at videa

Protect yourself from Conficker

2009-08-25T16:47:00.000+07:00

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

If you are an IT professional, please visit Conficker Worm: Help Protect Windows from Conficker.

Is my computer infected with the Conficker worm?

Probably not. Microsoft released a security update in October 2008 (MS08-067) to protect against Conficker.

If your computer is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don't have the Conficker worm.

If you are still worried about Conficker, follow these steps:

Go to http://update.microsoft.com/microsoftupdate to verify your settings and check for updates.
If you can't access http://update.microsoft.com/microsoftupdate, go to http://safety.live.com and scan your system.
If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.

What does the Conficker worm do?

To date, security researchers have discovered the following variants of the worm in the wild.

Win32/Conficker.A was reported to Microsoft on November 21, 2008.
Win32/Conficker.B was reported to Microsoft on December 29, 2008.
Win32/Conficker.C was reported to Microsoft on February 20, 2009.
Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Win32/Conficker.E was reported to Microsoft on April 8, 2009.

Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option.

The Conficker worm can also disable important services on your computer.

In the screenshot of the Autoplay dialog box below, the option Open folder to view files — Publisher not specified was added by the worm. The highlighted option — Open folder to view files — using Windows Explorer is the option that Windows provides and the option you should use.

If you select the first option, the worm executes and can begin to spread itself to other computers.

The option Open folder to view files — Publisher not specified was added by the worm.

How does the Conficker worm work?

Here’s an illustration of how the Conficker worm works.

How do I remove the Conficker worm?

If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool or you may be unable to access certain Web sites, such as Microsoft Update. If you can't access those tools, try using the Windows Live safety scanner.

Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?

For additional information, see Centralized Information About the Conficker Worm.
For more technical information about the Conficker worm, see the Microsoft Malware Protection Center Virus Encyclopedia.
Bookmark the Microsoft Malware Protection Center portal and the Microsoft Malware Protection Center blog for updated information.
For symptoms and detailed information about how to remove the Conficker worm, see Help and Support: Virus alert about the Conficker Worm.
To continue to get updated information on security, sign up for the Microsoft Security for Home Computer Users newsletter.

For more information, see How to prevent computer worms and How to remove computer worms.

Stop Win32/Conficker from spreading by using Group Policy settings Notes

2009-08-25T16:38:00.001+07:00

Important Make sure that you document any current settings before you make any of the changes that are suggested in this article.
This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.

Back to the top

Create a Group Policy object

Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.

To do this, follow these steps:

Set the policy to remove write permissions to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
This prevents the randomly named malware service from being created in the netsvcs registry value.

To do this, follow these steps:
1. Open the Group Policy Management Console (GPMC).
2. Create a new GPO. Give it any name that you want.
3. Open the new GPO, and then move to the following folder:
  Computer Configuration\Windows Settings\Security Settings\Registry
4. Right-click Registry, and then click Add Key.
5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
  Software\Microsoft\Windows NT\CurrentVersion\Svchost
6. Click OK.
7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
8. Click OK.
9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
10. Click OK.
Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following folder:
  Computer Configuration\Windows Settings\Security Settings\File System
2. Right-click File System, and then click Add File.
3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
4. Click OK.
5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
6. Click OK.
7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
8. Click OK.
Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

Note Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:
- To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582 (http://support.microsoft.com/kb/950582) installed (described in security bulletin MS08-038).
- To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582 (http://support.microsoft.com/kb/950582) , update 967715 (http://support.microsoft.com/kb/967715) , or update 953252 (http://support.microsoft.com/kb/953252) installed.
To set AutoPlay (Autorun) features to disabled, follow these steps:
1. In the same GPO that you created earlier, move to one of the following folders:
  - For a Windows Server 2003 domain, move to the following folder:
    Computer Configuration\Administrative Templates\System
  - For a Windows 2008 domain, move to the following folder:
    Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
2. Open the Turn off Autoplay policy.
3. In the Turn off Autoplay dialog box, click Enabled.
4. In the drop-down menu, click All drives.
5. Click OK.
Close the Group Policy Management Console.
Link the newly created GPO to the location that you want it to apply to.
Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment.
After the Group Policy settings have propagated, clean the systems of malware.

To do this, follow these steps:
1. Run full antivirus scans on all computers.
2. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page:
  http://www.microsoft.com/security/malwareremove/default.mspx (http://www.microsoft.com/security/malwareremove/default.mspx)
  Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.

AppleScript.THT Trojan Horse New OS X Trojan Horse in the Wild SecureMac Security Advisory

2009-08-17T20:17:00.001+07:00

Security Risk: Critical

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants of the Trojan horse.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.

Until a patch is issued for the Apple Remote Desktop Agent exploit, SecureMac classifies the security risk presented by this Trojan horse as high.

Protection: To protect your system against this threat, run MacScan 2.5.2 (MacScan is a product of SecureMac) with the latest Spyware Definitions update (2008011), dated June 19th, 2008. SecureMac recommends that users download files only from trusted sources and sites.

Additional removal instructions and resources will be posted once available.

Resources:
WashingtonPost analysis on AppleScript.THT Trojan Horse

About MacScan:  MacScan quickly detects, isolates and removes spyware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later, and is compatible with OS X 10.5 (Leopard). For more information, or to download a demo version of MacScan, visit http://macscan.securemac.com.

About SecureMac:  Since 1999, SecureMac.com has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.

How Computer Viruses Work

2009-08-17T20:09:00.000+07:00

Strange as it may sound, the computer virus is something of an Information Age marvel. On one hand, viruses show us how vulnerable we are -- a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become.

For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. That's pretty impressive when you consider that many viruses are incredibly simple.

When you listen to the news, you hear about many different forms of electronic infection. The most common are:

Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
E-mail viruses - An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson].
Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.

In this article, we will discuss viruses -- both "traditional" viruses and e-mail viruses -- so that you can learn how they work and understand how to protect yourself.

Windows virus infects 9m computers

2009-08-16T20:09:00.000+07:00

The number of Windows computers infected with the new "downadup" worm – also known as "Conficker" and "Kido" – has exploded to almost 9 million worldwide, from roughly 2.4m last Thursday, according to the computer security company F-Secure.

The growth in the number of infected machines – which the company's researchers called "just amazing" – makes it one of the worst malware outbreaks of the past five years. The principal targets are corporate Windows servers belonging to small businesses who have not installed security updates released by Microsoft last October. F-Secure estimates that a third of all potentially vulnerable systems have not had the update.

But antivirus researchers are still unsure of the precise purpose of the malware, which is spreading via the internet, through unpatched corporate networks and through USB memory sticks attached to infected computers.

First discovered last October, downadup loads itself on to a computer by exploiting a weakness in Windows servers. Although the weakness was noticed and fixed by Microsoft last October, not enough people with vulnerable machines – including those running Windows XP and Vista – have installed it.

The worm can infect USB sticks and any corporate laptop that gets infected could then launch attacks if it was later connected to a home network.

The reason for the explosion in infected machines seems to be a new variant which appeared last week, updated by the hackers who wrote the original. The new one attempts to crack the passwords of machines on a network using the computing power of the infected machine to apply a "brute force" approach – so that passwords such as "admin", "password" or "123456" on potential target machines will quickly be broken.

Once it has infected a machine, the software also tries to connect to up to 250 different domains with random names every day. Researchers reckon that one of them will be the intended "control" domain, and that when the computers connect to it they will download a fresh program that will take over the infected computer.

"This makes it impossible and/or impractical for us good guys to shut them all down – most of them are never registered in the first place," the F-Secure team noted on its weblog. "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website – and they then gain access to all of the infected machines. Pretty clever."

So far, nobody knows when that domain will become active – or whether it already is. Some have tried registering the domains that the worm tries to connect to (by advancing the clock on an infected PC by a day or two, to see which ones it will connect to) – but gave up because the cost of registering domains grew too high.

McAfee, another antivirus company, points out that weaknesses in Windows are being exploited more and more quickly. In 2001, it took 335 days for a worm to appear that exploited a vulnerability already patched by Microsoft. That worm, called Nimda, nevertheless did serious damage.

Since then, the length of time between patches appearing – which hackers can use to "reverse engineer" a piece of malware that will attack the weakness – has shortened, until the latest patch appeared on the same day that an "exploit" against it was found online.

The 10 faces of computer malware

2009-08-16T20:03:00.000+07:00

The complexity of today's IT environment makes it easy for computer malware to exist, even flourish. Being informed about what's out there is a good first step to avoid problems.

With all the different terms, definitions, and terminology, trying to figure out what's what when it comes to computer malware can be difficult.

To start things off, let's define some key terms that will be used throughout the article:

Malware: malicious software that's specifically developed to infiltrate or cause damage to computer systems without the owners knowing or their permission.
Malcode: malicious programming code that's introduced during the development stage of a software application and is commonly referred to as the malware's payload.
Antimalware: includes any program that combats malware, whether it's real-time protection or detection and removal of existing malware. Antivirus, antispyware applications and malware scanners are examples of antimalware.

One important thing to remember about malware is that like its biological counterpart the number one goal is reproduction. Causing damage to a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Keeping the above definitions in mind, let's take a look at 10 different types of malware.

1: The infamous computer virus
A computer virus is malware that's capable of infecting a computer but has to rely on some other means to propagate. A true virus can only spread from the infected computer to a non-infected computer by attaching to some form of executable code that's passed between the two computers.

For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:

Replicator: When the host program is activated, so is the virus and the viral malcode's first priority is to propagate.
Concealer: The computer virus can employ one of several methods to hide from antimalware.
Payload: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.

Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality antivirus software will remove computer viruses once the application has the signature file for the virus.

2: The ever popular computer worm
Computer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (Internet) to propagate it's a worm rather than a virus.

The main components of a worm are:

Penetration tool: Malcode that leverages vulnerabilities on the victim computer to gain access.

Installer: The penetration tool gets the computer worm past the initial defense mechanism. At that point the installer takes over and transfers the main body of malcode to the victim.
Discovery tool: Once settled in, the worm uses several different methods to discover other computers on the network, including e-mail addresses, Host lists, and DNS queries.
Scanner: The worm uses a scanner to determine if any of the newly-found target computers are vulnerable to the exploits available in its penetration tool.
Payload: Malcode that resides on each victim's computer. Could be anything from a remote access application to a key logger used to capture user names and passwords.

This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners such as MBAM or GMER.

3: The unknown backdoor
Backdoors are similar to the remote access programs that many of us use all the time. They're considered malware when installed without permission, which is exactly what an attacker wants to do, by using the following methods:

One installation method used is to exploit vulnerabilities on the target computer.
Another approach is to trick the user into installing the backdoor through social engineering.

Once installed, back doors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. Malware scanners like MBAM and GMER are usually successful at removing backdoors.

4: The secretive Trojan horse
It's difficult to come up with a better definition for Trojan horse malware than Ed Skoudis and Lenny Zelter did in their book Malware: Fighting Malicious Code:

"A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality."

Trojan horse malware cloaks the destructive payload during installation and program execution, preventing antimalware from recognizing the malcode. Some of the concealment techniques include:

Rename the malware to resemble files that are normally present.
Corrupt installed antimalware to not respond when malware is located.
Polymorphic code is used to alter the malware's signature faster than the defensive software can retrieve new signature files.

Vundo is a prime example; it creates pop up advertising for rogue antispyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD is required to detect and remove it.

5: Adware/Spyware, more than an annoyance
Adware is software that creates pop-up advertisements without the user's permission. Typically the way adware gets installed is by being a component of free software. Besides being very irritating, adware can significantly decrease computer performance.

Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is very important. The Sony BMG CD copy protection scandal is probably the most notable example of spyware.

Most quality antispyware program will quickly find unwanted adware/spyware and remove it from the computer. It's also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser program as preventative maintenance.

Malware stew
Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately that's not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.

Rootkits are an example of this, integrating a Trojan horse and a backdoor into one package. When used in this combination, an attacker can gain access to a computer remotely and do so without raising any suspicion. Rootkits are one of the more important combined threats, so let's take a deeper look at them.

Rootkits: Uniquely different
Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level like most malware. That's significant, because it makes detection by antimalware that much more difficult.

There are several different types of rootkits, but three make up the vast majority of those seen in the wild. They are user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:

User mode: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. Due to the restricted access, crashes in user mode are recoverable.
Kernel mode: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel mode aren't recoverable.

6: User-mode rootkits
It's now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:

User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.
User-mode rootkits remain installed by copying required files to the computer's hard drive, automatically launching with every system boot.

Hacker Defender is one example of a user-mode rootkit and luckily Mark Russinovich's well-known application Rootkit Revealer is able to detect it as well as most other user-mode rootkits.

7: Kernel-mode rootkits
Since rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits:

Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software.
This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.

Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. It's one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits like Rustock.

8: Firmware rootkits
Firmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware.

This means that:

When the computer is shut down the rootkit writes the current malcode to the specified firmware.
Restart the computer and the rootkit reinstalls itself.

Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

9: Malicious mobile code
In relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. First, let's define mobile code as software that's:

Obtained from remote servers.
Transferred across a network.
Downloaded and executed on a local system.

Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It's the dynamic page content that makes Web browsing an interactive experience.

What makes mobile code malicious? Installing it without the owner's permission or misleading the user as to what the software does. To make matters worse, it's usually the first step of a combined attack, similar to the penetration tool used by trojan horse malware. After which the attacker can install additional malware.

The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software is up to date.

10: Blended threat
Malware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. That said, blended threats deserve special mention as security experts grudgingly admit they're the best at what they do.

A blended threat typically includes the following abilities:

Exploit several known vulnerabilities or even create vulnerabilities.
Incorporate alternate methods for replicating.
Automate code execution, which eliminates user interaction.

Blended threat malware for example may send an HTML e-mail message containing an embedded Trojan horse along with a PDF attachment containing a different type of Trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several different pieces of antimalware as well as using malware scanners installed on a LiveCD.

Final thoughts
Malware: is it even possible to reduce the harmful effect it causes? Here are a few final thoughts on that subject:

Malware isn't going away any time soon. Especially when it became evident that money, lots of money can be made from its use.
Since all antimalware applications are reactionary, they are destined to fail.
Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment in.
It cannot be stressed enough, please make sure to keep operating system and application software up to date

Scam Antivirus App Spreads Malware

2009-08-16T19:52:00.001+07:00

Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1.

The app is one of a number of bogus security products which promise to provide protection against the latest online threats, but instead have been designed to spread malware or hold users' PCs to ransom.

But if you use the internet to research Anti-virus-1, it's possible you'll find a number of glowing reviews, because the tool is posting fake articles online which appear to be endorsed by a number of the web's top tech sites - including PC Advisor.

In reality, the likelihood of you coming across a Anti-virus-1 review is slim. According to Lawrence Abrams, owner of technology site BleepingComputer.com, fake reviews will only be seen by those who install the rogue security app.

He said that when he installed Anti-virus-1 - which also goes by the name Antivirus2010 - it added a series of entries into the Windows hosts file which direct users to what appear to be the websites of a number of UK and US tech sites.

"By adding these entries into your HOSTS file, it will make it so that if you go to any of the websites listed, instead of going to the legitimate site, you will instead be redirected to a site under the control of the developers of Anti-virus-1 and not realise you are doing so," said Abrams on his site.

That means those with Anti-virus-1 running on their PC may be directed to bogus reviews such as the one in the screenshot below.

The software has never been tested by PC Advisor, and the fake review is not hosted on the PC Advisor site. Other sites apparently targeted by the scam include PC Magazine and TechRadar.

Abrams warned that, once installed, Anti-virus-1 also issues fake security alerts, screen savers showing a blue screen crash caused by spyware and Internet Explorer hijacks. He's provided tips on how to remove Anti-virus-1/Antivirus 2010 on his website - although we've yet to test the procedure.

Conficker virus activates in a bid to aid cybercriminals

2009-08-16T19:42:00.001+07:00

The Conficker virus, which has infected millions of computers around the world, is finally activating itself in a bid to become a money-making machine for cybercriminals.

Infected machines have started to update themselves and download a fake anti-virus program aimed at tricking users into paying out for useless security software, security researchers said.

The virus may also be destined to be used by its cybercriminal creators to send millions of spam emails and steal passwords from infected computers by creating a "botnet" of "zombie" machines.

Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker began showing activity on Tuesday, nearly a week after the expected April 1 activation date that had computer security experts on alert around the world.

Infected machines were contacting each other to download new malicious software, he said.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update," Macalintal wrote in a post on the TrendLabs Malware blog. "The Conficker/Downad P2P communications is now running in full swing!"

Other researchers at Kaspersky Labs found that Conficker was downloading a fake $49.95 security scanner called Spyware Protect 2009, which may mean millions of Conficker-infected machines will start getting pop-up messages advertising the product.

The latest version of Conficker is also downloading another, separate worm called Waledac onto the infected systems. Waledac is a known botnet linked to data theft and email spam campaigns.

Paul Ferguson at internet security company Trend Micro noted: "Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about — these criminals are motivated by one thing: money.

"How was Downad/Conficker helping them meet their goals? It wasn’t. A very large botnet of compromised computers doesn’t make money if it justs 'sits there' doing nothing. So now we see that the Downad/Conficker botnet has awakened, and perhaps their desire to monetising their efforts is becoming more clear."

Waledac usually spreads via a malicious web link or an e-mail, typically a fake greeting card. Once it infects a numer of machines they can be remotedly controlled to send scam emails advertising medical products or phishing messages.

The Conficker virus started spreading late last year. At first it was a relatively simple worm but its creators issued updates turning it into a more sophisticated and resilient virus that has found new ways to spread. It has also gained the ability to shut down a computer's defences

Conficker infects machines by exploiting a weakness in Windows, the software that runs on most computers. At its peak it had compromised about 12 million PCs, although that may have fallen to about two million thanks to new security measures.

Once the worm is on a computer, that PC becomes part of a “botnet” – a network of computers that can be controlled by the virus's creator.

In the past year the virus has spread to computers in schools, hospitals and government departments. It has got into the defence forces of Britain, Germany and France, grounding the French Navy's fighter jets for a time.

A task force assembled by Microsoft has been working to stamp out the worm and the company has placed a bounty of $250,000 on the heads of those responsible for the threat.

The worm, a self-replicating program, takes advantage of networks or computers that have not kept up to date with Windows security patches. Microsoft has modified its free Malicious Software Removal Tool to detect and get rid of Conficker.

Among the ways one can tell if their machine is infected is that the worm will block efforts to connect with websites of security firms such as Trend Micro or Symantec where there are online tools for removing the virus.

New Service Provides Malware, Virus Protection for Websites

2009-08-16T19:34:00.000+07:00

ChattahBox)—Websites are forced to navigate an ever-increasing battlefield of unseen enemies, namely damaging malware, botnets, trojans and viruses that have the potential to land websites on malware blacklists.

Website owners finding themselves victims of malware attacks oftentimes receive a further hit, resulting in loss of reputation and business when the sites become blacklisted and are labeled as unsafe.

A new malware monitoring service, created by two former Google workers, named Dasient offers website owners a way to protect their sites from attack and landing on blacklists.

Co-founders Neil Daswani and Shariq Rizvi both come from years of working in the trenches at Google defending the company’s networks against malware and click fraud.

Daswani and Rizvi believe the time is ripe for a malware service like theirs, as cyber attacks become more sophisticated, leaving most website owners ill equipped to deal with the problems. Some of the more recent attacks against browsers and Web applications, include the use of SQL injections and cross-site scripting that lead to drive-by downloads

A new worm, named Gumblar that is believed to be more damaging than Conficker, steals FTP credentials so attackers can compromise Web sites.

The new Dasient service is set to launch a public beta version of its free blacklist alert service and fee-based monitoring service, which would start at a fee of at $50 a month.

The free service will identify the parts of a site that are infected with malware, identify the suspect code and recommend actions to take. The fee-based service will automatically quarantines the malicious code, while still allowing the site, and even the hosting page to remain accessible.

Macro Virus

2009-08-14T20:13:00.001+07:00

A macro virus is a computer infection written in macro language, which is commonly built into word processing applications. In general, macros is a series of commands and executions that help automate specific tasks. Regardless of how they are created, they must be executed by a system able to interpret stored commands. Some macro systems are actually self-contained utilities while others are built into more advanced applications that allow users to easily repeat a sequence of commands or enable a programmer to customize the application to suite the user's needs.

What has made some programs vulnerable to the macro virus is a feature that allows macros to be stored in the documents that are edited, processed and saved by the application. This means that a virus can be easily attached to a document without the user's knowledge and executed upon opening the file. This provides a mechanism that enables the infection to spread throughout the system.

How it Functions

A macro virus may be distributed via email, floppy disk, network sharing, a modem and compromised sites on the internet. Since most macros automatically start when a documented is opened and closed, a macros virus seeks to replace the original with it's malicious code. From their, the infection tags the replacement code with the same name and functions when the command is executed which happens when a user accesses the file.

Once opened, the macro virus begins to embed itself within other documents and templates. It also makes preparations to infect any files that will eventually be created. Depending on what resources it is able to access, a macro virus can damage other areas of the operating system. This occurs as the infected documents are shared amongst other users and devices.

One of the most popular variations of this infection is the Melissa Virus, first detected in 1999. It spread via email attachment and infected any recipient who opened it. This virus manipulated the victim's address book and distributed itself to numerous email contacts, enabling it to replicate at an alarming rate.

A macro virus has the ability to infect nearly any system running word processing software. This is because it seeks to corrupt that application opposed to the operating system. The virus has been known to attack computers running Mac OS X, Windows and other platforms that are compatible with Microsoft Word.

Prevention

Because of the wide spread of macro viruses, it is important to remain cautious of the emails you receive. Many of the messages waiting in your inbox are attached with financial scams and malicious programs. By downloading an attachment from these unsolicited messages, a macro virus can be easily installed onto your computer, and from there, the madness begins.

The best defense against a macro virus is a reliable anti-virus program. A good scanner will check every file and directory in your system and even scan emails and attachments before you even open them. This small step is one that can save you a lot of time, money and the frustrations associated with internet threats.

Macro Virus Protection in the Microsoft Office Line

2009-08-14T20:03:00.000+07:00

The Microsoft Office programs are the most well known and widely-used programs in the world. They are also the most vulnerable targets for macro virus infection. One could easily blame Microsoft for not doing anything to prevent the virus threat; however, to do so would be to overlook the efforts that the software giant has made to diminish these threats. This is the first of two articles that will review some of the macro viruses that have targeted MS Office products. This series will also analyze some of the efforts made by Microsoft to contain the macro virus situation and attempt to point out what they did right and what they did wrong. This article will look at some of the earlier Microsoft products, such as Word 2.0, Word 97, Office 97 and Office 97 Service Release 1.

Word 2.0

The first Microsoft Office product that was sophisticated enough for macro virus creation was Word 2.0, which came with the first version of WordBASIC. Fortunately, virus writers did not realize this potential until the appearance of the first Word 6 macro viruses in 1995. Then a couple of Word 2 proof-of-concept viruses, Polite and WiederOffnen were written; however, by then Word 2 was going obsolete, so these viruses went mostly unnoticed.

In the summer of 1995, Concept started its spread all over the world, changing the game once and for all. As Microsoft had an undisputable role in the spread of this particular virus, they soon (i.e. within a year) came up with solutions. First they issued the infamous ScanProt macro virus protection utility macros (there were at least 4 versions of them.) They shouldn't have - these utilities provided protection only against Concept, ignoring the fact that by then there were about a dozen of Word macro viruses back then. In fact, this protection macro created a dangerous false sense of security: users thought that using ScanProt would protect them from all macro viruses, while it was only effective against Concept (although, in all fairness to Microsoft, this particular virus was the most widespread back then.)

Users who tried to install SCANPROT to protect themselves at the first sign of macro virus infection overlooked this fact. This action usually did not affect the virus, except that some of its macros may have been overwritten by SCANPROT's AutoOpen or AutoClose macro. The result was that some viruses, such as Colors and Muck, remained viable even with some of their macros being overwritten by SCANPROT. This mating effect resulted in dozens of new virus variants.

MS Word 7.0a

Realizing the serious threat that macro viruses posed, Microsoft released a patched version Word 7.0a relatively quickly (although they never cared to update Word 6.0.) This version included a macro virus warning box (shown below). The only problem is that, contrary to what the message box stated, it was not a macro virus warning box, it was not even a macro warning box; rather, it was a customization warning box. In fact, there were several problems with this implementation:

The user was warned even if the opened document contained only personalized menu items or command bar buttons. The reason for this is not clear; however, the fact that the macros, command bar and menu bar customizations are stored together in the same structure within the Word document, could point out to laziness in coding and design.

The warning came up even if the document contained innocent macro programs. Several companies used utility macros to improve productivity, as these macros also fired the warning, the users soon became annoyed and disabled the warning.

It was possible to turn off this warning feature outside Word, by simply changing the value of a single registry key.

        Figure one: the Microsoft Macro Virus Warning Box

MS Office 97

Except for one "leftover", the original release of Office 97 didn't provide additional protection measures against macro viruses. The "leftover" came out accidentally, when some of the virus scanners found WWINTL32.DLL, part of the standard Office 97 installation, infected with macro virus - which is clearly a nonsense. So what happened? The transition from Word 7.0 to Word 97 was a huge step as far as macro programming was concerned. The WordBASIC interpreter, used in the older version was replaced with VBA, which was already in use in Excel 5, in order to establish a unified macro development environment in all Office applications.

With this development, the entire development environment, including the macro code storage mechanism and the programming language itself, changed. In order to provide some compatibility for the WordBASIC macro utilities, Word 97 introduced internal macro conversion that converted the WordBASIC code to VBA code. This was a great opportunity to prevent Word 6 viruses from upconversion. Otherwise Word itself would have just generated new virus variants. So Microsoft built in a simple filter that tried to determine whether the macro to be converted belonged to a virus or not. If the macro was found to belong to a known virus, it was removed from the upconverted document without any warning or information.

Unfortunately, there were several shortcomings of this method, including:

It used simple pattern matching signature scanning;

It worked only on a per-macro basis. As a result, from an upconverted Concept sample the AutoOpen, AAAZAO and AAAZFS macros were removed, while the Payload macro was upconverted happily;

It only provided detection for only a limited number of viruses (the static database linked into a DLL provided no possibility for further updates); and,

The virus signatures were stored in unencrypted format. As a result, some scanners, which were not careful enough to search for macro signatures only in places where they could normally occur, could pick up these signatures and raise false virus alerts.

Nevertheless, this was good enough to prevent the vast majority of existing Word 6 viruses to spread under Word 97. Well, almost. It turned out that at the very early beta versions this upcoversion virus check was not implemented, so a couple of popular Word 6 viruses could upconvert after all. All in all these did not make much impact.

There was another change in Office 97 that, as a side effect, prevented Word 6 viruses that use execute-only (encrypted macro) from spreading. Word 6/7 provided a (very, very weak) macro-level protection in the form of execute-only macros. In Office 97, only the entire project could be protected with a password. What should happen, when someone wants to copy macros from a protected project to an unprotected project? (This is exactly the case when a virus with protected macros attempts to copy macros to the unprotected global template.) Either the protected project should be converted to unprotected, in which case VBA developers will lose protection on their copyrighted utility products, or the global template should be converted to protected, in which case users will be angry for not being able to modify their macros. The solution is very simple. It is not possible to copy macros from a protected project. Therefore, even if a Word 6 virus using execute-only macros was upconverted to a Word 97 virus, it would have a protected VBA project, and it wouldn't be able to infect further documents.

MS Office 97 Service Release 1

An unheralded improvement came with Service Release 1, which indicated a major change in Microsoft's attitude. Instead of external patches and blocks, they went to the heart of the problem: the VBA object model itself.

Before procedure further, let me clarify what VBA is. It consists of at least the following major components:

Programming language and development environment

Several automation objects and framework for processing application events

Storage mechanism for VBA code

It is important to state that VBA itself provides the VBIDE object model, which contains the infamous VBProject object with several methods for injecting code into macro storages. It is not implemented in the VBA licensee application; it is an intrinsic VBA feature. However, it can be optionally hidden from Automation. This is the key factor in an application's susceptibility to macro viruses. If a VBA application exposes this interface then it is an easy target for macro viruses. If hides it, then it is safe. Currently only WordPerfect chose to be on the safe side, which is reflected in the number of known WordPerfect VBA macro viruses. Others are all potentially vulnerable: MSOffice, Visio and AutoCAD 2000 have already been infected.

VBA makes it easy and comfortable for applications to define application and document level events that can be handled in the macro. As these events are defined, driven by practical reasons (e.g. it is reasonable to implement an action hook when the current document is closed), most of them are implemented in each VBA licensee application although the actual names could be somewhat different. These events allow VBA viruses to activate on specific actions, e.g. when the application is closed (Application_Quit) or the document containing the VBA code is being closed (Document_BeforeClose). It is important to understand that the application object model and the VBE object model are two separate object models.

The VBE object model provides several methods for manipulating VBA code. Office 97 SR-1 disabled only one of these methods, the use of the OrganizerCopy and the WORDBASIC.MacroCopy (which was the upconverted version of WordBASIC's MacroCopy) method to copy macrocode from the normal template into the active document. The opposite way was left open, so that the self-installing utility macros would still work after this security improvement. Up to that point all of the known Office 97 macro viruses used the OrganizerCopy method to spread, so this limitation effectively stopped them. These old-style viruses were able to infect the global template. They could even execute any destructive or annoying payload they had, but they could not infect further documents. Only the following error message was displayed (not showing any sign that a virus was acting).

This solution was better than the previous ones for several reasons:

It prevented viruses and only viruses from running. Self-installing utility macros kept working with this patch installed, while viruses were effectively stopped

It was not possible to switch it off.

It restricts the vulnerable VBA object model, and nothing else

However, it did not stop the virus writers, who soon found alternative methods to insert virus code into VBA projects. As effective as it was, the restriction introduced in SR1 was not an ultimate solution. For some reason, it still allowed a couple other methods for manipulating VB project code, including importing text files or test strings into a module. Both tricks were soon discovered and intensively employed by virus writers in WM97.Strangedays or members of the WM97.Class family.

In the Next Installment?

This concludes our look at the macro viruses that affected earlier Microsoft Word and Office products. In the next installment of this series, we will examine MS Office 2000, the new version of Microsoft Office, codenamed Office XP, and Outlook.

To read Macro Virus Protection in the Microsoft Office Line, Part Two, click here.

What is MACRO Virus

2009-08-14T19:59:00.000+07:00

A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus virus.

Removal Tools

2009-08-13T14:10:00.000+07:00

Malicious Code has become increasingly complex and infections involve more system elements than ever before. Symantec Security Response has developed tools to automatically conduct what would often amount to extensive and tedious manual removal tasks. If your system has become infected, the tools listed below should aid you in repairing the damage.

Symantec now offers a Spyware & Virus Removal service. Sit back and watch while a Symantec expert scans and clears your PC of spyware and viruses. This is a fee based service.

Date	Name
04/16/09	Symantec Trojan.Ransomlock Key Generator Tool
04/15/09	Trojan.Initbar Removal Tool
03/24/09	Trojan.Xrupter Removal Tool
02/20/09	W32.Virut Removal Tool
02/01/09	Trojan.Bankpatch Removal Tool
01/13/09	W32.Downadup Removal Tool
07/22/08	Trojan.Brisv.A!inf Removal Tool
01/11/07	Backdoor.Haxdoor.S/Trojan.Schoeberl.E Removal Tool
01/04/07	W32.Spybot.ANDM Removal Tool
11/29/06	W32.Spybot.ACYR Removal Tool
10/19/06	W32.Rajump Removal Tool
10/17/06	W32.Pasobir Removal Tool
10/04/06	Symantec Support Tool ActiveX Control Cleanup Tool
09/23/06	Trojan.Linkoptimizer Removal Tool
09/14/06	W32.Bacalid Removal Tool
03/23/06	W32.Antinny Removal Tool
03/23/06	Trojan.Abwiz Removal Tool
03/23/06	Trojan.Exponny Removal Tool
03/23/06	Trojan.Sientok Removal Tool
03/17/06	W32.Davs Removal Tool
02/02/06	W32.Kiman Removal Tool
01/17/06	W32.Blackmal@mm Removal Tool
12/02/05	W32.Secefa Removal Tool
11/10/05	Backdoor.Ryknos Removal Tool
11/03/05	Trojan.Lodear Removal Tool
10/20/05	Symantec Mobile Threats Removal Tool
09/22/05	W32.Pexmor@mm Removal Tool
08/29/05	W32.Bobax@mm Removal Tool
08/17/05	W32.Esbot Removal Tool
08/15/05	W32.Zotob Removal Tool
07/19/05	W32.Reatle@mm Removal Tool
05/16/05	Trojan.Jasbom Removal Tool
04/29/05	Trojan.Vundo.B Removal Tool
04/13/05	W32.Mytob.AR@mm Removal Tool
03/18/05	W32.Serflog Removal Tool
03/08/05	W32.Kelvir Removal Tool
03/07/05	W32.Serflog.A Removal Tool
02/28/05	W32.Mytob@mm Removal Tool
02/03/05	W32.Bropia Removal Tool
12/17/04	W32.Envid@mm Removal Tool
11/22/04	Trojan.Vundo Removal Tool
11/17/04	W32.Bofra@mm Removal Tool
10/04/04	Adware.JustFindIt Removal Tool
08/10/04	Backdoor.Agent.B Removal Tool
08/04/04	W32.Evaman.C Removal Tool
06/14/04	W32.Erkez.B@mm Removal Tool
06/02/04	W32.Korgo Removal Tool
05/20/04	W32.Donk.Q Removal Tool
05/06/04	Tool to reset shell\open\command registry keys
05/01/04	W32.Sasser Removal Tool
04/21/04	W32.Opasa@mm Removal Tool
04/20/04	W32.Erkez@mm Removal Tool
04/07/04	W32.Blackmal.B@mm Removal Tool
04/02/04	W32.Gaobot.UJ Removal Tool
03/14/04	W32.Beagle.MO@mm Removal Tool
02/18/04	W32.Netsky@mm Removal Tool
01/30/04	W32.HLLW.Anig Removal Tool
01/27/04	W32.Mydoom@mm Removal Tool
01/19/04	W32.Beagle@mm Removal Tool
01/13/04	W32.Gaobot Removal Tool
10/29/03	W32.Sober Removal Tool
10/03/03	Trojan.Qhosts Removal Tool
09/19/03	W32.Swen.A@mm Removal Tool
08/19/03	W32.Sobig.F@mm Removal Tool
08/19/03	W32.Dumaru Removal Tool
08/18/03	W32.Welchia.Worm Removal Tool
08/11/03	W32.Blaster.Worm Removal Tool
08/08/03	Backdoor.Winshell.50 Removal Tool
08/01/03	W32.Mimail Removal Tool
06/27/03	W32.Mumu.B.Worm Removal Tool
06/25/03	W32.Sobig.E@mm Removal Tool
06/16/03	W32.ExploreZip.Worm Removal Tool
06/06/03	W32.Femot.Worm Removal Tool
06/05/03	W32.Bugbear.B@mm Removal Tool
06/04/03	Bat.Mumu.A.Worm Removal Tool
06/01/03	W32.Sobig.C Removal Tool
05/18/03	W32.Sobig.B Removal Tool
05/12/03	W32.HLLW.Fizzer Removal Tool
04/14/03	W32.HLLW.Nebiwo Removal Tool
02/24/03	W32.HLLW.Lovgate Removal Tool
01/25/03	W32.SQLExp.Worm Removal Tool
01/14/03	W32.Sobig.A@mm Removal Tool
01/09/03	W32.Lirva Removal Tool
11/25/02	W32.HLLW.Winevar/W32.Funlove.4099 Removal Tool
11/15/02	W32.Brid.A@mm/W32.Funlove.4099 Removal Tool
10/01/02	W32.Bugbear@mm Removal Tool
09/30/02	W32.Opaserv.Worm Removal Tool
08/01/02	W32.Magistr Removal Tool
07/16/02	W32.Frethem Removal Tool
07/03/02	W32.Yaha Removal Tool
05/10/02	Backdoor.Autoupder Removal Tool
04/18/02	W32.Klez Removal Tool
04/15/02	W2k.Stream Removal Tool
04/15/02	Wscript.Kakworm Removal Tool
04/01/02	W32.Gibe@mm Removal Tool
03/28/02	W32.Mylife Removal Tool
12/04/01	W32.Goner.A@mm Removal Tool
11/28/01	W32.Badtrans.B@mm Removal Tool
10/30/01	W32.Nimda.E@mm Removal Tool
09/19/01	W32.Nimda.A@mm Removal Tool
08/09/01	CodeRed Removal Tool
07/31/01	VBS.Potok@mm Removal Tool
07/20/01	W32.Sircam.Worm@mm Removal Tool
07/16/01	VBS.Haptime Removal Tool
03/09/01	DOS FunLove.4099 Fix Tool
02/20/01	W32 HybrisF Fix Tool
01/11/01	W95.CIH Removal Tool
01/06/01	W95.HybrisF Fix Tool
12/22/00	Fix W32.Funlove.4099 Tool (Cleanflc.exe)
12/22/00	VBS.Stages.A Fix
12/22/00	VBS.LoveLetter Fix
12/22/00	PrettyPark.Worm Removal Tool
12/21/00	Happy99.Worm Removal Tool
12/21/00	W32.Navidad Fix
12/20/00	W32.Kriz Removal Tool
12/20/00	Kak.Worm.B Fix
12/20/00	W32.HLLW.QAZ.A Fix
12/19/00	BuddyList Removal Tool
12/15/00	W95.MTX Fix Tool

Norton AntiVirus 2003 Stay Lightweight For Regular Computer

2009-08-13T14:03:00.000+07:00

Every 1 unit of computer programs have certain common or are in the computer, the Office is always there, a music player such as WinAmp, WinZip, Image Viewer such as ACDSee, and others. Perhaps one of the AntiVirus is always to keep the computer from the day the virus was increasing. AntiVirus is important, therefore, on every computer must have at least one AntiVirus program, for example, Norton AntiVirus 2003. Kanapa I profilkan Norton AntiVirus 2003? AntiVirus 2003 specification for light than the usual computer-usual course, the program can automatically identify the virus, when the UFD (USB Flash Disk) or floppy disks, CD-R is input into the computer. Same as how the latest version of Norton AntiVirus can detect the latest viruses, as long as your routine to update the address http://www.symantec.com/. Run automatically or can I get LiveUpdate.Biasanya update it from the cafe where I play, I take it, so no need to download, lumayan sparingly for money. I really had to install Norton AntiVirus version 2004 and 2005, but very slow on my computer, so I still use Norton AntiVirus 2003, which remains light at low-specification computers. That we are always sure to update virus definition terbaru.Sering time you can not remove the new virus even if you have to update the latest virus definitions, most of the viruses that made the country or local children. Most you have to wait several days or weeks to be able to remove the virus locally. AntiVirus usually a fast response when the virus is a new local Norman AntiVirus, but I do not like to use it because its use is less, meaning no amenities as well as Norton AntiVirus, although the number of additional ringan.Untuk virus from the date of 21 October 2004 to 6 november 2005 a number of 1030 virus, including viruses that attack SymbianOS Handphone such as Cabir, Commwarior. Remember the virus is always mengincar your computer. Therefore, the required computer in AntiVirus definitions update Anda.SaranSelalu latest week once every 1 or 2 weeks or once a maximum of 1 months. To keep your computer protected from the virus can membandel.Kelebihan: It can automatically detect the many facilities that membantu.Kekurangan: To update the virus definitions like the latest local late.

Tips Ringan Melindungi Komputer dari Virus

2009-08-13T13:58:00.000+07:00

You often use computers to surf in the virtual world (aka the Internet)? Well of course your computer is vulnerable from a virus, because the virus can come without invite, bisanya free ngerusak file only (the name is also bound virus ngerusak ya ... haha). To protect your computer from viruses, you can use a reliable anti-virus, (which of course is up to date) because if its not antivirus up to date anti-virus so it can not work with the maximum and not able to detect the virus with a new variannya, as was also you also use a firewall such as zone alarm and lain2 defense to improve your computer. If the above software you have installed does not have one you also protect the computer from the virus in a way hide file2. Exe is usually included in the system. Well There is the step of step file2. Exe is in the computer for you, directly aja ya:

First you open the start and select search

New windows appear after you select all files and folder and type *. exe under c directory you select and click search

Ago the results found after block all the file and right click select properties Select

Check the hidden options and select ok (this function to hide the file berextensi. Exe)
Then open windows explorer in the tools menu select folder options select view hidden files ago on the folder and select a check or do not show hidden files and folder (not its function to show files that dihidden) after that click ok

Now with the above virus difficult to damage the system on the computer for you, return it again to select show hidden files and folders on the tools (in windows explorer).

Security 101: Look back to advance

2009-08-12T19:31:00.001+07:00

The security landscape may be rapidly evolving, but the clue to standing a better chance in the fight against threats could be in looking back, not forward.

Chia Wing Fei, F-Secure's senior security response manager, pointed out in an e-mail interview, today's threats ring of themes such as stealth, sophistication and financial gain.

Eric Chong, regional marketing director at Trend Micro, said in an e-mail that cybercriminals have evolved their modus operandi not only in coming up with variants to penetrate existing security measures, but also by mirroring attacks "with the way users think about and use technology in day to day communication". For instance, attacks around a decade ago were via e-mail attachments; today, attackers have moved to shared devices and social networking platforms on the Web.

Yet, according to Paul Ducklin, Asia-Pacific head of technology at Sophos, "modern cybercriminals aren't as novel and inventive as we sometimes credit them with being".

People, he noted in an e-mail, fail to learn from the past and end up falling victim to newer threats. "Modern threats like Conficker succeed by exploiting the same sort of holes, for example unpatched computers and poor passwords, as the earliest network malware," he pointed out.

Alwin Ow, Symantec's senior director of systems engineering in Asia-Pacific and Japan, concurred. "So far this year, Symantec has observed that older attack techniques have resurfaced and are part of the methods used in several recent and highly publicized threats such as Koobface, Conficker and Trojan.Dozer."

In an attempt to get a better hold of current and potential attacks, ZDNet Asia finds out from Trend Micro five cyberthreats perceived to be the most dangerous in the last decade, and why.

1. Conficker or Downadup
Termed as Downad by Trend Micro, the first variant of the worm appeared in November 2008, targeting the MS08-067 vulnerability. It spawned several other variants, with each new one an improvement over the last. New propagation avenues were added, including USB drives. The worm has successfully generated 50,000 domains, of which it has connected to 500, noted Chong.

Symantec's Ow added however, the first Conficker variant did not quite achieve the level of disruption it was capable of. The estimated infection was 500,000 "due to an aggressive infection routine and a sophisticated exploitation algorithm, which makes use of geolocation and OS fingerprinting", he explained.

2. Koobface
The Koobface worm first appeared in August 2008, targeting social networking sites such as Facebook by infecting user profiles. Koobface possessed a dynamic update capability, allowing it to spread to other social networking sites and perform more malicious routines.

3. Zbot
The Trojan variants infect machines via e-mail or Web exploits. Underground research and documented cases reveal Zbot to be a thriving business where infected computers give up their owners' personal information--including credit card data--to remote servers run by cybercriminals.

Zbot variants are especially damaging due to their ever-changing social engineering techniques, according to Trend Micro.

4. Slammer
The worm is notorious for drastically slowing down general Internet traffic in 2003 despite being a solitary packet worm in memory, attacking without a file system component. It exploits a patched buffer overflow bug in MS SQL Server and Desktop Engine, and its trickling effects are still observed in current times.

5. I Love You
The Loveletter virus, also known as Love Bug, plagued inboxes in 2000 and infected some 10 percent of computers worldwide, with each system harboring an average of 600 infected files. It had a destructive payload, overwriting files with multimedia file extensions.

Anti-Virus Firms Investigating Sexy-View Smartphone Worm

2009-08-12T19:30:00.001+07:00

In yet another example of how mobile malware is gaining momentum, a new variant of the Wily worm is making the rounds. It's spreading through text messages and researchers warn it may be a smartphone botnet in the making.

The attack spreads by appearing as a legit Symbian phone application, only users get dialed into a Trojan that pilfers subscriber, phone, and network information, and transmits that data to a Website. And, in keeping with the tradition of old-school mass-mailer Outlook worms, it spams SMS messages to the contact's in the user's phone. Nice.

And this bugger appears to be a signed app, so users are much more likely to get infected with only once click needed to authorize installation. And, as Gartner security analyst John Pescatore points out today in his post Myth of The Responsible User, we can't really rely on users to always do the right thing.

It seems this "Sexy View/Sexy Space" does something of an update, or attempts to update, upon network connection. And it's that characteristic that has researchers thinking it may be a botnet.

From today's Dark Reading:

The so-called Sexy View/Sexy Space malware has researchers split over whether to officially call it a botnet. While Trend Micro says it's indeed a smartphone botnet, F-Secure is less convinced. "It's almost a stretch to call it a botnet, or at least a botnet in the sense that we normally think of them," says Patrik Runald, chief security advisor for F-Secure, which reported the first version of the worm to Symbian in February.
While the worm is able to update the SMS template it uses while spreading, it doesn't have other bot features, he says. "When we think of botnets, we think of a malicious program that calls home for further instructions," such as updating malware, attacking a Website, sending email, or installing an application, he says. "Sexy View does one of those features, which is the ability to update the SMS template it uses when spreading...But Sexy View doesn't have any of the other features we normally take for granted in a bot. So although it can be called a botnet, it's a very simple one with very limited, for now at least, functionality."

If you combine the capability of a worm like this with comprimised, and widely followed Twitter or Facebook accounts, we're off to the races.

I mean, really, who can refuse a Sexy View?

If you'd like to follow my mobile security and technology observations, you can find me (malware-free) on Twitter.

Conficker Worm Support Desk is Available 24/7 via Toll-free Number 1-800 237-3901

2009-08-12T19:28:00.000+07:00

August 11, 2009 ( PowerHomeBiz.com ) - iYogi, a global direct to consumer and small business remote Best Computer Technical Support technical support provider has setup a dedicated support desk for securing and protecting consumers against the Conficker (Conficker.c) worm also known as Downadup or April Fools Worm. This fast spreading computer worm has already said to have impacted millions of computers, and expected to spread more aggressively in the coming days.

iYogi's dedicated support desk has proactively reached its existing base of 65,000 subscribers and helping other individuals and small businesses that have been infected or would like to take the precaution to protect themselves.

iYogi's security experts can be reached instantly via Toll Free Number 1-800-237-3901 to sign-up for a subscription service that provides unlimited access to technical support and virus removal, Virus and Spyware spyware removal along with a free, anti-virus and anti-spyware software to protect, secure and manage the computer and all connected devices.

As the industry braces for the impact of the worm on April 1st, our Microsoft Certified experts will help diagnose if your machine is infected, update settings and definitions for your security software and install Windows Operating System update to reduce the threat from the Conficker worm. Our computer support service includes a free subscription to anti-virus and anti-spyware software, in the scenario where the customer does not have a subscription said Vishal Dhar, President Marketing for iYogi.

Conficker worm is said to take advantage of the vulnerabilities in the Windows Operating System environment and embeds itself into the computer and spreads across the network. The worm restricts the computer from accessing security updates and believed to have the capability to destroy and steal data. Experts claim that the worm can also download additional code onto a machine that is infected and is continuously evolving into variations, thereby making attempts to fix it through automation more difficult.

Potential indicators that Conficker Worm may have infected your PC includes restricted access to Microsoft.com and websites of security vendors like Symantec, McAfee, etc. and prevents the user from shutting down their machines.

About iYogi

iYogi delivers live, comprehensive, 24/7 technical support services directly to consumers and small businesses and is the first, global, technical support brand based out of India. Providing an annual unlimited subscription to technical support, iYogi now boasts of more than 65,000 customers. The company employs 600 professionals servicing customers in the U.S., U.K., Canada, Australia and fast expanding to 12 new geographies across the globe.

iYogi's resolution rate of 87 percent and customer satisfaction rate of 95 % are amongst the highest published benchmarks in the industry.

For further information, please visit - http://www.iyogi.net

Smart Meter Worm Could Spread Like A Virus

2009-08-11T21:07:00.001+07:00

For a utility that’s in the process of installing smart meters, there are probably few things more terrifying than the simulation of a smart meter worm that IOActive’s Mike Davis showed off at the annual security conference Black Hat on Thursday. During Davis’ presentation, he showed how he and his team at the security consulting firm created a simulation in which over a period of 24 hours about 15,000 out of 22,000 homes had their smart meters taken over by a worm that could render the device under the control of the worm’s designers.

Davis showed off a time-condensed version of the simulation using an overlay on Google Earth. At the beginning of the simulation there were 22,000 green pins on the image of the satellite map to signify actual plotted address in a metropolitan area; after the introduction of the smart meter worm, the majority of the pins quickly turned a shade of red, rapidly spreading from the point where the worm was introduced. The image was reminiscent of the introduction of infectious diseases and Davis said in a real world scenario the rate of the spread of the worm could be slower or faster considering a variety of technical conditions.

Davis said the reason that the he could so easily hack and spread the worm in the simulation was because there was a fundamental design flaw in the specific meter model itself, though Davis wouldn’t name any individual manufacturers. Among other things, the meter he took over didn’t have the proper data encryption and didn’t know the difference between the meter next to it in the network or a device that was intended to wirelessly upgrade its software. “The guys that built this meter had a short term view of how it would work,” Davis said.

The manufacturer used in the simulation didn’t take kindly to being told their security wasn’t up to snuff. Davis explained to the audience how when he told the manufacturer about the capabilities of the worm simulation, the first response from the meter maker was: “that’s impossible, our meters can’t spread something like that.” When Davis told them he had personally done this in his company’s security lab, the next response from the meter maker was: “how can you even access our meters,” to which Davis says he explained he bought it on eBay.

Given Davis’ research has already gotten a lot of press (and negative reactions from some in the utility and energy industry) over the past month, Davis was cautious during his presentation. Over the past couple of months he seemed to have gone through a range of emotions, from the hacker-style joy of successfully being able to take over a system (he showed a photo of him and a colleague drinking champagne at 4AM the morning he “pwned” the meter) to an admitted sensitivity over wanting to explain to the utility and energy industry that the point of his exercise was to get them to take security seriously and patch the vulnerabilities. “Nobody [in that industry] likes me,” he said at one point in response to a question about whether or not he would do more research on parts of the smart grid network that were more under control of the utilities.

But while the specific meter company didn’t respond well to Davis’ simulation, there are greater lessons for the industry. Davis explained in his presentation that once a worm started to spread in the manner of his simulation, “it’s hard to see how a vendor could react quickly enough.” The only effective response he could think of he said, was to have a kill switch that would just shut down the meter, to stop the spread. Members of the utility industry seemed to agree and queried Davis after his talk about their company’s own experiences with meter security. In addition meters should be designed to be recoverable from such an attack, and be as secure as the mechanical meters of the first generation of dumb meters, Davis said.

Davis was also concerned with what someone could do with a large amount of meters under their control and reminded the audience that he didn’t research how the worm could be used as a weapon. After the presentation members of the audience discussed how turning on and off a large amount of meters — say, 50,000 meters and 3 MW worth of electricity — could cause problems for the stability of that section of the grid.

At the end of the day the allocation of the smart grid stimulus funds has caused a rush to roll out smart meters and Davis is concerned that the speed in deployment could cause companies to be neglectful of proper security. There’s an attitude of “we’ll fix this later,” he explained. But as Davis’ worm simulation showed: no company wants the attention and financial and reputation problems, of a meter security incident.

W32/Lovsan.worm.a

2009-08-11T21:03:00.001+07:00

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

Lovesan

Lovsan.H (F-Secure)

msblast.exe

tftp

W32.Blaster.Worm (Symantec)

W32/Blaster.worm.a

W32/Blaster.worm.gen

W32/Blaster.worm.k

W32/Lovsan.worm

W32/Lovsan.worm.gen

Win32.Poza (CA)

Worm/Lovsan.G (Central Command)

WORM_MSBLAST.A (Trend)

WORM_MSBLAST.H (Trend)

Characteristics

Characteristics -

-- Update 21 April 2004 --
A new variant was discovered and was proactively detected as Exploit-DcomRpc with the 4289 DAT files when scanning compressed executables (default setting)

eschlp.exe (66,048 bytes)

Detection for this variant as W32/Blaster.worm.k had been added to 4352 DATs and above. It propagates in the same way as previous variants. A backdoor dropped by this variant was detected as W32/Blaster.worm!backdoor using the 4352 DATs and above.

-- Update 11 March 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update 25 August 2003 --
The risk assessment of this threat was lowered to Medium due to a decrease in prevalence.

-- Update 15 August 2003 --
Microsoft has removed the DNS entry for windowsupdate.com to prevent the Denial of Service attack against this domain. This does not prevent users from using Windows Update to patch their systems, as this is not the address used when clicking on the Windows Update link.

-- Update 13 August 2003 --
Two new variants were discovered and are detected exactly with the 4285 DAT files.

teekids.exe (5,360 bytes) [detected as W32/Lovsan.worm.b]
penis32.exe (7,200 bytes) [detected as Exploit-DcomRpc]

These are functionally similar to the original W32/Lovsan.worm.
--

This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to downloads the worm from the infected host system [TFTP UDP port 69].

Once run, the worm creates the registry key (may be either of the following):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

This will appear in regedit as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "windows auto update" = msblast.exe

Although Win9x/ME/NT/2K/XP can carry the virus. Automatic execution and infection only occurs on Win2K/XP.

Symptoms

Symptoms -

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown

Method of Infection

Method of Infection -

This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.

When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause the buffer overflow. The code execution path after a buffer overflow is specific to files and their locations in memory on a target machine.

Normally that means that an exploit would only target a single OS - for example, Windows XP or Windows 2000, as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn - if it "guesses" correctly then it will infect your machine, if it "guesses" incorrectly then it will crash your machine!

The author didn't code anything for Windows NT 4, so therefore it will only crash this platform!

The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted.

This payload involves sending 40 byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random local CLASS B IP.

Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.

However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.

Other symptoms may include:

inability to cut/paste
inability to move icons
Add/Remove Programs list empty
dll errors in most Microsoft Office programs
generally slow, or unresponsive system performance

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pick up msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all.

Removal -

Microsoft Patches
It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).

What You Should Know About the Blaster Worm

Virus Removal :
Use the curent DAT file for detection an removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stand alone remover
Stinger has been updated to include detection/removal of this threat.

Sniffer Customers: A new filter has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Apply the MS03-039 patch (includes MS03-026 patch)
Terminate the process msblast.exe
Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
Edit the registry
- Delete the "windows auto update" value from
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run

Threatscan users
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus.This signature is available for ThreatScan v2.0, v2.1, and v2.5.

To update your ThreatScan installations with the latest signatures perform the following tasks:

From within ePO open the “Policies” tab.
Select “McAfee ThreatScan” and then select “Scan Options”
In the pane below click the “Launch AutoUpdater” button.
Using the default settings proceed through the dialogs that appear. Upon successful completion of the update a message will appear stating that; update 2003-08-12 has completed successfully.
From within ePO create a new “AutoUpdate on Agent(s)” task.
Go into the settings for this task and ensure that the host field is set to ftp.nai.com , the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp .Note that “tsc20” in the above path is used for ThreatScan 2.0 and 2.1.The correct path for ThreatScan 2.5 is “tsc25”.
Launch this task against all agent machines.
When the task(s) complete information will be available in the “Task Status Details” report.

To create and execute a new task with the new Hot Fix functionality do the following:

Create a new ThreatScan task.
Edit the settings of this task.
Edit the “Task option”, “Host IP Range” to include all desired machines to scan.
Select the “Remote Infection Detection” category and “Windows Virus Checks” template.
-or-
Select the “Other” category and “Scan All Vulnerabilities” template.
Launch the scan.

Variants

Variants -

W32/Lovsan.worm.g
W32/Lovsan.worm.k

Virus alert about the Win32/Conficker worm

2009-08-11T20:47:00.002+07:00

The information in this Knowledge Base article is intended for business environments that have system administrators who can implement the details in this article. There is no reason to use this article if your antivirus program is cleaning the virus correctly and if your systems are fully updated. To confirm that the system is clean of the Conficker virus, perform a quick scan from the following Web page:

http://safety.live.com (http://safety.live.com)

For detailed information about the Conficker virus, visit the following Microsoft Web page:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker)
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

Account lockout policies are being tripped.
Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
Domain controllers respond slowly to client requests.
The network is congested.
Various security-related Web sites cannot be accessed.
Various security-related tools will not run. For a list of known tools, visit the following Microsoft Web page, and then click the Analysis tab for information about Win32/Conficker.D. For more information, visit the following Microsoft Web page:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D (http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D)

For more information about Win32/Conficker, visit the following Microsoft Malware Protection Center Web page:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker (http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker)
Win32/Conficker has multiple propagation methods. These include the following:

Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)
The use of network shares
The use of AutoPlay functionality

Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been cleaned.

Note The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.

Use strong administrator passwords that are unique for all computers.
Do not log on to computers by using Domain Admin credentials or credentials that have access to all computers.
Make sure all systems have the latest security updates applied.
Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy object" section.
Remove excessive rights to shares. This includes removing write permissions to the root of any share.
Stop Win32/Conficker from spreading by using Group Policy settings
Notes
Important Make sure that you document any current settings before you make any of the changes that are suggested in this article.
This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article
Create a Group Policy object
Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.

To do this, follow these steps:
Set the policy to remove write permissions to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
This prevents the randomly named malware service from being created in the netsvcs registry value.

To do this, follow these steps:
1. Open the Group Policy Management Console (GPMC).
2. Create a new GPO. Give it any name that you want.
3. Open the new GPO, and then move to the following folder:
  Computer Configuration\Windows Settings\Security Settings\Registry
4. Right-click Registry, and then click Add Key.
5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
  Software\Microsoft\Windows NT\CurrentVersion\Svchost
6. Click OK.
7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
8. Click OK.
9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
10. Click OK.
Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following folder:
  Computer Configuration\Windows Settings\Security Settings\File System
2. Right-click File System, and then click Add File.
3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
4. Click OK.
5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
6. Click OK.
7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
8. Click OK.
Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

Note Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:
- To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582 (http://support.microsoft.com/kb/950582) installed (described in security bulletin MS08-038).
- To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582 (http://support.microsoft.com/kb/950582) , update 967715 (http://support.microsoft.com/kb/967715) , or update 953252 (http://support.microsoft.com/kb/953252) installed.
To set AutoPlay (Autorun) features to disabled, follow these steps:
1. In the same GPO that you created earlier, move to one of the following folders:
  - For a Windows Server 2003 domain, move to the following folder:
    Computer Configuration\Administrative Templates\System
  - For a Windows 2008 domain, move to the following folder:
    Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
2. Open the Turn off Autoplay policy.
3. In the Turn off Autoplay dialog box, click Enabled.
4. In the drop-down menu, click All drives.
5. Click OK.
Close the Group Policy Management Console.
Link the newly created GPO to the location that you want it to apply to.
Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment.
After the Group Policy settings have propagated, clean the systems of malware.

To do this, follow these steps:
1. Run full antivirus scans on all computers.
2. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page:
  http://www.microsoft.com/security/malwareremove/default.mspx (http://www.microsoft.com/security/malwareremove/default.mspx)
  Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.
3. Run the Malicious Software Removal tool
  The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.
  
  Note The MSRT does not prevent reinfection because it is not a real-time antivirus program.
  
  You can download the MSRT from either of the following Microsoft Web sites:
  http://www.update.microsoft.com (http://www.update.microsoft.com)
  http://support.microsoft.com/kb/890830 (http://support.microsoft.com/kb/890830)
  
  For more information about specific deployment details for the MSRT, click the following article number to view the article in the Microsoft Knowledge Base:
  891716 (http://support.microsoft.com/kb/891716/ ) Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
  Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support. To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site:
  http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx (http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx)
  If Windows Live OneCare or Microsoft Forefront Client Security is running on the system, these programs also block the threat before it is installed.
4. Manual steps to remove the Win32/Conficker virus
  Notes
5. These manual steps are not required any longer and should only be used if you have no antivirus software to remove the Conficker virus.
6. Depending on the Win32/Conficker variant that the computer is infected with, some of these values referred to in this section may not have been changed by the virus.
The following detailed steps can help you manually remove Conficker from a system:
Log on to the system by using a local account.

Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows for the malware to spread.
Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.

Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.

To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps:
1. Depending on your system, do the following:
  - In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
  - In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
2. Double-click Server.
3. Click Stop.
4. Select Disabled in the Startup type box.
5. Click Apply.
Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
Stop the Task Scheduler service.
- To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
- To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.
  
  Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
  322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
  1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
  3. In the details pane, right-click the Start DWORD entry, and then click Modify.
  4. In the Value data box, type 4, and then click OK.
  5. Exit Registry Editor, and then restart the computer.
    
    Note The Task Scheduler service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on Windows Vista and Windows Server 2008 because this step will affect various built-in Scheduled Tasks. As soon as the environment is cleaned up, re-enable the Server service.
Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.
Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc875814.aspx (http://technet.microsoft.com/en-us/library/cc875814.aspx)
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, right-click the netsvcs entry, and then click Modify.
If the computer is infected with the Win32/Conficker virus, a random service name will be listed.

Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at the bottom, compare your system with the "Services table" in this procedure to determine which service name may have been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not to be infected.

Note the name of the malware service. You will need this information later in this procedure.

Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

Notes about the Services table

All the entries in the Services table are valid entries, except for the items that are highlighted in bold.
The items that are highlighted in bold are examples of what the Win32/Conficker virus may add to the netsvcs value in the SVCHOST registry key.
This may not be a complete list of services, depending on what is installed on the system.
The Services table is from a default installation of Windows.
The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The highlighted, malicious entry that is supposed to resemble the first letter is a lowercase "L." However, it is actually an uppercase "I." Because of the font that is used by the operating system, the uppercase "I" seems to be a lowercase "L."

Services table

Collapse this tableExpand this table

Windows Server 2008	Windows Vista	Windows Server 2003	Windows XP	Windows 2000
AeLookupSvc	AeLookupSvc	AppMgmt	6to4	EventSystem
wercplsupport	wercplsupport	AudioSrv	AppMgmt	Ias
Themes	Themes	Browser	AudioSrv	Iprip
CertPropSvc	CertPropSvc	CryptSvc	Browser	Irmon
SCPolicySvc	SCPolicySvc	DMServer	CryptSvc	Netman
lanmanserver	lanmanserver	EventSystem	DMServer	Nwsapagent
gpsvc	gpsvc	HidServ	DHCP	Rasauto
IKEEXT	IKEEXT	Ias	ERSvc	Iaslogon
AudioSrv	AudioSrv	Iprip	EventSystem	Rasman
FastUserSwitchingCompatibility	FastUserSwitchingCompatibility	Irmon	FastUserSwitchingCompatibility	Remoteaccess
Ias	Ias	LanmanServer	HidServ	SENS
Irmon	Irmon	LanmanWorkstation	Ias	Sharedaccess
Nla	Nla	Messenger	Iprip	Ntmssvc
Ntmssvc	Ntmssvc	Netman	Irmon	wzcsvc
NWCWorkstation	NWCWorkstation	Nla	LanmanServer
Nwsapagent	Nwsapagent	Ntmssvc	LanmanWorkstation
Rasauto	Rasauto	NWCWorkstation	Messenger
Rasman	Rasman	Nwsapagent	Netman
Iaslogon	Iaslogon	Iaslogon	Iaslogon
Remoteaccess	Remoteaccess	Rasauto	Nla
SENS	SENS	Rasman	Ntmssvc
Sharedaccess	Sharedaccess	Remoteaccess	NWCWorkstation
SRService	SRService	Sacsvr	Nwsapagent
Tapisrv	Tapisrv	Schedule	Rasauto
Wmi	Wmi	Seclogon	Rasman
WmdmPmSp	WmdmPmSp	SENS	Remoteaccess
TermService	TermService	Sharedaccess	Schedule
wuauserv	wuauserv	Themes	Seclogon
BITS	BITS	TrkWks	SENS
ShellHWDetection	ShellHWDetection	TrkSvr	Sharedaccess
LogonHours	LogonHours	W32Time	SRService
PCAudit	PCAudit	WZCSVC	Tapisrv
helpsvc	helpsvc	Wmi	Themes
uploadmgr	uploadmgr	WmdmPmSp	TrkWks
iphlpsvc	iphlpsvc	winmgmt	W32Time
seclogon	seclogon	wuauserv	WZCSVC
AppInfo	AppInfo	BITS	Wmi
msiscsi	msiscsi	ShellHWDetection	WmdmPmSp
MMCSS	MMCSS	uploadmgr	winmgmt
browser	ProfSvc	WmdmPmSN	TermService
winmgmt	EapHost	xmlprov	wuauserv
SessionEnv	winmgmt	AeLookupSvc	BITS
ProfSvc	schedule	helpsvc	ShellHWDetection
EapHost	SessionEnv		helpsvc
hkmsvc	browser		xmlprov
schedule	hkmsvc		wscsvc
AppMgmt	AppMgmt		WmdmPmSN
sacsvr			hkmsvc

In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "Iaslogon." Using this information, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
  For example, locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iaslogon
2. Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
3. In the Permissions Entry for SvcHost dialog box, click Advanced.
4. In the Advanced Security Settings dialog box, click to select both of the following check boxes:
  Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
  
  Replace permission entries on all child objects with entries shown here that apply to child objects.
Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll." To do this, follow these steps:
1. Double-click the ServiceDll entry.
2. Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following:
```
 %SystemRoot%\System32\doieuln.dll
```
  Rename the reference to resemble the following:
```
 %SystemRoot%\System32\doieuln.old
```
3. Click OK.
Remove the malware service entry from the Run subkey in the registry.
1. In Registry Editor, locate and then click the following registry subkeys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 12b. Delete the entry.
3. Exit Registry Editor, and then restart the computer.
Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that it is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file.
```
[autorun]

shellexecute=Servers\splash.hta *DVD*

icon=Servers\autorun.ico
```
A valid Autorun.inf is typically 1 to 2 kilobytes (KB).
Delete any Autorun.inf files that do not seem to be valid.
Restart the computer.
Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
Set Show hidden files and folders so that you can see the file. To do this, follow these steps:
1. In step 12b, you noted the path of the referenced .dll file for the malware. For example, you noted a path that resembles the following:
  %systemroot%\System32\doieuln.dll
  In Windows Explorer, open the %systemroot%\System32 directory or the directory that contains the malware.
2. Click Tools, and then click Folder Options.
3. Click the View tab.
4. Select the Show hidden files and folders check box.
5. Click OK.
Select the .dll file.
Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
1. Right-click the .dll file, and then click Properties.
2. Click the Security tab.
3. Click Everyone, and then click to select the Full Control check box in the Allow column.
4. Click OK.
Delete the referenced .dll file for the malware. For example, delete the %systemroot%\System32\doieuln.dll file.
Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC).
Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
1. Depending on your system, install one of the following updates:
  - If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    967715 (http://support.microsoft.com/kb/967715/ ) How to disable the Autorun functionality in Windows
  - If you are running Windows Vista or Windows Server 2008, install security update 950582. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    950582 (http://support.microsoft.com/kb/950582/ ) MS08-038: Vulnerability in Windows Explorer could allow remote code execution
  Note Update 967715 and security update 950582 are not related to this malware issue. These updates must be installed to enable the registry function in step 23b.
2. Type the following command at a command prompt:
  reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the following command at the command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe –hide" /f
For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Autotuning to disabled. To change this setting back, type the following command at a command prompt:
netsh interface tcp set global autotuning=normal

If, after you complete this procedure, the computer seems to be reinfected, either of the following conditions may be true:

One of the autostart locations was not removed. For example, either the AT job was not removed or an Autorun.inf file was not removed.
The security update for MS08-067 was installed incorrectly.

This malware may change other settings that are not addressed in this article. Please visit the following Microsoft Malware Protection Center Web page for the latest details about Win32/Conficker:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker (http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker)

Verify that the system is clean

Verify that the following services are started:

Automatic Updates (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Defender (windefend) (if applicable)
Windows Error Reporting Service

To do this, type the following commands at the command prompt. Press ENTER after each command:

Sc.exe query wuauserv
Sc.exe query bits
Sc.exe query windefend
Sc.exe query ersvc

After each command runs, you will receive a message that resembles the following:

SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

In this example, "STATE : 4 RUNNING" indicates that the service is running.

To verify the status of the SvcHost registry subkey, follow these steps:

In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, double-click netsvcs, and then review the service names that are listed. Scroll down to the bottom of the list. If the computer is reinfected with Conficker, a random service name will be listed. For example, in this procedure, the name of the malware service is "Iaslogon."

If these steps do not resolve the issue, contact your antivirus software vendor. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

49500 (http://support.microsoft.com/kb/49500/ ) List of antivirus software vendors

If you do not have an antivirus software vendor, or your antivirus software vendor cannot help, contact Microsoft Consumer Support Services for more help.

After the environment is fully cleaned

After the environment is fully cleaned, follow these steps:

Re-enable the Server service and the Task Scheduler service.
Restore the default permissions on the SVCHOST registry key and the Tasks folder. This should be reverted to the default settings by using Group Policy settings. If a policy is only removed, the default permissions may not be changed back. See the table of default permissions in the "Mitigation steps" section for more information.
Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager (SCCM), or your third-party update management product. If you use SMS or SCCM, you must first re-enable the Server service. Otherwise, SMS or SCCM may be unable to update the system.
If you have problems identifying systems that are infected with Conficker, the details provided in the following TechNet blog may help:
http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx (http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx)

The following table shows default permissions for each operating system. These permissions are in place before you apply the changes that we recommend in this article. These permissions may differ from the permissions that are set in your environment. Therefore, you must note your settings before you make any changes. You must do this so that you can restore your settings after you clean the system.

Collapse this tableExpand this table

Operating system	Windows Server 2008		Windows Vista		Windows Server 2003		Windows XP		Windows 2000
Setting	Svchost Registry	Tasks Folder	Svchost Registry	Tasks Folder	Svchost Registry	Tasks Folder	Svchost Registry	Tasks Folder	Svchost Registry	Tasks Folder
Account
Administrators (Local Group)	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control
System	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control	Full Control
Power Users (Local Group)	not applicable	not applicable	not applicable	not applicable	Read	not applicable	Read	not applicable	Read	not applicable
Users (Local Group)	Special	not applicable	Special	not applicable	Read	not applicable	Read	not applicable	Read	not applicable
	Apply to: This key and subkeys		Apply to: This key and subkeys
	Query Value		Query Value
	Enumerate Subkeys		Enumerate Subkeys
	Notify		Notify
	Read Control		Read Control
Authenticated Users	not applicable	Special	not applicable	Special	not applicable	not applicable	not applicable	not applicable	not applicable	not applicable
		Apply to: This folder only		Apply to: This folder only
		Traverse Folder		Traverse Folder
		List Folder		List Folder
		Read Attributes		Read Attributes
		Read Extended Attributes		Read Extended Attributes
		Create Files		Create Files
		Read Permissions		Read Permissions
Backup Operators (Local Group)	not applicable	not applicable	not applicable	not applicable	not applicable	Special	not applicable	Special
						Apply to: This folder only		Apply to: This folder only
						Traverse Folder		Traverse Folder
						List Folder		List Folder
						Read Attributes		Read Attributes
						Read Extended Attributes		Read Extended Attributes
						Create Files		Create Files
						Read Permissions		Read Permissions
Everyone	not applicable	not applicable	not applicable	not applicable	not applicable	not applicable	not applicable	not applicable	not applicable	Special
										Apply to: This folder, subfolder and files
										Traverse Folder
										List Folder
										Read Attributes
										Read Extended Attributes
										Create Files
										Create Folders
										Write Attributes
										Write Extended Attributes

APPLIES TO

Windows Server 2008 Datacenter without Hyper-V
Windows Server 2008 Enterprise without Hyper-V
Windows Server 2008 for Itanium-Based Systems
Windows Server 2008 Standard without Hyper-V
Windows Server 2008 Datacenter
Windows Server 2008 Enterprise
Windows Server 2008 Standard
Windows Web Server 2008
Windows Vista Service Pack 1, when used with:

Windows Vista Business
Windows Vista Enterprise
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Starter
Windows Vista Ultimate
Windows Vista Enterprise 64-bit Edition
Windows Vista Home Basic 64-bit Edition
Windows Vista Home Premium 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business 64-bit Edition

Microsoft Windows Server 2003 Service Pack 1, when used with:

Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 2, when used with:

Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

Microsoft Windows XP Service Pack 2, when used with:

Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Microsoft Windows XP Service Pack 3, when used with:

Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Microsoft Windows 2000 Service Pack 4, when used with:

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server

The Trojan War

2009-08-10T20:49:00.000+07:00

The Apple of Discord

The Trojan War has its roots in the marriage between Peleus and Thetis, a sea-goddess. Peleus and Thetis had not invited Eris, the goddess of discord, to their marriage and the outraged goddess stormed into the wedding banquet and threw a golden apple onto the table. The apple belonged to, Eris said, whomever was the fairest.

Hera, Athena, and Aphrodite each reached for the apple. Zeus proclaimed that Paris, prince of Troy and thought to be the most beautiful man alive, would act as the judge.

Hermes went to Paris, and Paris agreed to act as the judge. Hera promised him power, Athena promised him wealth, and Aphrodite promised the most beautiful woman in the world.

Paris chose Aphrodite, and she promised him that Helen, wife of Menelaus, would be his wife. Paris then prepared to set off for Sparta to capture Helen. Twin prophets Cassandra and Helenus tried to persuade him against such action, as did his mother, Hecuba. But Paris would not listen and he set off for Sparta.

In Sparta, Menelaus, husband of Helen, treated Paris as a royal guest. However, when Menelaus left Sparta to go to a funeral, Paris abducted Helen (who perhaps went willingly) and also carried off much of Menelaus' wealth.

In Troy, Helen and Paris were married. This occured around 1200 B.C. (Wood, 16).

Greek Armament

Menelaus, however, was outraged to find that Paris had taken Helen. Menelaus then called upon all of Helen's old suitors, as all of the suitors had made an oath long ago that they would all back Helen's husband to defend her honor.

Many of the suitors did not wish to go to war. Odysseus pretended to be insane but this trick was uncovered by Palamedes. Achilles, though not one of the previous suitors, was sought after because the seer Calchas had stated that Troy would not be taken unless Achilles would fight.

One of the most interesting stories is of Cinyras, king of Paphos, in Cyprus, who had been a suitor of Helen. He did not wish to go to war, but promised Agamemnon fifty ships for the Greek fleet. True to his word, Cinyras did send fifty ships. The first ship was commanded by his son. The other forty-nine, however, were toy clay ships, with tiny clay sailors. They dissembled soon after being placed in the ocean (Tripp, 584-584).

The Greek fleet assembled, under Agamemnon's inspection, in Aulis. However, Agamemnon either killed one of Diana's sacred stags or made a careless boast. Either way, Diana was outraged and she calmed the seas so that the fleet could not take off.

The seer Calchas proclaimed that Iphigenia, daughter of Agamemnon, must be sacrificed before the fleet could set sail. This was done, and the Greek ships set off in search of Troy.

Finding Troy

Finding Troy proved difficult, however, and the Greek fleet at first landed in Mysia. According to Herodotus, the Greeks were under the impression that Helen had been taken by the Teuthranians (Teucrians), and though the Teuthranians denied such allegations, the Greeks layed siege to the city (Herodotus, Bk. II.118). The Greeks ultimately prevailed, but suffered heavy casualties at the hands of Telephus, king of the Teuthranians, and, at the end, were still without Helen. Telephus, in the course of the war, was wounded by Achilles.

With no where else to turn, the Greeks returned home.

The Trojan War might not have happened had not Telephus gone to Greece in the hopes of having his wound cured. Telephus had been told by an oracle that only the person who wounded him (in this case, Achilles) could cure him. Achilles assented and Telephus told the Greeks how to get to Troy.

Embassy to Priam

Odysseus, known for his eloquence, and Menelaus were sent as ambassadors to Priam. They demanded Helen and the stolen treasure be returned. Priam refused, and Odysseus and Menelaus returned to the Greek ships with the announcement that war was inevitable.

The War

The first nine years of the war consisted of both war in Troy and war against the neighboring regions. The Greeks realized that Troy was being supplied by its neighboring kingdoms, so Greeks were sent to defeat these areas.

As well as destroying Trojan economy, these battles let the Greeks gather a large amount of resources and other spoils of war, including women (e.g., Briseis, Tecmessa and Chryseis).

The Greeks won many important battles and the Trojan hero Hector fell, as did the Trojan ally Penthesilea. However, the Greeks could not break down the walls of Troy.

Patroclus was killed and, soonafter, Achilles was felled by Paris.

Helenus, son of Priam, had been captured by Odysseus. A prophet, Helenus told the Greeks that Troy would not fall unless:

a) Pyrrhus, Achilles' son, fought in the war,
b) The bow and arrows of Hercules were used by the Greeks against the Trojans,
c) The remains of Pelops, the famous Eleian hero, were brought to Troy, and
d) The Palladium, a statue of Athena, was stolen from Troy (Tripp, 587).

Phoenix persuaded Pyrrhus to join the war. Philoctetes had the bow and arrows of Hercules, but had been left by the Greek fleet in Lemnos because he had been bitten by a snake and his wound had a horrendous smell. Philoctetes was bitter, but was finally persuaded to join the Greeks. The remains of Pelops were gotten, and Odysseus infiltrated Trojan defenses and stole the Palladium.

The Trojan Horse

Still seeking to gain entrance into Troy, clever Odysseus (some say with the aid of Athena) ordered a large wooden horse to be built. Its insides were to be hollow so that soldiers could hide within it.

Once the statue had been built by the artist Epeius, a number of the Greek warriors, along with Odysseus, climbed inside. The rest of the Greek fleet sailed away, so as to deceive the Trojans.

One man, Sinon, was left behind. When the Trojans came to marvel at the huge creation, Sinon pretended to be angry with the Greeks, stating that they had deserted him. He assured the Trojans that the wooden horse was safe and would bring luck to the Trojans.

Only two people, Laocoon and Cassandra, spoke out against the horse, but they were ignored. The Trojans celebrated what they thought was their victory, and dragged the wooden horse into Troy.

That night, after most of Troy was asleep or in a drunken stupor, Sinon let the Greek warriors out from the horse, and they slaughtered the Trojans. Priam was killed as he huddled by Zeus' altar and Cassandra was pulled from the statue of Athena and raped.

After the War

After the war, Polyxena, daughter of Priam, was sacrificed at the tomb of Achilles and Astyanax, son of Hector, was also sacrificed, signifying the end of the war.

Aeneas, a Trojan prince, managed to escape the destruction of Troy, and Virgil's Aeneid tells of his flight from Troy. Many sources say that Aeneas was the only Trojan prince to survive, but this statement contradicts the common story that Andromache was married to Helenus, twin of Cassandra, after the war.

Menelaus, who had been determined to kill his faithless wife, was soon taken by Helen's beauty and seductiveness that he allowed her to live.

The surviving Trojan women were divided among the Greek men along with the other plunder. The Greeks then set sail for home, which, for some, proved as difficult and took as much time as the Trojan War itself (e.g., Odysseus and Menelaus).

Trojan, Virus, and Worm Information

2009-08-10T20:23:00.001+07:00

Trojans
A Trojan refers to a program that appears as something you may think is safe, but hidden inside is usually something harmful, probably a worm or a virus. The lure of Trojans is that you may download a game or a picture, thinking it's harmless, but once you execute this file (run it), the worm or virus gets to work. Sometimes they will only do things to annoy you, but usually a worm or virus will cause damage to your system.

Viruses
Viruses are computer programs with the sole purpose of destroying data on our computers. The virus may only destroy unimportant files, or it may decide to erase all of your document files. A virus can cause an infected computer to do funny things on certain dates, as well as issue serious commands such as erasing our Registry file, thus disabling the operation and booting up of our computers.
Viruses are spread through executable files we either get from friends, download off the net, or install through a floppy disk. A virus will often come disguised under the cloak of a Trojan, which is the carrier for the virus.

Worms
Worms operate differently. Do you remember the Star Trek show called 'The Trouble with Tribbles'? (Star-Trek fans, if I've remembered the name wrong, please correct me). These little creatures just kept replicating themselves, each one multiplying themselves over and over. Worms act much the same way.
Worms generally come through our email client, but people can also get infected if they accept a Trojan File which has as the payload a worm. If you receive a worm program through your email, and then execute it, this program sends the worm file out to all that are listed in your email address book. If you work in a major corporation, this could means hundreds of people, and so the multiplying continues.

Recently we all witnessed the world-wide problems of the "Love bug". That is a perfect example of all of the above. (yes!) It's a Trojan because it came disguised as a 'Love Letter' when really it was carrying a harmful program. It is a virus because once executed, it infected files on your computer, turning them into new trojans. It's a worm because it propogated itself by sending itself out to everyone listed in your email address book or IRC client.

This is reality -- bad things are out there, disguised as good things....and we must use our computers safely and wisely.

The Best Defense (top)

Never click on links through IRC that come from someone you do not know
Never accept files from anyone you don't know
When downloading files off the Internet, be sure it's from a reputable site.
Never run or even peek at files you receive through your email program from people you don't know. If you have any doubts at all, write the person back, and ask for verification that they sent you a file. Some of the more recent viruses will send mail (and file) to everyone listed in your email address book, then it deletes itself and you have no idea of what happened. Scary, huh?
Install a Virus Detection program -- you can find a free one called Inoculate. I use it, along with another one, and while no program is foolproof 100% of the time (due to the complexity of new viruses appearing everyday), it is a good program, and something you should consider.
Set yourself up a regular time to update the virus scans, and do it -- if we don't keep our computers up-to-date on the latest technologies, then we are leaving ourselves vulnerable. With over 200 new viruses being reported each month, tomorrow is not the time to update...but TODAY.
One more important step is to backup your important files regularly.
Better safe than sorry!

If you'd like to read more about Trojans and Viruses, check here for more resource links. For a comprehensive page with antivirus solutions as well as trojan scanners/cleaners, visit here: Virus & Trojan Solutions You may also wish to download a file that describes in more detail various viruses and trojans. It's called Virus Help. Get it here.

Infection and What to Do (top)

If you have become infected and need to repair your computer, you have several choices:

One of your choices is to download a program called The Cleaner. You can use the program free for 30 days (good deal!). After that time, registration is required at a cost of about $30 (US). This price includes free future updates of the program as well.
Another option is to visit this website, http://www.nohack.net, for more information about being infected. Find the information describing your infection and follow their steps listed for removing harmful trojans, worms, and viruses. Some programs are not totally removable through these steps, and that's where The Cleaner can benefit you as it will remove all traces of infection.
Trend Micro, the makers of PC-cillin (an antivirus program, and one that I use) offers free online assistance. You may wish to visit their site and let their system scan your computer. Visit Trend Micro's Housecall for this free evaluation. You can buy their product from this site, or you can find this antivirus program in many of the larger software outlets.
Visit our new Virus, Trojan, and Security Solutions page for a comprehensive listing of sites and programs that can help anyone wanting to protect their computer.

E-Mail Virus Hoaxes (top)

There will always be newbies on the net, so there will always be a market for spreading the news about E-mail virus hoaxes. This is when someone forwards on a letter which often makes claims that if you receive a mail titled something similar to "Win a Holiday Cruise", and open it, your harddrive will be erased (or some other such dire warning). While we can never be too careful, we have to be cautious to not be too gullible as well :) If you have any doubts about whether or not a warning you receive may be true or false, visit Symantec's Antivirus Research Center Virus Hoax site. They list (and describe) over 80 of the most prevalent virus hoaxes circulating worldwide.

This site isn't completed yet -- we will have much more information here soon describing in more detail viruses, worms, trojans, etc

What is a Trojan Horse Virus?

2009-08-10T20:20:00.000+07:00

A Trojan Horse Virus is a common yet difficult to remove computer threat. This is a type of virus that attempts to make the user think that it is a beneficial application.

A Trojan Horse virus works by hiding within a set of seemingly useful software programs. Once executed or installed in the system, this type of virus will start infecting other files in the computer.

A Trojan Horse Virus is also usually capable of stealing important information from the user's computer. It will then send this information to Internet servers designated by the developer of the virus. The developer will then be able to gain a level of control over the computer through this Trojan virus. While these things take place, the user will notice that the infected computer has become very slow or unexpected windows pop up without any activity from the user. Later on, this will result to a computer crash.

A Trojan Horse virus can spread in a number of ways. The most common means of infection is through email attachments. The developer of the virus usually uses various spamming techniques in order to distribute the virus to unsuspecting users.

These emails contain attachments. Once the user opens the attachment, the Trojan Horse Virus immediately infects the system and performs the tasks mentioned above.

Another method used by malware developers to spread their Trojan Horse viruses is via chat software such as Yahoo Messenger and Skype. Another method used by this virus in order to infect other machines is through sending copies of itself to the people in the address book of a user whose computer has already been infected by the virus.

The best way to prevent a Trojan Horse Virus from entering and infecting your computer is to never open email attachments or files that have been sent by unknown senders. However, not all files we can receive are guaranteed to be virus-free. With this, a good way of protecting your PC against malicious programs such as this harmful application is to install and update an antivirus program.

How to remove a Trojan, Virus, Worm, or other Malware

2009-08-10T20:19:00.001+07:00

If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.

Malware - Malware is programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, Trojan horses, spyware, hijackers, and certain type of adware.

This article will focus on those malware that are considered viruses, trojans, worms, and viruses, though this information can be used to remove the other types of malware as well. We will not go into specific details about any one particular infection, but rather provide a broad overview of how these infections can be removed. For the most part these instructions should allow you to remove a good deal of infections, but there are some that need special steps to be removed and these won't be covered under this tutorial.

Before we continue it is important to understand the generic malware terms that you will be reading about.

Adware - A program that generates popups on your computer or displays advertisements. It is important to note that not all adware programs are necessarily considered malware. There are many legitimate programs that are given for free that display ads in their programs in order to generate revenue. As long as this information is provided up front then they are generally not considered malware.

Backdoor - A program that allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers.

Dialler - A program that typically dials a premium rate number that has per minute charges over and above the typical call charge. These calls are with the intent of gaining access to pornographic material.

Hijackers - A program that attempts to hijack certain Internet functions like redirecting your start page to the hijacker's own start page, redirecting search queries to a undesired search engine, or replace search results from popular search engines with their own information.

Spyware - A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge.

Trojan - A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system.

Virus - A program that when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects ranging from wiping your hard drive, displaying a joke in a small box, or doing nothing at all except to replicate itself. These types of infections tend to be localized to your computer and not have the ability to spread to another computer on their own. The word virus has incorrectly become a general term that encompasses trojans, worms, and viruses.

Worm - A program that when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.

How these infections start

Just like any program, in order for the program to work, it must be started. Malware programs are no different in this respect and must be started in some fashion in order to do what they were designed to do. For the most part these infections run by creating a configuration entry in the Windows Registry in order to make these programs start when your computer starts.

Unfortunately, though, in the Windows operating system there are many different ways to make a program start which can make it difficult for the average computer user to find manually. Luckily for us, though, there are programs that allow us to cut through this confusion and see the various programs that are automatically starting when windows boots. The program we recommend for this, because its free and detailed, is Autoruns from Sysinternals.

When you run this program it will list all the various programs that start when your computer is booted into Windows. For the most part, the majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup.

At this point, you should download Autoruns and try it out. Just run the Autoruns.exe and look at all the programs that start automatically. Don't uncheck or delete anything at this point. Just examine the information to see an overview of the amount of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section.

How to remove these infections

We have finally arrived at the section you came here for. You are most likely reading this tutorial because you are infected with some sort of malware and want to remove it. With this knowledge that you are infected, it is also assumed that you examined the programs running on your computer and found one that does not look right. You did further research by checking that program against our Startup Database or by searching in Google and have learned that it is an infection and you now want to remove it.

If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps.

Download and extract the Autoruns program by Sysinternals to C:\Autoruns
Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware monitor the keys that allow them to start and if they notice they have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases.
Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.
When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.
1. Include empty locations
2. Verify Code Signatures
3. Hide Signed Microsoft Entries
Then press the F5 key on your keyboard to refresh the startups list using these new settings.
The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. it is therefore important to know exactly which file, and the folder they are in, that you want to remove. You can check our Startup Database for that information or ask for help in our computer help forums.
Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.
Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you can not see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this tutorial:

How to see hidden files in Windows
When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.

How to protect yourself in the future

In order to protect yourself from this happening again it is important that take proper care and precautions when using your computer. Make sure you have updated antivirus and spyware removal software running, all the latest updates to your operating system, a firewall, and only open attachments or click on popups that you know are safe. These precautions can be a tutorial unto itself, and luckily, we have one created already:

Simple and easy ways to keep your computer safe and secure on the Internet

Please read this tutorial and follow the steps listed in order to be safe on the Internet. Other tutorials that are important to read in order to protect your computer are listed below.

Understanding Spyware, Browser Hijackers, and Dialers

Understanding and Using Firewalls

Safely Connecting a Computer to the Internet

Using Spybot - Search & Destroy to remove Spyware from Your Computer

Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

Using IE-Spyad to enhance your privacy and Security

Conclusion

Now that you know how to remove a generic malware from your computer, it should help you stay relatively clean from infection. Unfortunately there are a lot of malware that makes it very difficult to remove and these steps will not help you with those particular infections. In situations like that where you need extra help, do not hesitate to ask for help in our computer help forums. We also have a self-help section that contains detailed fixes on some of the more common infections that may be able to help. This self-help section can be found here:

Spyware & Malware Self-Help and Reading Room

How good is Microsoft's free antivirus software?

2009-08-09T16:39:00.000+07:00

Microsoft has officially unveiled its long-awaited consumer antivirus offering. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials, and it will enter public beta testing next week. If you have a licensed copy of Windows XP (Service Pack 2 or above), Windows Vista, or Windows 7, you’ll be able to download and install the software at no additional charge. No subscription is required for ongoing definition updates, either. The final release is scheduled for this fall. (My colleague Mary Jo Foley has more on what beta testers can expect next week.)

The public beta will be limited to 75,000 downloads, Microsoft says, and the targets are global. The initial beta release is limited to the United States, Israel (where a core development team is based), and Brazil. Next month, the beta will open up for users in China. It’s no coincidence that Microsoft is rolling out early in Brazil and China, which are large-scale vectors of malware infections because of the sheer number of Windows users running without antivirus protection. According to Microsoft, barriers to adoption of paid security software are especially high in developing markets, where internet access is slower and credit cards are unavailable to a large percentage of the population.

Microsoft Security Essentials requires validation, which means it won’t be available to anyone using a pirated copy of Windows. But it won’t require registration or personal information of any kind. In an interview last week, Theresa Burch, director of product management for Microsoft Security Essentials, confirmed that decision in no uncertain terms: “We collect no information from you at all,” she told me. No Windows Live ID, nothing. You agree to the EULA, validate, download, and you’re done.”

Over the past few days I’ve been testing recent builds of Microsoft Security Essentials on two machines, one running a 32-bit edition of Windows Vista, the other running a 64-bit copy of the Windows 7 release candidate. The software I describe in this post is a more recent build than the current beta that has been floating around back channels on the Internet. Here’s my report:

If you get a sense of deja vu when you see Microsoft Security Essentials, that’s no accident. It’s a pure superset of Microsoft’s antispyware product, Windows Defender, which was publicly released nearly three years ago and is included by default with Windows Vista and Windows 7. Microsoft Security Essentials adds antivirus protection—both real-time protection and on-demand scanning—to the mix. It shares the same engine and signatures as other Microsoft antimalware products, including the enterprise-focused Forefront and the monthly Microsoft Malicious Software Removal Tool.

The MSE download is impressively lightweight. The x64 copy I installed on Windows 7 was 3.8 MB in size; x86 copies are 4.8 MB for Vista/Windows 7 and 7.7 MB for Windows XP. Installation (including the most recent definition updates) took less than four minutes and, as promised, the initial setup didn’t require any personal information or registration. After I accepted the license agreement, the software informed me that it needed to update its virus definitions and then proceeded to get the most recent updates on its own.

After that it launched a quick system scan that took another 5 minutes or so and predictably found nothing out of the ordinary.

Microsoft says the program is, not surprisingly, Windows Logo Certified and updates its virus and spyware signatures daily through Microsoft Update. New signatures are published three times a day, which means that clients will never get a new update that is ~~less~~ more than eight hours old. [Updated previous sentence to correct minor error.] The core antimalware engine, with new features and bug fixes, is scheduled for updates on a monthly basis. If Automatic Update is enabled, this process will be completely transparent to the user, Microsoft claims.

The first thing I noticed about MSE is how quiet it is. A single tray icon (hidden by default in Windows 7) is the only indication that it’s running. It doesn’t add any browser toolbars or desktop gadgets, and the associated service AntiMalware Service used between 35 and 50MB of RAM on my two test machines. Microsoft’s Alan Packer explained that the company has made “a major effort in terms of performance, in terms of both memory management and CPU.” Except when I deliberately tried to download a test virus, the program didn’t send up any notifications of updates or scans. Iif there’s a problem with updates or another action is required, notifications will show up in Windows (Security Center in XP or Vista, Action Center in Windows 7).

The main user interface follows the “red is bad, green is good” metaphor that Microsoft has adopted across its security software in general.

Like most of its peers, MSE offers real-time protection and an on-demand scanning engine. I noticed that the scanning engine throttled its use of the CPU to 50% or less, which lessened its impact on other tasks. When I tried to download the industry standard EICAR test virus, the real-time scanning intercepted the download immediately:

A quick click of the Show Details button opened this informative, ”red is bad” warning from Microsoft’s malware database.

The cleanup process is designed to get rid of the immediate thread and then to immediately run a more detailed scan. As Packer explained, “Malware travels in packs, so we look for other stuff when we detect a problem.”

Like most modern antivirus software, MSE relies on up-to-date signatures, but adds its own cloud-based twists. Contrary to some recent reports, this isn’t a cloud-based service. Instead, it offers a dynamic signature service that pushes signatures on a daily basis, but adds the ability to query the signature service when need to reduce the window of exposure to new malware. By monitoring for suspicious behavior, the service can query for a sample when necessary. Rootkit detection features target kernel-mode malware and can detect the sort of tampering in the kernel that is typical of rootkits.

How good is the coverage? Microsoft scored dismal test results in the early days of OneCare, hitting a nadir in 2007, but its record has improved dramatically since. A new study (May 2009) by the independent AV-Comparatives group gave Microsoft OneCare (which shares the same engine and signatures as MSE) its highest (Advanced+) rating. Only 3 of the 16 products in the test earned that rating. Microsoft’s technology scored second in the accuracy ratings, behind AVIRA but ahead of AVG, Symantec, McAfee, and a dozen other products. And on the crucial measure of delivering the fewest false positives, Microsoft stood far ahead of the pack, delivering the fewest false positives of any program tested.

In the most recent round of tests from the independent ICSA Labs, Microsoft’s technology passed, while McAfee’s VirusScan family joined several smaller competitors on the FAIL list.

You can bet that the beta release will be seriously tested by independent labs and especially by Microsoft’s for-profit competitors in the coming weeks. If it has any weaknesses, expect to see them heavily publicized. Meanwhile, I’m sufficiently impressed by MSE in operation to give it a more in-depth workout on multiple systems here.

Would you put your trust in a Microsoft-run antivirus product? Leave your opinion in the TalkBack section below.

Free Microsoft virus protection

2009-08-09T16:35:00.000+07:00

Free Microsoft virus protection is readily available on the Microsoft website in the form of a number of online utilities. While they don't offer standalone anti-virus programs they do have some free Microsoft virus protection utilities that can be used to scan your system, remove malicious software, and update the security of your Windows operating system.

To get to their site you'll need to put this URL "www.microsoft.com/protect/computer/viruses/default.mspx" minus the quote symbols into the address bar in your internet browser. This is Microsoft's main computer virus support page which puts a number of free resources at your disposal to protect your computer.
Step 2

Free Microsoft virus protection basically starts out with a free PC safety scan which you see at the top of the page. By clicking on that link the Windows Live OneCare scanner will look through your computer to see if everything is functioning properly and will check for any problems.
Step 3

The next thing that you can do to protect your computer and continue to take advantage of their Free Microsoft virus protection services is to download their malicious software removal tool that checks your Windows operating system for any kind of malware and suspicious programs.
Step 4

After you've completed steps 1-3 you can continue to read their educational materials on how to keep yourself safe in the future and notice threats before your computer becomes infected by viruses or malware.

Microsoft to Offer Free Virus Protection Software for Windows

2009-08-09T16:30:00.000+07:00

Microsoft plans to offer Windows users a new antivirus package designed to protect the OS from viruses, spyware, rootkits and trojans. The new software is tentatively code-named Morro, and will be available for free to Windows XP, Vista and 7 users sometime in the second half of 2009.

The new software will reportedly use very minimal resources, which means it should work well with older PCs. If fact, Microsoft says Morro has been specially designed for older PCs and low-spec machines popular in developing nations. In addition to its minimal processor demands, Morro has been developed to use very little bandwidth, making it ideal for those without broadband connections.

Morro will replace Microsoft’s current, paid service, Windows Live OneCare, which has been available on a subscription basis for $50 per year.

While a free, antivirus solution that ships with Windows would be a boon for the average user, it could also mean trouble for third-party software solutions. Given that a bundled solution could raise antitrust concerns — and would no doubt see competitors like McAfee and Grisoft reaching for the lawyers — Microsoft will be offering Morro as a separate download.

Assuming Morro can deliver decent security it should be a welcome free addition to Windows, but we don’t suggest throwing away your third-party software just yet. Antivirus software suites will likely continue to hold an edge over Morro by offering additional handy tools — like password managers, identity theft protection and browser-based phishing protection.

Still, if you’ve been running Windows with no antivirus software at all, Morro will no doubt be better than nothing, and it’s hard to argue with free.

[via Slashdot]

See Also:

Free virus protection for your home PC

2009-08-09T16:22:00.000+07:00

New viruses are being found "in the wild" all the time. Further, the speed at which these new viruses spread is increasing all the time. A key problem is not that antivirus programs do not detect such viruses, but the fact that most users do not use any antivirus program at all or, perhaps worse, the antivirus software and / or virus definitions database is out of date.

ALWIL Software, the producer of avast!, decided in June 2001 to help to solve this situation by offering avast! Home Edition free of charge for home users who do not use their computer for profit. To get industry leading antivirus protection for your home PC, download the software, and then register it.

The whole process is very simple: you need to download the program from the avast! 4 Home Download page, selecting the appropriate language. Then you need to install it, which is a mostly an automatic process. Initially, if you don't register straight away, you'll install the trial version, which is fully functional for sixty days. During this period, you can register yourself on the avast! 4 Home Free Registration page, and you will receive your license key by E-mail within 24 hours. Insert this key into the avast! 4 Home product, and you will receive the non-restricted version of avast! 4 Home Edition, including access to the update service (the incremental update of the virus database), for one year. After this period you can reregister to obtain a new free license key.

avast! 4 Home Edition can only be used by home users that do NOT use their computer for profit. If you do not meet both conditions, you should download avast! 4 Professional Edition instead, which may also be trialed for up to 60 days before you will need to purchase a valid license key.

avast! 4 Home Edition is a complete antivirus solution, fully able to find computer viruses, to create and check the integrity of programs installed, to test executed programs and opened documents, to test and check email and other functions. Scanning is also available in the shell extension and screen server.

You can read about avast! 4 Home Edition here. You can get avast! 4 Home Edition on our download page. You can later register it on a special avast! 4 Home Edition Free Registration page, where you can also request a renewal registration. You can also access our frequently asked questions section in case you are having difficulties with your product, or visit the forums where many questions have been or can be answered about the product.

PCMAV (PC MEDIA ANTIVIRUS)

2009-08-09T12:30:00.000+07:00

FEATURES & Facts excellent PCMAV (PC MEDIA ANTI-VIRUS):
This is the excellence that distinguishes them PCMAV antivirus with others:
- BEST ANTIVIRUS: Recognizing as well the interference computer virus, both
virus, both local and foreign, which are spread in more than antivirus
other in the world.
- PRODUCTION INDONESIA: Antivirus national production in the first
quality in a completely different type of computer virus that interference
be naughty.
- Thorough NET: With the power basmi PCMAV respite, the virus be naughty
even can be hunted at the same time completely cleaned up to the "radical" without
remain.
- PENYELAMATAN DOCUMENTS: Folder and file your important documents
hidden (hidden) and infected by the virus can be restored to perfect
100% without worry or risk of loss of damage to the file.
- RECOVERY SYSTEM: Settingan registry and important system files that Windows has
"broken", either by virus or other anti-virus as a result of the less powerful, capable
maintenance (repair) to completely recover 100%.
- Accurate: Formula which makes us able to find as one of PCMAV
the best antivirus in the world in terms of accuracy pendeteksian. Error detecting virus
which is known not in the dictionary PCMAV, so an error in saving file
can be avoided.
- ON PROTECTING: Designed for pro-active to ensure a file
free virus has been executed and will wait before virus spread, even to
new virus is not yet known. So you can calm, because when your computer is working,
PCMAV not stop protect.
- AUTO UPDATE: About 100 new viruses found in each
2 / 8
PCMAV (PC MEDIA ANTIVIRUS)
Written by Suherman
Friday, 09 January 2009 16:38 - Last Updated Tuesday, 07 July 2009 09:09
month. Automatically, with the regular online update, PCMAV akan protect
your computer from the latest virus threats.
- Thorough examination: Technology multi-point scanning in PCMAV effective in
lolosnya avoid the virus is capable of automatically active code injection as well, process,
services, until the scheduled even.
- Recognize NEW VIRUS: Technology "GeneticHeuristic" unique effectively able
to detect new viruses that have not been known.
- PENDETEKSIAN fastest: With a special algorithm included in the code
core component pendeteksiannya, PCMAV able to produce the fastest performance compared
other antivirus that have been produced in Indonesia.
- DUAL CORE ANTIVIRUS Engine: Engine PCMAV can be combined with the engine
ClamAV has been enhanced by the team to get PCMAV results pendeteksian
virus protection and more, even up to 400,000 virus / malware over.
- EASY operated: Menu and the display of an antivirus program is now so
fun, easy-operated and does not ribet. WITHOUT INSTALL: PCMAV be
portable, so it can be operated directly without the need to install it.
- Expert TERPERCAYA: With experience since 1992, developers in the PC antivirus
Media is a computer virus researchers and antivirus is very experienced
and includes rare in Indonesia. Therefore, we know how to correct the
antivirus trusted and best suit the condition in Indonesia.
- MEDIA SUPPORT PC: PCMAV fully supported by PC Media, a computer magazine
in Indonesia.
- FREE: It is an extra bonus on every purchase of the PC Magazine Media edition
that every month.
3 / 8
PCMAV (PC MEDIA ANTIVIRUS)
Written by Suherman
Friday, 09 January 2009 16:38 - Last Updated Tuesday, 07 July 2009 09:09
MINIMAL SYSTEM NEEDS
Processor: Pentium
RAM: 64 MB
Operating systems: • Windows XP for Cleaner + RTP
• Non-XP (98, 2000, Vista) for Cleaner only. RTP follow.
PARAMETERS FOR THE BERGUNA Cleaner (ADVANCED USER)
Parameter
Function
/ REGSHELL To display the "Scan with PCMAV" when right-click the file / UNREGSHELL
To remove the option "Scan with PCMAV."
/ FORCE
PCMAV permit to force clean the infected file.
/ REGCLEAN
Try and restore the registry setting "Tools Folder Options" to the default condition.
/ NOMEM No need to scan memory.
/ NOSTARTUP No need to do a scan at startup PCMAV.
/ NOUPDATE
No need to check updates.
Double Engine ANTIVIRUS: PCMAV & ClamAV
NOTE: THE DATABASE VIRUS TERBARU a ClamAV OF THE
LARGE CUKUP, the logical consequence of Engine ClamAV USE IN PCMAV
WILL CUKUP affect the length PENDETEKSIAN FILE AND PROCESS
Memory THAT MUCH MORE. THAN ITU, Engine ClamAV MORE
A SCANNER intended as that do not have PROCEDURES
Cleaner Engine PCMAV the withdrawal. Therefore, ANY VIRUS THAT
Detected by ClamAV engine can only be done by visiting FILE
NO EFFORTS PENUNTASAN / CONSTRUCTION / RECOVERY SYSTEM AND FILE.
4 / 8
PCMAV (PC MEDIA ANTIVIRUS)
Written by Suherman
Friday, 09 January 2009 16:38 - Last Updated Tuesday, 07 July 2009 09:09
PCMAV, both Realtime Cleaner and Protector, in detecting the virus, in addition to
use its own engine, also can be combined with ClamAV. The combination of
generated from both truly terrible to detect computer viruses.
ClamAV (www.clamav.net) is an opensource antivirus program for the Unix
GPL licensed. The use of double-engine results is that the virus can pendeteksian
gained more. ClamAV database of its own at this time reached 400,000 virus /
more malware. Of course, a logical consequence of the size of the database is ever more
process pendeteksian compared with ClamAV engine, but also the result of more
convincing.
For some of the needed library files (libclamav.dll, libclamunrar.dll, and
libclamunrar_iface.dll) database file and the two viruses (main.cvd and daily.cvd) which later
to be placed in the same folder where PCMAV folder is located. For more details,
in integrating ClamAV into PCMAV, the following sequence of the steps:
ClamAV 0.94.1
1. ClamAV installation procedure library
A. Download the file from the library ClamAV address below:
http://oss.netfarm.it/clamav/
See the section "Current stable", and download the library files with clamav 0.94.1 to click
the appropriate link, such as http://oss.netfarm.it/clamav/files/clamav-0.94.1.7z.
When the link is no longer active due to an update or change the version,
please download only new files that are available.
B. Once you get the file "clamav-Win32-0.94.1.7z" download earlier results, do
extract some of the following files in the folder where PCMAV Cleaner / RTP are:
- Libclamav.dll
- Libclamunrar.dll
5 / 8
PCMAV (PC MEDIA ANTIVIRUS)
Written by Suherman
Friday, 09 January 2009 16:38 - Last Updated Tuesday, 07 July 2009 09:09
- Libclamunrar_iface.dll
* File is a 7z archive 7-Zip. Use 7-Zip program through:
http://www.7-zip.org
2. Installation procedures database virus ClamAV
A. Download using the download manager file database daily from the following address
this:
http://db.local.clamav.net/daily.cvd
NOTE: If the appointment directly with the address above as your browser failed
download the second file, then go to the site www.clamav.net, and right in the
under the title "Latest releases" links "daily.cvd". You stay to the right-click each link
file, and select "Save As".
B. Place the file "daily.cvd" and their files "main.cvd" in the folder ClamAV
in the CD / DVD PC Media magazine edition is in the folder where PCMAV Cleaner / RTP are,
or can be downloaded from the following address:
http://db.local.clamav.net/main.cvd
3. After all the procedures performed above, make sure that the folder has PCMAV
there are 8 (eight) the file, namely:
No.
File Origin File
1
PCMAV-CLN.exe
PCMAV package from the CD / DVD PC Media / download results
2 PCMAV-RTP.exe in PCMAV package from the CD / DVD PC Media / download results
3 README.TXT
PCMAV package from the CD / DVD PC Media / download results
4 libclamav.dll
6 / 8
PCMAV (PC MEDIA ANTIVIRUS)
Written by Suherman
Friday, 09 January 2009 16:38 - Last Updated Tuesday, 07 July 2009 09:09
results extract download
5 libclamunrar.dll
results extract download
6 results libclamunrar_iface.dll extract download
7 main.cvd
ClamAV package from the CD / DVD PC Media / download results
8 daily.cvd
Downloaded
Now you run PCMAV-CLN.EXE, if successful integrated ClamAV
PCMAV akan then by showing information about the ClamAV database on the "PCMAV
Informations. "And now you can use PCMAV as usual (including the RTP),
of course with a database of more virus.
IMPORTANT TO be:
Make sure the Windows operating system you are using the library MSVCRT80 appropriate. If
not, ClamAV will not be integrated well. If that happens, please you
Download the file below, extract and place the file-the file (Microsoft.VC80.CRT.manifest,
msvcm80.dll, msvcp80.dll, and msvcr80.dll) together with the file PCMAV and ClamAV
other:
http://oss.netfarm.it/clamav/files/Microsoft.VC80.8.0.50727.762.CRT.x86.7z

Virus killing Guide

2009-08-09T12:26:00.000+07:00

1. Preparation
Before we eradicate the virus, would that prepare first things that we later
need. Between laian that we need to siapakan namely:
* Anti virus
* Tools-tools like: currproses, regworkshop portable, portable cmd, etc.
* Windows PE or Windows portable
* A cup of sweet tea
Anti Virus
Anti virus (which is of course update) is we need in killing viruses. Of
mananya only have anti-virus, I sure need it ...
Nah, the problem now is, where the most anti-virus better ..? Evaluation on the
whether or not anti-virus can be assessed from:
1. The extent to which anti virus to virus-virus and how quickly he recognizes it.
To further understand the above I mean, I will make a case example.
Eg on the day this appears a virus with the name "batosai". After the emergence of this virus,
the anti-virus which most quickly detect this virus. And he takes time
how long can mendeteksinya. Anti virus that is good he can be as soon as possible
mendetaksi virus. Because of the rapid anti-virus can detect the virus it will be more
quickly to minimize the spread of the virus.
Some anti-virus is a necessary provided PCMAV. Anti virus is quite powerful in
killing virus-virus local indonesia. Other anti-virus such as: Norton, avg, avira, BitDefender,
Kaspersky, McAfee etc.. For anti-virus, we simply choose one.
2. Tools-tools
One of the things that is not less important is the tools-tools. Not how, some large
the virus spread in Indonesia, even the process of turning off the antivirus. So that any anti-virus
not slightly> _ <. Therefore, disinilah we need other tools to be able to turn off
virus activity. Other useful tools if the registry editor and windows command promt
didisable by virus
3. Windows PE or Windows Portable
The two windows are very useful when we already can not menbasmi virus
through the normal Windows. Excess is the second windows, windows will not be
fell ill virus. Because the two windows stand alone. In addition, the windows PE and
there are already portable and anti-virus tools. Just add, this made windows PE
approximately 2005, so anti-virus data base can not be used. However there are other tools that
not least, the registry editor for the OS. So although we make Windows PE,
we can still mengotak especial property registry windows installed
4. A cup of tea is enough to accompany us. I'm not dizzy anymore ketemu ketemu-ago
headache, may be drinking tea with the mind we can restore a daze. ^ _ ^
2. Step mengatatasi common virus
1. Stop the process suspicious
Most of the processes currently running on the windows is the windows system is
own, such as svchost.exe, services.exe, lsass.exe etc.. However most of the process
system, there are several program processes, such Winamp.exe, firefox.exe etc.. However, not infrequently
there is also the virus. The process of this virus which is the root of the problem. Because this process
akan possible even damage the system even system. The process is what makes us cranky,
make a slow computer, the process to spread themselves and menduplikai themselves, even
make a lot of data disappeared.
Not infrequently we are wrong in the process of death, the virus appeared dikira process system.
When this happens it is likely that appear akan akan computer is restarting itself, or
even no effect at all. To avoid this, we need to be careful and we must
have little knowledge of the windows. Which is a process system, process
programs and processes which the virus. Here are a few tricks adlah to distinguish between kusus
the virus or not
a. The process of virus usually have a strange name and not known, such kspool.exe
kspools the virus, the virus runner.exe on bhatosai, explorasi on brontok virus.
b. The process of virus usually have the same name with the system. Such
svchost.exe on the bird flu virus, the lsass.exe virus brontok
c. The process of virus usually have a strange icon, such as the serration on the icon virus kspool, icon
folder on bhatosai virus icon and microsoft word on the bird flu virus.
Which is the problem is how can we distinguish between the process of virus
with the process when the system has the same name ..? Is how we need to know
where the process is running. That is by using software such as currproses.
If there is a process that has the same name with the name of the process system process
virus usually does not set the process in the c: \ windows \ system32. Because all the system
akan running in the c: \ windows \ system32. For example a bird flu virus, this location is in the process
c: \ recycled. Virus bathosai c: \ windows \ system \ dll.
When we already know all the viruses, the next step is we need to be
turn off the virus simultaneously. If we do not kill together
then later on the other (not that we turn off) of the virus will run the process again
virus that we turn off again (for some viruses). How to turn off the virus can be
done with beberaa ways:
a. By using software such as currproses.
b. By using Command Promt. Namely with the command tasklist to see
the process is running. Medium taskkill command to kill the process. Example
the death process taskkill / F / IM notepad.exe / IM xxx.exe or with
PID use taskkill / PID 3214. PID can be seen on the right side of the process.
2. Disable virus triggered activity
The virus, which only copied to your computer clean from viruses, will not cause
computer contracting. Virus akan akan become active when the virus file
executed by the user manually or memalui program that can run on
automatically. And when the virus is active, the virus program itself will make the virus so that it can
run automatically. This is called a rift with the virus triggered the event. The rift
trigger:
a. Registry
Registry provides a facility that allows programs on their own before the start menu
appear. This facility is provided for application programs, but many
used by the virus. Registry settings can be viewed and manipulated using the program
Regedit default Windows (Run, regedit). The structure consists of the five root
(HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS,
and HKEY_CURRENT_CONFIG). Each root has many branches called the key.
Each key can contain multiple key and / or value. Management structure in the file, the root can
diidentikkan with the drive, a folder with the identical key and value associated with the file. Like
folder, the key can not load data, it can only load key and value. Registry data that
can affect overall system behavior in the loaded value. To know
structure more clearly registry, run regedit. Be careful to run regedit, because
incorrect procedure can cause total paralysis system!
Key "Run"
Key "Run" is made to accommodate the list of programs that will run the system shortly before
start menu is active. In the registry, this key can be found in several places, namely on:
* "HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion"
* "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion"
* "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ explorer"
If one or more of the registered user in User Accounts (Control Panel> User Accounts),
then the root akan HKEY_USERS key, there are several settings to accommodate the
each user. Some of the key also contains the key
"Software \ Microsoft \ Windows \ CurrentVersion", and the key may also include "Run".
Value "Shell" and "Userinit" key in the "Winlogon"
Value "Shell" and value "Userinit" key in the "Winlogon" can provide the same effect
effective virus-for-value with the stored key in the "Run". Generally, the data for
second value is:
Shell = "Explorer.exe"
Userinit = "C: \ WINDOWS \ system32 \ userinit.exe,"
Key "Winlogon" in:
* HKEY_CURRENT_USER \ Software \ Microsoft \ Windows NT \ CurrentVersion "
* HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion "
* Some of the key in the key "HKEY_USERS"
In addition to key and value mentioned above, it is still possible for many key / value that
can be used by the virus, although it may not be effective, and this author has not
never find.
If the value found suspicious, do an adequate analysis before deciding
to remove them. But remember, do not delete the original!
b. Start Menu and Desktop a. Start> Programs> Startup
Folder "Startup" in the start menu is provided to accommodate the programs akan
be run automatically by Windows when the process is finished booting. The virus can take advantage of
this folder to actively trigger the virus by creating a shortcut in it, or with
create a duplicate in the virus. Brontok virus early versions utilize this folder with
create a file called "EMPTY.PIF" DOS image program.
c. Link / Shortcut
Files link or shortcut (file berekstensi. "LNK" and. "PIF") that are in the start menu or in the
desktop functions as a "shortcut" to the program files for easy user run
program. Files such as this, since it's not really the program, generally is small,
not more than 4KB. This file can be manipulated so that the virus does not refer to the program
should, but be deflected to the virus program. To know the shortcut to be deflected
or not, right-click on the shortcut file, click "Properties", then see the information on
the "Target".
File shortcut can also be removed only by the virus program and replaced with the virus that
icon is created with the shortcuts of the original file. Rare cases such as this, but never
occurred. If this happens, generally the size of the files' shortcut 'is more than 4KB. But the size of the file
"shortcut" is not a guarantee that a file has been manipulated into
virus program. To check the contents must be viewed using a Hex Editor.
Unfortunately, only certain people, especially the ever-learn programming or
electronics-digital techniques that can understand the program Hex Editor. Shortcut files generally
arrow image has, unless the file is viewed in the start menu. If we see the contents of the folder
start menu using Windows Explorer, all original file shortcut (not the folder) will have
arrow image. If no image panahnya, possibly (not guarantee) file shortcut
is not a shortcut beneran.
d. Task Scheduler
See Control Panel> Scheduled Tasks to see the list of already scheduled periodic
scheduled in the system. The virus sometimes make the schedule here to run the program
virus from a particular location. Delete Scheduled task harmful only.
e. AUTOEXEC.BAT
Each booting, the computer will check the file C: \ AUTOEXEC.BAT and run perintahperintah
in it, if any. Of course this opportunity and benefit program applications
virus program. Check the contents, and remove the hurt or the file that points to the virus.
If not sure of the consequence, the AUTOEXEC.BAT file can be copied first, so if there halhal
that is not desired, can be restored as the override file
AUTOEXEC.BAT with copies have been made. To disable one or more
command in the AUTOEXEC.BAT file can be added the word "REM" (without quotation marks).
f. Take a transfer program
The virus can also take over the program as follows:
* Change the name of the application programs are often used by users. For example WINWORD.EXE
(Microsoft Word) changed to WINWORD1.EXE.
* Make a duplicate of virus with the name of the program is often used by users. In this example,
create a duplicate with the virus name WINWORD.EXE.
* When users intend to run the application (Microsoft Word), and the user is actually
run a virus program, virus program and then call the application programs
native has been renamed (WINWORD1.EXE).
This strategy is implemented by d2/Decoil leaf virus, taking over the program Winamp. To
check, check the programs shortcutnya available in the start menu or the desktop.
Virus programs generally small, between 30KB to 300KB, while the application
usually relatively large size (more than WINWORD.EXE size 8.000KB, EXCEL.EXE
larger than 6.000KB). Date of making the program can also be used to
to determine whether a program is original or not, even if a file can actually
date changed easily.
g. Another rift
....???
3. Remove duplicate file virus
If the virus in the system (on drive C:) is clean, also search in the data folder and in the other drive. Delete
believed that all the files as a virus. Menggapus du [likat file can manually or with
how to scan with anti virus. Save me, when we scan with anti virus kemputer akan
but there is still a process that is running the scan results are less than the maximum of
we scan the computer at the time of the virus have all turned off.
4. Restore system
Restore registry settings that have been manipulated to make the virus aksinya, for example:
re-enable regedit, back munculkan Folder Options menu, Folder Options configuration
that allows the user to identify the characteristics of the file, and so forth.

F-Secure Mobile Security ™ for S60

2009-08-09T12:24:00.001+07:00

Installing and Enabling
Version
Previous
You do not need to delete instalan F-Secure Mobile Security version
previously. Check the F-Secure Mobile Security after you
install the new version.
Installing To install:
• Download the installation file to your computer, and then move to
device,
• Download the installation file to your computer, then install this product
via Nokia PC Suite, or
• Download the installation directly to your device. Installation akan
run automatically.
Once the installation is complete, re-activate the device if the installation
ask you to do so. Once installed, you must
activate the product. This product does not protect the device if not
activated.
To activate the start:
1. Open the application. Welcome screen is displayed.
2. Press Continue.
3. Choose the type:
• To start the evaluation period, select Free evaluation as a type of
activation if available, and then press Go, or
• To get the full version berlinsesi, select a number
as the type, then press Continue. Enter the number
subscription, and then press OK.
4. Press Yes, then select the Internet access point to connect to the service
update. After that start downloading the update.
Applications will be connected to the renewal and send the number
your subscription. During the first renewal, the application will
download the latest virus definition database.
5. After the download is complete, a message will tell you that
registration is successful and the application has been activated. Press OK
to complete the activation.
6. After the finish, a virus scan on the device to ensure
the device was clean. Virus Scan see chapter below.
You should scan your device each time the application
request.
2. Virus Scan
F-Secure Mobile Security will be running in the background and scans files
automatically.
1. If the virus is found while scanning real-time progress, the message will be
appear on the screen. Press Yes to view the infected file or No to
close the dialog box.
2. Views infection contains a list of infected files on the device and status
file (either quarantined or released).
To see more details about the infected files:
1. Scroll to the infected file, and press the button of choice.
2. Select Display.
3. Infection of the details view displays the location and name of the file
infected, and the name of the virus menginfeksi file.
File Processing
the infected
To process infected files:
1. In the infection, scroll to the infected file will be processed.
2. Press the button of choice.
3. Select one of the following actions:
• Delete - delete the infected file. This option is recommended. File akan
removed entirely from the device.
• Quarantine - mengkarantina file has not been quarantined if infected. File
the quarantined akan locked and can not be dangerous
device when F-Secure Mobile Security is active.
• Release - release the quarantined file. If you release
file, the file will not be locked again. You can
access to the personal risk.
3. Preventing Network Traffic is not authorized
Firewall in F-Secure Mobile Security will be running in the background.
Firewall will monitor the Internet and the incoming and outgoing traffic
network, as well as efforts to protect you from interference. Level firewall that has been
set allows you to change the level of protection with rapid
as needed.
Selecting a Level
Security
To select the security level:
1. Go to Settings, and then press the button of choice.
2. Select the Firewall settings option from the list.
3. Select the desired level firewall:
• Deny All - stops all network traffic.
• High - allows the most commonly used and
to block all incoming traffic.
• Normal - allows all outgoing connections and block
all incoming traffic.
• Allow All - allows all network traffic.
• Customize - allows network traffic based on rules
Your special. To edit a custom set of rules, use
Options> Edit the custom when the security level of Adjust
selected.
4. Protecting Confidential Information
With Antipencurian, you can ensure that the device or data
stored in it will not be misused if the device
stolen.
Use
Key
Device
Antipencurian can automatically lock the device when the SIM card in
devices are replaced. Device that is locked can only be activated
using your lock code.
To configure the device key:
1. Go to Settings, and then press the button of choice.
2. Select Antipencurian settings in the options list.
3. Enter the code key. The length of the lock code must have at least 5 characters long.
Store in a safe place.
4. If you want to lock the device when the SIM card is replaced, select Yes on
Lock if SIM changed.
Use
Antipencurian
Far
With antipencurian far, you can send SMS text messages that contain
key to the device to lock or delete all information
in it.
To configure the remote:
1. Go to Settings, and then press the button of choice.
2. Select Antipencurian settings in the options list.
3. To be able to lock the device remotely, follow the instructions below:
a. Enter the code key if you have not already so.
b. Activate the remote.
Device that is locked can only be activated using the lock code
You.
4. To remove the device from the remote, follow the instructions below:
a. Enter the code clear. The length of the code should be clear at least 8 characters.
Store in a safe place.
b. Activate Delete remote.
When the device has been removed, all data stored in the
in it will be deleted.
To lock or remove the device from the remote:
• To lock the device, send the following SMS message to your device:
# # LOCK (For example: # # abcd1234 LOCK)
• To remove the device, send the following SMS message to the device
You:
# # Wipe (For example: # # wipe abcd1234)
Because the memory card can be removed easily, keep
your confidential information in the memory device that can be locked
and deleted using Antipencurian.
Akan protect key settings Antipencurian. You
must enter the lock code that can change the active
Antipencurian settings.
5. Stay order for maintaining the Newest Products
Update
Automatic
F-Secure Mobile Security includes an update service that automatically means that the
virus definition database in the application will be updated regularly. Only
virus definition database that will protect the device from virus
latest. Automatic updates will be used after the product is activated.
This application requires active Internet connection for updates. When
connection to the Internet is available, the application will check the latest updates
virus definition database and download the latest updates, if necessary.
Update
Manual
To update the application manually:
1. Open virus protection, and then press the button of choice.
2. Select Update Now.
3. Select the Internet access point to connect to server updates. Applications
akan download the latest virus definition database and immediately
use it.
4. After the update finished, press Yes to scan for viruses in the device
if you are prompted to do so. See the chapter on the Virus Scan.
Update
Version
If the version of F-Secure Mobile Security is available new, a message will ask
You to download this version. Applications will be activated
automatically reset after the update is completed.

Best Antivirus Software

2009-08-08T20:35:00.001+07:00

1 Shield Deluxe 2009 - Antivirus Protection

Review date: 07.02.2009

Description:

The best part of using Security Shield 2009 is the fact that is powered by BitDefender. This antivirus company protects tens of millions of home and corporate users across the globe. The Shield Deluxe 2009 will protect your PC and personal data from theft, making it worth considering.

Screenshots

Price:

$19.99

Buy from the Publisher

Advanced Features:

Total virus and spyware protection
Free technical support
Intelligent scanning
Real time threat detection
Hourly updates, Vista compatible
Decides best security actions to take
Stealth web browsing
Excellent extended parental controls
Uses minimal system resources

Review:

Buy from the Publisher

You can set your computer to update viruses weekly and run a complete virus scan. The system can be restored after malicious activity. It controls the status of the system registry and notifies users of any suspicious objects.

Monitors the activity of programs and processes that have been launched in the computer’s memory.
Controls over changes in the file system. Proactive protection.
Removes spyware parasites to protect your privacy and prevent system crashes and slow-downs.
Protection from rootkits and worms.
Blocks access to inappropriate websites and e-mail.
Reduces the system load and postpones updates, allowing for secure gaming at top speed.
Scans all Web, e-mail and instant messaging traffic in real-time.
Advanced system maintenance tools.

Best of all, no additional or hidden charges for the technical support services assistance while most of antivirus companies charge an additional amount to correct virus or spyware damage either per minute or per incident.

#2 Trend Micro Antivirus Internet Security 2009

Review date: 05.11.2009

Description:

Trend Micro Internet Security 2009 provides comprehensive and easy to use protection from viruses, intruders, and other Internet-based threats. Inexpensive product received excellent scores in our performance tests.

Screenshots

Price:

$49.95

Buy from the Publisher

Advanced Features:

Effective Antivirus Protection
Customizable security for your home PCs
Prevents virus-infected emails
Home Protection for up to 3 PCs
Spyware and Adware Protection
Automatic Virus Pattern Updates
Enhanced Software History Cleaner
Effective Antivirus Protection
Excellent value

Review:

Buy from the Publisher

Best of all, the anti-virus engine protects against computer viruses, worms, Trojan horse
programs, and related security threats.

Free phone, email and chat support, with your annual subscription.
Block websites with inappropriate content based on specific categories.
Protect your privacy by getting rid of records listing Web sites and files recently opened.
Stops viruses, worms, spyware and bots.
Automatically download the latest signature updates. Quarantined file recovery.
Real-time protection. You can run scheduled and manual scans.
Keeps your system protected against all types of malicious threats.
Remote File Lock safeguards your private files in case your laptop is lost or stolen.

Powerful anti-spyware technology guards your personal information and privacy against spyware, rootkits and other malicious software. Trend Micro Internet Security 2009 covers the basics, providing antivirus, antispyware, antiphishing, antispam, two-way firewall, and, unlike other Internet Security suites, includes parental controls.

#3 Norton Antivirus 2009

Review date: 05.17.2009

Description:

Norton AntiVirus 2009 provides fast, responsive defense against all types of malicious software. The new Norton Protection System employs a multilayered set of security technologies that work in concert to detect, identify, and block attacks.

Screenshots

Price:

$39.99

Buy from the Publisher

Main Features:

Advanced antivirus with anti-spyware
Best proactive protection
Rapid pulse updates every 5 to 15 minutes
Rootkit detection, two way firewall
Defends against Web-based attacks
Automatic Virus Pattern Updates

Review:

Buy from the Publisher

The most trusted Symantec Norton Antivirus have updates their latest product Norton Antivirus 2009, have released and gives a faster and better performance of your pc against Viruses and spywares.

Maps your wireless home network
Free chat and phone support.
Monitor your home network and more safely connect to Wi-fi networks.
AutoFix technology will diagnose and fix common problems for you.
Automatically schedules scans and updates to occur while PC is idle.
Blocks browser exploits and protects against infected Web sites.
Prevents unauthorized users from changing your critical applications.
Monitors all processes and registry changes.

New Norton Internet Worm Protection blocks certain more sophisticated worms (such as Blaster and Sasser) before they enter your computer. A good product for keeping your computer safe from viruses. All regular telephone technical support calls are free.

#4 Panda Antivirus Pro 2009

Review date: 05.09.2009

Description:

Panda Antivirus features a new ultraFast scan engine, 30% faster than its predecessors, Panda's exclusive SmartClean technology. In a nutshell, a good antivirus solution for Windows, that keeps your computer protected from any Internet threats.

Screenshots

Price:

$49.95

Buy from the Publisher

Main Features:

Automatically eliminates viruses
Anti-Malware Engine
On-demand scanning
Smart auto-configuration
Automatic Virus Pattern Updates

Review:

Buy from the Publisher

Anti-Rootkit Technology detects and removes silently-installed rootkits used by
malware or intruders to evade traditional antivirus products.

Intrusion prevention blocks known and unknown hacker attacks and vulnerability.
Identity protection: Anti-Phishing Filter, Anti-Banking Trojans Engine.
Incorporates an advanced heuristic scan that detects more identity theft.
Identity protection: Anti-Phishing Filter, Anti-Banking Trojans Engine.
Personal Firewall protects you against Internet-borne worms and hacker attacks.
Removes all traces of clutter left by spyware on your PC.

Panda 2009 products offer a better customer experience than before, thanks to the new registration process and the new user interface.

The Web filter lets you browse safely without the risk of infections, vulnerabilities exploits or phishing websites. The scanning features have been sped up and the new interface is a clean and modern take on a time-tested product.

#5 ZoneAlarm Anti-virus 2009

Review date: 05.09.2009

Description:

New engine delivers the best virus protection with significantly enhanced detection and removal capabilities. A configuration wizard leads you through setup, making it easy for everyday users to secure their systems fast.

Screenshots

Price:

$19.95

Buy from the Publisher

Software Summary:

The ZoneAlarm online forums are active, with users worldwide eager and willing to answer your question.

Main Features:

Advanced antivirus, spyware removal protection
On demand scanner interface
Simple to install and run
Advanced virus removal technology

Review:

Buy from the Publisher

Enhanced detection and removal capabilities stop even the latest and most aggressive viruses before they infect your PC.

Pre-loaded security settings provide easy, instant protection.
Minimum PC resources and bandwidth consumption.
Proactive firewall protection with multiple layers of security.

Not certified by any of the three major independent testing labs (Virus Bulletic, Checkmark, or ICSA).
Unlike other antivirus products, Auto-Learn from Check Point is a system that automatically configures security settings based on a user's unique computer environment and behavior, making the initial set-up virtually silent.

#6 ESET NOD32 Antivirus

Review date: 05.08.2009

Description:

ESET NOD32 Antivirus proactively detects and disables viruses, trojans, worms, adware, spyware, phishing, rootkits. It includes advanced archive scanning, access control for removable media.

Screenshots

Price:

$39.99

Buy from the Publisher

Software Summary:

Self-Defense - a built-in technology to prevent malicious software from corrupting or disabling the system's security.

Main Features:

Uses a combination of filtration methods
Identifies known and unknown threats
System restore

Review:

Buy from the Publisher

This antivirus program can take some resources when running a full scan.

Blocks all attempts to collect and forward your confidential data.
Best protection against zero-day threat and attacks.
Small size of update files, fast scanning speed and accurate detection .
Offers several layers of protection including real time email scanning.

ESET typically uses only 35-40MB of system memory, a fraction of what other products consume. Laptop users will welcome the new automatic energy-conserving battery mode. ESET NOD32 Antivirus is supported by Windows XP 32-bit, Windows Vista 32-bit, Windows 2000.

#7 Kaspersky Anti-Virus

Review date: 05.25.2009

Description:

Kaspersky Anti-Virus protects your computer against known and unknown threats, and against unwanted data. Besides, it monitors system activities by user applications, preventing any dangerous actions by applications.

Screenshots

Price:

$39.95

Buy from the Publisher

Software Summary:

It doesn’t scan for all potentially unwanted programs.

Main Features:

Free Trial
Scans files and Internet traffic
Updates automatically

Review:

Buy from the Publisher

Best of all and like most antivirus software today, the new system restore wizard helps repair damage to your system arising from malware attacks.

Built-in system restore capabilities included
You can e-mail or call a toll-free number for live technical support
Users can change interface appearance
New threat response time: less than 2 hours

Please note that Kaspersky Anti-Virus 2009 requires Windows XP and Windows Vista. Free technical support and one year subscription to anti-malware updates.

Ways Overcoming Computer Virus

2009-08-08T19:17:00.000+07:00

Steps Virus Prevention
Better Preventing of Mengubati. This practice should be the virtue computer users. Between the steps is the beginning;

1. Do not use floppy disks or any storan unknown puncanya.
Diskette is not known who may have been tercemar with the virus. Practice write-protect floppy disks should always be done for mempastikan virus could not write himself into the diskette.

2. Do not use a perisian print rompak (pirated copy)
Perisian print rompak is often trap the virus author. Perisian the real has been modified by inserting the virus is often sold at very cheap prices.

3. Do not open the attachment that has emel
Internet technology has been fully used by virus writers. The virus is now able to spread through reading emel that have tercemar. Most emel akan This attachment contains fail. Sometimes he still tense despite dihantar not contain the virus by people who you know.
Make sure you menelefon your acquaintance, for mempastikan what he really sent that contains emel fail attachment to you.
Between viruses that use this technology is;
Anna Kournikova, Sircam, Code Red, Nimda and iloveyou.

4. Use Perisian Anti-Virus.
Perisian anti-virus is perisian Utilities for mengesan and destroy the virus. There are perisian this can be found on the Internet are free of them;

a. AVG Anti-virus
b. Free Anti-Virus
c. Innoculate IT (there are up to windows95 OS and Palm OS)

When anti-virus that is sold dipasaran;
a. Mine did Anti-Virus
b. Norton Anti-Virus
c. Pc-Cillin
d. Armor Anti Virus
e. VBuster
f. Virus Rx (for Apple computers)

Most anti-virus perisian this upgrade may be in for it mempastikan data base contains anti-virus events. He also sometimes offers immediate assistance to users berdaftar.

VBuster example is perisian anti-virus which is very popular in fact that it is used by NASA. It was created by Dr. Looi Hong Thong originating from Pulau Pinang, Malaysia.

Recognizing the signs of your computer virus attack
Often a computer virus can only dikesan by anti-virus, but so if your computer has sintom-sintom below, is most likely your computer has a virus attack.

Diskette

1. There is a bad sector on the diskette
2. Fail in the disk suddenly not only may be used.
3. There mesej diskette in your directory.
4. Volume label has been changed
5. Number of saiz fail does not change while you fail to use it.

Harddisk

1. Hard to take a long time to boot.
2. There is a fail suddenly not only be used
3. There is a bad sector
4. There is a directory or fail the new created without your knowledge.
5. Number of saiz fail to change.

Computer

1. There mesej which were presented at the skrin
2. Speaker Muzik play that you do not know puncanya
3. There are complicated things, such as can not fail the save, the case of the skrin fall, there is a ping pong ball on the rebound skrin, printing print mesej unknown and so forth.
4. Bulge in the macro fail fail-word, excel and so on without your knowledge.

Norman Virus Control for Marshal8e6

2009-08-08T14:42:00.000+07:00

The Business Issue
Email and the Internet are vital business tools,
allowing your organization to communicate
and access information efficiently. However,
they also present vulnerable entry points
for viruses and malicious code into your
organization, diminishing the benefits that
email and the Internet were intended to
provide.
The 2006 CSI/FBI Computer Crime and
Security Survey reported that 65% of the
615 companies surveyed suffered significant
financial losses as a result of virus infection
during the year. The average reported cost of
these virus infections was US$69,125 per
company. Other industry experts have
estimated that as many as 80% of the
world’s computers are infected with some
form of malicious code, such as spyware.
Managing virus security risk in a corporate
environment can be very difficult. Users bring
all manner of external devices into
the office to connect to their computers.
They download unknown files and
applications from the Internet. They connect
their laptops to unsecured networks outside
the office. They open email attachments sent
to them by complete strangers. A layered
approach to anti-virus security incorporating
user education, active desktop anti-virus and
“always on” gateway virus monitoring is fast
becoming best practice.
The Solution
With Norman Virus Control, you can apply
anti-virus from one of the world’s leading
antivirus providers to email and Internet
activity before viruses reach the trusted,
internal network.
MailMarshal SMTP integrates Norman
scanning at the email content inspection
level. As messages are filtered for spam and
other non-business content, MailMarshal
employs Norman to scan each message
for viruses and malicious code. Scanning is
essentially instant thanks to MailMarshal’s
multi-threaded design and tight product
integration. Infected emails are identified and
quarantined. Notification messages can be
automatically sent to IT staff, and detailed
reports can be generated -- identifying how
many and what viruses MailMarshal has
blocked over any given period.
Norman also works with MailMarshal
Exchange, providing real-time anti-virus
protection on inter-office Exchange email.
WebMarshal integrates Norman at the Web
proxy level. Any files requested by users
are virus scanned by Norman before they
are passed to the user’s browser. Users are
informed in realtime of suspected
virusinfected
files and any offending files are automatically
blocked. Reports are available detailing how
many and what viruses WebMarshal has
blocked and what the offending URLs were.
Norman Sandbox Technology
Norman Virus Control now features Norman’s
innovative “SandBox” technology.
Conventional anti-virus solutions rely on
signature files that are created when a new
virus is discovered in the wild. This requires
that the anti-virus solution be regularly
updated
to be effective against the latest virus threats.
If it is not, it will not recognize a new virus.
The Norman SandBox technology is
designed
to identify new viruses that have not been
seen before. When a file is passed to
Norman Virus Control for checking by
MailMarshal or WebMarshal, it is first tested
using the virus signature file to see if it is
a known virus. If it’s not found in the
known virus list, it is passed on to the
SandBox where the file is let loose to
reveal its intentions. The SandBox
is a simulated environment controlled
by theNorman virus scanner; so, if it is
a virus, it cannot actually do any harm.
The SandBox assesses the behavior
of the file as it executes. If the file
behaves suspiciously or exhibits virus-like
qualities, it is classified as harmful.
If the file is harmless, it is delivered to
the application that requested the check.
If it is harmful, it is placed in quarantine
thus preventing the network from being
infected. The Norman SandBox feature
is not only effective against viruses but
also spyware and other malicious content.
Technical Features and
Benefits of Norman
Virus control
• Detects and blocks viruses at the
Internet gateway before reaching your
internal computer network.
• Protects users from opening
virus-infected emails, by blocking the
emails before they reach individual
mailboxes.
• Prevents users from accidentally
accessing virus infected Web sites or
files by blocking downloads in realtime.
• Provides high-speed virus scanning via
multi-threaded message unpacking
design.
• Features Norman’s innovative new
SandBox technology to identify potentially
harmful files based on behavior. Provides
greater virus detection, particularly
against new viruses never seen before.
• Controls viruses in a total policy-based
framework. You can choose what happens
when viruses are detected. They can
be quarantined for investigation or
automatically deleted. You can also send
notification messages to the administrator
or email sender, informing them of the
detected virus. Essentially any
policyrelated measures that you wish to
take regarding viruses are possible with
MailMarshal and WebMarshal.
(Options for email and Web scanning differ.)
• Creates detailed virus incident reports that
clearly demonstrate Return on Investment
for your staff and executive management.
You know when and where a virus was
detected, how many viruses have been
blocked, and what types of viruses you are
blocking.
• Shows real-time monitoring of viruses
quarantined in the MailMarshal Today
page.
• Provides 24x7x365, always-on virus
protection. Users cannot turn off virus
protection.
• Scans both incoming and outgoing email.
Scans both downloaded and uploaded files
to and from the Web.

New virus emerges in Malaysia

2009-08-08T14:40:00.001+07:00

On Mar. 7, 1999, a 49-year-old pig farmer in
Malaysia developed fever, headache, behavioural
changes, blurred vision and lethargy. On admission
complete blood count, electrolyte levels and a CT scan
of the head were normal. Over the following days he deteriorated
rapidly, with generalized seizures, respiratory failure,
unstable blood pressure and high spiking fevers. He
died 6 days after the onset of symptoms. On
the day of his death, lumbar puncture revealed
a high protein level (2.09 g/L). His
brother, a worker on the same pig farm, had
died a few days earlier from encephalitis.1
Between Sept. 29, 1998, and Apr. 4, 1999,
229 cases of febrile encephalitis were reported
in Malaysia. Patients typically presented
with a 3- to 14-day history of fever
and severe headache, followed by drowsiness
and disorientation often progressing to coma within 24 to
48 hours. Almost half of those affected died. Three clusters
of cases, primarily adult men reporting close contact with
swine, have been identified. Respiratory and neurologic
symptoms and death among swine from the same regions
occurred concurrently. In Singapore in March, 9 similar
cases, 1 of which was fatal, and 2 cases of respiratory illness
occurred among abattoir workers who had handled swine
imported from Malaysia.1
Although Japanese encephalitis virus was suspected at
first, tissue culture from central nervous system specimens
has identified the presence of an agent never previously described.
Electron microscopic studies and preliminary nucleotide
sequencing indicate that the agent is a virus similar
but not identical to another relatively new entity, the Hendra
virus. Hendra-virus IgM antibodies were identified in
the serum of 23 of 26 cases, and Hendra-like antigens have
been detected in tissue specimens from affected swine.1
Hendra virus was first recognized in September 1994 in
the wake of an outbreak of respiratory illness in 20 horses
and 2 humans in Hendra, Queensland, Australia. One man
and 14 horses died.2 An outbreak in Mackay, Queensland, in
August 1994 was later shown to be due to the same virus.3
Although some investigators recommend classifying the
Hendra virus in a new genus, most have described it as an
equine morbillivirus within the family Paramyxoviridae.2,4
Other morbilliviruses include human measles virus and a variety
of viruses pathogenic in animals, including rinderpest,
canine distemper and peste des petits ruminants viruses.2 In
horses, cats, guinea-pigs and humans, the Hendra virus has
been shown to cause vascular lesions in the lungs and other
tissues.5–7 Fruit bats of the species Pteropus poliocephalus are
believed to be the natural hosts.5,8 Although transmission between
species can occur, the virus is not highly contagious,
and transmission from horses to humans through exposure
to infected blood or bodily fluids is rare.5
A variety of new morbilliviruses have emerged in recent
years. Beginning in the late 1980s investigators identified
new morbilliviruses occurring in marine
mammals.3 A recent report has
implicated yet another novel morbillivirus
transmitted by bats in the increased incidence
of stillbirths and deformities among
piglets in New South Wales, Australia.9
Preliminary investigations suggest that
spread of the new Hendra-like virus in
Malaysia occurred through transport of infected
swine.1 Although the presumed
wildlife reservoir and modes of transmission of the virus
have yet to be determined, close contact with pigs seems to
be necessary for human infection. No cases have been reported
among unexposed family members or health care
workers caring for ill patients. To prevent further spread,
transportation of pigs within Malaysia has been banned, and
all people in affected areas who are in close contact with
pigs have been advised to use protective clothing and equipment.
Although travel restrictions have not been imposed,
visitors to Malaysia should be aware of the outbreak.1

LARGEMOUTH BASS VIRUS COMMON

2009-08-08T14:39:00.001+07:00

COMMON NAME: Largemouth Bass Virus
Some other common names have been suggested for Largemouth Bass Virus (LMBV),
like Lake Weir iridovirus, Lake Weir ranavirus, and Santee-Cooper ranavirus. These
names credit the water bodies where the virus was first isolated, Lake Weir, and the
reservoir where the first fish kill occurred, Santee-Cooper Reservoir. As of now
Largemouth Bass Virus is the accepted common name.
SCIENTIFIC NAME: Virus
LMBV is in the family Iridoviridae. There are four genus level groups in the Iridoviridae
family, Iridovirus, Chloriridovirus, Ranavirus and Lymphocystisvirus. It is not known
what genus this specific virus belongs to.
DISTRIBUTION: The origin of LMBV is unknown. It was first discovered in the
United States in Florida. It has since been detected in 18 other states including Alabama,
Arkansas, Georgia, Illinois, Indiana, Kentucky, Louisiana, Michigan, Missouri,
Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia,
Vermont and Wisconsin.
Indiana: In Indiana the first confirmed case of LMBV was in 2000 at Lake
George which lies on the Indiana/Michigan border. A largemouth bass die off at
the lake prompted testing of the fish which showed the fish were positive for
LMBV. Subsequent bass mortality with the fish testing positive for LMBV were
found at Hamilton Lake (Steuben Co.), Little Long Lake (Indiana/Michigan
border), Dewart Lake (Kosciusko Co.), Chapman Lake (Kosciusko Co.),
Dogwood Lake (Davies Co.), and Starve Hollow Lake (Jackson Co.).
DESCRIPTION: The signs of a fish infected with LMBV are sometimes hard to
recognize. Some carriers of the virus will seem completely normal. If the virus has
triggered disease in a fish that fish will be near the surface, having trouble staying
upright, and having difficulty swimming. LMBV seems to infect the swim bladder of
fish. Some bladders will have a thick yellow or brown exude, or it could only be slightly
red and over inflated, and sometimes the swim bladder will look normal. For precise
diagnosis a DNA based test must be preformed.
LIFE CYCLE BIOLOGY: LMBV does not only infect largemouth bass, it also has
been found in guppies, smallmouth bass, spotted bass, Suwanee bass, bluegill,
redbreasted sunfish, white crappie and black crappie. This virus usually only causes
death in largemouth bass. It is unknown why this virus kills largemouth bass and not
other fish. Often largemouth bass infected with LMBV will show no signs of disease. It
is believed that stress triggers the disease of the virus. Stressful factors include hot
weather, poor water quality, pollution, crowding in livewell tanks, frequent handling by
anglers, and other pathogens. The virus attacks the swim bladder of infected individuals.
Besides fish, LMBV has been found in other cold-blooded animals like amphibians and
reptiles. LMBV has never been detected in warm-blooded animals, including humans.
Infected fish are edible as long as they are cooked properly.
PATHWAYS/HISTORY: This virus was first isolated in Lake Weir in Florida in 1991.
A fish kill in Santee-Cooper Reservoir of South Carolina occurred in 1995 and LMBV
was detected. In 1998, kills occurred in Alabama, Georgia, South Carolina, Mississippi
and Texas. In 1999, fish kills were reported from Missouri, Arkansas, Mississippi, two
Largemouth Bass Virus
from Texas and two in Louisiana. Arkansas, Oklahoma, Louisiana, Michigan, Illinois,
Wisconsin, Vermont and Indiana all suffered losses from 2000 to 2002. Since then
Virginia, North Carolina, Tennessee and Kentucky all joined the list of states that have
detected LMBV.
DISPERSAL/SPREAD: It seems that LMBV can be transmitted through the water, fish
to fish contact, and by consuming infected prey. Because LMBV can survive in the
water for up to seven days, it can be transferred in the live wells of boats. Other fish
carry the disease so infected but not diseased fish could be stocked and transfer the virus
into new waters. The virus is present in the cutaneous mucus of infected fish which
allows for spread by fish to fish contact.
RISKS/IMPACTS: A disease outbreak of LMBV usually attacks adult largemouth bass
which causes concern among anglers. Anglers are worried that this virus could damage
the fishery at their favorite fishing spot. Usually the number of fish that die from the
disease is relatively low compared to the entire population. Fishing may be poor
following a fish kill but it is thought that there are no long-term effects on largemouth
bass populations. Fish kills only seem to occur during or after stressful situations, so
theoretically a fish could be carrying the virus but feel none of the effects. Much has yet
to be learned about LMBV so precautions should be taken to ensure that this virus does
not spread into new waters.
MANAGEMENT/PREVENTION: There is nothing that can be done to eradicate
LMBV in the wild. What we can do is educate the public on how to prevent the spread of
this virus and ways to minimize its impacts. We also need to learn more about the virus
so we can then turn to finding ways to manage it. You can reduce the likelihood of
spreading this disease if you follow a few simple guidelines.
􀀹 Dispose of all unused bait in the trash or on land, never into the water.
􀀹 Never transfer live fish from one body of water to another.
􀀹 Never discard fish entrails or skeletal parts in a body of water.
􀀹 Rinse any mud and/or debris from equipment and wading gear and drain any
water from boats before leaving the launch area. Remember that LMBV can live
for seven days in water so this step is important.
􀀹 Handle bass gently if you intend to release them.
􀀹 Stage fishing tournaments in cooler weather to reduce stress on caught bass.
􀀹 If you see any dead or dying fish, report your observation to the district fisheries
biologist so that they may be tested for the virus.

Virus-Serum-Toxin Act

2009-08-08T14:38:00.001+07:00

151. Preparation and sale of worthless or harmful products for domestic animals
prohibited; preparation to be in compliance with rules at licensed establishments.
It shall be unlawful for any person, firm or corporation to prepare, sell, barter, or
exchange in the District of Columbia, or in the Territories or in any place under the
jurisdiction of the United States, or to ship or deliver for shipment in or from the United
States, the District of Columbia, any territory of the United States, or any place under the
jurisdiction of the united States, any worthless, contaminated, dangerous, or harmful
virus, serum, toxin, or analogous product intended for use in the treatment of domestic
animals, and no person, firm, or corporation shall prepare, sell, barter, exchange, or ship
as aforesaid any virus, serum, toxin, or analogous product manufactured within the
United States and intended for use in the treatment of domestic animals, unless and until
the said virus, serum, toxin, or analogous product shall have been prepared, under and in
compliance with regulations prescribed by the Secretary of Agriculture, at an
establishment holding an unsuspended and unrevoked license issued by the Secretary of
Agriculture as herein after authorized.
152. Importation regulated and prohibited.
The importation into the United States, without a permit from the Secretary of
Agriculture, of any virus, serum, toxin, or analogous product for use in the treatment of
domestic animals, and the importation of any worthless, contaminated, dangerous, or
harmful virus, serum, toxin, or analogous product for use in the treatment of domestic
animals, are hereby prohibited.
Virus-Serum-Toxin Act 2 of 4
21USC 151-159
153. Inspection of imports; denial of entry and destruction.
The Secretary of Agriculture is hereby authorized to cause the Bureau of Animal Industry
to examine and inspect all viruses, serums, toxins, and analogous products, for use in the
treatment of domestic animals, which are being imported or offered for importation into
the United States, to determine whether such viruses, serums, toxins, and analogous
products are worthless contaminated, dangerous, or harmful, and if it shall appear that
any such virus, serum, toxin, or analogous product, for use in the treatment of domestic
animals, is worthless, contaminated, dangerous, or harmful, the same shall be denied
entry and shall be destroyed or returned at the expense of the owner or importer.
154. Regulations for preparation and sale; licenses.
The Secretary of Agriculture is hereby authorized to make and promulgate from time to
time such rules and regulations as may be necessary to prevent the preparation, sale,
barter, exchange, or shipment as aforesaid of any worthless, contaminated, dangerous, or
harmful virus, serum, toxin, or analogous product for use in the treatment of domestic
animals, or otherwise to carry out this paragraph, and to issue, suspend, and revoke
licenses for the maintenance of establishments for the preparation of viruses, serums,
toxins, and analogous products, for use in the treatment of domestic animals, intended for
sale, barter, exchange, or shipment as aforesaid.
154a. Special licenses for special circumstances; expedited procedure; conditions;
exemptions; criteria.
In order to meet an emergency condition, limited market or local situation, or other
special circumstance (including production solely for intrastate use under a State
program), the Secretary may issue a special license under an expedited procedure on such
conditions as are necessary to assure purity, safety, and a reasonable expectation of
efficacy. The Secretary shall exempt by regulation from the requirement of preparation
pursuant to an unsuspended and unrevoked license any virus, serum, toxin, or analogous
product prepared by any person, firm, or corporation--
(1) solely for administration to animals of such person, firm, or corporation;
(2) solely for administration to animals under a veterinarian-client-patient relationship in
the course of the State licensed professional practice of veterinary medicine by such
person, firm, or corporation; or
(3) solely for distribution within the State of production pursuant to a license granted by
such State under a program determined by the Secretary to meet the criteria under which
the State--
(A) may license virus, serum, toxin, and analogous products and establishments that
produce such products;
(B) may review the purity, safety, potency, and efficacy of such products prior to
licensure;
(C) may review product test results to assure compliance with applicable standards for
purity, safety, and potency prior to release to the market;
(D) may deal effectively with violations of State law regulating virus, serum, toxin, and
analogous products; and
(E) exercises the authority referred to in subclauses (A) through (D) consistent with the
Virus-Serum-Toxin Act 3 of 4
21USC 151-159
intent of this paragraph of prohibiting the preparation, sale, barter, exchange, or shipment
of worthless, contaminated, dangerous, or harmful virus, serum, toxin, or analogous
products.
155. Permits for importation.
The Secretary of Agriculture is hereby authorized to issue permits for the importation
into the United States of viruses, serums, toxins, and analogous products, for use in the
treatment of domestic animals, which are not worthless, contaminated, dangerous, or
harmful.
156. Licenses conditioned on permitting inspection; suspension of licenses.
All licenses issued under authority of this chapter to establishments where such viruses,
serums, toxins, or analogous products are prepared for sale, barter, exchange, or shipment
as aforesaid, shall be issued on condition that the licensee shall permit the inspection of
such establishments and of such products and their preparation; and the Secretary of
Agriculture may suspend or revoke any permit or license issued under authority of said
chapter, after opportunity for hearing has been granted the licensee or importer, when the
Secretary of Agriculture is satisfied that such license or permit is being used to facilitate
or effect the preparation, sale, barter, exchange, or shipment as aforesaid, or the
importation into the United States of any worthless, contaminated, dangerous, or harmful
virus, serum, toxin, or analogous product for use in the treatment of domestic animals.
157. Same; inspection daytime or nighttime.
Any officer, agent, or employee of the Department of Agriculture duly authorized by the
Secretary of Agriculture for the purpose may, at any hour during the daytime or
nighttime, enter and inspect any establishment where any virus, serum, toxin, or
analogous product for use in the treatment of domestic animals is prepared for sale,
barter, exchange, or shipment as aforesaid.
158. Offenses; punishment.
Any person, firm, or corporation who shall violate any of the provisions of this chapter
shall be deemed guilty of a misdemeanor, and shall, upon conviction, be punished by a
fine of not exceeding $1,000 or by imprisonment not exceeding one year, or by both such
fine and imprisonment, in the discretion of the court.
159. Enforcement, penalties applicable. Congressional findings.
The procedures on sections 672, 673, and 674 of this title (relating to detentions, seizures
and condemnations, and injunctions, respectively) shall apply to the enforcement of this
chapter with respect to any product prepared, sold, bartered, exchanged, or shipped in
violation of this chapter or a regulation promulgated under this chapter. The provisions
(including penalties) of section chapter 675 of this title shall apply to the performance of
official duties under this paragraph. Congress finds that (1) the products and activities
that are regulated under this chapter are either in interstate or foreign commerce or
substantially affect such commerce or the free flow thereof and (ii) regulations of the
products and activities as provided in this chapter is necessary to prevent and eliminate
burdens on such commerce and to effectively regulate such commerce.
Virus-Serum-Toxin Act 4 of 4
21USC 151-159
This section is effective on December 23, 1985, except that:
(1) Subject to subparagraphs (2) through (4), in the case of a person, firm or corporation
preparing, selling, bartering, exchanging, or shipping a virus, serum, toxin, or analogous
product during the 12 month period ending on the date of enactment of this Act solely for
intrastate commerce or for exportation, such product shall not after such date of
enactment, as a result of its not having been licensed or produced in a licensed
establishment, be considered in violation of the eighth paragraph of the matter under the
heading BUREAU OF ANIMAL INDUSTRY" of the Act entitled The Virus- Serum-
Toxin Act.
An Act making appropriations for the Department of Agriculture for fiscal year ending
June thirtieth, nineteen hundred and fourteen", approved March 14, 1913 (as amended by
this section), until the 1st day of the 49th month following the date of enactment of this
Act.
(2) The exemption granted by subparagraph (1) may be extended by the Secretary of
Agriculture for a period up to 12 months in an individual case on a showing by a person,
firm, or corporation of good cause and a good faith effort to comply with such eighth
paragraph with due diligence.
(3) The exemption granted by subparagraph (1) must be claimed by the person, firm, or
corporation preparing such product by the 1st day of the 13th month following the date of
enactment of this Act, in the form and manner prescribed by the Secretary, unless the
Secretary grants an extension of the time to claim such exemption in an individual case
for good cause shown.
(4) On the issuance by the Secretary of a license to such person, firm, or corporation for
such product prior to the 1st day of the 49th month following the date of enactment of
this Act, or the end of an extension of the exemption granted by the Secretary, the
exemption granted by subparagraph (1) shall terminate with respect to such product.

Recovering from a Trojan Horse or Virus

2009-08-08T14:34:00.000+07:00

It can happen to anyone. Considering the vast number of viruses and Trojan horses traversing the Internet at any given moment, it’s amazing it doesn’t happen to everyone. Hindsight may dictate that you could have done a better job of protecting yourself, but that does little to help you out of your current predicament. Once you know that your machine is infected with a Trojan Horse or virus (or if your machine is exhibiting unexpected behavior and you suspect that something is wrong), what can you do? If you know what specific malicious program has infected your computer, you can visit one of several antivirus web sites and download a removal tool. Chances are, however, that you will not be able to identify the specific program. Unfortunately your other choices are limited, but the following steps may help save your computer and your files.
1. Call IT support If you have an IT support department at your disposal, notify them immediately and follow their instructions.
2. Disconnect your computer from the Internet Depending on what type of Trojan horse or virus you have, intruders may have access to your personal information and may even be using your computer to attack other computers. You can stop this activity by turning off your Internet connection. The best way to accomplish this is to physically disconnect your cable or phone line, but you can also simply “disable” your network connection.
3. Back up your important files
At this point it is a good idea to take the time to back up your files. If possible, compile all of your photos, documents, Internet favorites, etc., and burn them onto a CD or DVD or save them to some other external storage device. It is vital to note that these files cannot be trusted, since they are still potentially infected. (Actually, it’s good practice to back up your files on a regular basis so that if they do get infected, you might have an uninfected set you can restore.)
4. Scan your machine
Since your computer (including its operating system) may be infected with a malicious program, it is safest to scan the machine from a live CD (or “rescue” CD) rather than a previously installed antivirus program. Many antivirus products provide this functionality. Another alternative is to use a web-based virus removal service, which some antivirus software vendors offer (try searching on “online virus scan”). Or you could just try Microsoft’s web-based PC Protection Scan. The next best action is to install an antivirus program from an uncontaminated source such as a CD-ROM. If you don’t have one, there are many to choose from, but all of them should provide the tools you need.
After you install the software, complete a scan of your machine. The initial scan will hopefully identify the malicious program(s). Ideally, the antivirus program will even offer to remove the malicious files from your computer; follow the advice or instructions you are given. If the antivirus software successfully locates and removes the malicious files, be sure to follow the precautionary steps in Step 7 to prevent another infection. In the unfortunate event that the antivirus software cannot locate or remove the malicious program, you will have to follow Steps 5 and 6.
5. Reinstall your operating system
If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications.
Many computer vendors also offer a rescue partition or disc(s) that will do a factory restore of the system. Check your computer’s user manual to find out whether one of these is provided and how to run it.
Before conducting the reinstall, make a note of all your programs and settings so that you can return your computer to its original condition.
It is vital that you also reinstall your antivirus software and apply any patches that may be available. Consult “Before You Connect a New Computer to the Internet” for further assistance.
6. Restore your files
If you made a backup in Step 3, you can now restore your files. Before placing the files back in directories on your computer, you should scan them with your antivirus software to check them for known viruses.
7. Protect your computer
To prevent future infections, you should take the following precautions:
• Do not open unsolicited attachments in email messages. • Do not follow unsolicited links. • Maintain updated antivirus software. • Use an Internet firewall.
• Secure your web browser. • Keep your system patched.
To ensure that you are doing everything possible to protect your computer and your important information, you may also want to read some of the articles in the Resources section below.
Resources

The types of computer virus

2009-08-08T14:30:00.001+07:00

1. Compiler virus, the virus is already in the executable so that it can compile directly. This is a virus that first appeared in the computer world, and is now experiencing rapid growth. Virs first be liquidated because it is very difficult to be made with low language, assembler. Indeed, this language is suitable to make a virus but it is very difficult to use. The advantage of this virus is capable of doing almost all the manipulation of which this is not always can be done by another type of virus because it is limited.

2. Virus File, is a virus that can take advantage of the file that diijalankan / executed directly. Usually the files *. EXE or *. COM. But it can also menginfeksi files *. SYS, *. drv, *. BIN, *. OVL and *. OVY. This type of virus can move from one media to any type of storage media and spread in a network.

3. Virus System, better known as a Boot virus. Why do so because the virus is utilizing the files used to create a computer system. Often found in the disk / storage space without us. Akan when using a computer (restart), then this virus akan menginfeksi Sector Master Boot and System Boot Sector if the infected floppy in the floppy drive / storage area.

4. Boot Sector Virus, the virus that utilizes the relationship between computers and storage area for the distribution virus.Apabila on the boot sector there is a program that is able to propagate themselves and can live in the memory during computer work, the program can be called a virus. Virus boot sector virus that is two to attack the virus and floppy diskettes and the partition table.

5. Dropper Virus, a program is modified to install a computer virus which is the target of attacks. once installed, the virus will spread Dropper but not spread. Dropper can be a file name such as Readme.exe or through Command.com that become active when the program began. One program can Dropper, there are several types of virus.

6. Virus Script / Batch, this virus was initially popular with the name of the virus batch as the first found in the batch file that is in the script usually DOS.Virus often obtained from the Internet because of the benefits of flexible and can run when we play on the internet, this type of virus usually stay the HTML file (Hype Text Markup Language) is created by using facilities such as script Javascript, VBScript, 4 and combination of the script to enable Active-X programs from Microsoft Internet Explorer.

7. Macro Virus, the virus that is made using the facilities in a modular programming, program applications such as Ms Word, Ms Excel, Corel WordPerfect, and so forth. Although this virus in the application there is a certain danger incurred but not less berbahanya-virus from other viruses.

8. Polymorphic virus, the virus can be said because the virus can intelligently change the structure so that after the difficult task of implementing detected by Antivirus.

9. Stealth virus, the virus uses a jockey, that is, modify the file structure for the program code meyembunyikan added. This code allows this virus can menyembunyika themselves. All other types of viruses also take advantage of this code. Size-the size of the file does not change after the virus menginfeksi file.

10. Companion Virus, the virus of this type of search for *. EXE file to create a *. COM file and copy to put a virus. The reason, run the file *. COM *. EXE file before.

11. Worm, this is a parasitic program that can duplicate for yourself. However, no worm-like virus because the computer program does not menginfeksi other. Therefore, the Worm is not classified to the virus. Mainframe is the type of computer which is often attacked Worm. Spreading through other computers on the network. Worm in the growth of the "genetic mutation" so that in addition to create a new file, it will try to glue themselves to a file, the virus is usually called Hybrid.

12. Hybrid Virus, the virus is a virus that has two abilities can usually go to the boot sector and can also go to the file. An example of this virus is a virus Mystic made in Indonesia.

13. Trojan horse, also called horse TROYA. Trojan Horse does not spread like the others. Therefore, the Trojan Horse virus although not quite the same characteristics. Trojan menginfeksi computer through a file that does not seem dangerous, and usually it seems to do something useful. However, eventually the virus to become dangerous, for example, to format hardisk.

Computer Virus Timeline

2009-08-08T14:10:00.000+07:00

1949: Theories for self-replicating programs are first developed.

1981: Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983: Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”

1986: Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label.

1987: The Lehigh virus, one of the first file viruses, infects command.com files.

1988: One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day.; MacMag and the Scores virus cause the first major Macintosh outbreaks.

1990: Symantec launches Norton AntiVirus, one of the first antivirus programs developed by a large company.

1991: Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.

1992: 1300 viruses are in existence, an increase of 420% from December of 1990.; The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL) is also made available. It is the first actual virus creation kit.

1994: Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line “Good Times.” Though disproved, the hoax resurfaces every six to twelve months.

1995: Word Concept becomes one of the most prevalent viruses in the mid-1990s. It is spread through Microsoft Word documents.

1996: Baza, Laroux (a macro virus), and Staog viruses are the first to infect Windows95 files, Excel, and Linux respectively.

1998: Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.; The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to its name would suggest, the virus is quite destructive, attacking not only files but also a certain chip within infected computers.; Two California teenagers infiltrate and take control of more than 500 military, government, and private sector computer systems.

1999: The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus, infecting an estimated 1 million PCs.; Bubble Boy is the first worm that does not depend on the recipient opening an attachment in order for infection to occur. As soon as the user opens the email, Bubble Boy sets to work.; Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.

2000: The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including MP3, MP2, and .JPG. It also sends usernames and passwords to the virus's author.; W97M.Resume.A, a new variation of the Melissa virus, is determined to be in the wild. The “resume” virus acts much like Melissa, using a Word macro to infect Outlook and spread itself.; The “Stages” virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike most previous viruses, Stages is hidden in an attachment with a false “.txt” extension, making it easier to lure recipients into opening it. Until now, it has generally been safe to assume that text files are safe.; “Distributed denial-of-service” attacks by hackers knock Yahoo, eBay, Amazon, and other high profile web sites offline for several hours.

2001: Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date with as many as five different methods of replicating and infecting systems. The “Anna Kournikova” virus, which mails itself to persons listed in the victim's Microsoft Outlook address book, worries analysts who believe the relatively harmless virus was written with a “tool kit” that would allow even the most inexperienced programmers to create viruses. Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems. Sircam spreads personal documents over the Internet through email. CodeRed attacks vulnerable webpages, and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours. BadTrans is designed to capture passwords and credit card information.

2002: Author of the Melissa virus, David L. Smith, is sentenced to 20 months in federal prison. The LFM-926 virus appears in early January, displaying the message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files. Celebrity named viruses continue with the “Shakira,” “Britney Spears,” and “Jennifer Lopez” viruses emerging. The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products. The Bugbear worm also makes it first appearance in September. It is a complex worm with many methods of infecting systems.

2003: In January the relatively benign “Slammer” (Sapphire) worm becomes the fastest spreading worm to date, infecting 75,000 computers in approximately ten minutes, doubling its numbers every 8.5 seconds in its first minute of infection. The Sobig worm becomes the one of the first to join the spam community. Infected computer systems have the potential to become spam relay points and spamming techniques are used to mass-mail copies of the worm to potential victims.

2004: In January a computer worm, called MyDoom or Novarg, spreads through emails and file-sharing software faster than any previous virus or worm. MyDoom entices email recipients to open an attachment that allows hackers to access the hard drive of the infected computer. The intended goal is a “denial of service attack” on the SCO Group, a company that is suing various groups for using an open-source version of its Unix programming language. SCO offers a $250,000 reward to anyone giving information that leads to the arrest and conviction of the people who wrote the worm.; An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm in May. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different than other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He's suspected of releasing another version of the virus.

2005: March saw the world's first cell phone virus: Commwarrior-A. The virus probably originated in Russia, and it spread via text message. In the final analysis, Commwarrior-A only infected 60 phones, but it raised the specter of many more—and more effective—cell phone viruses.

2008: First discovered in November, the Conficker virus is thought to be the largest computer worm since Slammer of 2003. It's estimated that the worm infected somewhere between nine and 15 million server systems worldwide, including servers in the French Navy, the UK Ministry of Defense, the Norwegian Police, and other large government organizations. Since it's discovery, at least five variants of the virus have been released. Authorities think that the authors of Conficker may be releasing these variants to keep up with efforts to kill the virus.

Update Mac OS X v10.5.8 Leopard

2009-08-08T14:06:00.000+07:00

On the day Thursday (5 / 8) yesterday issued a version of Apple updates Mac OS X v10.5.8 Leopard. As usual Mac OS X updated to improve the stability, compatibility and security of your Mac.

update-copy

In this latest update Mac OS X v10.5.8 include some additional vitur RAW file format support for some type of camera such as Nikon and Canon. Besides the improvement of several functions such as iCal, Bluetooth and Wi-Fi to be more stable.

Here are the features that terrangkum on Mac OS X v10.5.8 (cited KabarIT from Apple):

* Upgrades to Safari version 4.0.2.
* Increase the strength of history in Safari 4.
* Fix a problem in a specific resolution that may not appear in the display pane in System Preferences.
* Dragging an image into APERTURE now invokes an Automator action APERTURE instead of iPhoto incorrectly invoking an action.
* Fix problem transver image file size and video from digital cameras.
* Improve the overall reliability of the device with an external Bluetooth, webcam and USB printer
* Pengalamatan a problem that can cause extended startup time
* Improve reliability with iCal and MobileMe Sync CalDav.
* Pengalamatan data on the iDisk and MobileMe reliability ..
* Improve the reliability of the AFP.
* Improve the reliability of the Managed Client.
* Improve the reliability and compatibility for the Airport connection networks.
* Improve the reliability Sync Service.
* Includes additional RAW image support for several third-party camera.
* Improve compatibility with some USB external hard drive.
* Includes the latest security improvements.

Keyboard Korner tackles computer viruses

2009-08-08T14:04:00.001+07:00

Computer security is a sensitive subject. There are steps you can take to protect your machine.

It's time once again for Keyboard Korner, the computer-advice column that uses simple, "jargon-free" terminology that even an idiot like you can grasp; the column that shows you how to "take command" of your personal computer, if necessary by reducing it to tiny smoking shards with a hatchet.

Today on Keyboard Korner we will address a very important topic: computer security. If you own a computer, or have touched a computer, or have ever shaken hands with somebody who might have touched a computer, you need to take precautionary measures NOW. Because modern cyberspace is not the friendly, open, trusting, safe place it was back in February. Modern cyberspace is a deadly festering swamp, teeming with dangerous programs such as "viruses," "worms," "Trojan horses" and "licensed Microsoft software" that can take over your computer and render it useless.

This is exactly what happened last summer when the "SoBig" virus infected computers around the world, causing millions of computer users to be completely cut off from the Internet during what turned out to be a critical phase in the relationship of Jennifer Lopez and Ben Affleck. Fortunately, most of these computer users were able to resume monitoring the situation by turning on their televisions. But precious minutes were lost.

If you want to prevent a similar tragedy from happening to you, you should immediately take the following steps to protect your computer from viruses:

1. Determine what version of operating system your computer uses, and write this information on a piece of paper. If you don't know how to determine the version, just write down "Version 2.038."

2. Now write down the numbers and expiration dates of all your credit cards.

3. Now mail this information, along with your mother's maiden name, to

WARNING WARNING DELETE DELETE

Whoa! That was a close one! A computer virus just attempted to take over the Keyboard Korner column WHILE YOU WERE READING IT. That's how sophisticated these darned things have become!

And that's why it is so important that you take certain simple, basic steps to protect your computer. To determine what these steps are, Keyboard Korner called the Association of Technical Support Personnel Who Actually Understand Computers, where, after a brief wait, we were connected with a cheerful, knowledgeable and sympathetic recorded message informing us that we would be kept on hold until the sun was a cold dark cinder the size of a walnut.

So we decided to do our own research into computer security, and here's what we learned: There is a Nigerian businessman, Mr. John Ombmwlbmle, who has come into possession of $285 million in cash, and he needs to give 35 percent of it to somebody, and out of all the people on the planet earth, he has chosen Keyboard Korner! All we had to do is send him some banking information and samples of our signature! So pretty soon we will be on "Easy Street" and won't have to write this stupid computer advice column

for you losers, so ha ha ha!

But in the meantime, here are some simple, basic steps that you can take to make your computer secure:

1. GET RID OF TEENAGERS - Teenagers are a major cause of computer trouble, because they think they're so smart, and they're always messing with things and changing things and installing things and swapping songs and downloading disgusting porno filth that they refuse to share with their parents. To prevent this from happening to you, get a good anti-teenager program such as Teen-B-Gone, which causes the computer, when booted up, to play, at full volume, a video of Mr. Barry Manilow singing his rousing hit number "Copacabana." (NOTE: Teen-B-Gone is a complex program; to install and configure it properly, you will need the help of a teenager.)

2. CHECK FOR INCOMING ELECTRICITY - One factor common to many computer viruses is that, in order to function, they require electricity. Get down on your hands and knees and crawl under your desk; do you see a wire going from the computer to the wall? If so, chances are that - unbeknownst to you - this wire is bringing electricity directly into your house from a massive "power grid" that is also connected to prisons, crack houses, municipal sewage facilities, porno filth stores, etc. Yank it out. (The wire, we mean.) Then curl into a fetal position and REMAIN UNDER THE DESK, because there are new computer viruses out there now that can travel through the air and bypass your computer entirely and enter your brain via your dental fillings. Keyboard Korner can feel it happening right now.

What is a computer virus

2009-08-08T14:02:00.000+07:00

Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation.

A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.

Viruses are often spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open e-mail attachments unless you know who it's from and you are expecting it.

Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.

Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.

To help avoid viruses, it's essential that you keep your computer current with the latest updates and antivirus tools, stay informed about recent threats, and that you follow a few basic rules when you surf the Internet, download files, and open attachments.

Once a virus is on your computer, its type or the method it used to get there is not as important as removing it and preventing further infection.

Concerned about worms? See What is a computer worm?

Protect yourself from Conficker

2009-08-08T13:59:00.000+07:00

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

If you are an IT professional, please visit Conficker Worm: Help Protect Windows from Conficker.

Is my computer infected with the Conficker worm?

Probably not. Microsoft released a security update in October 2008 (MS08-067) to protect against Conficker.

If your computer is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don't have the Conficker worm.

If you are still worried about Conficker, follow these steps:

Go to http://update.microsoft.com/microsoftupdate to verify your settings and check for updates.
If you can't access http://update.microsoft.com/microsoftupdate, go to http://safety.live.com and scan your system.
If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.

What does the Conficker worm do?

To date, security researchers have discovered the following variants of the worm in the wild.

Win32/Conficker.A was reported to Microsoft on November 21, 2008.
Win32/Conficker.B was reported to Microsoft on December 29, 2008.
Win32/Conficker.C was reported to Microsoft on February 20, 2009.
Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Win32/Conficker.E was reported to Microsoft on April 8, 2009.

The Conficker worm can also disable important services on your computer.

If you select the first option, the worm executes and can begin to spread itself to other computers.

The option Open folder to view files — Publisher not specified was added by the worm.

How does the Conficker worm work?

Here’s an illustration of how the Conficker worm works.

How do I remove the Conficker worm?

Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?

For additional information, see Centralized Information About the Conficker Worm.
For more technical information about the Conficker worm, see the Microsoft Malware Protection Center Virus Encyclopedia.
Bookmark the Microsoft Malware Protection Center portal and the Microsoft Malware Protection Center blog for updated information.
For symptoms and detailed information about how to remove the Conficker worm, see Help and Support: Virus alert about the Conficker Worm.
To continue to get updated information on security, sign up for the Microsoft Security for Home Computer Users newsletter.

For more information, see How to prevent computer worms and How to remove computer worms.

at videa

Protect yourself from Conficker

On This Page

Is my computer infected with the Conficker worm?

What does the Conficker worm do?

How does the Conficker worm work?

How do I remove the Conficker worm?

Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?

Stop Win32/Conficker from spreading by using Group Policy settings Notes

Create a Group Policy object

AppleScript.THT Trojan Horse New OS X Trojan Horse in the Wild SecureMac Security Advisory

How Computer Viruses Work

Windows virus infects 9m computers

The 10 faces of computer malware

Scam Antivirus App Spreads Malware

Conficker virus activates in a bid to aid cybercriminals

New Service Provides Malware, Virus Protection for Websites

Macro Virus

How it Functions

Prevention

Macro Virus Protection in the Microsoft Office Line

What is MACRO Virus

Removal Tools

Norton AntiVirus 2003 Stay Lightweight For Regular Computer

Tips Ringan Melindungi Komputer dari Virus

Security 101: Look back to advance

Anti-Virus Firms Investigating Sexy-View Smartphone Worm

Conficker Worm Support Desk is Available 24/7 via Toll-free Number 1-800 237-3901

Smart Meter Worm Could Spread Like A Virus

W32/Lovsan.worm.a

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Virus alert about the Win32/Conficker worm

Stop Win32/Conficker from spreading by using Group Policy settings

Create a Group Policy object

Run the Malicious Software Removal tool

Manual steps to remove the Win32/Conficker virus

Services table

Verify that the system is clean

After the environment is fully cleaned

APPLIES TO

The Trojan War

Trojan, Virus, and Worm Information

What is a Trojan Horse Virus?

How to remove a Trojan, Virus, Worm, or other Malware

How good is Microsoft's free antivirus software?

Free Microsoft virus protection

Microsoft to Offer Free Virus Protection Software for Windows

Free virus protection for your home PC

PCMAV (PC MEDIA ANTIVIRUS)

Virus killing Guide

F-Secure Mobile Security ™ for S60

Best Antivirus Software

Ways Overcoming Computer Virus

Norman Virus Control for Marshal8e6

New virus emerges in Malaysia

LARGEMOUTH BASS VIRUS COMMON

Virus-Serum-Toxin Act

Recovering from a Trojan Horse or Virus

The types of computer virus

Computer Virus Timeline

Update Mac OS X v10.5.8 Leopard

Keyboard Korner tackles computer viruses

What is a computer virus

Protect yourself from Conficker

On This Page

Is my computer infected with the Conficker worm?

What does the Conficker worm do?

How does the Conficker worm work?

How do I remove the Conficker worm?