
Monday, 11 July 2011

All about the virus "Backdoor.Win32.Phanta.aq, Trojan:Win32/Popureb.C"

Win32/Ghodow.NAG

Aliases: Backdoor.Win32.Phanta.aq (Kaspersky), Trojan:Win32/Popureb.C (Microsoft), Trojan.Click1.37375 (Dr. Web)
Type of infiltration: Trojan
Size: 101968 B
Affected platforms: Microsoft Windows
Signature database version: 6126 (20110516)

Short description

Win32/Ghodow.NAG is a trojan that changes the home page of certain web browsers. Win32/Ghodow.NAG replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:
  • C:\smsc.exe (57856 B)
  • C:\mb.exe (84992 B)
  • C:\alg.exe (57856 B)
  • %system%\hello_tt.sys (6656 B)
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.IE
  • %desktop%\Internet Explorer.IE
The trojan may create the following files:
  • %commonvideo%\PulgFile.log
  • %commonvideo%\al.ini
The trojan registers itself as a system service using the following filename:
  • hello_tt
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Run]
    "Alg" = "C:\alg.exe"
Win32/Ghodow.NAG replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, and also places additional code to load and patch the following files:
  • ntldr
  • ntkrnlpa.exe
  • beep.sys
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_CLASSES_ROOT\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
The following Registry entries are removed:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485866016}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{20000000-0000-0000-0000-000000000000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
  • [HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc850}]
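As an added host-triage example (not code from the original post or from the ESET write-up), the Python below matches the installation indicators listed above against a host snapshot: the dropped files with their %placeholder% paths expanded, the Run value, the hijacked CLSID OpenHomePage verb and the hello_tt service. The placeholder expansions and the infected-host snapshot are assumed/constructed sample values.

```python
# Added example (not from the original post or from ESET's write-up): match the
# Win32/Ghodow.NAG host indicators listed above against a host snapshot. The
# snapshot below is constructed sample data; on a real host, fill the same three
# lists from a file listing, a registry export and a service enumeration.
import re

# Placeholder expansions for a default English Windows XP profile (assumed values).
EXPAND = {
    "%system%": r"C:\WINDOWS\system32",
    "%appdata%": r"C:\Documents and Settings\user\Application Data",
    "%desktop%": r"C:\Documents and Settings\user\Desktop",
    "%commonvideo%": r"C:\Documents and Settings\All Users\Documents\My Videos",
}
FILE_IOCS = [
    r"C:\smsc.exe", r"C:\mb.exe", r"C:\alg.exe", r"%system%\hello_tt.sys",
    r"%appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.IE",
    r"%desktop%\Internet Explorer.IE", r"%commonvideo%\PulgFile.log", r"%commonvideo%\al.ini",
]
# Run key path exactly as given in the write-up, compared case-insensitively.
RUN_IOC = (r"hkey_local_machine\software\windows\currentversion\run", "alg", r"c:\alg.exe")
SERVICE_IOC = "hello_tt"
# The home-page hijack: a CLSID's shell\OpenHomePage\Command verb pointing iexplore.exe at a URL.
HOMEPAGE_RE = re.compile(r"\\clsid\\\{[0-9a-f-]+\}\\shell\\openhomepage\\command$", re.I)

def expand(path):
    """Substitute the %placeholder% tokens used in the write-up and normalise case."""
    for token, value in EXPAND.items():
        path = path.replace(token, value)
    return path.lower()

def scan(files, registry, services):
    """files: paths; registry: (key, value_name, data) triples; services: names. Returns hits."""
    present = {f.lower() for f in files}
    hits = [("file", ioc) for ioc in FILE_IOCS if expand(ioc) in present]
    for key, name, data in registry:
        if (key.lower(), name.lower(), data.lower()) == RUN_IOC:
            hits.append(("run-key", key + "\\" + name))
        elif HOMEPAGE_RE.search(key) and "iexplore.exe http" in data.lower():
            hits.append(("homepage-hijack", key))
    if SERVICE_IOC in {s.lower() for s in services}:
        hits.append(("service", SERVICE_IOC))
    return hits

# Constructed snapshot of an infected host (sample data, not taken from a real machine).
SAMPLE_FILES = [r"C:\alg.exe", r"C:\WINDOWS\system32\hello_tt.sys", r"C:\WINDOWS\notepad.exe"]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Run", "Alg", r"C:\alg.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command",
     "(Default)", r"C:\Program Files\Internet Explorer\iexplore.exe http://example.invalid"),
]
SAMPLE_SERVICES = ["Dnscache", "hello_tt"]
```

Running `scan(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_SERVICES)` on the constructed snapshot reports two dropped files, the Run value, the hijacked OpenHomePage verb and the service; the MBR replacement is not covered here and needs a raw read of sector 0 compared against a known-good copy.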

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs and communicates over HTTP.

It may perform the following actions:
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • collect information about the operating system used
  • send gathered information
  • update itself to a newer version

Wednesday, 6 July 2011

(by shasha) "Three Ways Of Bypassing StarForce CD Protection"


Hello, I'm gonna post here 3 ways of bypassing the StarForce CD Protection that comes with some games. The first 2 ways were used to bypass the StarForce Protection of «Codename Panzers Phase»; the last one is the way to play «D-Day», but they might work with other games:

First:

1) Do not put any CD in...;
2) Run Daemon Tools with RMPS on (don't know how necessary this is);
3) Run the game... it will say "Error, No CD Found" or something like this;
4) Turn off Daemon Tools RMPS...
5) Eject the CD-ROM/DVD-ROM and put it in... and when the CD tray is beginning to retract back... I click Retry immediately! Before it even goes in.

When doing this I get 100% success loading the game with the backup CD!... If I waited until the CD went all the way in, it never worked for me.

================================================================================


Second:

1) CD1 & CD2 have to be burned on a 700MB CD-R or CD-RW; burn CD3 on a 700MB CD-RW!!!
2) Select the following preferences in Alcohol 120% and then burn the CD:

File type: User advanced (as the user wants it?)
Burn method: AO/SAO
Buffer Underrun Technology activate: ON
Don't Close The Last Session: OFF
Ignore EFM Error: OFF
Correct Sub-Channel: ON (default)
"RMPS" write on disc (or write on medium, I don't know): OFF

3) Install the game and start it;
4) Reboot your PC so that the StarForce 3 driver activates itself;
5) Insert disc 3 and play the game;

NOTE: Before the start you aren't allowed to activate emulations with Alcohol or to run any kind of Daemon Tools.
Don't mount the images! The game starts only if you have Disc 3 in your drive!

Addition:
Burn CD1, CD2, CD3 as described in the upper part, then remove Alcohol 120%.

Remove all CDs from your drives.
Start Daemon Tools and activate RMPS.

Start Panzers.
Then there is an ERROR: "CD not found" (or something like that), but that's OK.

Now deactivate the RMPS in your Daemon Tools but still run the program in the background. Deactivate only RMPS. Now insert CD3 into your drive and click on the Retry button.

Now the game starts.

================================================================================



Third:

1) Install D-Day;
2) Shut down the PC;
3) Turn off the power to your CD/DVD-ROMs manually;
4) Turn on your PC;
5) Mount the D-Day CD1 with Daemon Tools, using RMPS emulation;
6) Play and have fun.