How To Remove Skype Virus (dsc027.scr or wndrivsd32.exe)

One of the computers in my house was just infected by a virus that is spreading through Skype. Since I wasn’t the one using the computer at that time, I do not know exactly what or how it happened. All I know is that there was a message received by one of the people in the contact list with some message and a file. My guess is that the file name should be dsc027.scr (I could be wrong). The computer is infected once the file is opened.

Some of the symptoms that I experienced include:

  • Unable to open Skype even though the program is already running
  • Internet browser closes automatically when entering certain websites (especially Skype forums)

After checking the list of processes running from the task manager, I managed to identify an alien process — wndrivsd32.exe. Sure enough, that was the culprit. Below are the steps I took to remove the virus.

  1. Open up task manager (right click on the taskbar and select “Task Manager”)
  2. Select the “Processes” tab
  3. Click on the process name called “wndrivsd32.exe” and click on the “End Process” button
  4. Quickly run the regedit program (Start menu .. Run .. type “regedit” and click the OK button)
  5. If the Registry Editor closes automatically, you need to repeat step 3. Do it quicker this time.
  6. Go through the folders HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunOnce
  7. Delete the key that holds the value C:\Windows\System32\mshtmlsh32.exe
  8. Open up this file C:\Windows\System32\Drivers\etc\hosts with a text editor like Notepad. It will be filled with “garbage” inside. Just empty the whole file (delete everything in the file) and save it.
  9. Delete this file (if it exists): C:\Windows\System32\wndrivsd32.exe.
  10. Restart the computer and run Skype again. Play around with your computer. If everything is normal (including Skype), the virus is gone.
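Before editing the registry or the hosts file, it helps to confirm that the indicators named above are actually present. The script below is an added example (not part of the original post) that reports them read-only; it assumes the process, file and RunOnce names given in the steps above and should be run from an elevated PowerShell prompt.

```powershell
# Added example: read-only check for the indicators described in the post.
# Names below are the ones the post gives; nothing is deleted or changed.
$processName = 'wndrivsd32'
$runOnceKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$payloads    = @("$env:SystemRoot\System32\wndrivsd32.exe",
                 "$env:SystemRoot\System32\mshtmlsh32.exe")
$hostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-SkypeWormIndicators {
    $findings = @()

    # 1. Is the rogue process running? (step 3)
    foreach ($p in Get-Process -Name $processName -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Detail = "$($p.Name) PID $($p.Id) $($p.Path)" }
    }

    # 2. RunOnce values that would re-launch the dropper at next logon (steps 6-7)
    if (Test-Path $runOnceKey) {
        $props = Get-ItemProperty -Path $runOnceKey
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        foreach ($n in $names) {
            if ("$($props.$n)" -match 'mshtmlsh32\.exe') {
                $findings += [pscustomobject]@{ Type = 'RunOnce'; Detail = "$n = $($props.$n)" }
            }
        }
    }

    # 3. Dropped files still on disk (step 9)
    foreach ($f in $payloads) {
        if (Test-Path $f) { $findings += [pscustomobject]@{ Type = 'File'; Detail = $f } }
    }

    # 4. Hosts file: apart from comments and the localhost lines, a default
    #    hosts file is empty, so any other active mapping is suspect (step 8)
    $active = @(Get-Content $hostsPath -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '\slocalhost\s*$' })
    if ($active.Count -gt 0) {
        $findings += [pscustomobject]@{ Type = 'Hosts'; Detail = "$($active.Count) active entries, first: $($active[0])" }
    }
    return $findings
}

$result = Get-SkypeWormIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No indicators found.' }
```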

Delete the mshtmlsh32.exe string in the registry

Empty the hosts file and save it

I found two other sources that helped me remove the virus, each with slightly different steps. Some of the files they instructed me to remove don’t exist on my computer. If they exist on yours, remove them as well. Check them out.

Protect Your Gmail Account From Hackers

At the recent Black Hat security convention, Robert Graham, the CEO of Errata Security, demonstrated on camera how he hijacked a Gmail session and read the victim’s emails. He sniffed the Wi-Fi network for cookies and copied them into his notebook using his self-made tool, Hamster. The hack doesn’t need the victim’s username or password to work. It only requires an IP address.

This hack has been reported to work on almost any cookie-based web application. Therefore, other web-based email services such as Yahoo Mail and Hotmail are vulnerable as well.

The good news is that this hack can be easily prevented with the use of SSL or any other type of encryption. However, it is reported that Internet users seldom use these forms of security measure when accessing their email, thus putting them at risk.

For example, accessing Gmail from http://mail.google.com will lead you to an SSL page where you enter your username and password. However, you will then be redirected to a non-SSL page to access your emails, which puts you in a vulnerable situation.

Accessing Gmail without using SSL

On the other hand, accessing Gmail from https://mail.google.com (doesn’t work for me that’s why I’m using https://mail.google.com/mail?tab=wm instead) forces Gmail to redirect you to an SSL page after login.

Accessing Gmail using SSL

There are some photos of the hacking demonstration available. Remember to always use an SSL page (https) whenever there is such an option. Protect yourself online.

iPhone Is Vulnerable To Hack Attacks!

A team from Independent Security Evaluators did some security tests on the iPhone and has found a vulnerability in it. The vulnerability enables hackers to retrieve personal information of an unsuspecting victim that is stored in the memory of the phone.

According to the article, that personal information includes the “log of SMS messages, the address book, the call history, and the voicemail data”. However, the code used to exploit the iPhone can also be modified to retrieve other sensitive information, for example to “send the user’s mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker”.

The attacker strikes by inserting malicious code in a web page and luring victims to it. The delivery methods described include:

  1. An attacker controlled wireless access point.
  2. A misconfigured forum website.
  3. A link delivered via e-mail or SMS.

The Independent Security Evaluators team advises all iPhone users to follow the steps below to protect themselves from such vulnerabilities:

  1. Only visit sites you trust.
  2. Only use WiFi networks you trust.
  3. Don’t open web links from emails.

A preliminary version of the attack papers is available for download. The complete version will be presented at BlackHat on 2/8/2007.

If you have an iPhone, make sure you update the software on the next security update.

Change Your Password ASAP If You Used Blockoo.com

After my review of blockoo.com, I received feedback suggesting that blockoo.com is indeed “not as safe as it should be”. Even the co-founder of the company mentioned that they were approached by two antivirus firms to reveal their source code or risk being blacklisted.

It doesn’t matter if they are able to prove (using their source code) that they do not store users’ passwords in their database. I raised a question to the founder of blockoo.com as to why they store the user’s email and password in a cookie. That question is left unanswered up to this point.

So far, their arguments are based on trust. They bought an SSL certificate, revealed their source code to the public, boast of their “more than 350,000 users” and proudly declare that there is “no one saying that their password was stolen”.

I don’t buy it for two reasons. Firstly, even though they have purchased the SSL certificate, it is not utilized at all. Traffic to their website is not automatically redirected to https://www.blockoo.com. Data transmitted is only encrypted if the user goes through the https part of the website. Buying an SSL certificate and then not fully utilizing it is a perfect example of Lanpah-pahlan.

Secondly, why do they need to store the user’s password in a cookie? That is simply bad practice. The password in the cookie is not encrypted at all. Therefore, it is vulnerable to outside attacks. Storing the password in the cookie is totally unnecessary. If the user wants to recheck the block list, they can easily re-enter their password.

Based on the reasons above, I join Azmeen and PsyCHZZZ’s call to urge those who have used blockoo.com’s service to change their passwords IMMEDIATELY! I am not saying that they stole your passwords, but the way they handled your passwords (i.e. storing your password in a cookie) means that it is possible that your password has been stolen by a third party, with or without their knowledge.

Once again I would like to add that blockoo.com is a nice service to have (for some), but it has started off on the wrong foot. They should have concentrated more on building a system where users’ vital information (e.g. passwords) is safely guarded.

This is not the first system I have reviewed that poses a threat to users’ password security. Well, it ain’t my password that is vulnerable. To change, or not to change, is totally up to you.
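Both the Gmail session-hijack post above and the blockoo.com cookie problem come down to what a site puts in its Set-Cookie headers: a session cookie without the Secure attribute is sent in the clear over http:// (which is what Hamster picks up), and a password in a cookie is a secret handed to the client. The following is an added example, not code from either post or either site, that audits a list of Set-Cookie header values for exactly those two problems; the header values and cookie names are constructed samples.

```powershell
# Added example: audit Set-Cookie header values for the two weaknesses
# discussed above. The sample headers below are constructed, not captured.
$sampleHeaders = @(
    'SID=abc123; Domain=.example.com; Path=/; HttpOnly',           # no Secure: sniffable on open Wi-Fi
    'SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly',  # what a session cookie should look like
    'user_pass=hunter2; Path=/'                                    # password stored client-side
)

function Test-SetCookieHeader {
    param([Parameter(Mandatory)][string[]]$Header)
    foreach ($h in $Header) {
        # "name=value; Attr; Attr=x" -> name plus a list of lower-cased attribute names
        $parts = $h -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = @($parts | Select-Object -Skip 1 | ForEach-Object { ($_ -split '=', 2)[0].ToLower() })

        $issues = @()
        if ($attrs -notcontains 'secure') {
            $issues += 'no Secure attribute: browser also sends it over plain http://'
        }
        if ($attrs -notcontains 'httponly') {
            $issues += 'no HttpOnly attribute: readable by scripts on the page'
        }
        if ($name -match 'pass|pwd|secret') {
            $issues += 'credential-like cookie name: a secret is being stored on the client'
        }
        [pscustomobject]@{
            Cookie = $name
            Ok     = ($issues.Count -eq 0)
            Issues = ($issues -join '; ')
        }
    }
}

Test-SetCookieHeader -Header $sampleHeaders | Format-Table -AutoSize -Wrap
```

To check a real site, capture its Set-Cookie headers (for example from the browser's developer tools) and pass them to Test-SetCookieHeader in place of the constructed samples.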