Monday, June 13, 2011

Worm Win32.Zafi.B and its removal

The new internet worm Zafi.B spreads very fast, mainly via e-mail attachments but also via file-sharing networks.

The message subject and body text differ depending on the domain extension of the recipient's e-mail address. Target e-mail addresses are collected on the local computer, extracted from several kinds of files such as temporary internet files and e-mail address books.

Once the file has been executed, it does the following:

1. Creates the mutex _Hazafibb
2. Prevents execution of processes whose names contain regedit, msconfig or task (e.g. regedit, taskman, taskmon, mstask, msconfig)
3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe
4. Checks whether the computer is connected to the internet by attempting to contact google.com or microsoft.com
5. Searches for e-mail addresses in files with the extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina
7. Stores the e-mail addresses found in randomly named .dll files in the %SYSTEM% folder
8. Creates the following registry key and entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
9. Uses its own SMTP engine to send itself to the harvested e-mail addresses. It attempts to obtain an SMTP server address by prepending smtp., mx. etc. to the domain of the harvested address, or falls back to a default SMTP address.
10. Creates copies of itself in folders whose names contain "share" or "upload", as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
11. Creates a thread that attempts to flood (denial of service): www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
12. May create the files C:\SYS.TXT and _upload.exe
13. Contains the following string:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

Removal:

All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you can also use one of these free online scanners: Trend Micro's free online scanner Housecall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.

Because Zafi.B may disable or overwrite existing antivirus products on infected machines, you may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, reinstall it once your system is free of Zafi.

The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you are not familiar with the Registry Editor, you should probably use one of the removal tools mentioned above. While we highly recommend backing up your registry before editing, be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from that backup at a later date. Once your system has been cleaned and is operating properly, you may want to delete the backup that contains the Zafi.B entries.

1. Turn off System Restore if you are using Windows ME or XP. When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the worm may come back and re-infect the machine later.
2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows does not allow you to delete files in use by running processes, restarting is necessary. Safe Mode prevents Windows from loading most drivers and autorun entries, so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit, which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. IMPORTANT: During detection, your antivirus software should produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (the name depends on the scanner). The files will be copies of the worm stored in the Windows system folder and in the shared folders mentioned above. Set your antivirus to delete them; if it does not, delete them manually.
5. Make a backup of the registry before you edit. Then delete the Run value associated with Zafi.B from the registry. Under the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
delete the value:
"_Hazafibb"="%SYSTEM%\%random%.exe"
Also delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
6. Exit the Registry Editor.
7. Re-enable System Restore and reboot the machine.
8. Re-scan to be sure all files are clean.

In answer to the question:
"I apparently received an email that had the win32.zafi.b trojan attached to it. I have a sister who uses my computer and she opened it accidently, or so she says. Anyway, how do I remove this? Anyone know? Can I restore my PC to a previous date before the infection? Will McAfee Stinger detect this and correct things?"

Thursday, June 9, 2011

Win32.Rootkit

Win32.Rootkit is a very malicious item designed to allow remote access to your computer, to occupy a large share of precious system resources, and to trace your Internet habits in order to record or steal your personal information.

How to tell if the computer is infected by malware such as Win32.Rootkit?
The symptoms of Win32.Rootkit vary widely, ranging from slow PC performance to loss of important data. If you are experiencing any of the symptoms listed below, chances are you have Win32.Rootkit or another risky unwanted program installed on your computer:

Sudden slow PC performance

Win32.Rootkit can use a lot of your system resources to track your computer activity or deliver pop-up ads, which may greatly slow down the computer or even make it crash randomly. If you have recently been getting a lot of system crashes, the computer is running much slower than usual, or you cannot access your hard drive properly, your computer is very likely infected and should be taken care of.

E-mail problems

Win32.Rootkit can collect your e-mail address book and send it to a spammer, and can send unexpected e-mail messages from your computer without your knowledge. If you get a lot of bounced e-mails or notice that thousands of e-mails were sent without your permission, it is possible that your computer is infected.

Constant unwanted ads

Win32.Rootkit will interrupt you with annoying pop-up ads for adult or other objectionable web sites. If it is controlled by hackers, it can make your computer completely useless once you visit a website in which malicious programming or code has been planted.

Unexpected desktop icons, Toolbars or homepages

Win32.Rootkit or other threats may record and reset your account settings or change your default homepage to a different one, which sometimes cannot be changed back. It can also add new desktop items or toolbars to Internet Explorer without letting you know.


Saturday, June 4, 2011

How to tell if the computer is infected by malware such as Win32.Injector.CCQ?

The symptoms of Win32.Injector.CCQ vary widely, ranging from slow PC performance to loss of important data. If you are experiencing any of the symptoms listed below, chances are you have Win32.Injector.CCQ or another risky unwanted program installed on your computer:

Sudden slow PC performance

Win32.Injector.CCQ can use a lot of your system resources to track your computer activity or deliver pop-up ads, which may greatly slow down the computer or even make it crash randomly. If you have recently been getting a lot of system crashes, the computer is running much slower than usual, or you cannot access your hard drive properly, your computer is very likely infected and should be taken care of.

E-mail problems

Win32.Injector.CCQ can collect your e-mail address book and send it to a spammer, and can send unexpected e-mail messages from your computer without your knowledge. If you get a lot of bounced e-mails or notice that thousands of e-mails were sent without your permission, it is possible that your computer is infected.

Constant unwanted ads

Win32.Injector.CCQ will interrupt you with annoying pop-up ads for adult or other objectionable web sites. If it is controlled by hackers, it can make your computer completely useless once you visit a website in which malicious programming or code has been planted.

Unexpected desktop icons, Toolbars or homepages

Win32.Injector.CCQ or other threats may record and reset your account settings or change your default homepage to a different one, which sometimes cannot be changed back. It can also add new desktop items or toolbars to Internet Explorer without letting you know.


How to remove Win32.Injector.CCQ manually?

1. Boot your computer into Safe Mode to close all running processes.
2. Remember to back up your system before making any changes, so that you can restore it later if necessary.
3. Remove these Win32.Injector.CCQ files:
%Documents and Settings%\All Users\Application Data iosejgfse.dll
%Documents and Settings%\[UserName]\Desktop\Protection Center Support.lnk
4. Open the Registry Editor and delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'WarnOnPostRedirect' = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall�1
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_CURRENT_USER\Software\Paladin Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments 'SaveZoneInformation' = '1'
5. It is possible for Win32.Injector.CCQ to load by hiding within the system WIN.INI file, using the "run=" and "load=" strings. Check these carefully in order to remove it thoroughly from your computer.
6. Clean the IE temporary files, where the original carrier may be stored.
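As an added example for step 5 (not code from the original post), the following Python audits the run= and load= lines of a WIN.INI text; the file content here is a constructed sample, and on a real machine you would read %WINDIR%\win.ini.

```python
"""Parse WIN.INI and report every program started from run= or load= in the
[windows] section. Added example; SAMPLE_WIN_INI is constructed."""
from typing import Dict, List, Tuple

STARTUP_KEYS = ("run", "load")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: lower-cased section and key names, ';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_startup_entries(text: str) -> List[Tuple[str, str]]:
    """Return (key, program) pairs for every program listed under run= or
    load= in [windows]. On a clean system both values are empty, so any hit
    is something to investigate."""
    windows = parse_ini(text).get("windows", {})
    found = []
    for key in STARTUP_KEYS:
        # Windows accepts several programs separated by commas or spaces;
        # this simplification mis-splits paths that themselves contain spaces.
        for program in windows.get(key, "").replace(",", " ").split():
            found.append((key, program))
    return found


# Constructed sample (not a real WIN.INI): load= is clean, run= is not.
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[windows]
load=
run=C:\\Example\\hidden.exe
[extensions]
"""

if __name__ == "__main__":
    for key, program in find_startup_entries(SAMPLE_WIN_INI):
        print(f"{key}= starts {program}")
```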


How to remove Win32.Injector.CCQ from your computer?

Win32.Injector.CCQ should be removed in Safe Mode with Networking to ensure a more thorough removal: reboot the computer, repeatedly pressing F8, and choose “Safe Mode with Networking” from the menu. However, for a safer and quicker removal process I recommend PC Safe Doctor, since Win32.Injector.CCQ always hides itself in the deepest parts of the computer or disguises some of its files as legitimate system files. If all of its related entries are not removed completely, serious problems such as frequent program lock-ups and system crashes will follow one after another.

Recommended solution to remove Win32.Injector.CCQ:
1) Download PC Safe Doctor on your computer.
2) Run PC Safe Doctor after finishing the installation.
3) Click “Start Online Scan” to thoroughly scan your computer.
4) If Win32.Injector.CCQ is detected after the scan, simply click “Remove” to delete this malicious item.

However, if you are sure that you fully understand how the harmful Win32.Injector.CCQ works, you can try removing it manually.

What is Win32.Injector.CCQ?

Win32.Injector.CCQ is a very malicious item designed to allow remote access to your computer, to occupy a large share of precious system resources, and to trace your Internet habits in order to record or steal your personal information.


Wednesday, May 11, 2011

Why does the number of threats stopped go down?

"On TrendMicro, the list of "Threats stopped" in the past month sometimes goes down rather than up, sometimes by a huge amount in one day. Could this signify a threat that was previously thought to have been stopped but now isn't? Why would it do this?"

This is the normal behaviour of this product. It consumes a lot of CPU capacity and slows down the process. You may use Trend Micro Smart Protection Network for better performance. It also depends on RAM, processor speed, network bandwidth, etc. You may follow the link here to clear up the concept, especially the Troubleshooting chapter.

Tuesday, May 10, 2011

How to Remove Fake AV Software

Trojan.FakeAV.3510
Manipulates the Windows HOSTS file and blocks antivirus

This fake antivirus makes a habit of blocking a whole list of security software and of redirecting the Windows hosts file on the victim's computer, so that once the infection succeeds the sites of security service providers can no longer be reached. Hosts file tampering is something computer users need to watch out for, especially users of internet banking: combined with a phishing website and the right social engineering technique, a hosts redirect has the potential to cause break-ins on internet banking accounts, even when the account is protected by a PIN calculator / token (two-factor authentication). That is why it is important for those of you who use internet banking to use an antivirus with hosts file protection features, such as those provided by Dr.Web Security Space.
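As an added example (not code from the original post or from Dr.Web), the Python below parses a Windows hosts file, the file at C:\Windows\System32\Drivers\Etc\Hosts that this Trojan modifies, and separates the two abuses the text describes: a security vendor's site pointed at loopback (blocked) and a banking site pointed at a foreign address (redirected). WATCHED_DOMAINS is an assumed watch list and SAMPLE_HOSTS is constructed.

```python
"""Detect and strip hosts-file hijacks of watched domains.
Added example; the watch list is assumed and the hosts text is constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Assumed watch list: security vendors whose sites a fake AV typically
# blocks, plus a constructed banking domain for the phishing case.
WATCHED_DOMAINS = {"virusbuster.hu", "drweb.com", "mybank.example"}


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<ip> <name> [<name>...]' lines; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid mapping line; ignore it
        entries.append(HostsEntry(line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, hostname, verdict) for each watched domain the
    hosts file overrides: a loopback address means the site is blocked,
    anything else is a redirect to an attacker-chosen host."""
    findings = []
    for entry in parse_hosts(text):
        for host in entry.hostnames:
            if is_watched(host):
                blocked = ipaddress.ip_address(entry.ip).is_loopback
                verdict = "blocked" if blocked else f"redirected to {entry.ip}"
                findings.append((entry.line_no, host, verdict))
    return findings


def clean_hosts(text: str) -> str:
    """Return the hosts text with hijacking lines removed, all others untouched."""
    bad_lines = {line_no for line_no, _, _ in find_hijacks(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample, not a capture from a real infection.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virusbuster.hu
127.0.0.1       download.drweb.com
203.0.113.7     www.mybank.example   # bank site sent to a phishing host
"""

if __name__ == "__main__":
    for line_no, host, verdict in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} {verdict}")
    print(clean_hosts(SAMPLE_HOSTS))
```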

The characteristics and symptoms of the virus
The virus is written in the Visual Basic programming language, is about 62 KB in size and uses the Visual Basic icon. One recognisable characteristic is that each time the user opens Internet Explorer it displays a website [http://www.qseach.com/?ref=kzCXow ==] resembling the www.google.com search engine.

Parent virus file
When the user runs the parent virus file, it displays an error message and then creates a master file that is run automatically when the computer boots.

Blocking Windows functions
To make cleaning difficult for the user, it blocks some Windows functions, such as Task Manager, MSCONFIG, CMD (Command Prompt), Regedit and Folder Options, by making changes to the registry.

Blocking security software
In addition to blocking Windows functions, it blocks security tools / software, including antivirus programs, by reading the window caption text and by setting a debugger (redirect) so that the virus file in the directory [C:\Documents and Settings\%username%\132616c4\winlogon.exe] runs instead. To set up the debugger (redirect), it creates a string in the registry.

Changing the USB flash drive icon
This virus also changes the USB flash drive's icon to a folder icon and blocks access to the drive when the user double-clicks it: double-clicking the USB flash drive automatically activates the virus.

Hiding files/folders
USB flash drives are victims again: this time it hides all files / folders on the drive and instead creates a duplicate for each hidden file / folder, with the same name, in the form of a shortcut file.
Each shortcut created targets a virus file (Ua3kmh73O3jyut4Iok.exe) prepared when the virus ran, so that opening the shortcut starts the virus; the target file is normally stored on the USB flash drive itself.

Changing the Windows hosts file
It also changes the Windows hosts file [C:\Windows\System32\Drivers\Etc\Hosts], with the result that a number of websites cannot be accessed. Here are some website addresses that are blocked.

How to purge Trojan.FakeAV.3510
1. For cleaning, you can use the Dr.Web CureIt! tool from Dr.Web antivirus. Download the tool from the following address:
http://www.freedrweb.com/cureit/?lng=en
Once the tool has been downloaded, run it by double-clicking the Dr.Web CureIt! file. When the prompt "DrWeb CureIt! - Enhanced Protection Mode" appears, click [OK]; in this mode you will not be able to do other work on the computer, which lets the cleaning process run more effectively.
This brings up the "Dr.Web Scanner for Windows - Express Scan" screen; leave it until the scan is completed. If the cleaning prompt appears when the scan is done, click [Yes to All].
For optimal cleaning, scan all drives including USB flash drives / external HDDs by selecting the [Scan complete] option.
Note:
Dr.Web antivirus will also automatically restore the Windows HOSTS file changed by Trojan.FakeAV.3510 to its initial setting. If a prompt appears saying that the Windows HOSTS file has been modified by a virus and offering to fix it, click [Yes].
Click Restart if Dr.Web antivirus prompts for a restart.

2. Fix the Windows registry entries changed by the virus. To speed up the repair, copy the script below into Notepad, save it as repair.inf and run it as follows:
Right-click repair.inf
Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default "open" commands for executable file types, the
; Winlogon shell and the Internet Explorer start/search pages.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\main, Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Search Page,0,"about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Local Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Default_Search_URL,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Default_Page_URL,0, "about:blank"

; Remove the autostart value, the policy restrictions that disable Windows
; tools, and the Image File Execution Options / firewall policies the virus set.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, 74e4144414
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFile
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall
HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, 74e4144414
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA

3. Manually delete the following registry entries:
Click the [Start] menu
Click [Run]
Type Regedit.exe, then click [OK]
Then delete the following registry strings:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers
C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers
C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Note:
%user% is the name of the user account used at Windows logon.
Fix Image File Execution Options. Download the FixImageFile files from http://rapidshare.com/files/446070146/FixImageFile.zip, then import FixImageFile_XP.reg (Windows XP) or FixImageFile_Vista_Win7.reg (Windows Vista / 7) as follows (see figure 15):
Click [Start]
Click [Run]
Type Regedit.exe and click [OK]
Once the "Registry Editor" screen appears, click the [File] menu
Click [Import]
Navigate to the FixImageFile .reg file you downloaded, then click [Open]
If the confirmation screen appears, click [OK]

4. Show the files hidden by the virus on the USB flash drive, as follows:
Click [Start]
Click [Run]
Type CMD and click [OK]
Once the Command Prompt (CMD) window appears, switch to the USB flash drive by typing %USB Flash%: and pressing Enter.

Note:

The %USB Flash% drive letter differs from machine to machine; for example, if your USB flash drive is E, type the command E:
Then type the command attrib -s -h -r /s /d and press Enter (see figure 18)
Wait a while until the process is completed.

5. For optimal cleaning, scan with an up-to-date antivirus.

Monday, May 9, 2011

What's the suitable protection level for internet-connected desktop?

I would include an antivirus (which nowadays usually includes an anti-spyware and sometimes an intrusion prevention component), an additional anti-spyware, a software firewall, and a well patched OS.
As far as I know, first of all harden the OS, then properly configure the system (background services and so on), and then look for a good Internet Service Provider. Of course, when it comes to the Internet there is obviously the question of “good antivirus and tight firewall security”…. It is also necessary to be aware of the points mentioned below:

1. Restrict internet access.
2. Password-protect internet access.
3. Block internet web sites (any unnecessary sites, or sites that may be harmful).
4. Allow one or more web sites while blocking all others.
5. Prevent any user accounts from accessing the internet.
6. Schedule internet access for any or all programs.
7. Any internet program can be protected, i.e. IE, Firefox, Google Chrome, Outlook, FTP programs, messengers, etc.

Remember that it is necessary to regularly update virus definitions and other related software too. And needless to say, always keep myself updated on security-related threats, new viruses, new hacking methods, etc.…


Friday, May 6, 2011

Malware

Malware, short for malicious software, is programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.

How Malware Attacks
Malware is a category of malicious code that includes viruses, worms, and Trojan horses. Destructive malware will utilize popular communication tools to spread, including worms sent through e-mail and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems, making its entry quiet and easy.

How Do You Know There Is Malware
Malware works to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user.

What To Do when your computer or file has Malware
Only open email or IM attachments that come from a trusted source and that are expected
Have email attachments scanned by Antivirus prior to opening
Delete all unwanted messages without opening
Do not click on Web links sent by someone you do not know
If a person on your friend list is sending strange messages, files, or web site links, terminate your IM session
Scan all files with an Internet Security solution before transferring them to your system
Only transfer files from a well known source
Use Internet Security software to block all unsolicited outbound communication
Keep security patches up to date


Thursday, May 5, 2011

How Computer Viruses Work

Computer Viruses...what are they and how do they work?
A computer virus can cause a lot of damage.
Strange as it may sound, the computer virus is something of an Information Age marvel. On one hand, viruses show us how vulnerable we are -- a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become.
For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. That's pretty impressive when you consider that


When you listen to the news, you hear about many different forms of electronic infection. The most common are:

* Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
* E-mail viruses - An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson].
* Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
* Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.


Almost every computer user in the world has heard of computer viruses. Many have even had the misfortune of experiencing a virus attack at some point.

Virus attacks are becoming more prevalent than ever before. Every year thousands of people suffer often-irrecoverable damage to their systems and data. Yet many do not even know what hit them, let alone what they can do to avoid a recurrence. It’s time to fight back.

When it comes to virus attacks, ignorance is certainly not bliss. Indeed the best possible weapon for preventing a virus attack is knowledge. We need to know how viruses enter our computer systems, how they infect our systems and how they eventually spread and cause more damage.

Before elaborating on the modus operandi of the virus, it’s better that we learn a little bit more about it. For starters, exactly what is a virus? A computer virus is most often defined as “a malicious code of computer programming”. What this means is that a computer virus is just another piece of software, only written with not so very noble intentions. A computer virus is designed to install, propagate and cause damage to computer files and data without the knowledge and/or express permission of the user. A computer virus can only survive, attack and propagate in computer memory. Computer memory is usually the RAM (and all different variations of it) and disk storage (hard, floppy and everything in between). Beyond this you will not find computer viruses in your monitor, keyboard and certainly not in your own blood stream!

The first step in any virus attack is always the invasion. This is when the virus actually enters the computer system from an outside source. Much of the effort in preventing a virus attack lies in understanding what these virus entry points are and how best to monitor and block out any possible intrusion. All viruses enter the computer system through two main entry points: the disk drives and the network adapter cards. The disk drives may be any sort of disk drive (hard, floppy, CD, Zip, Jazz and what have you). This makes any disks or CDs that you insert into these drives a possible source of virus infection. The network adapter card is most likely your computer network and/or modem card connected to the local Intranet and/or the Internet. Viruses enter through the network card most likely disguised as attachments in e-mails. These attachments are often program files and office documents containing macros. Besides this, certain web pages that we visit on the Internet may also contain harmful programming code that might transfer viruses or virus-like code into our system. To guard our systems against virus intrusion from these sources, many good anti-virus programs allow users to completely scan all files read from disk drives or downloaded from the Intranet/Internet.

How do virus infections occur? The act of infection often begins with a harmless looking action such as opening a file (like a video game or a Word document) that one often gets in e-mail attachments or while accessing any disk in a disk drive. These actions inadvertently activate the virus lurking in these files and disks. The virus then installs itself into the computer’s memory.

This is where things get nasty. After entering the computer memory, a virus often immediately sets out to multiply and spread duplicate copies of itself across the main data storage device (most often the hard disk drive). It does this by copying itself into as many files as it can find on the disk drive. Later, when users transfer or copy these files to their friends and colleagues, the virus gains entry into an ever increasing number of systems. If the virus has found its way to this level of the user’s computer, the user runs a high risk of permanent damage to data and hardware. But such a level of infection only happens to two types of users. The first are those who do not employ any kind of anti-virus measures (or if they do, it obviously isn’t doing a good job). The second are those who do have good anti-virus programs installed and running but did not bother updating their software with the latest virus data files. As a result newer viruses can actually use the anti-virus programs to infect an even greater number of files. So we can see here that having good anti-virus software isn’t enough. One must constantly keep it updated (preferably on a monthly basis).

If a virus did nothing but spread, users might not have much to worry about. But the worst is yet to come. Many viruses carry what is called a payload: a destructive routine activated by a certain trigger, such as the arrival of a particular date or an action by the user. The effect of the payload can be anything from a harmless message on screen to the destruction of the disk's boot record, leaving the disk unbootable and, without backups, its data very hard to recover. It is the latter that causes permanent loss of data and which is responsible for the virus's notorious reputation. A virus that manages to unleash its payload on a user's system indicates a serious breach of security on the user's part; it is time to learn from the experience and never give a virus a second chance.
What has been attempted here is a quick run-down of how a virus attacks our systems; it is not meant to be exhaustive, as the subject is very broad. In short, the best cure for a virus attack is a good prevention plan coupled with knowledge, caution and good, up-to-date anti-virus software.

Monday, May 2, 2011

TROJ_FAKEAV.BSM

This Trojan has an increased potential for damage, propagation, or both. Specifically, it is associated with an attack that used blackhat SEO poisoning of Google Image search results to distribute it.

This Trojan poses as legitimate antivirus software under various commercial names. Like other FAKEAV variants, TROJ_FAKEAV.BSM displays several graphical user interfaces (GUIs) to convince users that their system is infected and that they should purchase this purported cleaning software.

It gathers sensitive information from users who choose to purchase the product, including credit card and contact details.

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It deletes itself after execution.

It employs registry shell spawning: it adds registry entries that change the command Windows runs when a file of a given type (typically .exe) is opened, so the Trojan is launched whenever the user opens another application.

It displays fake alerts warning users of infection, along with fake scan results for the affected system, and asks users to purchase it once the scan completes. Users who decide to purchase the rogue product are directed to a website asking for sensitive information such as credit card numbers.
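A practical check for registry shell spawning, added here as an example and not part of the original advisory: the page does not say which entries TROJ_FAKEAV.BSM writes, so the script below audits the handlers that FAKEAV-style rogues commonly hijack, the shell\open\command values for executable file types, and flags any that differ from the Windows defaults or that have been overridden per user under HKCU (Windows builds HKCR by merging HKLM and HKCU, with the user entries taking precedence). The list of file types and the expected default commands are assumptions made for the illustration.

```powershell
# Added example: audit the "shell open" commands that registry shell spawning abuses.
# Which keys TROJ_FAKEAV.BSM modifies is not stated on the page; the file types and the
# default commands below are assumptions for this check.
$expected = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'scrfile' = '"%1" /S'
}

function Get-ShellOpenCommand {
    # Returns one object per hive in which the handler for $ProgId exists.
    param([string]$ProgId)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $key = Join-Path $hive "$ProgId\shell\open\command"
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Hive = ($hive -split ':')[0]; ProgId = $ProgId; Command = $cmd }
        }
    }
}

function Test-ShellOpenCommands {
    # Compares every handler found against the expected default and labels it.
    foreach ($progId in $expected.Keys) {
        foreach ($entry in Get-ShellOpenCommand -ProgId $progId) {
            $status = if ($entry.Command -eq $expected[$progId]) { 'OK' } else { 'SUSPICIOUS' }
            # A per-user handler normally does not exist at all; any override there is worth a look.
            if ($entry.Hive -eq 'HKCU') { $status = 'SUSPICIOUS (per-user override)' }
            [pscustomobject]@{ Status = $status; Hive = $entry.Hive; ProgId = $progId; Command = $entry.Command }
        }
    }
}

Test-ShellOpenCommands | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. Any handler whose command points at an executable rather than the bare `"%1" %*` form is a candidate for shell spawning; restore the default value only after the referenced executable has been removed, otherwise every .exe launch will fail until the key is fixed.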


How can I submit a new virus to avast ?

If you have sent the virus to the Virus Chest, open the Virus Chest, right-click the entry for the virus and select 'Email to AVAST Software'. Alternatively, send it in a password-protected zip file to virus@avast.com, making sure the password is included in the body of the e-mail.

What is qsearch.exe?

It is not really known what exactly qsearch.exe is, but there are some indications that it may be malware of some sort. That is not a definitive answer, so the sensible course is to keep virus and spyware scanning up to date and scan the system.

Corrupted File Repair is a resource for the recovery of corrupted or damaged data, system or application files. Data recovery is the process of recovering lost, missing or inaccessible data; file repair is the process of repairing corrupted system, data or application files to make them usable again.

To send a corrupted file for repair, or to request a lost or missing EXE, DLL, ZIP or RAR file, fill in an online recovery request. There is a charge for technical support to replace a corrupted or damaged system or data file, and you must hold a licence for the software application to request a replacement file; the file replacement service is for licensed owners only, as applicable law requires.