May 01

More effort required

Of late I have been distracted by many many things, a little like a moth erratically swirling around a flame. With luck, updates will soon appear.

 

Jan 15

The connection of two systems

A very robotic way to title a post which contains my wedding speech, but given that this site is primarily for the digital domain, I figured I would try to ease the juxtaposition. Anyway, last year in August I very happily upgraded from Fiancé to Husband and have wanted to put my speech somewhere permanent for my own review and because once it is on the internet, it can never be lost… So here it is.

Well having been terrified of this part of the day for a while, I had hoped that Jess would talk for the entire allocated speech time slot, but it would appear that on this occasion he has let me down.
I would like to thank Jess for his speech and kind words and furthermore I wish to extend my thanks to Jess and Jan for allowing me to ask their daughter to marry me. Casting my mind back I recall that very phone call to this day (I didn’t have the balls to ask face to face) and I was very pleased when they gave me their blessing. We have come a long way since the first time I met them both and although I was later told I had misheard him, I was convinced that Jess had threatened to castrate me within the course of conversation, so I’m glad that our relationship has improved since that day and that in the many years since then they have made me feel a welcome addition to their family.

My wife and I would like to thank you all for sharing today with us. It is very important to both of us that our families and friends have been able to share today with us. We are a little shocked that the sun also made it to Yorkshire today; however, your presence is the most critical part of proceedings.

Very few of you are local to god’s own county and we appreciate that attending a wedding isn’t as easy or cheap as it sounds, so thank you again for being here.

Before I move onto the gushing appraisal of my beautiful wife, I must first offer our thanks to a few individuals who have played a part today;

  • Assuming they haven’t already been drunk, our Wedding Car drivers Doug and Peter, who can now consider themselves off duty, have some extra wine each on the table.
  • My ushers, who have taken responsibility for arranging the collective rabble you are sat amongst and other important background tasks, and my best man, who kept me alive and safe-ish on the stag and who will hopefully show equal compassion in his speech shortly.
  •  Our bridesmaids who have aided Jo throughout the day and ensured she made it to the church.
  • My sisters who each played important roles within the ceremony and have kept my nerves in check throughout the day.
  • My mum who I’d like to thank for being, in my opinion the best mum in the world and as early thanks for hosting an after-show party tomorrow that all are invited to.
  • And finally to Jan aka the Mother-in-law, for the stress she has endured juggling a bride and a bridesmaid’s emotions for months and for crafting the wedding cake which you will all see later and or eat.

I would also like to very quickly thank both our parents for their roles in our lives. People often say to me how lucky we are to have the parents we have, and their appraisal is true but the facts they base this on are somewhat far from the mark. Both our parents have raised us with strong morals and values (tested in my case at times), have supported our goals and hobbies, whether that has been by watching Jo’s performance as a little Jay Bird, standing in the pouring rain watching me play football, teaching or watching us learn how to swim or many of the other fond memories we have of our childhoods. It is this guidance and the activities that we have enjoyed throughout our lives that has largely defined the adults we have become, and it is those adults who share in a love of sport, those same morals and are compatible enough to have had 7 happy years together with plans on many many more. Had we drifted from these guided and trodden paths we would probably not be here and married now. So to each of you I extend my heartfelt thanks, respect and pride.

My final thanks and gratitude is reserved for Jo, who has almost single handedly assembled this wedding and has been absolutely amazing throughout the months that have been spent organising today. There have been ups and downs but she has largely managed the organisation on her own, without some of the stress and trouble that is a constant danger in these circumstances, today has far exceeded my expectations and I am in awe of what she is capable of doing when she puts her mind to a task.

Staying on the theme of my wife, I would like to take a moment to bare my emotional side.

Those who know me well know that although shielded behind a miserable frontage, I do have a softer side and am a big fan of songs which have words that I can identify with. To this end there is a portion of a song called Coder Girl, that I have recently introduced Jo to and one that I will READ to you, which expresses well, some of my thoughts of Jo and leans to my technology focused life. We have sprinkled geeks in amongst you, so you can glean explanations from them on the technical elements later if you wish but I hope the gist of the message will be obvious.

I put it like this so you can understand, she makes me want to update to be a better man
when we compile she is easy to interpret, a cross platform version I can work with
she’s not wrapped in flash, all she wants is a java and a shell to bash
wow she’s a sight to see plus, her smile glimmers just like a ruby does
she can never be sub routine, the high priority process of my machine
sharper than most chicks you know, she’s not another shallow copy I can sudo
its that good type dependancy, I function better with her next to me.

Here ends the song and it is that last line which is one of the main reasons that I am stood in front of you now. As I am led to believe, the best couples compensate for each other’s weaknesses with the other’s strengths. This is true with myself and Jo: she, for example, is a good cook, is able to manage a household, is responsible with finances, can hunt down a bargain online and is driven in her working life. I, on the other hand, am able to take out the recycling & rubbish each week, am well equipped to both load and unload a dishwasher and am the preferred long distance driver.

With a skill-set like that, you can probably already understand why she has agreed to marry me, but for those with slightly loftier wants who are struggling, you can at least benefit from the knowledge of why I wish to marry her, because this is a question that we were asked to discuss at a church meeting we attended many months ago. This question of marriage is something that I think is asked more and more nowadays and many couples do happily live with one another without the need to get married. So, why is it I wanted to marry Jo? I suggested a few options at the time; one of the better received was a desire to be able to refer to Jo as my wife in conversation rather than my partner. I felt that on too many occasions when talking to peers or colleagues the use of partner was met with confirmation that I indeed was gay, as the other person had suspected, and that needed to be addressed. Flippant reasons aside, the honest and most prominent reason for me wanting to marry Jo was then as it is now: that I am proud and honoured to call Jo my wife, and right now and for the many years we have been together, I have wanted nothing more than to spend the rest of my life with her and in time and with luck, to raise a family.

Although not strictly traditional and because I seldom excel in being publicly affectionate, I would like to end my speech today with a huge sense of relief and with a toast to my beautiful wife, the bride.

Jul 07

Phone ‘hacking’ scandal

There is much debate and coverage in the UK press (now spreading worldwide) in relation to a certain British newspaper’s reporters ‘hacking’ into the mobile phone voicemail of celebrities and other newsworthy individuals.

What they have done is without question disgusting. It is a little hypocritical of me, but my opinion is that the access to celebs’ voicemail and the discovery of their affairs or other indiscretions causes me little upset; the access to murder victims’ phones, widows of war casualties and other members of the public who are dealing with loss or grief is abhorrent, and prosecutions are the least that should happen.

What perhaps causes me more annoyance than anything else, though, is the talk of hackers and the hacking of mobile phones. The reason this upsets me is that in my mind this is not hacking: it is typing a default PIN into a voicemail system, and these people are far from the hacking masterminds we are led to believe in.
The other thing that irks me is the distinct lack of any advice, at any point, to the public on how one can protect oneself against the same trick from an ex or any other party that has your phone number. So this is what I am going to do.

How to stay safe

Warning!

Mobile networks ship voicemail with a default PIN. If you haven’t changed your PIN then it is probably listed below. For those who need assurance that these PINs are well known and incredibly basic, here they are;

Vodafone 0000
O2 5555
Orange 1111
T-Mobile 1210
3 0000
Virgin Mobile 1210
Talk Mobile 0000
Mobile World 1210

So, if you are with one of these providers and have not changed the default code, then I, or anyone else whose call you do not answer, can get into your voicemail. So change it, and when you do, pick something that is not another guessable number such as your birth year or the last four digits of your own phone number.

Mar 03

Removal of malware distributed by banner ads on the London Stock Exchange, Autotrader, Vue Cinema and 6 other sites.

Having read a lot about tens of thousands of people being infected with malware, it seems that, as ever, the media has jumped on the virus bandwagon but hasn’t actually told anyone how to remove the virus should they be infected. Helpful? No!

The ‘virus’, or more correctly the exploit, was placed within a banner ad, which then delivered a ‘drive-by download’ of a malicious file. Having done a little digging to try and help an infected friend (his PC, not himself), it seems the payload is the rogue anti-virus program known as System Tool, so the removal process for that is below.

Removal instructions for System Tool using Malwarebytes’ Anti-Malware:

  1. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide, download the files requested in this guide on another computer and then transfer them to the infected computer via a CD/DVD, external drive, or USB flash drive.
  2. Reboot your computer into Safe Mode with Networking, following the Safe Mode instructions for your version of Windows (select Safe Mode with Networking rather than plain Safe Mode). When the computer reboots, log in with the username you normally use. When you are at your Windows desktop, continue with the rest of the steps.
  3. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, we first need to fix this problem so that we can download the utilities we need to remove the infection. Start Internet Explorer, click on the Tools menu and select Internet Options, then click on the Connections tab.
  4. On the Connections tab, click on the LAN Settings button.
  5. In the Local Area Network (LAN) Settings screen, under the Proxy Server section, untick the checkbox labelled “Use a proxy server for your LAN”. Press OK to close this screen, then OK again to close the Internet Options screen. Now that the proxy server is disabled you will be able to browse the web again with Internet Explorer.
  6. Now we must end the processes that belong to System Tool so that it does not interfere with the cleaning procedure. Download RKill to your desktop from the RKill download page (the download page will open in a new tab or browser window). On the download page, click on the Download Now button labelled iExplore.exe and, when prompted where to save it, save it on your desktop. If you are unable to connect to the site, go back and repeat steps 3 to 5 and make sure the infection has not re-enabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download RKill on the infected computer, download it to a clean computer and copy it across via USB flash drive or CD-ROM.
  7. Once it is downloaded, double-click on the iExplore.exe icon to automatically attempt to stop any processes associated with System Tool and other rogue programs. Be patient while the program looks for various malware programs and ends them. When it has finished, the black window will close automatically and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned: this is just a fake warning given by System Tool when it terminates programs that may remove it. If these warnings close RKill, a trick is to leave the warning on the screen and run RKill again; by not closing the warning you typically bypass the malware’s self-protection so that RKill can terminate System Tool. Keep running RKill until the malware is no longer running, then proceed with the rest of the guide. Do not reboot your computer after running RKill, as the malware will start again. If you continue having problems running RKill, the RKill download page offers renamed copies of RKill which you can try instead.
  8. Now download Malwarebytes’ Anti-Malware (MBAM) from the Malwarebytes download page (opens in a new window) and save it to your desktop. If you are unable to connect to the site, go back and repeat steps 3 to 5 and make sure the infection has not re-enabled the proxy settings.
  9. Once downloaded, close all programs and windows on your computer, including this one.
  10. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
  11. When the installation begins, keep following the prompts. Do not make any changes to the default settings and, when the program has finished installing, make sure you leave both “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware” ticked. Then click on the Finish button. If MBAM prompts you to reboot, do not do so.
  12. MBAM will now start automatically and you will see a message stating that you should update the program before performing a scan. As MBAM automatically updates itself after the install, press OK to close that box and you will be at the main program.
  13. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for System Tool related files.
  14. MBAM will now scan your computer for malware. This can take quite a while, so go and do something else and periodically check on the status of the scan.
  15. When the scan is finished a message box will appear; click OK to close it and continue with the System Tool removal process.
  16. You will now be back at the main Scanner screen. Click on the Show Results button.
  17. A screen listing all the malware that the program found will be shown (the infections found on your machine may differ from another machine’s). Click on the Remove Selected button to remove all the listed malware. MBAM will delete the files and registry keys and add them to the program’s quarantine. MBAM may require a reboot in order to remove some of them; if it displays a message stating that it needs to reboot, allow it to do so. Once your computer has rebooted and you are logged in, continue with the rest of the steps.
  18. When MBAM has finished removing the malware, it will open the scan log in Notepad. Review the log as desired, and then close the Notepad window.
  19. You can now exit MBAM.
  20. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Note that if you or your company has added custom entries to your HOSTS file you will need to add them again after restoring the default. In order to protect itself, System Tool changes the permissions of the HOSTS file so you can’t edit or delete it. To fix these permissions, download the hosts-perm.bat batch file and save it to your desktop:

     hosts-perm.bat Download Link

     When the file has finished downloading, double-click on hosts-perm.bat. If Windows asks whether you are sure you want to run it, allow it to run. A small black window will open and then quickly disappear; this is normal and nothing to worry about. You should now be able to access your HOSTS file.
  21. Delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file open in your browser when you click on a link below, right-click on the link and select Save Target As… (Internet Explorer) or Save Link As… (Firefox) to download the file instead.

     Windows XP HOSTS File Download Link
     Windows Vista HOSTS File Download Link
     Windows 7 HOSTS File Download Link

     Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
  22. Now reboot your computer.

 

Nb. Guide has been extracted from http://www.bleepingcomputer.com/virus-removal/remove-system-tool which has more images, file options and goes into the issue a little more deeply. So base information that I have used is all thanks to them.
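As an added example (not part of the guide above or of the bleepingcomputer original), the following Python script checks the two settings System Tool tampers with, the Internet Explorer proxy and the HOSTS file, so you can confirm the fix took and that nothing has re-enabled the proxy. The registry path and HOSTS location are the standard Windows ones; the sample registry values and HOSTS contents are constructed to look like a tampered machine and are used when the script is not run on Windows.

```python
"""Check the Internet Explorer proxy setting and the HOSTS file for the
tampering described in the System Tool removal guide.  Added example, not
the guide's own code.  The check functions take the values as data, so they
run on any platform; read_live_settings() reads the real registry and HOSTS
file only when run on Windows."""
import ipaddress
import sys
from pathlib import Path

# Names a stock Windows HOSTS file may legitimately carry.
BENIGN_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample: what a System Tool-tampered machine might look like.
SAMPLE_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"}
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org    # constructed: security site blocked
203.0.113.7     update.example-av.test  # constructed: site redirected
"""


def proxy_findings(settings):
    """Return a list of reasons the proxy configuration needs attention.
    System Tool sets ProxyEnable=1 with a ProxyServer pointing at itself;
    an AutoConfigURL is only reported so you can confirm it is yours."""
    findings = []
    enabled = str(settings.get("ProxyEnable", 0)).strip() == "1"
    server = str(settings.get("ProxyServer") or "").strip()
    pac = str(settings.get("AutoConfigURL") or "").strip()
    if enabled and server:
        findings.append(f"ProxyEnable=1, ProxyServer={server}")
    if pac:
        findings.append(f"AutoConfigURL={pac} (verify it is one you set)")
    return findings


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_hosts_entries(entries):
    """Entries a default HOSTS file would not contain.  Two patterns matter
    with rogue AV: a public name pinned to loopback (the site is blocked)
    and a public name pinned to some other address (the site is redirected).
    Custom entries you added yourself will show up too; that is intended."""
    findings = []
    for ip, name in entries:
        if name in BENIGN_HOSTNAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        reason = "blocked (pinned to loopback)" if addr.is_loopback else "redirected"
        findings.append((ip, name, reason))
    return findings


def report(settings, hosts_text):
    return {"proxy": proxy_findings(settings),
            "hosts": suspicious_hosts_entries(parse_hosts(hosts_text))}


def read_live_settings():
    """Windows only: the real per-user proxy values and HOSTS contents."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in PROXY_VALUES:
            try:
                settings[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return settings, HOSTS_PATH.read_text(errors="replace")


if __name__ == "__main__":
    live = read_live_settings()
    settings, hosts = live if live else (SAMPLE_SETTINGS, SAMPLE_HOSTS)
    for section, items in report(settings, hosts).items():
        print(f"{section}: {'OK' if not items else items}")
```

Run it once after step 5 (the proxy should report OK) and again after step 21 (the HOSTS section should list only entries you added yourself); anything else reappearing means the malware is still running and RKill needs another pass.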

Feb 24

The telebox tells me Wireless is insecure, how do I stay safe?

Having put a few guides on wireless cracking here, I felt it would be irresponsible, and, given my complaints about the advice disseminated by the media et al, a complete cop-out, not to detail how one can, or indeed must, secure a network to keep the nearest bored teenager (or, if you read the Daily Mail, terrorist, paedophile or homosexual) from accessing it.

So, what to do? Well, to be perfectly honest there are a few genuine protective measures and some that merely provide a false sense of security. First, those that do offer enhanced protection.

  1. Use WPA, not WEP. WEP, or Wired Equivalent Privacy, is really no form of protection at all: its encryption (RC4 keyed with a 24-bit IV) is flawed, and recovering the key from captured traffic is almost easier than typing the password correctly yourself.
  2. When using WPA, use WPA2 if you can. WPA2 replaces TKIP, which still rests on RC4, with AES-CCMP, so it is the better of the two.
  3. Choose a secure passphrase. WPA’s one practical weakness is an offline dictionary attack against a captured handshake, so if your passphrase is in a dictionary it is easy to crack. Choose a reasonably long one with letters, numbers and punctuation; a passphrase can be 8 to 63 characters long (or the raw key can be entered as 64 hexadecimal digits), so use the length available. If you have trouble remembering complex passwords, pick a song lyric like “Iamthe1andonly” or similar, but alter it, since well-known lyrics are in cracking wordlists too. If you wish to be absolutely secure, use the GRC password generator (https://www.grc.com/passwords.htm), which creates random passwords with full entropy. Clearly you can never remember those, but should you keep them somewhere safe, they offer that ‘belt and suspenders’ safe feeling.

Some will say that you should use MAC filtering as well, but honestly MAC addresses travel in the clear in every frame, so once your PC or laptop is connected an attacker can read an allowed address off the air and fake it. WPA is prone to brute-force attacks on the handshake hash, but every guess costs a PBKDF2 run of 4096 HMAC-SHA1 rounds with the SSID mixed in as the salt (so an unusual SSID also defeats precomputed tables); if your passphrase is strong enough, the amount of computing power (really the electrical power required to operate said computers) will be so high that it would take a number of lifetimes to brute force successfully.

Having done all of the above, you now have a network free of nearby third parties and you need only worry about those connecting to your machines via that rotten sod the Internet.
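To make the brute-force point concrete, here is an added Python example (not from the original post) that derives a WPA/WPA2 pre-shared key the way an access point does, runs a toy dictionary attack against it, and estimates how long exhaustive guessing would take. The SSID names, passphrases and wordlist are made up; the guess rate of 100,000 per second is an assumed figure for a single GPU of the era, not a measurement.

```python
"""WPA/WPA2-PSK key derivation and what it means for guessing attacks.
Added example, not from the original post.  The derivation is the one in
IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
"""
import hashlib
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def normalise_key(passphrase_or_hex):
    """Accept what a WPA-PSK access point accepts: an 8 to 63 character
    printable-ASCII passphrase, or the raw 256-bit key as 64 hex digits.
    Returns ('passphrase', str) or ('raw', bytes)."""
    s = passphrase_or_hex
    if len(s) == 64 and all(c in string.hexdigits for c in s):
        return "raw", bytes.fromhex(s)
    if not 8 <= len(s) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in s):
        raise ValueError("passphrase must be printable ASCII")
    return "passphrase", s


def wpa_psk(passphrase, ssid):
    """Hex of the 256-bit pairwise master key both AP and client derive.
    The SSID is the salt, which is why precomputed tables only work for
    common SSIDs and why an odd SSID is worth having."""
    kind, key = normalise_key(passphrase)
    if kind == "raw":
        return key.hex()
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def dictionary_attack(target_psk_hex, ssid, wordlist):
    """Offline guessing.  In a real attack each candidate PSK is verified
    against the MIC in a captured 4-way handshake; here the target PSK
    stands in for that check.  The cost is the same either way: one
    PBKDF2 run of 4096 HMAC-SHA1 rounds per guess, per SSID."""
    for word in wordlist:
        try:
            if wpa_psk(word, ssid) == target_psk_hex:
                return word
        except ValueError:  # too short or non-ASCII: cannot be a WPA passphrase
            continue
    return None


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Expected years to brute force a random passphrase, i.e. to search
    half of the keyspace at the given rate."""
    keyspace = charset_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE"))
    # Constructed wordlist; lyric-style passphrases appear in real lists too.
    target = wpa_psk("Iamthe1andonly", "HomeNet")
    print(dictionary_attack(target, "HomeNet", ["password", "letmein1", "Iamthe1andonly"]))
    # 14 random mixed-case alphanumerics at an assumed 100k guesses/s.
    print(f"{years_to_exhaust(62, 14, 1e5):.3g} years")
```

The dictionary attack finds the lyric immediately, while the estimate for 14 random alphanumerics runs to trillions of years at that rate, which is the whole difference between the two passphrase styles above.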

Feb 24

WEP & WPA cracking made *simples (*Read with a GUI)

As shown elsewhere on this site, you can crack a WEP key with a simple chain of aircrack-ng commands and a little bit of luck. To save all of that effort and memory recall you can now download a wonderful little program called Wifite, a Python-based program that puts a GUI in front of the aircrack-ng suite. Good news, no?

So first off, you need to install it. Fortunately it now lives in the BackTrack 4 repository, so it is pretty easy to install: just apt-get install wifite

Once that is done, simply drill down into the correct folder, cd /pentest/wireless/wifite, and enter python wifite.py; you’ll then see the options GUI.

As you can see, there are a number of very simple and somewhat self explanatory options, assuming you know anything about the aircrack-ng suite and if you don’t I’m not about to spell it out for you.

As said however, the options are;

  • Interface (The network interface which you’re going to base the attack from)
  • Encryption type (The network you are attacking)
  • Channel (The channel you wish to target)
  • Minimum power (The minimum network strength you are willing to accept)
  • Dictionary (The wordlist you will use for cracking WPA)
  • WEP timeout (How Long you are willing to wait for the WEP attack to ‘work’)
  • WPA timeout (How Long you are willing to wait for the WPA attack to ‘work’)
  • WEP options (Which attack do you wish to undertake)
  • Packets per sec (How many packets per second are you willing to accept)
  • h4x0r 1t n40 (Go, but in l33t speak)

Once you have selected your options, you need just click on the super cool button and you will be returned to the Konsole with a message not dissimilar to the one below. You then have the option to wait 30 seconds for the full target scan, or to wait until your item of interest pops up and press Ctrl+C to begin attacking.

Once the 30 (or so) seconds have elapsed a list of targets will appear; wifite will then systematically work its way through the target list and each of the attack types chosen.

As it works, you will get a sense of each attack’s likely success rate. At any time you can press Ctrl+C to stop the current attack; you may then press C to continue, N to try the next attack type or E to give up and go home.

Once a handshake has been captured, wifite saves the capture file in its hs folder and begins an automatic attempt to crack the key. WEP is simple enough that I would let wifite handle it; WPA handshakes, however, can be run through smarter and faster mechanisms (GPU-accelerated crackers) than wifite’s own dictionary pass.
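wifite’s Encryption, Channel and Minimum power options are filters over what airodump-ng sees. The Python below is an added example (not wifite’s code) that applies the same filters by hand to airodump-ng’s CSV output (the prefix-01.csv file written by airodump-ng -w prefix), which is handy when you want to pick a target yourself before handing it to aircrack-ng. The CSV content is constructed with fake addresses; treating minimum power as a dBm threshold is this example’s choice and may not match wifite’s own scale.

```python
"""Pick wireless targets from airodump-ng CSV output the way wifite's
Encryption / Channel / Minimum power options do.  Added example, not
wifite's code.  SAMPLE_CSV is constructed; addresses and ESSIDs are fake."""
import csv
import io

SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2011-02-24 10:00:01, 2011-02-24 10:00:31,  6,  54, WEP , WEP, , -48,       20,      130,   0.  0.  0.  0,   7, OldHome, 
00:11:22:33:44:02, 2011-02-24 10:00:02, 2011-02-24 10:00:31, 11,  54, WPA2, CCMP, PSK, -61,       18,        0,   0.  0.  0.  0,   9, NextDoor1, 
00:11:22:33:44:03, 2011-02-24 10:00:05, 2011-02-24 10:00:30,  1,  54, WPA , TKIP, PSK, -84,        4,        0,   0.  0.  0.  0,   9, FarAway42, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2011-02-24 10:00:03, 2011-02-24 10:00:29, -52,       11, 00:11:22:33:44:02, NextDoor1
"""


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts.  The file has an
    AP section headed 'BSSID' and a client section headed 'Station MAC';
    column positions are airodump-ng's fixed ones."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(cell.strip() for cell in row):
            continue
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        row = [cell.strip() for cell in row]
        if section == "ap":
            aps.append({"bssid": row[0], "channel": int(row[3]),
                        "privacy": row[5], "cipher": row[6], "auth": row[7],
                        "power": int(row[8]), "ivs": int(row[10]),
                        "essid": row[13]})
        elif section == "sta":
            stations.append({"mac": row[0], "power": int(row[3]),
                             "bssid": row[5], "probes": row[6:]})
    return aps, stations


def select_targets(aps, encryption=None, channel=None, min_power_dbm=None):
    """Apply wifite-style filters.  `encryption` is 'WEP', 'WPA' or 'WPA2';
    airodump's Privacy column is a space separated set such as 'WPA2 WPA',
    so it is matched on tokens.  Power is dBm (-48 is stronger than -84);
    airodump reports -1 when it cannot measure, which is kept as unknown.
    Strongest signal first."""
    chosen = []
    for ap in aps:
        if encryption and encryption not in ap["privacy"].split():
            continue
        if channel and ap["channel"] != channel:
            continue
        if (min_power_dbm is not None and ap["power"] != -1
                and ap["power"] < min_power_dbm):
            continue
        chosen.append(ap)
    return sorted(chosen, key=lambda ap: ap["power"], reverse=True)


def clients_of(stations, bssid):
    """Stations associated with an AP.  A WPA handshake capture needs at
    least one, because that is who gets deauthenticated to force it."""
    return [s for s in stations if s["bssid"].lower() == bssid.lower()]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in select_targets(aps, min_power_dbm=-70):
        clients = clients_of(stations, ap["bssid"])
        print(f"{ap['essid']:<12} ch{ap['channel']:<3} {ap['privacy']:<5} "
              f"{ap['power']} dBm  ivs={ap['ivs']}  clients={len(clients)}")
```

With the sample data the WPA network on channel 1 drops out under a -70 dBm minimum, exactly the case where a WPA attack would waste time: no client to deauthenticate and a signal too weak to capture the handshake cleanly.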

Feb 24

Installing Dropbox on BackTrack 4

OK, first off go and get the Ubuntu .deb installation package from their site, dropbox.com

Then within BackTrack open a Konsole and type apt-get install libnautilus-extension1 This installs the required Nautilus dependency.

Having installed that, go to the location of your download and simply type dpkg -i xxx.deb (where xxx is the filename)

Once that has whirred through and you are back at a Konsole prompt, type dropbox start -i to install the daemon; this will open the Dropbox installation window.

Click on OK, a download will then begin… You will then be taken to a Dropbox splashscreen which will ask whether you have an existing account, progress through here as common sense dictates.

And voila! Dropbox is installed.

If you wish to stick with Konsole commands, they are as follows.

Feb 22

Back on Backtrack

It has been a while since I have learned or toyed with learning anything that warrants inclusion here, but of late my interest has been caught by a few tools within BackTrack 4 RC2. These include a GUI for aircrack-ng, a GPU (CUDA) enhanced passphrase brute-force tool, a chap who has generated every possible BTHomeHub V1 WPA key, a tool called Crunch which lets you create your own wordlists using custom parameters, a hash cracker called coWPAtty and finally a GUI for Metasploit called Armitage.

Need to gather my screen dumps and make sense of the salient detail to dump here. More to follow shortly…

Jun 02

Getting inside the Amstrad drx895 / 1tb Sky+ HD box

It has been a while since I have done or learnt anything worthy of publication, but last night I took it upon myself to figure out how to access the internals of my new 1TB Sky HD box and, since there seem to be no other guides, I figured I would stick my neck out.

So, why did I risk voiding my warranty and bricking the brand new box? So that I could transfer all of my old recorded programmes from the last box onto the new one. Not mission critical, but I had a lot of recordings that I still needed to work my way through. I’ll put some guidance on those steps up as well, but I would suggest following the FAQs on the Copy+ page.

Required tools

  • A standard electrical screwdriver
  • A 2mm / 3mm flat head screwdriver
  • Standard flat pliers

Gaining access

Turn the Sky box upside down, ensuring you place the nice new glossy topside on something that isn’t going to snag or scratch it.

Remove the two plastic ‘grills’ on either end. They should just pop off with a light outwards tug. The second photo shows the simple plastic clips that hold them in place.

Pull towards you to remove.

See simple plastic 'retaining clips'

Having removed the side grills, there are four screws which need to be removed from the base of the device and one from the rear, just above and to the left of the HDMI port.

Remove four encircled screws.

Again from the underside of the box, lift the retaining clasp and ease the outer box forwards. BE CAREFUL TO KEEP IT LEVEL: any twisting may damage the LEDs or buttons on the front of the device.

Carefully lift clip with a flathead screw driver and ease outer box forwards

You can now remove the remaining side pieces of black plastic, which will probably have fallen off on their own, but are again pushed towards the front of the box to release the ‘L’ retaining clip from the metal case body.

The last piece of the plastic outer body to remove

You should now have only the metal innards of the box, which you can turn the right way up. CAREFULLY remove the ribbon cable from the front connector, to the left of the middle black piece.

Carefully remove from retaining port.

If you now look at the box from above you will see four twisted metal retaining clasps, with a set of pliers delicately twist these straight.

Twist each of the encircled items straight with pliers.

You should now be able to lift the lid from the front, gently pivoting it at the rear, before lifting up completely to reveal the compact and surprisingly well organised innards.

The insides that are revealed.

You can now access the SATA port and power for the hard drive in the bottom right hand corner. If using something like Copy +, I would suggest removing these items and connecting new cables from your PC, rather than trying to remove the hard disk (Surely you don’t need more than 1tb anyway….?)

Feb 22

Zeus may be old, but he isn’t afraid of change

I should really lay my cards on the table at the start of this item. I do not know that this is Zeus; it is currently a working assumption, based on a number of similarities between this new sample and other Zeus samples I have seen.

So first off, what is the same?

  • It changes the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, appending an executable with a changing name to the value data so that it runs at every boot of the system. In my most recent infection it changed the value data to C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe
  • It loads the executable and hides it from view using rootkit techniques.
  • It conducts HTML injection attacks.
  • It is capable of MitB / MitM attacks.
  • It targets banking credentials and more than likely other login details, such as PayPal & Facebook.

What is new?

  • The malware no longer uses the static executable name sdra64.exe. Instead it chooses a pseudo-random name at install: I have seen msrwez32.exe, msjrtr32.exe and msicjg32.exe, so it would appear a format of msXXXX32.exe is used.
  • There is no creation of a c:\windows\system32\lowsec folder, so stolen data and configuration detail are stored somewhere other than usual. The configuration would appear to arrive as a jpg that can be seen coming in with a packet capture; the file is normally at the C&C domain under /images/arrowred.jpg. I have not been able to obtain this file, or indeed find anything that could even attempt to decrypt it, but I am informed that config details are held within it.
  • As with most botnet malware, the process grabs its configuration from command & control servers. To the best of my ability I believe these to be http://216.119.129.14 and http://209.172.59.132. With luck these will be offline soon. I have since seen that the config files hold a list of possible C&Cs and the malware moves on as quickly as they are taken offline. Those who need to know of them do, and I do not propose to begin retaining a list here.

Antivirus detection rates (20 of the 40 engines below flagged the sample; the Zbot alias given by AntiVir, Comodo and Kaspersky is in line with the Zeus assumption):

Product – Version – Update – Virus alias
a-squared – 4.5.0.50 – 2010.02.22 – Worm.Win32.Pushbot!IK
AhnLab-V3 – 5.0.0.2 – 2010.02.22 – not detected
AntiVir – 8.2.1.172 – 2010.02.22 – TR/Spy.ZBot.afdw
Antiy-AVL – 2.0.3.7 – 2010.02.22 – not detected
Authentium – 5.2.0.5 – 2010.02.22 – not detected
Avast – 4.8.1351.0 – 2010.02.22 – Win32:EggDrop-CG
AVG – 9.0.0.730 – 2010.02.22 – not detected
BitDefender – 7.2 – 2010.02.22 – Trojan.Generic.3193268
CAT-QuickHeal – 10.00 – 2010.02.22 – not detected
ClamAV – 0.96.0.0-git – 2010.02.22 – Trojan.EggDrop-121
Comodo – 4026 – 2010.02.22 – TrojWare.Win32.Spy.Zbot.afdw
DrWeb – 5.0.1.12222 – 2010.02.22 – Trojan.DownLoad.35735
eSafe – 7.0.17.0 – 2010.02.22 – Win32.EggDrop
eTrust-Vet – 35.2.7318 – 2010.02.22 – not detected
F-Prot – 4.5.1.85 – 2010.02.22 – not detected
F-Secure – 9.0.15370.0 – 2010.02.22 – Trojan.Generic.3193268
Fortinet – 4.0.14.0 – 2010.02.21 – not detected
GData – 19 – 2010.02.22 – Trojan.Generic.3193268
Ikarus – T3.1.1.80.0 – 2010.02.22 – Worm.Win32.Pushbot
Jiangmin – 13.0.900 – 2010.02.22 – not detected
K7AntiVirus – 7.10.980 – 2010.02.22 – not detected
Kaspersky – 7.0.0.125 – 2010.02.22 – Trojan-Spy.Win32.Zbot.afdw
McAfee – 5900 – 2010.02.22 – not detected
McAfee+Artemis – 5900 – 2010.02.22 – Artemis!1B0138229529
McAfee-GW-Edition – 6.8.5 – 2010.02.22 – Heuristic.LooksLike.Trojan.Agent.B
Microsoft – 1.5406 – 2010.02.22 – not detected
NOD32 – 4888 – 2010.02.22 – probably a variant of Win32/Injector.AXM
Norman – 6.04.08 – 2010.02.22 – not detected
nProtect – 2009.1.8.0 – 2010.02.22 – not detected
Panda – 10.0.2.2 – 2010.02.22 – Trj/CI.A
PCTools – 7.0.3.5 – 2010.02.22 – not detected
Prevx – 3.0 – 2010.02.22 – High Risk Cloaked Malware
Rising – 22.34.01.03 – 2010.02.11 – not detected
Sophos – 4.50.0 – 2010.02.22 – Mal/Resdro-A
Sunbelt – 5692 – 2010.02.22 – Trojan.Win32.Generic!BT
Symantec – 20091.2.0.41 – 2010.02.22 – Suspicious.Insight
TheHacker – 6.5.1.6.205 – 2010.02.22 – not detected
TrendMicro – 9.120.0.1004 – 2010.02.22 – not detected
VBA32 – 3.12.12.2 – 2010.02.22 – not detected
ViRobot – 2010.2.22.2196 – 2010.02.22 – not detected

Removal

I am not yet confident in the exact way in which this malware functions, so I am not confident that the below is an absolute removal process. It does however appear to resolve the issue, so it is better than nothing. As soon as I learn more, I will be sure to update. Because this family exists to steal credentials, change your banking and other passwords from a known-clean machine once it is gone, and consider a full reinstall if the PC is used for anything financial.

  • Open regedit (normally via Start > Run) and drill down to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Note the value data of the Userinit string.
  • You will need to kill a thread, injected into winlogon.exe, which keeps re-writing the malicious entry into the Userinit value; simply deleting the malicious value data is not enough, as it is put straight back.
  • Download and run Process Explorer (Sysinternals) from the Microsoft TechNet website.
  • From the View menu, ensure Show Lower Pane is enabled.
  • From the Find menu, select Find Handle or DLL… and search for the executable name found in the Userinit value data (msXXXX32.exe).
  • This should find and select the executable in the lower pane. In the top pane, locate and double-click winlogon.exe.
  • In the new window select the Threads tab (this sometimes produces an error, which can just be clicked past).
  • Once the threads are displayed, sort by CSwitch Delta. There will be one thread which shows as constantly active (it always holds a numeric value).
  • Once this thread is identified, highlight it and click Kill at the bottom right.
  • Exit Process Explorer, reopen regedit and drill down to Winlogon\Userinit. Delete the malicious executable from the Userinit value data, leaving C:\WINDOWS\system32\userinit.exe, in place.
  • Restart the PC.
  • This should have stopped the malware loading at boot, allowing you to locate the executable within C:\windows\system32\ and purge it from the system.
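The following Python is an added example (not from the original post) that turns the first two steps above into a check: it parses the Userinit value, reports anything other than the real userinit.exe, and flags names matching the msXXXX32.exe pattern observed on this page (a heuristic built from three samples, nothing more). On Windows it reads the live value with winreg; elsewhere it runs against the infected value quoted above. It only reads the registry; the thread kill and the deletion are still done by hand as described.

```python
"""Inspect the Winlogon Userinit value for the persistence described above.
Added example, not from the original post.  ZEUS_NAME_RE is a heuristic
derived from the three names seen on this page (msrwez32, msjrtr32,
msicjg32); sdra64.exe is the older static name the post mentions."""
import os
import re
import sys

ZEUS_NAME_RE = re.compile(r"^ms[a-z]{4}32\.exe$", re.IGNORECASE)
LEGACY_ZEUS_NAMES = {"sdra64.exe"}

# The value quoted in the post for the most recent infection.
INFECTED_SAMPLE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe"


def parse_userinit(value):
    """Split the comma separated Userinit data into non-empty entries.
    A clean value is 'C:\\WINDOWS\\system32\\userinit.exe,' (one entry)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_entries(value, windir=r"C:\WINDOWS"):
    """Everything in Userinit other than the real userinit.exe.  Windows
    runs each listed program at logon, so any extra entry is a finding."""
    expected = (windir + r"\system32\userinit.exe").lower()
    return [e for e in parse_userinit(value) if e.strip('"').lower() != expected]


def looks_like_zeus(entry):
    """Heuristic on the file name only: msXXXX32.exe or the old sdra64.exe."""
    name = entry.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return bool(ZEUS_NAME_RE.match(name)) or name in LEGACY_ZEUS_NAMES


def assess_userinit(value, windir=r"C:\WINDOWS"):
    """Summarise the value: is it clean, what is extra, which extras match
    the naming pattern, and what the value should be restored to."""
    extras = unexpected_entries(value, windir)
    return {
        "clean": not extras,
        "extra": extras,
        "zeus_like": [e for e in extras if looks_like_zeus(e)],
        "cleaned_value": windir + r"\system32\userinit.exe,",
    }


def read_live_userinit():
    """Windows only: the real HKLM Winlogon\\Userinit value, else None."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    live = read_live_userinit()
    value = live if live is not None else INFECTED_SAMPLE
    result = assess_userinit(value, windir)
    print("Userinit =", value)
    if result["clean"]:
        print("clean")
    else:
        print("extra entries:", result["extra"])
        print("Zeus-style names:", result["zeus_like"])
        print("after killing the injected thread, set Userinit to:",
              result["cleaned_value"])
```

Run it again after the reboot in the steps above: if the extra entry is back, the injected thread survived and the Process Explorer step needs repeating before the registry edit will stick.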
