server&lt;/b&gt;. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;Stop&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Select &lt;strong class="uiterm"&gt;Disabled&lt;/strong&gt; in the &lt;strong class="uiterm"&gt;Startup type&lt;/strong&gt; box. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;Apply&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Remove all AT-created scheduled tasks. To do this, type &lt;span class="userInput"&gt;AT /Delete /Yes&lt;/span&gt; at a command prompt. &lt;/li&gt;&lt;li&gt; Stop the Task Scheduler service. &lt;ul&gt;&lt;li&gt;To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility. &lt;/li&gt;&lt;li&gt; To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Important&lt;/b&gt; This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. 
For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/322756/"&gt;322756&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/322756/                         )         &lt;/span&gt; How to back up and restore the registry in Windows &lt;/div&gt;&lt;ol&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;Start&lt;/strong&gt;, type &lt;span class="userInput"&gt;regedit&lt;/span&gt; in the &lt;strong class="uiterm"&gt;Start Search&lt;/strong&gt; box, and then click &lt;strong class="uiterm"&gt;regedit.exe&lt;/strong&gt; in the &lt;strong class="uiterm"&gt;Programs&lt;/strong&gt; list. &lt;/li&gt;&lt;li type="a"&gt;Locate and then click the following registry subkey: &lt;div class="indent"&gt; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule &lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;In the details pane, right-click the &lt;strong class="uiterm"&gt;Start&lt;/strong&gt; DWORD entry, and then click &lt;strong class="uiterm"&gt;Modify&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Value data&lt;/strong&gt; box, type &lt;span class="userInput"&gt;4&lt;/span&gt;, and then click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;Exit Registry Editor, and then restart the computer. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; The Task Scheduler service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on Windows Vista and Windows Server 2008 because this step will affect various built-in Scheduled Tasks. As soon as the environment is cleaned up, re-enable the Server service. 
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site: &lt;div class="indent"&gt;&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&lt;/a&gt;&lt;span class="pLink"&gt;             (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;b&gt;Note&lt;/b&gt; This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.&lt;/li&gt;&lt;li&gt;Reset any Local Admin and Domain Admin passwords to use a new strong password. 
For more information, visit the following Microsoft Web site: &lt;div class="indent"&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc875814.aspx"&gt;http://technet.microsoft.com/en-us/library/cc875814.aspx&lt;/a&gt;&lt;span class="pLink"&gt;             (http://technet.microsoft.com/en-us/library/cc875814.aspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;In Registry Editor, locate and then click the following registry subkey: &lt;div class="indent"&gt; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost &lt;/div&gt;&lt;/li&gt;&lt;li&gt;In the details pane, right-click the &lt;strong class="uiterm"&gt;netsvcs&lt;/strong&gt; entry, and then click &lt;strong class="uiterm"&gt;Modify&lt;/strong&gt;. &lt;/li&gt;&lt;li&gt;If the computer is infected with the Win32/Conficker virus, a random service name will be listed.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at the bottom, compare your system with the "Services table" in this procedure to determine which service name may have been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not to be infected.&lt;br /&gt;&lt;br /&gt;Note the name of the malware service. You will need this information later in this procedure. &lt;/li&gt;&lt;li&gt;Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. 
&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Notes about the Services table&lt;/b&gt;&lt;ul&gt;&lt;li&gt;All the entries in the Services table are valid entries, except for the items that are highlighted in bold.&lt;/li&gt;&lt;li&gt;The items that are highlighted in bold are examples of what the Win32/Conficker virus may add to the netsvcs value in the SVCHOST registry key.&lt;/li&gt;&lt;li&gt;This may not be a complete list of services, depending on what is installed on the system.&lt;/li&gt;&lt;li&gt;The Services table is from a default installation of Windows. &lt;/li&gt;&lt;li&gt;The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The first letter of the highlighted, malicious entry is supposed to resemble a lowercase "L." However, it is actually an uppercase "I." Because of the font that is used by the operating system, the uppercase "I" seems to be a lowercase "L."&lt;/li&gt;&lt;/ul&gt;&lt;h4 id="tocHeadRef"&gt;Services table&lt;/h4&gt;&lt;div nwidth="490" style="width: 490px;" owidth="785" class="kb_outertablewrapper kb_outertablewrapper_closed"&gt;&lt;div class="kb_tablewrapper"&gt;&lt;table class="table" cellspacing="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Windows Server 2008&lt;/th&gt;&lt;th&gt;Windows Vista&lt;/th&gt;&lt;th&gt;Windows Server 2003&lt;/th&gt;&lt;th&gt;Windows XP&lt;/th&gt;&lt;th&gt;Windows 
2000&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AeLookupSvc&lt;/td&gt;&lt;td&gt;AeLookupSvc&lt;/td&gt;&lt;td&gt;AppMgmt&lt;/td&gt;&lt;td&gt;6to4&lt;/td&gt;&lt;td&gt;EventSystem&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;wercplsupport&lt;/td&gt;&lt;td&gt;wercplsupport&lt;/td&gt;&lt;td&gt;AudioSrv&lt;/td&gt;&lt;td&gt;AppMgmt&lt;/td&gt;&lt;td&gt;Ias&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Themes&lt;/td&gt;&lt;td&gt;Themes&lt;/td&gt;&lt;td&gt;Browser&lt;/td&gt;&lt;td&gt;AudioSrv&lt;/td&gt;&lt;td&gt;Iprip&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CertPropSvc&lt;/td&gt;&lt;td&gt;CertPropSvc&lt;/td&gt;&lt;td&gt;CryptSvc&lt;/td&gt;&lt;td&gt;Browser&lt;/td&gt;&lt;td&gt;Irmon&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;SCPolicySvc&lt;/td&gt;&lt;td&gt;SCPolicySvc&lt;/td&gt;&lt;td&gt;DMServer&lt;/td&gt;&lt;td&gt;CryptSvc&lt;/td&gt;&lt;td&gt;Netman&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;lanmanserver&lt;/td&gt;&lt;td&gt;lanmanserver&lt;/td&gt;&lt;td&gt;EventSystem&lt;/td&gt;&lt;td&gt;DMServer&lt;/td&gt;&lt;td&gt;Nwsapagent&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;gpsvc&lt;/td&gt;&lt;td&gt;gpsvc&lt;/td&gt;&lt;td&gt;HidServ&lt;/td&gt;&lt;td&gt;DHCP&lt;/td&gt;&lt;td&gt;Rasauto&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;IKEEXT&lt;/td&gt;&lt;td&gt;IKEEXT&lt;/td&gt;&lt;td&gt;Ias&lt;/td&gt;&lt;td&gt;ERSvc&lt;/td&gt;&lt;td&gt;&lt;b&gt;Iaslogon&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AudioSrv&lt;/td&gt;&lt;td&gt;AudioSrv&lt;/td&gt;&lt;td&gt;Iprip&lt;/td&gt;&lt;td&gt;EventSystem&lt;/td&gt;&lt;td&gt;Rasman&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;FastUserSwitchingCompatibility&lt;/td&gt;&lt;td&gt;FastUserSwitchingCompatibility&lt;/td&gt;&lt;td&gt;Irmon&lt;/td&gt;&lt;td&gt;FastUserSwitchingCompatibility&lt;/td&gt;&lt;td&gt;Remoteaccess&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ias&lt;/td&gt;&lt;td&gt;Ias&lt;/td&gt;&lt;td&gt;LanmanServer&lt;/td&gt;&lt;td&gt;HidServ&lt;/td&gt;&lt;td&gt;SENS&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Irmon&lt;/td&gt;&lt;td&gt;Irmon&lt;/td&gt;
&lt;td&gt;LanmanWorkstation&lt;/td&gt;&lt;td&gt;Ias&lt;/td&gt;&lt;td&gt;Sharedaccess&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Nla&lt;/td&gt;&lt;td&gt;Nla&lt;/td&gt;&lt;td&gt;Messenger&lt;/td&gt;&lt;td&gt;Iprip&lt;/td&gt;&lt;td&gt;Ntmssvc&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ntmssvc&lt;/td&gt;&lt;td&gt;Ntmssvc&lt;/td&gt;&lt;td&gt;Netman&lt;/td&gt;&lt;td&gt;Irmon&lt;/td&gt;&lt;td&gt;wzcsvc&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;NWCWorkstation&lt;/td&gt;&lt;td&gt;NWCWorkstation&lt;/td&gt;&lt;td&gt;Nla&lt;/td&gt;&lt;td&gt;LanmanServer&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Nwsapagent&lt;/td&gt;&lt;td&gt;Nwsapagent&lt;/td&gt;&lt;td&gt;Ntmssvc&lt;/td&gt;&lt;td&gt;LanmanWorkstation&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Rasauto&lt;/td&gt;&lt;td&gt;Rasauto&lt;/td&gt;&lt;td&gt;NWCWorkstation&lt;/td&gt;&lt;td&gt;Messenger&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Rasman&lt;/td&gt;&lt;td&gt;Rasman&lt;/td&gt;&lt;td&gt;Nwsapagent&lt;/td&gt;&lt;td&gt;Netman&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;Iaslogon&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Iaslogon&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Iaslogon&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Iaslogon&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Remoteaccess&lt;/td&gt;&lt;td&gt;Remoteaccess&lt;/td&gt;&lt;td&gt;Rasauto&lt;/td&gt;&lt;td&gt;Nla&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;SENS&lt;/td&gt;&lt;td&gt;SENS&lt;/td&gt;&lt;td&gt;Rasman&lt;/td&gt;&lt;td&gt;Ntmssvc&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Sharedaccess&lt;/td&gt;&lt;td&gt;Sharedaccess&lt;/td&gt;&lt;td&gt;Remoteaccess&lt;/td&gt;&lt;td&gt;NWCWorkstation&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;SRService&lt;/td&gt;&lt;td&gt;SRService&lt;/td&gt;&lt;td&gt;Sacsvr&lt;/td&gt;&lt;td&gt;Nwsapagent&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Tapisrv&lt;/td&gt;&lt;td&gt;Tapisrv&lt;/td&gt;&lt;td&gt;Schedule&lt;/td&gt;&lt;td&gt;Rasauto&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Wmi&lt;/td&gt;&lt;td&gt;Wmi&lt;/td&gt;&lt;td&gt;Seclogon&lt;/td&gt;&lt;td&gt;Rasman&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;WmdmPmSp&lt;/td&gt;&lt;td&gt;WmdmPmSp&lt;/td&gt;&lt;td&gt;SENS&lt;/td&gt;&lt;td&gt;Remoteaccess&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;TermService&lt;/td&gt;&lt;td&gt;TermService&lt;/td&gt;&lt;td&gt;Sharedaccess&lt;/td&gt;&lt;td&gt;Schedule&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;wuauserv&lt;/td&gt;&lt;td&gt;wuauserv&lt;/td&gt;&lt;td&gt;Themes&lt;/td&gt;&lt;td&gt;Seclogon&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;BITS&lt;/td&gt;&lt;td&gt;BITS&lt;/td&gt;&lt;td&gt;TrkWks&lt;/td&gt;&lt;td&gt;SENS&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;ShellHWDetection&lt;/td&gt;&lt;td&gt;ShellHWDetection&lt;/td&gt;&lt;td&gt;TrkSvr&lt;/td&gt;&lt;td&gt;Sharedaccess&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;LogonHours&lt;/td&gt;&lt;td&gt;LogonHours&lt;/td&gt;&lt;td&gt;W32Time&lt;/td&gt;&lt;td&gt;SRService&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;PCAudit&lt;/td&gt;&lt;td&gt;PCAudit&lt;/td&gt;&lt;td&gt;WZCSVC&lt;/td&gt;&lt;td&gt;Tapisrv&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;helpsvc&lt;/td&gt;&lt;td&gt;helpsvc&lt;/td&gt;&lt;td&gt;Wmi&lt;/td&gt;&lt;td&gt;Themes&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;uploadmgr&lt;/td&gt;&lt;td&gt;uploadmgr&lt;/td&gt;&lt;td&gt;WmdmPmSp&lt;/td&gt;&lt;td&gt;TrkWks&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;iphlpsvc&lt;/td&gt;&lt;td&gt;iphlpsvc&lt;/td&gt;&lt;td&gt;winmgmt&lt;/td&gt;&lt;td&gt;W32Time&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;seclogon&lt;/td&gt;&lt;td&gt;seclogon&lt;/td&gt;&lt;td&gt;wuauserv&lt;/td&gt;&lt;td&gt;WZCSVC&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AppInfo&lt;/td&gt;&lt;td&gt;AppInfo&lt;/td&gt;&lt;td&gt;BITS&lt;/td&gt;&lt;td&gt;Wmi&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;msiscsi&lt;/td&gt;&lt;td&gt;msiscsi&lt;/td&gt;&lt;td&gt;ShellHWDetection&lt;/td&gt;&lt;td&gt;WmdmPmSp&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;MMCSS&lt;/td&gt;&lt;td&gt;MMCSS&lt;/td&gt;&lt;td&gt;uploadmgr&lt;/td&gt;&lt;td&gt;winmgmt&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;browser&lt;/td&gt;&lt;td&gt;ProfSvc&lt;/td&gt;&lt;td&gt;WmdmPmSN&lt;/td&gt;&lt;td&gt;TermService&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;winmgmt&lt;/td&gt;&lt;td&gt;EapHost&lt;/td&gt;&lt;td&gt;xmlprov&lt;/td&gt;&lt;td&gt;wuauserv&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;SessionEnv&lt;/td&gt;&lt;td&gt;winmgmt&lt;/td&gt;&lt;td&gt;AeLookupSvc&lt;/td&gt;&lt;td&gt;BITS&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;ProfSvc&lt;/td&gt;&lt;td&gt;schedule&lt;/td&gt;&lt;td&gt;helpsvc&lt;/td&gt;&lt;td&gt;ShellHWDetection&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;EapHost&lt;/td&gt;&lt;td&gt;SessionEnv&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;helpsvc&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;hkmsvc&lt;/td&gt;&lt;td&gt;browser&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;xmlprov&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;schedule&lt;/td&gt;&lt;td&gt;hkmsvc&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;wscsvc&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AppMgmt&lt;/td&gt;&lt;td&gt;AppMgmt&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;WmdmPmSN&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;sacsvr&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;hkmsvc&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "Iaslogon." Using this information, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In Registry Editor, locate and then click the following registry subkey, where &lt;var&gt;BadServiceName&lt;/var&gt; is the name of the malware service: &lt;div class="indent"&gt;&lt;strong class="uiterm"&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;var&gt;BadServiceName&lt;/var&gt;&lt;/strong&gt;&lt;/div&gt; For example, locate and then click the following registry subkey: &lt;div class="indent"&gt;&lt;strong class="uiterm"&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iaslogon&lt;/strong&gt;&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Right-click the subkey in the navigation pane for the malware service name, and then click &lt;strong class="uiterm"&gt;Permissions&lt;/strong&gt;. &lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Permissions Entry for SvcHost&lt;/strong&gt; dialog box, click &lt;strong class="uiterm"&gt;Advanced&lt;/strong&gt;. 
&lt;/li&gt;&lt;li type="a"&gt;In the &lt;strong class="uiterm"&gt;Advanced Security Settings&lt;/strong&gt; dialog box, click to select both of the following check boxes: &lt;div class="indent"&gt;&lt;strong class="uiterm"&gt;Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong class="uiterm"&gt;Replace permission entries on all child objects with entries shown here that apply to child objects.&lt;/strong&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll." To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Double-click the ServiceDll entry. &lt;/li&gt;&lt;li type="a"&gt;Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following: &lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt; %SystemRoot%\System32\doieuln.dll&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt; Rename the reference to resemble the following: &lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt; %SystemRoot%\System32\doieuln.old&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt; Remove the malware service entry from the &lt;strong class="uiterm"&gt;Run&lt;/strong&gt; subkey in the registry. 
&lt;ol&gt;&lt;li type="a"&gt;In Registry Editor, locate and then click the following registry subkeys: &lt;div class="indent"&gt; HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&lt;br /&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 12b. Delete the entry. &lt;/li&gt;&lt;li type="a"&gt;Exit Registry Editor, and then restart the computer. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that it is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file. &lt;div class="kb_codebody"&gt;&lt;div class="kb_codecontent"&gt;&lt;code&gt;&lt;/code&gt;&lt;pre class="code"&gt;[autorun]&lt;br /&gt;&lt;br /&gt;shellexecute=Servers\splash.hta *DVD*&lt;br /&gt;&lt;br /&gt;icon=Servers\autorun.ico&lt;br /&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt; A valid Autorun.inf is typically 1 to 2 kilobytes (KB). &lt;/li&gt;&lt;li&gt;Delete any Autorun.inf files that do not seem to be valid. &lt;/li&gt;&lt;li&gt;Restart the computer. &lt;/li&gt;&lt;li&gt;Make hidden files visible. To do this, type the following command at a command prompt: &lt;div class="indent"&gt;&lt;span class="userInput"&gt;reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Set &lt;strong class="uiterm"&gt;Show hidden files and folders&lt;/strong&gt;  so that you can see the file. To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;In step 12b, you noted the path of the referenced .dll file for the malware. 
For example, you noted a path that resembles the following: &lt;div class="indent"&gt; %systemroot%\System32\doieuln.dll&lt;/div&gt; In Windows Explorer, open the %systemroot%\System32 directory or the directory that contains the malware.&lt;/li&gt;&lt;li type="a"&gt; Click &lt;strong class="uiterm"&gt; Tools&lt;/strong&gt;, and then click &lt;strong class="uiterm"&gt;Folder Options&lt;/strong&gt;.&lt;/li&gt;&lt;li type="a"&gt; Click the &lt;strong class="uiterm"&gt;View&lt;/strong&gt; tab.&lt;/li&gt;&lt;li type="a"&gt;Select the &lt;strong class="uiterm"&gt;Show hidden files and folders&lt;/strong&gt; check box.&lt;/li&gt;&lt;li type="a"&gt; Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Select the .dll file.&lt;/li&gt;&lt;li&gt; Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Right-click the .dll file, and then click &lt;b&gt;Properties&lt;/b&gt;. &lt;/li&gt;&lt;li type="a"&gt; Click the &lt;strong class="uiterm"&gt;Security&lt;/strong&gt; tab. &lt;/li&gt;&lt;li type="a"&gt; Click &lt;strong class="uiterm"&gt;Everyone&lt;/strong&gt;, and then click to select the &lt;strong class="uiterm"&gt;Full Control&lt;/strong&gt; check box in the &lt;strong class="uiterm"&gt;Allow&lt;/strong&gt; column. &lt;/li&gt;&lt;li type="a"&gt;Click &lt;strong class="uiterm"&gt;OK&lt;/strong&gt;. &lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Delete the referenced .dll file for the malware. For example, delete the %systemroot%\System32\doieuln.dll file. &lt;/li&gt;&lt;li&gt;Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC). &lt;/li&gt;&lt;li&gt;Turn off Autorun to help reduce the effect of any reinfection. 
To do this, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Depending on your system, install one of the following updates: &lt;ul&gt;&lt;li&gt;If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715.   For more information, click the following article number to view the article in the Microsoft Knowledge Base:  &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/967715/"&gt;967715&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/967715/                         )         &lt;/span&gt;   How to disable the Autorun functionality in Windows  &lt;/div&gt;&lt;/li&gt;&lt;li&gt;If you are running Windows Vista or Windows Server 2008, install security update 950582.  For more information, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/950582/"&gt;950582&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/950582/                         )         &lt;/span&gt; MS08-038: Vulnerability in Windows Explorer could allow remote code execution &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Note&lt;/b&gt; Update 967715 and security update 950582 are not related to this malware issue. These updates must be installed to enable the registry function in step 23b.&lt;/li&gt;&lt;li type="a"&gt;Type the following command at a command prompt: &lt;div class="indent"&gt;&lt;span class="userInput"&gt; reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f &lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;If the system is running Windows Defender, re-enable the Windows Defender autostart location. 
To do this, type the following command at the command prompt: &lt;div class="indent"&gt;&lt;span class="userInput"&gt; reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe -hide" /f&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt; For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Autotuning to disabled. To change this setting back, type the following command at a command prompt: &lt;div class="indent"&gt;&lt;span class="userInput"&gt;netsh interface tcp set global autotuning=normal&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;  If, after you complete this procedure, the computer seems to be reinfected, either of the following conditions may be true: &lt;ul&gt;&lt;li&gt;One of the autostart locations was not removed. For example, either the AT job was not removed or an Autorun.inf file was not removed. &lt;/li&gt;&lt;li&gt;The security update for MS08-067 was installed incorrectly.&lt;/li&gt;&lt;/ul&gt; This malware may change other settings that are not addressed in this article. 
Please visit the following Microsoft Malware Protection Center Web page for the latest details about Win32/Conficker: &lt;div class="indent"&gt;&lt;span class="ll"&gt;&lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker"&gt;http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker&lt;/a&gt;&lt;/span&gt;&lt;span class="pLink"&gt;             (http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker)&lt;/span&gt;&lt;span class="kb_space"&gt;&lt;br /&gt;&lt;/span&gt;&lt;h3 id="tocHeadRef"&gt;Verify that the system is clean&lt;/h3&gt; Verify that the following services are started: &lt;ul&gt;&lt;li&gt;Automatic Updates (wuauserv)&lt;/li&gt;&lt;li&gt;Background Intelligent Transfer Service (BITS)&lt;/li&gt;&lt;li&gt;Windows Defender (windefend) (if applicable)&lt;/li&gt;&lt;li&gt;Windows Error Reporting Service&lt;/li&gt;&lt;/ul&gt;  To do this, type the following commands at the command prompt. 
Press ENTER after each command:&lt;br /&gt;&lt;br /&gt;&lt;span class="userInput"&gt;Sc.exe query wuauserv&lt;/span&gt;&lt;br /&gt;&lt;span class="userInput"&gt;Sc.exe query bits&lt;/span&gt;&lt;br /&gt;&lt;span class="userInput"&gt;Sc.exe query windefend&lt;/span&gt;&lt;br /&gt;&lt;span class="userInput"&gt;Sc.exe query ersvc&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;After each command runs, you will receive a message that resembles the following: &lt;div class="message"&gt; SERVICE_NAME: wuauserv&lt;br /&gt;TYPE : 20 WIN32_SHARE_PROCESS&lt;br /&gt;STATE : 4 RUNNING&lt;br /&gt;(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)&lt;br /&gt;WIN32_EXIT_CODE : 0 (0x0)&lt;br /&gt;SERVICE_EXIT_CODE : 0 (0x0)&lt;br /&gt;CHECKPOINT : 0x0&lt;br /&gt;WAIT_HINT : 0x0 &lt;/div&gt;In this example, "STATE : 4 RUNNING" indicates that the service is running.&lt;br /&gt;&lt;br /&gt;To verify the status of the SvcHost registry subkey, follow these steps: &lt;ol&gt;&lt;li&gt;In Registry Editor, locate and then click the following registry subkey: &lt;div class="indent"&gt; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost &lt;/div&gt;&lt;/li&gt;&lt;li&gt;In the details pane, double-click &lt;strong class="uiterm"&gt;netsvcs&lt;/strong&gt;, and then review the service names that are listed. Scroll down to the bottom of the list. If the computer is reinfected with Conficker, a random service name will be listed. For example, in this procedure, the name of the malware service is "Iaslogon."&lt;/li&gt;&lt;/ol&gt;  If these steps do not resolve the issue, contact your antivirus software vendor.  
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/49500/"&gt;49500&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/49500/                         )         &lt;/span&gt; List of antivirus software vendors &lt;/div&gt; If you do not have an antivirus software vendor, or your antivirus software vendor cannot help, contact Microsoft Consumer Support Services for more help.&lt;br /&gt;&lt;h3 id="tocHeadRef"&gt;After the environment is fully cleaned&lt;/h3&gt; After the environment is fully cleaned, follow these steps: &lt;ol&gt;&lt;li&gt;Re-enable the Server service and the Task Scheduler service. &lt;/li&gt;&lt;li&gt;Restore the default permissions on the SVCHOST registry key and the Tasks folder. This should be reverted to the default settings by using Group Policy settings. If a policy is only removed, the default permissions may not be changed back. See the table of default permissions in the "&lt;span&gt;&lt;a href="http://support.microsoft.com/kb/962007#Mitigationsteps"&gt;Mitigation steps&lt;/a&gt;&lt;/span&gt;" section for more information.   &lt;/li&gt;&lt;li&gt;Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager (SCCM), or your third-party update management product. If you use SMS or SCCM, you must first re-enable the Server service. Otherwise, SMS or SCCM may be unable to update the system. 
&lt;/li&gt;&lt;li&gt;If you have problems identifying systems that are infected with Conficker, the details provided in the following TechNet blog may help: &lt;div class="indent"&gt;&lt;span class="ll"&gt;&lt;a href="http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx"&gt;http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx&lt;/a&gt;&lt;/span&gt;&lt;span class="pLink"&gt;             (http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx)         &lt;/span&gt;&lt;span class="kb_space"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;The following table shows default permissions for each operating system. These permissions are in place before you apply the changes that we recommend in this article. These permissions may differ from the permissions that are set in your environment. Therefore, you must note your settings before you make any changes. You must do this so that you can restore your settings after you clean the system. 
&lt;table class="table" cellspacing="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Operating system &lt;/th&gt;&lt;th&gt;Windows Server 2008&lt;/th&gt;&lt;th&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;Windows Vista&lt;/th&gt;&lt;th&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;Windows Server 2003&lt;/th&gt;&lt;th&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;Windows XP&lt;/th&gt;&lt;th&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;Windows 2000&lt;/th&gt;&lt;th&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;Setting&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Svchost Registry&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Tasks Folder&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Svchost Registry&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Tasks Folder&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Svchost Registry&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Tasks Folder&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Svchost Registry&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Tasks Folder&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Svchost Registry&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Tasks Folder&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;Account&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Administrators (Local Group)&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full 
Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;System&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;td&gt;Full Control&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Power Users (Local Group)&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Users (Local Group)&lt;/td&gt;&lt;td&gt;Special &lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Read&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This key and subkeys&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This key and subkeys&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Query Value&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Query Value&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Enumerate Subkeys&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Enumerate Subkeys&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Notify&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Notify&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Control&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Control&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Authenticated Users&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This folder only&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This folder only&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Traverse Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Traverse Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;List Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;List Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Extended Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Extended Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Files&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Files&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Permissions&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Permissions&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Backup Operators (Local Group)&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This folder only&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This folder only&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Traverse Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Traverse Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;List Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;List 
Folder&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Extended Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Extended Attributes&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Files&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Files&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Permissions&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Permissions&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Everyone&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;not 
applicable&lt;/td&gt;&lt;td&gt;not applicable&lt;/td&gt;&lt;td&gt;Special&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Apply to: This folder, subfolder and files&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Traverse Folder&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;List Folder&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Read Attributes&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;Read Extended Attributes&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Files&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Create Folders&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Write Attributes&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;Write Extended Attributes&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;h5&gt;APPLIES TO&lt;/h5&gt;&lt;ul&gt;&lt;li&gt;Windows Server 2008 Datacenter without Hyper-V&lt;/li&gt;&lt;li&gt;Windows Server 2008 Enterprise without 
Hyper-V&lt;/li&gt;&lt;li&gt;Windows Server 2008 for Itanium-Based Systems&lt;/li&gt;&lt;li&gt;Windows Server 2008 Standard without Hyper-V&lt;/li&gt;&lt;li&gt;Windows Server 2008 Datacenter&lt;/li&gt;&lt;li&gt;Windows Server 2008 Enterprise&lt;/li&gt;&lt;li&gt;Windows Server 2008 Standard&lt;/li&gt;&lt;li&gt;Windows Web Server 2008&lt;/li&gt;&lt;li&gt;Windows Vista Service Pack 1, when used with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Windows Vista Business&lt;/li&gt;&lt;li&gt;Windows Vista Enterprise&lt;/li&gt;&lt;li&gt;Windows Vista Home Basic&lt;/li&gt;&lt;li&gt;Windows Vista Home Premium&lt;/li&gt;&lt;li&gt;Windows Vista Starter&lt;/li&gt;&lt;li&gt;Windows Vista Ultimate&lt;/li&gt;&lt;li&gt;Windows Vista Enterprise 64-bit Edition&lt;/li&gt;&lt;li&gt;Windows Vista Home Basic 64-bit Edition&lt;/li&gt;&lt;li&gt;Windows Vista Home Premium 64-bit Edition&lt;/li&gt;&lt;li&gt;Windows Vista Ultimate 64-bit Edition&lt;/li&gt;&lt;li&gt;Windows Vista Business 64-bit Edition&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Microsoft Windows Server 2003 Service Pack 1, when used with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Microsoft Windows Server 2003, Standard Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Web Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Standard x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows XP Professional x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003 Service Pack 2, when used 
with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Microsoft Windows Server 2003, Standard Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Web Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Standard x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows XP Professional x64 Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems&lt;/li&gt;&lt;li&gt;Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Microsoft Windows XP Service Pack 2, when used with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Microsoft Windows XP Home Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows XP Professional&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Microsoft Windows XP Service Pack 3, when used with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Microsoft Windows XP Home Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows XP Professional&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Microsoft Windows 2000 Service Pack 4, when used with:&lt;/li&gt;&lt;ul class="kb_subList"&gt;&lt;li&gt;Microsoft Windows 2000 Advanced Server&lt;/li&gt;&lt;li&gt;Microsoft Windows 2000 Datacenter Server&lt;/li&gt;&lt;li&gt;Microsoft Windows 2000 Professional Edition&lt;/li&gt;&lt;li&gt;Microsoft Windows 2000 Server&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>The Trojan War</title><link>http://atvidea.blogspot.com/2009/08/trojan-war.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 10 Aug 2009 20:49:00 
+0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-4696310062622725544</guid><description>&lt;span style="font-size:+2;color:#000060;"&gt;The Apple of Discord&lt;/span&gt;  &lt;p&gt;The Trojan War has its roots in the marriage between Peleus and Thetis, a sea-goddess. Peleus and Thetis had not invited Eris, the goddess of discord, to their marriage and the outraged goddess stormed into the wedding banquet and threw a golden apple onto the table. The apple belonged to, Eris said, whoever was the fairest.&lt;/p&gt;  &lt;p&gt;Hera, Athena, and Aphrodite each reached for the apple. Zeus proclaimed that Paris, prince of Troy and thought to be the most beautiful man alive, would act as the judge.&lt;/p&gt;  &lt;p&gt;Hermes went to Paris, and Paris agreed to act as the judge. Hera promised him power, Athena promised him wealth, and Aphrodite promised the most beautiful woman in the world.&lt;/p&gt;  &lt;p&gt;Paris chose Aphrodite, and she promised him that Helen, wife of Menelaus, would be his wife. Paris then prepared to set off for Sparta to capture Helen. Twin prophets Cassandra and Helenus tried to persuade him against such action, as did his mother, Hecuba. But Paris would not listen and he set off for Sparta.&lt;/p&gt;  &lt;p&gt;In Sparta, Menelaus, husband of Helen, treated Paris as a royal guest. However, when Menelaus left Sparta to go to a funeral, Paris abducted Helen (who perhaps went willingly) and also carried off much of Menelaus' wealth.&lt;/p&gt;  &lt;p&gt;In Troy, Helen and Paris were married. This occurred around 1200 B.C. (Wood, 16).&lt;/p&gt;  &lt;p&gt;&lt;a name="anchor199596"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;Greek Armament&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Menelaus, however, was outraged to find that Paris had taken Helen.
Menelaus then called upon all of Helen's old suitors, as all of the suitors had made an oath long ago that they would all back Helen's husband to defend her honor.&lt;/p&gt;  &lt;p&gt;Many of the suitors did not wish to go to war. Odysseus pretended to be insane but this trick was uncovered by Palamedes. Achilles, though not one of the previous suitors, was sought after because the seer Calchas had stated that Troy would not be taken unless Achilles would fight.&lt;/p&gt;  &lt;p&gt;One of the most interesting stories is of Cinyras, king of Paphos, in Cyprus, who had been a suitor of Helen. He did not wish to go to war, but promised Agamemnon fifty ships for the Greek fleet. True to his word, Cinyras did send fifty ships. The first ship was commanded by his son. The other forty-nine, however, were toy clay ships, with tiny clay sailors. They dissembled soon after being placed in the ocean (Tripp, 584-584).&lt;/p&gt;  &lt;p&gt;The Greek fleet assembled, under Agamemnon's inspection, in Aulis. However, Agamemnon either killed one of Diana's sacred stags or made a careless boast. Either way, Diana was outraged and she calmed the seas so that the fleet could not take off.&lt;/p&gt;  &lt;p&gt;The seer Calchas proclaimed that Iphigenia, daughter of Agamemnon, must be sacrificed before the fleet could set sail. This was done, and the Greek ships set off in search of Troy.&lt;/p&gt;  &lt;p&gt;&lt;a name="anchor200602"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;Finding Troy&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Finding Troy proved difficult, however, and the Greek fleet at first landed in Mysia. According to Herodotus, the Greeks were under the impression that Helen had been taken by the Teuthranians (Teucrians), and though the Teuthranians denied such allegations, the Greeks laid siege to the city (Herodotus, Bk. II.118).
The Greeks ultimately prevailed, but suffered heavy casualties at the hands of Telephus, king of the Teuthranians, and, at the end, were still without Helen. Telephus, in the course of the war, was wounded by Achilles.&lt;/p&gt;  &lt;p&gt;With nowhere else to turn, the Greeks returned home.&lt;/p&gt;  &lt;p&gt;The Trojan War might not have happened had not Telephus gone to Greece in the hopes of having his wound cured. Telephus had been told by an oracle that only the person who wounded him (in this case, Achilles) could cure him. Achilles assented and Telephus told the Greeks how to get to Troy.&lt;/p&gt;  &lt;p&gt;&lt;a name="anchor201765"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;Embassy to Priam&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Odysseus, known for his eloquence, and Menelaus were sent as ambassadors to Priam. They demanded Helen and the stolen treasure be returned. Priam refused, and Odysseus and Menelaus returned to the Greek ships with the announcement that war was inevitable.&lt;/p&gt;  &lt;p&gt;&lt;a name="anchor202941"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;The War&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;The first nine years of the war consisted of both war in Troy and war against the neighboring regions. The Greeks realized that Troy was being supplied by its neighboring kingdoms, so Greeks were sent to defeat these areas.&lt;/p&gt;  &lt;p&gt;As well as destroying the Trojan economy, these battles let the Greeks gather a large amount of resources and other spoils of war, including women (e.g., Briseis, Tecmessa and Chryseis).&lt;/p&gt;  &lt;p&gt;The Greeks won many important battles and the Trojan hero Hector fell, as did the Trojan ally Penthesilea. However, the Greeks could not break down the walls of Troy.&lt;/p&gt;  &lt;p&gt;Patroclus was killed and, soon after, Achilles was felled by Paris.&lt;/p&gt;  &lt;p&gt;Helenus, son of Priam, had been captured by Odysseus.
A prophet, Helenus told the Greeks that Troy would not fall unless:&lt;/p&gt;  &lt;p&gt;a) Pyrrhus, Achilles' son, fought in the war,&lt;br /&gt;b) The bow and arrows of Hercules were used by the Greeks against the Trojans,&lt;br /&gt;c) The remains of Pelops, the famous Eleian hero, were brought to Troy, and&lt;br /&gt;d) The Palladium, a statue of Athena, was stolen from Troy (Tripp, 587).&lt;/p&gt;  &lt;p&gt;Phoenix persuaded Pyrrhus to join the war. Philoctetes had the bow and arrows of Hercules, but had been left by the Greek fleet in Lemnos because he had been bitten by a snake and his wound had a horrendous smell. Philoctetes was bitter, but was finally persuaded to join the Greeks. The remains of Pelops were gotten, and Odysseus infiltrated Trojan defenses and stole the Palladium.&lt;/p&gt;  &lt;p&gt;&lt;a name="anchor204279"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;The Trojan Horse&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Still seeking to gain entrance into Troy, clever Odysseus (some say with the aid of Athena) ordered a large wooden horse to be built. Its insides were to be hollow so that soldiers could hide within it.&lt;/p&gt;  &lt;p&gt;Once the statue had been built by the artist Epeius, a number of the Greek warriors, along with Odysseus, climbed inside. The rest of the Greek fleet sailed away, so as to deceive the Trojans.&lt;/p&gt;  &lt;p&gt;One man, Sinon, was left behind. When the Trojans came to marvel at the huge creation, Sinon pretended to be angry with the Greeks, stating that they had deserted him. He assured the Trojans that the wooden horse was safe and would bring luck to the Trojans.&lt;/p&gt;  &lt;p&gt;Only two people, Laocoon and Cassandra, spoke out against the horse, but they were ignored. 
The Trojans celebrated what they thought was their victory, and dragged the wooden horse into Troy.&lt;/p&gt;  &lt;p&gt;That night, after most of Troy was asleep or in a drunken stupor, Sinon let the Greek warriors out from the horse, and they slaughtered the Trojans. Priam was killed as he huddled by Zeus' altar and Cassandra was pulled from the statue of Athena and raped.&lt;/p&gt;  &lt;center&gt;&lt;img src="http://www.stanford.edu/%7Eplomio/BurningofTroy.JPG" align="BOTTOM" border="0" /&gt;&lt;/center&gt;  &lt;p&gt;&lt;a name="anchor205683"&gt;&lt;/a&gt;&lt;span style="font-size:+2;color:#000060;"&gt;After the War&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;After the war, Polyxena, daughter of Priam, was sacrificed at the tomb of Achilles and Astyanax, son of Hector, was also sacrificed, signifying the end of the war.&lt;/p&gt;  &lt;p&gt;Aeneas, a Trojan prince, managed to escape the destruction of Troy, and Virgil's &lt;i&gt;Aeneid&lt;/i&gt; tells of his flight from Troy. Many sources say that Aeneas was the only Trojan prince to survive, but this statement contradicts the common story that Andromache was married to Helenus, twin of Cassandra, after the war.&lt;/p&gt;  &lt;p&gt;Menelaus, who had been determined to kill his faithless wife, was so taken by Helen's beauty and seductiveness that he allowed her to live.&lt;/p&gt;  &lt;p&gt;The surviving Trojan women were divided among the Greek men along with the other plunder.
The Greeks then set sail for home, which, for some, proved as difficult and took as much time as the Trojan War itself (e.g., Odysseus and Menelaus).&lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Trojan, Virus, and Worm Information</title><link>http://atvidea.blogspot.com/2009/08/trojan-virus-and-worm-information.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 10 Aug 2009 20:23:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-530390176505324718</guid><description>&lt;blockquote&gt;  &lt;b&gt;Trojans&lt;/b&gt;  &lt;p&gt;A Trojan refers to a program that appears as something you may think is safe, but hidden inside is usually something harmful, probably a worm or a virus. The lure of Trojans is that you may download a game or a picture, thinking it's harmless, but once you execute this file (run it), the worm or virus gets to work. Sometimes they will only do things to annoy you, but usually a worm or virus will cause damage to your system. &lt;/p&gt;&lt;/blockquote&gt;  &lt;a name="virus"&gt;&lt;/a&gt; &lt;blockquote&gt;  &lt;b&gt;Viruses&lt;/b&gt;  &lt;p&gt;Viruses are computer programs with the sole purpose of destroying data on our computers. The virus may only destroy unimportant files, or it may decide to erase all of your document files. A virus can cause an infected computer to do funny things on certain dates, as well as issue serious commands such as erasing our Registry file, thus disabling the operation and booting up of our computers. &lt;/p&gt;&lt;p&gt;Viruses are spread through executable files we either get from friends, download off the net, or install through a floppy disk. A virus will often come disguised under the cloak of a Trojan, which is the carrier for the virus. 
&lt;/p&gt;&lt;/blockquote&gt;  &lt;a name="worms"&gt;&lt;/a&gt; &lt;blockquote&gt;  &lt;b&gt;Worms&lt;/b&gt;  &lt;p&gt;Worms operate differently. Do you remember the Star Trek show called 'The Trouble with Tribbles'? (Star-Trek fans, if I've remembered the name wrong, please correct me). These little creatures just kept replicating themselves, each one multiplying themselves over and over. Worms act much the same way. &lt;/p&gt;&lt;p&gt;Worms generally come through our email client, but people can also get infected if they accept a Trojan File which has as the payload a worm. If you receive a worm program through your email, and then execute it, this program sends the worm file out to all that are listed in your email address book. If you work in a major corporation, this could mean hundreds of people, and so the multiplying continues. &lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Recently we all witnessed the world-wide problems of the "Love bug". That is a perfect example of all of the above. (yes!) It's a Trojan because it came disguised as a 'Love Letter' when really it was carrying a harmful program. It is a virus because once executed, it infected files on your computer, turning them into new trojans. It's a worm because it propagated itself by sending itself out to everyone listed in your email address book or IRC client. &lt;/p&gt;&lt;p&gt;This is reality -- bad things are out there, disguised as good things....and we must use our computers safely and wisely.
&lt;/p&gt;&lt;p&gt; &lt;a name="defense"&gt;&lt;/a&gt; &lt;a name="besafe"&gt;&lt;/a&gt; &lt;table border="0" cellpadding="3" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr&gt;&lt;td bg width="500" style="color:#fcfdd9;"&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;The Best Defense&lt;/b&gt;&lt;/span&gt;   &lt;span style="font-size:78%;"&gt;&lt;a href="http://www.ircbeginner.com/opvinfo/trojan-virus.html#top"&gt;(top)&lt;/a&gt;&lt;/span&gt;&lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Never click on links through IRC that come from someone you do not know  &lt;/li&gt;&lt;li&gt;Never accept files from anyone you don't know  &lt;/li&gt;&lt;li&gt;When downloading files off the Internet, be sure it's from a reputable site.  &lt;/li&gt;&lt;li&gt;Never run or even peek at files you receive through your email program from people you don't know. If you have any doubts at all, write the person back, and ask for verification that they sent you a file. Some of the more recent viruses will send mail (and file) to everyone listed in your email address book, then it deletes itself and you have no idea of what happened. Scary, huh? &lt;/li&gt;&lt;li&gt;Install a Virus Detection program -- you can find a free one called &lt;a href="http://www.antivirus.cai.com/"&gt;Inoculate&lt;/a&gt;. I use it, along with another one, and while no program is foolproof 100% of the time (due to the complexity of new viruses appearing every day), it is a good program, and something you should consider. &lt;/li&gt;&lt;li&gt;Set yourself up a regular time to update the virus scans, and do it -- if we don't keep our computers up-to-date on the latest technologies, then we are leaving ourselves vulnerable. With over 200 new viruses being reported each month, tomorrow is not the time to update...but TODAY. &lt;/li&gt;&lt;li&gt;One more important step is to &lt;b&gt;back up your important files regularly&lt;/b&gt;. &lt;br /&gt;Better safe than sorry!
&lt;/li&gt;&lt;/ul&gt;   &lt;p&gt;If you'd like to read more about Trojans and Viruses, check &lt;a href="http://www.ircbeginner.com/opvinfo/urls-trojan-virus.html"&gt;here&lt;/a&gt; for more resource links.  For a comprehensive page with antivirus solutions as well as trojan scanners/cleaners, visit here:  &lt;a href="http://www.ircbeginner.com/virusinfo/virusinfo.html"&gt;Virus &amp;amp; Trojan Solutions&lt;/a&gt;  You may also wish to download a file that describes in more detail various viruses and trojans.  It's called &lt;a href="http://www.ircbeginner.com/files/virhelp.hlp"&gt;Virus Help&lt;/a&gt;.  Get it &lt;a href="http://www.ircbeginner.com/files/virhelp.hlp"&gt;here&lt;/a&gt;.   &lt;/p&gt;&lt;p&gt; &lt;a name="infection"&gt;&lt;/a&gt; &lt;table border="0" cellpadding="3" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr&gt;&lt;td bg width="500" style="color:#fcfdd9;"&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;Infection and What to Do&lt;/b&gt;&lt;/span&gt;   &lt;span style="font-size:78%;"&gt;&lt;a href="http://www.ircbeginner.com/opvinfo/trojan-virus.html#top"&gt;(top)&lt;/a&gt;&lt;/span&gt;&lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;/p&gt;&lt;p&gt;If you have become infected and need to repair your computer, you have several choices: &lt;/p&gt;&lt;ol&gt;&lt;li&gt;One of your choices is to download a program called &lt;a href="http://www.moosoft.com/"&gt;The Cleaner&lt;/a&gt;. You can use the program free for 30 days (good deal!). After that time, registration is required at a cost of about $30 (US). This price includes free future updates of the program as well. &lt;p&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt;Another option is to visit this website, &lt;a href="http://www.nohack.net/"&gt;http://www.nohack.net&lt;/a&gt;, for more information about being infected. Find the information describing your infection and follow their steps listed for removing harmful trojans, worms, and viruses. 
Some programs are not totally removable through these steps, and that's where The Cleaner can benefit you as it will remove all traces of infection. &lt;p&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt;Trend Micro, the makers of PC-cillin (an antivirus program, and one that I use) offers free online assistance. You may wish to visit their site and let their system scan your computer. Visit &lt;a href="http://housecall.antivirus.com/"&gt;Trend Micro's Housecall&lt;/a&gt; for this free evaluation.  You can buy their product from this site, or you can find this antivirus program in many of the larger software outlets.  &lt;/li&gt;&lt;li&gt;Visit our new &lt;a href="http://www.ircbeginner.com/virusinfo/virusinfo.html"&gt;Virus, Trojan, and Security Solutions&lt;/a&gt; page for a comprehensive listing of sites and programs that can help anyone wanting to protect their computer.  &lt;/li&gt;&lt;/ol&gt;  &lt;p&gt; &lt;a name="emailhoax"&gt;&lt;/a&gt; &lt;table border="0" cellpadding="3" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr&gt;&lt;td bg width="500" style="color:#fcfdd9;"&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;E-Mail Virus Hoaxes&lt;/b&gt;&lt;/span&gt;   &lt;span style="font-size:78%;"&gt;&lt;a href="http://www.ircbeginner.com/opvinfo/trojan-virus.html#top"&gt;(top)&lt;/a&gt;&lt;/span&gt;&lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/p&gt;&lt;p&gt;There will always be newbies on the net, so there will always be a market for spreading the news about E-mail virus hoaxes. This is when someone forwards on a letter which often makes claims that if you receive a mail titled something similar to "Win a Holiday Cruise", and open it, your hard drive will be erased (or some other such dire warning).
While we can never be too careful, we have to be cautious to not be too gullible as well :) If you have any doubts about whether or not a warning you receive may be true or false, visit &lt;a href="http://www.symantec.com/avcenter/hoax.html" target="mainwindow"&gt;Symantec's Antivirus Research Center Virus Hoax&lt;/a&gt; site.  They list (and describe) over 80 of the most prevalent virus hoaxes circulating worldwide.  &lt;/p&gt;This site isn't completed yet -- we will have much more information here soon describing in more detail viruses, worms, trojans, etc</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>What is a Trojan Horse Virus?</title><link>http://atvidea.blogspot.com/2009/08/what-is-trojan-horse-virus.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 10 Aug 2009 20:20:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-2304535061343681931</guid><description>&lt;p&gt;A Trojan Horse Virus is a common yet difficult to remove computer threat. This is a type of virus that attempts to make the user think that it is a beneficial application.&lt;/p&gt;  &lt;p&gt;A Trojan Horse virus works by hiding within a set of seemingly useful software programs. Once executed or installed in the system, this type of virus will start infecting other files in the computer. &lt;/p&gt;  &lt;p&gt;A Trojan Horse Virus is also usually capable of stealing important information from the user's computer. It will then send this information to
Internet servers designated by the developer of the virus. The developer will then be able to gain a level of control over the computer through this Trojan virus. While these things take place, the user will notice that the infected computer has become very slow or unexpected windows pop up without any activity from the user. Later on, this will result in a computer crash. &lt;/p&gt;   &lt;p&gt;A Trojan Horse virus can spread in a number of ways. The most common means of infection is through email attachments. The developer of the virus usually uses various spamming techniques in order to distribute the virus to unsuspecting users. &lt;/p&gt;   &lt;p&gt;These emails contain attachments. Once the user opens the attachment, the Trojan Horse Virus immediately infects the system and performs the tasks mentioned above. &lt;/p&gt;   &lt;p&gt;Another method used by malware developers to spread their Trojan Horse viruses is via chat software such as Yahoo Messenger and Skype. Another method used by this virus in order to infect other machines is through sending copies of itself to the people in the address book of a user whose computer has already been infected by the virus. &lt;/p&gt;     &lt;p&gt;The best way to prevent a Trojan Horse Virus from entering and infecting your computer is to never open email attachments or files that have been sent by unknown senders. However, not all files we can receive are guaranteed to be virus-free.
For this reason, a good way of protecting your PC against malicious programs such as this harmful application is to install and update an antivirus program. &lt;/p&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>How to remove a Trojan, Virus, Worm, or other Malware</title><link>http://atvidea.blogspot.com/2009/08/how-to-remove-trojan-virus-worm-or.html</link><author>noreply@blogger.com (at_videa)</author><pubDate>Mon, 10 Aug 2009 20:19:00 +0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3220738692330368368.post-2457117881794310774</guid><description>&lt;div align="center"&gt;If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are malicious programs that, once they infect your machine, start causing havoc on your computer. What many people do not know is that there are many different types of infections that fall under the general category of malware.   &lt;p align="left"&gt;&lt;em&gt;&lt;strong&gt;Malware&lt;/strong&gt; - Malware is programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, Trojan horses, spyware, hijackers, and certain types of adware.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;This article will focus on malware that is considered to be viruses, trojans, and worms, though this information can be used to remove the other types of malware as well. We will not go into specific details about any one particular infection, but rather provide a broad overview of how these infections can be removed. For the most part these instructions should allow you to remove a good deal of infections, but there are some that need special steps to be removed and these won't be covered under this   tutorial. 
&lt;/p&gt;   &lt;p align="left"&gt;Before&lt;strong&gt; &lt;/strong&gt;we continue it is important to understand     the generic malware terms that you will be reading about.&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Adware - &lt;/em&gt;&lt;/strong&gt;&lt;em&gt;A program that generates      popups on your computer or displays advertisements. It is important to note      that not all adware programs are necessarily considered malware. There are      many legitimate programs that are given for free that display ads in their      programs in order to generate revenue. As long as this information is provided      up front then they are generally not considered malware.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;em&gt;&lt;strong&gt;Backdoor -&lt;/strong&gt; A program that allows a remote      user to execute commands and tasks on your computer without your permission.      These types of programs are typically used to launch attacks on other computers,      distribute copyrighted software or media, or hack other computers.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Dialler -&lt;/em&gt;&lt;/strong&gt;&lt;em&gt; A program that typically      dials a premium rate number that has per minute charges over and above the      typical call charge. 
These calls are made with the intent of gaining access to pornographic material.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Hijackers - &lt;/em&gt;&lt;/strong&gt;&lt;em&gt;A program that attempts to hijack certain Internet functions, such as redirecting your start page to the hijacker's own start page, redirecting search queries to an undesired search engine, or replacing search results from popular search engines with their own information.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Spyware - &lt;/em&gt;&lt;/strong&gt;&lt;em&gt;A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Trojan &lt;/em&gt;&lt;/strong&gt;&lt;em&gt;&lt;strong&gt;- &lt;/strong&gt;A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Virus -&lt;/em&gt;&lt;/strong&gt;&lt;em&gt; A program that, when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects, ranging from wiping your hard drive, to displaying a joke in a small box, to doing nothing at all except replicating themselves. These types of infections tend to be localized to your computer and not have the ability to spread to another computer on their own. 
The word virus has incorrectly become a general term that encompasses trojans, worms, and viruses.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Worm -&lt;/em&gt;&lt;/strong&gt;&lt;em&gt; A program that, when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.&lt;/em&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;br /&gt;    &lt;a name="start" id="start"&gt;&lt;/a&gt;&lt;u&gt;How these infections start&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt; Just like any program, in order for the program to work, it must be started. Malware programs are no different in this respect and must be started in some fashion in order to do what they were designed to do. For the most part these infections run by creating a configuration entry in the &lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial74.html" title="Demystifying the Windows Registry"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Windows     Registry&lt;/span&gt;&lt;/strong&gt; &lt;/a&gt;in order to make these programs start when your computer starts.&lt;/p&gt;   &lt;p align="left"&gt;Unfortunately, though, in the Windows operating system there are many different ways to make a program start, which can make it difficult for the average computer user to find them manually. Luckily for us, though, there are programs that allow us to cut through this confusion and see the various programs that are automatically starting when Windows boots. 
The program we recommend for this, because it is free and detailed, is &lt;a href="http://www.sysinternals.com/Utilities/Autoruns.html" target="_blank" rel="nofollow"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Autoruns&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; &lt;/strong&gt;from Sysinternals.&lt;br /&gt;   &lt;br /&gt;    When you run this program it will list all the various programs that start when your computer is booted into Windows. For the most part, the majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup.&lt;/p&gt;   &lt;p align="left"&gt;At this point, you should download &lt;strong&gt;&lt;a href="http://www.sysinternals.com/Utilities/Autoruns.html" target="_blank" rel="nofollow"&gt;&lt;span style="color:#0000ff;"&gt;Autoruns&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt; and try it out. Just run the &lt;strong&gt;Autoruns.exe&lt;/strong&gt; and look at all the programs that start automatically. Don't uncheck or delete anything at this point. Just examine the information to see an overview of the number of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section.&lt;/p&gt;   &lt;p align="left"&gt;   &lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;u&gt;&lt;a name="remove"&gt;&lt;/a&gt;&lt;/u&gt;&lt;/strong&gt;&lt;strong&gt;&lt;u&gt;How to remove these infections&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;  &lt;/p&gt;   &lt;p align="left"&gt;We have finally arrived at the section you came here for. You are most likely reading this tutorial because you are infected with some sort of malware and want to remove it. With this knowledge that you are infected, it is also assumed that you examined the programs running on your computer and found one that does not look right. 
You did further research by checking that program against our&lt;span style="color:#0000ff;"&gt; &lt;a href="http://www.bleepingcomputer.com/startups/"&gt;&lt;strong&gt;Startup Database&lt;/strong&gt;&lt;/a&gt;&lt;/span&gt; or by searching in Google and have learned that it is an infection and you now want to remove it.&lt;/p&gt;   &lt;p align="left"&gt;If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps.&lt;/p&gt; &lt;/div&gt; &lt;ol&gt;&lt;li&gt;     &lt;div align="left"&gt;Download and extract the &lt;a href="http://www.sysinternals.com/Utilities/Autoruns.html" target="_blank" rel="nofollow"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Autoruns&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt; program by Sysinternals       to &lt;strong&gt;C:\Autoruns&lt;br /&gt;     &lt;br /&gt;    &lt;/strong&gt;&lt;/div&gt;   &lt;/li&gt;&lt;li&gt;Reboot into &lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial61.html"&gt;&lt;span style="color:#0000ff;"&gt;Safe         Mode&lt;/span&gt;&lt;/a&gt; &lt;/strong&gt; so that the malware is not started when you are doing these steps. Many malware programs monitor the keys that allow them to start and, if they notice the keys have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases.&lt;br /&gt;       &lt;br /&gt;  &lt;/li&gt;&lt;li&gt;Navigate to the &lt;strong&gt;C:\Autoruns&lt;/strong&gt; folder you created in Step 1 and double-click on &lt;strong&gt;autoruns.exe.&lt;br /&gt;   &lt;br /&gt;  &lt;/strong&gt;&lt;/li&gt;&lt;li&gt;When the program starts, click on the &lt;strong&gt;Options &lt;/strong&gt; menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.    
&lt;br /&gt;   &lt;br /&gt;        &lt;ol&gt;&lt;li&gt;&lt;strong&gt;Include empty locations&lt;/strong&gt;&lt;br /&gt;       &lt;br /&gt;      &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Verify Code Signatures&lt;/strong&gt;&lt;br /&gt;       &lt;br /&gt;      &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Hide Signed Microsoft Entries&lt;br /&gt;        &lt;/strong&gt;&lt;br /&gt;      &lt;/li&gt;&lt;/ol&gt;   &lt;/li&gt;&lt;li&gt;Then press the &lt;strong&gt;F5 &lt;/strong&gt;key on your keyboard to refresh the startups list using these new settings.&lt;br /&gt;   &lt;br /&gt;  &lt;/li&gt;&lt;li&gt;The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the &lt;strong&gt;Logon&lt;/strong&gt; or the &lt;strong&gt;Services&lt;/strong&gt; tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the &lt;strong&gt;Image     Path&lt;/strong&gt; column. There may be more than one entry associated with the same file as it is common for malware to create multiple startup entries.&lt;strong&gt;&lt;span style="color:#ff0000;"&gt; It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file you want to remove, and the folder it is in&lt;/span&gt;&lt;/strong&gt;. 
You can check our &lt;a href="http://www.bleepingcomputer.com/startups/"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Startup     Database&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt; for that information or ask for help in our &lt;a href="http://www.bleepingcomputer.com/forums/"&gt;computer help forums&lt;/a&gt;.&lt;br /&gt;   &lt;br /&gt;  &lt;/li&gt;&lt;li&gt;Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that, right-click on the entry and select &lt;strong&gt;delete&lt;/strong&gt;. This startup entry will now be removed from the Registry.&lt;br /&gt;   &lt;br /&gt;  &lt;/li&gt;&lt;li&gt;Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you cannot see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this tutorial:&lt;br /&gt;   &lt;br /&gt;    &lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial62.html"&gt;&lt;span style="color:#0000ff;"&gt;How to see hidden files in Windows    &lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;   &lt;br /&gt;  &lt;/li&gt;&lt;li&gt;When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.&lt;/li&gt;&lt;/ol&gt; &lt;div align="left"&gt;   &lt;p&gt;&lt;br /&gt;  &lt;a name="protect" id="protect"&gt;&lt;/a&gt;&lt;strong&gt;&lt;u&gt;How to protect yourself in the future&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/div&gt; &lt;div align="center"&gt;   &lt;p align="left"&gt;In order to protect yourself from this happening again it is important that you take proper care and precautions when using your computer. Make sure you have updated antivirus&lt;strong&gt; &lt;/strong&gt;and spyware removal software running, all the latest updates to your operating system, a firewall, and only open attachments or click on popups that you know are safe. 
These     precautions can be a tutorial unto itself, and luckily, we have one created     already:&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial82.html"&gt;&lt;span style="color:#0000ff;"&gt;Simple and easy ways to keep your computer safe and secure     on the Internet&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;strong&gt;&lt;br /&gt;  &lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt;Please read this tutorial and follow the steps listed in order      to be safe on the Internet.&lt;strong&gt; &lt;/strong&gt; Other tutorials that are important      to read in order to protect your computer are listed below.&lt;/p&gt;   &lt;p align="left"&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial41.html"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Understanding      Spyware, Browser Hijackers, and Dialers&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial60.html"&gt;&lt;span style="color:#0000ff;"&gt;Understanding      and Using Firewalls&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial86.html"&gt;&lt;span style="color:#0000ff;"&gt;Safely      Connecting a Computer to the Internet&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial43.html"&gt;&lt;span style="color:#0000ff;"&gt;Using      Spybot - Search &amp;amp; Destroy to remove Spyware from Your Computer&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial48.html"&gt;&lt;span style="color:#0000ff;"&gt;Using      Ad-Aware SE to remove Spyware &amp;amp; Hijackers from Your Computer&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p 
align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial49.html"&gt;&lt;span style="color:#0000ff;"&gt;Using      SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;   &lt;p align="left"&gt;&lt;strong&gt;&lt;a href="http://www.bleepingcomputer.com/tutorials/tutorial53.html"&gt;&lt;span style="color:#0000ff;"&gt;Using      IE-Spyad to enhance your privacy and Security&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;    &lt;strong&gt;&lt;u&gt;&lt;br /&gt;   &lt;br /&gt;    &lt;/u&gt; &lt;u&gt;&lt;a name="conc"&gt;&lt;/a&gt;Conclusion&lt;/u&gt; &lt;/strong&gt;&lt;/p&gt;   &lt;/div&gt; &lt;div align="center"&gt;   &lt;p align="left"&gt;Now that you know how to remove generic malware from your computer, it should help you stay relatively clean from infection. Unfortunately there is a lot of malware that is very difficult to remove, and these steps will not help you with those particular infections. In situations like that where you need extra help, do not hesitate to ask for help in our &lt;a href="http://www.bleepingcomputer.com/forums/"&gt;computer help forums&lt;/a&gt;. We also have a self-help section that contains detailed fixes on some of the more common infections that may be able to help. This self-help section can be found here:&lt;/p&gt;   &lt;p align="left"&gt;&lt;a href="http://www.bleepingcomputer.com/forums/forum55.html"&gt;&lt;strong&gt;&lt;span style="color:#0000ff;"&gt;Spyware &amp;amp; Malware   Self-Help and Reading Room&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item></channel></rss>