Tuesday, January 09, 2007

YAHOO VIRUS REMOVAL

This brand new virus is now everywhere. It is spreading so fast as it targets users of Yahoo Instant Messenger. Users can protect themselves by not clicking on links sent to them by other users or contained in Yahoo! Messenger status messages of those contacts on their contact list.

If your computer is infected with this powerful Trojan /virus, it sends the attacker's url to all of your friend list in yahoo messenger using your ID and expect that in only a few hours many of your friends will get infected with it.

So how to remove this manually from your computer ?

1: Close the IE browser. Log out messenger /[OR] Remove Internet Cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\ Microsoft\ Windows\CurrentV ersion\Policies\ System /v DisableRegistryTool s /t REG_DWORD /d 0 /f


3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\ Microsoft\ Windows\CurrentV ersion\Policies\ System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE though regedit.

Start>Run>Regedit

From the below locations in Regedit chage your default home page to google.com or other.

HKEY_CURRENT_ USER\SOFTWARE\ Microsoft\ Internet Explorer\Main

HKEY_ LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Internet Explorer\Main

HKEY_USERS\Default\ Software\ Microsoft\ Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( may be more than one process is running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

7: Go to regedit search for svhost and delete all the results you get.

Start menu > Run > Regedit >

8: Restart the computer. That's it now you are virus free.



Have a nice Day..
cheers n nJoy ...!!!!!

Monday, September 25, 2006

DOS ATTACKS DEMYSTIFIED

DOS Attacks or Denial Of Services Attack have become very common amongst Hackers who use them as a path to
fame and respect in the underground groups of the Internet. Denial of Service Attacks basically means denying valid
Internet and Network users from using the services of the target network or server. It basically means, launching an
attack, which will temporarily make the services, offered by the Network unusable by legitimate users.
In others words one can describe a DOS attack, saying that a DOS attack is one in which you clog up so much
memory on the target system that it cannot serve legitimate users. Or you send the target system data packets, which
cannot be handled by it and thus causes it to either crash, reboot or more commonly deny services to legitimate users.
DOS Attacks are of the following different types-:
1. Those that exploit vulnerabilities in the TCP/IP protocols suite.
2. Those that exploit vulnerabilities in the Ipv4 implementation.
3 There are also some brute force attacks, which try to use up all resources of the target system and make
the services unusable.
Before I go on with DOS attacks, let me explain some vulnerabilities in TCP/IP itself. Some common vulnerabilities
are Ping of Death, Teardrop, SYN attacks and Land Attacks.

Ping of Death

This vulnerability is quite well known and was earlier commonly used to hang remote systems (or even force them to
reboot) so that no users can use its services. This exploit no longer works, as almost all system administrators would
have upgraded their systems making them safe from such attacks.
In this attack, the target system is pinged with a data packet that exceeds the maximum bytes allowed by TCP/IP,
which is 65 536. This would have almost always caused the remote system to hang, reboot or crash. This DOS attack
could be carried out even through the command line, in the following manner:
The following Ping command creates a giant datagram of the size 65540 for Ping. It might hang the victim's
computer:
C:\windows>ping -l 65540
Teardrop
The Teardrop attack exploits the vulnerability present in the reassembling of data packets. Whenever data is being
sent over the Internet, it is broken down into smaller fragments at the source system and put together at the
destination system. Say you need to send 4000 bytes of data from one system to the other, then not all of the 4000
bytes is sent at one go. This entire chunk of data is first broken down into smaller parts and divided into a number of packets, with each packet carrying a specified range of data. For Example, say 4000 bytes is divided into 3 packets,
then:
The first Packet will carry data from 1 byte to 1500 bytes
The second Packet will carry data from 1501 bytes to 3000 bytes
The third packet will carry data from 3001 bytes to 4000 bytes
These packets have an OFFSET field in their TCP header part. This Offset field specifies from which byte to which
byte does that particular data packet carries data or the range of data that it is carrying. This along with the sequence
numbers helps the destination system to reassemble the data packets in the correct order. Now in this attack, a series
of data packets are sent to the target system with overlapping Offset field values. As a result, the target system is not
able to reassemble the packets and is forced to crash, hang or reboot.
Say for example, consider the following scenario-: (Note: _ _ _ = 1 Data Packet)
Normally a system receives data packets in the following form, with no overlapping Offset values.
_ _ _ _ _ _ _ _ _
(1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)
Now in a Teardrop attack, the data packets are sent to the target computer in the following format:
_ _ _ _ _ _ _ _ _
(1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes)
When the target system receives something like the above, it simply cannot handle it and will crash or hang or reboot.

SYN Attack

The SYN attack exploits TCP/IP's three-way handshake. Thus in order to understand as to how SYN Attacks work,
you need to first know how TCP/IP establishes a connection between two systems. Whenever a client wants to
establish a connection with a host, then three steps take place. These three steps are referred to as the three-way
handshake.
In a normal three way handshake, what happens is that, the client sends a SYN packet to the host, the host replies to
this packet with a SYN ACK packet. Then the client responds with a ACK (Acknowledgement) packet. This will be
clearer after the following depiction of these steps-:
1. Client --------SYN Packet--------------Host
In the first step the client sends a SYN packet to the host, with whom it wants to establish a three-way connection.
The SYN packet requests the remote system for a connection. It also contains the Initial Sequence Number or ISN of
the client, which is needed by the host to put back the fragmented data in the correct sequence.
2. Host -------------SYN/ACK Packet----------Client
In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the SYN packet
sent by the client and sends the client its own ISN.

3. Client --------------ACK-----------------------Host
In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with a ACK packet.
These three steps together are known as the 3-way handshake and only when they are completed is a complete TCP/
IP connection established.
In a SYN attack, several SYN packets are sent to the server but all these SYN packets have a bad source IP Address.
When the target system receives these SYN Packets with Bad IP Addresses, it tries to respond to each one of them
with a SYN ACK packet. Now the target system waits for an ACK message to come from the bad IP address.
However, as the bad IP does not actually exist, the target system never actually receives the ACK packet. It thus
queues up all these requests until it receives an ACK message. The requests are not removed unless and until, the
remote target system gets an ACK message. Hence these requests take up or occupy valuable resources of the target
machine.
To actually affect the target system, a large number of SYN bad IP packets have to be sent. As these packets have a
Bad Source IP, they queue up, use up resources and memory or the target system and eventually crash, hang or
reboot the system.
Land Attacks
A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP Address, the IP address of
the target system itself is used. This creates an infinite loop between the target system and the target system itself.
However, almost all systems have filters or firewalls against such attacks.
Smurf Attacks
A Smurf attack is a sort of Brute Force DOS Attack, in which a huge number of Ping Requests are sent to a system
(normally the router) in the Target Network, using Spoofed IP Addresses from within the target network. As and
when the router gets a PING message, it will route it or echo it back, in turn flooding the Network with Packets, and
jamming the traffic. If there are a large number of nodes, hosts etc in the Network, then it can easily clog the entire
network and prevent any use of the services provided by it.
Read more about the Smurf Attacks at CERT: http://www.cert.org/advisories/CA-98.01.smurf.html
UDP Flooding
This kind of flooding is done against two target systems and can be used to stop the services offered by any of the
two systems. Both of the target systems are connected to each other, one generating a series of characters for each
packet received or in other words, requesting UDP character generating service while the other system, echoes all
characters it receives. This creates an infinite non-stopping loop between the two systems, making them useless for
any data exchange or service provision.

Distributed DOS Attacks

DOS attacks are not new; in fact they have been around for a long time. However there has been a recent wave of
Distributed Denial of Services attacks which pose a great threat to Security and are on the verge of overtaking
Viruses/Trojans to become the deadliest threat to Internet Security. Now you see, in almost all of the above TCP/IP
vulnerabilities, which are being exploited by hackers, there is a huge chance of the target's system administrator or
the authorities tracing the attacks and getting hold of the attacker.
Now what is commonly being done is, say a group of 5 Hackers join and decide to bring a Fortune 500 company's
server down. Now each one of them breaks into a smaller less protected network and takes over it. So now they have
5 networks and supposing there are around 20 systems in each network, it gives these Hackers, around 100 systems
in all to attack from. So they sitting on there home computer, connect to the hacked less protected Network, install a
Denial of Service Tool on these hacked networks and using these hacked systems in the various networks launch
Attacks on the actual Fortune 500 Company. This makes the hackers less easy to detect and helps them to do what
they wanted to do without getting caught. As they have full control over the smaller less protected network they can
easily remove all traces before the authorities get there.
Not even a single system connected to the Internet is safe from such DDOS attacks. All platforms Including Unix,
Windows NT are vulnerable to such attacks. Even MacOS has not been spared, as some of them are being used to
conduct such DDOS attacks.

Sunday, September 03, 2006

Pop a banner each time Windows Boots
To pop a banner which can contain any message you want to display just before a user is going to log on, go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon
Now create a new string Value in the right pane named LegalNoticeCaption and enter the value that you want to see in the Menu Bar. Now create yet another new string value and name it: LegalNoticeText. Modify it and insert the message you want to display each time Windows boots. This can be effectively used to display the company's private policy each time the user logs on to his NT box. It's .reg file would be:
REGEDIT4
[HKEY_LOCAL_
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]

"LegalNoticeCaption"="Caption here."
Disabling Display of Drives in My Computer
This is yet another trick you can play on your geek friend. To disable the display of local or networked drives when you click My Computer go to :
HKEY_CURRENT_
USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Now in the right pane create a new DWORD item and name it NoDrives. Now modify it's value and set it to 3FFFFFF (Hexadecimal) Now press F5 to refresh. When you click on My Computer, no drives will be shown. To enable display of drives in My Computer, simply delete this DWORD item. It's .reg file is as follows:
REGEDIT4
[HKEY_CURRENT_
USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDrives"=dword:03ffffff
Ban Shutdowns : A trick to Play on Lamers

This is a neat trick you can play on that lamer that has a huge ego, in this section I teach you, how to disable the Shut Down option in the Shut Down Dialog Box. This trick involves editing the registry, so please make backups. Launch regedit.exe and go to :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane look for the NoClose Key. If it is not already there then create it by right clicking in the right pane and selecting New > String Value.(Name it NoCloseKey ) Now once you see the NoCloseKey in the right pane, right click on it and select Modify. Then Type 1 in the Value Data Box.
Doing the above on a Win98 system disables the Shut Down option in the Shut Down Dialog Box. But on a Win95 machine if the value of NoCloseKey is set to 1 then click on the Start > Shut Down button displays the following error message:
This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
You can enable the shut down option by changing the value of NoCloseKey to 0 or simply deleting the particular entry i.e. deleting NoCloseKey.
Instead of performing the above difficult to remember process, simply save the following with an extension of .reg and add it's contents to the registry by double clicking on it.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"="1"

Untold Windows Tips and Secrets
______________________________________________________
Welcome to another Hacking Truths Manual. This time I have a collection of Tips and Tricks which no body normally knows, the secrets which let u control ur O.S. the way u like, the information which you will seldom find all gathered up and arranged in a single file. To fully reap this Manual you need to have a basic understanding of the Windows Registry, as almost all the Tricks and Tips involve this file.
****************
Important Note: Before you read on, you need to keep one thing in mind. Whenever you make changes to the Windows Registry you need to Refresh it before the changes take place. Simply press F5 to refresh the registry and enable the changes. If this does not work Restart your system
****************
Exiting Windows the Cool and Quick Way
Normally it takes a hell lot of time just Shutting down Windows, you have to move your mouse to the Start Button, click on it, move it again over Shut Down, click, then move it over the necessary option and click, then move the cursor over the OK button and once again (you guessed it) click.This whole process can be shortened by creating shortcuts on the Desktop which will shut down Windows at the click of a button. Start by creating a new shortcut( right click and select New> Shortcut). Then in the command line box, type (without the quotes.)
'C:\windows\rundll.exe user.exe,exitwindowsexec'
This Shortcut on clicking will restart Windows immediately without any Warning. To create a Shortcut to Restarting Windows, type the following in the Command Line box:
'c:\windows\rundll.exe user.exe,exitwindows'
This Shortcut on clicking will shut down Windows immediately without any Warning