Saturday, December 30, 2006

Blogger's Clog - Writer's block



What do you call it when a blogger stops posting for a long time ? Just like writer's block, maybe you want to call it Blogger's Clog ?

Why does it happen ? Do thoughts become clogged up in the blogger's mind ? Does it really matter ?


Is it possible to just run out of ideas ? To try to post something after exams are over and find that you don't have anything to say ?

To type one line that is not a question ?

Monday, October 23, 2006

Yahoo Messenger nsl-school virus - De vile Messenger




If your computer is infected , this is what you do


  1. Download the file http://www.fundazone.com/antivirus/registry/registry-enable-regedit.reg
  2. Copy these instructions to notepad or word or note it down. Close Internet Explorer ( and Yahoo messenger) . Double click the .reg file and click yes when it asks whether you want to merge the file to the registry. This will enable the regedit and task manager tools and restore your home page and other settings.
  3. Then restart the computer
  4. After restarting Press Ctrl + Alt + Del . Click Processes.
    End the process svhost32.exe . ( there may be more than one such process running )
  5. Start> Search > Files and folders. Search for svhost32.exe , svhost.exe and enet.exe
  6. Delete the files found.
  7. Restart for good luck.
Use firefox http://www.fundazone.com/software/firefox/
Firefox is a fast and nice browser with tabs and RSS feeds and cool stuff.


So, the story behind this post ? Once again, another virus spread in all the computers here.
This time, it was a virus using Yahoo Messenger (tm) or MSN Messenger to spread itself. (The previous one I wrote about was using a popular social networking site - www.orkut.com .) Now this one uses a chat program, Yahoo Messenger (chatting, file sharing, photo album sharing, video conferencing (I even used it for webcasting !), and much more).

Now, how do you know that your computer (or your friends') has this virus ??

It sends out messages like

(Don't try any of these links !!!)

  • damn, she is so cute http://nsl-school.org?id=miss_world
  • oh my god , i've won a 20000 usd lottery http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !!
  • Just check out my new personal website : http://mytermex.com c0ol !!!
  • check this link for me : http://nsl-school.org?id=forum . Why I cannot surf this site ???

And when you click on these links, it installs the virus in your computer too.



Here's what Suresh Kumar says. ( forums.sureshkumar.net/showthread.php?t=7790 )

I've copied it here for you.

If you are infected with it what is going to happen ?

1: It sets your default IE page to nsl-school.org, you can’t even change it back to another page. If you open IE on your comp, some malicious code will automatically be executed on your computer.

2: It will disable the Task manager / reg edit. So you can’t kill the Trojan process anymore.

3: Files that are gonna be installed by this virus are svhost.exe , svhost32.exe , internat.exe.

you can find these files in windows/ & temp/ directories.

4: It will send the secured & protected information to the attacker

How to remove this manually from your computer ?

1: Close the IE browser.

(IE - Internet Explorer. First copy this article into MS Word or Notepad or something )

Log out messenger / Remove Internet Cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE though regedit. ( regedit is very dangerous if you randomly change stuff in it or delete important setting, so be careful - or make a backup before editing (file -> Export) )

Start>Run>Regedit

From the below locations in Regedit change your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( there may be more than one such process running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

( Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs), meaning there is an original svchost.exe (with a "c") that is part of Windows - do not delete that one - http://support.microsoft.com/kb/314056 )

7: Go to regedit search for svhost and delete all the results you get. ( Be careful )

Start menu > Run > Regedit >

8: Restart the computer. That’s it now you are virus free.


I don’t know whether there is any removal patch that works for this Trojan/virus. But we can easily delete it manually.


And - use Firefox or something ! Most viruses are written for Internet Explorer ...

Don't open these URLs !!!
Possible Domains Owned by the Developer of this Trojan
http://www.nsl-school.org
http://www.giftshop.vn
http://www.myglobal-news.com
http://www.italiandirectory.com

You can block these URLs in your browser's Security settings.
A good idea for places where many users will use the same computer and inadvertently click the link.

In Internet Explorer , Tools -> Internet Options -> Security -> Restricted Sites -> Sites

Add the above sites in the list !!!

Ah, the tragedy called viruses ...



Monday, October 02, 2006

The Magic Tap

(picture: magictap.JPG)


Have you seen a magic tap earlier ?

One that seems to perpetually give water from itself even though it is not connected to any water pipe ?

Take a close look at the picture. It is not a camera trick. Or a computer trick.

Speaking of computer tricks, nowadays, with a good photo editing software (By the way, Google has a good photo organizing software called Picasa, it is there somewhere on my blog sidebar - good to fix up the colours and brightness and contrast and stuff on photos - automatically too) you can make any sort of unbelievable picture.

Now, about the magic tap, this picture is of a big tap in the middle of a traffic island on the road. I have seen one in a science museum (in Bangalore) which is a normal size tap and I wondered for quite some time how it was done.

The water tap seems to be pouring out water continuously. But where is the water coming from ? There is no other connection to the tap which can carry water. And in the museum tap , the tap was hanging by thin ropes. So that was not a way to let in water either.

But before you go on to theories of spontaneous generation, look at what can be seen . . .

What ? A single place through which water flows. Hmmm ... Heard of co axial tubes or wires ?

Well, that is when one tube is placed inside another. So, if a tube containing water going up is placed inside the stream of water going down, the problem is solved !

So that's how it works. The trick was right in front of our eyes, but we didn't see it in the beginning . The eyes do not see what the mind does not know . . .

Thursday, September 28, 2006

Bend it like Betty




More about the clever crow ...

Did u think you were smart ? That you are the cleverest, most intelligent species on the planet ???

Well, think again before you call someone a birdbrain. Even though a bird's brain is much smaller compared to a human brain, a young pigeon can recognise patterns and do some basic counting (not exactly counting, but they have some idea about numbers) and that is more than a 3 year old human kid can do !!!

Now about the crow in the picture - She is Betty. Betty Crow if you like (Like Sheryl Crow) (I mean not if U like Sheryl Crow, but similar to Sheryl Crow ... did u get the point ? - I guess not , anyway don't read these stuff in the brackets - they make your head hurt (Actually these type of brackets are called parenthesis - see, I told u your head will hurt)) Did I close all the brackets ?? - I hope so - anyway back to Betty.


Well, Betty here proved that she was no bird brain - she used her tiny brain to make tools - a hook !!! Using metal wire .

Just check out this video !

Betty the tool making crow (http://www.sciencemag.org/feature/data/crow/weirmovie.mov)
Another link to a video (http://users.ox.ac.uk/~kgroup/trial7_web.mov)


Also these websites about Betty !!

Bend it like Betty - not like Beckham !

http://www.newscientist.com/article.ns?id=dn2651

http://users.ox.ac.uk/~kgroup/tools/crow_photos.shtml
Betty on CNN (http://archives.cnn.com/2002/WORLD/europe/08/09/crow.betty/index.html)
http://www.hinduonnet.com/seta/2002/08/29/stories/2002082900070200.htm
http://www.earthsky.org/shows/edgeofdiscovery_profiles.php?id=48564
Betty and Abel (http://www.anomalies-unlimited.com/Science/Betty.html)
http://www.sciencemag.org/feature/data/crow/
http://news.nationalgeographic.com/news/2002/08/0808_020808_crow.html

Monday, September 25, 2006

That's the way the crow flies

(picture: crow.jpg)




One of the cleverest (or should I say cunning ) birds in the whole wide world (www in short) is the Common Crow ! I suppose all of you have read the story of the clever crow and the pot of water. The water level was too low, so the crow dropped stones in the pot till the water rose and he/she could drink it.



Read this article from an Indian newspaper

The remarkable talent of a crow has challenged the chimpanzee's fame as the most proficient toolmaker in the animal world. A crow can make a hook from an ordinary piece of wire. Crows make and use a range of tools including hooks, which they use to extract food from cracks and crevices. But the crow has now shown that it can design and manufacture a tool from materials with which it has no previous experience.

These skills came to light when two crows were given a choice between a straight wire and a hook to extract a bucket of food from the bottom of a plastic pipe. When the male bird made off with the hook, the female bent the tip of the straight wire to make a replacement. To bend the wire, the crows sometimes hold it in their feet, then pull the tip with the beak.

Crows make hooks from twigs and leaves and generally do not get materials like wires that bend and retain their shape. The bird's ability to make the right tool for the job from unfamiliar materials suggests that crows have some understanding of the properties of the material and what might be achieved with a hook.

Crows seem to have acquired a grip on basic physics and engineering. They have learned that they need to drop walnuts with thicker shells from greater heights in order to break them open. They seem to know that nuts dropped on asphalt and concrete surfaces need not be dropped from a great height, but if the crow is flying above soft earth, it will fly higher before dropping the nut.

Possibly then, the old story of the crow and the pot of water may well be true.

Saturday, September 23, 2006

Me, myself and IE ( Internet Explorer 7 and 6 too )


Well, those who have been reading my posts (or atleast the post Funda's Own Zone - FundaZone http://johndasfundas.blogspot.com/2006/08/fundas-own-zone.html ), will know that I'm building a website of puzzles at www.fundazone.com

As I wanted to be a nice webmaster, I tested my pages on various browsers - and what did I find ???

Well, for one : this blog's previous template would come properly on Mozilla Firefox but in Internet Explorer, the sidebar would go down ! ( Or was it that the sidebar stays there but the posts go down - I don't remember exactly )

So, I edited the template to change the page structure. I changed a few numbers here and there and finally, I refreshed the page in IE. I don't remember how many attempts I made, but finally I made the sidebar come up (or the posts - whichever it was). And all this time, Mozilla Firefox displayed my blog perfectly.




"Eureka !" , I shouted. Actually I didn't. I was in a library and shouting is not a good habit in a library. Therefore, I shouted it in my mind I guess.

But .... when I scrolled down , ......


.


. .


. . .

. . . . .

. . . . . . . .


. . . . . . . . . . . . .


Scrolled enough ....

And saw that

There were huge ugly white spaces in between the posts section and sidebar section !!!



And, sad to say, Mozilla Firefox showed the whitespaces too ... All because of IE !

Note that this was the currently most used version of IE (IE6)

For days, I left my blog like that - whitespace and all (because I was very busy with offline work - means work in the non-virtual world aka real world)

When I came back, I set to work on the template.

Realizing that I didn't have time to figure out why the mysterious white matter ( as opposed to dark matter - that is really not very mysterious ) appeared in the page, I changed the template.

Changed the template !!!

Please note that you have to make a backup of the template when you change the template.
i.e. (IE again ha ha ha - means "that is") go to edit template, copy everything that you see in the textarea, paste it into a text file on your computer and save it (obviously), because changing the template means all the customisations will be lost - all those sidebar thingies and stuff. Later u can find those bits of code and copy-paste them into the new template.

And so I did change my template.

More on firefox vs IE later ... (about IE 7 and how it messed up my forums on www.fundazone.com )


Go firefox go ! (I mean come firefox come !!!)

Download Mozilla Firefox browser from the link on this page ( I think it's there somewhere on the sidebar )

Late … almost …





He gobbled down the food – like one who has never seen it before. He had to hurry … It was time… With one eye on the watch – he saw the seconds blinking away (ticking is for non-digital watches- hah a retronym) Washing down the food with a glass of water, he ran … Within seconds he was on the open road – looking for something… Still running – but eyes searching … He knew that he had to be fast – only during a small stretch of the long road could he really hope to find what he was looking for.

He heard various vehicle sounds – each time his eyes located the sound maker to note that this was not what he wished for. The road was almost ended – if it did, then he was alone … That’s when he heard it.. his ears pricked up to locate the sound and eyes darted to it – Yeah ! Exactly what he wanted ! He reduced his pace to almost a stop and then jumped on as his target came close. “Thanks da !” , he shouted in relief, as the vehicle sped on to the class…

Thank you all my buddies who give me a lift to class when I'm late (",)

Tuesday, September 19, 2006

Why should we walk on the right side of a path ?




What I'm talking about here is NOT why we should walk on the right path - what I try to explain here is why it is a better idea to walk on the right side of a road or street in a country like India. Rather than on the left.

The explanation is like this. In India, the vehicles have to go on the left side of the road - one of the customs the Britishers left behind for us when they finally let go of their prized empire.

Also, people have to walk on the road in many places because there is no space left for any footpath. Even if there was a footpath, it would be broken down with no slabs left. That is really dangerous because the footpaths are actually slabs covering the roadside drains - and there have been several instances of people falling into the drains through the missing footpaths.

Now, even if there was a good footpath, roadside hawkers and illegal shops would be set up there and there would be no space left for pedestrians . . .

So finally, the point is - U have to walk on the road - u have no choice.

And now that we are on the path - which side of it should we walk on ?

Now - take the left side . . . What if we walk on the left side ?

Imagine a speeding car - no, no noise (seen the latest car ads - these cars make no noise at all ) - Which way does it come if you are on the left side ?

From behind ! A silent speeding car may come up from behind and hit you ! And there will be nothing left of you ! Surely u don't want that to happen !

So which side is left ? The right side . So imagine u are walking on the right side. A silent speeding car comes. Which side ?

From in front of u ! U can see the car from afar and there is enough time left to jump to your right into safety.

So that is why u should be on the right side of the path .

Friday, August 18, 2006

FunDa's Own Zone

Finally , I bought a web domain name http://www.fundazone.com


I had wanted to buy a domain for a long time, but I kept putting it off, saying "Why ?"
Then I thought "Why not ?"


Especially after the strange incident where the Indian government blocked blogspot ( and typepad and other websites too) in a hasty decision to block communication between militants.


If I had my own site, then there would be no problem of that sort (unless of course I am a militant [;)] )

So finally, here it is : FunDa's Own FunDaZone.com

Monday, July 17, 2006

The virus evolves !!!

(picture: anim3sm.gif)

The virus has evolved - just like a biological virus !!!
This is the latest scrap that I saw :

Oieee, all joia? I came here to deliver to a virtual card pra vc!

CLIQUE no link para ler seu cartão!!!

http://(suspicious link)


(Scrapped user's name - wow ! clever !)
Leia seu cartão e aproveite para saber como ganhar um MP3 player.

Tudo de Bom...



Still working out what this is and how to eliminate it ...

More later ... Follow the instructions on my previous posts for removing the virus.

How to remove the Orcu virus ...

REMOVAL


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.
  5. Restore the security settings in Internet Explorer modified by the threat.
For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note:
When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions:
    • If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.
    • If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

    The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value:

    "WinZip" = "%System%\wzip32.exe"

  6. Navigate to and delete the subkey:

    HKEY_CLASSES_ROOT\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}


  7. Exit the Registry Editor.

5. To restore the security settings in Internet Explorer modified by the threat
  1. Click Start > Settings > Control Panel
  2. Select Internet Options
  3. Select the Advanced tab
  4. Scroll down to Security
  5. Uncheck "Allow software to run or install even if the signature is invalid"
  6. Check "Check for signatures on downloaded programs"
  7. Click Apply
  8. Click OK
  9. Exit the Control Panel

Further details for the technically inclined

Infostealer.Orcu

Risk Level 1: Very Low

Discovered: June 20, 2006
Updated: June 21, 2006 11:54:54 AM ZE9
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

SUMMARY


Infostealer.Orcu is a Trojan horse that attempts to steal confidential information, such as bank and Paypal accounts. It may arrive as a message spammed across the Orkut network.


Protection

  • Virus Definitions (LiveUpdate™ Daily) June 21, 2006
  • Virus Definitions (LiveUpdate™ Weekly) June 21, 2006
  • Virus Definitions (Intelligent Updater) June 21, 2006
  • Virus Definitions (LiveUpdate™ Plus) June 21, 2006

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Low
  • Payload: Downloads additional malware.
  • Releases Confidential Info: Gathers and sends out sensitive financial information.

Distribution

  • Distribution Level: Low

TECHNICAL DETAILS


Orkut's users may receive a malicious link from other infected contacts. The Trojan posts a message in the user's scrapbook area of the Orkut system. The message text is chosen by the attacker and can be a random sentence written in Brazilian Portuguese, such as the following:

Message example 1:
Opa, tudo bom? Eu criei um video com uma selecao de minhas fotos novas, clica ai pra ver - [MALICIOUS_LINK] - Esta bem legais!!!

Message example 2:
Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [MALICIOUS_LINK] - Sei que vai gostar

If users click on the link, a malicious file is downloaded, which is a copy of Infostealer.Orcu.

When Infostealer.Orcu is executed, it performs the following actions:
  1. Copies itself to the following location:

    %System%\wzip32.exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "WinZip" = "%System%\wzip32.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  3. Modifies the values:

    "CheckExeSignatures" = "no"
    "RunInvalidSignatures" = "1"


    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download

    so that Internet Explorer downloads files covertly.

  4. Contacts the following URL to download and execute another threat:

    [http://]www2.no.comunidades.net/sites/jo/joaosembraco/imagens/log[REMOVED]

  5. Copies the above threat as the following files:

    • %Temp%\tmp.dat
    • %System%\winlogon_.jpg
    • %System%\logo1.jpg
    • %System%\login.dll

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  6. It may create the following folder:

    %Windir%\htmCache

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  7. Registers the above files as a Browser Helper Object for Microsoft Internet Explorer and creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
    HKEY_CLASSES_ROOT\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

  8. When Internet Explorer is executed, the BHO component shows the following message box:




  9. Monitors Internet Explorer windows and attempts to steal login information and passwords from the following Web sites:


  10. Gathers the following information about the compromised computer:

    • MAC address
    • Serial number of hard drive
    • CPU type
    • OS version and service pack

  11. Stores the gathered information in the following file:

    C:\cpu.log

  12. May end the following security-related processes:

    • NPFMntor
    • ASHSERV.EXE
    • ASWUPDSV.EXE
    • ASHWEBSV.EXE
    • ASHMAISV.EXE
    • ASHDISP.EXE
    • AVGCC.EXE
    • AVGUPSVC.EXE
    • AVGAMSVR.EXE

  13. Sends back the gathered accounts and information using the following legitimate domain:

    submit.mailmyform.com
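The registry changes listed above, together with the regedit / Task Manager lockout and home-page hijack from the nsl-school post earlier on this page, can be checked offline against a regedit export instead of clicking through regedit by hand. The following is an added example (not Symantec's or the blog's code) that parses a .reg file, flags those indicators and writes a .reg that reverses them; the sample export is constructed, and the value name "Start Page" and the regedit deletion syntax are assumed from IE and regedit conventions rather than taken from the page.

```python
import re

# Indicator values quoted from the two write-ups on this page.
HIJACK_DOMAINS = ("nsl-school.org", "mytermex.com")
ORCU_CLSID = "{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_DOWNLOAD = r"hkey_current_user\software\microsoft\internet explorer\download"
IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"  # under HKCU, HKLM and HKU\Default
BHO_ROOT = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data (default value)

def parse_reg(text):
    """Parse regedit 5.00 export text into {key: {value name: data}}; paths and names are lower-cased (both are case-insensitive in the registry)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex: continuation lines
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # header line, blank, comment or a form we do not model
        name, data = (m.group(1) or "@").lower(), m.group(2).strip()
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # strings: \\ -> \ and \" -> "
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)  # hex: and other types stay as raw text
        reg[current][name] = data
    return reg

def find_indicators(reg):
    """Return (category, key, detail) triples for every page indicator present in the export."""
    found, pol = [], reg.get(POLICIES, {})
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if pol.get(name.lower()) == 1:  # the page's REG add commands reset these to 0
            found.append(("lockout", POLICIES, name + " = 1"))
    for key, values in reg.items():
        start = str(values.get("start page", "")).lower()  # 'Start Page' is IE's value name (assumed)
        if key.endswith(IE_MAIN_SUFFIX) and any(d in start for d in HIJACK_DOMAINS):
            found.append(("homepage", key, "Start Page = " + start))
        if key in (BHO_ROOT + "\\" + ORCU_CLSID, r"hkey_classes_root\clsid" + "\\" + ORCU_CLSID):
            found.append(("bho", key, "Orcu BHO class id registered"))
    for name, data in reg.get(RUN_KEY, {}).items():
        if str(data).lower().endswith("wzip32.exe"):
            found.append(("persistence", RUN_KEY, '"%s" = %s' % (name, data)))
    dl = reg.get(IE_DOWNLOAD, {})
    if str(dl.get("checkexesignatures", "")).lower() == "no" or dl.get("runinvalidsignatures") in (1, "1"):
        found.append(("download policy", IE_DOWNLOAD, "IE signature checks switched off"))
    return found

def remediation_reg(findings):
    """Build a .reg that undoes the findings ("name"=- deletes a value, [-key] deletes a subkey)."""
    sections = {}
    for category, key, detail in findings:
        if category == "bho":
            sections[key] = None  # whole subkey goes
            continue
        entries = sections.setdefault(key, set())
        if category == "lockout":
            entries.add('"%s"=dword:00000000' % detail.split(" = ")[0])
        elif category == "homepage":
            entries.add('"Start Page"="about:blank"')
        elif category == "persistence":
            entries.add('"%s"=-' % detail.split('"')[1])
        elif category == "download policy":  # the IE defaults the Symantec steps restore
            entries.update(('"CheckExeSignatures"="yes"', '"RunInvalidSignatures"="0"'))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in sections.items():
        out += (["[-%s]" % key] if entries is None else ["[%s]" % key] + sorted(entries)) + [""]
    return "\n".join(out)

# Constructed sample export holding every indicator plus one benign Run value (ctfmon.exe).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://nsl-school.org/?id=forum"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinZip"="C:\\WINDOWS\\system32\\wzip32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"="1"

[HKEY_CLASSES_ROOT\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]
@="login"
'''

if __name__ == "__main__":
    hits = find_indicators(parse_reg(SAMPLE_EXPORT))
    print("\n".join("%-15s %s  (%s)" % hit for hit in hits), remediation_reg(hits), sep="\n\n")
```

Run it against a real export made with "regedit /e" (decode the UTF-16 file to text first) and review the generated .reg before merging it, as the page itself advises for any registry edit.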


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Writeup By: Elia Florio

Sunday, July 16, 2006

The Orkut virus - Infostealer.Orcu





Orkut has become a major social networking portal. It is so cool and so addictive... But there are hidden dangers everywhere...
Recently you might have noticed that the hyperlinking feature has been modified. That was done to prevent phishing (hackers stealing your data - just use the Google search on my sidebar to read up on it).

A recent virus attack was by Infostealer.Orcu.

Here is what the scrap looks like (the link is spaced out so that it cannot be clicked):
“Opa, tudo bom? Eu criei um vídeo com uma seleção de minhas fotos novas, clica aí pra ver - h t t p :// y e p . i t / ? i k s t t v - Estão bem legais!!!”

What should you do?
Simply delete the scrap! As simple as that.

How does it spread?

It spreads through infected contacts. An Orkut account gets hijacked once its owner follows the link and runs the file it offers. The Trojan then posts a message in the scrapbook of every one of your friends. The message text is chosen by the attacker and can be a random sentence written in Brazilian Portuguese, such as the following:

Message example 1:
Opa, tudo bom? Eu criei um video com uma selecao de minhas fotos novas, clica ai pra ver - ( suspicious link ) - Esta bem legais!!!

Message example 2:
Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! ( suspicious link ) - Sei que vai gostar

If anyone clicks on the link, it redirects them to the virus URL and asks them to download an .exe file, which is a copy of Infostealer.Orcu.

When Infostealer.Orcu runs on a computer, it infects that computer and uses your Orkut account to scrap everyone in your friends list with the malicious scrap, starting from the first name that appears when you view your friends (at that particular moment - the list order changes after some time).
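To make the "how does it spread" part concrete, here is a small Python scanner, added for this page (it is not part of the original post, nor Symantec's or Orkut's code). It normalises accents, looks for the two lure texts quoted above, pulls any links out of the scrap, and flags a link whose path ends in one of the executable extensions the protection checklist earlier on this page says to block at the mail server. The sample scraps are constructed for the example, and their links point at example.invalid / example.org placeholders, not the real virus URL.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Extensions that the protection checklist on this page says to block at the mail
# server; a scrap link whose path ends in one of these is treated as hostile.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".vbs", ".com")

# Fragments of the two lure texts quoted in the post, written lower-case and without
# accents; scraps are normalised the same way before matching, so "vídeo"/"video"
# and "seleção"/"selecao" all hit.
LURE_PATTERNS = [
    re.compile(p)
    for p in (
        r"criei um video com uma selecao de minhas fotos",
        r"criei um slide com algumas fotos",
        r"clica ai pra ver",
        r"e so clicar(?: clicar)? no link",
    )
]

# Good enough for scrap text: anything starting with http(s):// or www. up to whitespace.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

# Constructed sample scraps (placeholder links instead of the real malicious one).
SAMPLE_SCRAPS = {
    "lure_video": (
        "Opa, tudo bom? Eu criei um vídeo com uma seleção de minhas fotos novas, "
        "clica aí pra ver - http://example.invalid/?fotos - Estão bem legais!!!"
    ),
    "lure_slide_exe": (
        "Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser "
        "publicadas na minha conta, eu criei um slide com algumas fotos minhas, "
        "pra ver é só clicar no link!!! http://example.invalid/slide.exe - Sei que vai gostar"
    ),
    "benign_no_link": "Oi! Tudo bem? Adorei as fotos da viagem, vamos marcar um café?",
    "benign_with_link": "Olha essa matéria que saiu hoje: http://example.org/noticia",
}


def normalize(text: str) -> str:
    """Lower-case, strip diacritics and collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", stripped.lower()).strip()


def defang(url: str) -> str:
    """Make a URL unclickable for logs and reports (http -> hxxp, . -> [.])."""
    return re.sub(r"(?i)^http", "hxxp", url).replace(".", "[.]")


def extract_urls(text: str) -> list:
    """Pull links out of the raw (un-normalised) scrap, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)\"'") for u in URL_RE.findall(text)]


def analyse_scrap(text: str) -> dict:
    """Return matched lure fragments, the (defanged) links and the reasons for the verdict."""
    norm = normalize(text)
    lures = [p.pattern for p in LURE_PATTERNS if p.search(norm)]
    urls = extract_urls(text)
    reasons = []
    if lures and urls:
        reasons.append("known lure text combined with a link")
    for url in urls:
        # urlparse needs a scheme to split the path off a bare www. link
        full = url if url.lower().startswith("http") else "http://" + url
        if urlparse(full).path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("link points at an executable: " + defang(url))
    return {
        "suspicious": bool(reasons),
        "lures": lures,
        "urls": [defang(u) for u in urls],
        "reasons": reasons,
    }


def flagged(scraps: dict) -> list:
    """Names of the scraps that should be deleted rather than clicked."""
    return sorted(name for name, text in scraps.items() if analyse_scrap(text)["suspicious"])


if __name__ == "__main__":
    for name, text in SAMPLE_SCRAPS.items():
        verdict = analyse_scrap(text)
        print(f"{name}: suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
```

Two things worth noting: the lure text alone is not enough to flag a scrap (a friend can genuinely write "clica aí pra ver"), it is the lure plus a link that matters, while a link straight to an .exe is flagged on its own; and every link in the output is defanged, so pasting the report into a forum or an email cannot itself spread the thing.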

The messages are in Portuguese and mean, roughly:

Message 1: Hey, how's it going? I made a video with a selection of my new photos, click here to see it - (suspicious link) - They're really cool!!!

Message 2: Hi... how are you? Since Orkut limits the number of photos that can be published on my account, I made a slideshow with some of my photos; to see it just click on the link!!! (suspicious link) - I know you'll like it

Name of the Trojan:
Infostealer.Orcu

Norton’s Description:
Infostealer.Orcu is a Trojan horse that attempts
to steal confidential information, such as bank and Paypal accounts. It
may arrive as a message spammed across the Orkut network.

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP


Don't click on any strange links in your scrapbook, especially if they ask you to download or run a file.

Tuesday, July 04, 2006

Lock up your slippers


Ever lost ur shoes or slippers or sandals or any other kind of footwear while u left it outside somewhere? Now here's the solution to that problem. Just lock them up - yes, lock them up!

As this interesting picture shows ( please note that those are not my slippers nor am I the photographer ), u just have to lock the two slippers together by a good lock.

U may wonder about the effectiveness of such a strategy. Yes, I wondered too... If the slippers are not locked to anything immobile, then what guarantee is there that they will stay there...

Then I realized, what stupid thief would carry off the tied slippers anyway! Not only would he/she (for gender equality - nothing else) find it difficult to use them, but even if they want to steal them, I suppose they usually wear them and go...

So once again a funda that I think is absolutely crazy and idiotic... What do u think ?

Thursday, June 22, 2006

The case of the colour blind monitor






One fine day (I didn't know about the weather at the time - was inside and online for quite some time), I was calmly browsing and blogging away when I saw it ... (that's called an ellipsis , the 3 dots)

A computer screen which looked unique - different - one of kind. There was something about the way it looked (or rather showed) that caught the eye ... It took a few seconds (guess that less than 60 is few..(now that's not an ellipsis-that's just 2 dots-small things make a big difference)) to figure out that it was missing a color - Red. Almost saying - Gimme red !

Then I remembered....

Flashback
Anatomy class ... having a prized LCD projector , the department finally wanted to show a powerpoint (like xerox became a term for photocopy, powerpoint for presentation)...

Topic : Genetics ...

It was only halfway through the class that people realised that the projector was not showing its true colours. And then we reached the inheritance of colour blindness (color blindness for short - US spellings are shorter I guess - refer to the earlier post about the partiality of Google). The teacher, who by now had realized that we were seeing the ppt without the red, joked that the projector must be having color blindness (there, short n sweet).
After class, I lingered back to examine it and discovered the defect - diagnosis: a broken pin. If I put in a small metal wire, maybe it could see again...

Quickly, I shut down the computer (quickly shut down - an oxymoron). I pulled the monitor's plug and examined the pins - strangely everything was normal (two different problems can have the same outcome)... I was trying to break my head over the problem when I thought - maybe the other end of the cable...

Quickly (now truly) , I pulled out the other end from the monitor (usually it's fused to the monitor - a fact that I luckily forgot at the time (this was an LCD monitor in which the other end was detachable)) and examined it. ... ... ... nothing - everything normal ...

Sometimes, u feel frustrated when there is nothing wrong... u kind of feel that everything being right is kind of wrong... Dejected, I plugged in the cable and booted the comp. What do u know - the full colors were back!

Micro flashback
When I was pulling out the second end of the cable , I had noted that it was not screwed on tight.
Sometimes, u do things right even without ur knowledge...

Friday, June 09, 2006

The Gmail Mystery !


My life has changed since I got Gmail. I mean with 2.5 GB+ of space, it should change the way u store your email! Upload an infinite number of essential files and software to the mailbox and access them anywhere.

But recently, I came to see that several new features were made available to my friends' Gmails, but not to mine. Like chat ! And calendar ! And photo ! And web clips ! And more ... (actually I ran out of things to say)
I sent an email to gmail saying I haven't received these things yet! I received a polite reply (obviously looked computer generated - there must have been googols of people out there who wanted equality who would have asked) saying that it will be activated in phases. I resigned myself to the fact that they didn't care about me even though I use my gmail properly like a valued customer should.


It was later (that is today to be precise) that I finally got a message from a friend advising me to change the photo which had seemingly been selected by me(that's what the server told him, he said) for my Gmail account ( it was a monkey, if u'd like to know, and must have been done by the gmail server which had been making a monkey out of me)


Click! Revelation struck! It said that this option was available only to English (US) users!!!
Huh! Since I had chosen English (UK) I could not get these features!!! If I can manage with British English I definitely can manage US English too!!! As the basic funda of the problem entered my brain, I rapidly went through the various clicks to reach the Holy Grail - the language option in the settings page. Click, Click, Click! It was all over within seconds (quite a few seconds, slow net connection!) And then the transformation began!!!
The transformation was unlike any I'd seen before (duh !) .
Then I finally got what I'd wanted in Gmail. End of story !


P.S. Am I using too many quotation marks ?



Thursday, June 08, 2006

A video of the candle light protest Taken by Me !!!



A view of the circle of candle light taken from the top of Lister Annexe. You cannot see the students and residents but you can see the light they hold, as they disperse from the circle formation to fix the candles on a square platform. Anti-reservation protest.

Wednesday, May 17, 2006

Say no to reservation

The policy of the politicians to divide and rule to gain votes is clearly brought out through the reservation quota being increased to a staggering 49.5%. This is definitely cutting off the seats available to normal people born into a socially disadvantaged non-reserved class. One must realize that the Open Category seats allow everyone – SC, ST, OBC, anyone – to gain admission based on their merit. There is a myth in many minds that removing or reducing reservation means that doors are closed to the ‘backward’ classes. It only opens the door wider to include the now disadvantaged non-reserved class. The perfect strategy is to reserve seats in coaching institutions for ‘backward’ classes so that they can develop the merit themselves and compete like the rest of the country to gain their rightful place. Remember – Give a man a fish, and he’ll eat for a day and maybe beg for free fish every day. But teach a man to fish and he can fish to earn his living. Provide coaching at primary school level, develop the skill and let everyone compete at an equal level.


Monday, April 17, 2006

SMS invasion



Mobiles have taken over a major part of our life. I myself feel disconnected if my mobile phone is not with me. Even though I make few calls, I SMS a lot.

Stephen King's "Cell" - I haven't read it yet but surely would like to. The thought that these gadgets can turn us into mindless zombies doesn't seem too farfetched to me.

Even now, I mindlessly forward jokes and stuff I receive on my cell. "Send to list" I command, I order, and it obeys. But who exactly is commanding whom? . . .

A few days back I read about a gadget that can turn on and off home appliances by sending an SMS to the system.

Sunday, April 09, 2006

Case of the broken pin in the jack


I had a computer problem recently – the Audio output jack was blocked by the broken (metal) tip of my speaker’s audio pin.

To solve it I had to use several methods of which finally one was successful. Initially I tried pulling it out with toothpicks … but to no avail. Luckily my motherboard and cabinet supported a separate audio out jack in the cabinet front panel. Using the motherboard manual, I changed the jumper settings to divert audio out to this jack (port).
It worked fine.

But my mind wasn’t rested till I got the motherboard’s audio out working. It couldn’t be opened from inside – it was a sealed metal box and I did not want to damage the motherboard.
First I tried to pull it out with toothpicks, forceps, but couldn’t grip the pin. Then I tried using the vacuum from a desoldering gun but to no avail. I also tried a magnet but it didn’t work – later I discovered that the pin was not attracted to magnets. Then , using needle and thread I tried to make a noose to lower it into the jack, wrap it tight round the pin and pull it out – but it kept slipping and was hard work.
Finally - the one that worked - I took an ordinary syringe needle and bent the tip very slightly. Then I inserted it into the jack with the bend sideways so that the bend went past the broken pin. Next I turned the needle so that the bend came under the pin. Then slowly but steadily I pulled outwards. Using another needle, I manipulated and straightened the upper part of the pin while still pulling. Finally, I got the broken pin out. I have preserved it still somewhere.

Friday, February 24, 2006

Terms and conditions and other blah blah blah ;-)


I will put up lots of ideas that I get in this blog. You are free to add your comments on them - whether u think they will work, whether they r really necessary, ur ideas added to mine, ... anything. Remember, I'm not responsible for anything that happens to u or anyone else because you read my blog. If at all u plan to use any of my ideas, do contact me - thru the guest book at My website (http://johnkerala.tripod.com or www.johndavis.i8.com or www.johndavis.tk (redirection service))

The Ultimate Rememberall for people whom u r supposed to remember but keep forgetting.




Wait, I almost forgot that I had an idea. Well, here it is. First u upload a database of all the people u r supposed to remember along with their photos. Then u need a program that can search thru photos to match a face in a new photo to that in the database. I really think it exists. I'm just not 100% sure. It can just store a database of the facial features (eye to eye distance, nose shape or something, ...) or high tech like iris pattern (u know, in scifi movies, that exists too). Finally, when u see someone u know but u don't know who it is, u whip out ur camera mobile and start shooting (oh, u need that too). Send the photos via GPRS to ur top secret database & get the identification immediately. Now that's a rememberall.

Procrastination is reaaallly the thief of time !!!!


I finally decided that putting off something that has to be done today really puts it off for a really long time. For example, posting an entry in this blog. How many times I would have thought - "Now I'll just have enough time to check my mail. I'll blog that wonderful idea tomorrow. Anyway I'll check my mail tomorrow." This went on for quite a long time, I can assure you. For reference check my previous (first, actually) blog posting. For a remedy, I'll need to have an electronic organiser on my mobile (or cell - can't call it just a phone now - those things have everything in them) which decides what to do at what particular time determined in a scientific manner. Now I will sit down and meditate on this thought. Adios! Lots to study too! P. S. - I didn't have time for this blog so I copied this post from another one of my blogs.

(http://johnkerala.tripod.com/ideas/)
