Wednesday, October 6, 2010

[KHATRA] VIRUS

khatra.exe is a worm. It creates a lot of files, shortcuts and folders on the infected system,
as listed below:
--------------------------------------------
It creates copies of itself at the paths below, under different names (assuming Windows
is installed in C:\; note that the CD Burning folder is XP's staging area for the built-in CD writer, so those copies end up on any CD the user burns):

C:\KHATRA.exe
C:\Windows\K.Backup
C:\Windows\KHATARNAKH.exe
C:\Windows\Xplorer.exe
C:\Windows\inf\Autoplay.inF
C:\Windows\system\gHost.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\System32\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\winxp.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
--------------------------------------------

It adds the following keys to the registry:

HKEY_CURRENT_USER\Software\Nico Mak Computing
HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA

It creates the following registry entries so that it starts automatically every time the system boots:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%System%\KHATRA.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
G_Host = "%Windows%\system\gHost.exe /Reproduce"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xplorer = "%Windows%\Xplorer.exe /Windows"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%System%\KHATRA.exe"

--------------------------------------------
It also modifies values in many other places in the registry, for example:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Internet Exploiter"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\KHATRA.exe = "%System%\KHATRA.exe:*:Enabled:System"
(a Windows Firewall exception that lets the worm accept inbound connections on any port)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = "dword:000000ff"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = "0"
(this breaks the "Show hidden files and folders" option in Folder Options, so the worm's hidden copies stay invisible)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
------------------------------------------------

It scans the folders on removable drives and drops a copy of itself next to each folder it finds, named after
that folder as {folder name}.exe.

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The .INF file contains the following strings, which hijack the drive's Open and Explore verbs, make Open the default action and add a bogus "Scan for viruses" entry, so opening, exploring or "scanning" the drive runs the worm:

[Autorun]
Open=KHATRA.exe /OpenDrive
ShellExecute=KHATRA.exe /OpenDrive
Shell\Open\Command=KHATRA.exe /OpenDrive
Shell\Open\Default=1
Shell\Explore\Command=KHATRA.exe /ExploreDrive
Shell\Scan for viruses=KHATRA.exe
Shell=Open
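
As an added example (not code from the original post or from the worm), the following Python script checks a removable drive for the infection pattern described above: it parses autorun.inf and lists what it would launch, finds .exe files named after a sibling folder ({folder name}.exe), and looks for the dropper name. The sample USB stick it scans is constructed in a temporary directory; the mount path, the folder names and the helper names (parse_autorun, autorun_targets, scan_drive) are assumptions for the demonstration.

```python
r"""Scan a removable drive for the KHATRA infection pattern described above.

Added example, not code from the original post or from the worm. It assumes the
drive is mounted at a path os.walk can read; the sample stick is constructed
in a temp dir for the demonstration.
"""
import os
import tempfile

# autorun.inf keys that make Explorer launch something on insert or open.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    r"""Parse the [Autorun] section into a dict with lower-cased keys.
    Hand-rolled rather than configparser because keys contain backslashes
    and spaces (Shell\Open\Command, Shell\Scan for viruses)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_targets(entries):
    r"""Executables an autorun.inf would run: Open, ShellExecute and any
    Shell\<verb>... entry whose first token is an .exe (arguments dropped)."""
    targets = set()
    for key, value in entries.items():
        if key in EXEC_KEYS or key.startswith("shell\\"):
            first = value.split()[0] if value.split() else ""
            if first.lower().endswith(".exe"):
                targets.add(first)
    return sorted(targets)


def scan_drive(root):
    """Report three signs of infection: what autorun.inf launches, .exe files
    named after a sibling folder ({folder}.exe), and the dropper's own name."""
    findings = {"autorun_targets": [], "folder_twins": [], "known_names": []}
    for name in os.listdir(root):
        # the worm writes AUTORUN.inF; Windows is case-insensitive, so match that way
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as f:
                findings["autorun_targets"] = autorun_targets(parse_autorun(f.read()))
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() != ".exe":
                continue
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if stem.lower() in sibling_dirs:
                findings["folder_twins"].append(rel)
            if stem.lower() == "khatra":
                findings["known_names"].append(rel)
    for lst in findings.values():
        lst.sort()
    return findings


# Constructed sample autorun.inf, copied from the strings listed above.
SAMPLE_AUTORUN = r"""[Autorun]
Open=KHATRA.exe /OpenDrive
ShellExecute=KHATRA.exe /OpenDrive
Shell\Open\Command=KHATRA.exe /OpenDrive
Shell\Open\Default=1
Shell\Explore\Command=KHATRA.exe /ExploreDrive
Shell\Scan for viruses=KHATRA.exe
Shell=Open
"""


def build_sample_drive():
    """Construct a fake infected USB stick in a temp dir (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="usb_")
    for folder in ("Photos", "Work"):
        os.mkdir(os.path.join(root, folder))
        with open(os.path.join(root, folder + ".exe"), "wb") as f:  # worm copy named after the folder
            f.write(b"MZ")
    with open(os.path.join(root, "Work", "notes.txt"), "w") as f:  # an ordinary user file
        f.write("legit")
    with open(os.path.join(root, "KHATRA.exe"), "wb") as f:
        f.write(b"MZ")
    with open(os.path.join(root, "AUTORUN.inF"), "w") as f:  # mixed case, as the worm writes it
        f.write(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    for kind, hits in scan_drive(build_sample_drive()).items():
        print(f"{kind}: {hits}")
```

Run it against a real stick by passing its mount point to scan_drive instead of build_sample_drive(); the folder-twin check is the most useful signal, since a drive with one .exe per folder name is almost never legitimate.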

----------------------------------------
Cleaning an infected system by hand is a little difficult, but it can be done as follows:

_ Disable System Restore, so the worm is not brought back from a restore point after cleanup.

_ Boot from a third-party rescue medium (so the worm is not running and cannot re-create its files) and delete the files listed above, including the At1.job and At2.job scheduled tasks and the (Empty).LNK startup shortcut that relaunch it.

_ Delete the registry entries created by the worm. Because it sets DisableRegistryTools = "1", regedit will refuse to start on the live system; use an offline registry editor from the rescue medium, a .reg file, or reg.exe from a command prompt. Note that HKEY_CURRENT_USER\Software\Nico Mak Computing is also the key WinZip uses, so check its contents before removing it.

_ Restore the modified registry values to their defaults (for example DisableRegistryTools and NoControlPanel back to 0, and SHOWALL CheckedValue back to 1 so hidden files can be shown again).
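
The following Python script is an added example (not from the original post) for the last two steps: it takes a .reg export of the infected machine's registry, marks the worm's own values and keys for deletion and the policy values it changed for restoring, and renders the result as a .reg file that can be applied from the rescue environment or with reg.exe. The sample export is constructed from the entries listed above; the default values it writes back, the helper names (parse_reg_export, triage, remediation_reg) and the decision to leave NoDriveTypeAutoRun alone are my assumptions, not something the post states.

```python
r"""Triage a .reg export from a KHATRA-infected host and build the .reg file that
undoes the worm's persistence and policy changes listed above. Added example, not
from the original post; it works on an offline export (regedit /e) because the
worm's DisableRegistryTools=1 blocks regedit on the live system. The sample export
is constructed from the post's entries; restored defaults are assumptions about XP.
"""
import re

WORM_BINARIES = {"khatra.exe", "ghost.exe", "xplorer.exe", "khatarnakh.exe"}
WORM_KEYS = {r"hkey_local_machine\software\khatra"}

# (key, value) -> data to restore (assumed XP defaults): 0 re-enables Control Panel and
# registry tools, CheckedValue=1 / Hidden=1 make hidden files visible, 0x48 = 72 hours
# for AtTaskMaxHours, "-" drops the IE title. NoDriveTypeAutoRun=0xff is deliberately
# not reset: it disables AutoRun on every drive type, which is worth keeping.
RESET_VALUES = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer", "nocontrolpanel"): "dword:00000000",
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disableregistrytools"): "dword:00000000",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall", "checkedvalue"): "dword:00000001",
    (r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", "hidden"): "dword:00000001",
    (r"hkey_local_machine\system\currentcontrolset\services\schedule", "attaskmaxhours"): "dword:00000048",
    (r"hkey_current_user\software\microsoft\internet explorer\main", "window title"): "-",
}


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: raw_data}}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            hives[current][name.strip().strip('"')] = data.strip()
    return hives


def mentions_worm(*fields):
    """True if a field names a worm binary. Whole path tokens are compared, so the
    legitimate Winlogon Shell=Explorer.exe does not match Xplorer.exe."""
    return any(tok in WORM_BINARIES
               for field in fields for tok in re.split(r'[\\/\s":]+', field.lower()))


def triage(hives):
    """Decide what to delete outright and which policy values to restore."""
    plan = {"delete_keys": [], "delete_values": [], "reset_values": []}
    for key, values in hives.items():
        if key.lower() in WORM_KEYS:
            plan["delete_keys"].append(key)
            continue
        for name, data in values.items():
            if mentions_worm(name, data):
                plan["delete_values"].append((key, name))
                continue
            target = RESET_VALUES.get((key.lower(), name.lower()))
            if target is not None and data.lower() != target:
                plan["reset_values"].append((key, name, target))
    return plan


def remediation_reg(plan):
    """Render the plan as a .reg file: [-key] deletes a key, "name"=- a value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in plan["delete_keys"]:
        lines += [f"[-{key}]", ""]
    per_key = {}
    for key, name in plan["delete_values"]:
        per_key.setdefault(key, []).append(f'"{name}"=-')
    for key, name, data in plan["reset_values"]:
        per_key.setdefault(key, []).append(f'"{name}"={data}')
    for key, entries in per_key.items():
        lines += [f"[{key}]", *entries, ""]
    return "\n".join(lines)


# Constructed sample export (not a real capture), built from the entries above;
# "Shell" and "ctfmon.exe" are legitimate values that must survive the cleanup.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Taskman"="C:\\WINDOWS\\system32\\KHATRA.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"G_Host"="C:\\WINDOWS\\system\\gHost.exe /Reproduce"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Xplorer"="C:\\WINDOWS\\Xplorer.exe /Windows"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\KHATRA.exe"="C:\\WINDOWS\\system32\\KHATRA.exe:*:Enabled:System"
"""

if __name__ == "__main__":
    print(remediation_reg(triage(parse_reg_export(SAMPLE_EXPORT))))
```

Apply the generated file with reg import cleanup.reg (or regedit /s once registry tools are re-enabled). The script only covers the registry: the dropped files, the At1.job/At2.job tasks and the (Empty).LNK shortcut still have to be deleted from the rescue environment.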

Tuesday, October 5, 2010

ZERO-DAY ATTACK & Exploits


A zero day attack, also known as a zero hour attack, takes advantage of a computer vulnerability for which no fix yet exists. Typically, a software company discovers a bug or problem with a piece of software after it has been released and offers a patch, another piece of software meant to fix the original issue. A zero day attack takes advantage of the problem before a patch has been created. It is called zero day because the vendor has had zero days to fix the flaw before it is attacked.
A zero day exploit is a piece of malicious code which takes advantage of a vulnerability in a piece of software which has not yet been discovered by the vendor. This code can do a great deal of damage before the vendor realizes the problem and develops a patch or a new version of the software, and many vendors test their programs rigorously before release with zero day exploits in mind. Because this type of malicious code relies on vulnerabilities which aren't widely known yet, it can be difficult for computer users to protect themselves from it.
In a simple example of a zero day exploit, a hacker might realize that the new version of an Internet browser has a security flaw which could potentially allow a hacker to insert malicious software onto the user's computer. He or she would write the code to install the software, and plant it on websites or in email, so that when users came into contact with the code, they would be infected with it. Eventually, the software vendor would realize that there was a problem, and issue a patch to fix the problem and address the zero day exploit.
The general rule of thumb in the computing community is that if someone notices a security vulnerability or flaw which could be an issue, he or she should report it to the vendor. Most ethical computer scientists and people who work with computers do just that. However, hackers, producers of malware, and other less friendly members of the community usually do not, because they want to take advantage of the vulnerability before the vendor realizes it exists. In fact, some people specialize in uncovering vulnerabilities and selling them.
From a hacker's point of view, the best zero day exploit is deployed before the vendor sees a problem. In other cases, the exploit may be released during the vulnerability window, the period of time between the discovery of the issue and the release of a patch that addresses it. Vulnerability windows can vary in length, depending on the vendor, the program, and the nature of the problem. The term "zero day exploit" references the idea that the code is released on "day zero," before the vendor has recognized the issue.