Category Archives: Windows

Dissecting a Windows malware (Part 2)

Today I looked a bit closer at the response sent from to the request of the malware. The malware connects to Port 8080, most likely because the “malware webservice” runs on another HTTP server instance (the headers state nginx, while the main page is supposedly running Apache on a Ubuntu server). I figured out that the first¬†22152 bytes contains a bitmap. This bitmap is later on saved to the users temporary path (on Windows 7 to C:\Users\$USERNAME\AppData\Local\Temp\32239.bmp).

Desktop wallpaper after infection

Desktop wallpaper after infection

The image length also matches the header “ACC”, which states 22152. Although, the length of a bitmap is also available from its header, which would make the server code a bit easier, maybe something for their next version ūüėČ

However, after the bitmap, there are still 493 bytes left. This should be either the encryption key or the message in the AlertEncryptor.txt files…. Read more »

Dissecting a Windows malware Screenshot

Through a friend of my I got to this seemingly fresh malware named GoogleChromeUpdater.exe. The page (URL see at the end of the post) claims to distribute a important Chrome Update. However, the malware encrypt files and left an E-Mail address, the classic file kidnapping along with blackmailing.

Note: If you are infected by this malware your chances are bad to get back your data. The encryption key is likely only stored on the attackers server. Unless somebody breaks the encryption, you cannot restore your data. And of course, you should not feed criminals! ūüôā

I could not resist and had to have a closer look at the malware…

Read more »

Database Mail issues on SQL Server 2008

On a SQL Server 2008 (SP3) Express Edition I tried sending an E-Mail using the Database Mail feature. I kept getting an error message in the Server Logs (use Management Studio and browse to Management\Server Logs in the Object Explorer on the left side) when trying to send an E-Mail:

Exception Type: Microsoft.SqlServer.Management.SqlIMail.Server.Common.BaseException
Message: The read on the database failed. Reason: Fehler beim Laden von 'Msxmlsql.dll'.
Data: System.Collections.ListDictionaryInternal
TargetSite: Microsoft.SqlServer.Management.SqlIMail.Server.Objects.QueueItem GetQueueItemFromCommand(System.Data.SqlClient.SqlCommand)
HelpLink: NULL
Source: DatabaseMailEngine

I could resolve this issue by coping the files …\Microsoft SQL Server\msxmlsql.dll and¬†Microsoft SQL Server\Resources\1033\msxmlsql.rll to the SQL Server instance folder¬†Microsoft SQL Server\MSQL10.[INSTANCE]\MSSQL\Binn.

Switching Windows 7 and Ubuntu to UEFI



After upgrading my hard disk on my Laptop I planned to switch to a GPT (GUID Partition Table). But since I’ve a Windows 7 installation as well¬†I had to switch to UEFI boot mode because Windows 7 does not support booting from GPT using the old BIOS/MBR bootmanager/bootloader (You can find a good Q&A about GPT support of Windows at MSDN). Luckily my old HP Elitebook 8530w¬†already¬†includes an UEFI enabled BIOS (without Secure Boot). It supports (like many others)¬†the old boot mode as well as the new UEFI boot mode. By selecting the “UEFI” entry in the boot menu one can make sure that the UEFI boot mode is enabled. After reading some documentation (especially the once from¬†Roderick W. Smith) I decided to use the rEFInd boot manager and the kernel provided EFI stub bootloader¬†(part of the mainline kernel since 3.3.0). I’m using Ubuntu 12.10 which comes with Linux 3.5 and enabled EFI stub bootloader in the stock kernel… Read more »

Samsung Series 9 13.3″ Ultrabook (NP900X3D) Review

Samsung NP900X3D

Samsung NP900X3D

This week I got myself a¬†Christmas¬†gift: A shiny Samsung Series 9 Ultrabook (or Notebook, what they call it). My device came with a Sandisk SSD U100 128GB, 4GB Memory, HM75 Chipset and the Intel Core i5 3317U Processor.¬†The device looks very nice and feels solid. I like the non reflecting screen very much, the resolution of 1600×900 feels right for the screen size (13.3″) with default DPI settings. Finger prints don’t remain on the outside of the device, but you can make them out on the keyboard. The lid shuts very well, but its a bit hard to get a grip on it to open again. The track pad is big, scrolling using multitouch gestures is very nice to use. Sometimes the track pad fires a click when I just try to move the cursor… Nevertheless, really solid hardware!

Windows 8 and some additional Software was preinstalled. After clicking through the Installer my PC was ready for the first real boot test: Boot time is really incredible, something more than 4 seconds after pressing the power button and the lock screen is visible. Well, it takes another two second to access the desktop, but still, very fast! Since I never worked with Windows 8 so far, I was happy that Samsung provided a nice Quick Start leaflets, so I know now how to access and name the new Windows 8 menues ūüėČ Read more »

MUI on Windows Server 2008 R2

Today I tried to install a Language Pack (KB974587) on a Windows Server 2008 R2. This failed silently, but I found a hint in the Logfiles (C:\Windows\Logs\CBS\CBS.log):

2012-07-28 18:24:50, Info                  CSI    000005f7 Begin executing advanced installer phase 34 (0x00000022) index 4105 (0x0000000000001009) (sequence 4137)
    Old component: [l:0]""
    New component: [ml:324{162},l:322{161}]"Microsoft-Windows-WCFCoreComp.Resources, Culture=de-de, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS"
    Install mode: install
    Installer ID: {d82eedee-854e-4f9a-b458-ae1bc62a0e6b}
    Installer name: [16]"LodCtr Installer"
2012-07-28 18:24:50, Error                 CSI    00000022 (F) Logged @2012/7/28:16:24:50.996 : [ml:456{228},l:454{227}]"Cannot open actual INI file "C:\Windows\inf\ServiceModelService\_ServiceModelServicePerfCounters.ini" referenced in "C:\Windows\inf\ServiceModelService\0407\_ServiceModelServicePerfCounters_D.ini", error code 2."

The ServiceModelService belongs to the WCF part of the .NET Framework. In the Server Manager under Features I found the “WCF-Activation” option. So I activated this option (with “Non-HTTP Activation”). Afterwards, the file in Question existed and the installation of the Language Pack succeeded!

Convert VMware growable, splitted and snapshoted disks

In the last weeks I started to migrate my virtual machines to KVM. Until now, I used on two Servers VMware Server 2.0 on Ubuntu, which caused many problems with Disk I/O’s and performance problems. Either way, I prefer Open Source software whenever possible. KVM and libvirt, which I use to manage KVM, is in a quite mature state nowadays.

To convert the VMware images I used this How-To. This worked quite well for most of my Virtual Machines. But several had snapshots or were split into 2GB files. This cant be handled by qemu-img. I converted the files to single, flat disk file first using vmware-vdiskmanager. In the end, I wanted to have pre-allocated (single file) anyway, because it provides best performance:

$ vmware-vdiskmanager -r Ubuntu.vmdk -t 0 Ubuntu-copy.vmdk

Read more »

ISO-Dateien Booten

Vor kurzem habe ich bei meinem Laptop eine Intel SSD Harddisk eingebaut, und deswegen mein CD-Rom ausgebaut. Dies hab ich ohnehin selten bebraucht, aber es gibt Situationen, in denen es wirklich praktisch ist, zum Beispiel um CD’s zu booten. Ubuntu hat daf√ľr ein Tool, um Ubuntu-CD’s auf USB-Sticks zu schreiben. Dies brauche ich auch √∂fters und funktioniert ganz ordentlich. Jedoch gibts manchmal auch andere ISO-Dateien die ich booten m√∂chte. Daf√ľr hab ich nun eine L√∂sung gefunden: Es wird ein Linux mit einem angepassten GRUB-Bootloader auf einen Memorystick geschrieben. Dieser Bootloader kann dan die ISO-Datei direkt vom USB-Stick booten. Wirklich sehr praktisch, allerdings funktioniert die Anleitung nur unter Windows…

VirtualBox 3.1 Performancevergleich

Gestern wurde VirtualBox 3.1 freigegeben. Im ChangeLog steht, dass die Performance erheblich verbessert wurde. Dies wollte ich einmal auf den Pr√ľfstand stellen, und habe ein paar Messungen auf meinem Notebook gemacht (HP EliteBook 8530w, Core 2 Duo T9400, 4 GB Ram mit Ubuntu Karmic 64-Bit). Dazu habe ich die Boot-Zeit zweier virtuellen Maschinen gemessen. Daf√ľr habe ich die Maschine zuerst einmal gestartet, so dass alle Daten im Ram vorhanden sein sollten. Dannach habe ich zwei Durchl√§ufe gestoppt, jeweils vom Startklick bis zum Login-Bildschirm. Die erste Maschine im Test war Windows 7 Ultimate 64-Bit von meiner SSD (Intel SSD 80GB X18-M G2), die zweite Maschine Windows XP Professional 32-Bit von meiner Magnetplatte (Seagate Momentus 320GB 7200upm). Beiden Maschinen sind mit S-ATA und Hardwarevirtualisierung konfiguriert. Die Resultate finden Sie nach dem Sprung. Read more »

Error 80070005 bei Windowsupdate unter Windows Vista

Seit l√§ngerem habe ich gesch√§ftlich Windows Vista Enterprise im Einsatz. Leider funktionierte Windowsupdate schon nach kurzer Zeit nicht mehr. Es erschien immer der Fehler 80070005, mit welchem auch Google nicht viel anzufangen wusste. Heute habe ich mich deshalb nochmals mit diesem Thema befasst, und fand √ľber heraus dass es sich um ein Registry-Problem handelt. Grunds√§tzlich bedeutet der Code ‚ÄúPermission Denied‚ÄĚ, wobei diese Zugriffsverletzung von einem Registryzugriff her r√ľhrt. Mit dem von Microsoft zur Verf√ľgung gestellten Tool ‚ÄúProcess Monitor‚ÄĚ (ehemals Sysinternals) kann dieser Zugriff sichtbar gemacht werden. Bei mir wurde der Fehler vom Prozess TrustedInstaller.exe ausgel√∂st. Ich musste daraufhin bei einigen Registryeintr√§ge die Berechtigung f√ľr den Benutzer ‚ÄúSYSTEM‚ÄĚ neu setzten, worauf es dann wieder funktionierte!

Zwischendurch hatte ich noch den Fehler 80242014, welcher legedlich einen Neustart fordert… Dannach werden die Updates wieder installiert…