Portable Antivirus & Security Blog

Redirect to Data0.Net ...

2010-09-20T08:44:00.000+08:00

This blog will be automatically redirect to www.data0.net.

Move to Visual Basic 2008

2010-03-09T18:04:00.000+08:00

Microsoft Visual Basic and C++ 2008 is very powerful IDE for VB fans. After developing a few tools, I decided to change my Portable Antivirus code to VB2008 make it much stable and powerful. 50% of the code has been converted so far. No more VB6, its too old and almost 12 years already.

Unpacking AutoIt Script

2010-01-08T11:30:00.000+08:00

AutoIt is a known BASIC-like scripting and self-contained into UPX packed executable file. AutoIt also has been known to be used by virus author to create malicious program and spread it through all over network or media storages.

Here it is I show a sample that I've got from somebody who sent it to me. Most antivirus is already detected as W32/Almanahe.B. It seem this virus is still in the wild on some country. Ok, let focus on the topics. On this tutorial, let assume that you already have a sample of application or malware sample that compiled with AutoIt.

How do we know that it is an AutoIt file?
Its pretty simple to detect this kind of file. For me, just load up your sample with Notepad.exe. and search for 'AU3!EA' keyword. It will jump to the bottom of the file and there is some 'garbage' thing started with 'AU3!EA' character. And that was and encrypted AutoIt script that we want to decrypt. Lame way but fast to detect it.

The tools that we need for this dynamic analysis/reverse:
1. PEiD
2. myAutToExe.exe

All you need to do, download the tools above. Run PEiD and load-up your AutoIt sample file into it. You will see something similar with the picture below:

I use the sample malware from the people sent it to me. The PEiD will look show you some basic information and said it was compiled with Microsoft Visual C++ 7.0.

Next, run your myAutToExe.exe and drag and drop your sample AutoIt file into the top textbox. It will automatically start analyzing the file and extracting the script.

After the process it will look like this (picture above). All processing data will be saved as log, source code and resources file.

There it is, a sort file with the source code of the malware (or program). The source code file will be saved as .au3 extension file and can be viewed with any text editor. Starting from this point we can analize this piece of malware easily without needed to using complicated way (static analysis).

Here it is a screen shot of the source code that we already have. Seem like this people trying to expose itself by inserting their information into the source code. LoL.

Since this AutoIt script can be readable by any one, there is a few AutoIt script malware that I found that already obfuscated to prevent analyzer from easily trace their code. I'll explain this type on next blogpost...

Malware Playground

2009-11-29T22:34:00.010+08:00

Around 3 month ago, I was starting developing a sandbox tool for easy to analyst any of malware sample that can generate at least basic information from the sample. I just named it Malware Playground as its work to 'play' with almost all Windows programs within it. Sound funny like a kids playing with knife but wearing a shield. The program itself has been developed using Microsoft Visual Basic 6 and working with more than 20 other programs.

At this moment, this program includes all required features for doing malware analyst. Here it is some features:
+ Save report as text and HTML format.
+ Analysis can be started at your own choice such as you can dump process memory instead of analyst all of the function (Registry, Dump, Handle, String, Port, Files and Folders, AV alias and so on).
+ Work with Windows platform (on VMWare or VirPC).
+ Work together with Sandboxie.
+ Drag and drop and warn before start analyzing it.

Malware Playground is still in development and some advanced features still remains in progress. Here it is list of features that currently in development:
+ Network activities
+ Process activities
+ Smart suggestion and recommendation technologies.
+ Add more AV alias detection
+ Security Risk Level perimeter.
+ Provide an official website for useful information and services.
+ Integrates with web interfaces that allowed user uploading their malware sample.
+ Save all known threat object into database.
+ Mapping all origin location for the malware and visualize on global map.

While this useful tools is still in progress, I was unable to provide a fully compiled program to give a test but you can leave a comment and suggest for more features.

iPhone Worm - Ikee

2009-11-11T11:55:00.003+08:00

While surfing on the internet at Bayu Beach Resort, Port Dickson, found something interesting on the internet. It is iPhoneOS.Ikee worm. This kind of virus is rarely found especially on Apple iPhone. The worm do some basic function such as spreading via SSH and changing wallpaper as their payload.

During infection, this little worm will change victim wallpaper to Rick Astley image (80's singer). The worm has been written by Ashley Town a 21 years old unemployed programmer from Wollogong, Australia.

Upon executing the virus code, the worm will scan an IP address using default SSH configurations. IP range may be vary at random pool as well as copying it self to the startup folder and do some payload by changing default wallpaper. The worm source code also has been reveal as the picture below show some function that change the wallpaper and various commented code.

More detail report can be found here.

New Portable Antivirus on few final stage!

2009-10-15T21:49:00.000+08:00

This week I was updating new Portable Antivirus code with some user friendly features. This is one of the most advanced anti virus made by my self. Here it is a few change I have made this week for Portable Antivirus project:

+ New name; now it is Data0.Net Portable Antivirus.
+ Better system tray icon & pop up message.
+ Support multi language including Bahasa Melayu.
+ Speed up database reading for fast scanning.

Those code make me sleepless but its worth it. I'm happy to finish it but still got few more step. I need to finish up my beta sandbox tools called 'Malware Playground'. Sound funny but it could be an advanced sandbox soon.

Cyber-Communalism

2009-10-02T11:20:00.000+08:00

Since a few years ago, Malaysia, Indonesia and other south east Asian country have make some mistake that generating communalism or in easy word 'big misunderstanding' whether about culture, political, terrorism or religious. In cyber world also get the impact of this misunderstanding. Indonesian could call Malaysia as 'Malingsia' while Malaysian people could call them as 'Indonesial'.

communalism art 

Internet alone we can find so many articles, libel, forum, blog and many more about this issue (Example 1). Wikipedia also has been describe details about Communalism. This will give impact to all Asian country especially between Malaysia and Indonesia. As an example below show you many website from Malaysia has been defaced because of this issue:

Most of this issue produced by local/foreign media making the conflict more complicated and people will think different and negative perception each other by just read or hearing rumors. As I wrote this topic, there was the latest hot issue such as Pendet dance and Island. While the real thing is, there is none of this issue are truth.

Interesting about W32.Virut variant

2009-09-09T20:46:00.007+08:00

Within last 2 month, I continuously reading and made some RCE for well known viruses call W32.Virut or other malware analyst named it as W32.Sality. This is not a new virus. It is already detected around 2006. Since last 2 month I received more than 20 report from my friend around Malaysian about this virus that already infecting their labs and PCs.

W32.Virut is a parasitic file infector, polymorphic and backdoor capabilities. Once it has been executed it will inject its code into winlogon.exe process and create a new thread in that process. But its depend on version of the variant. Other variant injecting their code onto smss.exe and csrss.exe process. It infects all EXE and SCR file type by appending to the last section of the host file and set it entry point to point to viral code. So, any execution from the infected file will run the viral code first before passing to host code. W32.Virut prevent its execution from running on Virtual Machine such as VMWare or Virtual PC and make it difficult to trace its presence, thread and processes. Also, its polymorhic making my sandbox generate inaccurate result and need manually analyst.

From Picture 1, it is clearly shown that the string inside the W32.Virut is working its jobs such as adding its process list to the Windows Firewall, Disabling System File Protection, Modify HOSTS file, contacting external server address and as well as Windows API pointing to Windows DLL files.

W32.Virut has already generate a few hundred variant generated from its polymorphic technique. Making it hard to detect with a simple static Hash detection.

Solution: Repair & Cleaning
There is many tools out there for quick repair your infected file. One of the best tools is AVG Win32/Virut Removal. It free to download & use.

RCE - W32/Autorun.82944

2009-06-06T16:34:00.006+08:00

A few days ago I have discover a virus that spread using common known media, USB Flash disk. This virus seem to be the same as other malware and it was compressed with PECompact utilities. The worm itself has been written using Microsoft Visual Basic 6.0. This worm is commonly known as W32/Autorun.worm!n (McAfee), TR/Crypt.PEPM.Gen (Avira), Win32.Worm.VB.NXY (BitDefender).

File Information

File Name: various
Size: 82,944 Bytes
Type: Trojan
Static File: Yes
MD5 Checksum: 22b52c23e6dd2809733e011a8eedab03

File Name / Process File Name

This virus commonly use several file name to spoof it self as a folder. Here it is some sort of file name has been use by this malware:

1. romantic.exe
2. forever.exe
3. System Volume Information.exe
4. love.exe
5. task.exe
6. userinit.exe
7. system.exe
. autorun.inf

There is 2 common process file name used by this worm:
1. userinit.exe
2. system.exe

Startup / Registry Alteration

The worm altering Windows registry as a startup point everytime Windows load.

Key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=c:\windows\userinit.exe

Other modified registry key is:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoDriveTypeAutoRun"
"NoDriveAutoRun"

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
"ShowSuperHidden"
"Hidden"

Payload

The worm seem to overwrite a %systemroot%\system32\drivers\etc\hosts file and set every unwanted domain name to pointing to localhost (127.0.0.1) IP. Most of the listing are computer security website including antivirus, firewall and download site.

The worm also contain some DDoS attack code which will send a random packet to the target.

Programming

This virus has been created by people who was new to the programming especially Visual Basic 6. Take a look some of their codes, it uses many timer to use their malicious function thus, making this worm unstable and taking alot of CPU usages.

Other Analysis:

Here it is some extracted string from the compiled Executable file.
Download here

Other analysis:
Analysis from Virus Total

VDEF updates for Portable Antivirus is available to download.

New Microsoft Windows 7 RC Launch!

2009-05-06T23:57:00.005+08:00

Just a few minutes ago, I've read google news that Microsoft is already launch a new Microsoft Windows 7 Release Candidate (RC). Well, I'm still not finish yet exploring Windows 7 Beta Build 7000 but this is the chance to get free and unlimited licenses number from Microsoft product. Gotta get it now.

To download Microsoft Windows 7 RC click here!

Are you with Windows 7?

2009-05-03T00:33:00.005+08:00

After 4 month of using Microsoft Windows 7 Ultimate, I think there is much more improvement compared with Windows Vista Ultimate. Only a few minor bugs I found on Start Menu and visual effect thing. Well, as I read a news from ComputerWorld, Windows 7 could be lunch this August but still no specific date. Hope it much better after the first release.

Windows 7 taskbar have totally different compare with other Windows version. When many Windows opened, taskbar will appear only an icon with a great stable thumbnail preview. Also, when user try to open many Windows Explorer, all the Windows will be grouped into one icon on the taskbar until user over their mouse cursor on it to choose which Window they want to use.

Well, here it is a few minor uncomfortable thing/bugs I found my self on Windows 7 Ultimate Beta Build 7000:

1. Start menu scroll bar some time cannot be scroll or dragged by mouse.
2. In some cases, the wallpaper disappear and leave only plain color.
3. When I lock the Windows and the logged in back, the screen resolution reset to the recommended setting (another rarely situation).
4. Some old application (mine was Macromedia Fireworks 8) still can't totally support Aero/transparent window effect.

Data0.Net Temporary down!

2009-04-18T21:31:00.002+08:00

This week Data0.Net and several website has temporary down due to the change of new server from Germany to Malaysia. This may take a week to transfer all the data. Hopefully, it work better than before.

You together with Conflicker!

2009-04-01T22:52:00.002+08:00

Mmm... I have already monitoring this worm since it it was first version... I think around the end of last year. This worm have some unique technique to spread itself along with their payload. After I discover this worm hiding itself on 'recycler' folder on somebody USB flash drive. On some version this worm cannot be just delete to remove it. It will need special permission in order to remove it completely. But, once its running on your PCs with network. Your network could be clogged because this worm has an abilities to generate about 500 domain name by itself. The worm is not designed by non-professional programming. This 'guy' have a programming skill and the worm was designed to create a huge network clog. Quite interesting to me.

The complete and detailed analysis can be found from the link below:

http://mtc.sri.com/Conficker/addendumC/index.html

What is Heuristic?

2009-03-29T18:13:00.005+08:00

Many people ever heard about Heuristic detection or in other name some security product called it TruPrevent, AHeAD as well as Portable Antivirus called it Alternator Heuristic Technology (AHT). In simple word, Heuristic technology is a method to determine if the program is similar to the previous detection of common viruses.

Here it is a good explanation about Heuristic taken from Wikipedia:

Heuristic (/hjuːˈrɪs.tɪk/) is an adjective for methods that help in problem solving, in turn leading to learning and discovery. These methods in most cases employ experimentation and trial-and-error techniques. A heuristic method is particularly used to rapidly come to a solution that is reasonably close to the best possible answer, or 'optimal solution'. Heuristics are "rules of thumb", educated guesses, intuitive judgments or simply common sense. Heuristics (hyu-ˈris-tiks) as a noun is another name for heuristic methods.

In more precise terms, heuristics stand for strategies using readily accessible, though loosely applicable, information to control problem solving in human beings and machines.^[1] Forensic engineering is an important tool in tracing defects in products and processes. The Heuristic Model or commonly referred to as the (gut-level approach) is a simplified method of decision making that put emphasis on internal personality attributes of the decision maker.

There is several way for making Heuristic detection:

Detecting double extension file
Detecting based on PE-Section hash
Detecting based on Resource Section
Detecting based on Compression method
Detecting based on String
Detecting based on API

and many more...

Data0.Net Problem?

2009-03-20T20:59:00.004+08:00

Well, there was almost 2 weeks already that my data0.net domain went down. But this is not affected to all country and area. I was informed that TMNet was trying to do something with undersea cable that connected to the Europe. Data0.Net was currently hosted at Datacenter located in Frankfurt, Germany.

I was reported that a few major domain also affected such as www.syok.org, www.asiahoster.com, www.lombongit.net and so on.

AsiaHoster.com Web Hoster!

2009-03-06T09:58:00.003+08:00

Well, after a few weeks i'm keep monitoring this web hoster. It seem that this provider should take care very much about their server since there is many domain shared into one server. This because the server always down 3-4 times a weeks and sometime 1 time a day. It may take around 1-3 hours downtime.

As we can see below, the picture that cause of server down.

It seem someone from the shared hosting use lot of memory that may cause of the server down and all people on the shared domain loose their advantaged with unfair usage. AND, its keep low. I don't know how much domain name parked on this server.

Little detailed:

The main datacenter seem located at Frankfurt, Germany.

Here it is a few domain name list known shared with ns1.asiahoster.com and ns2.asiahoster.com:

http://ahmadfaidhi.com/

http://blog.ahmadfaidhi.com/

http://fairuji.nasz.my/

http://hujan.org/

http://image.syok.org/

http://rekreasikota.summitmy.com/

http://rocker.smktip.com/

http://savoc-nru.syok.org/

http://syok.org/

http://torrent.syok.org/

http://www.ahmadfaidhi.com/

http://www.asiahoster.com/

http://www.fairuji.nasz.my/

http://www.hujan.org/

http://www.indiefanzine.com/

http://www.jejakpuncak.summitmy.com/

http://www.limemyth.com/

http://www.mykjkk.com/

http://www.nasz.my/

http://www.penfluid.com/

http://www.summitmy.com/

http://www.syok.org/

Some of the website listed above is already change their server due to the lack of server response.

Google Problem? Turn all result to "This site may harm your computer"

2009-01-31T22:52:00.010+08:00

Today and a few minutes ago, i'm trying to search some plugin for my Wordpress pages on Google Search but suddenly all search result turn into "This site may harm your computer". As you can see below is an images from the result.

Then, if you click on one of those link it will turn result that says "Warning - Visiting the website may harm your computer!". See the images below.

If we click to all link came from the result it will give a warning of a fake malware. This also include search on images. All the link will return result from the following URL example.

http://www.google.com.my/interstitial?url=http://wordpress.org/

and another error images a few minutes ago...

I guess maybe Google people are trying to test something on the server in real situation...

"Downadup" worm infections skyrocket

2009-01-24T22:16:00.000+08:00

The number of desktops and servers infected by the "downadup" worm has skyrocketed to nearly nine million, according to security firm F-Secure.

That is an increase of more than six million since Thursday last week, when F-Secure warned that the worm was affecting corporate networks and spreading rapidly.

The worm, also known as "conficker", is a large family of network that causes various problems, including locking network users out of their accounts.

F-Secure said in a blog that the spread of the worm was "amazing" and that the situation was not getting better.

The firm ascribes the rapid infection rate to the fact that there are several different variants of the worm.

The most common variant F-Secure has been tracking is creating 250 possible domains each day, the firm said.

ComputerWeekly.com

What is a computer virus?

2009-01-05T23:29:00.004+08:00

To put it simply, a computer virus is just a small computer program that can replicate itself and place itself on a computer without the computer user knowing it. They typically come attached to other files. These files are typically executable files with a (.exe) file extension. People often use the term virus to mistakenly label other troublesome programs that are really malware or adware. There is a difference. Most malware and adware do not replicate themselves and therefore are not technically considered viruses. However, these days, malware is a far more common type of infection. Other things that can infect a computer but aren't really viruses are things like computer worms and Trojan horses.
Trojan horses are very common these days. As their name implies, they often sneak into a person's computer because they come packaged as a useful program like a screensaver or something. Then, once they are installed on the computer, they open up ports (like a secret door to the internet) on your computer and allow other types of infections to sneak in. These other infections come in totally unannounced. You won't realize they are there until your antivirus program happens to detect them. By then, it is possible that their intended damage has already occurred.
This is why it is important to have a firewall on your computer. The firewall increases the computer's security by closing all of these doors and locking them. The firewall only allows doors to open that are used by common programs like web browsers and email. For another port (door) to be opened, the firewall program usually asks for permission from the computer user. That's why you get the messages popping up in the lower right hand corner of your computer asking if it is okay for something to happen.
Another type of infection is the computer worm. Computer worms are like viruses except they do not come attached to any other files. These worms can move from computer to computer across a network. They move from computer to computer by going through open ports. This is the biggest benefit of having a firewall to keep those ports closed and locked. The internet is one giant network. So, just by being connected to the internet, your computer is exposed to this type of infection.
Adware is another type of program all together. Typically, these program come bundled with other software as well. When downloading some music sharing software, if you read all the fine print you would see that the reason that software is free is because it comes bundled with an adware program. The adware program will make pop ups come up on your computer. It might also modify your internet browser so that your search results are influenced in some way that benefits the author of the program.
I can honestly say from experience that you can guarantee getting an infection by using your Windows based computer to browse the internet regularly if you do not have an adequate firewall on your computer. The firewall is far more important than your antivirus software itself. This is one of the most misunderstood computer security issues among the general public.

Download Portable Antivirus

2009-01-04T08:44:00.003+08:00

[ Download Section temporary not available ]

Windefender2009 – not an Antivirus

2008-12-19T15:16:00.007+08:00

The WinDefender2009 infection starts any of three ways. You can go to a corrupt porn web page, a corrupt website that promotes gambling, or you can open an attachment in a spam email. Any of those three ways will get you infected with WinDefender2009. On the porn and gambling related sites, WinDefender2009 will pretend to be a video codec or an ActiveX control.

WinDefender2009 is new on the wild web. It is almost a funny thought that a fake antivirus has upgraded itself, but that is the alarming reality. Once WinDefender2009 has its hooks into your computer you start getting alarming pop-ups tell you that your computer is infected. These pop-ups make the claim that only WinDefender2009 will remove your infection. We have seen WinDefender2009 before. WinDefender2009 is a clone. The names WinDefender2009 has been known as in the past are TotalSecure2009, TotalSecure 2009 and Total Secure 2009.

Once you click on the pop-ups your computer goes to a website with a fake scan. This fake scan will tell you files, which are really part of your operating system, are your infection. Sometimes the scan can name hundreds of files. This can be alarming for the uninformed computer user. We all want our computer to be healthy and work properly. So when faced with the possibility of such a large infection, the uninformed computer user can fall for the scam and purchase the full version of the software when suggested after the scan.

When WinDefender2009 is “purchased” you have traded your credit card information in exchange for a bundle of spyware, malware and adware. So you have paid for an infection. No just an infection though--you have paid for an infection that is difficult to remove. The spyware will monitor your behavior for personal information, log ins and passwords, which it will send to the original programmers. The adware will monitor your browsing behavior and present you with pop-up ads for products and services it deems relative to your interests and browsing habits. Your pop-up blocker will be useless against these pop-ups. In addition, the malware will run in the background and affect your computer’s performance, making it slow to start up or shut down. Your system tray icons, background and screensaver will be changed. Legitimate system files, registry keys, and DLL files will go missing, causing you to get the “Blue Screen of Death.”

WinDefender2009 is difficult to remove manually. If you miss any file, WinDefender2009 will reinstall itself on system startup. To deal with WinDefender2009 you need an antispyware program, not an antivirus. If you already have one, but you still have WinDefender2009, you should contact the makers of your program. In most cases the software companies will make a fix for any new threats their users have found. If your program claims to have removed WinDefender2009, yet it fails to do so, look for an antispyware program with a 100% removal guarantee. With new threats it can take months for all antispyware companies to come up with effective removal tools.

7 Steps to Get the Best Online Internet Security

2008-12-18T14:38:00.003+08:00

The concerns of Internet Security have grown today like never before. Despite the continuous attempts of Internet community, the threats are increasing and getting more and more vicious by each passing day.

There are many Internet Security tools available in the market. Some of them are outstanding. But still, none of them is perfect. It can't be. The best protection is in your own hands. Follow a disciplined approach while using Internet services.

1. Be careful about using MS Outlook. Outlook is more susceptible to worms than other e-mail programs, unless you have efficient Anti-Virus programs running. Use Pegasus or Thunderbird (by Mozilla), or a web-based program such as Hotmail or Yahoo.

2. Take special precaution while dealing with email attachments. Be cautious about attachments with a double extension, such as .txt.vb or .jpg.exe, as the system will only recognize the extension to the extreme right, and run the file as such. Double extensions are often a good indicator that the file is malicious.

3. Do not use disks that other people gave you, even from work. The disk could be infected with a virus. Of course, you can run a virus scan on it first to check it out, but AV programs are not 100% effective.

4. Do not download software from just any website. If it is a reputable site that you trust, you are probably safe. The threat is not only from software; even other file types like .txt, .doc, .xml can have infections.

5. Be careful when surfing. You might get a malicious script from a webpage without even getting a warning. Tweak your Browser settings for maximum safety.

6. Try to balance paranoia with common sense. Some people get really weird about viruses, spyware, etc. It's just a computer! Back up your data and follow these steps, and it shouldn't be a big problem.

7. Setup your download manager to scan a download first before you open it. When you click to download a file from Internet, generally browser gives two options. To save it on the Disk or To Open the file with the default program. Always choose the first option, because, it ensures that the download is first scanned with your antivirus, before saving it on the disk.

10 Tips to Make your Windows Computer Faster

2008-12-16T15:09:00.004+08:00

Your computer running Windows isn’t running in the same speed that it used to run when you first used it. It’s slower, crappy, takes a while to start and tests your patience like anything. There are many reasons for this, let’s try fixing up a few things on your slow Windows PC:

Slow Start Up
There can be a variety of reasons to Windows loading slow during start up. Go to Run, type msconfig and hit enter. Under the ‘Start Up’ tab, uncheck the unwanted programs and press OK. Things should be a bit fine the next time Windows boots.

Another program worth mentioning here is StartUp Delayer which will help in setting after how much time programs should be loaded after Windows boots. For instance, you could set your instant messenger program to load 50 seconds after Windows starts up.

Slow Loading Start Menu
If the Start Menu items are loading slowly, you can open the Registry Editor by typing in the Run menu ‘regedit.exe’ and pressing Enter. Go to HKEY_CURRENT_USER\Control Panel\Desktop. Look for MenuShowDelay, and double click to edit the value. The lower the number specified, the faster the Start Menu will load.

Slow Right Click Context Menu
Probably the Windows Right Click menu on your computer is loading slow because too many programs added unwanted entries there. Just download this program called Mmm, install it and then modify your context menu to remove unwanted items to speed it up.

'Send To' Menu Slow Send To Menu
If the Send To menu loads slowly, you can type ’sendto’ in the Run Dialog, and remove unwanted items in the Explorer Window that appears. This should add some speed to it.

Slow Defragmentation
The Windows Defragmenter can’t get any slower. You need to have an alternative to the Windows Defragmenter, and Defraggler is just one of the best ones available in the market. It’s free, and works like a charm and can speed up defragmentation manifold. For some alternatives, see Five Free Programs to Defragment your PC.

Slow loading My Computer Window
my-computer.jpg If the My Computer Window loads slowly, in the Explorer Window, go to Tools>> Folder Options>> View and uncheck ‘Automatically search for network folders and printers”

Slow loading Add or Remove Programs Applet
This is one of the most annoying piece of programs present in Windows, it takes ages to load if you have a considerable number of programs installed on your computer. You can either use the all-in-one CCleaner for this purpose, or get MyUninstaller that comes as a speedy replacement for Add or Remove Programs.

Slow Ending of Unresponsive Programs
If you’ve clicked on ‘End Task’ if any program is running unresponsive, you might have noticed that the program is not terminated immediately. You can alter this by going to Run>> regedit.exe>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ and change this value to 1000.

Disable Animations and Appearance Overhauls to maximize performance
If you’re a serious performance junkie, you probably won’t bother about eyecandy. Go to System Properties in the Control Panel. Click ‘Advanced’, then ‘Performance’ and click ‘Adjust for best performance’. This might boost your PC’s performance up a bit.

Additional Tips:

- Always keep your computer clean. Remove Junk and Unnecessary registry entries. Use CCleaner for this purpose, one excellent tool that just does what it says.

- Don’t keep installing software. Install a program only if it really serves you a purpose.

- Keep as less programs as possible running on the System Tray. This essentially means reducing the number of programs that start during Windows start up.

10 Tips: Prevent from Viruses

2008-12-14T22:01:00.001+08:00

1. Regularly install updates for your anti-virus software.
New viruses are constantly appearing - unless you have updated your software, it may not have the necessary information for handling new virus types and variants. When you install an update, new entries are added to the software's virus definitions database so that suspect files can be recognised and dealt with. F-Secure issues a new anti-virus update daily, and unless you change the settings, will remind you every seven days that you should update.- normally, every couple of weeks should be considered the longest you should leave it. Make a special effort to update when a new virus "hits the headlines".

2. Think twice about using Outlook Express for your e-mail.
Outlook Express is too closely bound up in its workings with Internet Explorer and your access to the World Wide Web to maintain adequate security. Using more self-contained e-mail client* software, it's pretty well impossible for a virus to enter your computer except through your opening an infected attachment. With Outlook Express, simply through an e-mail being displayed in the Preview Pane you can be taken straight to a website from which infected script is loaded up on your computer. A patch has been issued by Microsoft to deal with this glaring security hole, but this has been severely criticised by independent evaluators. For more information, click here. It's much better to use fully-fledged e-mail client software, such as plain Outlook, First Class Conference etc. for handling your e-mail.

* The client-server relationship is something which you'll keep coming up against when you use Internet services - your computer needs the appropriate client software installed so you can use the services of particular types of server - e-mail, ftp (file transfer protocol), web. A server is just a "dedicated" computer - one which serves a specific purpose in a network.

3. Don't open e-mail attachments unless you know who's sent them and what they are. Change your view settings so you can see file extensions.
This is much more important with some types of file than with others - you can recognise different file types by the extensions they have. .EXE, .COM, .PIF, .JS, .VBS, .SHS, .SCR, .DOT are some of the most notably dangerous. Double file extensions - for example "readme.txt.vbs" - should always be treated with suspicion.
Look out also for oddities in the header information of e-mail messages - a sender you've never heard with a subject such as "sorry about yesterday"; a blank subject header.

On many computers, the default setting means that you see file names without their extensions. So, suspect attachments won't be immediately evident. To set your computer so that you see file extensions:open My Computer or Windows Explorer. From the View menu, select Options, then click the View tab. Make sure that "Hide file extensions for known file types" isn't checked.

4. Never leave a floppy disk in the drive when you start up or restart your computer.
This is the standard, old-fashioned pre-Internet way of passing on viruses. By default, your computer looks first for its operating system to the floppy disk drive, and only then to the hard disk. So, if an infected diskette is on the drive, off goes the virus when you boot up. Always reformat old disks before you reuse them. A virus may have been lurking on it for years. If you have the confidence to change your computer's BIOS settings, it's a good idea to alter the boot sequence to C: A: This will set your computer so that it refers first to the hard disk instead of the floppy drive when it boots up.

5. CDs and Zip disks can carry viruses too.
Now that Internet-transmitted viruses are far more popular than disk-transmitted ones, this isn't all that common. But it remains a possibility! You can run an anti-virus scan on any kind of diskette - this never does any harm.

6. If your anti-virus software reports a suspect file, take all possible action before you close down your computer.
Familiarise yourself in advance with your anti-virus software so that you know what decisions to make in an emergency. It's at the stage of booting up again that a virus file can pass all of its nastinesses into your operating system, and into your system registry.

Whatever anti-virus software you're using, you're likely to run into situations where a file is recognised as suspect, but contains a new or unusual virus which isn't included in the software's virus definitions database. If this happens you will be told that the suspect file can't be disinfected, and offered the choice to rename or delete it. Delete unless you have very good reasons for thinking it could be a wanted and important file.

F-Secure users in this situation may find it something other than intuitive that you must press the Back button to return to the screen where, when disinfect has failed, you can choose the delete or rename alternative. Don't press the Finish button!!

7. Make sure you have a system start-up disk to use in emergencies.
If a virus does manage to infect your system, it could mean that you can't load Windows. Without a start-up disk, which will be different for different computer models and operating systems, you - or anybody you call on for help - will have a much harder time rescuing your system in the event of failure. This applies whether or not failure is due to a virus infection. If a start-up disk wasn't supplied with your computer, follow the appropriate link (Internet connection required) to Microsoft's instructions for making one: Windows 95/98 ;Windows ME; Windows 2000; Windows XP.

8. When using Microsoft software, always make sure that you keep macro virus protection enabled.
Macros are stored sets of instructions which are used within Microsoft Office applications to automate complex or repetitive tasks. Unfortunately macros can also be used to introduce viruses. Macro virus protection is set from within each of the Office software applications:
Office 97: from the Tools menu, select Options, then General. By default protection is enabled - don't switch it off!
Office 2000/XP: go to Tools | Options | Security. With Macro security set to medium, Word warns of macros in a file and prompts whether you want to disable them. High security automatically disables all "unsigned" macros.

If you receive a macro warning when you open a Microsoft Office file, always select the "disable macros" option unless you expect the file to contain a macro and know that you can trust it.

9. Only download files from trustworthy websites.
Always avoid downloading files from bulletin boards or public newsgroups - these are particularly likely to be used by virus writers to distribute their new viruses. When downloading software updates (for instance drivers, multimedia players etc.), go to the manufacturer's official website. Be watchful!

10. Never pass on a virus warning without checking first yourself that it isn't a hoax.
Hoax virus warnings can be more than just a nuisance - they may be almost as dangerous as viruses themselves. For example, you may be instructed to delete a file from your computer in order to prevent a virus infection, when in fact the file is an essential system file. Before passing on any virus warning message, check on the specific virus you're being warned about at the F-secure website, or the website of any other producer of reputable anti-virus software.

U3 - Portable USB Apps Platform; Secure your USB Drive

2008-12-13T17:26:00.005+08:00

It's official, the floppy drive is dead. Indeed, Dell and a plethora of other PC manufacturers have simply stopped including the decades-old drive, thanks in no small part to the smaller, lighter, and faster USB flash drive that can carry over 1,000 times the standard 3.5" floppy. We've watched the evolution of the portable data disk, but now it's time to take that evolution a step further.

Enter the U3 smart drive. Co-developed by SanDisk and M-Systems, the open-standard U3 platform allows users to take their applications, not just data, with them to any USB-equipped Windows PC and to launch them with as little as two clicks. True, while applications have been tweaked by users to run directly off a flash drive, applications written for U3 smart drives don't require a geek to set up, and are 100% legal to operate.

Two Letters for the Price of One
The first time we plugged our retail Geek Squad U3 Smart Drive into the computer, Windows automatically recognized the drive and set the Add New Hardware wizard to work, identifying not one but two drives taking up two drive letters.
A small, 4MB read-only system partition of the U3 drive pretends to be a CD-ROM drive, while the data partition shows up as a regular flash drive. Because Windows is led to believe that the system partition is a CD, U3 takes advantage of the AutoPlay feature in windows to automatically run the U3 LaunchPad and unlock the data partition of the drive. It should be noted that U3 will run on any Windows 2000/XP system, regardless if the user has administrative rights or not.

After the LaunchPad's animated splash screen disappeared, we were greeted by an Oddcast talking presentation of the U3 platform's features and a quick intro of how to use the LaunchPad and download additional applications. Kudos goes to whoever thought of using the Oddcast system for a quick intro of how to use the drive, as it provides a user-friendly way for new users and computer-illiterate types to quickly jump into using the drive.

Apps Ahoy!
The LaunchPad is the heart of the U3 smart drive, and bears a striking resemblance to the Windows XP start menu. Accessed from a U3 icon in the system tray, it provides quick access to applications and documents installed on the U3 smart drive, as well as mean to manage them.

The left side of the LaunchPad lists the installed applications and next to their icons, with a convenient Download Programs link underneath that links to the U3 software catalog. The right side of the LaunchPad contains links to open the data partition in an explorer window, manage installed apps and the drive itself, and get help.

Programs can be either downloaded via the built-in web browser (barebones Internet Explorer), or installed from a file on the local computer. In the case of the Geek Squad drive, we are given a third option to download software from the Geek Squad's software catalog (actually hosted by M-Systems, one of the U3 co-founders), which is just the three applications and intro that came preloaded. Not that it matters to most users, but there are two file-types associated with the U3 platform. *.u3i is an XML-based text file that defines the application's version, download path and working parameters, whereas *.u3p is a zip file containing everything needed to run an application.

Most users will find themselves downloading new programs from software.u3.com. While somewhat quirky in design, the site organizes the various applications into 9 different overlapping categories that can then be sorted by name, price, or download availability. Quick links to download freeware or trialware allow users to quickly try software before making a purchase decision. A Top-5 Downloads and Coming Soon section also help to see what new applications everyone's raving about.

While some of our favorite applications like Dmailer, Thunderbird, Trillian, Winamp and McAfee AV are already out for download, it's quite interesting to see what's headed to the platform. Skype's PC to Phone VoIP service, Firefox's superior web browser, PocketSearch's file content search, and PocketCache's snapshot-based backup system are sure to make a splash when they become available, and there's even a DVD authoring program headed for the drive. What strikes us as odd however is that we couldn't find any word processing applications mentioned yet, so for now we'll just have to fill the gap with Portable OpenOffice.

Once a U3 application is installed on the drive, you can specify the order in which it appears in the LaunchPad, and tell it to start every time the drive is plugged into a computer. Detailed statistics on the version, footprint of the program, last run time, and vendor are also available.

For Your Eyes Only
It's possible to lock down the U3 smart drive's data partition with a password so that files will remain secure from prying eyes, complete with password hint. When security is enabled, the CD-ROM partition will load first, and will only enable the data partition after authentication. A password hint can be specified for those with bad memories, and in a worst case scenario the entire data partition can be erased if the password is truly forgotten.

Enabling security comes at the expense of backwards compatibility however. Because U3 is only compatible with Windows 2000 and XP, any Mac, Linux, or Windows 98/ME users will not be able to authenticate themselves to see the partition. When plugged into a Mac running OS X 10.3, we didn't see the data partition at all until security was disabled. Users working in a cross-platform environment may wish to look into an alternative security application to secure their documents. Also, it is unclear if files stored on the drive are encrypted or not, but most likely they are not because it takes mere seconds to enable security for a near-full 512MB drive.

One curious discovery we made was mention of a self-destruct feature in the U3 help files, stating that after a certain amount of invalid password attempts, the drive would lock itself permanently requiring a total reformat. We tested this on the Geek Squad drive, but after 100 invalid password attempts our data was still accessible. Only time can tell how secure the U3 platform really is.

The Bottom Line
U3 is an important step in the evolution of how we get our work done. User-friendly and well documented, U3 smart drives are something that we could actually give to our grandparents without worrying about how many times they'll be calling us for tech support.

In the future when office applications are released, parents can send their U3-equipped kids off to college knowing that they can get their work done on any of the school computers without having to buy an expensive laptop. Perhaps most importantly, people with multiple computers will actually be legal and don't have to deal with paying over $300 on products like Office thanks to End User License Agreements (EULAs) being written per flash drive instead of per computer.

About the only thing we can see wrong with the U3 platform is the lack of cross-platform compatibility, but that might change later on now that Macs are going x86.

By Scott Clark, Consumer Technology Editor
Edited by Alternator

How to Repair a Malfunction USB Flash Drive

2008-12-12T21:59:00.001+08:00

Flash memory, flash drive, pen drive and memory drive are just some of the names that are used to refer to USB flash drive. It is a compact device that was developed to be a secure and safe data transfer as well as data storage gadget. While this travel data storage device may seem to be perfect, it is still possible that it might corrupt your data. Just like in any other technology, a USB flash drive is also prone to technical problems that often lead to the corruption or loss of data. Assuming that its hardware is undamaged, doing a re-format can solve USB problems.

USB formatting is as easy as A-B-C. First, you have to right click on the removable drive corresponding to where the USB was inserted, and then click on the "format" option. Or you can try using the file system drop down, where options "FAT and FAT32" are available. Choose the FAT option, it will reveal format utilities, then click on the "Quick format" option then press on "start" to initiate format operations. This way, all the data that the USB contains will be deleted, but the errors will hopefully be gone. Usually, errors or malfunction occurs during file transfers or data storage. For simple drive errors, scanning and re-formatting can work. In this manner, all the bad sectors of the USB will work like new.

When formatting does not solve your USB problems, you can make use of an alternate method. For more complicated USB problems, you will need to check the bios first to determine the actual problem. Before doing that, it is advised that you backup all the files from your hard drive to another hard drive, CD or DVD, and then turn off your computer. Insert your problematic USB on the drive port and turn on the computer. When the system bios are prompted, immediately press the F8 key. For some computers, it is the delete key or F2 key that initiate bios checking and take note of the operators that are listed on the screen. Using the cursor keys, navigate the bios and boot the CD drive first, save and then exit. Insert your operating system restore disk, save and restart. Simply follow the cue that initiates installation of your operating system. When the USB disk appears on the list of which drive format comes, then your USB is in the clear.

Depending on the options, you must opt out the re-installation of the operating system at this point. If it is still running, simply quit and leave the other drives alone. Try to reset the computer to boot from the disk instead of the CD drive as before. If your USB flash drive is already usable, it must now be detected in windows. If you fail to do this operating system re-installation, then just continue following the installation instructions. However, never try to install the operating system onto the USB disk drive.

Before going over your USB problems and trying out some troubleshooting tricks, have all your files backed up first, this task is something that must not be taken lightly. Although formatting seems easy, it is a lengthy process that needs to be done by somebody who fully understands the application. If everything else fails, get hold of your USB's warranty so you can get it fixed from customer support.

Get Latest Exploit, Shellcode on the Net!

2008-12-10T22:30:00.001+08:00

Since a few years ago, i'm very interest and study about software exploit, shellcode, metasploit and so on. Here it is a few list of website contain information and exploit code that can be found:

1. http://www.milw0rm.com/
2. http://www.securiteam.com/
3. http://neworder.box.sk
4. http://www.governmentsecurity.org/
5. http://www.metasploit.com/

If you have any other good website that related to this topic. Feel free to share with me... ;D

Portable Antivirus Website Down?

2008-12-09T16:26:00.001+08:00

After a few week of my website at Data0.Net domain are several times down due to the poor web hoster server. It seem I have to change to a new and powerful server. I'm getting tired when I open my Data0.Net domain and its keep return a girl picture. Complaint is already been made several times. I'm losing lot of money if this keep happening.

How To run Multiple Versions of the Same Program on your PC

2008-11-20T18:10:00.001+08:00

I was asked in the comments of a previous post how I managed to run multiple versions of Skype at the same time and while answering him, I thought it was worth turning my answer into a post. It isn’t just Skype that this can be used for. You can also use this method to run multiple versions of your favourite instant messaging program (if you have more than one ID) or multiple versions of your internet browser if you have more than one email account with the same provider. For instance, using this tip you can access multiple gmail accounts at the same time.

With the Windows operating system, everything runs under a user account which you log into when you boot up the computer. Say for the purposes of this discussion, my main default user account on my PC is MARK_1. Well when I boot up the PC in the morning, MARK_1 will load and all programs I subsequently use will run under MARK_1.

But I sometimes help out a friend who runs a virtual telephone answering service through Skype. So obviously only one Skype line isn’t going to cut it. To open more Skype lines (without having to log in and out of Windows all the time), here’s what you do :

First, you need to set up more Windows user accounts. To make this simple, I’ll name them MARK_2, MARK_3 and so on. Since I have a German language computer, I can’t really post too many screenshots and I am unsure of the terminology on an English language computer so I will describe it to you in general terms and perhaps you can tell me the exact wording. In the Windows start menu, you have a “System Setup” option and in there is an option called “User Accounts”. This is where you maintain your Windows accounts, including the main administrator account.

Just open that option up, choose the new account option and set up as many new accounts as you need. YOU DON’T HAVE TO LOG OUT OF YOUR CURRENT USER ACCOUNT TO DO THIS! Plus you need to have administrator privileges to set up new accounts. So trying this at work is probably not a good idea as your IT department will probably not appreciate it.

Once the accounts are set up, go to the desktop icon (or the start menu link) of the program you want to start again and choose “run as”. This will open up a sign-in box with a drop-down list of your user accounts (which by now should contain the new ones you have just created). Just choose another account, enter the password (if you set one up during the account creation process) and the program will instantly open again under that new windows user account.

Using this method, I have run up to five Skype lines simultaneously and the ICQ chat program three times (although I am sure more is possible if you have the CPU capacity to support them all). As I said before, you can also use this method to run more than one Firefox browser to check email accounts or perhaps you want to be logged in as two different users in a social network? The possibilities for running more than one Windows user account is endless.

Can you think of other scenarios where running more than one user account would be beneficial? Let’s hear it in the comments!

By: Mark O’Neill is a freelance writer, proofreader and blogger. Visit his blog at BetterThanTherapy.net

SKILLS Competition

2008-11-15T00:00:00.001+08:00

This morning I wake up as early 6am to prepare to goto Cheras to watch SKILLS Competition sponsorship by Malaysia CIDB. The competition is taking several categories including IT/Software and Application, Web Design, Graphic Design, Industrial Electronic, CADD, Therapy and many more. I'm just interest about IT/Software and Application section which is seem to be easy if I could join. The question is simple. Every participant need to complete a Microsoft Access application including database and forms. Very simple. But thats take a days to complete it.

I came back to ADTEC Batu Pahat and arrive at 10:30pm having dinner at Parit Karjo.

Web Link

2008-09-25T20:00:00.005+08:00

There is many great website around the world. This is only less than 0.01% of total best website but its worth it. This page will show you most of Malaysian security related website.

Malaysian Security Related Website:

www.malaysia-best.com/vbuster/index.htm
www.hmsecurity.org
www.geekzlife.net
www.malaysiav.com
www.neologylab.com

Malaysian Official Cyber Security Agencies:

www.mycert.org.my / www.cybersecurity.org.my

Malaysia IT Forum

www.putera.com
www.lowyat.net
www.ittutor.net

Software

2008-09-25T19:06:00.026+08:00

This page show you the software that has been developed by the author. Leave your comment for your feedback.

1. Data0 Portable Antivirus
2. Data0 Process Viewer
3. Data0 Classic Explorer
4. Data0 Force Wipe File
5. Data0 Virus Database Generator
5. Data0 Quick Virus Remover
6. Windows Firewall Fixer
7. Shutdown Timer
8. Malware Manager
9. 3Firewall
10. Malware Playground (Advanced Sandbox)
11. OpenKamus

Tutorial

2008-09-25T11:04:00.004+08:00

Here it is some sort of my own tutorial. More tutorial will be listed here as I manage to make some updates on it. If you need me to write a tutorial just leave a comment.

Extract AutoIt Script from EXE file (Video).
Unpacking AutoIt Script.

Extract AutoIt Script

2008-09-25T10:58:00.006+08:00

This is quite old technique to extract an AutoIt script from the compiled EXE files espeacially malware. You can refer this tutorial from my video uploaded to YouTube.

Extract AutoIt Script Video Tutorial

Actually this kind of extracting method is depending on AutoIt version. Currently this tutorial show you how to extract AutoIt EXE version 3.2.2.0. Other version will be available soon.

Virus Glossary

2007-10-08T14:39:00.000+08:00

Adware
Adware is software that presents banner ads or in pop-up windows through a bar that appears on a computer screen. Those advertising spots usually can't be removed and are consequently always visible. The connection data allow many conclusions on the usage behavior and are problematic in terms of data security.

Backdoors
A backdoor can gain access to a computer by going around the computer access security mechanisms.

A program that is being executed in the background generally enables the attacker almost unlimited rights. User's personal data can be spied with the backdoor's help, but are mainly used to install further computer viruses or worms on the relevant system.

Boot viruses
The boot or master boot sector of hard drives is mainly infected by boot sector viruses. They overwrite important information necessary for the system execution. One of the awkward consequences: the computer system cannot be loaded any more…

Bot-Net
A Bot-Net is collection of softwarre bots, which run autonomously. A Bot-Net can comprise a collection of cracked machines running programs (usually referred to as worms, Trojans) under a common command and control infrastructure. Boot-Nets server various purposes, including Denial-of-service attacks, etc., partly without the affected PC user's knowledge. The main potential of Bot-Nets is that the networks can achieve dimensions on thousands of computers and its bandwidth sum bursts most conventional Internet accesses.

Dialer
A dialer is a computer programm that establishes a connection to the Internet or to another computer network through the telephone line or the digital ISDN network. Fraudsters use dialers to charge users high rates when dialing up to the Internet without their knowledge.

EICAR test file
The EICAR test file is a test pattern that was developed at the European Institute for Computer Antivirus Research for the purpose to test the functions of anti-virus programs. It is a text file which is 68 characters long and its file extension is “.COM” all virus scanners should recognize as virus.

Exploit
An exploit (security gap) is a computer program or script that takes advantage of a bug, glitch or vulnerability leading to privilege escalation or denial of service on a computer system. A form of an exploit for example are attacks from the Internet with the help of manipulated data packages. Programs can be infiltrated in order to obtain higher access.

Grayware
Grayware operates in a way similar to malware, but it is not spread to harm the users directly. It does not affect the system functionality as such. Mostly, information on the patterns of use is collected in order to either sell these data or to place advertisements systematically.

Hoaxes
The users have obtained virus alerts from the Internet for a few years and alerts against viruses in other networks that are supposed to spread via email. These alerts are spread per email with the request that they should be sent to the highest possible number of colleagues and to other users, in order to warn everyone against the "danger".

Honeypot
A honeypot is a service (program or server), which is installed in a network.

It has the function to monitor a network and to protocol attacks. This service is unknown to the legitime user - because of this reason he is never addressed. If an attacker examines a network for the weak points and uses the services which are offered by a Honeypot, it is protocolled and an alert sets off.

Keystroke logging
Keystroke logging is a diagnostic tool used in software development that captures the user's keystrokes. It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Like this, confidential and personal data, such as passwords or PINs, can be spied and sent to other computers via the Internet.

Macro viruses
Macro viruses are small programs that are written in the macro language of an application (e.g. WordBasic under WinWord 6.0) and that can normally only spread within documents of this application. Because of this, they are also called document viruses. In order to be active, they need that the corresponding applications are activated and that one of the infected macros has been executed. Unlike "normal" viruses, macro viruses do consequently not attack executable files but they do attack the documents of the corresponding host-application.

Polymorph viruses
Polymorph viruses are the real masters of disguise. They change their own programming codes - and are therefore very hard to detect.

Program viruses
A computer virus is a program that is capable to attach itself to other programs after being executed and cause an infection. Viruses multiply themselves unlike logic bombs and Trojans. In contrast to a worm, a virus always requires a program as host, where the virus deposits his virulent code. The program execution of the host itself is not changed as a rule.

Script viruses and worms
Such viruses are extremely easy to program and they can spread - if the required technology is on hand - within a few hours via email round the globe.

Script viruses and worms use a script language such as Javascript, VBScript etc. to infiltrate in other new scripts or to spread by activation of operating system functions. This frequently happens via email or through the exchange of files (documents).

A worm is a program that multiplies itself but that does not infect the host. Worms can consequently not form part of other program sequences. Worms are often the only possibility to infiltrate any kind of damaging programs on systems with restrictive security measures.

Spyware
Spyware are so called spy programs that intercept or take partial control of a computer's operation without the user's informed consent. Spyware is designed to expolit infected computers for commerical gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements. AntiVir is able to detect this kind of software with the category "ADSPY" or "adware-spyware".

Trojan horses (short Trojans)
Trojans are pretty common nowadays. We are talking about programs that pretend to have a particular function, but that show their real image after execution and carry out a different function that, in most cases, is destructive. Trojan horses cannot multiply themselves, which differenciates them from viruses and worms. Most of them have an interesting name (SEX.EXE or STARTME.EXE) with the intention to induce the user to start the Trojan. Immediately after execution they become active and can, for example, format the hard drive. A dropper is a special form of Trojan that 'drops' viruses, i.e. embeds viruses on the computer system.

Zombie
A Zombie-PC is a computer that is infected with malware programs and that enables hackers to abuse computers via remote control for criminal purposes. The affected PC, for example, can start Denial-of-Service- (DoS) attacks at command or send spam and phishing emails.

World First Computer Viruses!

2006-07-25T18:07:00.002+08:00

The Creeper virus was first detected on ARPANET, the forerunner of the Internet in the early 1970s.^[3] Creeper was an experimental self-replicating program written by Bob Thomas at BBN in 1971.^[4] Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.^[5]

A program called "Rother J" was the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created.^{[citation needed]} Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk.^[6] This virus was created as a practical joke when Richard Skrenta was still in high school. It was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning "Elk Cloner: The program with a personality."

The first PC virus in the wild was a boot sector virus dubbed (c)Brain^[7], created in 1986 by the Farooq Alvi Brothers, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written^{[citation needed]}. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.^{[original research?]}

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years.^[8]

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's.^{[citation needed]} Within the "pirate scene" of hobbyists trading illicit copies of retail software, traders in a hurry to obtain the latest applications were easy targets for viruses.^{[original research?]}

Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread onto Macintosh computers as well. Although the majority of these viruses did not have the ability to send infected e-mail, those viruses which did took advantage of the Microsoft Outlook COM interface.^{[citation needed]}

Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents."^[9]

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

Cross-site scripting viruses emerged recently, and were academically demonstrated in 2005.^[10] Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo.

2005-10-03T08:59:00.004+08:00

Data0You may put this advertisement banner into your website to support local product. More banner size will be available soon.

480px × 30px

<a href='http://www.data0.net/' target='_blank'><img width='158' height='40' alt='Data0.Net Portable Antivirus' src='http://img526.imageshack.us/img526/7492/iklan2.gif' border='0'></a>

AT4RE FastScanner

2005-09-22T09:16:00.001+08:00

AT4RE FastScanner is one of packer, PE info, compiler, cryptor detector with plug-in capabilities. This tools works same like other packed detector to give alternative usage for user.

An example show you PE file is being analyzed with all basic information shown.

Show you PE section with all available offset.

Disassembler is another advantage giving user to analyze and finding useful instruction.

AT4RE FastScanner can be downloaded from:
Here

PROTECTiON iD

2005-09-21T21:37:00.003+08:00

Another small tools with great features. As I downloaded the latest one, there interfaces was changed and little bit confuse if some user new to it but again this great tools comes with special features.

Features

- detection of every major PC ISO Game / App protection
- sector scanning CDs / DVDs for Copy Protections
- covers more than 430 (different!) protections including exe protectors, .net protectors, packers, dongles, licenses & installers
- files / folders can simply be drag & droped into pid (link files will re resolved too)
- strong scanning routines allowing it to detect multiple protections in one file
- easy scanning via shell context menu
- usefully misc tools included
- coded 100% in Win32 assembly language
- fully 32bit & 64bit compliant
- working on every Windows OS from Win9x to windows Vista
- no additional files are required (like VB Runtimes, MSVC dlls or ASPI drivers)

PROTECTION ID can be downloaded from:
Here

Mal-ware Analyst Tools

2005-09-14T14:35:00.005+08:00

Most of anti virus developer has their own technique and skill to get rid of mal-ware content. Making analyst for the captured mal-ware is very important before deciding whether it is harmful or not. Anti virus or security company with Malware Analyst job has their own & useful tools to trace malware like behaviour. Well, here it is some basic tools for Reverse Code Engineering. Click on each list for detail:

PE Editor/Memory Dump:
LordPE Deluxe
OllyDump

Explorer Suite (Combine with all the tools we need).

Packer/ID Detector:
TrID
PEiD
ExeInfo PE
Protection ID
AT4RE FastScanner
DiE (Detect it Easy)
RDG Packer Detector
Jim Clausing's Malware Packer Signatures
Neil's Collection of Packer Signatures
packerid.py (Python)

Sometime, one packed detector is not enough. Not all detector can detect all packer.

Disassembly/Debugger Tools:
OllyDebugger, OllyScript
Interactive Disassembler (IDA)

Resource Viewer:
PE Explorer
ResHacker

Process Monitor:
Sysinternals Process Explorer

File & Folder Watcher:
SpyMe Tools

Registry Snapshot:
RegShot

Network Tools:
WireShark
NMap
Snort

Honeypot:
HiHAT (Website)

Sandbox:
Sandboxie

Other Miscellanous tools:
Sandboxie
VMWare
Microsoft Virtual PC

Online tools:
VirusTotal
ThreatExpert

ExeInfo PE

2004-09-21T20:53:00.001+08:00

ExeInfo PE have some same features with PEiD but with some extra function to make it more easier and faster to access such as

Main interfaces is very similar to PEiD but with some great functionalities.

With Rip button all resources can be extracted at once and saved into current directory.

With tools menu user can get a lot of information inside PE files such as registry key, OEP, save resource section, XoR permutator (easy to reverse any reversed string such as ROT13) and many more.

File Menu offer to you multiple options about taking action to your analyzed file. WYSIWYG.

EXEInfo PE can be downloaded from:
http://www.exeinfo.xwp.pl

PEiD - PE Identifier

2004-09-21T20:21:00.000+08:00

This small tools have a big features for those who want to extract information from PE files.

PEiD have its own special features:
1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Well, I use it for long time and this is the great and fast tools for getting PE information without need to install anything.

PEiD can be downloaded from here:
http://www.peid.info

Explorer Suite

2004-09-19T23:31:00.001+08:00

This one of most advanced freeware tools for Reverse Code Engineer. Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

- Explorer Suite (Multi-Platform Version, Recommended)
- Explorer Suite (x86 Version)
- CFF Explorer (x86 Version, stand-alone, Zip Archive)

- CFF Explorer Extensions Repository

The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Features:

Process Viewer
Windows Viewer
PE and Memory Dumper
Full support for PE32/64
Special fields description and modification (.NET supported)
PE Utilities
PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
View and modification of .NET internal structures
Resource Editor (full support for Windows Vista icons)
Support in the Resource Editor for .NET resources (dumpable as well)
Hex Editor
Import Adder
PE integrity checks
Extension support
Visual Studio Extensions Wizard
Powerful scripting language
Dependency Walker
Quick Disassembler (x86, x64, MSIL)
Name Unmangler
Extension support
File Scanner
Directory Scanner
Deep Scan method
Recursive Scan method
Multiple results
Report generation
Signatures Manager
Signatures Updater
Signatures Collisions Checker
Signatures Retriever

TrID - File Identifier

2004-09-19T23:22:00.007+08:00

TrID is an utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded rules, TriID has no such rules. Instead, it is extensible and can be trained to recognize new formats in a fast and automatic way.

TrID has many uses: identify what kind of file was sent to you via e-mail, aid in forensic analysis, support in file recovery, etc.

TrID uses a database of definitions which describe recurring patterns for supported file types. As this is subject to very frequent update, it's made available as a separate package. Just download both TrID and this archive and unpack in the same folder.

The database of definitions is constantly expanding; the more that are available, the more accurate an analysis of an unknown file can be. You can help! Use the program to both recognize unknown file types and develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type. The program will do the rest.

Because TrID uses an expandable database it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same thing making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.

To get you started, the current library of definitions is up to 3833 file types and growing fast.

TrID is simple to use. Just run TrID and point it to the file to be analyzed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.

For more information and download click here.

OllyDump for OllyDebugger

2004-09-19T22:48:00.002+08:00

OllyDump is one of advanced memory dumping tools. It is easy to use with OllyDbg as a plugin. Once the process is being debugged at runtime, it will be automatically search for PE section. But this tools does not give you automatically an OEP for any compressed PE file. You still have to find their OEP offset manually and write down the offset to the OllyDump window. The picture below show you how the OllyDump plugin works for dumping UPX packed file.

Just simply add your founded OEP to the Modify box and hit Dump button to save as a dumped file. You can edit the listed section for your own usages. You can easily dumping PE file without need to highlight all the debugged code and choose 'Follow in Dump > Selection'. This way sometime does not produce an accurate result.

You can find OllyDump here or here.

LordPE Deluxe

2004-09-19T17:31:00.003+08:00

LordPE Deluxe is one of the greatest tools for making process dump on memory for along time. It was developed by yoda. Here it is what this tools can do:

+ Dump process from memory and save as file.
+ Dump process module
+ Get Basic information about PE header.
+ Rebuild any PE file (realign, wipe relocation, rebuild import table, etc)

Author website can be reach at http://y0da.cjb.net but it no longer exist I guess. You can try get it from here.

Donate

2004-09-19T11:35:00.006+08:00

Your donation will help improving our website, software and the quality of product. Every donation will be much appreciated. If you want to make donation with PayPal please use the following form to start donate:

If you wish to donate via online banking, sending check or cash deposit, you can bank-in your donation to the following bank account:

Bank Name: Public Bank Berhad
Account Holder: Nur Mohammad Kamil Bin Mohammad Alta
Account No. : 4-9575680-16

Bank Name: CIMB Bank
Account Holder: Nur Mohammad Kamil Bin Mohammad Alta
Account No. : 05100027843526

Bank Name: Bank Simpanan Nasional (BSN)
Account Holder: Nur Mohammad Kamil Bin Mohammad Alta
Account No. : 11100-29-84372834-8

Bank Name: Maybank
Account Holder: Nur Mohammad Kamil Bin Mohammad Alta
Account No. : 164418076737

Every donation will be much appreciated. Thank you.

Submit Sample

2004-05-29T10:33:00.009+08:00

Please upload any malware samples which are not yet detected by Portable Antivirus products along with suspicious and other miscellaneous files using the upload form above. If you having problem uploading a files, then try to use a different web browser (Internet Explorer, Opera, etc.).

If you think our scanner has detected a clean file by mistake please select "False positive suspicion" from the drop down menu above. Note that suspicious files and false positives need to be uploaded separately. Please make sure you verified that the latest version will still detect the file and it is not a solved false alarm at this point in time.

Spam Emails:

Please do not submit spam emails to our analysis system. Spam is advertisement which does not contain any malicious content.

Several files at once:

In case you want to upload several suspicious files at the same time we suggest to use a common archiving software such as WinZIP, WinRAR, PKZip or Arj.

Submit via email:

Alternatively you can send suspicious files via email to alternator99@gmail.com. Please make sure that you compress the files using a packer such as WinZIP, WinRAR, PKZip or Arj. Since some email gateways are equipped with antivirus software, you should also give the file(s) a password to prevent them from being unpacked inadvertently. Please make sure that you're using the password "infected". Please note that false positives have to be uploaded via web interface and marked as such.

Result:

If the suspicious file contains a new malware which is unknown to us at this point in time we will update our signature database. After that we'll be able to detect and - if technically possible - remove it.

Portable Antivirus 1.7 (Coming Soon)

2004-05-06T20:37:00.004+08:00

Portable Antivirus 1.7 is the next generation of antivirus software and currently in development and will be available and almost finish developing and testing.

Portable Antivirus 1.6

2004-05-06T20:20:00.006+08:00

Portable Antivirus 1.6 is another upgraded new version from the previous one 1.5. A small, fast and advanced scanning engine making this antivirus the most people choice from around Asia.

The new version have many features such as repairing registry with advanced features, heuristics technologies, real-time scanning, can be updated from internet, come with few useful tools, more advanced configurations and the most important is keep it portable and easy to run anywhere when your PCs having problems.

Portable Antivirus 1.6 is currently in Beta version before releasing it into the new full version that compatible with all Windows platform. Currently, its work almost all Windows NT version including Windows 2000, XP and Vista.

You can download this version of Portable Antivirus by clicking here.

Portable Antivirus 1.5

2004-05-06T20:08:00.007+08:00

Portable Antivirus 1.5 is the most popular single executable antivirus that has been downloaded by more than 400,000 copies. This tiny antivirus can scan and remove up to 200 viruses that has been recorded as in-the-wild by most of commercial antivirus. User still can download this software by clicking here. Portable Antivirus 1.5 also have a unique function that can repair your registry that has been modified by viruses such as missing Folder Options, Task Manager, Start Menu item an many more. Also, this tiny antivirus only have 290KB of it's size and suitable to fit into your USB Drive even your floppy disk can fit it.

Portable Antivirus 1.5 does not required to installed on to your PCs. Simply, just download and run the file and start scanning your PC. Small and really portable. For those who still want to use this little antivirus, you download it here.

NOTE: Some antivirus program detect this tools as a virus or spyware. This is false detection because this small tools has been compressed with UPX utilities. Please disable other antivirus first before using it.

Manual Update your Portable Antivirus

2004-05-03T00:16:00.001+08:00

To update your Portable Antivirus virus definition you can do this with a few simple step. Follow this instruction:

1. Download the latest updates of VDEF file and then extract the ZIPped content. The file name should be appeared as 'vdef1.vdef'.

2. Simply, goto your Portable Antivirus system tray icon (near the clock). Right click on it and choose Updates... and click on Manual Update.

3. Choose where your VDEF file has been extracted and click Open button and wait until finish message appear.

4. And you're done updating your Portable Antivirus. You can see the date was change after the update.

Download

2004-05-02T22:09:00.032+08:00

Here you can download Portable Antivirus software for free. You can choose whether to download the latest version or an old version.

Portable Antivirus 1.6 Build 421

Download Here from Ziddu.com
Download Here from EasyShare
Download Here from MediaFire

Portable Antivirus 1.6 also available in standalone version which you can download it from here or here.

VDEF Updates (10 August 2009)

Download VDEF Updates here! from Ziddu.com
Download VDEF Updates here! from EasyShare

Note: To update your Portable Antivirus, first extract the VDEF1.zip file and then choose the extracted file to update. To learn more click here. Please make sure turn off any Download Manager to make sure the download to be successful.
____________________________________________________________

Portable Antivirus 1.5 (Old version)

Download Here from Ziddu.com
Download Here from EasyShare

Note: Portable Antivirus 1.5 has been discontinue their support however you still can use it to remove certain malware.
____________________________________________________________

Download Portable Antivirus 1.6 Help Document or Here

Awards

2004-05-02T21:52:00.005+08:00

Here it is Portable Antivirus has been awarded by a few downloaded host website:

Softpedia guarantees that Portable Antivirus 1.6 Beta is 100% CLEAN, which means it does not contain any form of malware, including spyware, viruses, trojans and backdoors.

About

2004-05-02T21:49:00.005+08:00

Portable Antivirus is software to help people maintaining their Windows system from and after being infected by malware in one click of button. Portable Antivirus was built to remove viruses without need to restart their Windows after scan and repairing is done. With a Portable concept, this antivirus software can be easily distribute to any of removable drive such as Flash Drive, Memory stick, Portable Hard drive and so on.

Portable Antivirus can detect several of viruses including worm, Trojan, spy ware, ad ware and many more. Portable Antivirus cannot detect such as old 80’s viruses. Thus, the virus is almost impossible to run on NT-based system such as Windows XP and Vista. Portable Antivirus also has its own technology to detect future viruses. Like other commercial antivirus software, Heuristic technology is a must on every antivirus industry.

Information About Portable Antivirus Generation

Portable Antivirus 1.7 (Coming Soon)

Portable Antivirus 1.6

Portable Antivirus 1.5

Contact

2004-05-02T21:12:00.008+08:00

You can contact the author directly at:

alternator99@gmail.com

If you want to reach the author via Yahoo! Messenger add the following name:

ID: alternat0r

or just leave a message at the shoutbox.