Comments on Leecher Mods: eMule 0.49a Razorback 3 Next Generation 5.01 installer exe Virus Alert Win32/Parite.B
Feed author: Recon (http://www.blogger.com/profile/06503028238011791604)
Feed updated: 2023-10-30T05:16:21.233-11:00

Comment by Anonymous, 2008-08-12T04:35:00-11:00:

nice proxy there:
http://www.Google.pl/search?q=xaze.xs4all.nl

Comment by Anonymous, 2008-08-12T04:17:00-11:00:

Troj:
212.227.109.0 - 212.227.109.255

kundenserver.de

in Firewall

Schlund + Partner AG

Comment by Anonymous, 2008-08-11T23:15:00-11:00:

Makes computer run slow?

Comment by Anonymous, 2008-08-11T23:02:00-11:00:

Please submit to Kaspersky if it's different from this:

Type: Win32 polymorphic file-infector virus
Affects: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Upon infection the virus adds a new section (this section is randomly named with 3 letters followed by the ASCII character 07) to the host file, which contains the main viral code in encrypted form. This file is later dropped as a randomly named temp file into the TEMP folder, using a Windows API function to retrieve this path.

The temp file (around 172 KB in size) is injected into Windows Explorer. This means that if Explorer runs, the virus stays active in memory.

The virus takes the Original Entry Point (OEP) of the infected file out of the file header, encrypts the old entry point with a randomly generated 32-bit value, and stores this calculated entry point value in the encrypted last section of the file, where the virus writes itself.

It needs the original entry point to execute an infected file after the viral code has been executed - otherwise infected programs would not be able to run after the virus runs.
Note: In the following text, %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), as they differ on various versions of Microsoft Windows.

The virus creates the following Registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Parite uses 2 different, randomly generated, 32-bit values at 2 random addresses in the original host file, and it overwrites these addresses if the file does not run.
If the infected file is active, the virus restores this data out of the encrypted section into the program code. This is a special mechanism to make the cleaning of infected files more difficult.
The virus enumerates and scans all network shares and tries to infect all Windows32 executables and screensaver files.

Other Details

The polymorphic dropper is written using TASM, and the virus part itself is written with Borland C++ and packed with UPX, an executable file compressor.

Comment by Anonymous, 2008-08-11T22:18:00-11:00:

Just downloaded from their homepage. Same MD5