Friday, November 30, 2007

Removing jaymyka worm

Today is Gat Andres Bonifacio Day. No work, no pressure, so I took the opportunity to go to my aunt’s workplace and remove the so-called Jaymyka worm. All the computers were infected.


Worm: Jaymyka
Threat Level: Low
Target Victims: Users viewing adult sites (Geez! Who did that in the office?)


Description:


The worm drops an autorun.inf in the root of every drive with the following contents,



[autorun]
open=jay.exe
;shell\open=Open(&O)
shell\open\Command=jay.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=jay.exe

The autorun.inf file is paired with jay.exe, which it launches in two ways: through open= when AutoPlay fires, and through the overridden shell\open and shell\explore verbs, so double-clicking or right-clicking the drive in Explorer runs the worm even on a machine with AutoPlay turned off. jay.exe does the annoying duplication of files and the resource hogging that eventually makes the machine unusable (a local denial of service). Once a machine is infected, the worm also registers a file named mveo.exe to run at startup. mveo.exe is what regenerates jay.exe and the autorun.inf files when they are deleted, which is why killing jay.exe alone never sticks.


[Removal]


1. Kill mveo.exe and jay.exe



TASKKILL /F /IM mveo.exe /IM jay.exe

2. Delete every copy of jay.exe and mveo.exe, plus the autorun.inf in the root of each drive. Open the drives from the command prompt or the Explorer address bar, not by double-clicking the drive icon, since the overridden Open verb would start jay.exe again; use dir /a in case the files carry the hidden attribute
3. Remove mveo.exe in msconfig’s Startup tab
4. Search the registry (regedit, Edit > Find) for entries containing jay.exe, jaymyka or mveo.exe and delete them
5. Reboot, then check that neither process is running and that no drive root has grown a new autorun.inf; if one has, a copy of mveo.exe was missed
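As an added example (my own code, not part of the original post), here is a small Python audit that parses an autorun.inf the way Explorer reads it and reports which keys launch a program and which Explorer verbs are overridden. It is what I would run against every drive root before and after the clean-up to confirm the worm is really gone. JAYMYKA_AUTORUN is constructed from the listing above; the install-CD sample and the scan_roots helper are my own additions.

```python
"""Audit autorun.inf files for the drive hijack the Jaymyka post describes.

Added example, not the post's own code.  JAYMYKA_AUTORUN is constructed from
the listing in the post; INSTALL_CD_AUTORUN is a made-up benign file.
"""
import os
import re

# shell\<verb>\command rewires the verbs Explorer offers for the drive (Open,
# Explore, ...), which is how jay.exe runs on a double-click even with AutoPlay off.
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
LAUNCH_KEYS = {"open", "shellexecute"}      # plain AutoPlay launch keys


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section.

    Lines starting with ';' are comments (the worm's file has two) and must
    not be treated as directives; keys are case-insensitive.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command):
    """First token of a command line, quotes removed, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower() if command else ""


def audit_autorun(text):
    """Classify one autorun.inf:
    'hijack'   overrides Explorer verbs (the Jaymyka pattern)
    'launches' only open=/shellexecute= (normal for install CDs)
    'clean'    launches nothing (icon or label only)
    """
    verbs, targets = [], set()
    for key, value in parse_autorun(text).items():
        match = VERB_COMMAND.match(key)
        if match:
            verbs.append(match.group(1))
        if match or key in LAUNCH_KEYS:
            targets.add(program_of(value))
    verdict = "hijack" if verbs else ("launches" if targets else "clean")
    return {"verdict": verdict, "hijacked_verbs": sorted(verbs),
            "targets": sorted(targets)}


def scan_roots(roots):
    """Audit the autorun.inf in each drive root given (e.g. C:\\ and D:\\).

    Reads the file directly rather than listing the directory, since the
    worm may have set the hidden/system attributes on it.
    """
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as handle:
                results[root] = audit_autorun(handle.read())
    return results


# Constructed from the listing in the post (two lines are commented out there too).
JAYMYKA_AUTORUN = r"""[autorun]
open=jay.exe
;shell\open=Open(&O)
shell\open\Command=jay.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=jay.exe
"""

# Made up: what a typical install CD carries.
INSTALL_CD_AUTORUN = """[autorun]
open=setup.exe
icon=setup.ico
label=Product Setup
"""

if __name__ == "__main__":
    for label, sample in (("jaymyka", JAYMYKA_AUTORUN), ("install cd", INSTALL_CD_AUTORUN)):
        print(label, audit_autorun(sample))
    # On the infected machine: print(scan_roots(["C:\\", "D:\\", "E:\\"]))
```

The distinction that matters is the verdict: an install CD with open=setup.exe is normal, but anything that defines shell\open\command or shell\explore\command for a fixed drive is rewiring Explorer and deserves a look before you click on that drive.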


Christmas is near! It’s been a while since I blogged. Nothing special.

Wednesday, September 26, 2007

Turn off error-causing ads from Yahoo! Messenger 8

Many users complain about the error pop-ups caused by the ads embedded in the Yahoo! Messenger client. Overriding the ad URLs in the registry is the simplest way to get rid of them.


In the registry,



[HKEY_CURRENT_USER\Software\Yahoo\Pager\YUrl]

Set or add these values,



Messenger Ad = *
Webcam Upload Ad = *
Webcam Viewer Ad = *
Webcam Viewer Ad Medium = *
Webcam Viewer Ad Big = *
Change Room Banner = *
Conf Adurl = *
Chat Adurl = *

Then edit the file \Program Files\Yahoo!\Messenger\Cache\urls.xml: erase all of its contents, leaving only a pair of double quotes (""), save it, and mark it read-only so the client cannot write the ad URLs back.

Monday, July 30, 2007

CLI & Registry User Administration in Windows XP

These are the basics of user administration from the Windows XP command line, including a couple of lesser-known registry tricks at the end.


Adding a new user,



net user somename somepassword /add

Deleting a user,



net user somename /delete

Making a user an administrator,



net localgroup Administrators somename /add

Removing user administrator rights,



net localgroup Administrators somename /delete

Hiding a user from the login screen,



REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v somename /t REG_DWORD /d 0

Showing a user on the login screen,



REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v somename /t REG_DWORD /d 1

Hiding only removes the account from the welcome screen. It still exists, keeps its group memberships and can still log on, through the classic logon dialog or over the network. That makes this UserList key a favourite place to park a backdoor administrator, so when auditing a machine compare the accounts listed by net user against the values under that key.

Saturday, June 16, 2007

Java bytecode disassembly

In every programmer’s journey, the legendary “Hello World!” program excuses no one. So I wrote, compiled, then disassembled it.



public class Hello {

public static void main(String[] args) {
System.out.println("Hello World!");
}

}

I fired up a hex editor to analyze the bytecode’s disassembly. The first part carries the header: the class-file version (49.0 is what JDK 1.5’s javac emits), the source file name, the class name and the superclass it extends.



.bytecode 49.0
.source "Hello.java"

.class public Hello
.super java/lang/Object

A constructor is generated by default even though the source declares none. It begins by calling the constructor of Object (the invokespecial below), because a class with no explicit superclass extends java.lang.Object. It also shows that, at the bytecode level, a constructor is just an instance method with the reserved name <init>.



.method public <init>()V
.limit stack 1
.limit locals 1
.line 1
aload_0 ; met001_slot000
invokespecial java/lang/Object.<init>()V
return
.end method

Here’s the main method.



.method public static main([Ljava/lang/String;)V
.limit stack 2
.limit locals 1
.line 4
getstatic java/lang/System.out Ljava/io/PrintStream;
ldc "Hello World!"
invokevirtual java/io/PrintStream.println(Ljava/lang/String;)V
.line 5
return
.end method

Easy isn’t it?
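To see where the lines above come from, here is an added example (my own code, not something from the post or the JDK): a minimal class-file reader in Python. parse_class() walks the header (magic number, version), the constant pool and the method table, resolving names through the pool exactly the way a disassembler does, and jasmin_listing() prints the result in the .bytecode/.class/.super/.method form shown above. Because no Hello.class is on the page, build_class() constructs the sample bytes; it writes no Code attributes (an assumption of this example), so the output documents the layout but would not load in a JVM.

```python
"""Read the parts of a .class file that the disassembly above shows.

Added example, not the post's own code.  parse_class() walks the header
(magic, version), the constant pool and the method table; jasmin_listing()
prints them in the .bytecode/.class/.super/.method form used above.  Since
no Hello.class is on the page, build_class() constructs the sample bytes; it
emits no Code attributes (an assumption of this example), so the result
documents the layout but would not load in a JVM.
"""
import struct

CONSTANT_UTF8, CONSTANT_CLASS = 1, 7
ACC_SUPER = 0x0020          # set on every class javac emits; disassemblers hide it
FLAG_NAMES = ((0x0001, "public"), (0x0002, "private"), (0x0004, "protected"),
              (0x0008, "static"), (0x0010, "final"), (0x0400, "abstract"))


class Reader:
    """Big-endian cursor over class-file bytes; every read is bounds-checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated class file")
        self.pos += n
        return chunk

    def u1(self): return self.take(1)[0]
    def u2(self): return struct.unpack(">H", self.take(2))[0]
    def u4(self): return struct.unpack(">I", self.take(4))[0]


def parse_class(data):
    """Return version, class names and (flags, name, descriptor) members."""
    r = Reader(data)
    if r.u4() != 0xCAFEBABE:
        raise ValueError("not a class file (bad magic)")
    minor, major = r.u2(), r.u2()
    pool, count = [None], r.u2()            # constant pool indices start at 1
    while len(pool) < count:
        tag = r.u1()
        if tag == CONSTANT_UTF8:
            pool.append(r.take(r.u2()).decode("utf-8", "replace"))
        elif tag in (7, 8, 16, 19, 20):     # Class, String, MethodType, Module, Package
            pool.append(r.u2())
        elif tag in (3, 4):                 # Integer, Float
            pool.append(r.u4())
        elif tag in (5, 6):                 # Long, Double take two slots
            pool.append(r.take(8)); pool.append(None)
        elif tag in (9, 10, 11, 12, 17, 18):  # Fieldref .. InvokeDynamic: two u2
            pool.append((r.u2(), r.u2()))
        elif tag == 15:                     # MethodHandle: u1 kind, u2 index
            pool.append((r.u1(), r.u2()))
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
    access, this_idx, super_idx = r.u2(), r.u2(), r.u2()
    r.take(2 * r.u2())                      # interfaces: u2 count, u2 each

    def member():                           # field_info and method_info share a layout
        flags, name, desc = r.u2(), pool[r.u2()], pool[r.u2()]
        for _ in range(r.u2()):             # attribute: u2 name index, u4 length, bytes
            r.u2()
            r.take(r.u4())
        return flags, name, desc

    fields = [member() for _ in range(r.u2())]
    methods = [member() for _ in range(r.u2())]
    return {"version": "%d.%d" % (major, minor), "access_flags": access,
            "this_class": pool[pool[this_idx]],                     # Class -> Utf8
            "super_class": pool[pool[super_idx]] if super_idx else None,
            "fields": fields, "methods": methods}


def jasmin_listing(info):
    """Render the parsed header the way the disassembly in the post reads."""
    def flags(value):
        return " ".join(name for bit, name in FLAG_NAMES if value & bit)
    lines = [".bytecode " + info["version"],
             ".class %s %s" % (flags(info["access_flags"] & ~ACC_SUPER), info["this_class"]),
             ".super " + info["super_class"]]
    lines += [".method %s %s%s" % (acc_flags and flags(acc_flags) or "", name, desc)
              for acc_flags, name, desc in info["methods"]]
    return "\n".join(lines)


def build_class(this_name, super_name, methods, major=49, minor=0):
    """Construct class-file bytes for (flags, name, descriptor) methods, no attributes."""
    pool, utf8_index = [], {}

    def utf8(text):
        if text not in utf8_index:
            raw = text.encode("utf-8")
            pool.append(struct.pack(">BH", CONSTANT_UTF8, len(raw)) + raw)
            utf8_index[text] = len(pool)
        return utf8_index[text]

    def class_ref(name):
        pool.append(struct.pack(">BH", CONSTANT_CLASS, utf8(name)))
        return len(pool)

    this_idx, super_idx = class_ref(this_name), class_ref(super_name)
    table = b"".join(struct.pack(">HHHH", f, utf8(n), utf8(d), 0) for f, n, d in methods)
    return (struct.pack(">IHHH", 0xCAFEBABE, minor, major, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHHH", 0x0001 | ACC_SUPER, this_idx, super_idx, 0)  # public; no interfaces
            + struct.pack(">H", 0)                                              # no fields
            + struct.pack(">H", len(methods)) + table
            + struct.pack(">H", 0))                                             # no class attributes


# Hello as javac 1.5 lays it out: the implicit constructor <init> plus main.
HELLO_CLASS = build_class("Hello", "java/lang/Object", [
    (0x0001, "<init>", "()V"),
    (0x0001 | 0x0008, "main", "([Ljava/lang/String;)V"),
])

if __name__ == "__main__":
    print(jasmin_listing(parse_class(HELLO_CLASS)))
```

Point it at a real class file (open the file in binary mode and pass the bytes to parse_class) and the version line tells you which javac produced it; the bounds-checked Reader is deliberate, since a class-file parser that trusts the length fields in the constant pool is a classic way to get a crash out of hostile input.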

Thursday, May 31, 2007

Today I turned 0x15

31st of May 2007 minus 0x15, marked the day of Eradicus’ existence. It was with divine intervention that fate has chosen Santa Maria Health Center as his birthplace.



.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'\"\"\"\_ --'' Q ___________@
|''' ._ _______________=---------\"\"\"\"\"\"\"
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./

Automatic Kalashnikov 47, can someone surprise me with a gift like this? :) I’m not a terrorist, I just want to experience dismantling this rifle and assembling it back beating the best time.

Friday, April 06, 2007

Evading Yahoo! Messenger worms

Dealing with worm-infected Yahoo! Messenger installs on Windows XP is fun: just apply the fix below. Do not reformat; that is the lazy way of fixing things!


In file fix.reg



REGEDIT4

; Re-enable Task Manager and the registry editor, which the worm disables.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

; Clear the content URLs the worm set on the Messenger buzz and LaunchCast views.
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"=-

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]
"content url"=-

; Restore the IE start page and remove the policy that locks it.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://eradicus.blogsome.com"

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage]

; Remove the worm's startup entries; "Svchost" here is not the real service host.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"=-
"Svchost"=-

If the worm has disabled the registry editor, Task Manager and the Run command, so that the .reg file cannot be merged, open a command prompt and do the following.


1. To reactivate the Registry



REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

2. To reactivate the Task Manager



REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Finally, find the worm’s copy of svchost.exe (the one the "Svchost" Run value above points at) and delete it. Be careful: the genuine svchost.exe lives in %SystemRoot%\System32 and is started by the service control manager, never from a Run key, so a svchost.exe anywhere else, or one referenced from Run, is the worm’s, and the one in System32 must stay.
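Here is that check in code, as an added example (mine, not from the post). It reads the text produced by reg export of the Run key, in REGEDIT4 or 5.00 format, and flags every value whose program is named like a Windows system binary but is not started from %SystemRoot%\System32, which is exactly how the worm’s "Svchost" and "Task Manager" entries give themselves away. SAMPLE_EXPORT is constructed for the example; every path in it is made up.

```python
"""Flag Run-key entries that impersonate Windows system binaries.

Added example, not the post's own code.  It parses a `reg export` of the Run
key (REGEDIT4 or Windows Registry Editor 5.00 text) and reports values whose
program is named like a system binary but does not live in
%SystemRoot%\\System32, the check the post asks for before deleting the
worm's svchost.exe.  SAMPLE_EXPORT is constructed; every path in it is made up.
"""
import ntpath     # Windows path rules, usable on any host
import re

RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")
# Binaries Windows starts from System32 itself and normally never from a Run key.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "taskmgr.exe"}


def parse_reg_export(text):
    """Return {key path: {value name: data}} from .reg text.

    Quoted (REG_SZ) data is unescaped; other types (dword:, hex:) and the
    '-' deletion marker are kept as written.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[name] = data
    return keys


def program_path(command):
    """Executable part of a Run value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_run_keys(reg_text, system_root=r"C:\WINDOWS"):
    """One finding per Run value whose program name belongs to a system
    binary but whose folder is not System32 (or is not given at all)."""
    system32 = ntpath.join(system_root, "system32").lower()
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            image = re.sub("(?i)%systemroot%", lambda _: system_root, program_path(data))
            folder = ntpath.dirname(image).lower()
            base = ntpath.basename(image).lower()
            if base in SYSTEM_BINARIES and folder != system32:
                findings.append({"key": key, "value": name, "image": image,
                                 "reason": "%s started from '%s' instead of %s"
                                           % (base, folder or "relative path", system32)})
    return findings


# Constructed sample: two impostors among ordinary entries.  Paths are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svchost"="C:\\WINDOWS\\svchost.exe"
"Task Manager"="\"C:\\Documents and Settings\\user\\taskmgr.exe\" /hide"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE_EXPORT):
        print(finding["value"], "->", finding["reason"])
```

On the infected box, produce the input with reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg (and the same for HKCU), then run the script over the file. An unquoted path with spaces is cut at the first space, which is fine for this check because the impostors are almost always short paths; a match on a system binary name outside System32 is the thing to delete, never the file inside it.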

Saturday, February 10, 2007

MOSS: 1st Hands-on Power Training

Mindanao Open Source Society (MOSS) held its 1st Hands-on Power Training at the ADZU Open Source Laboratory. It was a totally new experience for me since I really do not know how to organize events. There is always a first time, as they say. I really thank God for making this event a success, though not yet perfect; hopefully the next will be planned and organized well. This event is so memorable for me since I have learned a lot of things that are not just technically related to Free and Open Source Software.


To Sir Fhics, thank you so much and I salute you sir! Sir Fhics is the head of CISCO Zamboanga. He is so down-to-earth, very kind, open-minded and a skilled man, yet so humble. He is one of those skilled persons who never sets a gap between himself and those who are just starting up (newbies). He even considers himself a “droplet of water in the ocean of knowledge.” Again, thank you sir! I have learned not just pure networking stuff from you but also values that are applicable to life as well.


To Ma’am Yolynne, you are one of a kind, you never let us down. Especially during those times when we were almost losing hope and our morale was almost negative 30,000 feet below sea level. You’ve shown us an understanding and a caring heart. Thank you so much. There should be more people like you in this world. Thank you for not just being part of my journey to the open source world but also to my life’s journey.


To Rj Ian Sevilla, Jay Manligas, Macky Alger, thanks bros! I know we can make it better the next time around. We have some mistakes but I know that from those we’ve grown as a person. Let’s congratulate ourselves for a successful event.


To the ADZU Computer Center staff, thanks a lot for helping us! Ma’am Maureen Bello, Sir Greg! Sir Genner Cerna, Sir Richter Vecina, Ma’am Girlie, Ma’am Cathy. Pro Deo et Patria!


To the new MOSS members, this event wouldn’t be a success if it weren’t because of you. Welcome to the open source world. Always stay interested. :) God bless us all.

Wednesday, January 31, 2007

Processor upgraded

Nothing special really, I have just upgraded the processor from 1.7GHz to 3.0GHz with HT technology. The 1.7GHz (1.9GHz overclocked) processor is now for sale. Too bad I’m still using Intel processors. Hopefully after graduation I’ll be able to make my switch to the dark side of the force, AMD.



CPU : Intel Pentium 4 (*1)
CPU Arch : 1 Cores - 2 Threads
CPU PSN : Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU EXT : MMX SSE SSE2
CPU Cache : L1 : 12/8 KB - L2 : 512 KB
Core : Northwood (0.130) / Revision : M0
CPUID : F.2.5 / Extended : F.2
Freq : 3006.76 MHz (200.45 * 15)


Sunday, January 28, 2007

Web application development framework

Web application development can be time consuming and complex. The development process can be simplified by using frameworks. A web application development framework contains a set of tools and libraries for easier development.


Frameworks are preferred by enterprise developers because they simplify the development process, reduce development time, improve code readability, keep development organized and emphasize modularity. Using a framework for enterprise development makes a team more productive.


Most frameworks use the Model-View-Controller (MVC) design paradigm. MVC separates the data from the user interface: changes to the user interface do not affect the handling of data, and the data can be restructured without changing the user interface. It does this by decoupling the data access layer (DAL) and business logic layer (BLL), the model, from the presentation (the view), with the controller mediating user interaction between the two.

Friday, January 19, 2007

Wireless connection restored

I had my canopy replaced. All systems operational. Average bandwidth has increased a bit. I guess my time is running out. I have to accelerate, deadline’s fast approaching. Judgment day is never scripted.


[Thesis Update]


Development phase is doing great! Coding spree. Signing off through Robert Collier’s words of wisdom:


“We can only do what we think we can do. We can only be what we think we can be. We can only have what we think we can have. What we do, who we are, what we have, all depends upon what we think.”

Saturday, January 06, 2007

Overclocked for Netbeans 5.5

With a 1.70GHz processor and a pair of 256MB DDR PC3200 (200MHz) modules, Netbeans 5.5 will never be your IDE of choice if productivity matters to you. It runs on the Java Virtual Machine and draws its UI with Swing, which is heavier than the SWT toolkit Eclipse uses.


Since I prefer using Netbeans 5.5, a desperate move would be maximizing the use of the CPU’s core speed.


Here’s a validation from CPU-Z:



CPU : Intel Pentium 4 (*1)
CPU Arch : 1 Cores - 1 Threads
CPU PSN : Intel(R) Pentium(R) 4 CPU 1.70GHz
CPU EXT : MMX SSE SSE2
CPU Cache : L1 : 12/8 KB - L2 : 256 KB
Core : Willamette (0.180) / Revision : D0
CPUID : F.1.2 / Extended : F.1
Freq : 1953.28 MHz (114.9 * 17)



My CPU runs at 1.9GHz now. I just increased its Front-Side Bus clock to 114MHz and there’s a big impact on Netbeans’ performance.


P.S.: Thanks to Betelgeuse for the correction :)

Thursday, January 04, 2007

Crack: Some javascript

This can be found in a RAD tool for generating DHTML menus. The name of the tool will remain secret here; it’s up to you to find out. Note that the original developer of this tool wrote the entire code on one line. To add confusion?


in file tdqm_loader.js



...
function q28(){ca=new Array(97,108,101,114,116,40,110,101,116,115,99,97,112,101,49,41);
ct=new Array(69,114,114,111,114,32,45,32,85,110,114,101,103,105,115,116,101,114,101,100,32,79,112,
101,110,67,117,98,101,32,68,72,84,77,76,32,69,102,102,101,99,116,32,45,32,40,119,119,119,46,111,
112,101,110,99,117,98,101,46,99,111,109,41);
...

To remove the annoying alert box, edit tdqm_loader.js and replace the function above with something like this:



function q28(){
/* CRACKED: with both arrays empty the loops build nothing and eval("") is a
   harmless no-op. Do not put a placeholder string such as 'CRACKED' in the
   arrays: String.fromCharCode('CRACKED') yields "\u0000", and eval of that
   string throws a SyntaxError. */
ca=new Array();
ct=new Array();
netscape1="";
ie1="";

for(i=0;i<ct.length;i++)
netscape1+=String.fromCharCode(ct[i]);
for(i=0;i<ca.length;i++)
ie1+=String.fromCharCode(ca[i]);

eval(ie1);
}

Your generated DHTML menu will no longer be bothered by the annoying alert box. The global variables are kept in case other parts of the loader refer to them; only the decoded contents are gone.