Tuesday, February 24, 2009

List of Current Virus Releases: BEWARE of them!!

Name                     | Type      | DAT  | Risk         | Date
-------------------------|-----------|------|--------------|----------
Lando                    | Trojan    | 5529 | Low          | 2/17/2009
Exploit-MSWord.k         | Trojan    | 5525 | Low-Profiled | 2/13/2009
Generic.dx!rootkit       | Virus     | 5524 | Low          | 2/12/2009
HTool-OpenTS             | Program   | 5524 | N/A          | 2/11/2009
W32/Virut.n.gen          | Virus     | 5523 | Low          | 2/11/2009
Vundo.gen.ac             | Trojan    | 5517 | Low          | 2/5/2009
Vundo.dldr!1231E9AC      | Trojan    | 5516 | Low-Profiled | 2/4/2009
W32/Virut.n              | Virus     | 5517 | Low-Profiled | 2/3/2009
W32/Tpecid               | Virus     | 5514 | Low          | 2/2/2009
OSX/IWService.b          | Trojan    | 5509 | Low-Profiled | 1/27/2009
W32/Lujer                | Virus     | 5507 | Low          | 1/26/2009
W32/Autorun.worm.zu      | Virus     | 5504 | Low-Profiled | 1/23/2009
W32/Autorun.worm.zu.dr   | Virus     | 5504 | Low          | 1/23/2009
SMSFraud                 | Trojan    | 5504 | N/A          | 1/23/2009
OSX/IWService            | Trojan    | 5504 | Low-Profiled | 1/22/2009
Vundo.gen.ab             | Trojan    | 5502 | Low          | 1/21/2009
Vundo!grb                | Data File | 5501 | Low          | 1/20/2009
Exploit-PDF.i            | Trojan    | 5500 | Low          | 1/19/2009
Vundo.gen.aa             | Trojan    | 5497 | Low          | 1/16/2009
VBS/Step                 | Virus     | 5497 | Low          | 1/16/2009
JS/Shellcode.gen         | Trojan    | 5496 | Low          | 1/15/2009
Vundo.gen.z              | Trojan    | 5496 | Low          | 1/15/2009
W32/Waledac.gen.b        | Trojan    | 5495 | Low-Profiled | 1/14/2009
VBS/Autorun.worm.zo      | Virus     | 5493 | Low          | 1/12/2009
VBS/Autorun.worm.zo!lnk  | Virus     | 5493 | Low          | 1/12/2009
W32/Conficker.worm!inf   | Virus     | 5488 | Low          | 1/7/2009
VBS/IE-Title!C71CDCDC    | Virus     | 4001 | Low          | 1/6/2009
BackDoor-DTJ             | Trojan    | 5487 | Low          | 1/6/2009
W32/Conficker.worm.gen.a | Virus     | 5485 | Low          | 1/6/2009
W32/Conficker.worm.gen.b | Virus     | 5481 | Low          | 1/6/2009

Classic Virus Terms

Classic Viruses
Computer viruses can be classified according to their environment and infection methods. The environment is the application or operating system required by any given virus to infect files within these systems. Infection methods are the techniques used to inject the virus code into an object.
Environment
Most viruses can be found in one of the following environments:
File systems
Boot sectors
Macro environments
Script hosts
File viruses use the file system of a given operating system (or more than one) to propagate. File viruses can be divided into the following categories:
Those that infect executable files (the largest group of file viruses)
Those that create duplicates of files (companion viruses)
Those that create copies of themselves in various directories
Those that utilize file systems features (link viruses)
Boot sector viruses write themselves either to the boot sector or to the master boot record, or redirect the pointer to the active boot sector. These viruses were widespread in the 1990s, but have almost disappeared since 32-bit processors became standard and floppy disks fell out of use. It would be technically possible to write boot sector viruses for CDs and USB flash drives, but no such viruses have yet been detected.
Many word processing, accounting, editing and project applications have built-in macro scripts which automate frequently used sequences. These macro languages are often complex and include a wide range of commands. Macro viruses are written in macro languages and infect applications with built-in macros. Macro viruses propagate by exploiting macro language properties in order to transfer from an infected file to another file.
Infection Methods
The groups of viruses listed above can be sub-divided according to the technique a virus uses to infect objects.
File Viruses
File viruses use the following infection methods:
Overwriting
Parasitic
Companion
Links
Object modules (OBJ)
Compiling libraries (LIB)
Application source code
Overwriting
This is the simplest infection method: the virus replaces the code of the infected file with its own, erasing the original code. The file is rendered useless and cannot be restored. These viruses are easily detected because the operating system and affected applications will cease to function shortly after infection.
Parasitic
Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.
Parasitic viruses are grouped according to the section of the file they write their code to:
Prepending: the malicious code is written to the beginning of the file
Appending: the malicious code is written to the end of the file
Inserting: the malicious code is inserted in the middle of the file
Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.
Prepending viruses
Prepending viruses write their code to target files in two ways. In the first scenario, the virus moves the code from the beginning of the target file to the end and writes its own code to this space. In the second scenario the virus adds the code of the target file to its own code.
In both cases, every time the infected file is launched, the virus code is executed first. In order to maintain application integrity, the virus may clean the infected file, re-launch it, wait for the file to execute, and once this process is over, the virus will copy itself again to the beginning of the file. Some viruses use temp files to store clean versions of infected files. Some viruses will restore the application code in memory, and reset necessary addresses in the body, thus duplicating the work of the operating system.
Appending viruses
Most viruses fall into this category. Appending viruses write themselves to the end of the infected files. However, these viruses usually also modify the file (by changing the entry point in the file header) to ensure that the commands contained in the virus code are executed before those of the infected object.
Inserting viruses
Virus writers use a variety of methods to inject viruses into the middle of a file. The simplest methods are moving part of the file code to the end of the file or pushing the original code aside to create a space for the virus.
Inserting viruses include so-called cavity viruses; these write their code to sections of files that are known to be empty. For instance, cavity viruses can copy themselves to the unused part of exe file headers, to the gaps between exe file sections, or to text areas of popular compilers. Some cavity viruses will only infect files where a certain block contains a certain byte; the chosen block will be overwritten with the virus code.
Finally, some inserting viruses are badly written and simply overwrite sections of code which are essential for the infected file to function. This causes the file to be irrevocably corrupted.
Entry point obscuring viruses - EPOs
There is a small group of parasitic viruses, including both appending and inserting viruses, which do not modify the entry point address in the headers of exe files. EPO viruses instead write a routine that points to the virus body into the middle of the infected file. The virus code is then executed only if the routine containing the jump to the virus is called. If this routine is rarely used (e.g. a rarely triggered error notification), an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
Searching for frames and overwriting them with infected starting points
Disassembling the host file code
Changing the addresses of imported functions
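The appending and EPO descriptions above both turn on one header field, the entry point. The following is an added example (not code from the original page): a small PE header parser with the classic scanner heuristics for an entry point that has been rewritten by an appending or prepending virus (entry point in the last section, in a writable section, in a non-executable section, or outside the first code section). The `build_pe` helper constructs minimal, non-loadable header-only samples so the check runs offline; the section layouts and entry point values are constructed for illustration. As the text notes, an EPO virus leaves the entry point alone, so this particular check would not flag it.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_point_rva, [(name, rva, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[2], f[1], f[9]))  # VirtualAddress, VirtualSize, Characteristics
    return entry, sections


def entry_point_findings(data):
    """Heuristics for an entry point rewritten by an appending/prepending virus."""
    entry, sections = parse_pe(data)
    home = next((i for i, s in enumerate(sections) if s[1] <= entry < s[1] + s[2]), None)
    if home is None:
        return ["entry point lies outside every section"]
    name, _, _, chars = sections[home]
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {name}")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry point in writable section {name}")
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append(f"entry point in last section {name}")
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and home != first_code:
        findings.append(f"entry point outside the first code section ({sections[first_code][0]})")
    return findings


def build_pe(sections, entry_point):
    """Constructed, minimal PE headers for testing (header only, not a loadable program)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature right after
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(
        struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, c)
        for n, rva, size, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed samples: a normal layout, and the same layout after an appending virus has
# grown the last section, marked it executable/writable and pointed the entry point at it.
CLEAN = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                  (".rsrc", 0x4000, 0x1000, RSRC)], entry_point=0x1200)
APPENDED = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                     (".rsrc", 0x4000, 0x1800, RSRC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
                    entry_point=0x5000)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_findings(sample) or "no findings")
```

On real binaries, packers and some linkers legitimately place the entry point outside the first section, so these findings are triage hints to combine with other evidence, not verdicts.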
Companion viruses
Companion viruses do not modify the host file. Instead they create a duplicate file containing the virus. When the infected file is launched the copy containing the virus will be executed first.
This category includes viruses that re-name the host file, record the new name for future reference and then overwrite the original file. For instance, a virus might rename notepad.exe as notepad.exd and write its own code to the file under the original name. Each time the user of the victim machine launches notepad.exe, the virus code will be executed, with the original Notepad file, notepad.exd, being run afterwards.
There are other types of companion viruses which use novel infection techniques or exploit vulnerabilities in specific operating systems. For instance, path-companion viruses place their copies in the Windows system directory, exploiting the fact that this directory is first in the PATH list, so the system searches it first when launching a program. Many contemporary worms and Trojans use such autorun techniques.
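Both companion tricks described above (a same-named file that wins the launch, and a copy planted in a directory that comes earlier in PATH) show up as more than one candidate for a single program name. The following is an added example, not part of the original page: it resolves names the way the Windows command interpreter does (directory order first, then the PATHEXT extension order within a directory, where .com beats .exe) and reports every program whose name is answered by more than one file. The directory layout it scans is constructed in a temporary folder with empty placeholder files; the PATHEXT order assumed here is the Windows default.

```python
import os
import tempfile

# Default Windows PATHEXT order for the extensions a companion virus cares about;
# within one directory a .com wins over a .exe of the same name.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def launch_candidates(path_dirs):
    """Map each program stem to every file that could answer to that name,
    in the order the command interpreter would try them (dir order, then PATHEXT)."""
    found = {}
    for dir_index, directory in enumerate(path_dirs):
        try:
            names = os.listdir(directory)
        except OSError:  # missing or unreadable PATH entries are skipped
            continue
        for name in names:
            stem, ext = os.path.splitext(name.lower())
            if ext in PATHEXT:
                found.setdefault(stem, []).append(
                    (dir_index, PATHEXT.index(ext), os.path.join(directory, name)))
    return {stem: [p for _, _, p in sorted(entries)] for stem, entries in found.items()}


def shadowed_programs(path_dirs):
    """Programs with more than one candidate: the first entry is what actually runs,
    the rest are shadowed. Both companion and path-companion layouts land here."""
    return {stem: c for stem, c in launch_candidates(path_dirs).items() if len(c) > 1}


def build_demo():
    """Constructed layout: a 'system' dir first in PATH holding a planted notepad.com
    beside the real notepad.exe, and an app dir with a second notepad.exe."""
    root = tempfile.mkdtemp()
    sysdir, appdir = os.path.join(root, "system"), os.path.join(root, "app")
    layout = {sysdir: ["notepad.exe", "notepad.com", "calc.exe"],
              appdir: ["notepad.exe", "tool.exe"]}
    for directory, files in layout.items():
        os.makedirs(directory)
        for f in files:
            open(os.path.join(directory, f), "wb").close()  # empty placeholder, not a program
    return [sysdir, appdir]


if __name__ == "__main__":
    for stem, chain in shadowed_programs(build_demo()).items():
        print(f"{stem}: runs {chain[0]}; shadows {chain[1:]}")
```

On a live system you would pass `os.environ["PATH"].split(os.pathsep)` instead of the demo list and then check the signature and hash of every winning candidate that is not where you expect the program to live.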
Other infection techniques
Some viruses do not use executable files to infect a computer, but simply copy themselves to a range of folders in the hope that sooner or later they will be launched by the user. Some virus writers give their viruses names such as install.exe or winstart.bat in order to persuade the user to launch the file containing the virus.
Other viruses copy themselves to compressed files in formats such as ARJ, ZIP and RAR, while still others write the command to launch an infected file to a BAT-file.
Link viruses also do not modify host files. However, they force the operating system to execute the virus code by modifying the appropriate fields in the file system.
Boot Sector Viruses
The boot viruses currently known infect the boot sectors of floppy disks and the boot sector or Master Boot Record (MBR) of the hard disk. Boot viruses rely on the algorithm used to launch the operating system when the computer is switched on or rebooted. Once the necessary checks of memory, disks etc. have been carried out, the system boot program reads the first physical sector of the boot disk (A:, C: or the CD-ROM, depending on the parameters configured in BIOS Setup) and passes control to this sector.
When infecting disks, a boot virus will substitute its code for that of a program which gains control when the system launches. In order to infect the system, the virus will force the system to read the memory and hand over control not to the original boot program, but the virus code.
Floppy disks can only be infected in one way: the virus writes its code in place of the original code of the disk's boot sector. Hard disks can be infected in three ways: the virus either writes its code in place of the MBR code, or in place of the boot sector code of the boot partition, or modifies the address of the active boot sector in the Disk Partition Table in the hard disk MBR.
In the vast majority of cases, when infecting a disk the virus will move the original boot sector (or MBR) to another sector of the disk, often the first empty one. If the virus is longer than the sector, then the infected sector will contain the first part of the virus code, and the remainder of the code will be placed in other sectors, usually the first free ones.
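The three hard-disk infection routes above leave traces in exactly two places: the 446 bytes of bootstrap code and the 64-byte partition table. The following is an added example, not code from the original page: a parser for a raw 512-byte MBR, a `record_baseline` step an administrator runs while the disk is known clean, and a `check_mbr` step that reports whether the bootstrap code or the active partition's start address has changed since then. The sample sectors are constructed in `make_mbr`; the "boot code" in them is a placeholder byte pattern, and the partition offsets are made up for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446  # the 64-byte partition table starts here; the 0x55AA signature follows it


def parse_mbr(sector):
    """Split an MBR into its bootstrap code and four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        start_lba, size = struct.unpack_from("<II", sector, off + 8)
        entries.append({"flag": sector[off], "type": sector[off + 4],
                        "start_lba": start_lba, "sectors": size})
    return sector[:PART_TABLE], entries


def record_baseline(sector):
    """What to store while the disk is known clean: code hash and active partition start."""
    code, entries = parse_mbr(sector)
    active = [e for e in entries if e["flag"] == 0x80]
    return {"code_sha256": hashlib.sha256(code).hexdigest(),
            "active_start_lba": active[0]["start_lba"] if active else None}


def check_mbr(sector, baseline):
    """Compare a freshly read MBR against the baseline; each string is a finding."""
    code, entries = parse_mbr(sector)
    findings = []
    if hashlib.sha256(code).hexdigest() != baseline["code_sha256"]:
        findings.append("bootstrap code differs from recorded baseline")
    active = [e for e in entries if e["flag"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append(f"invalid boot flag 0x{e['flag']:02x}")
    if active and active[0]["start_lba"] != baseline["active_start_lba"]:
        findings.append(f"active partition start moved from "
                        f"{baseline['active_start_lba']} to {active[0]['start_lba']}")
    return findings


def make_mbr(code, entries):
    """Constructed MBR: code padded into 446 bytes plus (flag, type, start, size) entries."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (flag, ptype, start, size) in enumerate(entries):
        off = PART_TABLE + 16 * i
        sector[off], sector[off + 4] = flag, ptype
        struct.pack_into("<II", sector, off + 8, start, size)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples. The "boot code" is a placeholder pattern, not a real boot loader.
GOOD_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 100
TABLE = [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 500_000)]
CLEAN = make_mbr(GOOD_CODE, TABLE)
BASELINE = record_baseline(CLEAN)
# Case 1: the bootstrap code was replaced (the original sector moved elsewhere on disk).
CODE_TAMPERED = make_mbr(b"\xEB\xFE" + GOOD_CODE[2:], TABLE)
# Case 2: code untouched, but the active entry now points at sector 63 instead of 2048.
TABLE_TAMPERED = make_mbr(GOOD_CODE, [(0x80, 0x07, 63, 1_000_000), TABLE[1]])

if __name__ == "__main__":
    for label, s in (("clean", CLEAN), ("code", CODE_TAMPERED), ("table", TABLE_TAMPERED)):
        print(label, check_mbr(s, BASELINE) or "no findings")
```

To use it on a real machine, read the first 512 bytes of the raw disk device with administrative rights, record the baseline once, and re-run the check from boot media so a resident virus cannot serve a clean-looking sector back to you.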
Macro Viruses
The most widespread macro viruses are for Microsoft Office applications (Word, Excel and PowerPoint) which save information on OLE2 (Object Linking and Embedding) format. Viruses for other applications are relatively rare.
The actual location of a virus within an MS Office file depends on the file format, which in the case of Microsoft products is extremely complex. Every Word document, Office 97 file or Excel table is composed of a sequence of data blocks (each of which has its own format) which are linked by service data. Due to the complex format of Word, Excel and Office 97 files, it is easiest to use a diagram to show the location of a macro virus in such a file:
Uninfected document or table file  | Infected document or table file
-----------------------------------|--------------------------------
File header                        | File header
Service data (directories, FAT)    | Service data (directories, FAT)
Text                               | Text
Fonts                              | Fonts
Macros (if any)                    | Macros (if any)
                                   | Virus macros
Other data                         | Other data
When working with documents and tables, MS Office carries out a number of different actions: the application opens the document, saves it, prints it, closes it etc. For each of these, MS Word will search for and execute the appropriate built-in macro. For example, using the File/Save command will call the FileSave macro, the File/SaveAs command will call the FileSaveAs macro, and so on, always assuming that such macros are defined.
There are also auto macros, which will be automatically called in a range of situations. For instance, when a document is opened, MS Word will check the document for the presence of the AutoOpen macro. If the macro is found, Word will execute it. When a document is closed, Word will execute the AutoClose macro; when Word is launched, the application will execute the AutoExec macro, etc. These macros are executed automatically, without any action from the user, as are macros (functions) which are associated either with a particular key, or with a specific time or date.
As a rule, macro viruses which infect MS Office files will use one of the techniques described above. The virus will either contain an auto macro (automatic function) or one of the standard system macros (associated with a menu item) will be redefined, or the virus macro will be automatically called by a certain key stroke or key combination. Once the macro virus has gained control, it will transfer its code to other files, usually ones which are currently being edited. More rarely, the viruses will search disks for other files.
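The three trigger styles just listed (auto macros, redefined command macros, and key- or time-bound macros) can all be recognised from procedure names and a couple of object-model calls once the VBA source has been extracted. The following is an added example, not from the original page: a classifier that reads VBA source text and reports which procedures are auto macros, which override a built-in command such as FileSave, and which lines register a key or timer trigger. It assumes the source has already been pulled out of the OLE2 container (for instance with a tool such as oletools' olevba); the two modules it analyses are constructed samples, and the name lists cover the common Word/Excel names rather than every possible one.

```python
import re

# Names Word/Excel run without a menu command: the auto macros from the text plus the
# VBA event procedures that play the same role in Office 97 and later.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
               "document_open", "document_close", "document_new",
               "workbook_open", "workbook_close"}
# Built-in command names a macro can redefine (File/Save -> FileSave, and so on).
COMMAND_MACROS = {"filesave", "filesaveas", "fileopen", "fileclose", "fileprint",
                  "filenew", "toolsmacro", "viewvbcode"}
PROC_RE = re.compile(r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)
# Key- and time-bound registration calls from the Word/Excel object models.
TRIGGER_RE = re.compile(r"\b(?:Application\.)?(?:OnKey|OnTime)\b|\bKeyBindings\.Add\b")


def classify_macros(vba_source):
    """Bucket every procedure by how it can be triggered; list trigger-registration lines."""
    result = {"auto": [], "command": [], "other": [], "triggers": []}
    for name in PROC_RE.findall(vba_source):
        key = name.lower()
        bucket = "auto" if key in AUTO_MACROS else "command" if key in COMMAND_MACROS else "other"
        result[bucket].append(name)
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        if TRIGGER_RE.search(line):
            result["triggers"].append((lineno, line.strip()))
    return result


def is_auto_executing(vba_source):
    """True when something in the module can run without the user invoking a macro."""
    r = classify_macros(vba_source)
    return bool(r["auto"] or r["command"] or r["triggers"])


# Constructed sample: an auto macro, a redefined command macro and a key binding.
SAMPLE_VBA = """\
' Constructed sample module for illustration only
Sub AutoOpen()
    Call Helper
End Sub

Sub FileSaveAs()
    Call Helper
End Sub

Private Sub Helper()
    Application.OnKey "^s", "Helper"
End Sub
"""

# Constructed benign module: a plain formatting macro the user runs by hand.
BENIGN_VBA = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, is_auto_executing(src), classify_macros(src))
```

A hit here means "this document can run code on open, save or keystroke", which is the property worth blocking or quarantining at a mail gateway; whether the code is actually malicious still needs the body of the procedures inspected.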
Script Viruses
Script viruses are a subset of file viruses, written in a variety of script languages (VBS, JavaScript, BAT, PHP etc.). They either infect other scripts e.g. Windows or Linux command and service files, or form a part of multi-component viruses. Script viruses are able to infect other file formats, such as HTML, if the file format allows the execution of scripts.

Win32 Virus

Virus.Win32.Nsag.a is a detection for an infected copy of the Windows wininet.dll file. The purpose of this infection is to transfer calls to the HttpSendRequest function to a malicious .dll file.
There are several pieces of malware which install Virus.Win32.Nsag.a, (often referred to as Smitfraud). Smitfraud and Nsag are quite similar, and have the following in common:
When the malware which installs Nsag is run, two main .dll files are dropped into the system directory.
One of these .dll files is around 7 KB in size, and is usually named oleadm.dll. It serves as AdWare/Trojan-Downloader. Normally this file is detected as Trojan-Downloader.Win32.Agent.ns.
The other file however, oleadm32.dll, is an infected copy of the system's wininet.dll file, an important Windows file. In some cases infection corrupts the file, which will result in a crash of explorer.exe when the file is loaded.
The malware uses a technique to ensure that oleadm32.dll will replace the system's wininet.dll file without warning when the infected system is restarted.
There are quite a few variants of Smitfraud. They are best known for altering the desktop wallpaper. In most cases the changed wallpaper displays a message about a 'Trojan-Spy.HTML.Smitfraud.c infection'.
These wallpapers are dropped into the system directory as ws.bmp, which will be detected by Kaspersky Anti-Virus as not-virus:BadJoke.Win32.Nsag.a.


Removal instructions
Make sure Kaspersky Anti-Virus is up to date.
Perform a full system scan and disinfect or delete all objects detected as infected.
Navigate to %sysdir% (Most likely C:\Windows\System32)
Find wininet.dll and rename it to wininet.dl
Wait a few moments. A new, clean version of wininet.dll should appear
Reboot the system and disinfect or delete the infected wininet.dl file

Monday, February 23, 2009

Starting with Email Forging..

Email forging is the most common form of IP theft attack that is commonly seen nowadays.
You may receive a mail from Bill Gates offering you a job.
Or your boss sending you an abusive mail.
Think before you act, because the original sender may be some other person spoofing as the host whose name is visible to you.
  • Root cause with the email forging is that there are lots of Relay servers on the Internet that allow relay connection to any user in the world.

Another form of email forging is carried out by using fake accounts on the Internet web based email providers.

Actually there is no perfect solution to this problem yet. You can block such mails by simply marking them as a phishing scam.

Many may not know what a Phishing Scam is.

Phishing Scam reporting maintains a list of forging mail servers over the entire Internet and helps block mail from them by marking them as Junk.

So the next time you receive such a mail, please do mark it as a Phishing Scam so as to help protect others also.

Thank you.
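The post above says the visible sender name is not the real origin and that open relays make this possible. A practitioner's first check is therefore the header trail rather than the From line. The following is an added example, not part of the original post: it parses a raw message with Python's standard `email` module and reports two inconsistencies, a Return-Path whose domain differs from the From domain, and an oldest Received hop (the server that first accepted the message) that does not belong to the From domain. Both messages it analyses are constructed, using reserved example domains and documentation IP ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Domain part of an address header such as From or Return-Path (lower-cased)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def origin_host(msg):
    """Host named in the oldest Received header, i.e. where the message first entered
    the relay chain. Servers prepend Received lines, so the oldest is the last one."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", received[-1])
    return m.group(1).lower() if m else None


def same_org(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))


def forgery_findings(raw_message):
    """Each returned string is one header inconsistency worth a closer look."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    return_domain = _domain(msg["Return-Path"])
    origin = origin_host(msg)
    findings = []
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    if origin is None:
        findings.append("no Received chain")
    elif not same_org(origin, from_domain):
        findings.append(f"first hop {origin} is not a {from_domain} server")
    return findings


# Constructed sample: a message claiming to be from the boss, but handed to the company
# mail server by an unrelated relay and bouncing to a third domain.
FORGED = """\
Return-Path: <bounce@relay-example.net>
Received: from mail.yourcompany-example.com (mail.yourcompany-example.com [203.0.113.10])
    by mx.yourcompany-example.com with ESMTP; Mon, 23 Feb 2009 10:00:00 +0000
Received: from open-relay-example.net (unknown [198.51.100.7])
    by mail.yourcompany-example.com with SMTP; Mon, 23 Feb 2009 09:58:00 +0000
From: "Your Boss" <boss@yourcompany-example.com>
To: you@yourcompany-example.com
Subject: Urgent

Send me the files now.
"""

# Constructed sample: the same sender, this time genuinely submitted through the company server.
GENUINE = """\
Return-Path: <boss@yourcompany-example.com>
Received: from mail.yourcompany-example.com (mail.yourcompany-example.com [203.0.113.10])
    by mx.yourcompany-example.com with ESMTP; Mon, 23 Feb 2009 10:00:00 +0000
From: "Your Boss" <boss@yourcompany-example.com>
To: you@yourcompany-example.com
Subject: Weekly report

Please send the report by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, forgery_findings(raw) or "headers consistent")
```

Treat the result as a triage signal: mailing lists and forwarding legitimately produce a different Return-Path, and anything before the first hop your own server recorded can itself be fabricated, so only the Received lines added by servers you trust are evidence.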

Introduction

Hello Dear Friends.
I am hackerp.007 here to help you out with some of the problems that you wished to solve without getting into the details of how they have occurred.
  • Are you receiving abusive email from an unknown email id?
  • Is your computer operating really slow?
  • Does your computer always remain infected with a virus? And you are not able to remove it? Thinking of getting an antivirus? Well friends, do give it a second thought, because most anti-virus products are lacking in protecting your computer from the new viruses in the market.
  • Are you a victim of Facebooking or IP theft in Orkut? If yes, then here I am to solve your problems..
All you need to do is post a query here or just mail me at hackerp.007@gmail.com
Surely there will be a solution to your problems.
Also we will be concentrating on making your computer more safe
with some easy tips and tricks that you can implement yourself.
So here it goes....
Hope you enjoy...the tour