How Does the Welchia Worm Infect My Computer?

Copies itself to the Wins directory under the System or System32 folder in Windows, usually:

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

NOTE: Svchost.exe is a legitimate, non-malicious program found in the System32 directory.

Creates the following services:

Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe

This service will be set to start automatically.
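The service names and file locations above can be checked against an exported service inventory. The following is an added example, not part of the original write-up; the record layout, the `triage` and `image_path` helpers, and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Indicators taken from the write-up above.
WELCHIA_SERVICES = {"rpctftpd", "rpcpatch"}
MASQUERADED_NAMES = {"svchost.exe", "dllhost.exe"}
# Assumption: %System% resolves to one of the two directories named on the page.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def image_path(raw, system_dir=r"C:\Windows\System32"):
    """Extract the normalized executable path from a service image-path string."""
    raw = raw.strip()
    quoted = re.match(r'"([^"]+)"', raw)
    if quoted:
        path = quoted.group(1)
    else:
        # Unquoted: cut after the first ".exe" so arguments are dropped.
        m = re.match(r"(.+?\.exe)\b", raw, re.IGNORECASE)
        path = m.group(1) if m else raw
    # A lambda avoids backslash-escape handling in the replacement text.
    path = re.sub(r"%system%", lambda _: system_dir, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def triage(services):
    """Return (service name, reason) findings for an exported service list."""
    findings = []
    for svc in services:
        path = image_path(svc["path"])
        folder, exe = ntpath.split(path)
        if svc["name"].lower() in WELCHIA_SERVICES:
            findings.append((svc["name"], "service name used by Welchia"))
        if exe in MASQUERADED_NAMES and folder not in SYSTEM_DIRS:
            findings.append((svc["name"], f"{exe} outside System32: {path}"))
    return findings


# Constructed sample inventory (not real host data).
SAMPLE = [
    {"name": "RpcSs", "path": r"C:\Windows\System32\svchost.exe -k rpcss"},
    {"name": "RpcPatch", "path": r"%System%\wins\dllhost.exe"},
    {"name": "RpcTftpd", "path": r'"C:\WINDOWS\system32\wins\svchost.exe"'},
    {"name": "Renamed", "path": r"C:\WinNT\System32\Wins\Dllhost.exe"},
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"{name}: {reason}")
```

The path check still fires when the service has been renamed, because it keys on a legitimate file name running from the wrong directory.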


Ends the MSBLAST process and deletes the file %System%\msblast.exe, which is dropped by the MSBlast.A worm. It first checks the operating system version, then downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:

The downloaded patch is saved under the file name RpcServicePack.exe. The worm deletes this file after it is run.

Before downloading or installing the patch, the worm checks specific registry keys to confirm that the patch has not already been installed.

The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. It uses a ping to determine whether a machine is active on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from it. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
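The network sequence described above (a probe on TCP 135 or 80, then a connect-back from the probed host on TCP 666-765, then a TFTP transfer) can be correlated in flow logs. This is an added detection example, not part of the original write-up; the flow tuple layout, the 120-second window, TFTP on its standard UDP port 69, and the sample flows are assumptions.

```python
EXPLOIT_PORTS = {135, 80}       # DCOM RPC and WebDAV, per the text
SHELL_PORTS = range(666, 766)   # connect-back range 666-765, per the text
TFTP_PORT = 69                  # assumption: TFTP on its standard UDP port
WINDOW = 120                    # assumption: correlation window in seconds


def correlate(flows):
    """Flag hosts that call back to a machine that has just probed them.

    flows: iterable of (ts, src, dst, proto, dport) for initiated connections.
    Returns {(prober, probed_host): {"shell_port": int, "tftp": bool}}.
    """
    probes = {}                 # (prober, target) -> time of the latest probe
    hits = {}
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport in EXPLOIT_PORTS:
            probes[(src, dst)] = ts
            continue
        key = (dst, src)        # reverse direction: probed host -> prober
        probed = probes.get(key)
        if probed is None or ts - probed > WINDOW:
            continue
        if proto == "tcp" and dport in SHELL_PORTS:
            hits.setdefault(key, {"shell_port": dport, "tftp": False})
        elif proto == "udp" and dport == TFTP_PORT and key in hits:
            hits[key]["tftp"] = True
    return hits


# Constructed sample flows (private addresses, not real traffic).
FLOWS = [
    (0, "10.0.0.5", "10.0.0.9", "icmp", 0),
    (1, "10.0.0.5", "10.0.0.9", "tcp", 135),
    (3, "10.0.0.9", "10.0.0.5", "tcp", 707),
    (4, "10.0.0.9", "10.0.0.5", "udp", 69),
    (5, "10.0.0.7", "10.0.0.8", "tcp", 80),     # ordinary web request
    (6, "10.0.0.8", "10.0.0.3", "tcp", 700),    # not aimed at the prober
    (500, "10.0.0.8", "10.0.0.7", "tcp", 700),  # outside the window
]

if __name__ == "__main__":
    for (prober, host), info in correlate(FLOWS).items():
        print(f"{host} called back to {prober}: {info}")
```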

Removing cvlu.exe

I. Click Start > Run and type MSCONFIG. On the Startup tab, clear the check mark (V) next to CVLU.EXE. Then note the path where the CVLU.EXE file is located. That is the parent file of the virus.
II. Press the CTRL+ALT+DELETE key combination once to open Task Manager. On the Processes tab, kill the CVLU.EXE process.
III. Delete the CVLU.EXE file at the location shown by MSCONFIG earlier. Don't worry, the virus is already inactive now.
IV. Delete CVLU.EXE on the removable disk, then delete AUTORUN.INF.

After that, copy all your data from the removable disk to a folder on the hard disk, then format the removable disk. Copy the files back. Done.

How do I determine if my BlackBerry is "unlocked"?

From BlackBerryFAQ

To determine if your BlackBerry is "unlocked" for use on carriers other than the one for which it is branded:
1. On your BlackBerry, go to Options > Advanced Options > Sim Card.
2. At that screen type MEPD (see note below) on your keyboard. A new menu will pop up.
  • If your BlackBerry has a SureType keyboard (71xx and 81xx devices) you will need to double-tap the P, so the actual keys entered become M E P P D.
3. Look for Network in the list.
4. If your device is "unlocked", it should say Disabled or Inactive. If it says Active, it's still locked to that carrier.

[Image: locked device (locked.jpg)]

[Image: unlocked device (unlocked.jpg)]

Asphalt Concrete Layer (Laston)

An asphalt concrete layer is asphalt concrete with continuous gradation; the asphalt concrete layer (laston) is also often called AC (Asphalt Concrete), ...