Technology Information: 10/21/09

SMBv2 Nuke Crashes Windows Vista, 7 and Server 2008 with BlueScreen of Death

About 15 years ago, in the Windows 95 era, there were a lot of “winnukes” that could blue screen Windows. Microsoft did release patches to fix those bugs, but the Internet was still very new then and not many people knew that there were updates to fix those problems. There was no Windows Update to scan your system for what needed updating. Then came Windows 98 and most of the winnukes were patched. However, I still remember that a team called X-Coders came up with IGMP nukes which could also crash Windows 98.

Then came XP, considered one of the most stable versions of Windows that Microsoft ever released. Stable as it was, hackers were still able to find flaws in it. This time there was another nuker called SMBDie, which crashed Windows XP computers by sending a specially crafted SMB request.

It definitely worked because I was pretty much “abusing” it with my childish teenager mindset. I didn’t crash just anyone, only a particular guy who was downloading a lot with Limewire and hogging the Internet connection until none of the housemates could use the Internet. If I am not wrong, that bug was patched in SP1.

Just when we thought the latest Windows Vista and 7 were safe, Laurent Gaffié discovered a flaw in the way the SMB 2.0 driver (srv2.sys) handles a malformed negotiate request, which gives the remote computer a blue screen of death, and released a proof of concept on 9th September. I only got to know about it a few days ago because on the day the exploit was released I was busy packing my bags and getting ready for my honeymoon.

I found two compiled versions of the exploit, and this is how they look. The first one has an interface for you to enter the victim’s IP address; clicking the OK button sends a single specially crafted SMB packet to port 445 on the remote computer.

The second one is a command line application. Just enter the IP address after the program name to launch the attack.

I tried attacking my own computer running Windows Vista SP1; the computer showed a blue screen and automatically rebooted. When Windows came back up, I got a notification window saying “Windows has recovered from an unexpected shutdown” with the problem event name “BlueScreen”.

The good news is that Windows Firewall is able to block this attack, as long as the File and Printer Sharing exception (which opens TCP 445) has not been enabled. Thank God that Windows Firewall is turned on by default, or else a lot of people would get nuked by another wave of SMBDie-style attacks. Looks like Windows Firewall is not so useless after all… Windows XP and 2000 are NOT affected as they don’t have the SMB 2.0 driver. Microsoft’s fix is MS09-050 (KB975517, CVE-2009-3103); the bulletin lists Windows Vista and Windows Server 2008 as affected, while the release build of Windows 7 and Server 2008 R2 are not (pre-release builds of Windows 7 were). So the other option is simply to run Windows Update and install the patch. And this is not just a crash bug: if you take a look at Immunity Inc’s video, they have made a working exploit for SMBv2 that can run commands on the remote system!
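As an added example (my own PowerShell, not code from the post, from Immunity or from Microsoft), here is an audit that checks whether a host is exposed to this crash and, with -Mitigate, applies the two workarounds Microsoft documented in advisory 975497 before the patch shipped: disabling SMBv2 through the Smb2 value under LanmanServer\Parameters, and blocking inbound TCP 445 in Windows Firewall. The KB number (975517 for MS09-050), the srv2.sys driver path, the registry value and the netsh syntax are as documented for Vista/Server 2008; the function name Test-Smb2Exposure and the firewall rule name are my own.

```powershell
# Added example, not code from the post or from Microsoft. Audits a Vista /
# Server 2008 host for the srv2.sys negotiate crash (MS09-050, CVE-2009-3103)
# and, with -Mitigate, applies the two pre-patch workarounds from Microsoft
# advisory 975497. Run from an elevated PowerShell prompt.
# Assumptions: the function and firewall rule names are mine; KB975517,
# srv2.sys, the Smb2 DWORD and the netsh advfirewall syntax are as documented.

function Test-Smb2Exposure {
    [CmdletBinding()]
    param([switch]$Mitigate)

    # XP and 2000 ship no SMB 2.0 server driver, so there is nothing to crash.
    $hasSmb2Driver = Test-Path "$env:SystemRoot\System32\drivers\srv2.sys"

    # MS09-050 shipped as KB975517; Get-HotFix reads the installed updates list.
    $patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                      Where-Object { $_.HotFixID -eq 'KB975517' })

    # Smb2 = 0 under LanmanServer\Parameters turns the SMB2 server off.
    # A missing value means the default, which is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb2 = (Get-ItemProperty -Path $params -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    $smb2Enabled = ($null -eq $smb2) -or ($smb2 -ne 0)

    # Firewall state for the active profile; netsh prints text, so pattern-match it.
    # "ON" alone is not proof of safety: the File and Printer Sharing exception
    # must also be closed, which is why Exposed below ignores the firewall.
    $fwText = (netsh advfirewall show currentprofile state) -join ' '
    $firewallOn = [bool]($fwText -match 'State\s+ON')

    $result = New-Object PSObject -Property @{
        HasSmb2Driver   = $hasSmb2Driver
        PatchedKB975517 = $patched
        Smb2Enabled     = $smb2Enabled
        FirewallOn      = $firewallOn
        Exposed         = ($hasSmb2Driver -and $smb2Enabled -and -not $patched)
    }

    if ($Mitigate -and $result.Exposed) {
        # Workaround 1: disable SMBv2; SMB2-capable clients fall back to SMB1.
        New-ItemProperty -Path $params -Name Smb2 -PropertyType DWord -Value 0 -Force | Out-Null
        Restart-Service -Name LanmanServer -Force
        # Workaround 2: drop inbound SMB at the host firewall on every profile.
        netsh advfirewall firewall add rule name="Block inbound TCP 445 (advisory 975497)" `
            dir=in action=block protocol=TCP localport=445 | Out-Null
        $result.Smb2Enabled = $false
        $result.Exposed     = $false
    }
    $result
}

Test-Smb2Exposure
# Once KB975517 is installed, undo workaround 1 with:
#   Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name Smb2
#   Restart-Service -Name LanmanServer -Force
```

Run it without -Mitigate first and look at the Exposed field; on XP it reports HasSmb2Driver False and nothing else matters. Disabling SMBv2 costs you the SMB2 performance gains with Vista/2008 peers, so treat it as a stopgap until the patch is on.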

Uninstall Programs Packaged with Windows Installer in Safe Mode

Whenever you install software in Windows, most of the time it comes with an uninstaller that allows you to safely remove the program from your computer. This is because software nowadays is very complex and requires registering OCX or DLL files, registry changes, dropping files in the appropriate places and so on. There are many types of installers and one of the popular ones is Windows Installer; Kaspersky, for example, uses it to package their software for users to install and uninstall.

If you’ve installed a piece of software and suddenly Windows has stopped working properly, the logical step is to boot Windows in Safe Mode and then try to uninstall it. Safe Mode is a troubleshooting option for Windows that starts your computer in a limited state: only the basic files and drivers necessary to run Windows are started. Unfortunately, by default you can’t uninstall software packaged with Windows Installer in Safe Mode. If you try, you will get the error “The Windows Installer service is not accessible in Safe Mode. Please try again when your computer is not in Safe Mode or you can use System Restore to return your machine to a previous good state.”

There is a Windows Installer (msiserver) service in Services, and if you attempt to start it manually in Safe Mode, you get an error that says “Windows could not start the Windows Installer service on Local Computer. Error 1084: This service cannot be started in Safe Mode.”

To start the Windows Installer service in Safe Mode so that you can uninstall programs, all you need to do is add a new MSIServer key under the SafeBoot configuration in the registry; that key is the list Windows consults to decide which services are allowed to run in Safe Mode. Simply follow the step-by-step instructions below:

1. Hit Win+R, type regedit and click OK.

2. Navigate to the following location in Registry Editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\

3. Right click on Minimal, select New > Key and name it MSIServer.

4. The (Default) data for MSIServer should show (value not set). Double click (Default), type Service as the value data and click OK. Close the Registry Editor.

5. Again hit Win+R, type services.msc and click OK.

6. Look for Windows Installer on the list, double click on it and click Start.

You can now uninstall programs packaged with Windows Installer in Safe Mode. Note that the Minimal key only covers plain Safe Mode; Safe Mode with Networking reads the sibling key SafeBoot\Network, so repeat the steps there if that is the mode you boot into. Alternatively, you can do all the steps above by typing the two command lines below in a command prompt or at the Run window.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"

net start msiserver

As you can see, the first command line is pretty long and I don’t think many people are willing to memorize it. Remember, editing the Windows registry is risky business and you can end up with more problems rather than fixing them if you do it wrongly. Hence, I’d personally prefer to learn how to do it the long way.
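As an added example (my own PowerShell, not from the post), here is the same change wrapped in a function that also covers Safe Mode with Networking, whose service list lives under the sibling SafeBoot\Network key, checks the SAFEBOOT_OPTION environment variable that Windows sets when booted into Safe Mode, starts the service, and includes an undo so the Safe Mode service list goes back to its default afterwards. The registry paths and the “Service” value are the ones from the post; the function names are mine.

```powershell
# Added example, not code from the post. Lets the Windows Installer service
# (msiserver) run in Safe Mode so MSI-packaged programs can be uninstalled
# there. Run from an elevated PowerShell prompt while in Safe Mode.
# Assumptions: the function names are mine; SafeBoot\Minimal is from the post,
# SafeBoot\Network is its counterpart for Safe Mode with Networking, and
# SAFEBOOT_OPTION is the variable Windows sets to "Minimal" or "Network".

function Enable-MsiServerInSafeMode {
    [CmdletBinding()]
    param(
        # Safe Mode variants to allow the service in. The post covers Minimal
        # only; Network is added here so the fix also works with networking.
        [ValidateSet('Minimal', 'Network')]
        [string[]]$Variant = @('Minimal', 'Network')
    )

    if (-not $env:SAFEBOOT_OPTION) {
        Write-Warning 'Not booted in Safe Mode; the key is still written but nothing needed it.'
    }

    foreach ($v in $Variant) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$v\MSIServer"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # The (Default) value must be the literal string "Service"; SafeBoot
        # entries use "Driver" for drivers and "Service" for services.
        Set-ItemProperty -Path $key -Name '(Default)' -Value 'Service' -Type String
    }

    # Without the key above, this fails in Safe Mode with error 1084.
    Start-Service -Name msiserver -ErrorAction Stop
    Get-Service -Name msiserver
}

function Disable-MsiServerInSafeMode {
    # Undo: remove the keys so Safe Mode returns to its default service set.
    foreach ($v in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$v\MSIServer"
        if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    }
}

Enable-MsiServerInSafeMode
# After the uninstall is done, tidy up with:  Disable-MsiServerInSafeMode
```

The undo matters for the same reason the post warns about registry edits: leaving msiserver permanently allowed in Safe Mode means any MSI package, including a bad one, can run its custom actions there too, which defeats part of the point of a minimal boot.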

Remove Fake Antivirus and Fake Antispyware Automatically

Fake or rogue antivirus has been around for a long time and its authors are still not giving up on cheating computer users. Normally this is how you “suddenly” end up with a rogue antivirus or antispyware installed without even knowing it: you visit a website and get a very convincing warning message that looks like it is coming from Windows, telling you that you have a virus or spyware. You click a button and it auto installs. Here comes the worst part: it then downloads malware to your computer and the rogue antivirus “finds” it. If you want to clean the virus using the fake antivirus you just downloaded, you’ll have to purchase a software license.

Isn’t this ridiculous? Your computer was actually free of viruses, but after being tricked into installing a fake antivirus, your computer now has malware on it and very likely you’ll be purchasing a license for a fake antivirus. Some rogue antivirus programs are very hard to remove or uninstall. Fortunately, we can automate the whole uninstallation process with a simple, small portable tool called Remove Fake Antivirus.

Remove Fake Antivirus is very easy to use. All you need to do is run the program and click the Start button. Currently Remove Fake Antivirus v1.32 is able to remove 27 types of fake antivirus and antimalware:

1. Cyber Security
2. Alpha Antivirus
3. Braviax
4. Windows Police Pro
5. Antivirus Pro 2010
6. PC Antispyware 2010
7. FraudTool.MalwareProtector.d
8. Winshield2009.com
9. Green AV
10. Windows Protection Suite
11. Total Security 2009
12. Windows System Suite
13. Antivirus BEST
14. System Security
15. Personal Antivirus
16. System Security 2009
17. Malware Doctor
18. Antivirus System Pro
19. WinPC Defender
20. Anti-Virus-1
21. Spyware Guard 2008
22. System Guard 2009
23. Antivirus 2009
24. Antivirus 2010
25. Antivirus Pro 2009
26. Antivirus 360
27. MS Antispyware 2009

For testing purposes, I installed Antivirus Pro 2010 on my computer. It then reported that there were 33 useless and unwanted files on my computer: 21 critical privacy-compromising items, 9 medium privacy threats and 3 junk files. At first I thought they were real viruses, but when I randomly uploaded 3 of the files to VirusTotal to have them scanned by 41 different antivirus engines, surprisingly no threats were detected! To remove Antivirus Pro 2010, I ran RemoveFakeAntivirus.exe, waited a few seconds, and after a reboot Antivirus Pro 2010 had been removed.

Although Antivirus Pro 2010 only gave fake reports, I am pretty sure that some fake antivirus programs will drop real trojans, viruses or worms on your computer. Be sure to scan your computer with a reputable antivirus such as Kaspersky, Norton, Avira or BitDefender after removing the rogue antivirus with Remove Fake Antivirus. I personally believe the list of supported rogue AVs will most likely continue to grow if Olzen manages to get more samples of the fake antiviruses. Olzen, the author of Remove Fake Antivirus, is 26 years old and he’s from Malaysia too!

[ Download Remove Fake Antivirus ]

