February 2010 - Posts
A mimicry of Microsoft Security Essentials has been detected across the Internet. This rogue antivirus reports false detections to convince users to upgrade their existing "trial version" to the full version. Microsoft attributes this to Trojan:Win32/Fakeinit.
This fake AV gets installed by Win32/Fakeinit.
Symptoms
Symptoms vary among different distributions of Trojan:Win32/Fakeinit; however, the presence of the following system changes (or similar) may indicate the presence of this program:
- Presence of the following folders and files, or similar (for example):
%ProgramFiles%\Securityessentials2010\SE2010.exe
%ProgramFiles%\antivirusxp\antivirusxp.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
<system folder>\helpers32.dll
- Presence of registry modifications that load the malware, as in the following examples:
Adds value: "Security essentials 2010"
With data: "%ProgramFiles%\Securityessentials2010\SE2010.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "AntivirusXP.exe"
With data: "%ProgramFiles%\antivirusxp\antivirusxp.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Internet Security 2010"
With data: "%ProgramFiles%\InternetSecurity2010\IS2010.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The Trojan will also restrict access to some genuine sites.
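The indicators above can be checked from a defender's side with a script. This is an added example, not part of the original post: it expands the %ProgramFiles% and <system folder> placeholders, also looks under "Program Files (x86)" on 64-bit Windows (an assumption about where a 32-bit dropper would land), and reports the Run values named above.

```powershell
# Added example, not part of the original post: audit a host for the
# Trojan:Win32/Fakeinit indicators listed above (dropped files and HKCU Run values).
# Run in an elevated PowerShell prompt; exits 1 when any indicator is found.

# 32-bit malware on 64-bit Windows lands under "Program Files (x86)", so check both roots.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# File indicators from the post (%ProgramFiles% and <system folder> expanded here)
$filePaths = foreach ($root in $roots) {
    Join-Path $root 'Securityessentials2010\SE2010.exe'
    Join-Path $root 'antivirusxp\antivirusxp.exe'
    Join-Path $root 'InternetSecurity2010\IS2010.exe'
}
$filePaths += Join-Path $env:SystemRoot 'System32\helpers32.dll'

# Run-key value names from the post
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames = @('Security essentials 2010', 'AntivirusXP.exe', 'Internet Security 2010')

$findings = @()

foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runNames) {
        $prop = $run.PSObject.Properties[$name]
        if ($prop) { $findings += "Run value present: '$name' = $($prop.Value)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Fakeinit indicators from the post were found.'
    exit 0
}

Write-Warning 'Possible Trojan:Win32/Fakeinit infection; indicators found:'
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

A clean result only means these particular names were not found; other distributions of the same family use different folder and value names, so treat the script as a quick triage check, not a full scan.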
Snapshots (screenshots not reproduced here):
- Fake report
- Nagging to upgrade
- Activation window
It looks like a genuine antivirus!
Prevention is pretty easy:
- Always turn on Windows Firewall
- Don't open attachments from unknown senders
- Always turn on Windows Update and make sure you have installed all important updates
- Don't use pirated software
Microsoft Security Essentials is free for all. Please do remember this.
Compiled By Gandip Khaling.
Here are a few GUID strings that are available only on Windows 7:
Action Center
{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}
Backup and Restore
{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}
Biometric Devices
{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
Credential Manager
{1206F5F1-0569-412C-8FEC-3204630DFB70}
Default Location
{00C6D95F-329C-409a-81D7-C46C66EA7F33}
Devices and Printers
{A8A91A66-3A7D-4424-8D24-04E180695C7A}
Display
{C555438B-3C23-4769-A71F-B6D3D9B6053A}
HomeGroup
{67CA7650-96E6-4FDD-BB43-A8E774F73A57}
Location and Other Sensors
{E9950154-C418-419e-A90A-20C5287AE24B}
Notification Area Icons
{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
Recovery
{9FE63AFD-59CF-4419-9775-ABCC3849F861}
RemoteApp and Desktop Connections
{241D7C96-F8BF-4F85-B01F-E2B043341A4B}
Speech Recognition
{58E3C745-D971-4081-9034-86E34B30836A}
Troubleshooting
{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651}
You can create your own GodMode by specifying a namespace extension's location.
The secret behind God Mode is simple: Windows tags certain folders with a unique string, the Windows Class Identifier (CLSID). This has been the case since Windows Vista; I am not sure of XP or older versions of the OS. These specific folders can be found in the registry. Here is a snapshot of the path:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
Create a new folder and rename it to GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} (copy and paste the string).
:-)
Every time you get home from the office you have an important document to print. Now I know the classic way is to press Ctrl+P, select a printer and print…
Hmm… how about location-aware printing, where Windows automatically selects the printer for you so that you do not need to switch between different printers?
Here is how you do it:
- Click on the Windows orb and then click on "Devices and Printers".
- On "Printers and Faxes" in the menu bar, click on "Manage Default Printers".
- Click on "Change my default printer when I change networks" and specify a default printer for each network.

PHP applications can be hosted on the IIS web server by using the FastCGI module included in IIS. Here I am using Windows 7 as my IIS web server; the same applies to Server 2008 R2. Remember that R2 has IIS version 7.5, the same as Windows 7.
First you need to install IIS on your server; make sure that you select the CGI feature during installation.
Now you need to install and configure PHP to run under IIS.
Go to http://www.php.net/downloads.php and download the PHP zip file for Windows.
Unzip the downloaded file somewhere like C:\php. Now rename php.ini-recommended to php.ini.
Now open php.ini, then uncomment and modify the following:
Set fastcgi.impersonate = 1
Set cgi.force_redirect = 0
Set cgi.fix_pathinfo = 0
Set open_basedir to your desired directory
Set extension_dir to the directory where the PHP extensions reside, in this case C:\php\ext
Enable the following by uncommenting them:
extension=php_mssql.dll
extension=php_mysql.dll
Here your configuration part is over. Now you need to handle PHP requests; as I have mentioned before, we will be using FastCGI for this purpose.
Open IIS Manager ("inetmgr"), then double-click on "Handler Mappings".
Now add a module mapping and point php-cgi.exe at *.php files.
You will get a dialog box asking whether to create a FastCGI application. Click on "Yes" and you are good to go for PHP apps.
You may want to create a phpinfo file in the wwwroot folder containing <?php phpinfo(); ?> and test it.
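The same handler registration can be scripted with appcmd instead of clicking through IIS Manager. This is an added example, not from the original post; it assumes PHP was unzipped to C:\php as described above and that the default site root is %SystemDrive%\inetpub\wwwroot.

```powershell
# Added example, not part of the original post: register PHP with the IIS 7.5 FastCGI
# module and map *.php to it, equivalent to "Add Module Mapping" in inetmgr.
# Run from an elevated PowerShell prompt. Assumes PHP lives in C:\php.
$phpDir = 'C:\php'
$phpCgi = Join-Path $phpDir 'php-cgi.exe'
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

if (-not (Test-Path $phpCgi)) { throw "php-cgi.exe not found at $phpCgi" }
if (-not (Test-Path $appcmd)) { throw 'appcmd.exe not found; is IIS installed?' }

# 1. Register php-cgi.exe as a FastCGI application (the "Yes" dialog in the UI does this)
& $appcmd set config /section:system.webServer/fastCgi "/+[fullPath='$phpCgi']"

# 2. Map *.php requests to that FastCGI application
& $appcmd set config /section:system.webServer/handlers `
    "/+[name='PHP_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='$phpCgi',resourceType='Either']"

# 3. Drop a phpinfo() page into the site root for the test described above.
#    phpinfo() discloses paths, versions and loaded extensions, so remove it once verified.
$root = Join-Path $env:SystemDrive 'inetpub\wwwroot'
Set-Content -Path (Join-Path $root 'phpinfo.php') -Value '<?php phpinfo(); ?>'
Write-Output 'Browse to http://localhost/phpinfo.php to verify, then delete phpinfo.php.'
```

Check the resulting phpinfo() output for open_basedir and cgi.force_redirect, since those two settings are what keep php-cgi.exe from serving files outside the site and from being invoked directly.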
:-)
Here is a small tool to make your USB drive bootable for Windows 7 installation. It's simple and easy: just a couple of "Next" clicks and you are done with a bootable USB drive.
Download the tool from CodePlex (here is the link). Install it and run it. Make sure you have the Windows 7 ISO file on your hard drive.

When you configure your NLB hosts in unicast mode you won't be able to access the dedicated IPs of your guest VMs. However, by enabling spoofing of your VMs' MAC addresses you can access your NLB hosts. By default this is turned off.
You can enable the spoofing of MAC addresses on the VM's network adapter.
Remember: enabling this option gives VMs the ability to override their MAC address and send and receive traffic using any MAC address.
The virtual switch in Hyper-V is a Layer-2 switch; hence, if a malicious VM starts sending packets with a MAC address owned by another machine, it may cause security problems (for example DoS attacks).
Gandip Khaling
