Good luck to your website!

http://www.gayward-concepts.com/difference-between-yakju-and-yakjuxw/

http://www.2shared.com/file/7mEQQBs6/HTC_Dream-G1_EUROPEAN-UPDATE.html

Alert level
Worm:Win32/Morto.A

Encyclopedia entry
Updated: Aug 29, 2011 | Published: Aug 28, 2011

Aliases

*
* Trojan horse Generic24.OJQ (AVG) Trojan.DownLoader4.48720 (Dr.Web)
* Win-Trojan/Helpagent.7184 (AhnLab)
* Troj/Agent-TEE (Sophos)
* Backdoor:Win32/Morto.A (Microsoft)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.111.915.0
Released: Aug 28, 2011 Detection initially created:
Definition: 1.111.868.0
Released: Aug 27, 2011

On this page
Summary|Symptoms|Technical Information|Prevention|Recovery

Summary
Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.

Top

Symptoms
System changes

The following system changes may indicate the presence of this malware:

* The presence of the following files:

%Windows%\clb.dll
%Windows%\clb.dll.bak
%windows%\temp\ntshrui.dll
\sens32.dll
c:\windows\offline web pages\cache.txt
* The presence of the following registry modifications:

In subkey: HKLM\SYSTEM\Wpa
Sets value: it
Sets value: id
Sets value: sn
Sets value: ie
Sets value: md
Sets value: sr

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: “NoPopUpsOnBoot”
With data: “1″

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: “ServiceDll”
With data: “%windir%\temp\ntshrui.dll”

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: “Description”
With data: “0″

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: “DependOnService”
With data: “0″

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: “ServiceDll”
With data: “\sens32.dll”

Top

Technical Information (Analysis)

Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Installation

The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.

When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak.The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.

The name clb.dll is chosen because this is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it in order to download and execute new components.

The following files are also created by the malware:

* %windows%\temp\ntshrui.dll
* \sens32.dll
* c:\windows\offline web pages\cache.txt

The following registry modifications are made to load the DLLs as services upon system boot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: “ServiceDll”
With data: “%windir%\temp\ntshrui.dll”

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: “Description”
With data: “0″

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: “DependOnService”
With data: “0″

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: “ServiceDll”
With data: “\sens32.dll”

Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:

* c:\windows\offline web pages\cache.txt

and replace sens32.dll via a value in the following registry subkey:

* HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).
Spreads via…

Compromising Remote Desktop connections on a network: Port 3389 (RDP)

Worm:Win32/Morto.A cycles through IP addresses on the affected computer’s subnet and attempts to connect to located systems as administrator using passwords from the following list:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

If the worm is successful at logging into a system, it then copies clb.dll to a.dll on the computer and creates a file .reg in a directory which is temporarily mapped to A: (both of which are remotely executed on the remote system by way of the \\tsclient\a share).

The file r.reg, contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
“ConsentPromptBehaviorAdmin”=dword:0
“EnableLUA”=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
“c:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“d:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“e:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“f:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“g:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“h:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”
“i:\\windows\\system32\\rundll32.exe”=”RUNASADMIN”

“c:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“d:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“e:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“f:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“g:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“h:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”
“i:\\windows\\SysWOW64\\rundll32.exe”=”RUNASADMIN”

“c:\\winnt\\system32\\rundll32.exe”=”RUNASADMIN”
“c:\\win2008\\system32\\rundll32.exe”=”RUNASADMIN”
“c:\\win2k8\\system32\\rundll32.exe”=”RUNASADMIN”
“c:\\win7\\system32\\rundll32.exe”=”RUNASADMIN”
“c:\\windows7\\system32\\rundll32.exe”=”RUNASADMIN”

The intention of importing this reg file appears to be to modify the registry to ensure that rundll32.exe runs with Administrator privileges, and thus that the malware’s DLL, clb.dll does too.
Payload

Contacts remote host

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:

210.3.38.820
74.125.71.104
jifr.info
jifr.co.cc
jifr.co.be
qfsl.net
qfsl.co.cc
qfsl.co.be

Newly downloaded components are downloaded to a filename that uses the following format:

~MTMP<4 digits 0-f>.exe

Performs Denial of Service attacks

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

Terminates processes

Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu
Additional information

Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:

HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr

It also makes the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: “NoPopUpsOnBoot”
With data: “1″

Analysis by Matt McCormack

Top

Prevention
Follow these general security tips to better protect your system:

* Enable a firewall on your computer.
* Get the latest computer updates.
* Limit user privileges on the computer.
* Run an up-to-date scanning and removal tool.
* Use caution with attachments and file transfers.
* Use caution when clicking on links to webpages.
* Avoid downloading pirated software.
* Protect yourself against social engineering attacks.
* Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

* How to turn on the Windows Firewall in Windows 7
* How to turn on the Windows Firewall in Windows Vista
* How to turn on the Windows firewall in Windows XP

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.Instructions on how to download the latest versions of some common software is available from the following:

* Microsoft Malware Protection Center – Updating Software

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

* How to turn on Automatic Updates in Windows 7
* How to turn on Automatic Updates in Windows Vista
* How to turn on Automatic Updates in Windows XP

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC in your computer to meet your preferences:

* User Account Control in Windows 7
* User Account Control in Windows Vista
* Applying the Principle of Least Privilege in Windows XP
* More on User Account Control

Run an up-to-date scanning and removal tool

Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool that is updated with the latest signature files. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a webpage with harmful content.
Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading “cracked” or “pirated” software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article ‘The risks of obtaining and using pirated software’.
Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article ‘What is social engineering?’.
Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.

Top

Recovery
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

* Microsoft Security Essentials
* Microsoft Safety Scanner

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Van harte gefeliciteerd met jullie verloving
Ik heb de mooie foto’s van de ringen bewonderd
Ik heb gezien dat het goed klikt tussen jullie en dat je samen gelukkig bent
Ik wens jullie toe dat jullie relatie zal groeien en zich zal verdiepen
waaraan je elke dag een beetje samen kunt bouwen
Ik wens jullie toe samen veel liefde en geluk
Ma