Posts from the ‘Articles’ Category

Inside Windows Product Activation – Algorithm Explanation

The current public discussion of Windows Product Activation (WPA) is

characterized by uncertainty and speculation. In this paper we supply

the technical details of WPA – as implemented in Windows XP – that

Microsoft should have published long ago.


While we strongly believe that every software vendor has the right to

enforce the licensing terms governing the use of a piece of licensed

software by technical means, we also do believe that each individual

has the right to detailed knowledge about the full implications of the

employed means and possible limitations imposed by it on software

usage.


In this paper we answer what we think are currently the two most

important open questions related to Windows Product Activation.


* Exactly what information is transmitted during activation?


* How do hardware modifications affect an already activated

installation of Windows XP?


Our answers to these questions are based on Windows XP Release

Candidate 1 (build 2505). Later builds as well as the final version of

Windows XP might differ from build 2505, e.g. in the employed

cryptographic keys or the layout of some of the data

structures.


However, beyond such minor modifications we expect Microsoft to cling

to the general architecture of their activation mechanism. Thus, we

are convinced that the answers provided by this paper will still be

useful when the final version of Windows XP ships.


This paper supplies in-depth technical information about the inner

workings of WPA. Still, the discussion is a little vague at some

points in order not to facilitate the task of an attacker attempting

to circumvent the license enforcement supplied by the activation

mechanism.


XPDec, a command line utility suitable for verifying the presented

information, can be obtained from http://www.licenturion.com/xp/. It

implements the algorithms presented in this paper. Reading its source

code, which is available from the same location, is highly

recommended.


We have removed an important cryptographic key from the XPDec source

code. Recompiling the source code will thus fail to produce a working

executable. The XPDec executable on our website, however, contains

this key and is fully functional.


So, download the source code to learn about the inner workings of WPA,

but obtain the executable to experiment with your installation of

Windows XP.


We expect the reader to be familiar with the general procedure of

Windows Product Activation.


>> INSIDE THE INSTALLATION ID


We focused our research on product activation via telephone. We did

so, because we expected this variant of activation to be the most

straight-forward to analyze.


The first step in activating Windows XP via telephone is supplying the

call-center agent with the Installation ID displayed by msoobe.exe,

the application that guides a user through the activation process. The

Installation ID is a number consisting of 50 decimal digits that are

divided into groups of six digits each, as in


002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX


In this authentic Installation ID we have substituted digits that we

prefer not to disclose by ‘X’ characters.


If msoobe.exe is invoked more than once, it provides a different

Installation ID each time.


In return, the call-center agent provides a Confirmation ID matching

the given Installation ID. Entering the Confirmation ID completes the

activation process.


Since the Installation ID is the only piece of information revealed

during activation, the above question concerning the information

transmitted during the activation process is equivalent to the

question


‘How is the Installation ID generated?’


To find an answer to this question, we trace back each digit of the

Installation ID to its origins.


>>> Check digits


The rightmost digit in each of the groups is a check digit to guard

against simple errors such as the call center agent’s mistyping of one

of the digits read to him or her. The value of the check digit is

calculated by adding the other five digits in the group, adding the

digits at even positions a second time, and dividing the sum by

seven. The remainder of the division is the value of the check

digit. In the above example the check digit for the first group (6) is

calculated as follows.


1 | 2 | 3 | 4 | 5 <- position

—+—+—+—+—

0 | 0 | 2 | 6 | 6 <- digits


0 + 0 + 2 + 6 + 6 = 14 (step 1: add all digits)

0 + 6 + 14 = 20 (step 2: add even digits again)


step 3: division

20 / 7 = 2, remainder is 20 – (2 * 7) = 6


=> check digit is 6


Adding the even digits twice is probably intended to guard against the

relatively frequent error of accidentally swapping two digits while

typing, as in 00626 vs. 00266, which yield different check digits.


>>> Decoding


Removing the check digits results in a 41-digit decimal number. A

decimal number of this length roughly corresponds to a 136-bit binary

number. In fact, the 41-digit number is just the decimal encoding of

such a 136-bit multi-precision integer, which is stored in little

endian byte order as a byte array. Hence, the above Installation ID

can also be represented as a sequence of 17 bytes as in


0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX

0x94 0xAA 0x46 0xD6 0x0F 0xBD 0x2C 0xC8

0x00


In this representation of the above Installation ID ‘X’ characters

again substitute the digits that we prefer not to disclose. The ‘0x’

prefix denotes hex notation throughout this paper.


>>> Decryption


When decoding arbitrary Installation IDs it can be noticed that the

most significant byte always seems to be 0x00 or 0x01, whereas the

other bytes look random. The reason for this is that the lower 16

bytes of the Installation ID are encrypted, whereas the most

significant byte is kept in plaintext.


The cryptographic algorithm employed to encrypt the Installation ID is

a proprietary four-round Feistel cipher. Since the block of input

bytes passed to a Feistel cipher is divided into two blocks of equal

size, this class of ciphers is typically applied to input blocks

consisting of an even number of bytes – in this case the lower 16 of

the 17 input bytes. The round function of the cipher is the SHA-1

message digest algorithm keyed with a four-byte sequence.


Let + denote the concatenation of two byte sequences, ^ the XOR

operation, L and R the left and right eight-byte input half for one

round, L’ and R’ the output halves of said round, and First-8() a

function that returns the first eight bytes of an SHA-1 message

digest. Then one round of decryption looks as follows.


L’ = R ^ First-8(SHA-1(L + Key))

R’ = L


The result of the decryption is 16 bytes of plaintext, which are –

together with the 17th unencrypted byte – from now on interpreted as

four double words in little endian byte order followed by a single

byte as in


name | size | offset

—–+————-+——-

H1 | double word | 0

H2 | double word | 4

P1 | double word | 8

P2 | double word | 12

P3 | byte | 16


H1 and H2 specify the hardware configuration that the Installation ID

is linked to. P1 and P2 as well as the remaining byte P3 contain the

Product ID associated with the Installation ID.


>>> Product ID


The Product ID consists of five groups of decimal digits, as in


AAAAA-BBB-CCCCCCC-DDEEE


If you search your registry for a value named ‘ProductID’, you will

discover the ID that applies to your installation. The ‘About’ window

of Internet Explorer should also yield your Product ID.


>>>> Decoding


The mapping between the Product ID in decimal representation and its

binary encoding in the double words P1 and P2 and the byte P3 is

summarized in the following table.


digits | length | encoding

——–+———+—————————————

AAAAA | 17 bits | bit 0 to bit 16 of P1

BBB | 10 bits | bit 17 to bit 26 of P1

CCCCCCC | 28 bits | bit 27 to bit 31 of P1 (lower 5 bits)

| | bit 0 to bit 22 of P2 (upper 23 bits)

DDEEE | 17 bits | bit 23 to bit 31 of P2 (lower 9 bits)

| | bit 0 to bit 7 of P3 (upper 8 bits)


The meaning of each of the five groups of digits is documented in the

next table.


digits | meaning

——–+————————————————-

AAAAA | apparently always 55034 (in Windows XP RC1)

BBB | most significant three digits of Raw Product Key

| (see below)

CCCCCCC | least significant six digits of Raw Product Key

| plus check digit (see below)

DD | index of the public key used to verify the

| Product Key (see below)

EEE | random value


As can be seen, the (Raw) Product Key plays an important role in

generating the Product ID.


>>>> Product Key


The Raw Product Key is buried inside the Product Key that is printed

on the sticker distributed with each Windows XP CD. It consists of

five alphanumeric strings separated by ‘-‘ characters, where each

string is composed of five characters, as in


FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK


Each character is one of the following 24 letters and digits:


B C D F G H J K M P Q R T V W X Y 2 3 4 6 7 8 9


Very similar to the decimal encoding of the Installation ID the 25

characters of the Product Key form a base-24 encoding of the binary

representation of the Product Key. Decoding the Product Key yields a

multi-precision integer of roughly 115 bits, which is stored – again

in little endian byte order – in an array of 15 bytes. Decoding the

above Product Key results in the following byte sequence.


0x6F 0xFA 0x95 0x45 0xFC 0x75 0xB5 0x52

0xBB 0xEF 0xB1 0x17 0xDA 0xCD 0x00


Of these 15 bytes the least significant four bytes contain the Raw

Product Key in little endian byte order. The least significant bit is

removed by shifting this 32-bit value (0x4595FA6F – remember the

little endian byte order) to the left by one bit position, resulting

in a Raw Product Key of 0x22CAFD37, or


583728439


in decimal notation.


The eleven remaining bytes form a digital signature, allowing

verification of the authenticity of the Product Key by means of a

hard-coded public key.


>>>> Product Key -> Product ID


The three most significant digits, i.e. 583, of the Raw Product Key’s

nine-digit decimal representation directly map to the BBB component of

the Product ID described above.


To obtain the CCCCCCC component, a check digit is appended to the

remaining six digits 728439. The check digit is chosen such that the

sum of all digits – including the check digit – is divisible by

seven. In the given case, the sum of the six digits is


7 + 2 + 8 + 4 + 3 + 9 = 33


which results in a check digit of 2, since


7 + 2 + 8 + 4 + 3 + 9 + 2 = 33 + 2 = 35


which is divisible by seven. The CCCCCCC component of the Product ID

is therefore 7284392.


For verifying a Product Key, more than one public key is available. If

verification with the first public key fails, the second is tried,

etc. The DD component of the Product ID specifies which of the public

keys in this sequence was successfully used to verify the Product Key.


This mechanism might be intended to support several different parties

generating valid Product Keys with different individual private keys.


However, the different private keys might also represent different

versions of a product. A Product Key for the ‘professional’ release

could then be signed with a different key than a Product Key for the

‘server’ release. The DD component would then represent the product

version.


Finally, a valid Product ID derived from our example Product Key might

be


55034-583-7284392-00123


which indicates that the first public key (DD = index = 0) matched and

123 was chosen as the random number EEE.


The randomly selected EEE component is the reason for msoobe.exe

presenting a different Installation ID at each invocation. Because of

the applied encryption this small change results in a completely

different Installation ID.


So, the Product ID transmitted during activation will most probably

differ in the last three digits from your Product ID as displayed by

Internet Explorer or as stored in the registry.


>>> Hardware Information


As discussed above, the hardware configuration linked to the

Installation ID is represented by the two double words H1 and H2.


>>>> Bit-fields


For this purpose, the double words are divided into twelve

bit-fields. The relationship between the computer hardware and the

bit-fields is given in the following table.


double word | offset | length | bit-field value based on

————+——–+——–+—————————-

H1 | 0 | 10 | volume serial number string

| | | of system volume

H1 | 10 | 10 | network adapter MAC address

| | | string

H1 | 20 | 7 | CD-ROM drive hardware

| | | identification string

H1 | 27 | 5 | graphics adapter hardware

| | | identification string

H2 | 0 | 3 | unused, set to 001

H2 | 3 | 6 | CPU serial number string

H2 | 9 | 7 | harddrive hardware

| | | identification string

H2 | 16 | 5 | SCSI host adapter hardware

| | | identification string

H2 | 21 | 4 | IDE controller hardware

| | | identification string

H2 | 25 | 3 | processor model string

H2 | 28 | 3 | RAM size

H2 | 31 | 1 | 1 = dockable

| | | 0 = not dockable


Bit 31 of H2 specifies, whether the bit-fields represent a notebook

computer that supports a docking station. If docking is possible, the

activation mechanism will be more tolerant with respect to future

hardware modifications. Here, the idea is that plugging a notebook

into its docking station possibly results in changes to its hardware

configuration, e.g. a SCSI host adapter built into the docking station

may become available.


Bits 2 through 0 of H2 are unused and always set to 001.


If the hardware component corresponding to one of the remaining ten

bit-fields is present, the respective bit-field contains a non-zero

value describing the component. A value of zero marks the hardware

component as not present.


All hardware components are identified by a hardware identification

string obtained from the registry. Hashing this string provides the

value for the corresponding bit-field.


>>>> Hashing


The hash result is obtained by feeding the hardware identification

string into the MD5 message digest algorithm and picking the number of

bits required for a bit-field from predetermined locations in the

resulting message digest. Different predetermined locations are used

for different bit-fields. In addition, a hash result of zero is

avoided by calculating


Hash = (Hash % BitFieldMax) + 1


where BitFieldMax is the maximal value that may be stored in the

bit-field in question, e.g. 1023 for a 10-bit bit-field, and ‘x % y’

denotes the remainder of the division of x by y. This results in

values between 1 and BitFieldMax. The obtained value is then stored in

the respective bit-field.


>>>> RAM bit-field


The bit-field related to the amount of RAM available to the operating

system is calculated differently. The seven valid values specify the

approximate amount of available RAM as documented in the following

table.


value | amount of RAM available

——+—————————

0 | (bit-field unused)

1 | below 32 MB

2 | between 32 MB and 63 MB

3 | between 64 MB and 127 MB

4 | between 128 MB and 255 MB

5 | between 256 MB and 511 MB

6 | between 512 MB and 1023 MB

7 | above 1023 MB


It is important to note that the amount of RAM is retrieved by calling

the GlobalMemoryStatus() function, which reports a few hundred

kilobytes less than the amount of RAM physically installed. So, 128 MB

of RAM would typically be classified as “between 64 MB and 127 MB”.


>>>> Real-world example


Let us have a look at a real-world example. On one of our test systems

the hardware information consists of the following eight bytes.


0xC5 0x95 0x12 0xAC 0x01 0x6E 0x2C 0x32


Converting the bytes into H1 and H2, we obtain


H1 = 0xAC1295C5 and H2 = 0x322C6E01


Splitting H1 and H2 yields the next table in which we give the value

of each of the bit-fields and the information from which each value is

derived.


dw & | |

offset | value | derived from

——-+——-+———————————————–

H1 0 | 0x1C5 | ‘1234-ABCD’

H1 10 | 0x0A5 | ’00C0DF089E44′

H1 20 | 0x37 | ‘SCSI\CDROMPLEXTOR_CD-ROM_PX-32TS__1.01’

H1 27 | 0x15 | ‘PCI\VEN_102B&DEV_0519&SUBSYS_00000000&REV_01’

H2 0 | 0x1 | (unused, always 0x1)

H2 3 | 0x00 | (CPU serial number not present)

H2 9 | 0x37 | ‘SCSI\DISKIBM_____DCAS-34330______S65A’

H2 16 | 0x0C | ‘PCI\VEN_9004&DEV_7178&SUBSYS_00000000&REV_03’

H2 21 | 0x1 | ‘PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01’

H2 25 | 0x1 | ‘GenuineIntel Family 6 Model 3’

H2 28 | 0x3 | (system has 128 MB of RAM)

H2 31 | 0x0 | (system is not dockable)


>>> Using XPDec


XPDec is a utility to be run from the command prompt. It may be

invoked with one of four command line options to carry out one of four

tasks.


>>>> XPDec -i


This option enables you to access the information hidden in an

Installation ID. It decodes the Installation ID, decrypts it, and

displays the values of the hardware bit-fields as well as the Product

ID of your product. Keep in mind that the last three digits of the

Product ID contained in the Installation ID are randomly selected and

differ from the Product ID displayed by Internet Explorer.


The only argument needed for the ‘-i’ option is the Installation ID,

as in


XPDec -i 002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX


>>>> XPDec -p


To help you trace the origin of your Product ID, this option decodes a

Product Key and displays the Raw Product Key as it would be used in a

Product ID.


The only argument needed for the ‘-p’ option is the Product Key, as in


XPDec -p FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK


Note that this option does not verify the digital signature of the

Product Key.


>>>> XPDec -v


This option calculates the hash of a given volume serial number. It

was implemented to illustrate our description of string hashing. First

use ‘-i’ to display the hardware bit-fields. Then use this option to

verify our claims concerning the volume serial number hash.


The only argument needed for the ‘-v’ option is the volume serial

number of your system volume, as in


XPDec -v 1234-ABCD


(The volume serial number is part of the ‘dir’ command’s output.)


>>>> XPDec -m


This option calculates the network adapter bit-field value

corresponding to the given MAC address. Similar to ‘-v’ this option

was implemented as a proof of concept.


The only argument needed for the ‘-m’ option is the MAC address of

your network adapter, as in


XPDec -m 00-C0-DF-08-9E-44


(Use the ‘route print’ command to obtain the MAC address of your

network adapter.)


>> HARDWARE MODIFICATIONS


When looking at the effects of hardware modifications on an already

activated installation of Windows XP, the file ‘wpa.dbl’ in the

‘system32’ directory plays a central role. It is a simple

RC4-encrypted database that stores, among other things like expiration

information and the Confirmation ID of an activated installation,


a) the bit-field values representing the current hardware

configuration,


and

the bit-field values representing the hardware configuration

at the time of product activation.


While a) is automatically updated each time the hardware configuration

is modified in order to reflect the changes, remains fixed. Hence,
can be thought of as a snapshot of the hardware configuration at

the time of product activation.


This snapshot does not exist in the database before product activation

and if we compare the size of ‘wpa.dbl’ before and after activation,

we will notice an increased file size. This is because the snapshot is

added to the database.


When judging whether re-activation is necessary, the bit-field values

of a) are compared to the bit-field values of , i.e. the current

hardware configuration is compared to the hardware configuration at

the time of activation.


>>> Non-dockable computer


Typically all bit-fields with the exception of the unused field and

the ‘dockable’ field are compared. If more than three of these ten

bit-fields have changed in a) since product activation, re-activation

is required.


This means, for example, that in our above real-world example, we

could replace the harddrive and the CD-ROM drive and substantially

upgrade our RAM without having to re-activate our Windows XP

installation.


However, if we completely re-installed Windows XP, the information in
would be lost and we would have to re-activate our installation,

even if we had not changed our hardware.


>>> Dockable computer


If bit 31 of H2 indicates that our computer supports a docking

station, however, only seven of the ten bit-fields mentioned above are

compared. The bit-fields corresponding to the SCSI host adapter, the

IDE controller, and the graphics board are omitted. But again, of

these remaining seven bit-fields, only up to three may change without

requiring re-activation.


>> CONCLUSIONS


In this paper we have given a technical overview of Windows Product

Activation as implemented in Windows XP. We have shown what

information the data transmitted during product activation is derived

from and how hardware upgrades affect an already activated

installation.


Looking at the technical details of WPA, we do not think that it is as

problematic as many people have expected. We think so, because WPA is

tolerant with respect to hardware modifications. In addition, it is

likely that more than one hardware component map to a certain value

for a given bit-field. From the above real-world example we know that

the PX-32TS maps to the value 0x37 = 55. But there are probably many

other CD-ROM drives that map to the same value. Hence, it is

impossible to tell from the bit-field value whether it is a PX-32TS

that we are using or one of the other drives that map to the same

value.


In contrast to many critics of Windows Product Activation, we think

that WPA does not prevent typical hardware modifications and,

moreover, respects the user’s right to privacy.


>> ABOUT THE AUTHORS


Fully Licensed GmbH is a start-up company focusing on novel approaches

to online software licensing and distribution. Have a look at their

website at

http://www.licenturion.com


for more information.


Their research branch every now and then analyzes licensing solutions

implemented by other companies.


>> COPYRIGHT


Copyright © 2001 Fully Licensed GmbH (www.licenturion.com)

All rights reserved.


You are free to do whatever you want with this paper. However, you

have to supply the URL of its online version

http://www.licenturion.com/xp/


with any work derived from this paper to give credit to its authors.

NTFS vs FAT

To NTFS or not to NTFS—that is the question. But unlike the deeper questions of life, this one isn’t really all that hard to answer. For most users running Windows XP, NTFS is the obvious choice. It’s more powerful and offers security advantages not found in the other file systems. But let’s go over the differences among the files systems so we’re all clear about the choice. There are essentially three different file systems available in Windows XP: FAT16, short for File Allocation Table, FAT32, and NTFS, short for NT File System. 
FAT16
The FAT16 file system was introduced way back with MS–DOS in 1981, and it’s showing its age. It was designed originally to handle files on a floppy drive, and has had minor modifications over the years so it can handle hard disks, and even file names longer than the original limitation of 8.3 characters, but it’s still the lowest common denominator. The biggest advantage of FAT16 is that it is compatible across a wide variety of operating systems, including Windows 95/98/Me, OS/2, Linux, and some versions of UNIX. The biggest problem of FAT16 is that it has a fixed maximum number of clusters per partition, so as hard disks get bigger and bigger, the size of each cluster has to get larger. In a 2–GB partition, each cluster is 32 kilobytes, meaning that even the smallest file on the partition will take up 32 KB of space. FAT16 also doesn’t support compression, encryption, or advanced security using access control lists. FAT32
The FAT32 file system, originally introduced in Windows 95 Service Pack 2, is really just an extension of the original FAT16 file system that provides for a much larger number of clusters per partition. As such, it greatly improves the overall disk utilization when compared to a FAT16 file system. However, FAT32 shares all of the other limitations of FAT16, and adds an important additional limitation—many operating systems that can recognize FAT16 will not work with FAT32—most notably Windows NT, but also Linux and UNIX as well. Now this isn’t a problem if you’re running FAT32 on a Windows XP computer and sharing your drive out to other computers on your network—they don’t need to know (and generally don’t really care) what your underlying file system is. The Advantages of NTFS
The NTFS file system, introduced with first version of Windows NT, is a completely different file system from FAT. It provides for greatly increased security, file–by–file compression, quotas, and even encryption. It is the default file system for new installations of Windows XP, and if you’re doing an upgrade from a previous version of Windows, you’ll be asked if you want to convert your existing file systems to NTFS. Don’t worry. If you’ve already upgraded to Windows XP and didn’t do the conversion then, it’s not a problem. You can convert FAT16 or FAT32 volumes to NTFS at any point. Just remember that you can’t easily go back to FAT or FAT32 (without reformatting the drive or partition), not that I think you’ll want to. The NTFS file system is generally not compatible with other operating systems installed on the same computer, nor is it available when you’ve booted a computer from a floppy disk. For this reason, many system administrators, myself included, used to recommend that users format at least a small partition at the beginning of their main hard disk as FAT. This partition provided a place to store emergency recovery tools or special drivers needed for reinstallation, and was a mechanism for digging yourself out of the hole you’d just dug into. But with the enhanced recovery abilities built into Windows XP (more on that in a future column), I don’t think it’s necessary or desirable to create that initial FAT partition. When to Use FAT or FAT32
If you’re running more than one operating system on a single computer, you will definitely need to format some of your volumes as FAT. Any programs or data that need to be accessed by more than one operating system on that computer should be stored on a FAT16 or possibly FAT32 volume. But keep in mind that you have no security for data on a FAT16 or FAT32 volume—any one with access to the computer can read, change, or even delete any file that is stored on a FAT16 or FAT32 partition. In many cases, this is even possible over a network. So do not store sensitive files on drives or partitions formatted with FAT file systems.

Evolution of computer viruses or history of virus


part 1


Like any other field in computer science, viruses have evolved -a great deal indeed- over the years. In the series of press releases which start today, we will look at the origins and evolution of malicious code since it first appeared up to the present.

Going back to the origin of viruses, it was in 1949 that Mathematician John Von Neumann described self-replicating programs which could resemble computer viruses as they are known today. However, it was not until the 60s that we find the predecessor of current viruses. In that decade, a group of programmers developed a game called Core Wars, which could reproduce every time it was run, and even saturate the memory of other players’ computers. The creators of this peculiar game also created the first antivirus, an application named Reeper, which could destroy copies created by Core Wars.

However, it was only in 1983 that one of these programmers announced the existence of Core Wars, which was described the following year in a prestigious scientific magazine: this was actually the starting point of what we call computer viruses today.

At that time, a still young MS-DOS was starting to become the preeminent operating system worldwide. This was a system with great prospects, but still many deficiencies as well, which arose from software developments and the lack of many hardware elements known today. Even like this, this new operating system became the target of a virus in 1986: Brain, a malicious code created in Pakistan which infected boot sectors of disks so that their contents could not be accessed. That year also saw the birth of the first Trojan: an application called PC-Write.

Shortly after, virus writers realized that infecting files could be even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However, the worst was still to come: 1988 set the date when the “Morris worm” appeared, infecting 6,000 computers.

From that date up to 1995 the types of malicious codes that are known today started being developed: the first macro viruses appeared, polymorphic viruses … Some of these even triggered epidemics, such as MichaelAngelo. However, there was an event that changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by little, viruses started adapting to this new situation until the appearance, in 1999, of Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for computer viruses.



part 2


This second installment of ‘The evolution of viruses’ will look at how malicious code used to spread before use of the Internet and e-mail became as commonplace as it is today, and the main objectives of the creators of those earlier viruses.
Until the worldwide web and e-mail were adopted as a standard means of communication the world over, the main mediums through which viruses spread were floppy disks, removable drives, CDs, etc., containing files that were already infected or with the virus code in an executable boot sector.

When a virus entered a system it could go memory resident, infecting other files as they were opened, or it could start to reproduce immediately, also infecting other files on the system. The virus code could also be triggered by a certain event, for example when the system clock reached a certain date or time. In this case, the virus creator would calculate the time necessary for the virus to spread and then set a date –often with some particular significance- for the virus to activate. In this way, the virus would have an incubation period during which it didn’t visibly affect computers, but just spread from one system to another waiting for ‘D-day’ to launch its payload. This incubation period would be vital to the virus successfully infecting as many computers as possible.

One classic example of a destructive virus that lay low before releasing its payload was CIH, also known as Chernobyl. The most damaging version of this malicious code activated on April 26, when it would try to overwrite the flash-BIOS, the memory which includes the code needed to control PC devices. This virus, which first appeared in June 1998, had a serious impact for over two years and still continues to infect computers today.

Because of the way in which they propagate, these viruses spread very slowly, especially in comparison to the speed of today’s malicious code. Towards the end of the Eighties, for example, the Friday 13th (or Jerusalem) virus needed a long time to actually spread and continued to infect computers for some years. In contrast, experts reckon that in January 2003, SQLSlammer took just ten minutes to cause global communication problems across the Internet.

Notoriety versus stealth

For the most part, in the past, the activation of a malicious code triggered a series of on screen messages or images, or caused sounds to be emitted to catch the user’s attention. Such was the case with the Ping Pong virus, which displayed a ball bouncing from one side of the screen to another. This kind of elaborate display was used by the creator of the virus to gain as much notoriety as possible. Nowadays however, the opposite is the norm, with virus authors trying to make malicious code as discreet as possible, infecting users’ systems without them noticing that anything is amiss.



pat 3


This third installment of ‘The evolution of viruses’ will look at how the Internet and e-mail changed the propagation techniques used by computer viruses.

Internet and e-mail revolutionized communications. However, as expected, virus creators didn’t take long to realize that along with this new means of communication, an excellent way of spreading their creations far and wide had also dawned. Therefore, they quickly changed their aim from infecting a few computers while drawing as much attention to themselves as possible, to damaging as many computers as possible, as quickly as possible. This change in strategy resulted in the first global virus epidemic, which was caused by the Melissa worm.

With the appearance of Melissa, the economic impact of a virus started to become an issue. As a result, users -above all companies- started to become seriously concerned about the consequences of viruses on the security of their computers. This is how users discovered antivirus programs, which started to be installed widely. However, this also brought about a new challenge for virus writers, how to slip past this protection and how to persuade users to run infected files.

The answer to which of these virus strategies was the most effective came in the form of a new worm: Love Letter, which used a simple but effective ruse that could be considered an early type of social engineering. This strategy involves inserting false messages that trick users into thinking that the message includes anything, except a virus. This worm’s bait was simple; it led users to believe that they had received a love letter.

This technique is still the most widely used. However, it is closely followed by another tactic that has been the center of attention lately: exploiting vulnerabilities in commonly used software. This strategy offers a range of possibilities depending on the security hole exploited. The first malicious code to use this method –and quite successfully- were the BubbleBoy and Kakworm worms. These worms exploited a vulnerability in Internet Explorer by inserting HTML code in the body of the e-mail message, which allowed them to run automatically, without needing the user to do a thing.

Vulnerabilities allow many different types of actions to be carried out. For example, they allow viruses to be dropped on computers directly from the Internet -such as the Blaster worm-. In fact, the effects of the virus depend on the vulnerability that the virus author tries to exploit.



part 4


In the early days of computers, there were relatively few PCs likely to contain “sensitive” information, such as credit card numbers or other financial data, and these were generally limited to large companies that had already incorporated computers into working processes.

In any event, information stored in computers was not likely to be compromised, unless the computer was connected to a network through which the information could be transmitted. Of course, there were exceptions to this and there were cases in which hackers perpetrated frauds using data stored in IT systems. However, this was achieved through typical hacking activities, with no viruses involved.

The advent of the Internet however caused virus creators to change their objectives, and, from that moment on, they tried to infect as many computers as possible in the shortest time. Also, the introduction of Internet services -like e-banking or online shopping- brought in another change. Some virus creators started writing malicious codes not to infect computers, but, to steal confidential data associated to those services. Evidently, to achieve this, they needed viruses that could infect many computers silently.

Their malicious labor was finally rewarded with the appearance, in 1986, of a new breed of malicious code generically called “Trojan Horse”, or simply “Trojan”. This first Trojan was called PC-Write and tried to pass itself off as the shareware version of a text processor. When run, the Trojan displayed a functional text processor on screen. The problem was that, while the user wrote, PC-Write deleted and corrupted files on the computers’ hard disk.

After PC-Write, this type of malicious code evolved very quickly to reach the stage of present-day Trojans. Today, many of the people who design Trojans to steal data cannot be considered virus writers but simply thieves who, instead of using blowtorches or dynamite have turned to viruses to commit their crimes. Ldpinch.W or the Bancos or Tolger families of Trojans are examples of this


part 5


Even though none of them can be left aside, some particular fields of computer science have played a more determinant role than others with regard to the evolution of viruses. One of the most influential fields has been the development of programming languages.

These languages are basically a means of communication with computers in order to tell them what to do. Even though each of them has its own specific development and formulation rules, computers in fact understand only one language called “machine code”.

Programming languages act as an interpreter between the programmer and the computer. Obviously, the more directly you can communicate with the computer, the better it will understand you, and more complex actions you can ask it to perform.

According to this, programming languages can be divided into “low and high level” languages, depending on whether their syntax is more understandable for programmers or for computers. A “high level” language uses expressions that are easily understandable for most programmers, but not so much for computers. Visual Basic and C are good examples of this type of language.

On the contrary, expressions used by “low level” languages are closer to machine code, but are very difficult to understand for someone who has not been involved in the programming process. One of the most powerful, most widely used examples of this type of language is “assembler”.

In order to explain the use of programming languages through virus history, it is necessary to refer to hardware evolution. It is not difficult to understand that an old 8-bit processor does not have the power of modern 64-bit processors, and this of course, has had an impact on the programming languages used.

In this and the next installments of this series, we will look at the different programming languages used by virus creators through computer history:

– Virus antecessors: Core Wars

As was already explained in the first chapter of this series, a group of programs called Core Wars, developed by engineers at an important telecommunications company, are considered the antecessors of current-day viruses. Computer science was still in the early stages and programming languages had hardly developed. For this reason, authors of these proto-viruses used a language that was almost equal to machine code to program them.

Curiously enough, it seems that one of the Core Wars programmers was Robert Thomas Morris, whose son programmed -years later- the “Morris worm”. This malicious code became extraordinarily famous since it managed to infect 6,000 computers, an impressive figure for 1988.

– The new gurus of the 8-bits and the assembler language.

The names Altair, IMSAI and Apple in USA and Sinclair, Atari and Commodore in Europe, bring memories of times gone by, when a new generation of computer enthusiasts “fought” to establish their place in the programming world. To be the best, programmers needed to have profound knowledge of machine code and assembler, as interpreters of high-level languages used too much run time. BASIC, for example, was a relatively easy to learn language which allowed users to develop programs simply and quickly. It had however, many limitations.

This caused the appearance of two groups of programmers: those who used assembler and those who turned to high-level languages (BASIC and PASCAL, mainly).

Computer aficionados of the time enjoyed themselves more by programming useful software than malware. However, 1981 saw the birth of what can be considered the first 8-bit virus. Its name was “Elk Cloner”, and was programmed in machine code. This virus could infect Apple II systems and displayed a message when it infected a computer.



part 6


Computer viruses evolve in much the same way as in other areas of IT. Two of the most important factors in understanding how viruses have reached their current level are the development of programming languages and the appearance of increasingly powerful hardware.

In 1981, almost at the same time as Elk Kloner (the first virus for 8-bit processors) made its appearance, a new operating system was growing in popularity. Its full name was Microsoft Disk Operating System, although computer buffs throughout the world would soon refer to it simply as DOS.

DOS viruses

The development of MS DOS systems occurred in parallel to the appearance of new, more powerful hardware. Personal computers were gradually establishing themselves as tools that people could use in their everyday lives, and the result was that the number of PCs users grew substantially. Perhaps inevitably, more users also started creating viruses. Gradually, we witnessed the appearance of the first viruses and Trojans for DOS, written in assembler language and demonstrating a degree of skill on the part of their authors.

Far less programmers know assembler language than are familiar with high-level languages that are far easier to learn. Malicious code written in Fortran, Basic, Cobol, C or Pascal soon began to appear. The last two languages, which are well established and very powerful, are the most widely used, particularly in their TurboC and Turbo Pascal versions. This ultimately led to the appearance of “virus families”: that is, viruses that are followed by a vast number of related viruses which are slightly modified forms of the original code.

Other users took the less ‘artistic’ approach of creating destructive viruses that did not require any great knowledge of programming. As a result, batch processing file viruses or BAT viruses began to appear.

Win16 viruses

The development of 16-bit processors led to a new era in computing. The first consequence was the birth of Windows, which, at the time, was just an application to make it easier to handle DOS using a graphic interface.

The structure of Windows 3.xx files is rather difficult to understand, and the assembler language code is very complicated, as a result of which few programmers initially attempted to develop viruses for this platform. But this problem was soon solved thanks to the development of programming tools for high-level languages, above all Visual Basic. This application is so effective that many virus creators adopted it as their ‘daily working tool’. This meant that writing a virus had become a very straightforward task, and viruses soon appeared in their hundreds. This development was accompanied by the appearance of the first Trojans able to steal passwords. As a result, more than 500 variants of the AOL Trojan family -designed to steal personal information from infected computers- were identified.

part 7

This seventh edition on the history of computer viruses will look at how the development of Windows and Visual Basic has influenced the evolution of viruses, as with the development of these, worldwide epidemics also evolved such as the first one caused by Melissa in 1999.

While Windows changed from being an application designed to make DOS easier to manage to a 32-bit platform and operating system in its own right, virus creators went back to using assembler as the main language for programming viruses.

Versions 5 and 6 of Visual Basic (VB) were developed, making it the preferred tool, along with Borland Delphi (the Pascal development for the Windows environment), for Trojan and worm writers. Then, Visual C, a powerful environment developed in C for Windows, was adopted for creating viruses, Trojans and worms. This last type of malware gained unusual strength, taking over almost all other types of viruses. Even though the characteristics of worms have changed over time, they all have the same objective: to spread to as many computers as possible, as quickly as possible.

With time, Visual Basic became extremely popular and Microsoft implemented part of the functionality of this language as an interpreter capable of running script files with a similar syntax.

At the same time as the Win32 platform was implemented, the first script viruses also appeared: malware inside a simple text file. These demonstrated that not only executable files (.EXE and .COM files) could carry viruses. As already seen with BAT viruses, there are also other means of propagation, proving the saying “anything that can be executed directly or through a interpreter can contain malware.” To be specific, the first viruses that infected the macros included in Microsoft Office emerged. As a result, Word, Excel, Access and PowerPoint become ways of spreading ‘lethal weapons’, which destroyed information when the user simply opened a document.

Melissa and self-executing worms

The powerful script interpreters in Microsoft Office allowed virus authors to arm their creations with the characteristics of worms. A clear example is Melissa, a Word macro virus with the characteristics of a worm that infects Word 97 and 2000 documents. This worm automatically sends itself out as an attachment to an e-mail message to the first 50 contacts in the Outlook address book on the affected computer. This technique, which has unfortunately become very popular nowadays, was first used in this virus which, in 1999, caused one of the largest epidemics in computer history in just a few days. In fact, companies like Microsoft, Intel or Lucent Technologies had to block their connections to the Internet due to the actions of Melissa.

The technique started by Melissa was developed in 1999 by viruses like VBS/Freelink, which unlike its predecessor sent itself out to all the contacts in the address book on the infected PC. This started a new wave of worms capable of sending themselves out to all the contacts in the Outlook address book on the infected computer. Of these, the worm that most stands out from the rest is VBS/LoveLetter, more commonly known as ‘I love You’, which emerged in May 2000 and caused an epidemic that caused damage estimated at 10,000 million euros. In order to get the user’s attention and help it to spread, this worm sent itself out in an e-mail message with the subject ‘ILOVEYOU’ and an attached file called ‘LOVE-LETTER-FOR-YOU.TXT.VBS’. When the user opened this attachment, the computer was infected.

As well as Melissa, in 1999 another type of virus emerged that also marked a milestone in virus history. In November of that year, VBS/BubbleBoy appeared, a new type of Internet worm written in VB Script. VBS/BubbleBoy was automatically run without the user needing to click on an attached file, as it exploited a vulnerability in Internet Explorer 5 to automatically run when the message was opened or viewed. This worm was followed in 2000 by JS/Kak.Worm, which spread by hiding behind Java Script in the auto-signature in Microsoft Outlook Express, allowing it to infect computers without the user needing to run an attached file. These were the first samples of a series of worms, which were joined later on by worms capable of attacking computers when the user is browsing

Installing Apache on Windows

Installing Apache on Windows, why? Because let’s face it Windows
is easy, and well Apache sure beats using IIS. This tutorial is meant for the person who would like to set up there own little
web server. It’s not meant for the IT Person running a fortune 500 company. But hey if you want go ahead.
Instalation:
First thing you need is to download the webserver. Now for windows
users your gonna want to go download the .exe . The apache website is http://www.apache.org Your gonna wanna head to the apache
binaries sections for Win32 I believe it is at http://www.apache.org/dist/httpd/binaries/win32/
There you will be able to download a version of apache.

Now before you download it you gonna want to make a folder. This folder is
where your gonna server your root directory. Now if you don’t want to do
this it’s ok. You can use the default path if you want. Put usually this helps
in setting up other things like php, and MySQL. Most people do is they create
a folder in the C:\ directory called WWW or somthin. You can name it whatever you want.

Ok so have downloaded the Apache Web Server. Your ready to go with the setup.
No the version I have downloaded was apache_2.0.36-win32-x86-no_ssl.msi This
was a newer version and supposedly supposed to be more secure. The first screen you get when your in the setup is The welcome screen we don’t care much about that
but owell so hit next. The next screen is the terms and service. And yes
your going to agree to the terms duh. The next screen is some documentation.
I never really read it but if you want go ahead and do it. Once your done
hit next again. Know we see a screen that says enter a network domain. Erase what is ever in there and type localhost. Now the next box says
Servername, erace what is ever in the box and put in localhost.
The next is Administrators e-mail address. Go ahead and fill that in.
But make sure to change it. Now there are 2 little radio buttons.
Pick the one that best suites your needs. Now that we got that all
filled out. Hit Next and you’ll go to a screen that asks you which
type of install you want to do. Then hit next.

If you wanted to server out of your one special folder. Change the
file location of were your gonna install apache. Or just leave it at the default path. Click install and it should be on
it’s way. Once it’s done installing hit the finish button.
The test:
First were gonna check to see if Apache installed correctly.
This is how we do it. Open up Internet Explorer and type in ” http://localhost&#8221; . If everything went smooth then you should
be seeing a message that looks like this” Seeing this instead of the website you expected?” Yippee!!!
Apache is working. See now wasnt’ that really simple. Ok now were gonna
do some fun stuff.
Alright now that we got or test done lets move on to changing some of this
stuff that apache did on default. In Internet Explorer if you installed
on the deafult path. Make your way to C:\Program Files\Apache Group\Apache2
This is your Main Apache Directory were you can find everything. If you want
take a short break and run around. There are some cool things there. Don’t
worry if you don’t understand what’s in these files just yet.
Break Time:
Go take a leak, get some pepsi and somthin to eat. If you got smokes light
them up in your new found glory.

Alright so now you’ve got apache installed and your about to start dishing out
your web pages that you took so much time on to build. Head to the folder called
htdocs, this is your main folder. There should be a whole bunch of pages What i do
is i select them all and move them to another folder. The htdocs folder is the best
folder in the world. It’s gonna be one of the places you spend most of your time
dishing out content for the world. Ok so get rid of all that stuff that is in your
htdocs folder. And move all your great content inside replacing it. Alright so now
once we moved all are content inside the htdocs folder and we tested it to make
sure it was there. http://localhost remember. Now let’s get out of there. Go to
Apache’s main directory. Now just to be aware of what is going on and get a good
example of how Apache Functions head off to a folder called “conf” This is the
configuration files Apache Uses. If you ever wanted to install php and other
server side scripting languages this is where you would do it. Now you get 2 copys
Use 1 as a backup and never edit it at all. Go ahead and open the folder and open
“httpd.conf” Read it very carefully cause in this tutorial were not gonna read
about it. I just want you to know it’s there. Anytime you edit the httpd.conf file
you must re-start apache in order for it to work. Another good tip for you new people
to apache is you may notice the log files. Yes there great and make sure to make backups
of the logs they will come in handy. As security precautions. I also recommend getting
a firewall set up. There are lots of great security features that apache has but this
is a tutorial to installing apache.

Alright so now you’ve got your webpages up. But the only way people will be able to view
your pages is my typing in your ip address. This is a bumper. Lets look at some free
re-directories. http://www.n2v.net, This is a cool one. You sign up put your ip adress of your
new webserver in and whalla your done. Type in www. .n2v.net and it goes to your server
and brings up your super nice webpages. Now if you go to google and search for free
domain names or re-directors you should come up with alot. Many People already know
about the http://www.dot.tk one of the coolest things in the world. Free .tk very simple
That’s all you need. It works perfect for my webserver and I’ve got around 3,000 hits
so it’s working good. If you don’t wanna do it you don’t have to. But it just
makes it simple.

Alright that comes to the conclusion of installing Apache Win32 for WINDOWS users.
Very easy. One last thing Please Read more of the Apache
Documentation either on there website or in your Apache2
directory. If you liked reading this tutorial on how to setup Apache check my
website for others at http://www.bonfire.tk . Yes there will be follow ups. I’ll be
writing another apache tutorail soon so you can set up PHP. The most awesome
scripting language ever built. And also another on how to secure Apache and yes
ALL FOR WINDOWS!! .

What is the Registry?

The Registry is a database used to store settings and options for the 32 bit versions of Microsoft Windows including Windows 95, 98, ME and NT/2000. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to a Control Panel settings, or File Associations, System Policies, or installed software, the changes are reflected and stored in the Registry.
The physical files that make up the registry are stored differently depending on your version of Windows; under Windows 95 & 98 it is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT, for Windows Me there is an additional CLASSES.DAT file, while under Windows NT/2000 the files are contained seperately in the %SystemRoot%\System32\Config directory. You can not edit these files directly, you must use a tool commonly known as a “Registry Editor” to make any changes (using registry editors will be discussed later in the article).
The Structure of The Registry
The Registry has a hierarchal structure, although it looks complicated the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer.
Each main branch (denoted by a folder icon in the Registry Editor, see left) is called a Hive, and Hives contains Keys. Each key can contain other keys (sometimes referred to as sub-keys), as well as Values. The values contain the actual information stored in the Registry. There are three types of values; String, Binary, and DWORD – the use of these depends upon the context.
There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

* HKEY_CLASSES_ROOT – This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
* HKEY_CURRENT_USER – This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
* HKEY_LOCAL_MACHINE – This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC, this information is used for all users who log onto this computer.
* HKEY_USERS – This branch contains individual preferences for each user of the computer, each user is represented by a SID sub-key located under the main branch.
* HKEY_CURRENT_CONFIG – This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
* HKEY_DYN_DATA – This branch points to the part of HKEY_LOCAL_MACHINE, for use with the Plug-&-Play features of Windows, this section is dymanic and will change as devices are added and removed from the system.


Each registry value is stored as one of five main data types:

* REG_BINARY – This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
* REG_DWORD – This type represents the data by a four byte number and is commonly used for boolean values, such as “0” is disabled and “1” is enabled. Additionally many parameters for device driver and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
* REG_EXPAND_SZ – This type is an expandable data string that is string containing a variable to be replaced when called by an application. For example, for the following value, the string “%SystemRoot%” will replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32)
* REG_MULTI_SZ – This type is a multiple string used to represent values that contain lists or multiple values, each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32)
* REG_SZ – This type is a standard string, used to represent human readable text values.


Other data types not available through the standard registry editors include:

* REG_DWORD_LITTLE_ENDIAN – A 32-bit number in little-endian format.
* REG_DWORD_BIG_ENDIAN – A 32-bit number in big-endian format.
* REG_LINK – A Unicode symbolic link. Used internally; applications should not use this type.
* REG_NONE – No defined value type.
* REG_QWORD – A 64-bit number.
* REG_QWORD_LITTLE_ENDIAN – A 64-bit number in little-endian format.
* REG_RESOURCE_LIST – A device-driver resource list.


Editing The Registry
The Registry Editor (REGEDIT.EXE) is included with most version of Windows (although you won’t find it on the Start Menu) it enables you to view, search and edit the data within the Registry. There are several methods for starting the Registry Editor, the simplest is to click on the Start button, then select Run, and in the Open box type “regedit”, and if the Registry Editor is installed it should now open and look like the image below.
An alternative Registry Editor (REGEDT32.EXE) is available for use with Windows NT/2000, it includes some additional features not found in the standard version, including; the ability to view and modify security permissions, and being able to create and modify the extended string values REG_EXPAND_SZ & REG_MULTI_SZ.
Create a Shortcut to Regedit
This can be done by simply right-clicking on a blank area of your desktop, selecting New, then Shortcut, then in the Command line box enter “regedit.exe” and click Next, enter a friendly name (e.g. ‘Registry Editor’) then click Finish and now you can double click on the new icon to launch the Registry Editor.
Using Regedit to modify your Registry
Once you have started the Regedit you will notice that on the left side there is a tree with folders, and on the right the contents (values) of the currently selected folder.
Like Windows explorer, to expand a certain branch (see the structure of the registry section), click on the plus sign [+] to the left of any folder, or just double-click on the folder. To display the contents of a key (folder), just click the desired key, and look at the values listed on the right side. You can add a new key or value by selecting New from the Edit menu, or by right-clicking your mouse. And you can rename any value and almost any key with the same method used to rename files; right-click on an object and click rename, or click on it twice (slowly), or just press F2 on the keyboard. Lastly, you can delete a key or value by clicking on it, and pressing Delete on the keyboard, or by right-clicking on it, and choosing Delete.
Note: it is always a good idea to backup your registry before making any changes to it. It can be intimidating to a new user, and there is always the possibility of changing or deleting a critical setting causing you to have to reinstall the whole operating system. It’s much better to be safe than sorry!
Importing and Exporting Registry Settings
A great feature of the Registry Editor is it’s ability to import and export registry settings to a text file, this text file, identified by the .REG extension, can then be saved or shared with other people to easily modify local registry settings. You can see the layout of these text files by simply exporting a key to a file and opening it in Notepad, to do this using the Registry Editor select a key, then from the “Registry” menu choose “Export Registry File…”, choose a filename and save. If you open this file in notepad you will see a file similar to the example below:
Quote:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
“SetupType”=dword:00000000
“CmdLine”=”setup -newsetup”
“SystemPrefix”=hex:c5,0b,00,00,00,40,36,02

The layout is quite simple, REGEDIT4 indicated the file type and version, [HKEY_LOCAL_MACHINE\SYSTEM\Setup] indicated the key the values are from, “SetupType”=dword:00000000 are the values themselves the portion after the “=” will vary depending on the type of value they are; DWORD, String or Binary.
So by simply editing this file to make the changes you want, it can then be easily distributed and all that need to be done is to double-click, or choose “Import” from the Registry menu, for the settings to be added to the system Registry.
Deleting keys or values using a REG file
It is also possible to delete keys and values using REG files. To delete a key start by using the same format as the the REG file above, but place a “-” symbol in front of the key name you want to delete. For example to delete the [HKEY_LOCAL_MACHINE\SYSTEM\Setup] key the reg file would look like this:
Quote:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup]

The format used to delete individual values is similar, but instead of a minus sign in front of the whole key, place it after the equal sign of the value. For example, to delete the value “SetupType” the file would look like:
Quote:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
“SetupType”=-

Use this feature with care, as deleting the wrong key or value could cause major problems within the registry, so remember to always make a backup first.
Regedit Command Line Options
Regedit has a number of command line options to help automate it’s use in either batch files or from the command prompt. Listed below are some of the options, please note the some of the functions are operating system specific.

* regedit.exe [options] [filename] [regpath]
* [filename] Import .reg file into the registry
* /s [filename] Silent import, i.e. hide confirmation box when importing files
* /e [filename] [regpath] Export the registry to [filename] starting at [regpath]
e.g. regedit /e file.reg HKEY_USERS\.DEFAULT
* /L:system Specify the location of the system.dat to use
* /R:user Specify the location of the user.dat to use
* /C [filename] Compress (Windows 98)
* /D [regpath] Delete the specified key (Windows 98)
Maintaining the Registry
How can you backup and restore the Registry?
Windows 95
Microsoft included a utility on the Windows 95 CD-ROM that lets you create backups of the Registry on your computer. The Microsoft Configuration Backup program, CFGBACK.EXE, can be found in the \Other\Misc\Cfgback directory on the Windows 95 CD-ROM. This utility lets you create up to nine different backup copies of the Registry, which it stores, with the extension RBK, in your \Windows directory. If your system is set up for multiple users, CFGBACK.EXE won’t back up the USER.DAT file.
After you have backed up your Registry, you can copy the RBK file onto a floppy disk for safekeeping. However, to restore from a backup, the RBK file must reside in the \Windows directory. Windows 95 stores the backups in compressed form, which you can then restore only by using the CFGBACK.EXE utility.
Windows 98
Microsoft Windows 98 automatically creates a backup copy of the registry every time Windows starts, in addition to this you can manually create a backup using the Registry Checker utility by running SCANREGW.EXE from Start | Run menu.
What to do if you get a Corrupted Registry
Windows 95, 98 and NT all have a simple registry backup mechanism that is quite reliable, although you should never simply rely on it, remember to always make a backup first!
Windows 95
In the Windows directory there are several hidden files, four of these will be SYSTEM.DAT & USER.DAT, your current registry, and SYSTEM.DA0 & USER.DA0, a backup of your registry. Windows 9x has a nice reature in that every time it appears to start successfully it will copy the registry over these backup files, so just in case something goes wrong can can restore it to a known good state. To restore the registry follow these instruction:
[list=1]
* Click the Start button, and then click Shut Down.
* Click Restart The Computer In MS-DOS Mode, then click Yes.
* Change to your Windows directory. For example, if your Windows directory is c:\windows, you would type the following:
cd c:\windows
* Type the following commands, pressing ENTER after each one. (Note that SYSTEM.DA0 and USER.DA0 contain the number zero.)
attrib -h -r -s system.dat
attrib -h -r -s system.da0
copy system.da0 system.dat
attrib -h -r -s user.dat
attrib -h -r -s user.da0
copy user.da0 user.dat
* Restart your computer.


Following this procedure will restore your registry to its state when you last successfully started your computer.
If all else fails, there is a file on your hard disk named SYSTEM.1ST that was created when Windows 95 was first successfully installed. If necessary you could also change the file attributes of this file from read-only and hidden to archive to copy the file to C:\WINDOWS\SYSTEM.DAT.
Windows NT
On Windows NT you can use either the “Last Known Good” option or RDISK to restore to registry to a stable working configuration.
How can I clean out old data from the Registry?
Although it’s possible to manually go through the Registry and delete unwanted entries, Microsoft provides a tool to automate the process, the program is called RegClean. RegClean analyzes Windows Registry keys stored in a common location in the Windows Registry. It finds keys that contain erroneous values, it removes them from the Windows Registry after having recording those entries in the Undo.Reg file.

viruses


What is a Computer Virus ?
A potentially damaging computer programme capable of reproducing itself causing great harm to files or other programs without permission or knowledge of the user.
Types of viruses :-
The different types of viruses are as follows-

1) Boot Sector Virus :- Boot sector viruses infect either the master boot record of the hard disk or the floppy drive. The boot record program responsible for the booting of operating system is replaced by the virus. The virus either copies themaster boot program to another part of the hard disk or overwrites it. They infect a computer when it boots up or when it accesses the infected floppy disk in the floppy drive. i.e. Once a system is infected with a boot-sector virus, any non-write-protected disk accessed by this system will become infected.

Examples of boot- sector viruses are Michelangelo and Stoned.

2) File or Program Viruses :- Some files/programs, when executed, load the virus in the memory and perform predefined functions to infect the system. They infect program files with extensions like .EXE, .COM, .BIN, .DRV and .SYS .

Some common file viruses are Sunday, Cascade.

3) Multipartite Viruses :- A multipartite virus is a computer virus that infects multiple different target platforms, and remains recursively infective in each target. It attempts to attack both the boot sector and the executable, or programs, files at the same time. When the virus attaches to the boot sector, it will in turn affect the system’s files, and when the virus attaches to the files, it will in turn infect the boot sector.
This type of virus can re-infect a system over and over again if all parts of the virus are not eradicated.

Ghostball was the first multipartite virus, discovered by Fridrik Skulason in October 1989.
Other examples are Invader, Flip, etc.

4) Stealth Viruses :- These viruses are stealthy in nature means it uses various methods for hiding themselves to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection by antivirus. They are somewhat difficult to detect. When an antivirus program tries to detect the virus, the stealth virus feeds the antivirus program a clean image of the file or boot sector.

5) Polymorphic Viruses :- Polymorphic viruses have the ability to mutate implying that they change the viral code known as the signature each time they spread or infect. Thus an antivirus programwhich is scanning for specific virus codes unable to detect it’s presense.

6) Macro Viruses :- A macro virus is a computer virus that “infects” a Microsoft Word or similarapplication and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless.A macro virus is often spread as an e-mail virus. Well-known examples are Concept Virus and Melissa Worm.

Some Hacking Terms


Vulnerability
The term vulnerability is used to describe weaknesses in software or hardware arising out of a programming flaw which gives way to the access of computers by people with malicious intent. Vulnerabilities are used by people with malicious intent to wipe, steal, and change the data oninformation systems or to attack other systems.

Bot
The word ‘bot’ is generated from ‘Robot’. A bot program can independently work out automatic processes. Bots can be as innocent as those used in search engines and in getting information about websites. But bots can be used for the performance of other more different and malicious acts too. Bots for instance, can be used in accessing all the data on your computer and in fraudulent acts against other individuals or organizations.

Botnet
If your computer is infected by bot, this frequently means that you are a part of a big scale worldwide bot network. Such bot networks are called botnet. A botnet can be centrally controlled by a single person. Botnets could be used or rented out by their owners for purposes of fraud.
Distributed Denial of Service (DDoS) Attacks
DDoS attacks hamper the service of information systems. DDoS attacks are realized by sending e-mails to a system from various computers, and by routing certain network traffic. Under the circumstances, your internet connection or server cannot cope with such heavy traffic and comes to a standstill. Sometimes, hundreds of thousands computers can be attackers.
SPAMs
Unsolicited bulk e-mail is called SPAM. Unsolicited e-mails are generally sent for advertisementpurposes. Content of these messages is not important but their being sent in very large numbers is.
Keyboard Recorder
The keyboard recorder is a program recording keystrokes. Advanced keyboard recorders can record mouse actions and screen images as an image file. The keyboard recorder later sends the records it keeps to people of malicious intent by e-mail or through other channels. Keyboard recorders are a type of spy software.
Phishing
These are acts to gather personal information. Personal information gathered in this way is used in fraudulent acts in banking transactions and doing bulk shopping by using credit cards.

Man-in-the-Middle Attack 
This is an attack type where the attacker is positioned between the client and server. In such attacks the attacker is identified by the client as the serves; and by the server as the client. By positioning in the middle, the attacker is able to spy on or change the data flow between client and server.

Port Scanning
A port scan is a check made on each computer port to quickly learn which computer network services the computer provides. This can be accomplished in a short time through automatic software. At the end of the scanning process, the attacker gets information about which vulnerabilities can be used on the computer.
Adware
Adware is a small programs installed in your computer without your knowledge. It can be contained infree software. Adware allows pop-up advertisement to appear on your screen and tracks your internet activity. Adware records all the pages you surf on the internet. This information is regularly sent to the adware program vendor and used in sending you advertisements which might be of particular interest to you.
Zero Day Vulnerability
These are vulnerabilities contained in any product without the knowledge of the product vendor or other individuals and organizations involved in computer security; but known and used by attackers.
Worm
A worm is a self-replicating program designed to send copies of itself to as many computers as possible. A worm is different from a virus in that it does not need to attach itself to an existing program in order to spread.
Scam
The term scam is used to describe computer fraud to steal money from people.
Trojan horse
A Trojan horse is a seemingly innocent and legal program but includes malicious functions. For instance, when you run a seemingly innocent game program or image file, you can play the game or watch the image to your expectations. But the vendor or distributor of the game program or image file can take over or give harm to your computer.
Virus
A virus is software acting secretly without the knowledge of the computer owner. Viruses are sometimes innocent but generally they act maliciously like spreading your confidential files. The difference between a virus and other malicious software is that a virus infects files and copies itself as soon as the attacker releases it.
Malware
This is a common term used for all malicious software. Viruses, worms, keyboard recorders, spy software and adware are all malicious software.
Zombie Computer
Computers infected by bot are called zombie computers. These computers are a part of botnet and used in internet offences.