Hackers Area


I have explained many email-borne viruses, email-borne Word viruses and email-borne EXEs too. Let's look at the working of the deadliest zipped-file virus.

ExploreZip: The Working

ExploreZip is the latest malevolent virus to hit the net. It is a mixture of CIH (i.e. Chernobyl) and Melissa (remember?): it possesses the replicating capabilities of Melissa and the destructive power of CIH.

ExploreZip abuses MAPI (Messaging API) based email clients such as Microsoft Exchange and Microsoft Outlook to mail itself out as replies to unread messages.

So what would an email infected by ExploreZip look like?

You would normally get this virus from someone you know, as a reply to an email that you sent that person earlier.

The virus is sent to you with the file "zipped_files.exe" attached. The subject of this email is chosen appropriately. The body of the email message is an excellent example of social engineering and is designed to cajole or fool users into opening the attachment.

Hi "Recipient Name"!

I received your email and I shall send you a
reply ASAP. Till then, take a look at the
attached zipped docs.

bye,
"Recipient Name"

Instead of the last two lines above, the message may also read:

sincerely,
"Recipient Name"

When you open the attached zipped file, you might get a WinZip error dialog.

The virus then looks for mapped drives or other machines on the network and checks whether Windows is installed on them. If it finds a Windows installation, it copies itself to that remote machine's Windows directory and modifies its Win.ini accordingly.

Once the attachment is opened, the virus copies itself to the c:\windows\system directory (the system32 directory in NT) as the file Explore.exe or _setup.exe. It also modifies the Win.ini file or the registry so that this file is executed, and the virus launched, every time Windows boots. Once this has been done, each time it is executed it proceeds to select random files on all drives with various extensions and starts destroying them by reducing their size to zero bytes. The extensions include .h, .c, .cpp, .asm, .doc, .ppt and .xls, among others. While this process is occurring, you may notice an increase in hard disk activity.

When you are viewing the mail containing the virus, your client may also create a temporary copy of the virus in the default Windows temporary directory or in the temporary directory used by the email client. This virus also deletes or infects new files created with the listed extensions. Each time it is executed, the virus looks for unread messages and spreads itself by replying to them.

Removing ExploreZip

The simplest way to remove this virus is to download its cleaner from either McAfee's or Symantec's site. To find the exact URL, just go to their respective sites and search for it.

But I am going to make things interesting by describing a method of removing this virus manually.

First of all, kill the virus process: press CTRL+ALT+DEL, select Explore.exe or _setup.exe in the popup window and click on OK.

In the above step you only closed the virus for this Windows session, i.e. it is no longer active now but will be launched again the next time Windows starts. To prevent the virus from being launched every time Windows boots, you need to edit the file win.ini.

First open win.ini in Notepad or WordPad (or Word 97) and look for the line

run=<Windows System Path>\Explore.exe

or

run=<Windows System Path>\_setup.exe

and delete it. This works on Win 9x systems, but on NT you will have to delete the entry under the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

i.e. the value that refers to either explore.exe or _setup.exe, which is the ExploreZip virus.

Your PC is now disinfected, but the virus executable is still on its hard disk and will infect your system again if run. You can either play with the virus executables or simply delete them. To delete them, go to the c:\windows\system directory (system32 in NT) and delete the file explore.exe or _setup.exe.


MiniZip

This is an ExploreZip variant and is only 120 KB in size. Like its predecessor it is quite deadly and deletes files from your system. The attached file has the same name, and the body in this case says:

I received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs.

Once MiniZip is launched, i.e. the zipped file is opened, it looks for all drives mapped to the computer and spreads to them. It also looks for unread email on the victim's computer and replies to all of it with the message described above. It too is copied to the c:\windows\system directory with the filename explore.exe, and it modifies the Win.ini file so that the virus is launched each time Windows boots.

You can delete it too by following the same manual method described above.

Well, that's it for now, see you later and till then Happy Virus Hunting!!!!

Another Trojan

PrettyPark.exe: A Gigantic Study by Ankit Fadia
________________________________________________________________

The W32/Pretty.Worm worm is yet another one that spreads by email. This worm infects only Windows 9x and NT users. It is believed to have originated in France almost a year ago.

This worm arrives by email. So if you get an email that looks something like the one below, you can pretty much assume that you were sent the Pretty Park worm. An infected email would contain the following subject:


Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)

A file named 'prettypark.exe' would be attached to the infected email. This attached virus has an icon which is supposedly the character 'Kyle' from the animated series 'South Park' (see the icon at http://www.crosswinds.net/~hackingtruths/icon.gif). Sometimes the attached virus would have the name 'Pretty~1.exe'.

As soon as you execute this prettypark.exe attachment, the dreaded virus starts its process of infecting your system. When executed, this file copies itself to the file FILES32.VXD in the c:\windows\system directory. To ensure that FILES32.VXD (which is the virus itself) is executed whenever any .EXE file is run, it modifies the following registry key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

In this key, it changes the value of 'command' from "%1" %* to FILES32.VXD "%1" %*. As a result of this registry change, every .EXE that is executed will in turn be infected by this virus.

Once the system is infected, this worm will automatically try to email itself every 30 minutes to all the email addresses in Outlook Express's address book, thus spreading itself to all quarters of the Internet. This behaviour is quite common amongst other email-borne viruses; this is how they spread themselves and stay alive.

The other, more interesting and rarer, feature of this virus is that it tries to connect to an IRC server. Once connected, it joins a specific channel. It then tries to remain connected to this channel by sending information to the server every 30 minutes, and it also retrieves commands from the IRC channel. Via this predefined IRC channel, the author of the virus can use the worm as a remote access utility and gather various kinds of information, such as the computer name, registered owner, registered organization, system root path, Dial-Up Networking usernames and passwords, ICQ identification numbers, ICQ nicknames and the victim's email address. As it acts as remote access software, it can also be used via the IRC channel to transfer files to and from the client, which is the victim.

Removal Instructions

PrettyPark, like some other intelligent viruses, does not allow users to remove references to itself from the registry. One trick which anti-virus organizations have discovered is that if the Registry Editor is renamed from regedit.exe to regedit.com (on Win9x systems) or from regedit32.exe to regedit32.com (on NT systems), then we can still view the entire Windows registry and the worm cannot restrict us from editing the various keys.

Run the Windows Registry Editor, i.e. regedit.exe on Win9x and regedit32.exe on NT. Make sure that you reboot into MS-DOS from the startup disk and then launch the Registry Editor. Now remove references to the worm from the following registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command\

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

To remove the references to the trojan, change the value of the above key from FILES32.VXD "%1" %* to "%1" %* (note the space in the new value).

All software or services referred to in the following registry keys start automatically with Windows. So make sure that the following keys have no reference to the virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Also delete any references to the virus from the following:

1. Open WIN.INI in Notepad and, in the 'run=' line under the [windows] section, look for any reference to the trojan.
2. Now open SYSTEM.INI and, in the 'shell=' line under the [boot] section, remove all references except the reference to Explorer.exe.

Then look for the following Registry key:

HKEY_CLASSES_ROOT\.dl

This key is not found on all systems. If you find it, delete it. Now reboot and delete the trojan .exe file itself. If you followed the above procedure correctly without any errors, the worm will be deleted; otherwise you will get an error message. Also delete the c:\windows\system\Files32.vxd file.
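The persistence points named in both removal procedures above (the win.ini run= line for ExploreZip, the system.ini shell= line and the exefile command value for PrettyPark) can be checked offline. The following Python script is an added example, not code from the original article: it parses INI text and the registry value string in memory rather than touching a live system, and the function names and sample file contents are constructed for illustration.

```python
import re

# Filenames the article names as indicators (matched case-insensitively)
EXPLOREZIP_FILES = ("explore.exe", "_setup.exe")
PRETTYPARK_FILE = "files32.vxd"
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # clean default for exefile\shell\open\command

def check_exefile_command(value):
    """Return (hijacked, restored_value) for the exefile\\shell\\open\\command string."""
    # PrettyPark prepends FILES32.VXD so the worm runs before every .EXE launch
    tokens = value.strip().split()
    if tokens and tokens[0].lower().endswith(PRETTYPARK_FILE):
        return True, CLEAN_EXEFILE_COMMAND
    return False, value.strip()

def _parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections

def _basename(path):
    return path.lower().replace("/", "\\").split("\\")[-1]

def scan_win_ini(text):
    """Entries in the [windows] run= line that name ExploreZip or PrettyPark files."""
    run = _parse_ini(text).get("windows", {}).get("run", "")
    return [p for p in re.split(r"[\s,]+", run)
            if p and _basename(p) in EXPLOREZIP_FILES + (PRETTYPARK_FILE,)]

def scan_system_ini(text):
    """Entries in the [boot] shell= line other than Explorer.exe (all of them should go)."""
    shell = _parse_ini(text).get("boot", {}).get("shell", "")
    return [p for p in re.split(r"[\s,]+", shell) if p and _basename(p) != "explorer.exe"]

# Constructed sample files, not captured from an infected machine
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\FILES32.VXD\n"

if __name__ == "__main__":
    print(check_exefile_command('FILES32.VXD "%1" %*'), scan_win_ini(SAMPLE_WIN_INI), scan_system_ini(SAMPLE_SYSTEM_INI))
```

Feed it the real files and the exported command value from a machine you are cleaning; anything it returns is a reference to remove, and check_exefile_command gives the value to put back.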

This trojan has many aliases, like I-Worm.PrettyPark, Pretty Worm, PrettyPark and, the most recent and most common one, W32/Pretty.worm.unp.

W32/Pretty.worm.unp is almost identical to this worm and can be removed by following the same steps. What was discovered with this alias is that the trojan connects to a random IRC server chosen from a list of hosts, all on port 6667.


The trojan also listens on a random TCP or UDP port for data.
