posted November 20, 2007 09:11 AM         

------------------
~
What we do for ourselves dies with us. What we do for others and the world is immortal"~

posted November 20, 2007 11:43 AM         

is there a way to remove it?

posted November 20, 2007 11:51 AM         

Formerly, the Sun was the largest object in the Solar System. Now, comet 17P/Holmes holds that distinction.

Spectacular outbursting comet 17P/Holmes exploded in size and brightness on October 24. It continues to expand and is now the largest single object in the Solar system, being bigger than the Sun (see Figure). The diameter of the tenuous dust atmosphere of the comet was measured at 1.4 million kilometers (0.9 million miles) on 2007 November 9 by Rachel Stevenson, Jan Kleyna and Pedro Lacerda of the University of Hawaii Institute for Astronomy. They used observations from a wide-field camera on the Canada-France-Hawaii Telescope (CFHT), one of the few professional instruments still capable of capturing the whole comet in one image. Other astronomers involved in the UH program to study the comet include Bin Yang, Nuno Peixinho and David Jewitt. The present eruption of comet Holmes was first reported on October 24 and has continued at a steady 0.5 km/sec (1100 mph) ever since. The comet is an unprecedented half a million times brighter than before the eruption began. This amazing eruption of the comet is produced by dust ejected from a tiny solid nucleus made of ice and rock, only 3.6 km (roughly 2.2 miles) in diameter.

posted November 20, 2007 12:32 PM         

It is only apt to discuss the strategy of a malware. First, a malware causes unusual behavior on a system. It may have been designed to propagate, as in the case of viruses, or to inflict havoc or damage on a system, which is what trojans actually do. Other types of malware such as droppers introduce other malware to systems. Virus kits generate malware for other malicious purposes on a system.

So, what are some of the tactics that various malware employ. Malware is designed to execute on a system. For this to happen, the malware is often packaged in interesting forms such as games, cool animation, and often as pornographic movies or images. Since it cannot get onto a system without user intervention, it uses any means necessary to fool the victim end user into executing its file on their system. Most of the safe computing tips suggest that any new file or attachment should always be scanned before it is executed or opened.

Once executed, malware can perform its intended malicious function on a system. Unfortunately, it may not always be apparent to users that their system is indeed infected. The remainder of this article will discuss how to determine whether or not the system has been infected and will offer some tips on to manually disinfect the system.

Memory Residency

Memory-resident programs are those that can be placed in, and remain in, an affected system's main memory space after execution. Memory residency enables a piece of malware to be readily available whenever needed, ensuring that the malware is easily accessible or can monitor every event on an affected system. This is a malware's way of controlling every activity on an affected system when a condition is satisfied.

To find out if a malware is resident in the memory, you may need to invoke system tools like the Task Manager in Windows NT-based systems. On Windows 95- or 98-based systems, you can press CTRL-ALT-DEL, which displays a window containing all the running processes in memory. Once you have full view of the things that are currently in memory, check if a malware is there or not.

This is tricky and at the same time risky. Terminating a memory-resident program that is critical to a system may cause some undesirable results, such as displaying the Blue Screen of Death or even triggering the system to restart. It is advisable to check if a specific memory-resident program is indeed alien to the system, which is not an easy task. You can either consult your operating system manual or search for that program in an Internet search engine. If the search returns no results or does not indicate a relation to any recent malware, it is best that you leave it alone. This is rather too risky to tinker with but may be used for checking if worst comes to worst.

Spoofed Process Names

Contemporary malware tends to use process names that look strikingly similar to common process names. It's more like spoofing them into a name that you might think is the real thing but its not. For example, WSOCK32.DLL, a common process in memory handling the library of socket functions, can be spoofed as WSOCK33.DLL. Another is KERNE132.dll (notice that the L in KERNEL is actually the number 1) can be mistaken for the real KERNEL32.DLL. Sometimes the names are actually valid but the path is different. The KERNEL32.DLL is always found in the \Windows\System32 directory but some malware puts it in \Windows\System.

There are other things you can do to check for infection. For example, you can check if a recently executed and supposedly terminated program is still in memory when it should not be. Another indication is when a program appears to have multiple copies of itself in memory even if no application with that name is currently.

Lastly, if upon closing all applications and checking the memory usage of a certain entry in memory, it is using up almost all the memory resources you may have to check it out. This is particularly true if there is no indication that there is a memory activity for that entry. The memory space may be deemed safe by just viewing but, tinkering with it, like terminating entries, may produce unwanted results. However, if you find out that certain malware is indeed on your system after verifying with the AV vendors' reports, you can terminate the malware in memory and proceed to find out what other things it has added or modified on your system.

Gaining Control

Before a malware becomes memory-resident, it needs to be executed first, as mentioned previously. The initial execution, a user executing the file, is only the first step. Malware often employs other techniques to make sure that it is executed at least once in every system session. It does this by putting links to itself in places where the system initializes or pre-configures the Operating System. These are places or configuration files where it is accessed by an Operating System upon startup. For a malware, it is rather important for it to be executed every time and to advocate its aim to be memory resident. What better way to be executed, or to be triggered to reside in memory, than to be executed upon computer startup.

There are plenty of places where a malware can use this technique. One of the earliest techniques used was to infect the Command Interpreter, more commonly known as command.com. Upon infecting this file, the malware can assure that it gets executed and can reside in memory even before the command interpreter is executed. A malware can also try to accomplish this by adding links to itself in the autoexec.bat or config.sys, which are configuration files used by DOS and even Windows systems on its basic start up scheme.

Registries

Contemporary malware has found new ways to position itself on a system and ensure its execution. One way is by adding or modifying Registry entries. The Registry is a repository of system configuration settings and includes links to applications that need to be executed once the system has been established. This is a good place for malware to exploit and this is what we will look at.

To access the registry, click "Start" then "Run" and then type "Regedit" beside the "Open:" box. This opens the Registry editor. A word of caution, similar to terminating processes in memory, modifying or deleting registry entries can lead to unwanted system problems. Since the registry is the repository of configuration settings, a minor change here can cause your system to not start or boot up properly or sometimes render some applications to be unusable. It is recommended that you follow these instructions with care.

In the registry editor, you will see that registry keys are organized similarly to the File/Folder structure. The location, \HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\CurrentVersion, contains 3-6 folders that are part of the Autostart Registries as follows:

"Run"
"RunOnce"
"RunOnce\Setup"
"RunOnceEx"
"RunServices"
"RunServicesOnce"

The applications in these folders are what Windows executes immediately after a system is started up. Another similar location and privilege that may contain these 3-6 Autostart registries are in \HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion

You may have to check and familiarize yourself with each entry. The total number of entries is different for every system and is often proportional to the number of system tray entries that you have. The system tray is usually located at the lower right section of the Windows desktop and contains small icons beside the clock.

These applications are usually Windows-based executable files that have an .EXE extension, and are thus assumed that these have File Properties just as typical Windows executables do. You may check each file that is associated in the AutoRun Registry by opening a File Manager (also known as Windows Explorer) to view the file properties of each entry. To do this, right-click the files, choose "Properties", and then check out the entries in the "Version" tab of each file. The "Company" and "Product Version" often tell you a lot about the file. Registry entries in these locations without the full path are located in the Windows Directory, Windows\System, or Windows\System32 Directory. Keep in mind that some malware sets the Hidden file attribute on files it drops on the system. If this is the case, you will have to set Windows Explorer to show hidden files (Tools->Folder Options, click the View tab, then select the Show hidden files and folders radio button).

If the folders contain unusual entries such as misspelled company names or grammatical errors, then this should give you more reason to investigate that application. Check out some manuals or refer to search engines. If these files are verified as being malicious, then you can start removing their links. Let me remind you again that removing critical entries, by mistake, in the registry produces undesirable results. It is important that you thoroughly examine and verify that the links you will remove from your system are links to a malware file.

Another way for a malware to gain control of systems is by modifying the association of commonly used file extensions. Windows is typically file extension-based and uses the HKEY_CLASSES_ROOT entries to determine which applications or programs to run for certain extensions. .EXE, .DLL, .COM, and other readily infectable files are commonly modified. These entries or registry keys are often not associated with programs and indicate internal system commands or contain the appropriate applications typically associated with it.

It is also advisable to back up a registry entry first by exporting its registry key to a file. To do this, right click the folder-like entry in the registry and then select "Export". Agree when prompted to save it to a file. After creating a backup, you can now delete or modify the registry key. If you find that what you deleted is a normal entry and not that of a malware, restore it from your backup.

Other StartUp locations

Other areas where AutoStart entries can be found are in the files, System.ini and Win.ini. A malware often modifies these with links to itself added to the "run=" or "load=" sections of the files. These files are located at the Windows Directory (typically C:\Windows).

Following the same approach that you followed with the registry entries, you can remove them from the AutoStart entries after you have verified that they are malicious. Again, back up these files before making any modification just in case the entries are not malicious and you have to restore the files to their original form.

All the necessary system configuration files can be accessed, viewed and edited with the Sysedit program. To invoke the program, click "Start", and then "Run", and then type "Sysedit" in the "Open:" box.

Another place where you can find autostart entries are in the Start > (All) Programs > Startup folder. The entries here are also referenced and are executed immediately after system startup. Similarly, you may need to back up these files before tinkering with them.

Macros

Applications like word processing, spreadsheets or PowerPoint presentations are often vulnerable to macro viruses. You can check for malicious activities by checking for macros within these files. To do this, access the macros organizer (you may refer to your applications help file) and check if there are any unknown macros inside, press the ALT-F11 keys in the more recent offerings of Microsoft Office Family (beginning in Office 97 and up). However, some macro viruses tend to hide themselves from users by changing the foreground/background of the macro font display or by adding multiple tabs to make the text invisible to the default view pane.

The following is an explanation of procedures readers can use for two different applications that use macros: MS Word and Excel.

MS Word

Search your hard drive for any file named NORMAL.DOT, which is the global template of this application. Rename it to make sure that you have a backup and this will trigger Word to recreate a new NORMAL.DOT and the assurance that it is clean of any macro viruses. Open Microsoft Word and then turn on the Macro Virus Protection. After which, you may now try and open the file that you suspect has a macro virus. If there are any macros inside these files, you will be prompted by the Macro Virus Protection. It may also help if you can jot down the file size of the NORMAL.DOT so that in the future, you can just refer to this size in comparing it with the existing global template. This way you can easily spot the difference.

MS Excel

Search your hard drive for any folder name XLStart. For Excel, this folder contains all the things necessary for customization and this includes macros as well. You can transfer the contents of this folder to a temporary directory. Open Excel and turn on the Macro Virus Protection. After doing so, you can now open the Excel file that may be infected and then the Macro Virus Protection should be able to figure that out for you.

So What Now?

Now that you have removed the link to the suspects, you can send your suspected file to your preferred Antivirus Vendor for analysis. You may send it via email and attach the suspected file in a password-protected zip file (don't forget to include the password in the mail so that the zip file can be extracted and analyzed). The vendor's response usually takes a matter of days, depending on your subscription. You can do the same to the files that you have seen in memory and fear to be malicious.

If after reading this article twice, you still cannot comprehend what has been discussed or is not willing to risk your system to be broken by the modifications suggested, it may be better for you to use an Antivirus software and allow that software to check your system for malicious codes or programs.

The best ways to keep your system from infection are found in safe computing guides that are available on most AV Vendors' Web sites. These discussions include the basic things you must do to minimize the risk of being infected. Not only are these helpful, they are also a good venue for you to know more about your system and making you a better citizen of Cyberspace.

posted November 20, 2007 12:49 PM         

You have been telling people that this is the Eleventh Hour, now you
must go back and tell the people that this is the Hour. And there are
things to be considered. . . .

Where are you living?
What are you doing?
What are your relationships?
Are you in right relation?
Where is your water?

Know your garden.
It is time to speak your truth.
Create your community.
Be good to each other.
And do not look outside yourself for your leader.

Then he clasped his hands together, smiled, and said, "This could be a
good time! There is a river flowing now very fast. It is so great and
swift that there are those who will be afraid. They will try to hold on
to the shore. They will feel they are being torn apart and will suffer
greatly. Know the river has its destination. The elders say we must let
go of the shore, push off into the middle of the river, keep our eyes
open, and our heads above the water.

And I say, see who is in there with you and celebrate. At this time in
history, we are to take nothing personally, least of all ourselves. For
the moment that we do, our spiritual growth and journey come to a halt.

The time of the one wolf is over. Gather yourselves!
Banish the word 'struggle' from your attitude and your vocabulary. All
that we do now must be done in a sacred manner and in celebration.

We are the ones we've been waiting for.