As the size of hard drives increase, more people are using partitions to separate and store groups of files.

XP uses the C:\Program Files directory as the default base directory into which new programs are installed. However, you can change the default installation drive and/ or directory by using a Registry hack.

Go to :-

- Start > Run

- Type “regedit” (without “” NOOBS!)

- Go to this directory…
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

- Look for the value named ProgramFilesDir. by default,this value will be C:\Program Files. Edit the value to any valid drive or folder and XP will use that new location as the default installation directory for new programs.

let's pretend you need a serial number for windows xp pro.Justify Full

in the search bar type in just like this - "Windows XP Professional" 94FBR

the key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.

or if you want to find the serial for winzip 8.1 - "Winzip 8.1" 94FBR

just try it out, it's very quick and it works nicely..

-----------------------------------------------------------

here is another trick that works fairly decent for finding mp3's on the web (which is hard to do normally, to say the least)

say you want to get, for example, a Garth Brooks song. type this in the search bar - "index of/" "garth brooks" .mp3 the ones you want to check out first are the ones that say "Index of/" in the title of the search result. this technique allows you to easily pull up web folders with direct downloads. it will look the same as if you were logging into a ftp url.. i'm sure you can be pretty flexible on how you type that in, so long as you include "index of/"

i'm sure you can use this for more than just mp3's (it's not perfect but it has worked for me on a few occasions)

always make sure to use the quotations where i placed them. they help pinpoint the correct search results more accurately. just try it out, also if you want to learn how to do more with google look up "google hacks"

Just double-click on the FlashGetRegTweak.reg file to enter the tweak into the registry. This tweak will allow up to 100 simultaneous file downloads, each split into a max of 30 parts. Previous defaults were 8 & 10 respectively.

Note:

1. Works for dialup but not really advantageous.
2. Restart your computer to feel the full advantage of this tweak.

Download:
here it is
just copy to notepad
rename to Iwillsinglehandedlykillallthebandwidthfromtheserversidownloadfrom.reg


REGEDIT4

[HKEY_CURRENT_USER\Software\JetCar\JetCar\General]
"Max Parallel Num"="100"
"MaxSimJobs"="100"

Here is the best way to crack the bios password in win 95/98:

Follow the steps below:

1) Boot up windows.
2) go to dos-prompt or go to command prompt directly from the windows start up menu.

3) type the command at the prompt: "debug" (without quotes ninja.gif )
4) type the following lines now exactly as given.......
o 70 10
o 71 20
quit
exit

4) exit from the dos prompt and restart the machine


password protection gone!!!!!!!!!!!!! biggrin.gif

EnjoYYYYYYYYYY

PS: I tested this in Award Bios........
There seems to be some issue regarding display drivers on some machines if this is used. Just reinstall the drivers, Everything will be fine...........

I have not found any other trouble if the codes are used.

To be on safe side, just back up your data..........


The use of this code is entirely at ur risk.......... It worked fine for me..........

Tut On Cracking Zip Password Files..

What is FZC? FZC is a program that cracks zip files (zip is a method of compressing multiple files into one smaller file) that are password-protected (which means you're gonna need a password to open the zip file and extract files out of it). You can get it anywhere - just use a search engine such as altavista.com.
FZC uses multiple methods of cracking - bruteforce (guessing passwords systematically until the program gets it) or wordlist attacks (otherwise known as dictionary attacks. Instead of just guessing passwords systematically, the program takes passwords out of a "wordlist", which is a text file that contains possible passwords. You can get lots of wordlists at www.theargon.com.).
FZC can be used in order to achieve two different goals: you can either use it to recover a lost zip password which you used to remember but somehow forgot, or to crack zip passwords which you're not supposed to have. So like every tool, this one can be used for good and for evil.
The first thing I want to say is that reading this tutorial... is the easy way to learn how to use this program, but after reading this part of how to use the FZC you should go and check the texts that come with that program and read them all. You are also going to see the phrase "check name.txt" often in this text. These files should be in FZC's directory. They contain more information about FZC.
FZC is a good password recovery tool, because it's very fast and also support resuming so you don't have to keep the computer turned on until you get the password, like it used to be some years ago with older cracking programs. You would probably always get the password unless the password is longer than 32 chars (a char is a character, which can be anything - a number, a lowercase or undercase letter or a symbol such as ! or &) because 32 chars is the maximum value that FZC will accept, but it doesn't really matter, because in order to bruteforce a password with 32 chars you'll need to be at least immortal..heehhe.. to see the time that FZC takes with bruteforce just open the Bforce.txt file, which contains such information.
FZC supports brute-force attacks, as well as wordlist attacks. While brute-force attacks don't require you to have anything, wordlist attacks require you to have wordlists, which you can get from www.theargon.com. There are wordlists in various languages, various topics or just miscellaneous wordlists. The bigger the wordlist is, the more chances you have to crack the password.
Now that you have a good wordlist, just get FZC working on the locked zip file, grab a drink, lie down and wait... and wait... and wait...and have good thoughts like "In wordlist mode I'm gonna get the password in minutes" or something like this... you start doing all this and remember "Hey this guy started with all this bullshit and didn't say how I can start a wordlist attack!..." So please wait just a little more, read this tutorial 'till the end and you can do all this "bullshit".

We need to keep in mind that are some people might choose some really weird passwords (for example: 'e8t7@$^%*gfh), which are harder to crack and are certainly impossible to crack (unless you have some weird wordlist). If you have a bad luck and you got such a file, having a 200MB list won't help you anymore. Instead, you'll have to use a different type of attack. If you are a person that gives up at the first sign of failure, stop being like that or you won't get anywhere. What you need to do in such a situation is to put aside your sweet xxx MB's list and start using the Brute Force attack.
If you have some sort of a really fast and new computer and you're afraid that you won't be able to use your computer's power to the fullest because the zip cracker doesn't support this kind of technology, it's your lucky day! FZC has multiple settings for all sorts of hardware, and will automatically select the best method.

Now that we've gone through all the theoretical stuff, let's get to the actual commands.


--------------------------------------------------------------------------------
Bruteforce
--------------------------------------------------------------------------------


The command line you'll need to use for using brute force is:

fzc -mb -nzFile.zip -lChr Lenght -cType of chars

Now if you read the bforce.txt that comes with fzc you'll find the description of how works Chr Lenght and the Type of chars, but hey, I'm gonna explain this too. Why not, right?... (but remember look at the bforce.txt too)

For Chr Lenght you can use 4 kind of switches...

-> You can use range -> 4-6 :it would brute force from 4 Chr passwors to 6 chr passwords
-> You can use just one lenght -> 5 :it would just brute force using passwords with 5 chars
-> You can use also the all number -> 0 :it would start brute forcing from passwords with lenght 0 to lenght 32, even if you are crazy i don't think that you would do this.... if you are thinking in doing this get a live...
-> You can use the + sign with a number -> 3+ :in this case it would brute force from passwords with lenght 3 to passwords with 32 chars of lenght, almost like the last option...

For the Type of chars we have 5 switches they are:

-> a for using lowercase letters
-> A for using uppercase letters
-> ! for using simbols (check the Bforce.txt if you want to see what simbols)
-> s for using space
-> 1 for using numbers


Example:
If you want to find a password with lowercase and numbers by brute force you would just do something like:

fzc -mb -nzTest.zip -l4-7 -ca1

This would try all combinations from passwords with 4 chars of lenght till 7 chars, but just using numbers and lowercase.

*****
hint
*****

You should never start the first brute force attack to a file using all the chars switches, first just try lowercase, then uppercase, then uppercase with number then lowercase with numbers, just do like this because you can get lucky and find the password much faster, if this doesn't work just prepare your brain and start with a brute force that would take a lot of time. With a combination like lowercase, uppercase, special chars and numbers.


--------------------------------------------------------------------------------
Wordlis
--------------------------------------------------------------------------------

Like I said in the bottom and like you should be thinking now, the wordlist is the most powerfull mode in this program. Using this mode, you can choose between 3 modes, where each one do some changes to the text that is in the wordlist, I'm not going to say what each mode does to the words, for knowing that just check the file wlist.txt, the only thing I'm going to tell you is that the best mode to get passwords is mode 3, but it takes longer time too.
To start a wordlist attak you'll do something like.

fzc -mwMode number -nzFile.zip -nwWordlist

Where:

Mode number is 1, 2 or 3 just check wlist.txt to see the changes in each mode.
File.zip is the filename and Wordlist is the name of the wordlist that you want to use. Remember that if the file or the wordlist isn't in the same directory of FZC you'll need to give the all path.

You can add other switches to that line like -fLine where you define in which line will FZC start reading, and the -lChar Length where it will just be read the words in that char length, the switche works like in bruteforce mode.
So if you something like

fzc -mw1 -nztest.zip -nwMywordlist.txt -f50 -l9+

FZC would just start reading at line 50 and would just read with length >= to 9.

Example:

If you want to crack a file called myfile.zip using the "theargonlistserver1.txt" wordlist, selecting mode 3, and you wanted FZC to start reading at line 50 you would do:

fzc -mw3 -nzmyfile.zip -nwtheargonlistserver1.txt -f50





--------------------------------------------------------------------------------
Resuming
--------------------------------------------------------------------------------

Other good feature in FZC is that FZC supports resuming. If you need to shutdown your computer and FZC is running you just need to press the ESC key, and fzc will stop. Now if you are using a brute force attack the current status will be saved in a file called resume.fzc but if you are using a wordlist it will say to you in what line it ended (you can find the line in the file fzc.log too).
To resume the bruteforce attack you just need to do:

fzc -mr

And the bruteforce attack will start from the place where it stopped when you pressed the ESC key.
But if you want to resume a wordlist attack you'll need to start a new wordlist attack, saying where it's gonna start. So if you ended the attack to the file.zip in line 100 using wordlist.txt in mode 3 to resume you'll type

fzc -mw3 -nzfile.zip -nwwordlist.txt -f100

Doing this FZC would start in line 100, since the others 99 lines where already checked in an earlier FZC session.


Well, it looks like I covered most of what you need to know. I certainly hope it helped you... don't forget to read the files that come with the program

Requirements:
Serv-U
No-IP.com Website

Quote:
Step 1. Getting a static IP address.
Get a static address for your FTP server. You will want to do this as opposed to using your IP address for several reasons. First, it’s easier keeping up-to-date. Imagine having to change all of your setting every time your IP changed. With No-IP, the No-IP service runs in background on your computer and updates your current IP address with your FTP server’s URL (for example, you get ftp://rkchoolie.serveftp.com). Second reason, you don’t want your IP address posted out there for everyone to see.

1. Go to www.No-IP.com to create a new user account.
2. Fill in the information that is required and the click Register button.
3. Your account has now been created and your account password has been emailed to you.
4. Check your email mailbox and wait for the mail that contains your password
5. Go back to www.No-IP.com and type your email address and password to login to your account.
6. Once in your account, click on Add a host in the left menu
7. Type in the Hostname you want (example: rkchoolie) and pick a Domain from the list (example: ftpserve.com)
8. Check Allow Wildcards and click the Submit button
9. You now have your static address (example: rkchoolie.serveftp.com)
10. Click on your OS link in the Dyn-Update Client in the bottom right menu and follow links to download the client
11. Once downloaded, install the software and type in your email address and password when asked.
12. Finally tick the checkbox near your static address.

You now have a static web address .


Quote:
Step 2. Installing and setting the FTP server
1. Install Serv-U 4.0.
2. Start Serv-U and use the wizard to setup your ftp.
3. Click next until you're asked for an IP address, leave it blank and then click next.
4. Type the domain name you've just registered above (example: preacher.serveftp.com) in the domain name field and then click Next.
5. You are asked if you want to allow anonymous access, select No and then click next.
6. You are then asked to create a named account, check yes and then click next.
7. Type in the user name you wish for this account (example: Harrie) and click next.
8. Type a password for this account (example: $p3c1aL). For security reasons, try to create a password with some letters, numbers and special characters. Then click next.
9. You will then be asked for the Home directory of the account you just created. Select the directory and then click next.
10. Select yes to lock this account to the Home directory. You want to do this so that the user can not go any further up that his home directory. Click next.
11. The account is now set so click finish.

Quote:
Step 3. Configuring user accounts
1. In the left tree-menu, select the account you've just created and then click on the General tab.
2. Check Hide ‘Hidden’ Files.
3. Check Allow only and enter the number one in the box.
4. Set the Max. download speed to what ever you want. If this is an account that many will be using, set it low to save on your bandwidth. I usually have mine set between 10 – 20. If you leave it blank, users will be able to download from you at full bandwidth.
5. Set the Max no. of users to how many you want to be able to log on at one time. This depends on your connection speed but try these (56 - 1, ISDN - 3, ADSL or cable - 5-6 users.)
6. Now, click on the Dir Access tab.
7. You should see the home folder in there. Highlight it and make your permissions.
8. If you only want users to be able to download check only Read, List, & Inherit.
9. If you want users to be able to upload, but to only one particular folder but not download, click the add button and then select that folder. Now highlight the folder and set these permissions on that folder. Check Write, Append, List, Create, & Inherit. Once you have made the permissions click on the up arrow that is located at the bottom right-hand corner. You want this special upload folder to be list first, before the home folder.
10. If there is a folder that you don’t want anyone to have access to, but it is inside the home folder, then click the add button and then select that folder. Now highlight the folder and make sure that all checkboxes are left. Once you have made the permissions click on the up arrow that is located at the bottom right-hand corner. You want this no access folder to be listed at the very top.
11. There are many other different sets of permissions you can play with. I just covered your basics.
12. Your server is now set!
13. Try logging on with the username and password and see if it works.

Before you edit the registry, export the keys in the registry that you plan to edit, or back up the whole registry. If a problem occurs, you can then follow the steps how-to restore the registry to its previous state.


How to Export Registry Keys

Click Start, and then click Run.

In the Open box, type regedit, and then click OK.

On the File menu, click Export.

In the Save in box, select the boxs at the bottom the bottom according to weather you want to export all or only selected branches of the registry.

Next select a location in which to save the backup .reg file. In the File name box, type a file name, and then click Save.


How to Restore the Registry

To restore registry keys that you exported, double-click the .reg file that you saved.

part 1


Like any other field in computer science, viruses have evolved -a great deal indeed- over the years. In the series of press releases which start today, we will look at the origins and evolution of malicious code since it first appeared up to the present.

Going back to the origin of viruses, it was in 1949 that Mathematician John Von Neumann described self-replicating programs which could resemble computer viruses as they are known today. However, it was not until the 60s that we find the predecessor of current viruses. In that decade, a group of programmers developed a game called Core Wars, which could reproduce every time it was run, and even saturate the memory of other players’ computers. The creators of this peculiar game also created the first antivirus, an application named Reeper, which could destroy copies created by Core Wars.

However, it was only in 1983 that one of these programmers announced the existence of Core Wars, which was described the following year in a prestigious scientific magazine: this was actually the starting point of what we call computer viruses today.

At that time, a still young MS-DOS was starting to become the preeminent operating system worldwide. This was a system with great prospects, but still many deficiencies as well, which arose from software developments and the lack of many hardware elements known today. Even like this, this new operating system became the target of a virus in 1986: Brain, a malicious code created in Pakistan which infected boot sectors of disks so that their contents could not be accessed. That year also saw the birth of the first Trojan: an application called PC-Write.

Shortly after, virus writers realized that infecting files could be even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However, the worst was still to come: 1988 set the date when the “Morris worm” appeared, infecting 6,000 computers.

From that date up to 1995 the types of malicious codes that are known today started being developed: the first macro viruses appeared, polymorphic viruses … Some of these even triggered epidemics, such as MichaelAngelo. However, there was an event that changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by little, viruses started adapting to this new situation until the appearance, in 1999, of Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for computer viruses.



part 2


This second installment of ‘The evolution of viruses’ will look at how malicious code used to spread before use of the Internet and e-mail became as commonplace as it is today, and the main objectives of the creators of those earlier viruses.
Until the worldwide web and e-mail were adopted as a standard means of communication the world over, the main mediums through which viruses spread were floppy disks, removable drives, CDs, etc., containing files that were already infected or with the virus code in an executable boot sector.

When a virus entered a system it could go memory resident, infecting other files as they were opened, or it could start to reproduce immediately, also infecting other files on the system. The virus code could also be triggered by a certain event, for example when the system clock reached a certain date or time. In this case, the virus creator would calculate the time necessary for the virus to spread and then set a date –often with some particular significance- for the virus to activate. In this way, the virus would have an incubation period during which it didn’t visibly affect computers, but just spread from one system to another waiting for ‘D-day’ to launch its payload. This incubation period would be vital to the virus successfully infecting as many computers as possible.

One classic example of a destructive virus that lay low before releasing its payload was CIH, also known as Chernobyl. The most damaging version of this malicious code activated on April 26, when it would try to overwrite the flash-BIOS, the memory which includes the code needed to control PC devices. This virus, which first appeared in June 1998, had a serious impact for over two years and still continues to infect computers today.

Because of the way in which they propagate, these viruses spread very slowly, especially in comparison to the speed of today’s malicious code. Towards the end of the Eighties, for example, the Friday 13th (or Jerusalem) virus needed a long time to actually spread and continued to infect computers for some years. In contrast, experts reckon that in January 2003, SQLSlammer took just ten minutes to cause global communication problems across the Internet.

Notoriety versus stealth

For the most part, in the past, the activation of a malicious code triggered a series of on screen messages or images, or caused sounds to be emitted to catch the user’s attention. Such was the case with the Ping Pong virus, which displayed a ball bouncing from one side of the screen to another. This kind of elaborate display was used by the creator of the virus to gain as much notoriety as possible. Nowadays however, the opposite is the norm, with virus authors trying to make malicious code as discreet as possible, infecting users’ systems without them noticing that anything is amiss.



pat 3


This third installment of ‘The evolution of viruses’ will look at how the Internet and e-mail changed the propagation techniques used by computer viruses.

Internet and e-mail revolutionized communications. However, as expected, virus creators didn’t take long to realize that along with this new means of communication, an excellent way of spreading their creations far and wide had also dawned. Therefore, they quickly changed their aim from infecting a few computers while drawing as much attention to themselves as possible, to damaging as many computers as possible, as quickly as possible. This change in strategy resulted in the first global virus epidemic, which was caused by the Melissa worm.

With the appearance of Melissa, the economic impact of a virus started to become an issue. As a result, users -above all companies- started to become seriously concerned about the consequences of viruses on the security of their computers. This is how users discovered antivirus programs, which started to be installed widely. However, this also brought about a new challenge for virus writers, how to slip past this protection and how to persuade users to run infected files.

The answer to which of these virus strategies was the most effective came in the form of a new worm: Love Letter, which used a simple but effective ruse that could be considered an early type of social engineering. This strategy involves inserting false messages that trick users into thinking that the message includes anything, except a virus. This worm’s bait was simple; it led users to believe that they had received a love letter.

This technique is still the most widely used. However, it is closely followed by another tactic that has been the center of attention lately: exploiting vulnerabilities in commonly used software. This strategy offers a range of possibilities depending on the security hole exploited. The first malicious code to use this method –and quite successfully- were the BubbleBoy and Kakworm worms. These worms exploited a vulnerability in Internet Explorer by inserting HTML code in the body of the e-mail message, which allowed them to run automatically, without needing the user to do a thing.

Vulnerabilities allow many different types of actions to be carried out. For example, they allow viruses to be dropped on computers directly from the Internet -such as the Blaster worm-. In fact, the effects of the virus depend on the vulnerability that the virus author tries to exploit.



part 4


In the early days of computers, there were relatively few PCs likely to contain “sensitive” information, such as credit card numbers or other financial data, and these were generally limited to large companies that had already incorporated computers into working processes.

In any event, information stored in computers was not likely to be compromised, unless the computer was connected to a network through which the information could be transmitted. Of course, there were exceptions to this and there were cases in which hackers perpetrated frauds using data stored in IT systems. However, this was achieved through typical hacking activities, with no viruses involved.

The advent of the Internet however caused virus creators to change their objectives, and, from that moment on, they tried to infect as many computers as possible in the shortest time. Also, the introduction of Internet services -like e-banking or online shopping- brought in another change. Some virus creators started writing malicious codes not to infect computers, but, to steal confidential data associated to those services. Evidently, to achieve this, they needed viruses that could infect many computers silently.

Their malicious labor was finally rewarded with the appearance, in 1986, of a new breed of malicious code generically called “Trojan Horse”, or simply “Trojan”. This first Trojan was called PC-Write and tried to pass itself off as the shareware version of a text processor. When run, the Trojan displayed a functional text processor on screen. The problem was that, while the user wrote, PC-Write deleted and corrupted files on the computers’ hard disk.

After PC-Write, this type of malicious code evolved very quickly to reach the stage of present-day Trojans. Today, many of the people who design Trojans to steal data cannot be considered virus writers but simply thieves who, instead of using blowtorches or dynamite have turned to viruses to commit their crimes. Ldpinch.W or the Bancos or Tolger families of Trojans are examples of this


part 5


Even though none of them can be left aside, some particular fields of computer science have played a more determinant role than others with regard to the evolution of viruses. One of the most influential fields has been the development of programming languages.

These languages are basically a means of communication with computers in order to tell them what to do. Even though each of them has its own specific development and formulation rules, computers in fact understand only one language called "machine code".

Programming languages act as an interpreter between the programmer and the computer. Obviously, the more directly you can communicate with the computer, the better it will understand you, and more complex actions you can ask it to perform.

According to this, programming languages can be divided into "low and high level" languages, depending on whether their syntax is more understandable for programmers or for computers. A "high level" language uses expressions that are easily understandable for most programmers, but not so much for computers. Visual Basic and C are good examples of this type of language.

On the contrary, expressions used by "low level" languages are closer to machine code, but are very difficult to understand for someone who has not been involved in the programming process. One of the most powerful, most widely used examples of this type of language is "assembler".

In order to explain the use of programming languages through virus history, it is necessary to refer to hardware evolution. It is not difficult to understand that an old 8-bit processor does not have the power of modern 64-bit processors, and this of course, has had an impact on the programming languages used.

In this and the next installments of this series, we will look at the different programming languages used by virus creators through computer history:

- Virus antecessors: Core Wars

As was already explained in the first chapter of this series, a group of programs called Core Wars, developed by engineers at an important telecommunications company, are considered the antecessors of current-day viruses. Computer science was still in the early stages and programming languages had hardly developed. For this reason, authors of these proto-viruses used a language that was almost equal to machine code to program them.

Curiously enough, it seems that one of the Core Wars programmers was Robert Thomas Morris, whose son programmed -years later- the "Morris worm". This malicious code became extraordinarily famous since it managed to infect 6,000 computers, an impressive figure for 1988.

- The new gurus of the 8-bits and the assembler language.

The names Altair, IMSAI and Apple in USA and Sinclair, Atari and Commodore in Europe, bring memories of times gone by, when a new generation of computer enthusiasts "fought" to establish their place in the programming world. To be the best, programmers needed to have profound knowledge of machine code and assembler, as interpreters of high-level languages used too much run time. BASIC, for example, was a relatively easy to learn language which allowed users to develop programs simply and quickly. It had however, many limitations.

This caused the appearance of two groups of programmers: those who used assembler and those who turned to high-level languages (BASIC and PASCAL, mainly).

Computer aficionados of the time enjoyed themselves more by programming useful software than malware. However, 1981 saw the birth of what can be considered the first 8-bit virus. Its name was "Elk Cloner", and was programmed in machine code. This virus could infect Apple II systems and displayed a message when it infected a computer.



part 6


Computer viruses evolve in much the same way as in other areas of IT. Two of the most important factors in understanding how viruses have reached their current level are the development of programming languages and the appearance of increasingly powerful hardware.

In 1981, almost at the same time as Elk Kloner (the first virus for 8-bit processors) made its appearance, a new operating system was growing in popularity. Its full name was Microsoft Disk Operating System, although computer buffs throughout the world would soon refer to it simply as DOS.

DOS viruses

The development of MS DOS systems occurred in parallel to the appearance of new, more powerful hardware. Personal computers were gradually establishing themselves as tools that people could use in their everyday lives, and the result was that the number of PCs users grew substantially. Perhaps inevitably, more users also started creating viruses. Gradually, we witnessed the appearance of the first viruses and Trojans for DOS, written in assembler language and demonstrating a degree of skill on the part of their authors.

Far less programmers know assembler language than are familiar with high-level languages that are far easier to learn. Malicious code written in Fortran, Basic, Cobol, C or Pascal soon began to appear. The last two languages, which are well established and very powerful, are the most widely used, particularly in their TurboC and Turbo Pascal versions. This ultimately led to the appearance of “virus families”: that is, viruses that are followed by a vast number of related viruses which are slightly modified forms of the original code.

Other users took the less ‘artistic’ approach of creating destructive viruses that did not require any great knowledge of programming. As a result, batch processing file viruses or BAT viruses began to appear.

Win16 viruses

The development of 16-bit processors led to a new era in computing. The first consequence was the birth of Windows, which, at the time, was just an application to make it easier to handle DOS using a graphic interface.

The structure of Windows 3.xx files is rather difficult to understand, and the assembler language code is very complicated, as a result of which few programmers initially attempted to develop viruses for this platform. But this problem was soon solved thanks to the development of programming tools for high-level languages, above all Visual Basic. This application is so effective that many virus creators adopted it as their ‘daily working tool’. This meant that writing a virus had become a very straightforward task, and viruses soon appeared in their hundreds. This development was accompanied by the appearance of the first Trojans able to steal passwords. As a result, more than 500 variants of the AOL Trojan family -designed to steal personal information from infected computers- were identified.

part 7

This seventh edition on the history of computer viruses will look at how the development of Windows and Visual Basic has influenced the evolution of viruses, as with the development of these, worldwide epidemics also evolved such as the first one caused by Melissa in 1999.

While Windows changed from being an application designed to make DOS easier to manage to a 32-bit platform and operating system in its own right, virus creators went back to using assembler as the main language for programming viruses.

Versions 5 and 6 of Visual Basic (VB) were developed, making it the preferred tool, along with Borland Delphi (the Pascal development for the Windows environment), for Trojan and worm writers. Then, Visual C, a powerful environment developed in C for Windows, was adopted for creating viruses, Trojans and worms. This last type of malware gained unusual strength, taking over almost all other types of viruses. Even though the characteristics of worms have changed over time, they all have the same objective: to spread to as many computers as possible, as quickly as possible.

With time, Visual Basic became extremely popular and Microsoft implemented part of the functionality of this language as an interpreter capable of running script files with a similar syntax.

At the same time as the Win32 platform was implemented, the first script viruses also appeared: malware inside a simple text file. These demonstrated that not only executable files (.EXE and .COM files) could carry viruses. As already seen with BAT viruses, there are also other means of propagation, proving the saying "anything that can be executed directly or through a interpreter can contain malware." To be specific, the first viruses that infected the macros included in Microsoft Office emerged. As a result, Word, Excel, Access and PowerPoint become ways of spreading ‘lethal weapons’, which destroyed information when the user simply opened a document.

Melissa and self-executing worms

The powerful script interpreters in Microsoft Office allowed virus authors to arm their creations with the characteristics of worms. A clear example is Melissa, a Word macro virus with the characteristics of a worm that infects Word 97 and 2000 documents. This worm automatically sends itself out as an attachment to an e-mail message to the first 50 contacts in the Outlook address book on the affected computer. This technique, which has unfortunately become very popular nowadays, was first used in this virus which, in 1999, caused one of the largest epidemics in computer history in just a few days. In fact, companies like Microsoft, Intel or Lucent Technologies had to block their connections to the Internet due to the actions of Melissa.

The technique started by Melissa was developed in 1999 by viruses like VBS/Freelink, which unlike its predecessor sent itself out to all the contacts in the address book on the infected PC. This started a new wave of worms capable of sending themselves out to all the contacts in the Outlook address book on the infected computer. Of these, the worm that most stands out from the rest is VBS/LoveLetter, more commonly known as ‘I love You’, which emerged in May 2000 and caused an epidemic that caused damage estimated at 10,000 million euros. In order to get the user’s attention and help it to spread, this worm sent itself out in an e-mail message with the subject ‘ILOVEYOU’ and an attached file called ‘LOVE-LETTER-FOR-YOU.TXT.VBS’. When the user opened this attachment, the computer was infected.

As well as Melissa, in 1999 another type of virus emerged that also marked a milestone in virus history. In November of that year, VBS/BubbleBoy appeared, a new type of Internet worm written in VB Script. VBS/BubbleBoy was automatically run without the user needing to click on an attached file, as it exploited a vulnerability in Internet Explorer 5 to automatically run when the message was opened or viewed. This worm was followed in 2000 by JS/Kak.Worm, which spread by hiding behind Java Script in the auto-signature in Microsoft Outlook Express, allowing it to infect computers without the user needing to run an attached file. These were the first samples of a series of worms, which were joined later on by worms capable of attacking computers when the user is browsing the Internet.

i was recently playing games and this nasty windos logo key keep annoying me , cause i often accidently clicked it , and i start to search a solution to solve my problem, and found the following article in microsfot website, and it did work, hope this helps, thanks!

CODE
http://support.microsoft.com/?kbid=181348


or in other articles, u can copy the following messages into ur notepad and save as *.reg, and use it..

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,\
00,00,00,00

Most programs run properly on Windows XP. The exceptions are some older games and other programs that were written specifically for an earlier version of Windows. To run your program on Windows XP, you can try the following, Run the Program Compatibility Wizard. As an alternative, you can set the compatibility properties manually. Update your program, drivers, or hardware. These options are covered in detail below.

The Program Compatibility Wizard
This wizard prompts you to test your program in different modes (environments) and with various settings. For example, if the program was originally designed to run on Windows 95, set the compatibility mode to Windows 95 and try running your program again. If successful, the program will start in that mode each time. The wizard also allows you to try different settings, such as switching the display to 256 colors and the screen resolution to 640 x 480 pixels. If compatibility problems prevent you from installing a program on Windows XP, run the Program Compatibility Wizard on the setup file for the program. The file may be called Setup.exe or something similar, and is probably located on the Installation disc for the program. To run the Program Compatibility Wizard click Start, click Help and Support, click Find compatible hardware and software for Windows XP, and then, under See Also in the navigation pane, click "Program Compatibility Wizard."

Set the compatibility properties manually
As an alternative to running the Program Compatibility Wizard, you can set the compatibility properties for a program manually. The settings are the same as the options in the Program Compatibility Wizard. To set the compatibility properties for a program manually Right-click the program icon on your desktop or the shortcut on the Start menu for the program you want to run, and then click Properties. Click the Compatibility tab, and change the compatibility settings for your program.

The Compatibility tab is only available for programs installed on your hard drive. Although you can run the Program Compatibility Wizard on programs or setup files on a CD-ROM or floppy disk, your changes will not remain in effect after you close the program. For more information about an option on the Compatibility tab, right-click the option and then click "What's This."

Update your program or drivers
If your program does not run correctly after testing it with the Program Compatibility Wizard, check the Web for updates or other fixes, as follows:

Check the Web site of the program's manufacturer to see if an update or patch is available.
Check Windows Update to see if a fix is available for the program.
Click Home on the menu bar of Help and Support Center, then click Windows Update in the right pane.

If the program is a game that uses DirectX, ensure that you are using the latest version of DirectX. In addition, check the Web site of the manufacturer of your video card or sound card to see if newer drivers are available for either of them.

If you want to use Norton Ghost 2003 to create an image of a PC's primary partition you will find it has 2 serious limitations:
1- The USB support driver they use (from Iomega) can only be installed in USB1 or USB2 mode (not both), and it is not universal - it didn't recognize my external USB IBM mobile HD .
2- You can't create a Ghost bootable CD - only a floppy. How can you clone a newly bought laptop, most of which don't have a floppy anymore?
Here's How to:
1- create a Ghost floppy with USB support (1 or 2 - it won't matter later)
2- download 2 files kxlrw40an.exe and mhairu.zip
CODE

http://panasonic.co.jp/pcc/products/drive/cdrrw/kxlrw40an/driver/kxlrw40an.exe


CODE

http://www.stefan2000.com/darkehorse/PC/DOS/Drivers/USB/mhairu.zip


From the first file (Panasonic driver for a USB CDRW) you will need the file usbaspi.sys found under "F2H" sub directory after extraction of the downloaded archive. From the second archive you need di1000dd.sys
3- Copy these 2 files to the USB folder on the Ghost floppy, and delete any other files in that folder. Also delete the file guest.exe from the floppy's root.
4- And finaly:
edit the AUTOEXEC.BAT file - delete the line: guest.exe
and edit CONFIG.SYS - delete all entries and enter:
device=usb\USBASPI.SYS /v /e /o /u
device=usb\Di1000dd.SYS
LASTDRIVE = Z

That's it. You can now boot with this floppy and have full USB support so you can create the image on an external USB drive.

If you want to create a bootable CD you can use Nero:
Choose to create a "CD-ROM (boot)" from the wizard, under Boot tab leave the default "bootable logical drive: as A:\ . Insert your Ghost floppy to the drive, drag all the files from the floppy to "New compilation" and burn. You now have a bootable Ghost CD that even Symantec doesn't have..

PS if you need Norton Ghost 2003 get the full retail here:
CODE

http://soft.zmdinfo.ha.cn/system/Norton.Ghost.2003%E6%AD%A3%E5%BC%8F%E9%9B%B6%E5%94%AE%E7%89%88.iso.rar

Here's how you verify system uptime:

Click Start | Run and type cmd to open a command prompt.
At the prompt, type systeminfo

Scroll down the list of information to the line that says System Up Time.

This will tell you in days, hours, minutes and seconds how long the system has been up.

Note that this command only works in XP Pro, not in XP Home. You can, however, type net statistics workstation at the prompt in Home. The first line will tell you the day and time that the system came online.

Things you will need:
QUOTE
1. Photoshop or Paintshop (any versions)
2. Xara3D 5.xx
3. Jasc animation shop 3.xx
4. DUH!! A pic you want as a logo LOL

Things you MIGHT need:
1. a computer
2. Internet connection
3. consciousness
4. corn on the cob

Here they are for your convinience:
Adobe Photoshop CS v8.0 thanx to TheCollector
http://www.shareordie.com/index.php?showto...85&hl=Photoshop

Jasc Paint Shop Pro 9.0 Retail thanx to arclite
http://www.shareordie.com/index.php?showto...&hl=Jasc&st=100

Xara3D 5.02 thanx to Zabref
http://www.shareordie.com/index.php?showtopic=6512&hl=XARA

Jasc Animation Shop 3.11 thanx to sev7en
http://www.shareordie.com/index.php?showtopic=34928&hl=


Steps:
1. Using your photo editor fix/touch up you pic/logo to your liking….too easy(example bellow)
user posted image

2. Save it some where easy to find, for example “C:\pictures” or “C:\Windows\thecenterofhell\system\system32\system64\system128\???” although I don’t recommend the second one.

3.Open Xara3D 5.xx, press “Alt+T” or click on the “T” button on the LEFT PANEL erase all of the text in the window that pops up then press ok.
user posted image
user posted image

4. Press “Alt+U” or click on the yellow “U” surrounded in gray on the LEFT PANEL, check the “button” box and select a desire button type and leave this option window open you will need it again.
user posted image

5. Press the “At+X” or click the black “X” on the LEFT PANEL, click “load texture” in the pop up window, find the picture you made/adjusted and highlight it then click open or just double-click it. Use the “size, x, y, angle” sliders to adjust the picture or “texture” and in the “button options” windows use the “stretch, corners”(corners, only if using this option you can adjust) to adjust the button size.
user posted image

6. Press “Alt+A” or click the black “A” on the LEFT PANEL with what looks like to me is a half-halo with an arrow tip!? Anyway, here is a quick rundown on what the options here do: (BY THE WAY TO ACTIVATE OR “PREVIEW ANIMATION” PRESS “Ctrl+spacebar”).
user posted image


A. Frames per cycle: This is the number of frames for each complete cycle through the animation sequence. The greater the number of frames the smoother the animation. The drawback is that the file is bigger - this is a big disadvantage for web graphics. You may need to try different values to get the best results.
B. Frames per second: The animation speed. Slow speeds can give jerky movement. High speeds can also give jerky movement as the program displaying the animation may not be able to keep up. Again you may need to try different values.
C. Pause: This pauses the first frame before continuing the rest of the animation. Type in a value in centiseconds (1/100ths of a second) - a 2 second pause is 200 cs. Note that this applies only to the first frame; use Frames per cycle and Frames per second to control the overall speed of the animation.
D. Loop Value: Unchecked is Infinite, Any other value see for yourself. Lmao
E. Loop: This lets you specify how many times the animation should repeat itself. Note that some browsers take any value other than 1 to mean 'loop forever'. Therefore, your animation either plays once or forever.
F. Style: This controls the type of animation:
Rotate 1 rotates all the text as one; Rotate 2 rotates each character. (Buttons have a single Rotate option.) Rotate text/Rotate lights - select whether you want the text to rotate or the lights or both. You cannot rotate the shadow as this would create very large files. Direction - selects the direction of rotation.

Swing options: Swing 1 swings all the text as one; Swing 2 swings each character. (Buttons have a single Swing option.) Angle - how much you want the heading to swing.

Pulsate options: Pulsate 1 pulsates all the text as one; Pulsate 2 pulsates each character. (Buttons have a single Pulsate option.) Minimum text size - how far back to pulsate the text. Shrink+Grow & Grow+Shrink - only have an effect if you Pause the animation. These options select the starting point for the animation (maximum or minimum.)

Fade options: Fade in - the heading emerges from the background color. Fade out - the heading merges into the background color. SO AFTER PICKING ONE………………..


7. On the top left go to FILE>>>EXPORT ANIMATION or press “Ctrl+Shift+X” and save in desired location.
user posted image

8. When the next window pops up (Export as animated gif save location then options): Experiment with each one to get it right, but remember the SoD rules about Siggys and Avatars.
user posted image
user posted image


Because Animated GIFs can be quite large, you may find that a 16 or 32 color, optimized palette per frame, produces the best results for the smallest file size. However you might need to experiment.
Dithering always makes GIFs look better, but also makes them larger. When outputting at 256 colors you may find that there is no need to turn dithering on.
Current Window Size lets you export just the area surrounding the text (Crop on) or the entire window area (Crop off.)
User Defined lets you specify the dimensions of the bitmap.

When you open Windows Explorer (by choosing the Window key and "E" simultaneously or by choosing Start, all Programs, Accessories, Windows Explorer), you can change the directory that appears by default. If you choose Start, all Programs, Accessories, and then right-click on Windows Explorer and choose Properties, you can modify the "Target" directory. To go to your C: drive, type simply C:\ in the Target box and choose OK. You can also enter a shortcut key on this screen, telling Windows the character or combination of characters you want to type to automatically open Windows Explorer. You can even change the icon or specify that you always want Explorer to open up in full-screen mode.

You may not realize it, but your computer and your car have something in common: they both need regular maintenance. No, you don't need to change your computer's oil. But you should be updating your software, keeping your antivirus subscription up to date, and checking for spyware. Read on to learn what you can do to help improve your computer's security.


Getting started

Here are some basics maintenance tasks you can do today to start improving your computer's security. Be sure you make these part of your ongoing maintenance as well.

* Sign up for software update e-mail notices. Many software companies will send you e-mail whenever a software update is available. This is particularly important for your operating system (e.g., Microsoft VV!|VD0VV$® or Macintosh), your antivirus program, and your firewall.
* Register your software. If you still have registration forms for existing software, send them in. And be sure to register new software in the future. This is another way for the software manufacturer to alert you when new updates are available.
* Install software updates immediately.
When you get an update notice, download the update immediately and install it. (Remember, downloading and installing are two separate tasks.)
An ounce of prevention

A few simple steps will help you keep your files safe and clean.

* Step 1: Update your software
* Step 2: Backup your files
* Step 3: Use antivirus software and keep it updated
* Step 4: Change your passwords


Developing ongoing maintenance practices

Now that you've done some ground work, it's time to start moving into longer term maintenance tasks. These are all tasks that you should do today (or as soon as possible) to get started. But for best results, make these a part of a regular maintenance schedule. We recommend setting aside time each week to help keep your computer secure.

* Back up your files. Backing up your files simply means creating a copy of your computer files that you can use in the event the originals are lost. (Accidents can happen.) To learn more read our tips for backing up information.


* Scan your files with up to date antivirus software. Use your antivirus scan tool regularly to search for potential computer viruses and worms. Also, check your antivirus program's user manual to see if you can schedule an automatic scan of your computer. To learn more, read our tips for reducing your virus risk
.
* Change your passwords. Using the same password increases the odds that someone else will discover it. Change all of your passwords regularly (we recommend monthly) to reduce your risk. Also, choose your passwords carefully. To learn more, read our tips for creating stronger passwords
.

Making a schedule

One of the best ways to help protect your computer is to perform maintenance regularly. To help you keep track, we suggest making a regular "appointment" with your computer. Treat it like you would any other appointment. Record it in your datebook or online calendar, and if you cannot make it, reschedule. Remember, you are not only helping to improve your computer, you are also helping to protect your personal information.

To disable the stupid feature in WinXP which tries to send a report to microsoft every time a program crashes you will have to do this:


Open Control Panel
Click on Preformance and Maintenance.
Click on System.
Then click on the Advanced tab
Click on the error reporting button on the bottom of the windows.
Select Disable error reporting.
Click OK
Click OK

Grab your registry editor and join in

Why Doesn't Windows Remember My Folder View Settings?

If you've changed the view settings for a folder, but Windows "forgets" the settings when you open the folder again, or if Windows doesn't seem to remember the size or position of your folder window when you reopen it, this could be caused by the default limitation on storing view settings data in the registry; by default Windows only remembers settings for a total of 200 local folders and 200 network folders.

To work around this problem, create a BagMRU Size DWORD value in both of the following registry keys, and then set the value data for both values to the number of folders that you want Windows to remember the settings for. For example, for Windows to remember the settings for 5000 local folders and 5000 network folders, set both values to 5000.

Here is how:

Follow these steps, and then quit Registry Editor:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type BagMRU Size, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 5000, and then click OK.

AND:

1. Locate and then click the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
2. On the Edit menu, point to New, and then click DWORD Value.
3. Type BagMRU Size, and then press ENTER.
4. On the Edit menu, click Modify.
5. Type 5000, and then click OK.

Note:

When you use roaming user profiles, registry information is copied to a server when you log off and copied to your local computer when you log on. Therefore, you may have performance issues if you increase the BagMRU Size values for roaming user profiles.

Debug is a program that comes with modern versions of DOS (I do not know when I started shipping out with DOS). Anyway, all Windows users should have it already.

It's a great tool for debuging programs, unassembling and cracking, and reading "hidden" memory areas like the boot sector, and much more.

The following was copied from an assembly tutorial who's author we cannot credit, because we have no idea who he is.

Get into DOS and type "debug", you will get a prompt like this:
-

now type "?", you should get the following response:
assemble A [address]
compare C range address
dump D [range]
enter E address [list]
fill F range list
go G [=address] [addresses]
hex H value1 value2
input I port
load L [address] [drive] [firstsector] [number]
move M range address
name N [pathname] [arglist]
output O port byte
proceed P [=address] [number]
quit Q
register R [register]
search S range list
trace T [=address] [value]
unassemble U [range]
write W [address] [drive] [firstsector] [number]
allocate expanded memory XA [#pages]
deallocate expanded memory XD [handle]
map expanded memory pages XM [Lpage] [Ppage] [handle]
display expanded memory status XS

Lets go through each of these commands:
Assemble:

-a
107A:0100

At this point you can start assembling some programs, just like using a assembler. However the debug assembler is very limited as you will probably notice. Lets try to enter a simple program:

-a
107A:0100 MOV AH,02
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
-g
A

Program terminated normally

That's the same program we did at the end of the previous chapter. Notice how you run the program you just entered with "g", and also notice how the set-up part is not there? That's because debug is just too limited to support that.
Another thing you can do with assemble is specify the address at which you want to start, by default this is 0100 since that's where all .COM files start.
Compare:

Compare takes 2 block of memory and displays them side by side, byte for byte. Lets do an example. Quite out of debug if you haven't already using "q". Now type "debug c:\command.com"

-c 0100 l 8 0200
10A3:0100 7A 06 10A3:0200

This command compared offset 0100 with 0200 for a length of 8 bytes. Debug responded with the location that was DIFFERENT. If 2 locations were the same, debug would just omit them, if all are the same debug would simply return to the prompt without any response.
Dump:

Dump will dump a specified memory segment. To test it, code that assembly program again:

C:\>debug
-a
107A:0100 MOV AH,02
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
-d 0100 l 8
107A:0100 B4 02 B2 41 CD 21 CD 20
...A.!.

The "B4 02 B2 41 CD 21 CD 20" is the program you just made in machine language.

B4 02 = MOV AH,02
B2 41 = MOV DL,41
CD 21 = INT 21
CD 20 = INT 20

The "...A.!." part is your program in ASCII. The "." represent non-printable characters. Notice the A in there.
Enter:

This is one of the hard commands. With it you can enter/change certain memory areas. Lets change our program so that it prints a B instead of an A.
-e 0103 <-- edit program at segment 0103
107A:0103 41.42 <-- change 41 to 42
-g
B

Program terminated normally
-
Wasn't that amazing?
Fill:

This command is fairly useless, but who knows....
It fills the specified amount of memory with the specified data. Lets for example clear out all memory from segment 0100 to 0108, which happens to be our program.
-f 0100 l 8 0 <-- file offset 0100 for a length of 8 bytes with 0
-d 0100 l 8 <-- verify that it worked
107A:0100 00 00 00 00 00 00 00 00 .......
Yep, it worked.
Go:

So far we used go (g) to start the program we just created. But Go can be used for much more. For example, lets say we want to execute a program at 107B:0100:
-r CS <-- set the CS register to point to 107B
CS 107A
:107B
-g =100

You can also set breakpoints.
-a <-- enter our original program so we have something
107A:0100 MOV AH,02 to work with
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
-g 102 <-- set up a break point at 107A:0102

At this point the program will stop, display all registers and the current instruction.
Hex:

This can be very useful. It subtracts and adds two hexadecimal values:
-h 2 1
0003 0001 <-- 2h + 1+ = 3h and 2h - 1h = 1h

This is very useful for calculating a programs length, as you will see later.
Input:

This is one of the more advanced commands, and I decided not to talk about it too much for now. It will read a byte of data from any of your computers I/O ports (keyboard, mouse, printer, etc).

-i 3FD
60
-

Your data may be different.
In case you want to know, 3FD is Com port 1, also known as First Asynchronous Adapter.
Load:

This command has 2 formats. It can be used to load the filename specified with the name command (n), or it can load a specific sector.

-n c:\command.com
-l

This will load command.com into debug. When a valid program is loaded all registers will be set up and ready to execute the program.
The other method is a bit more complicated, but potential also more usefull. The syntax is

L

-l 100 2 10 20

This will load starting at offset 0100 from drive C (0 = A, 1 = B, 2 = C, etc), sector 10h for 20h sectors. This can be useful for recovering files you deleted.
Move:

Move takes a byte from the starting address and moves it to the destination address. This is very good to temporary move data into a free area, than manipulate it without having to worry about affecting the original program. It is especially useful if used in conjunction with the r command to which I will get later. Lets try an example:
-a <-- enter our original program so we have something
107A:0100 MOV AH,02 to work with
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
-m 107A:0100 L 8 107B:0100 <-- more 8 bytes starting from 107A:0100 into 107B:0100
-e 107B:0103 <-- edit 107B:0103
107B:0103 41.42 <-- and change it 42 (
-d 107A:0100 L 8 <-- make sure it worked
107A:0100 B4 02 B2 41 CD 21 CD 20 ...A.!.
-d 107B:0100 L 8
107A:0100 B4 02 B2 42 CD 21 CD 20 ...B.!.
-m 107B:0100 L 8 107A:0100 <-- restore the original program since we like the changes.
Name:

This will set debug up with a filename to use for I/O commands. You have to include the file extension, and you may use addition commands:

-n c:\command.com
Output:

Exactly what you think it is. Output sends stuff to an I/O port. If you have an external modem with those cool lights on it, you can test this out. Find out what port your modem is on and use the corresponding hex number below:

Com 1 = 3F8 - 3FF (3DF for mine)
Com 2 = 2F8 - 2FF
Com 3 = ??? - ??? (if someone knows, please let me know)

Now turn on the DTA (Data Terminal Ready) bit by sending 01h to it:
-o XXX 1 <-- XXX is the com port in hex

As soon as you hit enter, take a look at your modem, you should see a light light up. You can have even more fun with the output command. Say someone put one of those BIOS passwords on "your" computer. Usually you'd have to take out the battery to get rid of it, but not anymore:

MI/AWARD BIOS
-o 70 17
-o 71 17

QPHOENIX BIOS
-o 70 FF
-o 71 17

QGENERIC
-o 70 2E
-o 71 FF

These commands will clear the BIOS memory, thus disabling the password.
Proceed:

Proceeds in the execution of a program, usually used together withy Trace, which I will cover later. Like the go command, you can specify an address from which to start

using =address
-p 2

Debug will respond with the registers and the current command to be executed.
Quite:

This has got to be the most advanced feature of debug, it exits debug!

-q
Register:

This command can be used to display the current value of all registers, or to manually set them. This is very useful for writing files as you will see later on.

-r AX
AX: 011B
:5
-
Search:

Another very useful command. It is used to find the occurrence of a specific byte, or series of bytes in a segment. The data to search for can by either characters, or a hex value. Hex values are entered with a space or comma in between them, and characters are enclosed with quotes (single or double). You can also search for hex and characters with the same string:
-n c:\command.com <-- load command.com so we have some data to search in
-l
-s 0 l 0 "MS-DOS" <-- search entire memory block for "MS-DOS"
10A3:39E9 <-- found the string in 10A3:39E9

NOTE: the search is case sensitive!
Trace:

This is a truly great feature of debug. It will trace through a program one instruction at a time, displaying the instruction and registers after each. Like the go command you can specify where to start executing from, and for how long.
-a <-- yes, this thing again
107A:0100 MOV AH,02
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
-t =0100 8

If you leave out the amount of instructions that you want to trace, you can use the proceed (p) to continue the execution as long as you want.
Unassemble:

Unassembles a block of code. Great for debugging (and cracking)
-u 100 L 8 <-- unassembles 8 bytes starting at offset 100
107A:0100 MOV AH,02 <-- debut's response
107A:0102 MOV DL,41
107A:0104 INT 21
107A:0106 INT 20
Write:

This command works very similar to Load. It also has 2 ways it can operate: using name, and by specifying an exact location. Refer to back to Load for more information.

NOTE: The register CX must be set the file size in order to write!
NOTE: Write will not write .EXE or .HEX files.[SIZE=7][SIZE=14]

Your hard drive must be formatted with a file system such as FAT, FAT32 or NTFS so that Windows can be installed on to it. This system determines how files are named, organised and stored on the drive. If you’re not using it already, NTFS (New Technology File System) is recommended for Windows XP because of the additional functionality it offers. If your PC came with Windows XP pre-installed then there’s a chance that you’re already using NTFS. If you’ve upgraded from Windows 98 or Windows Me you may still be using FAT or FAT 32. The option to change over to NTFS would have been available during the upgrade process. Don’t worry if you skipped this as it’s possible to convert at any time from within Windows XP without losing any data.


The recommended option
There are a number of features in Windows XP that will only work if the NTFS file system is present, which is why it’s suggested you make use of it. File and folder permissions, encryption and privacy options are just some of those you’ll be able to access. In particular, those of you who have set up user accounts will find NTFS invaluable. For instance, if you continue to use FAT or FAT32 anyone with physical access to the drive will be able to access the files and folders that are stored there. However, with NTFS you’ll be able to use a level of encryption (Professional Edition only) that will enable you to protect your data.

You’ll also find NTFS more reliable in that it’s more able to recover from disk errors than its FAT or FAT32 counterparts. A log of all disk activity is kept so should a crash occur, Windows XP can use this information to repair the file system when your PC boots up again. To find out what file system you’re using, open My Computer, right-click your main hard drive and choose Properties. Take a look at the General tab to see confirmation of the file system that’s in use.

Convert now
You can use the convert tool in Windows XP to change the file system on your hard disk from FAT or FAT32 to NTFS. The whole process is safe and your existing data won’t be destroyed. To begin, click Start -> Run, type cmd and press [Return]. At the command prompt type convert c: /fs:ntfs and press [Return] (where ‘c’ is the letter of the drive you’re converting). When you try and run the convert utility, it’s likely that Windows XP will be using your paging file so the process won’t be completed immediately. Therefore, you’ll see a brief message on screen informing you that the conversion will take place instead the next time Windows starts up. Having restarted, the Check Disk utility will run, the conversion will be performed automatically and you may find that your PC will reboot twice more.

The benefits
With your drive now running NTFS, it’s time to take advantage of the new options that are available. Having created a number of different user accounts you can now control the level of access that’s granted to individual users. For example, there are going to be certain files and folders that you’ll want some users to be able to access but not others. If you have Windows XP Professional Edition you can do this immediately.

Right-click any file or folder, choose Properties and select the Security tab. A dialog will be displayed showing the names of all your users. Alongside will be two columns which enable you to select levels of access for each of them, the permissions include Full Control, Modify, Read and Write. You can then check the appropriate box to determine whether or not to Allow or Deny a particular permission. For Windows XP Home Edition users, the Security tab won’t be immediately available. To access this option you’ll need to restart your PC, pressing [F8] until a menu appears. Next select Safe Mode and wait for Windows XP to start up. You can then set your options in the same way.

Another feature is NTFS compression. It’s quick and seamless as your file or folder is decompressed automatically when you access it. (Don’t confuse this with a Zip compression utility where the files need to be extracted before they can be accessed.) Although you may have used NTFS compression on a file or folder, there’s no way of telling just by looking at it. To remedy this, open My Computer, click Tools -> Folder Options and select the View tab. Under Advanced settings, scroll down and check the option ‘Show encrypted or compressed NTFS files in color’, then click Apply and OK. Take a look at your compressed items in My Computer and you’ll see the text label has changed from black to blue. Something else that’s exclusive to Professional Edition users is the Encrypting File System (EFS). You can use this to protect your important data so that no one else can read it. Your encrypted files and folders will only be accessible when you have logged into your user account successfully.

Introduction

This paper assumes a working knowledge of basic shellcoding techniques, and x86 assembly, I will not rehash these in this paper. I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.



The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The mul instruction may, on the surface, seem mundane, and it's purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand, the other is implicitly specified by the %eax register. So, a common mul instruction might look something like this:

movl $0x0a,%eax
mul $0x0a

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register(this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question. How can we use these attributes to our advantage when writing shellcode? Well, let's think for a second, the instruction takes only one operand, therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so, in order to store the result of the multiplication. Let's put on our mathematician hats for a second, and consider this, what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it's about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing? Well, it 0's out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which as we just learned, multiplies it's operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax's previous contents, %eax must now be 0. However that's not all, %edx is 0'd now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit(left-most bit) of %eax. Using this technique we can zero out three registers in only three bytes, whereas by any other method(that I know of) it would have taken at least six.


The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also like, mul it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let's think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1(on failure) or a positive value of some kind, only rarely will they return 0(though it does occur). So, if we know that after a syscall is performed, %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself, and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. So...how is this applicable to shellcoding? Well, their is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:


xorl %ebx,%ebx
mul %ebx
push %edx
pushl $0x3268732f
pushl $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al #execve() syscall, doesn't return at all unless it fails, in which case it returns -1
int $0x80

divl %eax # -1 / -1 = 1
int $0x80

Now, we have a 3 byte exit function, where as before it was 5 bytes. However, there is a catch, what if a syscall does return 0? Well in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax anything that will make %eax non-zero. Some people say that exit's are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right too, if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIG ILL(illegal instruction) which is a rather odd error, and will be logged by the system. So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.



Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful. Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 0x10(%ecx),%eax

This will load the value 17 into eax, and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a variable of the type long into it's desitination operand. In it's normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is 0'd and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this, to accomplish the same thing:

xorl %eax,%eax
movb $0x10,%eax

I can hear you saying, but that shellcode is a byte shorter than the leal one, and you're quite right. However, in a real shellcode you may already have to 0 out a register like ecx(or any other register), so the xorl instruction in the leal shellcode isn't counted. Here's an example:

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80

xorl %ebx,%ebx
leal 0x17(%ebx),%al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying but that's only one byte it doesn't make that much of a difference, and you're right, here it doesn't make much of a difference(except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.



Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes. If you know who invented the leal technique, please tell me and I will credit him/her.

With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.

This manual is aimed at discussing methods of system security analysis and will shed light on as to how to secure your standalone (also a system connected to a LAN) system.

Open Ports: A Threat to Security?

In the Netstat Tutorial we had discussed how the netstat -a command showed the list of open ports on your system. Well, anyhow, before I move on, I would like to quickly recap the important part. So here goes, straight from the netstat tutorial:

Now, the ??a? option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.

For Example,

C:\windows>netstat -a

Active Connections


Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*


Now, let us take a single line from the above output and see what it stands for:

Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED

Now, the above can be arranged as below:

Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)

Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)

Local Port opened and being used by this connection: 1031

Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)

Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)

State of Connection: ESTABLISHED

?Netstat? with the ??a? argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ?Scan? button and let some software do it.

The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.



Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice

For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----

Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, How can I close these open ports? How do I know if an open port is a threat to my system's security of not? Well, the answer to all these question would be clear, once you read the below paragraph:

Now, the thing to understand here is that, Port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. This range or ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700 Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators delibrately i.e. to fool lamers run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc, however, it actually might be a software logging your prescence and sometimes even tracing you!!!

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, Networking utlites like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.

If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transfering packets (data) received to the application and vis-a-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans, however some application do tend to use such high range port numbers. For Example,Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:

1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a trojan Removal and remove the trojan.

2. If it doesn't or if the Trojan Remover says: No trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.

***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:

http://domain.com:8080 instead of
http://domain.com:80

The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker, would find it more difficult to find that service. He would have to port scan high range of numbers to discover port remapping.

The ports used for remapping are usually pretty easy to remember. They are choosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc etc

Some sysadmins also like to choose Port numbers in the following manner: 1234,2345,3456,4567 and so on... Yet another reason as to why Port Remapping is done, is that on a Unix System to be able to listen to a port under 1024, you must have root previledges.
************************


Firewalls

Use of Firewalls is no longer confined to servers or websites or commerical companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?

Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is a software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network(or systen) from the Internet. It is derived from the concept of firewalls used in vehicles which is a barrier made of fire resistant material protecting the vehicle in case of fire.

Now, for a better 'according to the bible' defination of a firewall: A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network( The Internal Private Network from the untrusted network (The Internet.)

NOTE: This was a very brief desciption of what a firewall is, I would not be going into the details of their working in this manual.

Anyway,the term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.

Now that you have a basic desciption as to what a firewall is, let us move on to why exactly you need to install a Firewall? Or, how can not installing a firewall pose a threat to the security of your system?

You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.

Finding out someone'e IP Address is not very difficult. Anybody can find out your IP, through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc), through a common ISP and numerous other ways. Infact finding out the IP Address of a specific person is not always the priority of some hackers.

What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.

The most common scanners look for systems with RAT's or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept are quite wide and one can easily find a vulnerable system in the matter of minutes or even seconds.

Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal important information about you like your other Passwords, Bank Details, Credit Card Numbers, Social Security Number etc If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network, as you have. This wouls also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.

You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes that is true, however, not completely true. Yes, it does make access to your system when you reconnect, difficult, as you have a dynamic Internet Protocol Address. But, although this provides a faint hope of protection, routine scanning of the range of IP's in which your IP lies, will more often than not reveal your current Dynamic IP and the back door will provide access to your system.

*******************
HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transportmaking any connected system visible to scanners?and attackers.
*******************

So how do I protect myself from such Scans and unsolicitated attacks? Well, this is where Personal Firewalls come in. They just like their name suggests, protect you from unsolicitated connection probes, scans, attacks.

They listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.

Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:

1.BlackICE Defender : An IDS for PC's. It's available at http://www.networkice.com.

2. ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com

Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a details description of these two, read on.

Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to which the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.

You might even get a message like: Such and Such IP is trying to initaite a Netbios Session on Port X. This again is extrememly common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.

What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:

DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server

Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novel IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed onto the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.

(Side note: User's sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must timeout first before the real protocol stack is queried for the server name.).

The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.

Breaking Through Firewalls

Although Firewalls are meant to provide your complete protection from Port Scan probes etc there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (Although normally it should stop such scans.)

If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

(Notice the -g67 which specifies source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

(Notice the -g67 which specifies source port).