Saturday, August 4, 2012

Chapter 20 Project 20-5

List three viruses from the web site www.f-secure.com:

Adware:W32/ClickPotato.A


Name : Adware:W32/ClickPotato.A
Aliases : Application.Generic.344399
Application.Generic.346725
Application.Generic.346219
WebToolbar.Win32.Zango
Category:Spyware
Type:Adware
Platform:W32

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Additional Details

ClickPotato is an adware program that will display pop-up advertisements based on the user's browsing activities or habits. It is distributed by Pinball Corporation via its free online streaming video.

The adware components are bundled with open source software, e.g., VLC media player and Xvid codec.

Upon execution, the adware attempts to connect to the following websites:
  • hxxp://tei.clickpotato.tv
  • hxxp://cfgi.clickpotato.tv
  • hxxp://softparade.freelandmedia.com

Worm:ACAD/Kenilfe.A


Name : Worm:ACAD/Kenilfe.A
Detection Names : Worm:ACAD/Kenilfe.A
Kenife
Kenilfe.A
Aliases : Worm.Acad.Kenilfe.A
AutoCAD.Kenilfe
AL/Kenilfe
Category:Malware
Type:Worm
Platform:ACAD

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.

Additional Details

The worm is a malicious AutoCAD program that propagates via removable drives. It also attempts to download Visual Basic Scripts from remote servers, if certain conditions are met.

Installation

During installation, the malware creates the following registry entries:
  • HKEY_CURRENT_USER\Software\KenFiles\settings
    TMN = %Random Name% or "Temp"
    TMNL = %Random Name% or "TMNL"
    SHXN = %Random Name% or "isoshfr"
    CXBB = 102
    GXBZ = 103
    pth0 = %IP Address of updatebd.8800.org% (or "221223921023103" if cannot ping the host)
    pth3 = %Current Date%
    pth4 = %Current Date%
    pth5 = %Current Date%
    basepth = %User Support Folder%
    fontpth = %AutoCAD Fonts Folder%
It then creates copies of itself in the following locations:
  • %Folder of Current Drawing%\acad.fas
  • %User Support Folder%\acad.fas
  • %AutoCAD Fonts Folder%\%SHXN%.shx
Where %SHXN% is the same as the SHXN value found in the registry entry (above).

It also creates the following files:
  • %Windows Folder%\DivX.fin - possibly some sort of an infection marker
  • %Windows Folder%\system32\%TMN%.cmd - contains commands that will create copies of the malware (same as those mentioned earlier)
Where %TMN% is also the same as the TMN value found in the registry entry.

It enables the Windows Scripting Host by creating the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
    Enabled = 1

Then deletes the registry key:
  • "HKEY_CURRENT_USER\Software\FileKen\settings"
It also deletes the following files:
  • isohztxt.shx
  • acad.fas1
  • logo.gif
  • isomianyi.shx


Payload

Once installed, Kenilfe downloads and executes Visual Basic Scripts based on the following conditions:
  • http://www.cadgs.com/[...]/gxcx.[...] - if the 3rd octet of the IP address of updatebd.8800.org > 102
  • http://www.cadgs.com/[...]/gxmz.[...] - if the 4th octet of the IP address of updatebd.8800.org > 103
Example: if the IP address of updatebd.8800.org is 221.239.103.104, both Visual Basic Scripts will be downloaded and executed.

These thresholds are the values stored in the CXBB and GXBZ registry entries, respectively.


Propagation

The malware enumerates all folders in all removable drives. If it finds the file acad.fas, it replaces the file with a copy of
  • %AutoCAD Fonts Folder%\isomianyi.shx.
Alternatively, if the folder contains a drawing (.dwg) file, it will create the file acad.fas (which is really a copy of isomianyi.shx).

It then creates a file named pagefile in the same drive location, to mark that it has finished infecting the drive.

During the enumeration process, the malware also renames the following files to append a "_bak" in their filenames:
  • acad.lsp
  • acad.sys
  • acad.vlx
  • acadapp.lsp
  • acadappp.lsp
  • acadapq.lsp
  • acadiso.lsp
  • acadsmu.fas
  • dwgrun.bat
  • isohztxt.shx
  • lcm.fas
  • winfas.ini
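As an added example (not from the F-Secure write-up or this blog), the following Python script encodes the payload trigger logic described under Payload and scans a drive root for the propagation indicators listed above: the pagefile marker, acad.fas next to .dwg files, and files renamed with "_bak". It assumes the renamed files take the form name_bak (e.g. acad.lsp_bak), which the write-up does not specify, and builds a constructed sample directory to run against.

```python
import os
import tempfile
from pathlib import Path

# Payload trigger logic from the write-up: gxcx when the 3rd octet exceeds CXBB (102),
# gxmz when the 4th octet exceeds GXBZ (103). Defaults are the values listed.
def kenilfe_payload_scripts(ip, cxbb=102, gxbz=103):
    """Return the script names the worm would fetch for this resolved IP."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    scripts = []
    if octets[2] > cxbb:
        scripts.append("gxcx")
    if octets[3] > gxbz:
        scripts.append("gxmz")
    return scripts

# Files the worm renames by appending "_bak" (list taken from the write-up).
RENAMED_TARGETS = {"acad.lsp", "acad.sys", "acad.vlx", "acadapp.lsp", "acadappp.lsp",
                   "acadapq.lsp", "acadiso.lsp", "acadsmu.fas", "dwgrun.bat",
                   "isohztxt.shx", "lcm.fas", "winfas.ini"}

def scan_removable_drive(root):
    """Walk a drive root and return (indicator, path) pairs for Kenilfe propagation signs."""
    root = Path(root)
    findings = []
    if (root / "pagefile").is_file():          # marker left once the drive was infected
        findings.append(("infection_marker", str(root / "pagefile")))
    for folder, _dirs, files in os.walk(root):
        names = set(files)
        has_dwg = any(n.lower().endswith(".dwg") for n in names)
        if "acad.fas" in names and has_dwg:     # auto-loaded AutoCAD script beside drawings
            findings.append(("acad_fas_beside_dwg", os.path.join(folder, "acad.fas")))
        for n in names:                         # assumption: rename form is "<name>_bak"
            if n.endswith("_bak") and n[:-4] in RENAMED_TARGETS:
                findings.append(("renamed_bak", os.path.join(folder, n)))
    return findings

def build_sample_drive():
    """Constructed sample: a fake infected removable drive layout in a temp directory."""
    d = Path(tempfile.mkdtemp(prefix="kenilfe_demo_"))
    (d / "pagefile").write_text("")
    proj = d / "projects"
    proj.mkdir()
    (proj / "plan.dwg").write_bytes(b"AC1018")  # DWG-style header bytes, constructed
    (proj / "acad.fas").write_bytes(b"\x00")
    (proj / "acad.lsp_bak").write_text("")
    return d
```

Run `scan_removable_drive(build_sample_drive())` to see the three indicators reported for the constructed layout.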

Trojan-Dropper:OSX/Revir.A


Detection Names : Trojan-Dropper:OSX/Revir.A
Category:Malware
Type:Trojan
Platform:OSX

Summary

Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

Disinfection

Automatic
Allow F-Secure Anti-Virus for Mac to remove the relevant files.

Additional Details

Trojan-Dropper:OSX/Revir.A drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring:
Screenshot of a PDF file dropped by Trojan-Dropper:OSX/Revir.A.
The PDF file contains Chinese-language text related to political issues, which some users may find offensive.
Note that the PDF file in the screenshot above uses the name 'trojan.pdf'. The PDF file will actually use the same name as the trojan-dropper's binary file, which is usually saved to the /Users/%user%/Downloads or /User/%user%/Documents folders.

Activity
In the background, the malware will drop and execute the following downloader component (detected as Trojan-Downloader:OSX/Revir.A):
  • /tmp/host
This file downloads and executes a file from the following remote location:
  • h t t p://tarmu.narod.ru/[...]
The downloaded file is also saved as:
  • /tmp/updtdata
As of this writing, the downloaded file is detected as Backdoor:OSX/Imuler.A. Our Browsing Protection blocks the download server hosting the file.

Saturday, July 28, 2012

Verizon FiOS Chapter 18 project 18-3

What Is Verizon FiOS?

Verizon FiOS is a bundled Internet access, telephone, and television service which operates over a fiber-optic communications network. It is offered in some areas of the United States by Verizon Communications and Frontier Communications. Verizon was one of the first major U.S. carriers to offer fiber to the home, and received positive ratings from Consumer Reports among cable television and Internet service providers. Other service providers often use fiber optics in the network backbone and existing copper infrastructure for residential users. Service began in 2005, and coverage areas expanded through 2010, although some areas do not have service or cannot receive TV and phone service because of franchise agreements.

Internet access: FiOS offers several service tiers that are available individually, but are offered at significant discounts when combined in a bundle. Although all current tiers are available nationwide, price varies between markets and some legacy tiers are available only in select markets. The tiers are distinguished by data transmission speed measured in Mbit/s downstream and upstream. Six different offerings are available.

What downstream and upstream speeds can FiOS support?

  • 1310 nm wavelength for upstream data at 155 Mbit/s (1.2 Gbit/s with GPON)
  • 1490 nm wavelength for downstream data at 622 Mbit/s (2.4 Gbit/s with GPON)
  • 1550 nm wavelength for QAM cable television with 870 MHz of bandwidth

When using FiOS, does your telephone voice communication share the fiber-optic cable with internet data?

Verizon offers regular telephone service as well as voice over IP over FiOS. The common model optical network terminals have two or four phone jacks.

What does Verizon say about FiOS cabling used for television?

Verizon's broadcast video service is not IPTV (Internet Protocol television), unlike AT&T's U-verse product. However, video on demand content and interactive features, such as widgets and programming guide data, are delivered using IPTV-based technology. The majority of content is provided over a standard broadcast video signal that carries digital QAM content up to 870 MHz. This broadcast content originates from a Super Head-End, which sends the signal to a Video Hub Office for distribution to FiOS TV customers. From the Optical Network Terminal (ONT) at the subscriber premises, the RF video is delivered over a coaxial connection, typically to a FiOS set-top box that handles both RF and IPTV video. Interactive services such as VOD and widgets are delivered by IP and are only accessible through use of a FiOS set-top box and a Verizon-supplied router. The router supports multimedia (MoCA) and provides the set-top boxes with programming guides and all SD channels, but high definition content (beyond local HD channels, which are in clear QAM) requires HD equipment like a FiOS HD set-top box/DVR or a CableCARD-supporting device, such as TiVo. In 2008, Verizon ceased carrying analog television signals in parallel with digital channels, meaning televisions without a QAM tuner or a set-top digital adapter received no signal.

Is FiOS available in your area?

Yes.

Thursday, July 19, 2012

Chapter 17

How to use the Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) Application Programming Interface (API), also referred to as DHCP Client Options, enables Microsoft Windows clients to query specific options from DHCP servers. This enables vendor-specific options exposed through DHCP servers to be queried by Windows clients.
Developers are provided access to critical phases of DHCP processing with the DHCP Server API. With this access, developers can create customized extensions to the DHCP Server, monitor statistics, create parallel lease databases, and provide other customized solutions.
DHCP is a standardized protocol that enables clients to be dynamically assigned with various configuration parameters, such as an IP address, subnet mask, default gateway, and other critical network configuration information. DHCP servers centrally manage such configuration data, and are configured by network administrators with settings that are appropriate for a given network environment. DHCP servers, in turn, communicate with DHCP clients through the use of DHCP messages.

Monday, July 2, 2012

Chapter 16:
Real Problems: Fixing a PC Problem.

Problem description: I offer a free computer check to all my friends, and one replied to me with this problem: "My computer is acting up. Every time I have tried to turn on the computer since yesterday, the lights in the PC come on and the screen starts doing the search, and then suddenly everything collapses." What can I do?

_I checked the power cord and the power source connection.
_I removed the internal board battery.
_Reset the battery.

The final solution was to replace the power source with a bigger power source (more watts).

Everything is working now, so I think next time this thing happens I will replace the power source directly.

Friday, June 29, 2012

Chapter 15. solving boot problems.

When the computer has the data cable unplugged, it shows the error "hard disk not present" and a subsequent "press any key to reboot".

Friday, June 1, 2012

Chapter 2

How Many Bits at a Time: The CPU (Central Processing Unit), also called a processor, partly determines which operating system can be installed. One major consideration is the number of bits a CPU processes at a time. All desktop and laptop processors sold today from either Intel or AMD can process 64 bits at a time, but older processors handled only 32 bits. To know which type of operating system to install, you need to be aware of three categories of processors currently used on desktop and laptop computers:

32 bit processors.
Processors that use underlying 32-bit processing with 64-bit instructions.
64-bit processors.