
Posts

Removing virus services.exe and fservice.exe

The virus consists of the following files:

C:\Windows\system32\fservice.exe
C:\Windows\services.exe

The virus is a key logger. It sends an email message every time a connection to the internet is made. It blocks the Windows XP Protect Shield and System Restore services.

Removing the virus:

1. Kill fservice.exe
   - Use TASKKILL /F /IM fservice.exe
   - If it doesn't work on the first attempt, use NTSD -P [PID of fservice.exe], then quit the debugger to kill the task.
2. Kill services.exe
   - Kill the bogus one, not the genuine services.exe.
   - Follow the procedure in number 1.
3. Delete all occurrences of fservice.exe and the fake services.exe
   - Do not delete the real services.exe found in C:\Windows\system32.
4. Clean the registry of entries containing fservice.exe and the fake services.exe.

Removing jaymyka worm

Today is Gat Andres Bonifacio's day. No work, no pressure, so I took advantage of it and went to my aunt's workplace to remove the so-called Jaymyka worm. All the computers were infected.

Worm: Jaymyka
Threat Level: Low
Target Victims: Users viewing adult sites (Geez! Who did that in the office?)
Description: It creates an autorun.inf file per drive with the following contents,

[autorun]
open=jay.exe
;shell\open=Open(&O)
shell\open\Command=jay.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=jay.exe

The autorun.inf file is paired with jay.exe. The jay.exe file handles the annoying duplication of files and some resource-hogging tasks leading to a DoS attack. If this worm is able to infect the target device successfully, it attaches a file named mveo.exe at startup. This mveo.exe is responsible for the worm's capability of regeneration.

[Diagnosis]
1. Kill mveo.exe and jay.exe
   TASKKILL /F /IM mveo.exe /IM jay.exe
2. Delete...

Turn off error-causing ads from Yahoo! Messenger 8

Most users complain about the error pop-ups rooted in the ads attached to their Yahoo! IM clients. Turning them off from the registry is the best way to shun them.

In the registry key

[HKEY_CURRENT_USER\Software\Yahoo\Pager\YUrl]

set or add these values:

Messenger Ad = *
Webcam Upload Ad = *
Webcam Viewer Ad = *
Webcam Viewer Ad Medium = *
Webcam Viewer Ad Big = *
Change Room Banner = *
Conf Adurl = *
Chat Adurl = *

Edit the file \Program Files\Yahoo!\Messenger\Cache\urls.xml, erase all the contents and leave 2 double quotes (" "), save it, then mark it as read-only.

CLI & Registry User Administration in Windows XP

This is a simple user administration guide for Windows XP. There are lots of hidden gems here.

Adding a new user,
net user somename somepassword /add

Deleting a user,
net user somename /delete

Making a user an administrator,
net localgroup Administrators somename /add

Removing user administrator rights,
net localgroup Administrators somename /delete

Hiding a user from the login screen,
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v somename /t REG_DWORD /d 0

Showing a user on the login screen,
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v somename /t REG_DWORD /d 1

Java bytecode disassembly

In every programmer's journey, the legendary "Hello World!" program excuses no one. So I wrote, compiled, then disassembled it.

public class Hello {
    public static void main(String[] args) {
        System.out.println("Hello World!");
    }
}

I fired up a hex editor to analyze the bytecode's disassembly. This part contains the headers, the class name and the superclass being extended. This is how a JDK 1.5-compiled bytecode looks.

.bytecode 49.0
.source "Hello.java"
.class public Hello
.super java/lang/Object

By default, a constructor is generated. Check that it constructs itself as an object of type 'Object' naturally, because Java classes extend the 'Object' class. Here we have shown that a constructor is just a method.

.method public <init>()V
.limit stack 1
.limit locals 1
.line 1
aload_0 ; met001_slot000
invokespecial java/lang/Object.<init>()V
return
.end method

Here's the main method.

.method...

Today I turned 0x15

31st of May 2007 minus 0x15, marked the day of Eradicus' existence. It was with divine intervention that fate has chosen Santa Maria Health Center as his birthplace.

[ASCII art of an AK-47 rifle]

Automatic Kalashnikov 47, can someone...