Даже боюсь подумать о том, какой вред он может принести

Будте бдительны, товарищи !!

This device was developed in our labs for those people who wants to share their desktop, documents, create screencasts and support documentation, stay in touch with people who are far away.

You can always stay online with new built-in wireless adapter which has super-style external antenna,

you can talk to your friends using super- sensitive microphone,

It doesn’t matter what day time is at the moment - your friends can see where you are because this device has built-in Full HD camera with night-vision mode.

Professional headphones make you feeling presence of your friends. You’ll never feel lonely using our new “SCREENCASTER 1″.

This device was tested in our labs and anonymous testers felt really good using “SCREENCASTER”

Low weight, good ergonomic, lots of features and modern design makes SCREENCASTER one of the best gadgets you can have at home.

In future SCREENCASTER models we are planning provide built in memory card and commutator - you’ll be able to connect few SCREENCASTERS in one network. If you want to see some other features in this amazing device - please leave a comment.

SCREENCASTER - YOUR BEST CHOICE!

]]> http://kukuruzman.com/2009/05/08/screencaster/feed/ http://kukuruzman.com/2009/01/22/worm-conficker/ http://kukuruzman.com/2009/01/22/worm-conficker/#comments Wed, 21 Jan 2009 23:46:29 +0000 Kukuruzman http://kukuruzman.com/?p=7 In this article I’ll try to describe how to remove Worm Conficker from your system.

Depends on the antivirus program you have, this worm can be detected with different names:

- Symantec: W32.Downadup.B
- Kaspersky: Net-Worm.Win32.Kido.fw
- F-Secure: Worm:W32/Downadup.gen!A
- Sophos: Mal/Conficker-A
- Panda: Trj/Downloader.MDW
- Grisoft: I-Worm/Generic.CJY
- Eset: a variant of Win32/Conficker.AE worm
- Bitdefender: Win32.Worm.Downadup.Gen

The easiest way to detect that you are infected is to try access these websites:

http://update.microsoft.com

http://www.kaspersky.com/

http://drweb.com/

This is not the whole list of websites that can be blocked. In such way virus tries

to prevent you update antivirus definition files and Windows system.

You will also get your AutomaticUpdates and BITS services disabled on the infected machine.

The Server and Workstation services can be disabled as well.

In our environment we determined three possible ways for its spreading:

1. Using autorun on the removable storage devices like USB sticks or external USB hard drives.

On the removable drive it creates autorun.inf file and RECYCLED folder.

The best way to prevent this worm spreading through the autorun is to disable autorun possibility

on your workstations. To disable it you just have to edit your regestry:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

After regestry modifications reboot your PC.

To enable the autorun you have to remove “Autorun.inf ” key and reboot the PC.

Note!!!

These regestry entry was tested on WindowsXP only.

2. This worm tries to hide itself as image file:

- .bmp

- .gif

- .png

- .jpg

3. Worm can spread over the network using Windows vulnerability in RPC service.
When worm gets on your PC, it copies itself to the following locations:

- %all shared folders% \RECYCLER\S-%number%\%random character string%.vmx

- %ProgramFiles%\Internet Explorer\%random character string%.dll

- %ProgramFiles%\Movie Maker\%random character string%.dll

- %System%\%random character string%.dll

- %Temp%\%random character string%.dll

- %ALLUSERSPROFILE%\Application Data\%random character string%.dll

The following registry keys are added in order to load the service after reboot:

- HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\

ServiceDll” = “%paths and filenames of malware copies%”
- HKLM\SYSTEM\CurrentControlSet\Services\%random words%\

“ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

“Type” = “4″

“Start” = “4″

“ErrorControl” = “4″
It uses the following login information in order to gain access to the remote machine,

so it is better to change weak passwords like “11111″ or “admin”.

You can also see tries to connect to these websites:

Virus do this to get your external IP address and send it to the “bad people”,

which allows them to control your system in future.

Here are the steps we performed to remove this worm in our network:

If you have domain and you have infected machines in it DONT login to the

damaged PCs with DOMAIN ADMINISTRATOR account when PC is connected to the

network - use local admin.

1. Disable network connection on the infected PCs;

2. Disable System Restore on the infected PCs;

3. Download MS08-67 vulnerability fix :

4. Run following tool on the infected system to remove the worm :

You can obtain some other removing tools if you don’t trust Microsoft:

or just use Google to find one you’d like more.

5. Restart the PC and install the fix from Microsoft to prevent the machine to be infected

in the future;

6. Plug in your network cable;

7. Update your antivirus program.;

8. Rerform Full System Scan with your antivirus program.

Hope this helps you to kill the worm on your systems.

Good luck!

Related links:

http://en.wikipedia.org/wiki/Conficker

http://www.eset.com/threat-center/blog/?p=433

http://www.avira.com/en/threats/section/fulldetails/id_vir/4474/worm_conficker.html

http://support.microsoft.com/kb/962007

http://vil.nai.com/vil/content/v_153464.htm