Hardware & Software Department Updates

  25th August: New page started! Software news added! Look for the previous news in the archive! The latest Hardware and Software news was left!

 

 

AMD Athlon 64 FX - rumors will never end (07.08.2003)

Although the official release of AMD Athlon 64 processors has already been planned for the 23rd of September (read the previous news for more), there are still rumors about it.

This time a German hardware source reported that, together with the Athlon64, AMD is to release an Athlon 64 FX as well. According to them, the FX is planned as a low-end solution, as it will not support dual-channel DDR SDRAM while the usual Athlon64 will. Nevertheless, another idea has been expressed on the Internet: the Athlon64 FX will become a kind of AMD Opteron but with 512 Kb of L2 cache. That's because AMD will need to evaluate 2 sizes of L2 cache, 512 Kb and 1 MB. But because the Opteron name for the 512 Kb part would sound banal, Athlon64 will be a kind of AMD Thorton, which was also mentioned in rumors nearly a month ago as a new processor AMD was going to launch.

We shall see... :-)


 

RealOne Player v2.0 Build 6.0.11.864 (25.08.2003)

A new build of RealOne Player 2 has appeared on the Internet.

RealOne is a multimedia player designed mainly to play the streaming RealAudio and RealVideo formats, which are so popular on the Internet for streaming media. RealOne also has a built-in web browser that makes playing media from web pages more comfortable, Audio CD burning and playing software (Music Jukebox), and support for the QuickTime, Windows Media, MPEG, DVD and VCD media formats.

RealOne Player v2.0 Build 6.0.11.864 (8,3 MB, Shareware, Windows 98/ME/2000/XP)

Although RealOne is classed as shareware because it is supposed to be upgraded to the Premium version, it can also be used as a basic free player for an unlimited time.

PC Helper Virus Review! How to protect yourself (21.08.2003)

I've decided to unite all the news appearing about recent viruses into this article... (Thanks to Kaspersky Labs)

1) I-Worm.Sobig.f

Although I-Worm.Sobig itself appeared in the world of viruses only relatively recently (several months ago), it already has 6 modifications. The latest one, "f", is the one I'm going to describe. Sobig.f spreads via the Internet in e-mail attachments and activates as soon as you open the attachment. Sobig.f has broken all the records set by previous mail viruses and has nearly reached the number of computers infected by the almost "legendary" I-Worm.Klez (still in the top 20 of the most "influential" viruses, although it first appeared as long ago as October 2001). On the 7th of August the level of infection by this virus reached 92%!

During installation the worm copies itself into the Windows directory under the name winppr32.exe and registers itself in the system registry autorun keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 TrayX = %WindowsDir%\winppr32.exe/sinc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 TrayX = %WindowsDir%\winppr32.exe/sinc

To collect victims' e-mail addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB, .MHT and .HLP files in all directories on all available local drives, scans them for text strings that look like e-mail addresses and sends infected e-mails to these addresses. To send infected messages the worm uses the SMTP engine specified in the system properties.

The worm scans all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.

The worm sends UDP packets to random IP addresses on port 8998 and awaits commands from the 'master' machine. The commands contain URLs from which Sobig.f downloads and executes files. Thus, the worm is able to upgrade itself and/or install other applications (Trojans, for instance).

2) Worm.Win32.Lovesan

This is currently the most dangerous network worm. It exploits the now "famous" DCOM RPC hole in Microsoft Windows described in Microsoft Security Bulletin MS03-026 (I was writing about this update... you will soon know why it's so important). The vulnerability exploited by this worm had previously been found and fixed by Microsoft, who provided the patch I was writing about. The update filters TCP port 135, thus protecting you from this virus. If the virus is already in the computer, it's too late...

Symptoms of infection: MSBLAST.Exe in the Windows system32 folder and the error message "RPC service failure", which causes the system to reboot.

Lovesan registers itself in the autorun key when the system reboots and launches itself every time the computer reboots in the future:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="msblast.exe"
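
A quick way to check a machine for the two autorun entries listed above (Sobig.f's TrayX and Lovesan's "windows auto update") is to save the output of `reg query` for both Run keys and scan it. This is an added example, not code from the article or from Kaspersky Labs; the sample output is constructed and the function name `audit_run_keys` is hypothetical.

```python
import re

# Executable name -> (Run value name, worm), both taken from the article.
INDICATORS = {
    "winppr32.exe": ("TrayX", "I-Worm.Sobig.f"),
    "msblast.exe": ("windows auto update", "Worm.Win32.Lovesan"),
}

# A value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")
# First executable file name inside a Run-key command line.
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)', re.I)

# Constructed sample of saved `reg query` output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    windows auto update    REG_SZ    msblast.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    TrayX    REG_SZ    C:\WINDOWS\winppr32.exe/sinc
"""


def audit_run_keys(reg_query_output):
    """Return (key, value_name, worm, name_matches) for suspicious Run values."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # remember which Run key we are in
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        exe = EXE_NAME.search(data)
        known = INDICATORS.get(exe.group(1).lower()) if exe else None
        if known:
            # The file name is the indicator; the value name confirms it.
            hits.append((key, name, known[1], name.lower() == known[0].lower()))
    return hits


if __name__ == "__main__":
    for hit in audit_run_keys(SAMPLE):
        print(hit)
```
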

The worm then scans IP addresses, attempting to connect to 20 random IP addresses and infect any vulnerable machines. Lovesan sleeps for 1.8 seconds and scans the next 20 IP addresses.

Lovesan scans IP addresses following one of the patterns below:

  1. In 3 out of 5 cases Lovesan selects random base IP addresses (A.B.C.D) where D is equal to 0, while A, B and C are random numbers between 0 and 255.

  2. In the remaining 2 out of 5 cases Lovesan scans the subnet: it gets the local IP address of the infected machine, extracts values A and B from it and sets D to 0. Then the worm extracts the C value. If C is less than or equal to 20, then Lovesan does not modify C. Thus, if the local IP address is 207.46.14.1, the worm will scan IP addresses starting from 207.46.14.0. If C is greater than 20, then Lovesan selects a random value between C-19 and C. Thus, if the IP address of the infected machine is 207.46.134.191, the worm will scan IP addresses 207.46.{115-134}.0

The worm sends a buffer-overrun request to vulnerable machines via TCP port 135. The newly infected machine then initiates the command shell on TCP port 4444.

Lovesan runs the thread that opens the connection on port 4444 and waits for an FTP 'get' request from the victim machine. The worm then forces the victim machine to send the FTP 'get' request. Thus the victim machine downloads the worm from the infected machine and runs it. The victim machine is now also infected.

As of August 16, 2003 Lovesan will launch DDoS attacks on the Windowsupdate.com server with the objective of flooding the server so that it becomes unavailable.

This time the Internet was saved by the 1.8-second delay the virus uses between attempts to infect machines. The 1.8-second delay is programmed into the virus, and that is what makes it less dangerous than the world-famous and most dangerous network virus ever, Helkern aka Slammer, which simply caused the de-segmentation and slowing down of the net by nearly 25% in January this year (Slammer didn't have the delay!):

20.40.50.0
20.40.50.1
20.40.50.2
...
20.40.50.19
-----------
1.8 second pause
20.40.50.20
...
20.40.50.39
-----------
1.8 second pause
...
...
20.40.51.0
20.40.51.1
...
20.41.0.0
20.41.0.1
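
The scan pattern shown above (bursts of 20 consecutive addresses on TCP port 135, separated by 1.8-second pauses) is easy to spot in firewall or flow logs. The following detector is an added example, not part of the original article; the flow records are constructed and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

BATCH = 20   # addresses probed per burst, per the article
PAUSE = 1.8  # seconds between bursts, per the article


def sample_flows():
    """Constructed flow records: (time_s, src_ip, dst_ip, dst_port)."""
    base = int(ipaddress.ip_address("20.40.50.0"))
    flows = []
    for i in range(3 * BATCH):  # three bursts of sequential hosts
        ts = round((i // BATCH) * PAUSE + (i % BATCH) * 0.01, 2)
        flows.append((ts, "10.0.0.7", str(ipaddress.ip_address(base + i)), 135))
    # Ordinary clients talking to one RPC server: must not be flagged.
    flows += [(5.0 + i, "10.0.0.9", "10.0.0.2", 135) for i in range(5)]
    return flows


def find_sequential_sweeps(flows, port=135, min_run=2 * BATCH):
    """Return {src: (first_dst, run_length, bursts)} for sources whose
    destinations on `port` form a long run of consecutive addresses."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, int(ipaddress.ip_address(dst))))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start, run, bursts = 0, 1, 1
        for i in range(1, len(events)):
            (prev_ts, prev_ip), (ts, ip) = events[i - 1], events[i]
            if ip == prev_ip:            # retransmission to the same host
                continue
            if ip == prev_ip + 1:        # next address in the sweep
                run += 1
                if ts - prev_ts >= PAUSE * 0.8:  # pause => a new burst began
                    bursts += 1
            else:                        # sequence broken, start over
                start, run, bursts = i, 1, 1
            if run >= min_run:
                first = str(ipaddress.ip_address(events[start][1]))
                findings[src] = (first, run, bursts)
    return findings


if __name__ == "__main__":
    print(find_sequential_sweeps(sample_flows()))
```

The default threshold of two full bursts (40 consecutive addresses) keeps a single administrator sweep of a small range from being flagged.
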

3) Worm.Win32.Welchia

This is an anti-virus virus! Amazingly, Welchia fully removes Lovesan but installs itself and starts using two holes (first, the same one Lovesan uses; second, WebDAV in Microsoft IIS 5.0, described in Microsoft Security Bulletin MS03-007).

During installation the worm first copies itself to %System%\Wins\ folder under the dllhost.exe name and creates the service named WINS Client. Then the worm copies the tftpd.exe file from the %System%\dllcache folder naming it svchost.exe and creating an additional service - Network Connections Sharing.

As a result, Welchia will obtain control over the machine and execute itself every time the computer is re-booted.

The worm creates two different requests for sending to remote computers. The first request exploits the WebDAV vulnerability, the second request exploits the DCOM RPC vulnerability almost like Lovesan.

The worm finds an IP address, sends an ICMP request to it and waits for a response. If the remote machine responds, then the worm connects to it via port 135 (like Lovesan) or port 80 (if the machine uses IIS) and sends a ready-made package which loads Welchia from the host machine (via tftp).

The worm then scans the infected machine for the TFTPD.EXE file. If the TFTPD.EXE file does not exist, Welchia will download it (naming it svchost.exe) into the folder %System%\Wins\.

Once the current year becomes 2004, Welchia ceases to function and deletes itself from the system.

4) How to protect yourself !

The answer is simple: update your antivirus or install one if you haven't got any. My choice has always been (and I think always will be) Kaspersky AntiVirus Personal Pro (you can read all about it in the PC Helper Laboratory here).

But in case of a Lovesan or Welchia infection, something has to be done urgently! That's why Kaspersky Labs has updated their free utility (known as clrav), adding the ability to clean Lovesan as well. You can download it straight from my site:

clrav utility v10.0.5.2 (208 Kb)

To scan all your drives, run the utility with the key /s[n] (typed without quotes; the optional [n] extension also performs a check of mapped network drives).


 


Best Regards, Majestic and PC Helper Company®

 

All Copyrights protected. 2002-2003.


 
