
Dangerous File Processes In Windows

Security Risks - Virus processes in Windows XP

Avserve.exe, Avserve2.exe (Sasser Worm)
Sasser Worm is likely a virus and as such presents a serious vulnerability which should be fixed immediately. Delaying the removal of avserve.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking of private information to websites.
Damage Level: Low/Medium
Distribution Level: Low


Bling.exe (Spybot Worm)
Spybot Worm is likely a virus and as such presents a serious vulnerability which should be fixed immediately. Delaying the removal of bling.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking of private information to websites.
Damage Level: High
Distribution Level: Medium


Cmd32.exe (Loadcfg / Sdbot Trojan)
Loadcfg / Sdbot Trojan is likely a Trojan and as such presents a serious vulnerability which should be fixed immediately. Delaying the removal of cmd32.exe may cause serious harm to your system and will likely cause a number of problems, such as loss of data, loss of control or leaking of private information.
Damage Level: High
Distribution Level: Very Low


Dl.exe (Weather Watcher/W32.Bagz@mm worm)
Weather Watcher is a desktop weather station that sits in the system tray and automatically reports weather conditions at specified time intervals for any location in the world. It has customizable options for the time of forecast and can convert between Celsius and Fahrenheit. It also provides information such as dew point, humidity, wind, visibility, pressure, and the UV index value.

W32.Bagz@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses gathered from the infected computer.
Damage Level: Low
Distribution Level: High

Doriot.exe (Ject Downloader Trojan)
Ject Downloader Trojan is likely a Trojan and as such presents a serious vulnerability which should be fixed immediately. Delaying the removal of doriot.exe may cause serious harm to your system and will likely cause a number of problems, such as loss of data, loss of control or leaking of private information.
Damage Level: Medium
Distribution Level: Very Low

Windows IE History Cleaning and Removing Unplugged Network icon from tray

Remove history in internet explorer address bar

Internet Explorer remembers the addresses typed into its address bar, so any other user of your computer can see what you typed. Clearing the browser history alone does not remove this list; a registry modification is needed:

Click on Start, then Run.
Type regedit in the box provided.
In Regedit navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Then just delete all of the entries that list the URLs you no longer want to see.

Note: Clearing the recent documents history from start menu properties will clear this list as well.

Remove the "A network cable is unplugged" icon from the tray


Click on Start>Run..., type regedit.exe and click OK. Delete this key:

HKEY_CLASSES_ROOT\CLSID\{7007ACCF-3202-11D1-AAD2-00805FC1270E}

Restart to apply the changes. I haven't had any ill effects so far. Make a backup of the key just in case (select the key and click on File>Export...).

Email-Worm.Win32.Mydoom.m

Email-Worm.Win32.Mydoom.m (Kaspersky Lab) is also known as: I-Worm.Mydoom.m (Kaspersky Lab), W32/Mydoom.o@MM (McAfee), W32.Mydoom.M@mm (Symantec), Win32.HLLM.MyDoom.54464 (Doctor Web), W32/MyDoom-O (Sophos), Win32/Mydoom.O@mm (RAV), WORM_MYDOOM.M (Trend Micro), Worm/Mydoom.M (H+BEDV), W32/Mydoom.O@mm (FRISK), Win32:Mydoom-M (ALWIL), I-Worm/Mydoom.O (Grisoft), Win32.Mydoom.M@mm (SOFTWIN/BitDefender), Worm.Mydoom.M (ClamAV), W32/Mydoom.N.worm (Panda), Win32/Mydoom.R (Eset)

Behavior: Email Worm

I-Worm.Mydoom.m spreads via the Internet as an attachment to infected messages.

The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX. The unpacked file is approximately 50KB in size.

The worm is only activated when a user opens the archive and launches the infected file by double-clicking on it. The worm will then install itself on the system and begin propagating.

The worm contains a backdoor function.

Part of the body of the worm is encrypted.

Installation

When installing, the worm copies itself as 'java.exe' to the Windows root directory and registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
JavaVM = %windir%\java.exe

This ensures the worm will be launched each time the infected system is booted.

The worm also creates a file named 'services.exe', 8192 bytes in size, in the Windows root directory. This file is an additional component and is also added to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Services = %windir%\services.exe
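As an added example (not part of the original description), the Python below scans the text of a Windows registry export (.reg) for the two autorun entries listed above: a Run value pointing at java.exe or services.exe in the Windows root rather than System32. The .reg content in the script is constructed sample input; on a real machine you would export both Run keys from regedit and feed that file in.

```python
import re

# Autorun entries described above: value name -> executable name.
# Both files live in the Windows root directory, so a Run value pointing
# at a java.exe or services.exe outside System32 is the indicator.
MYDOOM_RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}

RUN_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft"
    r"\\Windows\\CurrentVersion\\Run\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_mydoom_persistence(reg_export: str):
    """Return (key, value name, data) for Run entries matching the worm."""
    hits, current_key, in_run_key = [], None, False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):          # start of a new key
            current_key = line
            in_run_key = RUN_KEY_RE.match(line) is not None
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
        expected = MYDOOM_RUN_VALUES.get(name.lower())
        basename = data.lower().rsplit("\\", 1)[-1]
        if expected == basename and "\\system32\\" not in data.lower():
            hits.append((current_key, name, data))
    return hits

# Constructed sample export: two worm entries mixed with legitimate ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="%windir%\\java.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Services"="C:\\WINDOWS\\services.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_mydoom_persistence(SAMPLE_REG):
        print(f"suspicious autorun: {key} {name} = {data}")
```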


Mailing messages

The worm searches the victim machine for email addresses to harvest, and then sends itself to these addresses by directly connecting to the recipient's SMTP server.

It also harvests addresses by using the following search engines:
Google
Lycos
Altavista
Yahoo

Infected messages

Sender's address (either chosen from the list below or spoofed):
MAILER-DAEMON
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
Mail Delivery Subsystem
Message header (chosen at random from the list below):
Message could not be delivered
hello
Hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
{{The|Your} m|M}essage could not be delivered
instruction

Message body (chosen at random from the list below):

The message body will be altered to correspond to the user's details.

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}

{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during { this|the {last|recent}} week.

{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.

{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.

{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {$T {user |technical |}support team.|The $T {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:

Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message {was not|could not be} delivered within $D days: {{{Mail s|S}erver}|Host} $i is not responding.

The following recipients {did|could} not receive this message: <$t>

Please reply to postmaster@{$F|$T} if you feel this message to be in error. The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

----- The following addresses had permanent fatal errors ----- {<$t>|$t}

{----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{$T.|$i}: {>>> MAIL F{rom|ROM}:$f <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large} 554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5. 0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<$t> <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded|}<<< 400}|} The original message was included as attachment {{The|Your} m|M}essage could not be delivered

Attachment name:

The attachment name is generated at random.
Attachment extension (chosen at random from the list below):
cmd
bat
com
pif
scr
doc
exe

The worm may also be sent in the form of a ZIP archive.

Other
The worm opens TCP port 1034 in order to receive remote commands.

Activex Control

ActiveX was a by-product of Microsoft's Object Linking and Embedding (OLE) and Component Object Model (COM) technologies. An ActiveX control is a way of packaging these technologies: it is basically an OLE object that supports the IUnknown interface.

An ActiveX control can be activated by a Web browser. Since ActiveX is not a programming language, programmers can create and develop ActiveX controls in different languages, including Visual Basic, C, C++, and Java. It is the third version of OLE controls and is capable of managing the distribution of components over networks and enabling the integration of controls into Web browsers, making ActiveX easier to apply.

Such enhancements brought about by ActiveX controls result in additional features such as:
1. incremental rendering
2. code signing
3. identification of authors of controls

There are a variety of ActiveX controls that handle specific functions. One example is the FolderView ActiveX Control, which allows the user to perform:
1. Deletion and reinsertion of controls on the form
2. Setting control properties to the original properties.
3. Rebuilding of the development project

However, programmers need to enter the right information about the control in the system registry before a control can be used properly and efficiently. One needs to "register" the control or the system will not recognize it as a valid program. Your computer normally installs the components of the controls automatically, but full manual installations are possible.

When you observe a control up close, you'll find that it is very similar to a Java applet. The main difference is that Java applets do not have full access to the Windows operating system. Since ActiveX controls can access the operating system, extreme care must be taken, because these controls might initiate actions that damage the software or data stored on your computer.

The creators of ActiveX have tried to address this problem. Because of the threat of corrupting the operating system, Microsoft made a registration system which allows the identification and authentication of a control before users download and use it for their Web browsers and networking needs. Still, it is unfortunate that ActiveX controls can only be used on the Windows platform, limiting their adaptability and usability, unlike Java applets, which work on all platforms.

Announced by computersarticlesweb.com
