December 2008
S	M	T	W	T	F	S
« Oct		Jan »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Archive for December 2008

Seven Best IT based capers of 2008

29. December 2008 by Myke.

Ever wonder to yourself, I wonder if I could get away with that? Well a few folks have tried various ways of making money or getting back at others using the Internet but most fail one way or another. The thing to remember is that someone somewhere can figure out who was there and what was done. I mean come on, some of the greatest hackers of the world now hold top jobs in the IT Security field across the world.

Here is the best of 2008 when it comes to busted Capers.

1. Pepper Spray Bandit
In September, a robber disguised as a gardener pepper-sprayed an armored car driver using a pesticide sprayer and ran off with a bag stuffed with $400,000 in cash. When police arrived seconds later, they found the sidewalk crowded with dozens of men decked out in the same attire as the perp: blue shirt, Day-Glo vest, safety mask and glasses. While the cops hacked through a forest of suspects, the real perp fled to a nearby creek and escaped in a waiting inner tube.

Turns out the unwitting decoys had been lured to the crime scene by a Craigslist ad that promised construction work to those showing up in a “yellow vest, safety goggles, a respirator mask … and, if possible, a blue shirt.” A month later, following a lead from a homeless man who witnessed the preparation for the Brinks job, police arrested 28-year-old Anthony Curcio fresh from a Las Vegas vacation. Curcio is now charged with “Interference with commerce by threats or violence,” because “Pulling the most awesome robbery ever” isn’t listed in the U.S. code.

2. Nickel and Dime Your Way to the Top
If you’ve ever linked up your checking account to an online brokerage house or digital payment service, you may have noticed that the company automatically initiates one or two small deposits — typically less than a dollar each — for verification purposes. If you’re hard up for cash, or just really bored, you might have thought, “if only there was a way to make real money off this …”

Twenty-two-year-old Michael Largent of Plumas Lake, California allegedly figured out a way: Volume! Prosecutors say Largent wrote a script that rapidly opened about 60,000 new accounts under aliases like Johnny Blaze and Hank Hill, then linked them all to a handful of bank accounts under his control. Largent allegedly accumulated some $58,000 in nickels and dimes from Schwab.com, E-Trade, and Google Checkout, and transferred the free money to pre-paid debit cards before the companies could renege on their generosity. The venture was ultimately thwarted by bank reporting regulations, and Largent is now facing federal computer and wire fraud charges.

3. Master Splynter Wins This Round
Not every brilliant caper is masterminded by a criminal. For two years, a mysterious Eastern European cyber crook known as “Master Splynter” ran a flourishing cyber crime supersite called DarkMarket.ws. Brazen and defiant, Splynter boasted of turning his nefarious site into “the premier English-speaking forum for conducting business” — i.e., buying and selling stolen identity information and hacked credit card numbers. And he took particular delight in spitting bile on the federal agents trying to take him down.

In September, following the arrest of another DarkMarket administrator in Turkey, Splynter announced he was getting out while the getting was good. A month after he shuttered the site, which boasted 2,500 members at its peak, DarkMarket’s displaced denizens learned the truth: the site was a sting operation, and their buddy Master Splynter was Pittsburgh FBI agent J. Keith Mularski. The FBI says the long con netted 56 arrests worldwide, and prevented $70 million in fraud losses. Threat Level thinks Mularski would make a damn fine criminal if he weren’t one of the good guys.

4. Forgot to Change the Default Password
First spotted in 2005, this caper takes advantage of retail ATM owners and operators who leave the administrative passcodes on their Tranax and Triton cash machines set to the defaults published in easily-obtained service manuals. Armed with the passcodes, fast-fingered swindlers reprogram the ATMs to think they’re loaded with $1.00 bills instead of $20s, so a withdrawal of twenty bucks (say, on an anonymous, pre-paid debit card) nets the thief $380 in free cash.

Last August, Lobo’s City Mex in Lincoln, Nebraska, was the scene of the first known arrest for the long-running ATM hack. Manager Raul Omar Lobo held two purported PIN-pad perps at gunpoint after they allegedly showed up to add to the $1,400 they’d already plundered from the restaurant’s Tranax MiniBank. Local prosecutors charged Jordan Eske and Nicolas Foster, both 21, with four counts of theft by deception, and one count of computer fraud, for allegedly stealing a total of $13,600 from Lincoln-area ATMs.

5. Russian Style Big Gulp
You’re a Russian hacker who’s just managed to crack a server that processes transactions from Citibank ATMs at 7-Eleven convenience stores. No fool, you suck down thousands of Citibank customers’ account numbers and PIN codes. Only one problem remains: How best to monetize your hacking haul.

The solution: offshore it, of course. The hacker, identity unknown, farmed out the stolen data to confederates in America, who traveled from as far as Missouri to converge on the Citibank ATM supercluster known as New York City. Using blank cards programmed with the hacked account numbers, the gang managed to steal at least $2 million from Citibank accounts, sending 70% of the take back to mother Russia, before a lucky traffic stop unraveled the scheme. In the end, the FBI made ten arrests, including two Ukrainian immigrates with more than $800,000 each stashed in their closets. That’s a lot of Slurpees.

6. On the Road Again
How do you run a profitable interstate trucking company without all the hassle of driving trucks? Step one: Visit the online “load boards” where brokers advertise cargo in need of transport and negotiate a deal to, for example, haul a load from California to Maryland for $3,500. Step two: hack into the Department of Transportation website that maintains the master list of licensed trucking companies, and change the contact information for a legitimate firm to an address and phone number you control.

Step three: Profit! Posing as the company whose identity you just stole, outsource your job to another trucking firm for whatever price it wants; when the load is delivered, collect your $3,500, leaving the company that actually drove the truck trying in vain to invoice the company you hijacked. Step four: Get a lawyer. In October, federal prosecutors charged Russian immigrants Nicholas Lakes and Viachelav Berkovich with computer fraud for allegedly pulling this scam over-and-over again, to the tune of $500,000.

7. Deaf, Dumb and Blind…Not Really
When 18-year-old Matthew Weigman’s telephone line was disconnected, the legally-blind phone phreak didn’t just get mad; he got royally pissed. First, the FBI says, he social engineered the phone company into reconnecting the line — take that, phone cops. Then he made another pretext call to obtain the unlisted phone number and home address of William Smith, the Verizon security agent who got him disconnected.

Armed with the information, Weigman allegedly began calling Smith and berating him over the phone. To ensure that Smith answered the calls and took his punishment like a man, Weigman social engineered the phone company into giving him near real-time access to Smith’s billing data, then repeatedly used Caller ID spoofing to make the harried security official think people were returning his own calls: when Smith phoned a travel agent to book a flight, his phone would ring a few minutes later, displaying the number of the travel agency he’d just called. It wasn’t until Weigman took his vendetta into meat space and showed up at Smith’s New Hampshire home with his burly older brother that he was arrested. He now faces federal charges of intimidating a witness.

posted by: Myke Reinhold
credit: Wired Magazine

Posted in Nerdism, Security | No Comments »

Exagrid announces customer-focused enhancements

17. December 2008 by Myke.

ExaGrid Announces Customer-Focused Enhancements to Disk-based Backup System with Data Deduplication
New Features and Enhancements Deliver Added Performance, Expanded Data Handling, Instant DR Capabilities and Automated System Health Reporting

Westborough, Mass. - December 17, 2008 - ExaGrid® Systems, Inc. (http://www.exagrid.com), the leader in cost-effective and scalable disk-based backup solutions with data deduplication, today announced that it has enhanced its Disk-based Backup System with several customer-focused enhancements, including an industry-first, instant disaster recovery (DR) capability, higher performance connectivity options, expanded data handling and automated system health reports. These product enhancements allow customers to significantly improve the way they manage their backups by providing greater flexibility in handling disparate backup data types, delivering backup data more rapidly for DR purposes and providing proactive system health reporting on key operational metrics.“We speak with IT professionals every day who struggle with tape backup and are eager to move to disk backup with deduplication,” said Lauren Whitehouse, analyst, Enterprise Strategy Group. “ExaGrid’s Disk-based Backup System has the ingredients many organizations need to address their backup issues. Customers stand to benefit from ExaGrid’s focus on increasing performance, expanding DR capabilities, a growing list of supported data types, and automated email-based reporting that reduces the system management burden.” The latest version of the ExaGrid Disk-based Backup system includes the following important enhancements and customer benefits:Support for Higher Performance 10 Gigabit Ethernet Interfaces:

ExaGrid’s Disk-based Backup product line will now support the use of higher performance 10 gigabit Ethernet interfaces for connectivity to a customer’s backup environment. This capability provides the speed of fibre channel connectivity without the higher cost or hassle.

Instant DR Capability for Fastest Data Restoration from Remote Sites:

ExaGrid’s Disk-based Backup System has always maintained a full copy of an organization’s most recent backup at the site where the backup was performed. To ensure the fastest possible recovery time during a disaster, ExaGrid now keeps the most recent full backup at a customer’s disaster recovery site in its non-deduplicated form, ready for high-speed recovery in the event of a disaster at the primary location. ExaGrid is the first and only disk-backup with deduplication vendor to deliver this capability.
By using the innovative, byte-level delta data deduplication technology, this instant DR capability is accomplished while still sending only deduplicated data over a customer’s wide-area network, preserving a 50 to 1 WAN efficiency, versus sending entire non-deduplicated backups. This instant DR capability provides significantly faster restores than competing solutions, which have to reassemble deduplicated backups from millions or even billions of deduplicated fragments.

Additional Data Type Support Provides Increased Flexibility:
Beyond its interoperability with industry-leading backup applications, ExaGrid now supports additional data types. ExaGrid delivers a 10 to 50:1 deduplication ratio, replicates the deduplicated data to a disaster recovery location, and can report a deduplication ratio by the individual backup jobs (Oracle RMAN and Unix/Linux data dumps). Additional supported data types include the following:

Oracle RMAN Backups – customers can now simply send Oracle backups via the RMAN utility set directly to an ExaGrid disk-based backup system, bypassing the use of a backup agent.
Unix/Linux File System Data Dumps – customers can now simply transfer file system data from Unix or Linux systems, bypassing the use of a backup agent.
Non-deduplicating Data – customers now have the flexibility to simply allocate portions of the ExaGrid disk-based backup system for any type of data they want to protect on the ExaGrid system but do not wish to deduplicate.

With this release, ExaGrid supports leading backup applications such as Symantec Backup Exec™ and NetBackup™, CA ARCserve ®, EMC Networker®, CommVault® Galaxy™, and Vizioncore vRanger Pro; as well as other data types including VMware® VMDK, Oracle® RMAN, Linux/Unix data dumps and Microsoft ™ SQL dumps. ExaGrid’s future product plans include the support of many additional backup applications and utilities.Automated System Reporting for Ease of Management:
With the release of this version, each ExaGrid Disk-based Backup System will deliver a daily status to a defined set of administrators, lowering the management touch time of the system even further. This easy to understand report includes:

System status
Current and past data deduplication ratios
Replication status
Detailed status by backup job

“ExaGrid continues to hear from organizations, which are eliminating tape from their backup and archive operations, that they want the full benefits of disk in terms of performance, scalability and ease-of-use,” said Marc Crespi, vice president of product management, ExaGrid Systems. “Too many disk-based backup products with deduplication rob disk of its natural performance and scalability through their deduplication implementation. With this software enhancement release, ExaGrid further extends our product leadership by providing significantly faster recovery time at DR sites, increased flexibility in data protection and tools to even further reduce necessary system management touch time.”
About ExaGrid Systems, Inc. Headquartered in Westborough, Massachusetts, ExaGrid® Systems is the leader in cost-effective and scalable disk-based backup solutions with byte-level data deduplication. A highly scalable system that works with existing backup applications, ExaGrid is ideal for companies looking to quickly eliminate the hassles of tape backup while reducing their existing backup windows. ExaGrid’s patented approach minimizes the amount of data to be stored by providing standard data compression for the most recent backups along with byte-level data de-duplication technology for all previous backups. Customers can deploy the ExaGrid system at a primary site and at secondary sites to supplement or eliminate offsite tapes with live data repositories or for disaster recovery. For more information, contact ExaGrid at 800-868-6985 or visit www.exagrid.com. # # #
ExaGrid is a registered trademark of ExaGrid Systems, Inc. All other trademarks are the property of their respective holders.For a complete listing of ExaGrid news releases, please visit our News and Events on our web site.

Posted in Backups, Storage | 1 Comment »

Lexmark Trojan - lx_Cats?

11. December 2008 by Myke.

If you are the proud owner of any Lexmark product you may wonder why you have a program called lx_Cats on your PC. Well after further investigation and tracking what this file does, it is Spyware.

A user calling himself “Commander” has posted to the printer-focused Usenet group, comp.periphs.printers, that:

“Just the other day I purchased a new Lexmark X5250 All-in-one printer. I installed it as per the instructions and monitored the install with Norton as I do with all new software.

On reviewing the install log I noticed a program called Lx_CATS had been placed in the c:program files directory. I investigated and found a data log and an initialisation file called Lx_CATS.ini. Further investigation of this file showed that Lexmark had, without my permission, loaded a Trojan backdoor on to my computer. Furthermore, it is embedded into the system registry, so average users would likely never know it was there and active.”

Commander noticed that the spyware was programmed to surreptitiously report back to a URL, www.lxkcc1.com, every thirty days. lxkcc1.com is registered to Lexmark International, Inc..

When Commander called Lexmark to demand an explanation, the company first denied that they had installed any spyware at all. Ultimately the person with whom he spoke conceded that Lexmark installs “tracking software” on their users’ computers“to report back on printer and cartridge use for survey purposes.” While the Lexmark representative avowed that they did not transmit any personal information, they also admitted that the program does transmit the printer’s serial number, which of course is registered to the user. No personal information my foot!

Rumours of the installation of spyware along with their printer software have swirled around Lexmark for several years, and posts to Usenet complaining of Lexmark spyware date from as early as 2001. Some users complain of their computer trying to connect to the Internet every time they print a document; others worry that the program is reporting not only their cartridge usage, but whether they are using non-Lexmark cartridges, or even refilling their own cartridges, thus possibly setting the stage for a denial of warranty service.

According to “Commander”, the offending files include a program file called lx_CATS, and a related .ini file, lx_CATS.ini, as well as 2 DLL files in the c:program fileslexmark500 folder.

In order to remove Lexmark’s spyware from your system, delete the file (probably in your c:program directory) called “lx_cats.exe”, and also search for and remove a file called “lx_cats.ini” (and, for that matter, any other file including the term “lx_cats”).

Nice job Lexmark…really.

posted by: Myke Reinhold

Posted in Security, Internet, Rant, General Hardware, Desktops, Laptops | No Comments »

Hong Kong strikes again

9. December 2008 by Myke.

Starting Wednesday December 3rd of 2008, some very nice little script kitties decided to bomb the world with some very nice fun filled SPAM/Virus/Malware/Spyware/Adware. You may or may not have seen these e-mails yet. The claim to be from McDonald’s, Coca-Cola and Hallmark. As you can venture to guess, they are not. They are full of all kinds of good little toys for end users to play with and help make the life of an IT person fun.

So what can you do if your end user opens one of these emails? If you have a solid anti-virus product (NOT McAFEE) on your network and on your local machines, you should be sitting very pretty. But lets say for grins, you use McAfee or nothing at all, which is pretty much the same thing. You will have some cleaning to do to get rid of your annoying pests.

If you want to just fix the issue, scroll down for solution but for others we will now try and explain the issue. These e-mails that were sent out contained a few different types of virus files. They had the every infamous Virtumonde (Vundo) and VirTool:Win32/CeeInject.gen!J (named by Microsoft).

The Vundo family of Trojans is one of the most common infections we find on user’s computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted by false positives, fake alerts, and warning of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited so it is important to firstly make sure that your Java software is fully up to date. This infection is normally detectable by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.

The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. Due to this, specialized tools have been created in order to target this specific infection and remove it. The following guide will explain how to use the tool, and hopefully rid your system of this malware.

VirTool:Win32/CeeInject.gen!J is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Upon execution, this worm displays the following picture, to trick the user to believe that this is a harmless image file.

Meanwhile, the worm connects to “Whatismyip.com” to get the victim’s IP address.

Depending on the variant, it then copies itself to the following locations:

%WinDir%\system32\vxworks.exe or
%WinDir%\system32\daemon.exe

It injects itself into multiple running processes.

Depending on the variant, it drops one or more of the following malicious files:

%WinDir%\system32\qnx.exe
%WinDir%\system32\awtustsr.dll
%WinDir%\system32\ddcBTLfd.dll
%WinDir%\system32\efcDTLEX.dll
%WinDir%\system32\kvslgsfk.dll

Some variants create a new task to run one of the dropped DLLs in the following location:

%WinDir%\Tasks\dgzqcscz.job

Some variants then launch an instance of Iexplore.exe in the background and uses it to log keystrokes to a file at the following location.

%WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net

Certain variants also download the following malicious dlls:

APSTPLDR.DLL from http://www.zylon.net/[blocked]
kb600179.dll from 82.98.235.65

This worm spreads by copying itself into any removable media connected to the system and creates an “autorun.inf” file to execute itself whenever the device is connected to another system.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

It uses the following “Subject”, “Attachment Name” and “From address” combinations for these E-mails.

Some variants create SMTP connections to the following servers on various outbound ports:

205.134.188.162
211.233.80.119
212.7.64.23
217.167.29.246
64.26.62.254
dom-reg.mediaways.net
fmx.freemail.hu
imas.ahnlab.com
lb.acantho.net
mail.samba.org
mailprot.hilton.com
maxx.shmoo.com
mx.acantho.net
origin.hilton.com
persephone.instanthosting.com.au
relais-ias89.francetelecom.com
www.alinet.it
www.pacbell.net

This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.
(Generally, the file names used are of popular applications and their cracks/keygens)

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe

It also injects malicious code into explorer.exe and opens backdoor by connecting to the following domain:

web1.ser[removed].org

The backdoor has the following functions:

restart/shutdown computer
start/stop services
start/stop keylogger
download/upload files
create/terminate/list process
perform port scanning
modify host file
spread itself by instant messenger
gather passwords that firefox, internet explorer saved
gather account information of instant messenger (msn,yahoo,miranda,aim)

Registry changes may vary according to the variant.

The following registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtustsr

The following registry values are created to load the worm at system startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “QnX”
Data: %WinDir%\system32\qnx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “QnX”
Data: %WinDir%\system32\qnx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} “StubPath”
Data: “%WinDir%\system32\qnx.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Wind River Systems”
Data: %WinDir%\system32\vxworks.exe

Adds the following registry entires as part of its payload.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures”
Data: no
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper “bsd”
Data: 03
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper “free”
Data: 12
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes”
Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Daemon Tools”
Data: %WinDir%system32\daemon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “e887a2ae”
Data: rundll32.exe “%WinDir%system32\kvslgsfk.dll”,b

It adds the following registry key to add itself to the Firewall’s Authorised applications list.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\vxworks.exe”
Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\daemon.exe”
Data: %WinDir%\system32\daemon.exe:*:Enabled:Explorer

The following registry values are modified.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures”
Old data: yes
New data: 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden”
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00

Symptoms

Symptoms -

Network activity on TCP port 25 due to e-mails being sent by the worm.
Presence of the files and registry entries mentioned above.

Method of Infection

Method of Infection -

This worm spreads by harvesting e-mail addresses on the infected system and e-mailing a copy of itself to these addresses.
This worm also spreads by copying itself to removable media.

REMOVAL

So to rid yourself of this stupid little “end user” hell, just follow these simple steps.

1 - Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop (or other download directory).
Malwarebytes’ Anti-Malware Download Link

2 - Once downloaded, close all programs and Windows on your computer, including this one.

3 - Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

4 - When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.

5 - MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

MalwareBytes Anti-Malware Screen

6 - On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Trojan.vundo and Virtumonde related files.

7 - MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

MalwareBytes Anti-Malware Scanning Screen

8 - When the scan is finished a message box will appear as shown in the image below.

MalwareBytes Anti-Malware Scan Finished Screen

You should click on the OK button to close the message box and continue with the Trojan.vundo and Virtumonde removal process.

9 - You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

10 - A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

MalwareBytes Scan Results

You should now click on the Remove Selectedbutton to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

11 - When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

12 - You can now exit the MBAM program.

13 - Richyt-click on My Computer and select Search. You will now want to do a search on your local C: for windaemon.exe and delete all instances of this file. Once completed close all windows you have open.

NOTE: The following steps should only be done once a good backup of your registry has been completed. Only modify registry settings if you are knowledgable and understand what can happen if you make a mistake.
14 - Click on Start/Run and type regedit and click Enter.

15 - With the Registry Editor open, click on Edit/Find… and search for windaemon.exe and delete all registry keys that refer to this name. Once you hace deleted all the registry keys, close the Registry Editor.

16 - Reboot your computer.

17 - Your computer should now be free of all Virus/Malware/Spyware/Adware issues.

posted by: Myke Reinhold and Travis Sarbin
post credits: http://techtalk.homerun-networks.com, http://travis.sarbin.net/, http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde, http://news.cnet.com/8300-1009_3-83.html?keyword=%22worm%22, http://securitylabs.websense.com/content/Alerts/3250.aspx, http://securitylabs.websense.com/content/Alerts/3248.aspx, http://www.avertlabs.com/research/blog/index.php/2008/12/03/christmas-worm-uses-mcdonalds-and-coca-cola-as-bait/

Posted in Internet, Security, Desktops, Laptops | No Comments »

World Record for Core i7 CPU Frequency Broken at 5510.09MHz

3. December 2008 by Myke.

ASUS ROG Rampage II Extreme Smashes World Record in CPU Frequency on Latest Intel Platform

The release of the Intel® Core™ i7 has set the overclocking arena abuzz with excitement in anticipation of new world records. Armed with the ASUS ROG Rampage II Extreme motherboard that supports the newest Intel platform, the Japanese overclocking enthusiast duck smashed to the top of the overclocking charts and notched in a world record for Core i7 CPU frequencies. He managed to record an exceptional score of 5510.09 MHz—clearly laying down the gauntlet to future challengers to the throne. A veteran of overclocking CPUs, duck still holds the world’s highest frequency for overclocking a Pentium 4 631 CPU to a staggering 8180.4MHz last year.

The successful breaking of the world record was in no small part thanks to the overclocking-oriented features found on the new Rampage II Extreme motherboard. TweakIt, an easy-to-use joystick-like control on the motherboard, enables overclockers to make real-time changes to their systems’ core frequency, voltage and other parameters—even while the benchmark utility is running. At no point does software come into play, as the tweaking is completely hardware-based. With such hassle-free tweaking, coupled with information like the system frequency relayed to overclockers in real-time via the LCD Poster, changes could be on-the-fly during CPU tests and result in extraordinary benchmark scores.

Posted in Intel, General Hardware, Desktops | No Comments »