
Sunday, January 27, 2008

Tips To Buy Perfect Notebook For You (5)

21: What's it made of?
Most laptop cases are still made from molded plastic, but you can find some encased
in metal, which dissipates heat better. Look for models made from light, strong
metal alloys. If you're in the market for a desktop replacement, check that the
case has adequate ventilation for the powerful (and hot-running) components inside.

22: Fixed or swappable
Less-expensive notebooks have fixed drives, meaning the optical and hard drives
can't be removed. Some, though, have a swappable-drive bay, letting you change out
an optical drive for a hard drive or extra battery--or just a spacer module so you
can shed some travel weight.

23: Are you the Tablet type?
Comparable in size and weight to ultraportable notebooks, tablet PCs occupy a
different niche. They're available in two basic designs: Convertibles, which have
displays that swivel and fold flat facing outwards, and slates, which have no
attached keyboards. (Some slates offer optional wired or wireless keyboards.) All
Tablet PCs use a special version of Windows XP that works in tandem with the
display for navigating and entering data using a stylus. Until recently, these
units were primarily used in specialised fields, such as health care, insurance,
and real estate, but sexier models with new software are slowly reaching a broader
audience.

24: Going for the perfect drive
Optical drives of all kinds are available for laptops--from basic DVD/CD-RW combo
drives to double-layer DVD±RWs. We like DVD writer drives for notebooks; they burn
CDs and play both CDs and DVDs. If you want to splurge, a DVD recorder is handy
for backing up as much as 8.5GB of important files at a time.

25: Don't forget to shop for Apples
It's no secret Apple makes some phenomenal notebooks. If you're considering one,
make sure all the specialty software apps you need to run are available for the
Mac platform. Also, factor in what's required to incorporate your new Mac into
your home network.

From : CNet Asia

Tips To Buy Perfect Notebook For You (4)

16: Modern conveniences
Some common desktop features have made their way into notebooks. Quick-launch keys
are a perfect example. You can program these buttons to launch your favourite apps,
turn on your wireless radio, or switch to a power-saving mode. A few of our other
favourite luxuries are built-in TV tuners, and, for photo junkies, multiformat
memory-card readers.

17: Turn on, tune out--instantly
Want to listen to music or watch a DVD without having to wait for your notebook to
power up? An instant-on feature lets you do just that, so you can get right down
to, um, business, without the boot time. Plus, going this route usually helps
extend battery life. Although this isn't a necessary feature, it can come in handy
on long flights.

18: Connect the docks
A docking station quickly turns your notebook into a desktop. You connect your
peripherals (monitor, keyboard, mouse, and serial devices) to the dock, which
stays at your desk. Simply attach the notebook to the dock, and you instantly get
the conveniences of a desktop without having to unplug everything when it's time
to go.

Another advantage of a docking station is its inclusion of legacy ports many newer
notebooks leave out, such as parallel, serial, and PS/2 ports. If you don't need
all the features of a dock, but could still use the extra connectivity, check
whether the notebook maker offers a port replicator, which is basically a
pared-down version of a dock.

19: When good notebooks go bad
Every notebook is susceptible to accidents and system failures. We recommend
paying for a good three-year warranty with express service. If you can afford it,
get coverage for damage caused by spills, drops, electrical surges, or any other
accident.

20: Essential accessories
When pricing a notebook, set aside cash for important extras. These include a
laptop bag, an extra battery, a mouse and keyboard, and software for office work,
Internet security, and system maintenance. You may even want to consider an
external hard drive for backup.

From : CNet Asia

Thursday, January 24, 2008

Tips To Buy Perfect Notebook For You (3)

11: Go wireless
Integrated wireless networking (Wi-Fi) has become an indispensable feature. Most
notebooks ship with a choice of 802.11b/g or 802.11a/b/g. Capable of data
throughput of 11Mbps, 802.11b is fine for ordinary use. Public hotspots typically
use 802.11b or 802.11g. (The latter is backward-compatible with 802.11b.) Unless
you're in and out of office environments, don't worry about support for 802.11a.
Santa Rosa-based notebooks have the option of the fastest Wi-Fi standard to date,
the 802.11n radio which is supposed to give ten times more bandwidth than the
previous 802.11g standard.

12: Power without the plug
Lithium-ion batteries have all but replaced nickel-cadmiums because they're
lighter, have a higher energy density, and don't suffer from recharge-inhibiting
memory effect. So-called "smart" lithium-ions give feedback to the laptop about
their remaining power, so the computer can conserve as necessary.

Two more specs to look for in laptop batteries are capacity (measured in milliamp
hours, or mAh), and the number of cells. Typical batteries have a mAh rating
between 2,000mAh and 6,000mAh; higher is better. Cells are the actual compartments
where power is produced and can range from four to 12; the more the better.

13: What's in a name?
Intel loves its code-names. In the mobile arena, the company's Centrino mobile
technology tops the list. The Centrino platform, which arrived in early 2003,
combines Intel's Pentium M or Core Duo/Solo CPU, Intel chipset, and Pro/Wireless
Wi-Fi circuitry. A notebook must have all three parts to be a Centrino notebook.

A newer version of Centrino, the Core platform (previously codenamed Santa Rosa),
arrived this year. It features Intel's 965 chipset and adds support for HDMI and
800MHz dual-channel DDR3 memory to laptops. What does all this mean? Dual-core or
even future quad-core processing, faster graphics and multitasking, plus increased
battery life over older models. The best news: We expect prices on older--but
still excellent--Centrino models to fall a bit.

14: Tiny, tinny sound
Notebooks are notorious for having terrible speakers. Our recommendation: Get a
good set of headphones, or a stereo or three-piece speaker set.

Laptops generally lack the sound-processing abilities to use surround-sound
speakers, but you can add it. Creative's Sound Blaster Audigy 2 ZS Notebook slides
into a PC Card slot, providing support for up to eight-channel surround sound.

15: It's not just size that matters
Notebook hard drives start at 80GB. Form factor may restrict your options, but if
possible, go for at least 120GB or 160GB if you'll be storing lots of image or
music files. Capacity isn't the only issue. If you have a choice, select a drive
with a rotational speed of at least 5,400rpm. The faster it spins, the faster
you'll get your files.

From : CNet Asia

Tips To Buy Perfect Notebook For You (2)

6. Finger fitting
As notebooks shrink in size, so do their keyboards. If possible, try some simple
typing exercises before you buy. The smaller the keyboard, the more creative the
vendor may have gotten with key size and placement. Pay particular attention to the
spacebar, Shift, Ctrl, and Backspace/Delete keys. Be sure all are in a good
location for your hand size and typing style.

7: Touchy, touchy
Computing today relies a lot on mousing. With a notebook, all you get is a touch
pad or pointing stick. Unless you plan on traveling with a mouse, test the
notebook's input device for comfort and responsiveness. Some touch pads include
extra features, such as a dedicated area for scrolling. We've never been big fans
of those little pointing sticks tucked in the middle of the keyboard, because
precision is tough and the little nubs wear off, requiring replacement.

8: Vying for video RAM
If you're not planning on doing much graphics work or playing 3D games, shared
memory should be fine. But if you have a choice, aim for a graphics chipset that
shares at least 384MB of system memory. You may not find it in an ultraportable,
but other notebook types may offer more robust graphics chipsets. In fact, many
high-end notebooks have discrete graphics subsystems with dedicated high-speed
video memory. If gaming or intensive graphics work is on the agenda, look for 512MB
or 1GB of dedicated memory.

9: A slot for all reasons
Like a PCI slot in a desktop, a PC Card (or PCMCIA) slot in a notebook provides
expansion opportunities. Additional USB and FireWire ports, wired and wireless
modems, and wireless LAN radios are all available in PC Card form. PC Cards and
slots come in three sizes: Type I, II, and III. Type I cards are normally used for
memory, Type II for input/output devices, and Type III for mass storage and
firewalls. The very latest notebooks include the ExpressCard slot which is set to
replace the PCMCIA card format in the long run.

10: Get connected
Ports, especially USB and FireWire, are necessities, but on notebooks they're
usually in short supply. At a minimum, look for two USB ports, and if you have any
legacy devices, such as parallel printers, look for those ports, too. If you'd like
to use a digital camcorder or iPod with your notebook, make sure the notebook has a
FireWire (IEEE 1394) port. Connecting a monitor will require a VGA port. (If you'll
be giving presentations, a VGA port is also where you'll connect a projector.) And
if you want to output video to a television, find a notebook with an S-Video out.

From : CNet Asia

Tuesday, January 22, 2008

Tips To Buy Perfect Notebook For You (1)

1. Choose Your Form
We divide notebooks into four forms (thin-and-light, ultraportable, mainstream,
desktop replacement). Decide which form suits you.
-> Thin-and-light, if you need a balance between size, battery, and power. This
form suits students and businessmen. Its larger screen (14-15 inches) and
roomier keyboard make it better for longer use.
-> Ultraportable, if you will use your notebook on the road (mobile). This form is
small, which makes it easy to carry. However, tiny tech comes at a higher
price.
-> Mainstream, if you need a laptop for daily use. Although these are not small
(14-inch screen or larger, big keyboard, and standard ports), they still
offer portability. This form is like a budget desktop: good for general
tasks, but it won't win any contests for performance or features.
-> Desktop replacement, if you need desktop power. These have 15-17 inch screens,
travel weights, and longer battery life (up to 3 hours). They offer a wide range
of performance, at the cost of a little portability.

2. The CPU
Choose the fastest CPU you can afford. You have a lot of options.
Intel's Centrino is good, but if you prefer a more affordable one you can
choose AMD. AMD is still behind Intel, though (based on the CNet mobilemark test).

3. Screen
Wide screens offer sharper and better images; they are great for watching DVDs or
opening two documents side by side. A spacious 17-inch wide-screen laptop is a
nice luxury if you're not planning on traveling with it.

4. The (not-so) great outdoors
Sunlight is not ideal for computing -- specifically, for seeing the screen. If you
want to work outdoors, you have options, but most consumer models have what are
known as transmissive screens. These screens are lit from behind, and despite what
you've seen in the commercials, they're virtually invisible on a bright, sunny day.
Reflective LCDs, which light the screen's pixels from the front and reflect
polarised light from the environment, are much better for outdoor work, but their
screens look dim indoors. What's more, they're mostly reserved for vertical-market
notebook models and are pretty tough to come by.

5. Memory
Having enough memory is vital to system performance, and lots of RAM lets you run
more applications simultaneously. Sufficient RAM is also necessary for graphics
work, image editing, and video editing, and crucial for 3D gaming. This is
especially true in notebooks, because notebook graphics processors frequently have
little or no memory of their own and share the main system RAM.

1GB: Good for basic office apps, running one at a time.

1.5GB: Adequate for running several programs at once, photo editing, and basic 3D
gaming.

2GB or more: Recommended for high-performance 3D gaming, demanding graphics work,
and video editing.

From : CNet Asia

Monday, January 21, 2008

How To Remove Some Stuff On Start

When you click the Start button (Windows logo) on the taskbar, the Start menu shows items like RUN, NETWORK CONNECTION, etc. Are you bored of them?
Then you can try this:
Click RUN, then type gpedit.msc
Then choose User Configuration -> Administrative Templates -> Start Menu and Taskbar.
There you can see a lot of settings, for example "Remove Network Connection from Start Menu".
Double-click the setting to open its properties, and choose Enabled.
Then click Run and type gpupdate, then check it out.

Saturday, January 19, 2008

Is Microsoft Cracking Down on DVD Ripping?

Is Microsoft trying to thwart DVD-ripping on PCs using Windows Vista with the new beta of Vista Service Pack 1?

As I tested the public beta release of Vista SP1, I noticed the update crippled a popular DVD cracking program called DVD43.

DVD43 is a free utility that disables a DVD's Content Scramble System (CSS) copy protection technology. Once a DVD's copy protection is disabled, you can copy its content using one of several third-party programs. You may be using DVD43 and not realize it, because it often is the engine of other ripping programs.

When I updated my Windows Vista operating system with the beta of Vista SP1, DVD43 wouldn't load. Instead, I saw an error message about a missing driver--even after I uninstalled and then reinstalled DVD43. A colleague of mine had a similar experience on a PC that also had been updated with the latest beta release of Vista SP1.

Stripping DVD copy protection (CSS) from a DVD is illegal but many people do it.

I've made formal requests for comment from Microsoft and the company behind DVD43. So far, I've heard nothing back. I'll let you know what either say, if and when they reply.

Intentional?

It's hard to say whether Microsoft is intentionally disabling DVD43. Certainly the software giant doesn't mention anything about DVD copying in its documentation for the beta of Vista SP1. But given Microsoft's interest in making friendly with Hollywood movie studios, it wouldn't surprise me if Microsoft intentionally disabled a popular and free tool that aids in ripping DVDs.

DVD43--and programs like it--have long been a thorn in the side for Hollywood, as DVD-ripping is one of the first steps in cracking and distributing copyright-protected movies online.

Despite the Motion Picture Association of America's efforts to crack down on DVD-ripping and despite U.S. copyright laws that make it illegal, sales of software that bypass DVD copy protection continue online and at retail stores.

Many of these DVD programs have been, and still are, sold by major retailers. However, when purchased, some of the programs can't copy DVDs equipped with copy protection. You must use an Internet search engine to find and download a program, such as DVD43, that empowers your DVD copy program to duplicate the contents of any CSS-protected DVD.

It's my experience in reporting past stories on DVD-ripping that many DVD-ripping programs recommend DVD43 to their customers. DVD43.com, a Web site that lists download sites for DVD43 as well as the DVD-ripping packages it works with, is owned by a company based in Beijing, China, according to Internet domain registration records.

In further tests, I did find that at least one other popular DVD utility, AnyDVD, which promises to "unprotect encrypted movie DVDs," did work with the beta of Vista SP1 installed--as its product description asserts. However, this is not free software: It will cost you 49 Euros, or about $72.

At least for now, it appears that casual DVD rippers will be stymied if they choose to update their Vista PCs with the Vista SP1 beta--and that those who want SP1 and copies of their Hollywood DVDs will have to pay up to keep ripping.

From : PC World

MacBook Air: How Incomplete Is It?

Steve Jobs is, among many other things, the great denier. Second mouse buttons, floppy drives, 56-kbps modems--for decades, he has been perfectly willing to release products lacking one or more features that are standard equipment on everyone else's computers, if he thinks they're unnecessary or they offend his design principles or aesthetic sense.

Typically, the news that a new Mac is missing a feature is met by yelps of protest. But then, sooner or later, the rest of the industry follows Jobs's lead. (Okay, usually--I haven't seen any one-button mouses on PCs lately.) Jobs, in other words, tends to figure out that we can live without something before the rest of the world does.

I'm not sure if he has ever denied Apple customers as many features as he will with the MacBook Air, the superthin notebook that he unveiled at this morning's Macworld Expo keynote. In introducing the Air, Jobs said that manufacturers of other thin-and-light laptops made too many compromises to make their machines sleek, like using small keyboards and screens and wimpy CPUs. But nobody else in the industry would dream of making some of the compromises that the Air makes.

So what's missing? And how big a deal is it?

An optical drive
Mildly annoying omission
This is the one thing everybody assumed the Air would leave out, although I was holding out hope that Apple would take its cue from Toshiba's optical-drive-bearing featherweight Portege 500. There's a long history of subnotebooks skipping the optical drive to shave off weight and space, so the Air's doing so won't strike anyone as shocking. And Jobs is right in that a lot of things people do with optical drives--such as watch movies and install software--can be done these days without one. (Apple's new Remote Disc feature will help in the latter instance.)

Me, I mostly use my MacBook's Superdrive for two things: ripping CDs into MP3s and making data CDs and DVDs to distribute files to friends and colleagues. I guess I could do the former on another computer and then move the MP3s to an Air--sorry, Steve, I'm not ready to buy all my music from iTunes. And cheap thumb drives can probably do the trick when I want to hand out copies of files. Still, if I were to buy an Air, I suspect I'd spring for the $99 external Superdrive.

Ethernet
Seriously annoying omission
In the old days, no notebook had built-in ethernet; you had to futz with external adapters. Then it became standard equipment. The fact that the Air lacks it makes the machine a throwback.

Jobs spoke of the Air as a machine built to be used wirelessly. But most of the hotels I stay in assume that my computer has ethernet. It's also damn handy at work. I can't imagine there are that many people who can spring for a $1799 Air who won't need ethernet at least from time to time. Apple sells an external adapter, but if I traveled with an Air, I'd probably just toss my Airport Express travel router into my briefcase, giving me a form of ethernet compatibility that doesn't actually make me plug an ethernet cable into the Air.

Multiple USB ports
Mildly annoying omission
I'm not sure when I last owned a computer with only one USB port, but it's been a very, very long time. On the other hand, it's rare that I want to plug two USB devices into my MacBook at once, and at least one of the ones I use (a SanDisk MicroMate card reader) blocks access to both of the MacBook's ports when I use it anyhow. So I wouldn't not buy an Air because of its solo USB.

Thursday, January 17, 2008

Macworld 2008 Impression

The Macworld 2008 keynote is now behind us and it left a really bad taste for some of us. I think most existing iPod Touch users are a little upset with a couple of the announcements yesterday. The first announcement which I thought was good turned out to be sour. Steve Jobs said they will be adding five “new” apps to the iPod Touch, this includes: Mail, Maps, Stocks, Weather, & Notes. My initial thought was, “About time!”. Then that is when he said existing iPod Touch owners will have to pay $19.99. However, anyone buying a new iPod Touch yesterday and onward will have the five “new” apps already installed at the same price I paid a few months ago. I’m hoping Apple will see all the complaints and do the right thing by offering the five apps for free.


Here is what Macworld 2008 announced:

-> MacBook Air
-> iPhone Enhancements
-> iPod Touch (Five “new” Apps - Firmware 1.1.3)

Latest Vista SP1 Beta Opened Up to Public

Microsoft has reversed field and opened public access to the latest beta build of Vista Service Pack 1. Users can now download Vista SP1 RC Refresh from Microsoft's Web site.

Users can install the beta via Windows Update, but Microsoft is providing a list of procedures users should follow to avoid problems.

Microsoft originally released the Refresh beta on Jan. 9 to approximately 15,000 beta testers that included corporate customers, consumer enthusiasts, software and hardware vendors, and others, according to a company spokesman.

The spokesman said on Jan. 10 Microsoft decided to make the beta open to everyone with an interest via its TechNet Web site. Microsoft said its intention was to get the widest and deepest feedback it can before releasing the software.

The spokesman said Vista SP1 is still slated for release before the end of March.

More Popular in Businesses?

The beta news comes on the heels of the third phase of a year-long study conducted by Walker Information for IT services and product supplier CDW, which shows Vista gaining popularity in the business market. The study shows that 48% of respondents are using or evaluating Windows Vista -- up from 29% in the previous poll from February 2007 and from 12% in the first poll taken in October 2006.

Microsoft first made Windows Vista SP1 RC Preview available on Nov. 14 to 15,000 testers as part of its private beta program. In December, the company opened the beta to the public.

Microsoft hopes to align SP1's availability with Windows Server 2008, which Microsoft hopes to ship on or before its Feb. 27, 2008 launch event in Los Angeles.

Vista SP1 will include a number of bug fixes and performance enhancements but no new features, Microsoft said. Microsoft also is updating its set of Vista migration tools, including the Application Compatibility Toolkit 5.0, Windows Vista Hardware Assessment 2.1 solution accelerator (formerly called Business Desktop Deployment), and Microsoft User State Migration Tools 3.0.

Microsoft officials said the Vista SP1 RC includes changes that streamline setup and installation. It also includes all previously released updates since RTM, performance and reliability improvements such as file copy, network browsing and improved response time to resume from sleep, and changes to administration features, including changes to BitLocker that allow encryption for multiple volumes.

Over the years, SP1 versions of any Microsoft products have become a traditional milestone that some corporate users wait for before they even consider rolling out the software.

Uptake of Vista has been slow by corporate users, many of whom have standardized on XP and are reluctant to undertake another migration.

CES 2008: Intel Debuts 16 New Processors


We knew they were coming…just not this many. Intel kicked off this year's CES in a big way, introducing 16 new processors all based on the chipmaker's 45 nanometer (nm) process technology. We've been hearing a lot about 45 nm lately and, admittedly, it's kind of hard to get excited about semiconductor fabrication -- especially when there's all manner of shiny new gizmos vying for your attention. (For a layman's overview of 45 nm, see the company's somewhat creepy video, Intel's 45nm Secret 'Revealed'.) But make no mistake, the debut of these new processors is a big deal.

First, it marks Intel's considerable lead over rival AMD. While AMD is expected to move to 45 nm sometime in the second half of 2008, Intel began mass-producing these chips in November 2007. In a general sense, 45 nm fans the flames of Moore's law, allowing Intel to double the number of transistors in the same silicon space. According to the chipmaker, it also allows the company to squeeze more performance out of smaller transistors and increases the overall energy efficiency of a given processor. How small are we talking about? Well, there are 1 billion nanometers (nm) in one meter. And while the original Bell Labs transistor could be held in your hand, you can actually fit hundreds of 45nm transistors on the surface of a single red blood cell. So, yeah, small.

One of the other noteworthy aspects about Monday's announcement is the fact that more than a quarter of these new processors are aimed at the mobile arena. Anyone who's been following Intel knows the company is keen on expanding more into this space, both with its continued WiMax push and in the form of its newfound love of the mobile internet device (MID). And with five new 45nm dual core mobile processors slated for release this month that are (in some cases) up to 25 percent smaller, you can not only expect new notebooks equipped with these processors, but also new form factors.

In fact, Intel says it's also planning on using these new teeny tiny transistors and manufacturing advances to spur on this MID category of small form-factor, low-powered devices later in the year.

In the end, Intel's focus on mobility is understandable. With 30 percent annual growth, the laptop market is consistently exceeding expectations. During a pre-CES briefing, the company reiterated that notebooks alone are expected to start outselling desktops for the first time on a worldwide basis in 2009. And with these new processors being absorbed into its Centrino lineup, you'll see better performance and better battery life.

If you're interested in hearing more about Intel's mobile push, CEO Paul Otellini's keynote is scheduled for 4:30 this afternoon. You'll likely get the WiMax spiel again and hear more about these so-called MIDs and "internet in your pocket." Oh, and there will also be some sort of virtual Smash Mouth jam. You won't want to miss that...

Tuesday, January 15, 2008

How To Run Vista Legally Without Activation for a Year

A security expert says Windows Vista can be run for at least a year without being activated, but Microsoft calls the process an antipiracy 'hack'.

Windows Vista can be run for at least a year without being activated, a serious end run around one of Microsoft's key antipiracy measures, Windows expert Brian Livingston said Thursday.

Livingston, who publishes the Windows Secret newsletter, said that a single change to Vista's registry lets users put off the operating system's product activation requirement an additional eight times beyond the three disclosed last month. With more research, said Livingston, it may even be possible to find a way to postpone activation indefinitely.

"The [activation] demands that Vista puts on corporate buyers is much more than on XP," said Livingston. "Vista developers have [apparently] programmed in back doors to get around time restrictions for Vista activation."

Microsoft Calls it a Hack

Microsoft promptly labeled the registry change a "hack," a loaded word that is usually synonymous with "illegal."

"Recently it has been reported that an activation hack for Microsoft's Windows Vista operating system has been identified," said David Lazar, the director of the company's Genuine Windows program, in an e-mail. "Although these reports are purely speculative at the moment, we are actively monitoring attempts to steal Microsoft intellectual property."

"This is not a hack," Livingston shot back when Lazar's e-mail was read to him. "This is a documented feature of the operating system." To back up his view, Livingston pointed out links to online support documents where Microsoft spells out the pertinent registry key. Nor is it speculative; Livingston demonstrated the procedure live via a Web conference session Thursday and claimed "we have run this dozens of times."

Postpone Activation

Livingston last month revealed that a one-line command lets users postpone Vista activation up to three times. Combined with Vista's initial 30-day grace period, that meant users could run Vista for as long as 120 days before they had to activate the OS. At the time, Microsoft seemed unconcerned with the disclosure, and flatly stated that using it would not violate the Vista End User License Agreement (EULA).

"The feature that I'm revealing today shows that Microsoft has built into Vista a function that allows anyone to extend the operating system's activation deadline not just three times, but many times," Livingston said.

Microsoft documented the key on its support site in a description of what it calls "SkipRearm". In it, Microsoft explains that "rearming a computer restores the Windows system to the original licensing state. All licensing and registry data related to activation is either removed or reset. Any grace period timers are reset as well."

By changing the SkipRearm key's value from the default "0" to "1," said Livingston, the earlier-revealed "slmgr -rearm" command can be used over and over.

In tests with several editions of Vista purchased at different times, Livingston found that copies of Vista Ultimate and Vista Home Premium obtained at the end of January would accept the SkipRearm change only eight times. Together with the three postponements made possible with slmgr -rearm and the opening 30-day grace period, that would give users nearly a year (360 days) of activation-free use. A copy of Vista Home Basic bought March 14, however, ignored the SkipRearm registry change.

"Microsoft has slipstreamed something into Home Basic and Home Premium," Livingston said. "But from my reading of the support documents, Microsoft needs to keep this feature in its business editions, Vista Business, Enterprise and Ultimate. It seems that Microsoft is sympathetic to enterprises' difficulty in rolling out Vista within the activation deadlines."

Lazar did not answer several questions e-mailed to him Thursday, including one that asked why Microsoft had included the SkipRearm feature in the first place. However, he indicated that the feature could be blocked if Microsoft desired. "It is important to note that these hacks are, at best, temporary. Microsoft has systems in place to detect and block piracy."

The following describes the Registry key that's involved.
Step 1. While running a copy of Windows Vista that hasn't yet been activated, click the Start button, type regedit into the Search box, then press Enter to launch the Registry Editor.
Step 2. Explore down to the following Registry key:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SL
Step 3. Right-click the Registry key named SkipRearm and click Edit. The default is a Dword (a double word or 4 bytes) with a hex value of 00000000. Change this value to any positive integer, such as 00000001, save the change, and close the Registry Editor.
Step 4. Start a command prompt with administrative rights. The fastest way to do this is to click the Start button, enter cmd in the Search box, then press Ctrl+Shift+Enter. If you're asked for a network username and password, provide the ones that log you into your domain. You may be asked to approve a User Account Control prompt and to provide an administrator password.
Step 5. Type one of the following two commands and press Enter:
slmgr -rearm
or
rundll32 slc.dll,SLReArmWindows
Either command uses Vista's built-in Software Licensing Manager (SLMGR) to push the activation deadline out to 30 days after the command is run. Changing SkipRearm from 0 to 1 allows SLMGR to do this an indefinite number of times. Running either command initializes the value of SkipRearm back to 0.
Step 6. Reboot the PC to make the postponement take effect. (After you log in, if you like, you can open a command prompt and run the command slmgr -xpr to see Vista's new expiration date and time. I explained the slmgr command and its parameters in my Feb. 15 article.)
Step 7. To extend the activation deadline of Vista indefinitely, repeat steps 1 through 6 as necessary.
Any crooked PC seller with even the slightest technical skill could easily install a command file that would carry out steps 1 through 6 automatically. The program could run slmgr -rearm three times, 30 days apart, to postpone Vista's activation deadline to 120 days. It could then run slmgr -rearm every 30 days, for a period of months if not years, by first resetting the SkipRearm key.
The program could be scheduled to check Vista's activation deadline during every reboot, and to remind the user to reboot once a month if a deadline was nearing. The buyer of such a PC would never even see an activation reminder, much less be required to go through the activation process.
If you happen to buy a Vista PC from a little-known seller, and the price was too good to be true, use Vista's search function to look for the string SkipRearm in files. You may discover that your "bargain" computer will mysteriously start demanding activation in a year or two — but your product key won't be valid.
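
The file search suggested above can be scripted for a drive you are inspecting. This is an added example, not code from the article or from Microsoft: it looks for the strings named in the steps (SkipRearm, slmgr -rearm, SLReArmWindows) in script-like files and decodes UTF-16, the encoding regedit exports use and a plain byte search would miss. The extension list, the size limit and the sample file names are assumptions.

```python
import codecs
import os
import re
import tempfile

# Indicators come from the article's own steps: the registry value name and
# the two rearm commands. Matching is case-insensitive.
INDICATORS = {
    "SkipRearm value": re.compile(r"skiprearm", re.I),
    "slmgr rearm": re.compile(r"slmgr(\.vbs)?\b.*?[-/]rearm", re.I),
    "SLReArmWindows call": re.compile(r"slrearmwindows", re.I),
}

# Assumption: automation left behind by a seller is a small script-like file.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".reg", ".xml", ".txt"}
MAX_BYTES = 1024 * 1024  # only the first MiB of each file is read


def decode_text(raw):
    """Decode script bytes, honouring a BOM. regedit exports and Task
    Scheduler XML are UTF-16, so searching the raw bytes would miss them."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8", errors="replace")
    # UTF-16LE without a BOM: ASCII text has a NUL in every odd byte.
    if len(raw) >= 4 and raw[1:2] == b"\x00" and raw[3:4] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_file(path):
    """Return (path, line_number, indicator, line) for every matching line."""
    with open(path, "rb") as fh:
        text = decode_text(fh.read(MAX_BYTES))
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((path, lineno, name, line.strip()))
    return hits


def scan_tree(root):
    """Walk root and scan script-like files; unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCRIPT_EXTS:
                continue
            try:
                hits.extend(scan_file(os.path.join(dirpath, fname)))
            except OSError:
                continue
    return sorted(hits)


def write_constructed_samples(root):
    """Constructed test data, not files recovered from a real machine."""
    reg = ('Windows Registry Editor Version 5.00\r\n\r\n'
           '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT'
           '\\CurrentVersion\\SL]\r\n'
           '"SkipRearm"=dword:00000001\r\n')
    samples = {
        # UTF-16LE with BOM, as regedit writes its exports
        "tweak.reg": codecs.BOM_UTF16_LE + reg.encode("utf-16-le"),
        "extend.cmd": b"@echo off\r\nrem constructed sample\r\nslmgr -rearm\r\n",
        # benign: only queries the expiration date
        "check.cmd": b"slmgr -xpr\r\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_constructed_demo():
    """Scan the constructed samples; returns (file name, line, indicator)."""
    with tempfile.TemporaryDirectory() as root:
        write_constructed_samples(root)
        return [(os.path.basename(p), n, ind) for p, n, ind, _ in scan_tree(root)]


if __name__ == "__main__":
    for hit in run_constructed_demo():
        print(hit)
```

Point scan_tree at the root of the drive or mounted image you are checking; a hit is a lead to review by hand, not proof of tampering.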
I asked Microsoft why SkipRearm is included in Vista if it can be used to create machines that appear not to need activation for long periods. A Microsoft spokeswoman replied, "I connected with my colleagues and learned, unfortunately, we do not have information to share at this time." (I can't identify the speaker because the policy of Waggener Edstrom, Microsoft's public-relations firm, prohibits the naming of p.r. spokespersons.)
In my testing of Microsoft's back-door loophole, I've found that the technique can be used to postpone the activation deadline one year or longer. It may or may not, however, work forever, as I describe below.

Activation Deadline Extensions

"This is somewhat of a threat to Microsoft," Livingston said. "But the extent to what it can retroactively patch, I don't know. Maybe they will want to change this. But that would only call more attention to activation, and perhaps reveal the mechanism Vista is using to count SkipRearm."

Livingston has not been able to find where Vista stores the SkipRearm count; conceivably, that count is what restricts its use to a maximum of eight. If someone was to find the count location, however, and manage to change that as well as the SkipRearm registry key, users might be able to postpone activation forever, said Livingston.

"The problem I see with this is that unscrupulous system builders will use it [to install counterfeit copies of Vista], but that Vista will start demanding activation a year or more out, when the guy is long gone with your money," said Livingston. "And then the activation key wouldn't work, because he would have used it on hundreds or even thousands of systems and Microsoft would have blocked it."
Background

Microsoft introduced product activation in 2001's Office XP and also used it in that year's Windows XP. Activation was toughened up for Vista, however; after the grace period, nonactivated PCs running Vista drop into what Microsoft calls "reduced functionality" mode. In reduced mode, users can only browse the Web with Internet Explorer, and then only for an hour before being forced to again log on.

Livingston's work-around, however, may do away with activation altogether. "[Activation] has become so convoluted, the way Microsoft has implemented it, that it's more of an irritation to legitimate users than a worthwhile antipiracy measure," Livingston concluded.

Naturally, Microsoft's Lazar sees it differently. "The new anti-piracy technologies in Windows Vista are designed to protect customers and prevent the software from working correctly when it is not genuine and properly licensed," he said. "Systems utilizing these hacks will not provide the benefits of genuine Windows, nor will they work as expected."

Computer Works

How To Download From Multiply

A way to download from Multiply has now been revealed!!!

First, browse for the song that you are looking for as usual.
Then, you can find it in the song list. Play that playlist (use the option already given there). Use Winamp to play it.
Right-click on the file that you want to download, then choose View File Info. Copy the link shown at the top of the new window (the View File Info window). Paste that link into your internet browser and start downloading.

You can also use Notepad or EditPlus to reveal the link of the song, but you can't be sure which one it is.

Enjoy your music !!

Sunday, January 13, 2008

How To Get 4 Desktop In Your Computer

If you want 4 desktops that you can rotate, check this out!

Open Google, then search for "YODM" and choose the first result (YODM 3D Free Download). Open the site and download the program.

After you install it, you can customize your computer with 4 rotatable desktops.

Enjoy it !

Friday, January 11, 2008

Windows Short Keys

Alt + Tab: Switch quickly between open applications.
Alt + Shift + Tab: Switch backwards between open applications.
Ctrl + Esc: Bring up Start button.
Alt + Esc: Switch between open applications on taskbar.
F2: Renames selected file or icon.
F3: Starts Find option.
F4: Opens the drive selection when browsing.
F5: Refresh contents.
Alt + F4 or Ctrl + w: Closes current open program or window.
Ctrl + F4: Closes a window in program.
Alt + Enter: Opens properties window of selected icon or program.
Shift + F10: Simulates right click on selected item.
Shift + Del: Permanently deletes a file without moving it to Recycle Bin.
Holding Shift: Boot safe mode or bypass system files.
Holding Shift: When putting in an audio CD, will prevent CD Player from playing.
Ctrl + Alt + Delete: Brings up task manager in Windows. (Use this option when a program stops running and you need to close it.)
Windows Key* + m: Minimizes all windows.

Basic Short Keys

BASIC SHORTCUT KEYS

Alt + F: File menu options in current program.
Alt + E: Edit options in current program.
F1: Universal Help in 90% of Windows programs.
Ctrl + A*: Select all text.
Ctrl + X*: Cut selected item.
Shift + Del: Cut selected item.
Ctrl + C*: Copy selected item.
Ctrl + Ins: Copy selected item.
Ctrl + V*: Paste.
Ctrl + F: Find (or Find and Replace) dialogue box will pop up. Use this to search a document or web page for a specific word or phrase.
Shift + Ins: Paste.
Home: Goes to beginning of current line.
Ctrl + Home: Goes to beginning of document.
End: Goes to end of current line.
Ctrl + End: Goes to end of document.
Shift + Home: Highlights from current position to beginning of line.
Shift + End: Highlights from current position to end of line.
Ctrl + Left arrow: Moves one word to the left at a time.
Ctrl + Right arrow: Moves one word to the right at a time.
Ctrl + Backspace: Delete word to the left of cursor.
Ctrl + Del: Delete word to the right of cursor.

What I Should Do If My Computer is Slow

*Empty Your Recycle Bin Regularly*

One important thing to remember is to empty your recycle bin/garbage can. Whenever you delete a file, it isn't actually deleted. It's stored in your recycle bin and saved in short term memory, using up RAM that your programs may need to run efficiently.

*Clean Unneeded Files Using the Windows Disk Cleanup Accessory*

Use the accessory that comes with most Windows operating systems called "Disk Cleanup". Go to the Start Button menu, choose Programs (or All Programs), Accessories, System Tools, Disk Cleanup. This program will delete Temporary Internet Files, Downloaded Programs (which may have been installed, but the original downloaded file that is no longer needed is still taking up space), the Recycle Bin (garbage can), and Temporary files (files the computer saves automatically during some task, but which are not needed anymore). As you highlight each one, it will give you a quick explanation.

*Check For Operating System Critical Updates*

Verify manually that your operating system doesn't have any critical updates that need to be applied. Go to http://windowsupdate.microsoft.com and check for updates. Do this even if you think you have set your computer to apply updates automatically. This is a checkup, remember? You are doing it to make sure that nothing is wrong and one thing that could go wrong is your setting for automatic updates. This site automatically looks at your computer and then suggests high priority and optional updates specific to your operating system and your computer.

*Check Your Antivirus Software*

Check your antivirus software. Usually you can do that by clicking, double clicking, or right clicking on the little icon in the task tray. Check the date of the last virus definition file. If it has a red exclamation mark next to it, it is definitely out of date. Also, if it isn't recent (within the last week), you probably don't have automatic updates turned on and should turn this feature on. (Automatic updates will update your virus definitions every time you connect to the Internet. Virus definitions are the files used by your antivirus software to prevent viruses.) Don't have antivirus software? Well then get some! Invest in some sort of antivirus program like Norton Antivirus or McAfee VirusScan and update it regularly to prevent future problems and worries. A free and quick virus scan tool put out by McAfee is Stinger (http://vil.nai.com/vil/stinger/). It will help with certain of the most common virus types and is free. However, they still recommend getting a full virus scan program.

*Run Defrag Regularly- especially after deleting lots of files.*

Defrag is a command that reorganizes your files. It has the same effect as reorganizing your closet to use the space more efficiently after getting rid of a bunch of old things. Files are saved by the computer by breaking them down into little pieces (bytes) and saving these in lots of locations on your hard drive. When you delete files it leaves lots of little holes that aren't always used again. By running defrag you are pushing all the data together to fill in these holes, leaving more big empty spaces to fill later. This helps your computer run more efficiently as well, because these big empty spaces are utilized whenever a task takes more memory than you have in RAM (short term storage).

Before you begin Defrag, close all open programs, including e-mail, files, etc. and turn off your screensaver (click once on your desktop anywhere there are no icons, choose Properties, click on the Screen Saver tab, and click on the drop down arrow and choose None).

How To Search Application Crack Using Google

For example, if you want to search for a crack for Corel Draw X3,
type "crack: corel draw X3".

After that you will see the list of results of your search.
Easy, right?

Sunday, January 6, 2008

Beat back that Trojan horse

Like its mythical namesake (dramatized in Lego), whatever crawls out of a digital Trojan horse will be a nasty surprise. A Trojan horse usually takes the form of an innocuous software program that unleashes a flood of malware or viruses after it's installed and run. Since attacks and ease of removal vary--an ad generator is easier to remove than a stealth rootkit--there's no one-size-fits-all solution. However, there are some common techniques for picking your way through the wreckage.

Reboot Windows in Safe Mode


What is Safe Mode?

Safe Mode is a diet version of the Standard Mode of Windows that your computer ordinarily runs. Rebooting in Safe Mode loads minimal programs and disables most device drivers that manage hardware like CD drives and printers. The result is a more stable iteration of the Windows operating system that's better suited for disabling malware while you perform a system scan.

How do you use it?

If you can, follow the necessary steps for a safe shutdown process and then reboot. When you restart Windows, as the screen begins to load, press F8 repeatedly until the Windows booting options appear. Select "Boot in Safe Mode" from the menu of options. Once in Safe Mode, you should be able to run your installed antispyware software with less interference from the malicious software that the Trojan brought onto your system.

System Restore


What is System Restore?

System Restore strings out a safety net if everything goes kaput. Under default Windows settings, System Restore saves a snapshot of your computer configuration once a day and on major upgrades that can be used to replace corrupted files. In the event of a Trojan attack, System Restore can revert Windows to a previous, uninfected state. It won't restore everything, like changes to your user profile, but it does reinstate biggies like your Registry and DLL cache.

When do you use it?

When purging your computer of spyware, System Restore has an optimal time and place. You wouldn't want your computer including corrupted files as the reference point of the day, so it's important to disable System Restore before you start cleaning. You can reactivate it once your system is spick-and-span.

How do you use it?

The paths for accessing System Restore differ by operating system. In Windows XP, disable System Restore by right-clicking My Computer and selecting Properties. Under the Performance tab, select File System, then the Troubleshooting tab, and finally check Disable System Restore. You'll be prompted to reboot. Follow these steps to uncheck the box before restoring your system.

To use System Restore after scrubbing your computer, choose Accessories from the program list in the Start menu. You'll find System Restore under System Tools.

This comprehensive article from TechRepublic demonstrates how to create and use System Restore in Windows Vista.

Scan with antivirus/antispyware apps


Downloading diagnostic and removal tools with an infected computer is a huge time sink--spyware can cripple your speed and Internet access. The Trojan's payload could prevent EXE files from downloading or launching. Also, malware can affect the performance of installed security software on your PC. If you store your antivirus/antispyware programs on a CD or flash drive, however, those malware-busting apps can commence their swashbuckling unhindered.

Advanced users can save some time by creating a bootable DOS virus scanner that runs off a flash drive (tutorial from Ask the Geek).

Which antivirus software should you get?

Some of our favorite intrusion-repellants include Kaspersky Anti-Virus 6, which is worth the price (full review); Webroot SpySweeper and Spyware Doctor (the free versions identify but don't remove malware); AdAware and SpyCatcher Express (free spyware removal); and HijackThis (aggressive diagnostic tool). While none of these are Vista-compatible yet, Kaspersky and Ad-Aware plan to release Vista-ready updates in 2007.

HijackThis is a powerful tool that monitors the critical areas of your computer for any significant changes. Many forums administrators will want to analyze your HijackThis log before recommending a removal plan. However, the program requires a bit of learning before you can use it effectively. You'll want to read our HijackThis tutorial before getting started.

Disk reformatting


What is it?

Unlike a system restore, which rolls your operating system back to a previous configuration, disk reformatting requires you to reinstall Windows, plus all your data and applications, from scratch. This method is used to disable malware by overwriting corrupted files, replacing them with the default operating system.

Disk reformatting is a time-consuming measure, and one we at CNET Download.com recommend you try after scanning and restoring your system.

How do you reformat your hard disk?

There are several ways to overwrite the operating system, some more complex than others. Start by backing up irreplaceable files; when they're gone, they're gone. The most traditional way to reformat the hard disk is by using a boot disk or boot CD to work around your troubled operating system and load into DOS. From there you can use a combination of command prompts (like C> format) and DOS formatting tools like Fdisk and DELpart to reinstate a clean operating system. Many of these tools will delete corrupted files from the hard disk, so they will no longer be recoverable. This useful thread on CNET's forums explores some step-by-step reformatting options.

BootDisk.com provides free disk information for the gamut of Windows operating systems ("W2K" denotes Windows 2000.) Click on "DOS — Windows 9X/NT4/2000/XP Excellent Bootdisks," and then download the "custom" version of your operating system where possible. Apps like Nero and Roxio (free trials) are convenient for quickly setting up the requisite boot CD from the EXE boot file. You'll want to make sure your BIOS is set to read off the CD drive before you begin reformatting. If you've never worked with BIOS and DOS before, we recommend that you get help from someone with advanced knowledge.

For a less thorough workaround, you can try reinstalling the operating system. It's a simpler approach than reformatting with DOS, but it may not be able to disable fierce malware, such as a well-developed rootkit. Begin by feeding the original installation disk for your operating system into the CD-ROM. Choose to overwrite if you're given the option, but don't choose to make repairs.

Virus History Summary

Narrative histories of the early years by Dr. Alan Solomon and Robert M. Slade are available. Below is an expanded summary.
1981 - The First Virus In The Wild

As described in Robert Slade's history, the first virus in the wild actually predated the experimental work that defined current-day viruses. It was spread on Apple II floppy disks (which contained the operating system) and reputed to have spread from Texas A&M. [Side note: Thanks to a pointer from anti-virus pioneer Fridrik Skulason we know the virus was named Elk Cloner and displayed a little rhyme on the screen:

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

For more info on Elk Cloner see http://www.skrenta.com/cloner/ ]
1983 - The First Documented Experimental Virus

Fred Cohen's seminal paper Computer Viruses - Theory and Experiments from 1984 defines a computer virus and describes the experiments he and others performed to prove that the concept of a computer virus was viable. From the paper...

On November 3, 1983, the first virus was conceived of as an experiment to be presented at a weekly seminar on computer security. The concept was first introduced in this seminar by the author, and the name 'virus' was thought of by Len Adleman. After 8 hours of expert work on a heavily loaded VAX 11/750 system running Unix, the first virus was completed and ready for demonstration. Within a week, permission was obtained to perform experiments, and 5 experiments were performed. On November 10, the virus was demonstrated to the security seminar.

1986 - Brain, PC-Write Trojan, & Virdem

The common story is that two brothers from Pakistan analyzed the boot sector of a floppy disk and developed a method of infecting it with a virus dubbed "Brain" (the origin is generally accepted but not absolutely). Because it spread widely on the popular MS-DOS PC system this is typically called the first computer virus; even though it was predated by Cohen's experiments and the Apple II virus. That same year the first PC-based Trojan was released in the form of the popular shareware program PC-Write. Some reports say Virdem was also found this year; it is often called the first file virus.
1987 - File Infectors, Lehigh, & Christmas Worm

The first file viruses started to appear. Most concentrated on COM files; COMMAND.COM in particular. The first of these to infect COMMAND.COM is typically reported to be the Lehigh virus. At this time other work was done to create the first EXE infector: Suriv-02 (Suriv = Virus backward). (This virus evolved into the Jerusalem virus.) A fast-spreading (500,000 replications per hour) worm hit IBM mainframes during this year: the IBM Christmas Worm.
1988 - MacMag, Scores, & Internet Worm

MacMag, a Hypercard stack virus on the Macintosh, is generally considered the first Macintosh virus, and the Scores virus was the source of the first major Macintosh outbreak. The Internet Worm (Robert Morris' creation in November) caused the first Internet crisis and shut down many computers. CERT was created to respond to such attacks.
1989 - AIDS Trojan

This Trojan is famous for holding data hostage. The Trojan was sent out under the guise of an AIDS information program. When run it encrypted the user's hard drive and demanded payment for the decryption key.
1990 - VX BBS & Little Black Book (AT&T Attack)

The first virus exchange (VX) BBS went online in Bulgaria. Here virus authors could trade code and exchange ideas. Also, in 1990, Mark Ludwig's book on virus writing (The Little Black Book of Computer Viruses) was published. While there is no proof, hackers are suspected of taking down the AT&T long-distance switching system.
1991 - Tequila

Tequila was the first polymorphic virus; it came out of Switzerland and changed itself in an attempt to avoid detection.
1992 - Michelangelo, DAME, & VCL

Michelangelo was the first media darling. A worldwide alert went out with claims of massive damage predicted. Actually, little happened. The same year the Dark Avenger Mutation Engine (DAME) became the first toolkit that could be used to turn any virus into a polymorphic virus. Also that year the Virus Creation Laboratory (VCL) became the first actual virus creation kit. It had pull-down menus and selectable payloads (though it's reported to not have worked very well).
1993 - Stealth_boot PMBS

Stealth_boot PMBS used a unique technique to operate. You caught it by booting from an infected floppy disk. Once installed, Stealth_Boot would install itself in extended memory, switch the computer into protected mode, and then run a virtual V86 machine which DOS and programs would use. Basically, the virus existed between the operating system and the hardware.
1995 - Year of the Hacker

Hackers attacked Griffith Air Force Base, the Korean Atomic Research Institute, NASA, Goddard Space Flight Center, and the Jet Propulsion Laboratory. GE, IBM, Pipeline and other companies were all hit by the "Internet Liberation Front" on Thanksgiving.
1995 - Concept

The first macro virus to attack Word, Concept, is developed.
1996 - Boza, Laroux, & Staog

Boza is the first virus designed specifically for Windows 95 files. Laroux is the first Excel macro virus. And, Staog is the first Linux virus (written by the same group that wrote Boza).
1998 - Strange Brew & Back Orifice; JetDB

Strange Brew is the first Java virus. Back Orifice is the first Trojan designed to be a remote administration tool that allows others to take over a remote computer via the Internet. Access macro viruses start to appear (JetDB).
1999 - Melissa, Corner, Win95.SK, Tristate, Infis, & Bubbleboy

Melissa is the first combination Word macro virus and worm to use the Outlook and Outlook Express address book to send itself to others via E-mail. It arrived in March. Corner is the first virus to infect MS Project files. Win95.SK, in April 1999, is believed to be the first viral HLP file infector. Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files. Infis installs itself as an NT driver and then takes over some undocumented functions. Bubbleboy is the first worm that would activate when a user simply opened an E-mail message in Microsoft Outlook (or previewed the message in Outlook Express). No attachment necessary. Bubbleboy was the proof of concept; Kak spread widely using this technique.
2000 - DDoS, Love Letter, Timofonica, Liberty (Palm), Stream, & Pirus

The first major distributed denial of service attacks shut down major sites such as Yahoo!, Amazon.com, and others. In May the Love Letter worm became the fastest-spreading worm (to that time); shutting down E-mail systems around the world. June 2000 saw the first attack against a telephone system. The Visual Basic Script worm Timofonica tries to send messages to Internet-enabled phones in the Spanish telephone network (later in 2000 another Trojan attacked the Japanese emergency phone system). August 2000 saw the first Trojan developed for the Palm PDA. Called Liberty and developed by Aaron Ardiri the co-developer of the Palm Game Boy emulator Liberty, the Trojan was developed as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. When it was accidentally released to the wider public Ardiri helped contain its spread. Stream became the first proof of concept NTFS Alternate Data Stream (ADS) virus in early September. As a proof of concept, Stream has not circulated in the wild (as of this writing) but as in all such cases a circulating virus based on the model is expected. Pirus is another proof of concept for malware written in the PHP scripting language. It attempts to add itself to HTML or PHP files. Pirus was discovered 9 Nov 2000.
2001 - Gnuman, Winux Windows/Linux Virus, LogoLogic-A Worm, AplS/Simpsons Worm, PeachyPDF-A, Nimda

Gnuman (Mandragore) showed up the end of February. This worm cloaked itself from the Gnutella file-sharing system (the first to specifically attack a peer-to-peer communications system) and pretended to be an MP3 file to download. In March a proof of concept virus designed to infect both Windows and Linux (and cross between them) was released. Winux (or Lindose depending on who you talk to) is buggy and reported to have come from the Czech Republic. On 9 April a proof of concept Logo Worm was released which attacked the Logotron SuperLogo language. The LogoLogic-A worm spreads via MIRC chat and E-mail. May saw the first AppleScript worm. It uses Outlook Express or Entourage on the Macintosh to spread via E-mail to address book entries. Early August, the PeachyPDF-A worm became the first to spread using Adobe's PDF software. Only the full version, not the free PDF reader, was capable of spreading the worm so it did not go far. September, the Nimda worm demonstrated significant flexibility in its ability to spread and used several firsts. While not new in concept, a couple of worms created a fair amount of havoc during the year: Sircam (July), CodeRed (July & August), and BadTrans (November & December).
2002 - LFM-926, Donut, Sharp-A, SQLSpider, Benjamin, Perrun, Scalper

Early in January LFM-926 showed up as the first virus to infect Shockwave Flash (.SWF) files. It was named for the message it displays while it's infecting: "Loading.Flash.Movie...". It drops a Debug script that produces a .COM file which infects other .SWF files. Also in early January Donut showed up as the first worm directed at .NET services. In March, the first native .NET worm written in C#, Sharp-A was announced. Sharp-A was also unique in that it was one of the few malware programs reportedly written by a woman. Late May the Javascript worm SQLSpider was released. It was unique in that it attacked installations running Microsoft SQL Server (and programs that use SQL Server technology). Also in late May Benjamin appeared. Benjamin is unique in that it uses the KaZaa peer-to-peer network to spread. Mid-June the press went wild over the proof-of-concept Perrun virus because a portion of the virus attached itself to JPEG image files. Despite the hype, JPEG files are still safe as you must have a stripper program running on your system in order to strip the virus file off the image file (see 2004 for another JPEG attack). On 28 June the Scalper worm was discovered attacking FreeBSD/Apache Web servers. The worm is designed to set up a flood net (stable of zombies which could be used to overwhelm one or more systems).
2003 - Sobig, Slammer, Lovgate, Fizzer, Blaster/Welchia/Mimail

Sobig, a worm that carried its own SMTP mail program and used Windows network shares to spread started the year. Sobig variants continued to multiply throughout the year. Slammer, exploiting vulnerabilities in Microsoft's SQL 2000 servers, hit Super Bowl weekend. Its spreading technique worked so well that for some period of time all of South Korea was effectively eliminated from the Internet (obscured). It received significant media coverage. The unique entry that February saw was Lovgate. This was unique as it was a combination of a Trojan and a worm; two pieces of malware that generally don't get combined. Starting in early May Fizzer spread via usual E-mail methods but also used the KaZaa peer-to-peer network to spread. While generally not unique types, August is (in)famous for a combination of Sobig.F, Blaster (also known as Lovsan and MSBlast), Welchia (or Nachi), and Mimail; all spreading rapidly through a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. 2003 also saw what appeared to be a use of worm-like techniques used in the spreading of spam. Sobig dropped a component that could later be used by spammers to send mail through infected machines. The social engineering techniques used by virus/worm writers improved dramatically as well. Some of the malware this year was accompanied by very realistic graphics and links in an attempt to make you think the mail actually came from the likes of Microsoft or Paypal.
2004 - Trojan.Xombe, Randex, Bizex, Witty, MP3Concept, Sasser, Mac OS X, W64.Rugrat.3344, Symb/Cabir-A, JS/Scob-A, WCE/Duts-A, W32/Amus-A, WinCE/Brador-A, JPEG Weakness, SH/Renepo-A, Bofra/IFrame, Santy

Year 2004 started where 2003 left off with social engineering taking the lead in propagation techniques. Trojan.Xombe was sent out to a wide audience. It posed as a message from Microsoft Windows Update asking you to run the attached revision to XP Service Pack 1. (This, and like messages that "phish" for personal information, are expected to take a lead role in 2004 -- and, yes, phish is the correct term for a message designed to "fish" for personal information; the technique is called phishing.) In February it was demonstrated that virus writers were starting to ply their craft for money. A German magazine managed to buy a list of infected IP addresses from a distributor of the virus Randex. These IP addresses were for sale to spammers who could use the infected machines as mail zombies. The end of February saw Bizex go after ICQ users through an HTML link that downloaded an infected SCM (Sound Compressed Sound Scheme) file. The weekend of 20/21 March introduced Witty, the first worm to attack security software directly (some Internet Security Systems' RealSecure, Proventia and BlackICE versions). The worm was malicious in that it erased portions of the hard drive while sending itself out. A Mac OS X scare in the form of MP3Concept was announced 8 April. Said to be a benign Trojan, MP3Concept turned out to be nothing more than a bad proof-of-concept that never made it into the wild. The end of April saw the Sasser worm which is the first to effectively use the LSASS Windows vulnerability; a vulnerability that allowed the worm to spread via an open FTP port instead of through E-mail (even though Microsoft had already issued a patch for the vulnerability -- yet another example of people not paying attention to operating system security updates). Toward the end of May Apple issued critical patches to OS X when a vulnerability that could spread via E-mail and mal-formed Web pages was found. 
The vulnerability would allow AppleScript scripts to run unchecked; even to the point of deleting the home directory. The proof-of-concept Worm W64.Rugrat.3344 showed up the end of May. This is claimed to be the first malware that specifically attacks 64-bit Windows files only (it ignores 32-bit and 16-bit files). It was created using IA64 (Intel Architecture) assembly code. In June Symb/Cabir-A appeared to infect Nokia Series 60 mobile phones. The worm is designed to spread to nearby Bluetooth-enabled devices. JS/Scob-A appeared in the last half of June. It was special in that it used Javascript to infect Microsoft's IIS Server HTML files through an unpatched vulnerability. Users visiting infected sites were then infected via a download from a Russian site (which was quickly closed down) using an unpatched vulnerability in the IE browser. Mid-July WCE/Duts-A showed up. This was another crude proof-of-concept virus relating to the PocketPC. The virus writer was apparently trying for attention as this text is in the virus: "This is proof of concept code. Also, i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR file had to end ..." Early September saw W32/Amus-A show up. The only thing that qualified this beast to even be mentioned here was that it uses the Microsoft Speech engine in Windows to read out loud: "hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." where "Gule" is Turkish for "Bye" and "Hamsi" is a small fish found in the Black Sea. August saw WinCE/Brador-A, a backdoor for PocketPC devices. On 14 September that paragon of virus-free file type, the JPEG image, came under attack. To be accurate, the image file itself is not so much to blame as a Microsoft common .DLL file that processes the image file type and has a buffer overrun error that could allow someone to add malicious code to a JPEG image which can then open holes in an attacked system. 
Shortly after, some Trojan exploits started to appear. In Mid-October SH/Renepo-A showed up on Macintosh OS X systems. This is a shell script worm that installs itself to /System/Library/StartupItems and other sites and can make files on the system vulnerable to further exploitation. Bofra/IFrame made history over the 20/21 November weekend by becoming the first malware to be placed into Internet ads. It is a MyDoom variant that made its way into AdSolution ad serving software. A hacker broke into the system and inserted the malware into served ads until it was noticed and shut down after about 12 hours. Just before Christmas the Santy worm showed up. The unique thing about this beast was that it used Google to find its victims. The worm used a phpBB vulnerability to deface vulnerable sites running that popular bulletin board software and queried Google to find the sites. The worm was of no danger to users of the sites; it just defaced the sites.
2005 - Bropia, Troj/BankAsh, Commwarrior, Chod, PSPBrick, DSTahen, MSIL/Idonus, Troj/Stinx-E

In 2005 the end of January saw the Bropia Worm which targets MSN Messenger for spreading. A bit later the "F" version of this worm became popular because of the sexy.jpg file that spread with it. The 9th of February then saw Troj/BankAsh, the first Trojan to attack the new (still in beta) Microsoft AntiSpyware product. This Trojan also was reported to go after various British on-line banking services. The start of March saw distribution of another mobile phone worm: Commwarrior, which spread via MMS messaging. The end of March/start of April saw variants of Chod appear. This is a sophisticated worm that spreads via E-mail and the MSN Messaging client. Its messages are very close to what a real user would send and, for the first time, attempts to spoof the return address as being from an anti-virus company (Trend or Symantec, and Microsoft, although coming from Microsoft has been a social engineering ploy for some time now). 6 Oct brought the first Playstation Portable Trojan, PSPBrick. This malware does not spread by itself but comes disguised as a MOD for the PSP. When placed on the PSP the MOD erases a number of system files that prevent the PSP from being restarted and basically turns it into a brick; thus the name. And, not to be outdone, on 12 Oct the Trojan DSTahen showed up which basically does the same thing for the Nintendo DS system. Install the Trojan and you end up with a brick. 14 Oct saw MSIL/Idonus which the maker wanted to be the first Vista virus but because it uses .NET 2.0 and other systems that can be installed on earlier operating systems it wasn't; but it is unique nonetheless. The 10th of November Troj/Stinx-E Trojan horse appeared with a trick that hid itself beneath the Sony DRM software on systems with that software installed. The DRM software is designed to protect copyrighted audio but, in hiding itself, it provided an opportunity for malware to hide behind that software in the hope to avoid detection. 
Not something new but just to note that during the year Creative Labs shipped 3,700 Zen MP3 players carrying the Wullik-B virus.
2006 - OSX/Leap-A, OSX/Inqtana.A, Redbrowser.A, Icabdi.A, SubVirt, Bagoly, Yhoo32.explr, Stardust.A, Yamanner.A, W32.Chamb, OSX/Macarena, Grey Goo Attack, iAdware, JS/Quickspace.A

The first beast of 2006 that uses a previously unused attack vector appeared mid-February. OSX/Leap-A attacks the Macintosh OS/X system instead of Windows. The worm spreads via the iChat instant messaging system, forwarding itself as a file called LATESTPICS.TGZ to contacts on the infected users' buddy list. The executable inside is disguised by a JPEG image icon to trick people into clicking on the executable file. The very next day (17 Feb) another new Mac worm appeared: OSX/Inqtana.A. This is a proof-of-concept worm that uses a Bluetooth OBEX Push transfer to move between machines. 28 Feb saw Redbrowser.A. While a Trojan, this appears to be the first J2ME (Java 2 Mobile Edition) malware and the first mobile malware that tries to steal money. Initial releases targeted only Russian users. On 7 March Icabdi.A became the first virus to infect a Microsoft Infopath .XSN file. As usual with firsts, this was a proof-of-concept beast that is a Trojan dropper. Mid-March Microsoft, of all people, along with the University of Michigan developed the proof-of-concept SubVirt rootkit. SubVirt would live as a virtualization layer between the hardware and the "real" operating system and present its own operating system to the user; effectively taking over the computer. They developed the software to better understand how to attack their own software in order to better defend it [eWeek article]. On 22 April f-secure announced a proof of concept virus called Bagoly that infects MATLAB m-file source files. The code is prepended to the start of the m-file. Around 19 May a unique Yahoo! IM malware called yhoo32.explr appeared. The unique thing this beast does is to install its own Web browser (called "Safety Browser") which has an icon that looks like IE. This browser takes people to sites that load the system with other malware. The end of May a proof of concept macro virus called Stardust.A appeared. 
The unique thing about this macro virus was that it was directed toward attacking StarOffice/OpenOffice documents instead of Word documents. This is the first known attack on this alternate office suite. The 12th of June the Yamanner.A Javascript worm appeared as the first known exploit of the Yahoo! E-mail system. This was a zero-day exploit of the Yahoo! system and the worm spread automatically if you simply opened an infected message using Internet Explorer. No attachment was necessary. August 1st Symantec reported the appearance of W32.Chamb, a proof of concept infector of .CHM help files. 31 October saw the appearance of OSX/Macarena, the first infector of Macintosh OS X Mach-O files. Macarena was able to directly infect the program code and did not need to rely on a resource fork like Leap before it. Around 19 November a bunch of self-replicators appeared in Second Life, the multiplayer game. These were rings scripted with the Linden Scripting Language and, in general, called a Grey Goo attack. Late November saw the introduction of iAdware, the first spyware program for Mac OS X. It was proof-of-concept but indicates some attention is being given to the Macintosh platform. On 2 December there were reports of a Quicktime exploit affecting Myspace profiles. Called JS/Quickspace.A, the infected MOV file contains Javascript that will download a Javascript file which will modify your Myspace profile so that all who visit your Myspace profile will get infected as well. Of interest, but maybe not really historic, in November Spybot.ACYR showed up to exploit Symantec's Anti-Virus program. It used a hole discovered and patched some six months earlier but still managed to spread via careless users and other methods built into the malware. 
The distribution of malware with products continued into 2006 when McDonald's in Japan gave out MP3 players containing the QQpass spyware Trojan and Apple sent out some video iPods with the RavMonE.exe virus on them. Google also distributed some E-mails to the Google Video Blog group containing W32/Kapser.A@mm; a mass mailing worm. Finally, on 29 December an unnamed proof-of-concept exploit against region tags in MMS SMIL which are vulnerable to buffer overflow causing arbitrary code execution was published. The IPAQ 6315 and i-mate PDA2k are affected and it's unknown if patches are available at the time of this writing.
2007 - Agent.BKY, iPod Linux Virus, TI.Tigraa.a, SB.Badbunny, WH/Vred.A, Zhelatin/Storm, IM-Worm:W32/Skipi.A, MSN Trojan

March 30th brought an animated cursor vulnerability which, two days later, was exploited by the Trojan downloader worm Agent.BKY. This beast infects HTML and other similar files and these, when viewed, download other malicious software. April 5th brought the announcement of a proof-of-concept (very buggy and unnamed) virus for the iPod; specifically for the iPod Linux operating system. On 29 May Viruslist.com posted the proof of concept TI.Tigraa.a memory resident 492 byte Trojan for the TI-89 graphing calculator line. It won't spread but introduces another device to malware. SB.Badbunny was reported out by Symantec on 7 June. The thing that makes this beast interesting is the fact that it spreads over multiple operating systems (including the Macintosh) using multiple languages (JavaScript on Windows, Ruby on the Mac, and Python on Linux) and OpenOffice macros while it attempts to spread via Instant Messaging. The middle of June F-Secure announced WH/Vred.A which is a proof-of-concept virus infecting WinHex scripts; the first to do so. While not new, the social engineering of the Zhelatin/Storm Trojan series was quite effective. As an example, in August the gang started sending messages indicating the receiver had applied to various sites and their temporary login name/password were included along with a link. At the link the well-designed page said a sign-in applet had to be downloaded. That applet contained the Trojan which then infected the machine. The messages were quite convincing to many. September saw the introduction of a Skype worm called IM-Worm:W32/Skipi.A. It spread via Skype's instant messaging and pointed people to what looked like a JPEG image but, instead, was a page with a malicious automatic download and just an image from a standard Windows screensaver. October saw a number of Trojan exploits of a PDF vulnerability. 
While a patch was available for the vulnerability, many were affected because they did not update their PDF reading software and Microsoft delayed getting a Windows patch out. November 18th a new MSN IM Trojan surfaced which was unique in its scan for VNC (Virtual Network Computing) instances. In December a Trojan that hijacks Google ads on Web pages was reported. One example would be Trojan.Qhost.WU. The Trojan is not on the Website but, instead, on your computer and intercepts requests for Google ads and serves ads from other sources where the Trojan writer can get the income. It's also possible the sites directed to will also contain malware to further infect your computer.

How Viruses Infect (2)

Multipartite Virus

Some viruses can be all things to all machines. Depending on what needs to be infected, they can infect system sectors or they can infect files. These rather universal viruses are termed multipartite (multi-part).
Sometimes the multipartite virus drops a system sector infector; other times a system sector infector might also infect files.
Multipartite viruses are particularly nasty because of the number of ways they can spread. Fortunately, a good one is hard to write.

Summary

• Multipartite viruses have dual capabilities and typically infect both system sectors and files.

Spacefiller (Cavity) Virus

Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.
A spacefiller (cavity) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A spacefiller virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a spacefiller virus.
Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare...however... A new Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this new file format. There will likely be more.
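Seen from the defender's side, the gaps described above can be checked. The following Python sketch is an added example, not code from the original page: it parses the PE section table and flags section padding that contains non-zero bytes, where padding is usually zero-filled. The sample image is constructed for the demonstration and is not a loadable program; packers and unusual linkers can produce benign hits, so a finding is a lead to investigate, not a verdict.

```python
import struct

COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def section_slack(pe: bytes):
    """Return (name, file_offset, length) for the unused tail of each section.

    On disk a section occupies SizeOfRawData bytes (rounded up to the file
    alignment) but only VirtualSize bytes are meaningful; the rest is padding.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, n_sections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(pe, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER.size + opt_size
    gaps = []
    for i in range(n_sections):
        name, vsize, _, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            pe, table + i * SECTION_HEADER.size)
        # VirtualSize 0 (some old linkers) or no raw data: nothing to measure.
        if vsize == 0 or raw_ptr == 0 or vsize >= raw_size:
            continue
        start, end = raw_ptr + vsize, min(raw_ptr + raw_size, len(pe))
        if start < end:
            label = name.rstrip(b"\0").decode("ascii", "replace")
            gaps.append((label, start, end - start))
    return gaps


def nonzero_slack(pe: bytes):
    """Return (name, offset, length, nonzero_bytes) for padding that is not empty."""
    findings = []
    for name, offset, length in section_slack(pe):
        used = sum(1 for b in pe[offset:offset + length] if b)
        if used:
            findings.append((name, offset, length, used))
    return findings


def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed minimal image: one .text section, 0x200 raw bytes, 0x40 used.

    slack_fill stands in for foreign bytes written into the padding.
    """
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = COFF_HEADER.pack(0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic only
    text = SECTION_HEADER.pack(b".text", 0x40, 0x1000, 0x200, 0x200,
                               0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + text).ljust(0x200, b"\0")
    code = b"\xCC" * 0x40                                     # placeholder code bytes
    padding = slack_fill.ljust(0x200 - 0x40, b"\0")
    return headers + code + padding


if __name__ == "__main__":
    clean = build_sample()
    tampered = build_sample(b"\x41" * 100)
    print("file length unchanged:", len(clean) == len(tampered))
    print("clean   :", nonzero_slack(clean))
    print("tampered:", nonzero_slack(tampered))
```

Both sample files have the same length, which is the property the text describes: a length check alone does not notice content placed in the padding.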

Summary

• A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting.
• In the past this was difficult to do properly, but new file formats make it easier.

Tunneling Virus

One method of virus detection is an interception program which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunneling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus. This might cause an interrupt war between the anti-virus program and the virus and result in problems on your system.

Some anti-virus programs also use tunneling techniques to bypass any viruses that might be active in memory when they load.

Summary

* A tunneling virus attempts to bypass activity monitor anti-virus programs by following the interrupt chain back down to the basic DOS or BIOS interrupt handlers and then installing itself.

Camouflage Virus

You don't hear much about this type of virus. Fortunately it is rare and, because of the way anti-virus programs have evolved, is unlikely to occur in the future.

When anti-virus scanners were based completely on signatures there was always the possibility of a false alarm when the signature was found in some uninfected file (a statistical possibility). Further, with several scanners circulating, each had its own signature database, and one product's files, when scanned by another product, might indicate infection where there was none simply because they included the virus identification string. If this happened often, the public would get understandably annoyed (and frightened). In response, a scanner might therefore implement logic that, under the right circumstances, would ignore a virus signature and not issue an alarm.

While this "skip it" logic would stop the false alarms, it opened a door for virus writers to attempt to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for and thus have the anti-virus program ignore that particular virus. Fortunately, this never became a serious threat; but the possibility existed.

Today's scanners do much more than simply look for a virus signature string. In order to identify the specific virus variant they also check the virus code and even checksum the virus code to identify it. With these cross-checks it would be extremely difficult for a virus to camouflage itself and spoof a scanner.
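The difference between the three approaches discussed above can be shown with a small Python sketch. This is an added example, not code from the original page or from any anti-virus product: the signature string, the "AVDB1" database header, the 48-byte checksummed region and all sample files are constructed, harmless stand-ins, and CRC32 stands in for whatever checksum a real scanner uses.

```python
import zlib

SIG = b"DEMO-VIRUS-SIG"     # constructed identification string (not a real signature)
BODY_LEN = 48               # bytes checksummed, starting at the signature
SKIP_MARKER = b"AVDB1"      # hypothetical header of another product's signature database

# Constructed "virus bodies": the signature followed by variant-specific bytes.
BODY_A = (SIG + b"|variant A|").ljust(BODY_LEN, b"\x90")
BODY_B = (SIG + b"|variant B|").ljust(BODY_LEN, b"\x90")
VARIANTS = {zlib.crc32(BODY_A): "Demo.A", zlib.crc32(BODY_B): "Demo.B"}


def signature_only(data: bytes) -> bool:
    """Earliest approach: alarm whenever the identification string is present."""
    return SIG in data


def signature_with_skip(data: bytes) -> bool:
    """'Skip it' logic: stay silent for files that look like a signature database."""
    if data.startswith(SKIP_MARKER):
        return False
    return SIG in data


def cross_checked(data: bytes):
    """Alarm only where the bytes around the signature checksum to a known variant.

    Returns a list of (offset, variant_name).
    """
    hits = []
    pos = data.find(SIG)
    while pos != -1:
        region = data[pos:pos + BODY_LEN]
        if len(region) == BODY_LEN:
            name = VARIANTS.get(zlib.crc32(region))
            if name:
                hits.append((pos, name))
        pos = data.find(SIG, pos + 1)
    return hits


# Constructed sample files.
SAMPLES = {
    # A program carrying variant A.
    "infected.exe": b"MZ" + b"\0" * 30 + BODY_A + b"rest of program",
    # Another product's database: contains the string, but no virus code.
    "other_av.dat": SKIP_MARKER + b"\nDemo=" + SIG + b"\nEnd\n",
    # Variant B dressed up with the header the skip logic looks for.
    "camouflaged.exe": SKIP_MARKER + b"\0" * 11 + BODY_B + b"rest",
}


def compare():
    """Return {file: (signature_only, signature_with_skip, [variants found])}."""
    return {
        name: (signature_only(data),
               signature_with_skip(data),
               [variant for _, variant in cross_checked(data)])
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16} {verdicts}")
```

The signature-only scanner raises a false alarm on the database file, the skip logic silences that alarm but also misses the camouflaged sample, and the cross-checked scanner gets all three right without needing a skip rule.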

However, it should be understood that even with these precautions, false alarms still occur now and again. The anti-virus fixes when this happens, however, are such that a virus should not be able to piggyback onto the false alarm fix.

Summary

* In the past it was possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore.
* Because of scanner technology evolution this type of virus would be very difficult to write today.

NTFS ADS Viruses

The NT File System (NTFS) contains within it a system called Alternate Data Streams (ADS). This subsystem allows additional data to be linked to a file. The additional data, however, is not always apparent to the user. Windows Explorer and the DIRectory command do not show you the ADS; other file tools (e.g., COPY and MOVE) will recognize and process the attached ADS file.

The basic notation of an ADS file is filename:streamname. A simple example that creates an ADS file is probably the best way to illustrate this. At the system prompt use the ECHO command to create a file and then you can also use ECHO to create an ADS attachment to that file (if doing this, create a directory/folder specifically for the test).

ECHO "This is the test file" > testfile.txt

You should now have a file called TESTFILE.TXT in your test directory. The TYPE, EDIT, and NOTEPAD commands should be able to access this file and show you its contents and a directory command will show it to be about 23 bytes long. The TESTFILE.TXT file was created in what's called the "named stream" portion of the file system. Now create an alternate data stream file:

ECHO "This is text in the ADS file" > testfile.txt:teststream1.txt

Note that this new file is in the format described above: filename:streamname.

But, now try to find this new file. A directory command does not show it; the TYPE and EDIT commands won't find it. The command...

NOTEPAD testfile.txt:teststream1.txt

...will bring it into the editing area; but even NOTEPAD will only read the file; you can't do a File|SaveAs and try to create an ADS file with NOTEPAD. Most other programs will not see the ADS file at all. You should also note that you've added about 30 bytes to the original file but a directory command on testfile.txt only shows the original size. The ADS file is effectively hidden from view.

Further, an alternate stream file can be created that has no normal stream file association. Here is why it's suggested you try these experiments in a test directory. Try:

ECHO "This is a really invisible stream file." > :invisible.txt

This file will be created but will be completely invisible to any directory commands or Windows Explorer.

Finally, you may have some trouble trying to delete the stream files you just created. The DEL command does not work with ADS files so DEL :invisible.txt, for example, does not work. The main way to delete alternate stream files associated with a normal stream file is to delete the normal stream file. All ADS files associated with that file will also be deleted. So DEL testfile.txt would have to be used for the first test file created. The :invisible.txt file will be deleted when the directory the file is in is removed (now you see why CKnow said to use a new directory for your testing).

If you need to keep the main file but delete the stream(s) attached to it there are two ways to proceed:

* Copy the file to a FAT or FAT32 partition and then back again to the NTFS partition. This effectively strips the ADS files off of the primary file.
* Use the NT Resource Kit CAT utility. You'll have to rename the file, use CAT on it, and then delete the temporary file you created. The syntax would be:

REN needtokeep.exe temp.exe
CAT temp.exe > needtokeep.exe
DEL temp.exe

Note: Alternate Data Streams can attach to a directory as well as a file. Some rootkits (e.g., Mailbot) establish themselves in this way.

Virus Use

An alternate stream file can be an executable and executed in a variety of ways. For our purposes here the files can be exploited by viruses that make their way into files saved as part of the normal stream. In one such exploit the virus (Streams) creates a copy of itself as a temporary EXE file and then copies the original EXE file as an ADS file attached to the temporary EXE file. The temporary EXE file is then renamed to the original EXE name. Now, when the user tries to run the original file they actually run the virus which does its thing and then sends the original program file to the operating system which then runs the program. The only thing you might see is a slight delay in program start.

For a virus like Streams you should not just delete an infected file. If you do the original file will also be lost as it's attached. If your anti-virus software does not provide a recovery utility you will have to use the CAT utility in a manner similar to that described above:

CAT filename.exe:STR > newname.exe (this copies the original file to "newname.exe")

COPY /B newname.exe filename.exe (this copies "newname.exe" back to its original name and overwrites the virus)

The virus can be operating system specific. Streams, for example, checks for Windows 2000 and only runs if it's found.

There are other ways a virus might use an alternate data stream. It could, for example, hide most of its code attached to files not normally scanned by virus scanners (e.g., INI or other text files). Only a small executable that extracts the virus would have to be visible and might be easier to hide. There are more malicious things a virus could do as well (please don't ask).

Summary

* The NT File System allows alternate data streams to exist attached to files but invisible to some normal file-handling utilities.
* Viruses can exploit the NTFS ADS system in a variety of ways.

How Viruses Infect (1)

Polymorphic Viruses

To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. One virus author even created a tool kit called the "Dark Avenger's Mutation Engine" (also known as MTE or DAME) for other virus writers to use. This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn't totally different and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by most of the existing scanners.

Virus Tool Kits

Besides the mutation engine, there are also now several tool kits available to help people create viruses. Several of these programs allow someone who has no knowledge of viruses to create their own "brand new" virus. One of these tool kits even has a very slick user interface with pull down menus and on-line help. You just pick your choices from the various menus and in a flash you've created your very own virus. While this sounds like a pretty ominous development for scanning technology, it's not as bad as it sounds. All the existing tool kits (such as VCS, VCL and MPC) create viruses that can be detected easily with existing scanner technology. The danger with these tool kits lies in the fact it's possible to create such a tool kit that could create viruses that really are unique. Fortunately, this hasn't been done yet, but it's only a matter of time before such a tool kit will be created. The conflict between virus writers and anti-virus researchers continues.

Summary

• Polymorphic viruses change with each infection. They do this in an attempt to defeat scanners.
• Virus writing tool kits have been created to "simplify" creation of new viruses.

Stealth Viruses and Rootkits

A virus, by its nature, has to modify something in order to become active. This might be a file, the boot sector, or partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over portions of the system in order to manage accesses to the changes it made, these changes will become visible and the virus will be exposed.
A stealth virus hides the modifications it makes. It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what's really there (the virus). Of course, the virus must be resident in memory and active to do this.
Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk or CD. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.
Important Note: Some viruses, when they infect, encrypt and hide the original information in the sector they infect. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it. If you overwrite the virus with FDISK /MBR then you will no longer be able to see your hard disk as DOS/Windows will not recognize what's in the partition table and can't access the encrypted version without Monkey helping (anti-virus software knows how to get around this problem).

Rootkits

Under Windows, installing a rootkit is a new way of creating a form of stealth virus or other malware. Rootkits are usually installed via a Trojan but once installed can hide most any type of malware.
Rootkits are programs that typically replace kernel programs and DLL files with malware. Since it's a system file that has been replaced it's much easier to mask and hide the malware process from anti-virus software. Indeed, some anti-virus and anti-spyware/adware software has taken on some of the characteristics of a rootkit in order to find other rootkits that might be running. This, itself, can create problems (see the acronym ADVEIS: Anti-Virus Dependent Vulnerabilities in E-mail Infrastructure Security).
Rootkits can also establish themselves in alternate data streams. The spambot Mailbot is one example of a rootkit that establishes itself in an alternate data stream associated with a system directory (yes, alternate data streams can attach to a directory as well as a file).
Probably the most famous rootkit incident in 2005 was the Sony CD incident where Sony installed a rootkit onto music CD-ROMs. When the music CDs were played on a computer, the rootkit installed in order to provide digital rights management for the music on the CD. The problem was that the rootkit itself was not secure and it allowed other malware to piggyback onto it and also install onto a user's computer. An embarrassed Sony recalled a large number of music CDs and reissued them without the digital rights rootkit.

Summary

• In order to infect, a virus must change something.
• A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.
• To better find stealth viruses be certain to cold boot from a known-clean (write protected) floppy disk or CD and avoid using generic DOS commands to try to fix them. Use anti-virus software to handle these viruses.

Fast and Slow Infectors

The term fast or slow when dealing with viruses pertains to how often and under what circumstances they spread the infection.
Typically, a virus will load itself into memory when an infected program is run. It sits there and waits for other programs to be run and infects them at that time.
A fast infector infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software to infect files as they are being checked. By its nature, anti-virus software (a scanner, in particular) opens each file on a disk being checked in order to determine if a virus is present. A fast infector that has not been found in memory before the scanning starts will spread itself quickly throughout the disk.
A slow infector does just the opposite. A slow infector will only infect files when they are created or modified. Its purpose is to attempt to defeat integrity checking software by piggybacking on top of the process which legitimately changes a file. Because the user knows the file is being changed, they will be less likely to suspect the changes also represent an infection. By its nature (and because executable code is not usually changed) a slow infector does not spread rapidly and if the integrity checker has a scanning component it will likely be caught. Also, an integrity checker that is run on a computer booted from a known-clean floppy disk will be able to defeat a slow infector.

Summary

• A fast infector infects programs when they are accessed, not just when run. This type of virus is designed to ride on the back of anti-virus scanners and can quickly infect an entire disk if not found before the scan is performed.
• A slow infector infects programs only when they are created or modified. This type of virus is designed to defeat integrity checkers but can usually be found if the checker has a scanner component or is started properly.

Sparse Infectors

In order to spread widely, a virus must attempt to avoid detection. To minimize the probability of its being discovered a virus could use any number of different techniques. It might, for example, only infect every 20th time a file is executed; it might only infect files whose lengths are within narrowly defined ranges or whose names begin with letters in a certain range of the alphabet. There are many other possibilities.
A virus which uses such techniques is termed a sparse infector.

Summary

• A wide variety of techniques can be used to help a virus avoid detection of its activity.

Armored Virus

Armored is a class that overlaps other classes of viruses; maybe multiple times.
Basically, an armored virus uses special "tricks" designed to foil anti-virus researchers. Any anti-virus researcher who wants to find out how a virus works must follow the instruction codes in the virus. By using a variety of methods, virus writers can make this disassembly task quite a bit more difficult. This usually makes the virus larger as well.
Such a virus can be said to be armored.
An early virus, Whale, made extensive use of these techniques but, at the same time, was a very large virus.

Summary

• An armored virus attempts to make disassembly difficult.