Undergoing MyBlogLog Verification

Thursday, January 29, 2009

SEO pdf collection

Copy and paste the links in the address bar

Google's Search Engine Optimization Starter Guide:

SEO Basics:

SEO Fundamentals:

SEO in the Web 2.0 Era:

Server Speed and SEO White Paper:

RankQuest SEO PDF:


seo - search engine optimisation choosing the right provider

Microsoft PowerPoint - SEO Strategy

SEO for Web 2.0

Wednesday, January 21, 2009

Conficker - Downadup

Conficker or Downadup : Removal Tool

Overview -

This detection is for a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files onto the affected system.


  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)


Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.


Symptoms -

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Users being locked out of directory

Access to admin shares denied

Scheduled tasks being created

Access to security related web sites is blocked.

Method of Infection

Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.

Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm

Download Removal Tool