ADMIN

Sign In


<May 2012>
SunMonTueWedThuFriSat
293012345
6789101112
13141516171819
20212223242526
272829303112
3456789

Aggregate Me!

RSS 2.0 | Atom 1.0 | CDF

Categories

 ASPNET
 DOTNET
 Personal
 VBNET
 VS NET

Personal Links

Blog home


Credits
Blog powered by: newtelligence dasBlog 1.8.5223.0.
Nautica22 Theme by: tom watts
CSS Design by: studio7designs


Send mail to the author(s) E-mail

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.
Faberc blog website

 Sunday, June 08, 2008
XBAP Application : about my family
 #
 

This is an example of a WPF browser application (aka XBAP) running in a sandbox of your browser with partial trust security permission. Simple and impressive.

AboutMyFamily.xbap

Note: WPF mediaelement couldn't work in windows XP.

DOTNET | Personal
6/8/2008 12:50:54 AM (W. Europe Standard Time, UTC+01:00)
Faberc  |  Disclaimer  |  Comments [0]  | 
 Sunday, December 23, 2007
Worm w32.silly, cn911.exe, secpol.exe, fsmgmt.dll, song911, ufo.exe removal instructions
 #
 

Last week I was infected by a worm via a USB pen (UFO.EXE).

This is a variant of many similar backdoors/worms, these instructions
can be useful to understand how that attacks work.

These are the steps I made to remove the worm and related malwares
loaded from that backdoor. 

1) first of all: disconnect the infected PC from any network
and internet connection. 



The malware loads viruses and updates from internet sites 
during your browsing:

cn911.org, , obutan.com, baidu8.com, 222.122.45.146, 
eu.logon.worldofwarcraft.com, us.logon.worldofwarcraft.com
Try to block these sites with your firewall!



2) clean the USB pen 

delete UFO.EXE (hidden file)
delete autorun.inf (hidden file that load the ufo.exe worm)
this files are created from infected PCs anytime you boot a USB pen 
or removable harddisk
After you need create a fake empty autorun.inf file with READ-ONLY property
to block the loading of ufo.exe from a infected PC 

3) removal actions 

- Run the "process explorer" of Mark Russinovich (www.sysinternals.com)
and kill the svchost process at root level (It is the process that create 
the UFO.EXE/AUTORUN.INF files any time you insert a removable disk)



- with regedit remove just the string ",C:\WINDOWS\system32\secpol.exe" 
from the key 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe, 


need to be (don't remove the userinit.exe!):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon
C:\WINDOWS\system32\userinit.exe


- delete the secpol.exe file from C:\WINDOWS\system32



- with regedit remove the fsmgmt key from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon\Notify 



- delete the fsmgmt.dll file from c:\windows\system32 
Note: the product name shows: "Microsoft? Windows? Operating System" 

- delete any files from the locations:
C:\Documents and Settings\<user>\Impostazioni locali\Temporary Internet Files 
and
C:\Documents and Settings\<user>\Impostazioni locali\Temp 



That's all. I removed also some unknown users *S-1-5-21..... from security policies. 



Credits : I'd like to sincerely thank the folks at Sysinternals
Personal
12/23/2007 7:09:48 PM (W. Europe Standard Time, UTC+01:00)
Faberc  |  Disclaimer  |  Comments [10]  | 
 Saturday, October 01, 2005
A bicycle day
 #
 

My son has learned to ride a bike by a short time ago. Today we have cycled together. What a fine day! 

Sometime great satisfactions came in from little things. :-D

Personal
10/1/2005 9:40:08 PM (W. Europe Standard Time, UTC+01:00)
Faberc  |  Disclaimer  |  Comments [0]  |