Thursday, July 16, 2009

Services Used By Malware...


A common misconception when working on removing malware from a computer is that the only place an infection will start from is in one of the entries enumerated by HijackThis. For the most part these entries are the most common, but it is not always the case. Lately there are more infections installing a part of themselves as a service. Some examples are and Home Search Assistant.
When cleaning a computer the standard approach is to clean up the Run entries and the other more common startup entries first. For the most part, that will be enough to remove the infection. The problem arises when the log looks clean and yet there are still problems. One place to continue looking for the infection is in the operating system's services to see if there is a service that does not belong there and could possibly be loading the infection. A service is a program that is automatically started by Windows NT/XP/2000/2003 on startup or through some other means and is generally used for programs that run in the background.

Service Configuration

A service is loaded on startup by either using svchost.exe or by windows directly launching the application. If a service is loaded directly by windows, the associated file name that launches the service can be found in the ImagePath value under the following registry entry


When the service is being launched by svchost.exe, it will be placed in a particular service group, which is then launched by svchost.exe. A listing of these groups and the services that are launched under them can be found here:


Under this key you will find various groups (netsvcs, LocalServices, etc) in which each contain multiple services that will be launched when the group is loaded by svchost.exe. These groups are loaded by the following command:

svchost.exe -k netsvcs

It will load all the services found under the netsvcs group in the above key and appear as one process under the process list. So each time a new group is loaded by svchost.exe, you will find a new svchost.exe process listed in memory. It is for this reason why there are multiple svchost.exe processes listed on a machine. If you are using Windows XP, as this command is not available on Windows 2000, you can see what services each svchost.exe process is controlling by running the following command from a command prompt: tasklist /SVC

When a service is launched in this way, the actual filename for the service can be found here:

The value of ServiceDLL is the actual service file that we want to be concerned with.

Listing and Analyzing the services

A simple batch file that I created uses the SysInternals PSSERVICE program to get a list of the services and open a notepad. Nothing fancy, but saves time when diagnosing.
This file can be found here:

To use the script, you simply unzip the file to your C: drive and you will now find a directory called c:\getservice. Inside that directory is a batch file called getservice.bat and the psservice.exe file. Simply double-click on the getservice.bat file and it will create a notepad containing a list of services installed on the computer you are running it on.
Note: You must be running as a user with Administrator privaleges or this script will either not work or not give enough information.

The output of the script will contain information about each service installed on your computer. The important information to look at in the service entries are::

SERVICE_NAME This is the name the service goes by and is what it is stored in the registry under.
BINARY_PATH_NAME This is the actual file that is being used to launch the service.
DISPLAY_NAME This is the name the service appears under in the services.msc in the control panel.
START_TYPE This tells you if the service is disabled, manually started, or automatically started.

Below are examples of how an entry would look for two different types of infections explanations of how to interpret the information given:

BINARY_PATH_NAME : C:\WINDOWS\system32\d3xi.exe /s
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
Home Search Assistant Example

The Home Search Assistant uses a service, among standard Run entries, as part of its infection. The important attributes we can gather from the above information are as follow:
1. It's display name in the Services control panel is Remote Procedure Call (RPC) Helper
2. It has a service name of O? ’ŽrtñåȲ$.i in the registry.
3. It is started automatically on boot up
4. The file that starts this service is C:\WINDOWS\system32\d3xi.exe
Armed with this information we now know what registry entries the service is stored in and the file that is being used as part of the Home Search Assistant infection.
The next example is for the hijacker, but it is loaded in a slightly different way, causing us to work a little more in finding out what the infection file is.

Provides plug and play svc devices support
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
TAG : 0
DISPLAY_NAME : Plug and Play svc service
SERVICE_START_NAME: LocalSystem Example

The hijacker uses a service as part of its infection as well. The important attributes we can gather from the above information are as follow:
1. It's display name in the Services control panel is Plug and Play svc service
2. It has a service name of pnpsvc in the registry
3. It is started automatically on boot up
4. The file that starts this service is C:\WINNT\system32\svchost.exe -k netsvcs

Now this information, though helpful, is somewhat useless without digging around further in the registry. We know that the file that starts the service is svchost.exe, but that is a legitimate program, so we do not want to delete it. How then can we find the appropriate file to remove? Remember what we discussed above about how svchost.exe works?

From the BINARY_PATH_NAME we know that the file is part of the netsvcs group. That means that when svchost loads that group, which may contain many services, it will also load the file associated with this service. To find the actual file name for this particular service, we need to check the following registry key:


The value of the ServiceDLL key is the actual file that we want to get rid of.

In the next section we will discuss how to remove the service via deleting entries in the registry.

Removing a service

Removing a service manually requires removing entries from the registry. This can be a dangerous task for the health of your computer. If you do not feel comfortable doing this, then please ask someone else to help with this step of the cleanup procedure as making a mistake can cause the computer you are working on to not work properly.

Service entries are stored in the registry under a section called ControlSet. A ControlSet are located under the following key:


A ControlSet is a complete copy of the configuration that is used to successfully launch services and other critical files & drivers for Windows. When you look under the above key there will always be at least two ControlSets and one CurrentControlSet. For the sake of this tutorial I will use what I have on my machine, which is ControlSet1 and ControlSet2 (there may be more up to a maximum of 4). One of these numbered control sets refers to the default configuration that is used when the computers normally boots. The other numbered control set refers to the one used when you choose to boot up using the Last Known Good Configuration. The last one, CurrentControlSet, is an exact mirror of the ControlSet we had used to boot into Windows, so that if you make a change CurrentControlSet it will automatically appear in the ControlSet it is mirroring and vice-versa.
If you wanted to know for sure which ControlSet the CurrentControlSet is pointing to you can examine the following key:


This key gives us important information as to which ControlSet was used on the last boot, which is used by default, and which is designated for LastKnownGoodConfiguration. This key contains the following values:

Current:This will contain the number of the ControlSet that we are currently using and which CurrentControlSet points to.
Default:This will contain the number of the ControlSet that Windows uses by default when booting.
Failed: This will indicate with ControlSet was the one that failed on last boot. If it is 0, then there was no failures.
LastKnownGood: This will contain the number of the ControlSet that Windows uses when we choose the Last Known Good Configuration

If we wanted to manually remove a service from the registry we would only need to remove it from the numbered ControlSets (remember CurrentControlSet is a mirror of one of the numbered ones). For example, to remove the service for a hijacker on my computer, we would simply delete from the registry the following entries:


Once we reboot, these services will no longer be listed in the Services control panel.
At times though, the malware will also install itself under these keys:


as subkeys called LEGACY_svcname. These LEGACY_svcname entries should be deleted as well, but will usually require you to change the permissions on them in order to delete them. Simply change the security permissions on these keys to Everyone (Full) and then delete them.


Knowing how to diagnose a service running as a malware is an important part of fighting spyware. As more and more spyware and viruses use this technique , the understanding of how services work and are configured in the Registry will make the difference between fixing a computer and not fixing it.

Sunday, May 31, 2009

How to install and use the Recovery Console in Windows XP

How to install and use the Recovery Console in Windows XP

To recover your operating system when your computer does not start correctly or does not start at all, you may want to install and use the Windows Recovery Console. However, Microsoft recommends this method of system recovery for advanced users only. Also, learn about the Recovery Console command prompt, command actions, rules, how to remove the Recovery Console, and how to install it during an unattended installation.

Microsoft recommends that you use the Recovery Console only after Safe mode and other startup options do not work. The Recovery Console is recommended only if you are an advanced user who can use basic commands to identify and locate problem drivers and files. Additionally, you must be an administrator to use the Recovery Console.


How to install the Recovery Console

You can install the Recovery Console on your computer to make it available if you cannot restart Windows. You can then select the Recovery Console option from the list of available operating systems during startup. Install the Recovery Console on important servers and on the workstations of IT personnel. This article describes how to install the Recovery Console to your Microsoft Windows XP-based computer. To install the Recovery Console, you must be logged on as an administrator.

Although you can run the Recovery Console by starting directly from the Windows XP CD, it is generally more convenient to set it up as a startup option on your startup menu. To run the Recover Console directly from the CD, see the "How to use the Recovery Console" section.

To install the Recovery Console, follow these steps:

1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive. In the case of 'Microsoft Windows XP Professional x64 Edition, typed:\amd64\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5. Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.

Alternatively, you can use a Universal Naming Convention (UNC)-established connection to install the Recovery Console from a network share point.

How to use the Recovery Console

You can enable and disable services, format drives, read and write data on a local drive (including drives that are formatted to use the NTFS file system), and perform many other administrative tasks. The Recovery Console is particularly useful if you have to repair your computer by copying a file from a disk or CD-ROM to your hard disk, or if you have to reconfigure a service that is preventing your computer from starting correctly.

If you cannot start your computer, you can run the Recovery Console from the Microsoft Windows XP startup disks or the Windows XP CD-ROM. This article describes how to perform this task.

After Windows XP is installed on your computer, to start the computer and use the Recovery Console you require the Windows XP startup disks or the Windows XP CD-ROM.

Note To start the computer from the Windows XP CD-ROM, you must configure the basic input/output system (BIOS) of the computer to start from your CD-ROM drive.

To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, follow these steps:

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
5. At the command prompt, type the appropriate commands to diagnose and repair your Windows XP installation.

For a list of commands that are available in Recovery Console, type recovery console commands or help at the command prompt, and then press ENTER.

For information about a specific command, type help commandname at the command prompt, and then press ENTER.
6. To exit the Recovery Console and restart the computer, type exit at the command prompt, and then press ENTER.

How to use the Recovery Console command prompt

When you use the Recovery Console, you are working at a special command prompt instead of the ordinary Windows command prompt. The Recovery Console has its own command interpreter. To enter this command interpreter, you are prompted by Recovery Console to type the local Administrator password.

When the Recovery Console starts, you can press F6 to install a third-party SCSI or RAID driver, in case you need such a driver to access the hard disk. This prompt works the same as it does during installation of the operating system.

The Recovery Console takes several seconds to start. When the Recovery Console menu appears, a numbered list of the Windows installations on the computer appears. (Generally, only c:\Windows exists.) Press a number before you press ENTER, even when only one entry appears. If you press ENTER without selecting a number, the computer restarts and begins the process again.

When you see the prompt for %SystemRoot% (generally C:\Windows), you can start using the available commands for the Recovery Console.

Command actions

The following list describes the available commands for the Recovery Console:
Attrib changes attributes on one file or subdirectory.
Batch executes commands that you specify in the text file, Inputfile. Outputfile holds the output of the commands. If you omit the Outputfile parameter, output appears on the screen.
Bootcfg modifies the Boot.ini file for boot configuration and recovery.
CD (Chdir) operates only in the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.
Chkdsk The /p switch runs Chkdsk even if the drive is not flagged as dirty. The /rswitch locates bad sectors and recovers readable information. This switch implies /p. Chkdsk requires Autochk. Chkdsk automatically looks for Autochk.exe in the startup folder. If Chkdsk cannot find the file in the startup folder, it looks for the Windows 2000 Setup CD-ROM. If Chkdsk cannot find the installation CD-ROM, Chkdsk prompts the user for the location of Autochk.exe.
Cls clears the screen.
Copy copies one file to a target location. By default, the target cannot be removable media, and you cannot use wildcard characters. Copying a compressed file from the Windows 2000 Setup CD-ROM automatically decompresses the file.
Del (Delete) deletes one file. Operates within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources. By default, you cannot use wildcard characters.
Dir displays a list of all files, including hidden and system files.
Disable disables a Windows system service or driver. The variable service_or_driver is the name of the service or driver that you want to disable. When you use this command to disable a service, the command displays the service's original startup type before it changes the type to SERVICE_DISABLED. Note the original startup type so that you can use the enable command to restart the service.
Diskpart manages partitions on hard disk volumes. The /add option creates a new partition. The /delete option deletes an existing partition. The variable device is the device name for a new partition (such as \device\harddisk0). The variable drive is the drive letter for a partition that you are deleting (for example, D). Partition is the partition-based name for a partition that you are deleting, (for example: \device\harddisk0\partition1) and can be used instead of the drive variable. The variable size is the size, in megabytes, of a new partition.
Enable enables a Windows system service or driver. The variable service_or_driver is the name of the service or driver that you want to enable, and start_type is the startup type for an enabled service. The startup type uses one of the following formats:

Exit quits the Recovery Console, and then restarts the computer.
Expand expands a compressed file. The variable source is the file that you want to expand. By default, you cannot use wildcard characters. The variable destination is the directory for the new file. By default, the destination cannot be removable media and cannot be read-only. You can use the attrib command to remove the read-only attribute from the destination directory. The option /f:filespec is required if the source contains more than one file. This option permits wildcard characters. The /y switch disables the overwrite confirmation prompt. The /d switch specifies that the files will not be expanded and displays a directory of the files in the source.
Fixboot writes a new startup sector on the system partition.
Fixmbr repairs the startup partition's master boot code. The variable device is an optional name that specifies the device that requires a new Master Boot Record. Omit this variable when the target is the startup device.
Format formats a disk. The /q switch performs a quick format. The /fs switch specifies the file system.
Help If you do not use the command variable to specify a command, help lists all the commands that the Recovery Console supports.
Listsvc displays all available services and drivers on the computer.
Logon displays detected installations of Windows and requests the local Administrator password for those installations. Use this command to move to another installation or subdirectory.
Map displays currently active device mappings. Include the arc option to specify the use of Advanced RISC Computing (ARC) paths (the format for Boot.ini) instead of Windows device paths.
MD (Mkdir) operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.
More/Type displays the specified text file on screen.
Rd (Rmdir) operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.
Ren (Rename) operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources. You cannot specify a new drive or path as the target.
Set displays and sets the Recovery Console environment variables.
Systemroot sets the current directory to %SystemRoot%.

Recovery Console rules

Several environment rules are in effect while you are working in the Recovery Console. Typeset to see the current environment. By default, these are the rules:

AllowAllPaths = FALSE prevents access to directories and subdirectories outside the system installation that you selected when you entered the Recovery Console.
AllowRemovableMedia = FALSE prevents access to removable media as a target for copied files.
AllowWildCards = FALSE prevents wildcard support for commands such as copy anddel.
NoCopyPrompt = FALSE means that you are prompted by the Recovery Console for confirmation when overwriting an existing file.

How to delete the Recovery Console

To delete the Recovery Console:
1. Restart your computer, click Start, click My Computer, and then double-click the hard disk where you installed the Recovery Console.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. Click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
4. At the root folder, delete the Cmdcons folder and the Cmldr file.
5. At the root folder, right-click the Boot.ini file, and then click Properties.
6. Click to clear the Read-only check box, and then click OK.

Warning: Modifying the Boot.ini file incorrectly may prevent your computer from restarting. Make sure that you delete only the entry for the Recovery Console. Also, change the attribute for the Boot.ini file back to a read-only state after you finish this procedure. Open the Boot.ini file in Microsoft Windows Notepad, and remove the entry for the Recovery Console. It looks similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

7. Save the file and close it.

How to install Recovery Console during an unattended installation

To install the Recovery Console during the unattended installation of Windows, you must use the [GuiRunOnce] section of the unattend.txt file.
Command1="path\winnt32 /cmdcons /unattend"
For more information about how to use the Unattend.txt file, see the Deployment Planning Guideof the Windows 2000 Server Resource Kit.

Friday, April 10, 2009


This article describes how to convert a FAT16 file system or a FAT32 file system to an NTFS file system in Microsoft Windows XP. The requirements or the conditions for converting your file system are explained first to minimize problems. A troubleshooting section is provided at the end of the article in case you experience any problems while trying the conversion.


Microsoft Windows XP supports the following three file systems for fixed disks:
• FAT16
• FAT32
We recommend that you use NTFS with Windows XP because of its advanced performance, security, and reliability features. This article describes how to convert a FAT16 volume or a FAT32 volume to NTFS.


Before you start to convert a FAT volume or a FAT32 volume to NTFS, consider the following limitations and requirements:
• UDF and CDFS are only used with optical media and cannot be converted to NTFS.
• FAT12 is the only format used on floppy diskettes.
• Some earlier programs that were not written for Microsoft Windows NT 4.0 or for Microsoft Windows 2000 may exhibit slow performance after you convert the FAT32 file system to NTFS. This issue does not occur on a clean partition of NTFS.
• You can use the convert command (Convert.exe) to convert an existing FAT volume or FAT32 volume to NTFS. Because this conversion retains all your files (unlike a format operation), use Convert.exe when you want to keep existing files on your volumes intact.
• The conversion to NTFS is a one-way process. After you convert a drive or a partition to NTFS, you cannot convert it back to FAT or to FAT32. To restore the volume to the previous file system, you must reformat it as FAT or as FAT32. This action erases all existing data including your programs and personal files. In this case, you must either restore your data from a backup, or reinstall your operating system and programs.
• Convert.exe requires that you have some free space on the drive or on the partition to convert it. If Convert.exe determines that there is not sufficient free space on the volume, it does not convert the volume.
• If you run other Microsoft Windows operating systems on your computer in addition to Windows XP, note the following issues:
o Only Windows 2000 and Windows XP have full access to files on an NTFS volume.
o Windows NT 4.0 Service Pack 4 (SP4) or later can access files on an NTFS volume. However, there are some limitations with files that are stored by using features from the latest version of NTFS.
o Microsoft Windows Millennium Edition (Me), Microsoft Windows 98 Second Edition and earlier, and MS-DOS cannot access files on an NTFS volume.

How to convert a FAT volume or a FAT32 volume to NTFS

Note Although the chance of corruption or data loss during the conversion is minimal, we recommend that you perform a backup of the data on the volume that you want to convert before you start the conversion.

To convert an existing FAT or FAT32 volume to NTFS, follow these steps:

1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type the following, where drive letter is the drive that you want to convert:
convert drive letter: /fs:ntfs
For example, type the following command to convert drive E to NTFS:
convert e: /fs:ntfs

Note If the operating system is on the drive that you are converting, you will be prompted to schedule the task when you restart the computer because the conversion cannot be completed while the operating system is running. When you are prompted, click YES.
3. When you receive the following message at the command prompt, type the volume label of the drive that you are converting, and then press ENTER:
The type of the file system is FAT.
Enter the current volume label for drive drive letter
4. When the conversion to NTFS is complete, you receive the following message at the command prompt:
Conversion complete
5. Quit the command prompt.

• When you try to convert a volume to NTFS, you receive the following error message at the command prompt:
Convert cannot gain exclusive access to the drive letter drive, so it cannot convert it now. Would you like to schedule it to be converted the next time the system restarts?
This issue occurs when the volume that you are trying to convert is in use, for example, if the drive that you want to convert is the same drive where Windows XP is running.

To resolve this issue, type Y at the command prompt. The volume or drive is converted to NTFS the next time that you start your computer.
• When you try to convert a volume to NTFS, you receive the following error message at the command prompt:
Convert cannot run because the volume is in use by another process. Convert may run if this volume is dismounted first. ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID. Would you like to force a dismount on this volume?
This issue occurs when there are files that are being used on the volume that you are trying to convert. This includes files that are accessed by users over the network.

To resolve this issue, use one of the following methods:
o Quit all the programs that are using the files on the drive, and then type y at the command prompt to convert the drive to NTFS.
o At the command prompt, type Y.
You receive the following error message:
Convert cannot gain exclusive access to the drive letter drive, so it cannot convert it now. Would you like to schedule it to be converted the next time the system restarts?
Type Y at the command prompt. The volume or drive is converted to NTFS the next time that you start your computer.

For more information about Convert.exe, follow these steps to view a list of command line parameters:
1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type help convert, and then press ENTER.
A list of command line parameters for Convert.exe appears. For more information about how much free space is required to convert FAT to NTFS, click the following article number to view the article in the Microsoft Knowledge Base: 156560 Free space required to convert FAT to NTFS

• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional

Wednesday, April 8, 2009

How To Use the Debug Command

P a r a m e t e r s

NOTE: Parameters listed in brackets ( [ ] ) are optional. Optional parameters usually indicate there are a number of different ways that a command can be used. I've listed the meanings of all the parameters here for you:

address - Memory location specified in hexadecimal. You can use either a simple Offset all by itself (in which case, the present CS 'Code Segment' will be assumed), or you can enter the full Segment:Offset location using either all hex numbers or substituting the name of a segment register for a number. Leading zeros are not required; thus 1F all by itself would be the location 'CS:001F' ( CS meaning whatever the CS happened to be at the time you entered this ). Examples:
100 DS:12 SS:0 198A:1234
For a detailed discussion, see: Segment:Offset notation.

range - Two hexadecimal addresses separated by a single space. They may be listed as either full Segment:Offset pairs or just an Offset alone ( in which case, the Segment is assumed to be that of the present CS or "Code Segment" ). NOTE: Some commands, such as Compare (C), may require that the second address be given only as an offset.

list - A string of Hexadecimal bytes separated by a space, or ASCII data enclosed within single or double quote marks. You can list any number of bytes from a single one up whatever number fits on the line before having to press the Enter key. A single byte, such as 00 is most often used with the FILL (f) command whereas an ENTER (e)command will most likely have a string of many hex bytes or ASCII characters per line; for example:
e 100 31 C0 B4 09 BA 50 02 CD 21 B8 4C 00 CD 21

e 250 'This is an ASCII data string.$'
number - Remember that all numbers and values used in any DEBUG commands are understood as being Hexadecimal only! That includes the number of sectors in the LOAD or WRITE commands and even the number of instructions you want DEBUG to step through in the TRACE or PROCEED commands. It's all HEX all the time in here!

A Simple DEBUG Tutorial
Details of each Command

NOTE: In the Examples below, commands which are entered by a user are shown in bold type; data displayed in response by DEBUG is in normal type. DEBUG (from MS-DOS 5.0 or later (which is true for the DEBUG version used by Windows™ XP) will display the following usage message, if you enter debug /? at a DOS prompt:
C:\WINDOWS>debug /?
Runs Debug, a program testing and editing tool.

DEBUG [[drive:][path]filename [testfile-parameters]]

[drive:][path]filename Specifies the file you want to test.
testfile-parameters Specifies command-line information required by
the file you want to test.

Quit: Q
Immediately quits (exits) the Debug program! No questions ever asked... should be the first command you remember along with the "?" command.

Hex: H value1 value2
A very simple (add and subtract only) Hex calculator. Never forget that all numbers inside of DEBUG are always Hexadecimal. Enter two Hex values (no more than four digits each) and DEBUG shows first the SUM, then the DIFFERENCE of those values. Examples:
-h aaa 531 -h fff 3 -h dbf ace
0FDB 0579 1002 0FFC 188D 02F1
- - -
Differences are always the second value subtracted from the first; AAA - 531 = 579. There are no carries past four digits.
Two's Complement arithmetic is always used in this calculator, so think of it as being limited to a maximum of plus7FFFh (+ 32,767) or a minimum of minus 8000h (- 32,768). Positive values are represented by exactly the same digits as their numbers for 0000h through 7FFFh. A minus 7FFFh, however, is represented by the Hex digits 8001, and aminus 1h (-1) is represented by the Hex digits FFFF. Thus, the output of DEBUG after entering "h 4 fffc" would be azero and an 8, because FFFC represents a minus 4h (-4) and 4 - (-4) = 8. Examples:
-h 4 fffc -h 100 123 -h 7fff 8000
0000 0008 0223 FFDD FFFF FFFF
- - -
Notice that the difference between 100h and 123h is FFDD; what does that represent? To find the numerical value of a Two's Complement number, first invert every bit (or find its logical inverse); that would be 0022, then add 1. So, this represents a negative 23h. Both the sum and the difference of 7FFFh and 8000h are a negative 1 (or FFFF). You can, of course, think of the sums as having nothing to do with a Two's Complement notation; thus 7FFFh + 8000h = FFFFh (32,767 + 32,768 = 65,535). This will even hold true for the differences if the second value is less than the first. But as soon as the difference produces a negative number, it must be represented in Two's Complement.

Dump: D [range]
D [address] [length]
Displays the contents of a block of memory. The Memory locations near the beginning of Segment C000 (even under Windows 2000/XP) should display information about the kind of video card installed on your PC. The first example below shows what a Matrox video card on our system displayed.

-d c000:0010
C000:0010 24 12 FF FF 00 00 00 00-60 00 00 00 00 20 49 42 $.......`.... IB
C000:0020 4D 20 43 4F 4D 50 41 54-49 42 4C 45 20 4D 41 54 M COMPATIBLE MAT
C000:0030 52 4F 58 2F 4D 47 41 2D-47 31 30 30 20 56 47 41 ROX/MGA-G100 VGA
C000:0040 2F 56 42 45 20 42 49 4F-53 20 28 56 31 2E 32 20 /VBE BIOS (V1.2
C000:0050 29 00 87 DB 87 DB 87 DB-87 DB 87 DB 87 DB 87 DB )...............
C000:0060 50 43 49 52 2B 10 01 10-00 00 18 00 00 00 00 03 PCIR+...........
C000:0070 40 00 12 10 00 80 00 00-38 37 34 2D 32 00 FF FF @.......874-2...
C000:0080 E8 26 56 8B D8 E8 C6 56-74 22 8C C8 3D 00 C0 74 .&V....Vt"..=..t
-d 100 130
xxxx:0100 EB 24 0D 0A 54 68 69 73-20 69 73 20 6D 79 20 66 .$..This is my f
xxxx:0110 69 72 73 74 20 44 45 42-55 47 20 70 72 6F 67 72 irst DEBUG progr
xxxx:0120 61 6D 21 0D 0A 24 B4 09-BA 02 01 CD 21 B4 00 CD am!..$......!...
xxxx:0130 21 !
The last example above, is what you'd see after entering the code under the Assemble command. We could just as easily have used the length option with the command 'd 100 l31' (that's an 'L' in front of the "31") to produce the same results above. The following example shows only the '$'-terminated display string, which has a length of 24h bytes (remember numbers in DEBUG are always hexadecimal); so, that's 36 in decimal:
-d 102 l24
xxxx:0100 0D 0A 54 68 69 73-20 69 73 20 6D 79 20 66 ..This is my f
xxxx:0110 69 72 73 74 20 44 45 42-55 47 20 70 72 6F 67 72 irst DEBUG progr
xxxx:0120 61 6D 21 0D 0A 24 am!..$

Search: S range list
Searches within a range of addresses for a pattern of one or more byte values given in a list. The list can be comprised of numbers or character strings enclosed by matching single or double quote marks. [ NOTE: In the examples below, if you do find the same data on your computer, the locations could easily vary from ours! ]
-s fe00:0 ffff "BIOS"

-d fe00:0
FE00:0000 41 77 61 72 64 20 53 6F-66 74 77 61 72 65 49 42 Award SoftwareIB
FE00:0010 4D 20 43 4F 4D 50 41 54-49 42 4C 45 20 34 38 36 M COMPATIBLE 486
FE00:0020 20 42 49 4F 53 20 43 4F-50 59 52 49 47 48 54 20 BIOS COPYRIGHT
FE00:0030 41 77 61 72 64 20 53 6F-66 74 77 61 72 65 20 49 Award Software I
FE00:0040 6E 63 2E 6F 66 74 77 61-72 65 20 49 6E 63 2E 20 nc.oftware Inc.
FE00:0050 41 77 03 0C 04 01 01 6F-66 74 77 E9 12 14 20 43 Aw.....oftw... C
FE00:0060 1B 41 77 61 72 64 20 4D-6F 64 75 6C 61 72 20 42 .Award Modular B
FE00:0070 49 4F 53 20 76 34 2E 35-31 50 47 00 DB 32 EC 33 IOS v4.51PG..2.3

-s 0:0 dff 'A20'

-d 0:c40
0000:0C40 0D 0A 41 32 30 20 68 61-72 64 77 61 72 65 20 65 ..A20 hardware e
0000:0C50 72 72 6F 72 2E 20 20 43-6F 6E 74 61 63 74 20 74 rror. Contact t
0000:0C60 65 63 68 6E 69 63 61 6C-20 73 75 70 70 6F 72 74 echnical support
0000:0C70 20 74 6F 20 69 64 65 6E-74 69 66 79 20 74 68 65 to identify the
0000:0C80 20 70 72 6F 62 6C 65 6D-2E 0D 0A 24 1A 00 BA F6 problem...$....

-s 0:0 dff 43 4f 4d

-d 0:770
0000:0770 7A 02 A6 02 43 4F 4D 31-20 20 20 20 8E 00 70 00 z...COM1 ..p.
0000:0780 C0 A0 7A 02 91 02 4C 50-54 31 20 20 20 20 A0 00 ..z...LPT1 ..
0000:0790 70 00 C0 A0 7A 02 98 02-4C 50 54 32 20 20 20 20 p...z...LPT2
0000:07A0 2D 01 70 00 C0 A0 7A 02-9F 02 4C 50 54 33 20 20 -.p...z...LPT3
0000:07B0 20 20 11 EA 27 27 3F FD-CA 00 70 00 00 80 7A 02 ..''?...p...z.
0000:07C0 AC 02 43 4F 4D 32 20 20-20 20 DC 00 70 00 00 80 ..COM2 ..p...
0000:07D0 7A 02 B2 02 43 4F 4D 33-20 20 20 20 00 00 6B 03 z...COM3 ..k.
0000:07E0 00 80 7A 02 B8 02 43 4F-4D 34 20 20 20 20 E8 D2 ..z...COM4 ..

Compare: C range address
Compares two blocks of memory. If there are no differences, then DEBUG simply displays another prompt (-). Here's an example of what happens when there are differences:
-c 140 148 340
127D:0143 30 6D 127D:0343
127D:0146 10 63 127D:0346
127D:0148 49 30 127D:0348
The bytes at locations 140 through 148 are being compared to those at 340 ( through 348, implied ); the bytes are displayed side by side for those which are different (with their exact locations, including the segment, on either side of them).

Fill: F range list
This command can also be used to clear a whole segment of Memory as well as filling smaller areas with a continuously repeating phrase or single byte. Examples:
-f 100 12f 'BUFFER'
-d 100 12f
xxxx:0100 42 55 46 46 45 52 42 55-46 46 45 52 42 55 46 46 BUFFERBUFFERBUFF
xxxx:0110 45 52 42 55 46 46 45 52-42 55 46 46 45 52 42 55 ERBUFFERBUFFERBU
xxxx:0120 46 46 45 52 42 55 46 46-45 52 42 55 46 46 45 52 FFERBUFFERBUFFER

-f 100 ffff 0
This last example fills almost all of the assigned Segment with zero bytes (which can also be thought of as clearing the Segment). You should use this command whenever you want to be sure that the bytes you'll be looking at in DEBUG's Segment are those you've manually entered or loaded; not just previously used code in memory! If you want to examine a file from a disk in a 'clean' Segment, you'll first have to start DEBUG without any filename, clear the Segment using: f 100 ffff 0 and then finally load the file using the Name (n) and Load (L) commands in that order.
NOTE: Filling (clearing) any bytes in the area from 00h through FFh of the Segment used by DEBUG can sometimes lead to problems; especially when file I/O is involved. DEBUG stores data for its own use in those locations, so we recommend that you never overwrite bytes in that area; unless you know for sure they won't be necessary!
Example: A student in an Assembly class was told to enter a string of commands under DEBUG, the last one being: JMP 0 which he was supposed to Trace (T) to the next command and then execute it. He was told it would be an INT 20instruction. Well in most cases this is true, because DEBUG always sets the first two bytes of its working segment to "CD 20" for just this purpose. Let's test this out. First, open a new instance of DEBUG, then enter the following commands:
-f 100 ffff 0 [Zero-out 100 through FFFF]
-e 100 e9 fd fe [Enters a 'JMP 0' at 100]
-u 100 102 [Check for correct entry]
xxxx:0100 E9FDFE JMP 0000
AX=0000 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=xxxx ES=xxxx SS=xxxx CS=xxxx IP=0100 NV UP EI PL NZ NA PO NC
xxxx:0100 E9FDFE JMP 0000
-u 0 1
xxxx:0000 CD20 INT 20
If you don't see "INT 20" after entering "u 0 1", then restart DEBUG and try again.
-t [The "T"(Trace) command]

AX=0000 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=xxxx ES=xxxx SS=xxxx CS=xxxx IP=0000 NV UP EI PL NZ NA PO NC
xxxx:0000 CD20 INT 20
-p [Always make sure you use a "P"(Proceed) command for Interrupts!]

Program terminated normally
-q [Quit]
Well, this never worked for those students. Why? Because the teacher had mistakenly told them to Fill the whole segment with zero bytes (f 0 ffff 0), in essence telling them to delete the very instruction he'd wanted them to execute!

Enter: E address [list]
Used to enter data or instructions (as machine code) directly into Memory locations.
Example. First we'll change a single byte at location CS:FFCB from whatever it was before to D2 :
-e ffcb d2
The next two examples show that either single(') or double(") quote marks are acceptable for entering ASCII data. By allowing both forms, you can include the other type of quote mark within your entry string:
-e 200 'An "ASCII-Z string" is always followed by '
-e 22a "a zero-byte ('00h')." 00
Now let's examine a string of 11 hex bytes that you can enter into Memory at locations CS:0100 and following:
-e 100 B4 09 BA 0B 01 CD 21 B4 00 CD 21
This is actually machine code for a program that will display whatever ASCII characters it finds at locations CS:010B and following, until it encounters a byte value of 24h (a $ sign). If you really want to run this program, you should at least enter a 24h in the last byte of the Segment; that will make sure the program finally terminates there, if necessary! Just do the following:
-e ffff 24
-g =100
And sooner or later, you'll see: "Program terminated normally" on the display screen.
Here's something a bit more interesting for you to try out: It's essentially the same program, but the data includes all of the byte values from 00h through FFh; except for 24h which we placed at the end of the last line. The DEBUG prompt symbol, - , has been purposely excluded from the lines below, so you can copy and paste the whole block all at once into DEBUG in a DOS-Window (some Help on using DOS-Window controls is here if you needed):
e 100 B4 09 BA 0B 01 CD 21 B4 00 CD 21 0D 0A 0D 0A 00 01 02
e 112 03 04 05 06 07 08 09 20 0B 0C 20 0E 0F 10 11 12 13 14
e 124 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 20 25 26
e 136 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38
e 148 39 3A 3B 3C 3D 3E 3F 0D 0A 0D 0A 40 41 42 43 44 45 46
e 15a 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58
e 16c 59 5A 5B 5C 5D 5E 5F 60 61 62 63 64 65 66 67 68 69 6A
e 17e 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 7B 7C
e 190 7D 7E 7F 0D 0A 0D 0A 80 81 82 83 84 85 86 87 88 89 8A
e 1a2 8B 8C 8D 8E 8F 90 91 92 93 94 95 96 97 98 99 9A 9B 9C
e 1b4 9D 9E 9F a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aA aB aC aD aE
e 1c6 aF b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 bA bB bC bD bE bF 0D
e 1d8 0A 0D 0A c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 cA cB cC cD cE
e 1ea cF d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 dA dB dC dD dE dF e0
e 1fc e1 e2 e3 e4 e5 e6 e7 e8 e9 eA eB eC eD eE eF f0 f1 f2
e 20e f3 f4 f5 f6 f7 f8 f9 fA fB fC fD fE fF 0D 0A 0D 0A 24
The bytes 0Dh and 0Ah produce a Carriage Return and Linefeed on the display, so they were replaced by a 20h (a space) in the listing above. The 24h byte was, of course, moved to the end of the listing and its original location also turned into a space. A blank line was placed at the beginning of the output, and after every 64 bytes, by inserting the byte sequence '0D 0A 0D 0A' at those points in the listing above.
Therefore, when the program is run, we should see four separate lines of 64 characters each (a few of those being the blank spaces; as we mentioned above), right? Let's find out: Start DEBUG in a DOS-Window, copy and paste the lines above into DEBUG at its prompt symbol, - , then enter the following command:
g =100 ( 'g' followed by a SPACE, then '=100')
This will immediately run (see Go command) the program, displaying the lines mentioned above and lastly another line which states: "Program terminated normally" [ Do not exit DEBUG, and leave the DOS-Window open; we'll be making a 'patch' to this code below ].
Were you were surprised to find more than four spaces on the first line, or that there appear to be some missing characters at the end of that line? If so, then you might want to study about the Control Characters at the beginning of an ASCII chart. You'll also need to learn about Interrupts and what effect different BIOS and DOS Video Functions have on how the ASCII Characters are displayed. OK, I'll save you the time and tell you what happened:
First, the Zero byte displays as a blank space here. The 07 byte makes a beep or ding sound (but does not display anything), 08 performs a BACKSPACE (erasing the 06 byte character) and 09 is a TAB -- which may jump up to eight columns to the right before reaching the next 'Tab Stop.' But since it just happens to begin in column seven, it only moves one column to the right where our program places the blank space we substituted for 0Ah. Lastly, for some reason, when using Function 09 of INT 21h ("Display a string of characters until a '$' sign is encountered"), the ESC character (1Bh; 27 decimal) doesn't display or do anything either. So, after reaching the end of the first line, it appears as if five of the characters were never displayed.

Now enter the following two lines into DEBUG (which contain more blank-space substitutions) and run the program again, you'll see all of the displayable characters output on the first line in their correct positions:
e 10F 00 01 02 03 04 05 06 20 20 20 20 0B 0C 20
e 11D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 20
And all four rows should display evenly in size, including the last one, because the FFh (255 decimal) displays as a blank space! You can prove this by inserting another byte such as 2Eh (a period '.') right after the FFh byte. Since DEBUG can only overwrite a byte, not insert one, here's another patch which effectively moves the remainder of the program bytes (after the FFh) up by one location:

e 21b 2e 0d 0a 0d 0a 24

After patching and running it again, the program output should look like this :

You can save this program to your hard drive, by first giving it a path and filename (such as, C:\TEMP\ASCIIDSP.COM; see 'N' Name command) and writing the bytes (see 'W' Write command) to a file like this:
-n c:\temp\
:121 [ Program Length = 220h - 100h + 1 = 121h ]
If you check the file properties of ASCIIDSP.COM, its size should be 289 bytes.

Go: G [=address] [addresses]
Go is used to run a program and set breakpoints in the program's code.

As we saw in an Example for the ENTER command, the '=address' option is used to tell DEBUG a starting location. If you use 'g' all by itself, execution will begin at whatever location is pointed to by the CS:IP registers. Optionalbreakpoints ( meaning the program will HALT before executing the code at any of these locations) of up to any ten addresses may be set by simply listing them on the command line.

Requirements: Breakpoints can only be set at an address containing the first byte of a valid 8088/8086 Opcode. So don't be surprised if picking some arbitrary address never halts the program; especially if you're trying to DEBUG a program containing opcodes DEBUG can't understand (that's anything 'requiring' a CPU above an 8088/8086)!

CAUTION: DEBUG replaces the original instructions of any listed breakpoint addresses with CCh (an INT 3). The instructions at these locations are restored to their originals ONLY if one of the breakpoints is encountered... If DEBUG does not HALT on any breakpoint, then all your breakpoints are still enabled! So, don't ever save the code as is, unless you're sure that DEBUG has hit one of your breakpoints! ( Saving to a backup copy before ever using breakpoints is often a better way. )

Back to TOC

Assemble: A [address]
Creates machine executable code in memory beginning at CS:0100 (or the specified address) from the 8086/8088 (and 8087) Assembly Language instructions which are entered. Although no Macro instructions nor labels are recognized, you can use the pseudo-instructions 'DB' and 'DW' (so you can use the DB opcode to enter ASCII data like this: DB 'This is a string',0D,0A ).
The 'A' command remembers the last location where any data was assembled, so successive 'A' commands (when no address is specified) will always begin at the next address in the chain of assembled instructions. This aspect of the command is similar to the Dump command which remembers the location of its last dump (if no new address is specified).

The assembly process will stop after you ENTER an empty line.

Example; you ENTER the characters in bold type; you do not need to enter the comments after the semi-colon ( ; ) symbols :
-a 100
xxxx:0100 jmp 126 ; Jump over data that follows:
xxxx:0102 db 0d,0a,"This is my first DEBUG program!"
xxxx:0123 db 0d,0a,"$"
xxxx:0126 mov ah,9 ; Function 09 of Int 21h:
xxxx:0128 mov dx,102 ; DS:DX -> $-terminated string.
xxxx:012B int 21 ; Write String to STD Output.
xxxx:012D mov ah,0 ; Function 00 of Int 21h:
xxxx:012F int 21 ; Terminate Program.
-g =100

This is my first DEBUG program!

Program terminated normally

NOTE: You can pipe simple 8086/8088 Assembly Language "scripts" into DEBUG (You can even include a semi-colon ';' followed by comments on most of its lines. For some odd reason though, these comments are not allowed on DB/DW lines!). For example, you can copy and paste the following into the DEBUG program (after entering the "a" command) and obtain the same results as above:
jmp 126 ; Jump over data that follows:
db 0d,0a,"This is my first DEBUG program!"
db 0d,0a,"$"
; End of string marker above: "$"=24h
mov ah,9 ; Function 09 of Int 21h:
mov dx,102 ; DS:DX -> $-terminated string.
int 21 ; Write String to STD Output.
mov ah,0 ; Function 00 of Int 21h:
int 21 ; Terminate Program.
• DEBUG uses the convention of enclosing operands which refer to Memory locations in square brackets '[ ]' (as opposed to an immediate value as an operand).

• DEBUG may require you to explicitly tell it whether or not an operand refers to a word or byte in Memory! In such cases, the data type must be stated using the prefixes 'WORD PTR' or 'BYTE PTR'

• For all 8087 opcodes, the WAIT or FWAIT prefix must be explicitly specified.

Unassemble: U [range]
Disassembles machine instructions into 8086 Assembly code. Without the optional [range], it uses Offset 100 as its starting point, disassembles about 32 bytes and then remembers the next byte it should start with if the command is used again. ( The word 'about' was used above, because it may be necessary to finish with an odd-number of bytes greater than 32, depending upon the last type of instruction DEBUG has to disassemble. )

NOTE: The user must decide whether the bytes that DEBUG disassembles are all 8086 instructions, just data or any of the newer x86 instructions (such as those for the 80286, 80386 on up to the lastest CPU from Intel; which are all beyond the ability of DEBUG to understand)!

-u 126 12F
xxxx:0126 B409 MOV AH,09
xxxx:0128 BA0201 MOV DX,0102
xxxx:012B CD21 INT 21
xxxx:012D B400 MOV AH,00
xxxx:012F CD21 INT 21

Input: I port
The use of I/O commands while running Windows™9x/Me is just plain unreliable! This is especially true when trying to directly access hard disks! Under Win NT/2000/XP, the I/O commands are only an emulation; so don't trust them. Though the example below still works under Win2000/XP, it's most likely using some WinAPI code to show what's in the Windows clock area; not directly from an RTC chip.
Long ago (when DOS was the only OS for PCs), there were dozens of BASIC programs that used I/O commands for handling tasks through parallel and serial ports (e.g., to change the font used by a printer or values in a modem's control registers). Under real DOS, they can still be used for direct communications with keyboards or a floppy drive's control chips along with many other hardware devices.
Here's an example of how to read the hours and minutes from a computer's "real time clock" (RTC):
-o 70 04 <-- Check the hours.
-i 71
18 <----- 18 hours (or 6 p.m.)
-o 70 02 <-- Check the minutes.
-i 71
52 <----- 52 minutes
The first space isn't necessary under most versions of DEBUG; so you can try to get away with just "o70" and "i71" instead. Here's a page of more complex examples dealing with hard drives and the ATA commands for reading info directly from a disk controller!

Output: O port byte
See comments under the Input command.

L [address] [drive] [firstsector] [number]
or program! (See the N command for more on this)
This command will LOAD the selected number of sectors from any disk's Logical Drive under the control of MS-DOS or Windows into Memory. The address is the location in Memory the data will be copied to (use only 4 hex digits to keep it within the memory allocated to DEBUG), the drive number is mapped as: 0=A:, 1=B:, 2=C:, etc., firstsector counts from ZERO to the largest sector in the volume and finally number specifies in hexadecimal the total number of sectors that will be copied into Memory (so a floppy disk with 0 through 2,879 sectors would be: 0 through B3F in Hex).
The terms 'Volume' or 'Logical Drive' used in the definition above mean that you can not use the 'L' command to load or examine the MBR, or any other sectors outside of the Primary Volumes or Logical Drive Letters assigned by DOS or Windows! For example (under Windows™ 9x/ME), if you enter the command: L 100 2 0 1 in DEBUG, instead of seeing the very first sector on that hard disk (the MBR), you'll see the first sector of the Boot Record for the Logical drive C: instead (the first partition that can accessed by a compatible MS-DOS or Windows OS). This and the following comments about diskettes, show that DEBUG has always been quite limited compared to a good disk editor or the UNIX 'dd' program.
Load can still be useful in examining Floppy Disks even under Windows™ 2000/XP, but (unfortunately), only if the disk can be read by MS-DOS or Windows. Once again, this shows how limited DEBUG is compared to any utility that can view the raw data on either a hard drive or diskette. (For those of you who wish to examine the actual contents of a hard disk under Windows™XP, there are free disk editors, such as HxD, which allow you to do so.)
Unlike hard disks, the very first sector on a floppy disk is an OS Boot sector. Here's what you might see from a Logical disk sector and some dumps from a couple floppy disks.

-l 100 2 0 1 [ the C: drive. ]
-d 100 10f
xxxx:0100 EB 58 90 4D 53 57 49 4E-34 2E 31 00 02 08 20 00 .X.MSWIN4.1... .
-d 280 2ff
xxxx:0280 01 27 0D 0A 49 6E 76 61-6C 69 64 20 73 79 73 74 .'..Invalid syst
xxxx:0290 65 6D 20 64 69 73 6B FF-0D 0A 44 69 73 6B 20 49 em disk...Disk I
xxxx:02A0 2F 4F 20 65 72 72 6F 72-FF 0D 0A 52 65 70 6C 61 /O error...Repla
xxxx:02B0 63 65 20 74 68 65 20 64-69 73 6B 2C 20 61 6E 64 ce the disk, and
xxxx:02C0 20 74 68 65 6E 20 70 72-65 73 73 20 61 6E 79 20 then press any
xxxx:02D0 6B 65 79 0D 0A 00 00 00-49 4F 20 20 20 20 20 20 key.....IO
xxxx:02E0 53 59 53 4D 53 44 4F 53-20 20 20 53 59 53 7E 01 SYSMSDOS SYS~.
xxxx:02F0 00 57 49 4E 42 4F 4F 54-20 53 59 53 00 00 55 AA .WINBOOT SYS..U.
-l 100 0 0 1 [ a floppy in the A: drive. ]
-d 100 13d
xxxx:0100 EB 3C 90 29 47 38 71 33-49 48 43 00 02 01 01 00 .<.)G8q3IHC.....
xxxx:0110 02 E0 00 40 0B F0 09 00-12 00 02 00 00 00 00 00 ...@............
xxxx:0120 00 00 00 00 00 00 29 40-16 D8 13 4E 4F 20 4E 41 ......)@...NO NA
xxxx:0130 4D 45 20 20 20 20 46 41-54 31 32 20 20 20 ME FAT12
-l 100 0 0 1 [ a different floppy in the A: drive. ]
-d 100 13d
xxxx:0100 EB 3C 90 53 59 53 4C 49-4E 55 58 00 02 01 01 00 .<.SYSLINUX.....
xxxx:0110 02 E0 00 40 0B F0 09 00-12 00 02 00 00 00 00 00 ...@............
xxxx:0120 00 00 00 00 00 00 29 7E-CF 55 3C 20 20 20 20 20 ......)~.U<
xxxx:0130 20 20 20 20 20 20 46 41-54 31 32 20 20 20 FAT12
-d 2d0 2ff
xxxx:02D0 42 3B 16 1A 7C 72 03 40-31 D2 29 F1 EB A7 42 6F B;..|r.@1.)...Bo
xxxx:02E0 6F 74 20 66 61 69 6C 65-64 0D 0A 00 00 00 00 4C ot failed......L
xxxx:02F0 44 4C 49 4E 55 58 20 53-59 53 F4 3C 82 3A 55 AA DLINUX SYS.<.:U.
Note that the Linux Boot disk above (note the word: SYSLINUX) is the kind formatted as an MS-DOS diskette and not with a true Linux file system (such as ext2 or ext3). If it had been formatted with some other kind of file system, or had a faulty boot sector, then MS-DEBUG would not be able to read it! Instead you'd see that old "General failure reading drive A / Abort, Retry, Fail?" error message! And when you had finally cleared away that error message, you'd be greeted by DEBUG's "Disk error reading drive A" error message. This makes DEBUG almost worthless as far as trying to fix an error in a floppy disk's boot sector! However, if you keep a binary copy of agood floppy disk Boot Sector somewhere, you could use DEBUG to overwrite whatever's on a faulty floppy disk's first sector (see Write command). But if you really want to see what's in such a Boot sector (that keeps DEBUG from recognizing it as valid), you'll need to use a disk editor such as Symantec's Norton DiskEdit (in Physical disk Mode only).
NOTE: Just because a floppy disk can't be read by DOS or opened in DEBUG does NOT necessarily mean it's defective. It might simply have been formatted with a file system it cannot recognize (such as Linux's ext2) and could easily boot-up on its own; this is a very good reason for labeling your disks! (CAUTION: Never try booting your system with a disk you're not 100% sure of; unless you disconnect all hard disks and don't have any flash BIOS, since it might contain a nasty boot virus! )
[ Many floppy disks have the letters IHC in their OEM ID field. What kind of OEM Name is that? None. Someone at Microsoft decided that this was where they'd place a new pseudo-random type of identification to make sure that any information cached by 'Windows 9x' from one disk wouldn't be mixed up with info from a different one if you swapped disks. The whole string begins with five pseudo-random hex bytes, and always ends with the characters IHC. All floppy diskettes that are not write-protected will have any original OEM ID overwritten. Once Windows has written this string, it will remain the same for any future disk reads or writes. However, performing even aquick format under Windows, will change the five hex bytes every time.
Some have concluded that the characters 'IHC' are the first three letters of the word "Chicago" in reverse order, since Chicago was the 'code name' for Windows 95™ before it was ever released (it would have appeared as ' OGACIHC' on the hypothetical disk). Although certainly a possibility, I have no proof of that. Due to my interest in some very old Greek Manuscripts, I still can't help seeing the 3 characters 'IHC' as an Iota, Eta and old style Sigma since this combination of letters was often used as an abbreviation for the Greek word IHSUS. Just another one of those coincidences of life.
REMEMBER: If you really want to preserve all of the contents of an important diskette, you can't even perform a simple Directory read under a Windows OS, UNLESS it is 'write-protected' and you know the drive's write-protect system is functioning correctly! ]

Move: M range address
This command should really be called: COPY (not Move) as it actually copies all the bytes from within the specifiedrange to a new address.

1) -m 7c00 7cff 600
Copies all the bytes between Offset 7C00 and 7CFF (inclusive) to Offset 0600 and following...
2) -m 100 2ff 70
This second example shows that it's very easy to overwrite most of the source you're copying from using the Movecommand. Apparently, DEBUG stores the source bytes elsewhere before writing them; otherwise, this example would cause a problem when it started overwriting what it hadn't copied yet! This copies the 512 bytes between Offsets 100h and 2FFh (inclusive) to Offset 0070 overwriting the first 368 bytes in the process.

Name: N [pathname] [arglist]
This command can be used to load files into DEBUG's Memory after you have started the program, but it's main function is to create a new file under control of the Operating System which DEBUG can WRITE data to.
Normally, when you want to 'debug' a file, you'd start DEBUG with a command like this: C:\WINDOWS>debug . But it's also possible to load a file into DEBUG's Memory from within DEBUG itself by using the 'N' command and then the 'L' command (with no parameters) like this:
-n c:\temp\
which will load the file into DEBUG's Memory starting at location CS:0100 (you cannot specify any other location when using the L command like this!).
The 'N' command makes it quite easy to save data or an Assembly program created in DEBUG to a file on your hard drive!
For example, these commands (in bold; along with DEBUG's reponses):
-n c:\temp\
-a 100
cs:0100 jmp 138
cs:0102 db 0d,0a,"It's OK to run this "
cs:0118 db "program under DOS or Windows!"
cs:0135 db 0d,0a,24
cs:0138 mov dx,102
cs:013B mov ah,9
cs:013D int 21
cs:013F mov ax,4c01
cs:0142 int 21
CX 0000
Writing 00044 bytes [ 68 bytes in decimal ]
will create a 68-byte file called DOSWINOK.COM in the C:\TEMP folder; even when running DEBUG in a DOS-window. The file names, however, are still limited to DOS's eight characters plus three for the extension (an 8.3 filename as it's often called)!
Note: Unlike the other programs listed on this page, this one uses Function 4Ch instead of Function 00 of Interrupt 21h to terminate its execution. This is the preferred termination function for most DOS programs, because it can not only send a "Return Code" (an ERRORLEVEL value; of whatever is in the AL register), but will also close all open files and free all memory belonging to the process. When you use this function to terminate a program running under DEBUG though, it has a tendency to also terminate DEBUG itself; thus our reason for rarely using it here!
Homework: Follow the steps above to Assemble and save this program under DEBUG, then use DEBUG to debug it!Use the P(roceed) command to step through most of the instructions, since this will keep you from accidentallystepping into an INT(errupt) instruction! If you ever do use the T(race) command on an INT, you'll end up inside nests ofBIOS routines which often crashes DEBUG!

Register: R [register]
Entering ' r ' all by itself will display all of the 8086 register's contents and the next instruction which the IP register points to in both machine code and an unassembled (Assembly Language) form. For example, if you start DEBUG in a Windows 95B DOS-box with the command line:
>debug c:\windows\command\
and then enter an ' r ' at the first DEBUG prompt, DEBUG will display someting similar to this:
AX=0000 BX=0000 CX=1437 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
0ED8:0100 E90E01 JMP 0211
For an explanation of the names of the registers (AX, BX, CX, etc. and the Flag symbols: NV UP EI PL NZ NA PO NC), see the Appendix (The 8086 CPU Registers). The last line shows that the next CPU instruction (actually the first in this case) to be executed, begins at memory location 100 hex (the Offset) in Segment ED8 hex (0ED8:0100) and that the Hex bytes E90E01 represent the actual binary machine code of the CPU instruction (JMP 0211 in Assembly language) thatwould be executed by DEBUG if you entered a Trace (t) or Proceed (p) command.

If you enter the ' r ' followed by the abbreviation for an 8086 register, such as: ' rcx ', then DEBUG will display only the contents of that register followed by a line with a colon symbol (:) on which you can enter a hex number to change the contents of that register. If you simply press the ENTER key, the contents remain the same. For example:

CX 0100

means that the Register command was used to change the contents of the CX register from 0100 to 0273. The command ' rcx ' could be used again to verify that the change had indeed taken place. If you type the letter f after an r: ' rf ', this commands DEBUG to display all of the FLAG register bits with a prompt on the same line which allows you to change any or none of the individual flag bits. For example, here's how you would display the flags and change just the Zero Flag bit from being cleared (a 0 bit) to being set (a 1 bit):

As you can see above the Zero Flag was changed from NZ (cleared) to ZR (set). See the Appendix The FLAGS Registerbelow for an explanation of all the Flag abbreviations.
Back to TOC

Trace: T [=address] [number]
The T command is used to trace (step through) CPU instructions one at a time. If you enter the T command all by itself, it will step through only ONE instruction beginning at the location specified by your CS:IP registers, halt program execution and then display all the CPU registers plus an unassembled version of the next instruction to be executed; this is the 'default' mode of the TRACE command. Say, however, you wanted DEBUG to trace and execute seven instructions beginning at address CS:0205; to do so, you would enter:

-t =205 7

Remember that the value for the number of instructions to execute must be given in hexadecimal just as all other values used in DEUBG. (Since the T command uses the "hardware trace mode" of the CPU, it's possible to step through instructions in a ROM - Read Only Memory - chip.)

Proceed: P [=address] [number]
Proceed acts exactly the same as Debug's T (Trace) command for most types of instructions... EXCEPT: Proceed will immediately execute ALL the instructions (rather than stepping through each one) inside any Subroutine CALL, a LOOP, a REPeated string instruction or any software INTerrupts. This means that you do not have to single-step through any of the code contained in a Subroutine or INT call if you use the Proceed (P) command.
This means Proceed will be the command you use most often to debug programs, and Trace will only be used to step into a Subroutine or possibly check the logic of the first few iterations of a LOOP or REP instruction.

W [address] [drive] [firstsector] [number]
Do NOT experiment with the W - write command in DEBUG. It can be used effectively to create new files on your hard drive, but only if you use it properly. Trying to write directly to a sector on a hard disk would very RARELY be considered proper use of this command!

Trying to write directly to a hard disk using sector numbers will most likely result in loss of data or even a corrupted hard drive!
The WRITE (W) command is often used to save a program to your hard disk from within DEBUG. But the only safe way to do so, especially under Windows, is by allowing the OS to decide where to physically create that file on the disk. This is done by first using the Name (N) command to set up an optional path and filename for the new file (or to overwrite one that already exists). DEBUG will automatically begin saving program or data bytes from Offset 0100 of the 64 KiB Segment that the OS allocated for it. The only other requirement is to set the size of the file you wish to write by placing the total number of bytes in the combined BX and CX registers* before executing the WRITE command. The Register command is used to change the value in the CX register in the following example from our own MyMBR Batch/Debug Script Program.

After creating and running a small program inside of DEBUG which copies the Master Boot Record (MBR) to Offset0000h through 01FFh, these DEBUG commands save the MBR to a file on the hard disk:
-n mymbr.bin
CX 0001
-w 0
Writing 00200 bytes [ 512 bytes in decimal ]
The BX register had already been set to zero by a previous instruction, so the CX register was simply set to 200 and the WRITE command executed with an address of 0 (if no address is used, the Write command starts saving bytes atOffset 100).

The WRITE command can, however, be used in a relatively safe manner with Floppy disks. For example, you could use the Load (L) command:
l 7c00 0 0 1
to load the first sector of an MS-DOS or Windows floppy disk into DEBUG's memory at location 7C00, change some of the code and/or messages (if you know how to do so) and then use the 'W' command:
w 7c00 0 0 1
to write the changes back to the floppy disk's first sector.
*Although the BX and CX registers are often referenced in books on Assembly as BX:CX when they discuss the write command, NOTE that these registers are not being used like Segment:Offset pairs in this case! They are a true combination of higher and lower bytes which form a 'double word' for a theoretical total of four Gigabytes (FFFF FFFFh = 4,294,967,295 bytes) that could be written to a file! I'm not sure if this has always been true of DEBUG, but under DOS 7.1 (sometimes called Windows 98), I've been able to load image files of several hundreds of KB and then write the whole file to a new location!
For example, if I load a 360 KB image file into DEBUG at a DOS prompt, then check the registers, BX will equal 0005 andCX will contain A000. The major problem here though is the fact that DEBUG uses CONVENTIONAL MEMORY, so trying to load an image file greater than about 400KB or so is bound to elicit an "Insufficient Memory" error!

Thursday, March 12, 2009

Trojan Ports Used By Intruders

TCP 1 Breach.2001, SocketsDeTroie.230, SocketsDeTroie.250
TCP 28 Amanda.200
TCP 31 MastersParadise.920
TCP 68 Subseven.100
TCP 142 NetTaxi.180
TCP 146 Infector.141, Intruder.100, Intruder.100
TCP 171 ATrojan.200
TCP 285 WCTrojan.100
TCP 286 WCTrojan.100
TCP 334 Backage.310
TCP 370 NeuroticKat.120, NeuroticKat.130
TCP 413 Coma.109
TCP 420 Breach.450
TCP 555 Id2001.100, PhaseZero.100, StealthSpy.100
TCP 623 Rtb666.160
TCP 660 Zaratustra.100
TCP 661 Noknok.800, Noknok.820
TCP 666 BackConstruction.210, BackConstruction.250, Bla.100, Bla.200, Bla.400, Bla.503, Cain.150, Dimbus.100, Noknok.820, Ripper.100, SatansBackdoor.100, SatansBackdoor.101, SatansBackdoor.102, Unicorn.100, Unicorn.101, Unicorn.110
TCP 667 SniperNet.210, Snipernet.220
TCP 668 Unicorn.101, Unicorn.110
TCP 680 Rtb666.160
TCP 777 Tiny.100, Undetected.230, Undetected.300, Undetected.310, Undetected.320, Undetected.330, Undetected.331, Undetected.332
TCP 785 NetworkTerrorist.100
TCP 800 NeuroticKitten.010
TCP 831 NeuroticKat.100, NeuroticKat.120, NeuroticKat.130
TCP 901 NetDevil.130, NetDevil.140
TCP 1000 DerSpaeher.200
TCP 1001 Silencer.100
TCP 1008 AutoSpy.100
TCP 1010 DerSpaeher.200
TCP 1015 Doly.150
TCP 1111 TPort.100
TCP 1130 Noknok.800, Noknok.820
TCP 1207 SoftWAR.100
TCP 1243 Subseven.100, SubSeven.110, SubSeven.180, SubSeven.190, Subseven.200
TCP 1245 VoodooDoll.006
TCP 1269 Matrix.130
TCP 1480 RemoteHack.130
TCP 1568 RemoteHack.100, RemoteHack.110
TCP 1600 DirectConnection.100
TCP 1601 DirectConnection.100
TCP 1602 DirectConnection.100
TCP 1634 NetCrack.100
TCP 1784 Snid.120, Snid.212
TCP 1999 TransmissionScout.100, TransmissionScout.110
TCP 2000 ATrojan.200, InsaneNetwork.400
TCP 2001 DIRT.220, TrojanCow.100
TCP 2003 TransmissionScout.100, TransmissionScout.110
TCP 2023 RipperPro.100
TCP 2040 InfernoUploader.100
TCP 2115 Bugs.100
TCP 2140 DeepThroat.100, DeepThroat.200, DeepThroat.310
TCP 2332 SilentSpy.202
TCP 2589 Dagger.140
TCP 2600 DigitalRootbeer.100
TCP 2989 Rat.200
TCP 3128 MastersParadise.970
TCP 3129 MastersParadise.920, MastersParadise.970
TCP 3150 DeepThroat.100, DeepThroat.200, DeepThroat.310, MiniBacklash.110
TCP 3215 BlackStar.100, Ghost.230
TCP 3333 Daodan.123
TCP 3410 OptixPro.100, OptixPro.110
TCP 3456 Force.155, TerrorTrojan.100
TCP 3505 AutoSpy.130, AutoSpy.140
TCP 3586 Snid.120, Snid.212
TCP 3700 PortalOfDoom.100
TCP 3723 Mantis.100
TCP 3800 Eclypse.100
TCP 3996 RemoteAnything.364
TCP 4000 SkyDance.220, SkyDance.229
TCP 4201 Wartrojan.160, Wartrojan.200
TCP 4225 SilentSpy.202
TCP 4321 Bobo.100
TCP 4444 AlexTrojan.200, Crackdown.100
TCP 4488 EventHorizon.100
TCP 4523 Celine.100
TCP 4545 InternalRevise.100, RemoteRevise.150
TCP 4567 FileNail.100
TCP 4666 Mneah.100
TCP 4950 ICQTrojan.100
TCP 5005 Aladino.060
TCP 5025 Keylogger.WMRemote.100
TCP 5031 NetMetro.104
TCP 5032 NetMetro.104
TCP 5033 NetMetro.104
TCP 5050 RoxRat.100
TCP 5151 OptixLite.020, OptixLite.030, OptixLite.040
TCP 5190 MBomber.100
TCP 5277 WinShell.400
TCP 5343 WCRat.100
TCP 5400 BackConstruction.120, BackConstruction.150, BladeRunner.080, DeepThroat.300
TCP 5401 BackConstruction.120, BackConstruction.150, BackConstruction.210, BackConstruction.250, BladeRunner.080, DeepThroat.300, Mneah.100
TCP 5402 BackConstruction.210, BackConstruction.250, BladeRunner.080, DeepThroat.300, Mneah.100
TCP 5534 TheFlu.100
TCP 5550 XTCP.200, XTCP.201
TCP 5555 Noxcape.100, Noxcape.200
TCP 5695 Assassin.100
TCP 5714 WinCrash.100
TCP 5741 WinCrash.100
TCP 5742 WinCrash.103
TCP 5802 Y3KRat.160
TCP 5810 Y3KRat.160
TCP 5838 Y3KRat.170
TCP 5858 Y3KRat.110, Y3KRat.120, Y3KRat.140
TCP 5880 Y3KRat.140
TCP 5881 Y3KRat.110, Y3KRat.120, Y3KRat.140
TCP 5882 Y3KRat.100, Y3KRat.110, Y3KRat.120, Y3KRat.140, Y3KRat.150
TCP 5883 Y3KRat.110, Y3KRat.140
TCP 5884 Y3KRat.140, Y3KRat.150
TCP 5885 Y3KRat.110, Y3KRat.120, Y3KRat.140
TCP 5886 Y3KRat.120, Y3KRat.140
TCP 5887 Y3KRat.110, Y3KRat.120, Y3KRat.140
TCP 5888 Y3KRat.100, Y3KRat.110, Y3KRat.120, Y3KRat.140, Y3KRat.150
TCP 5889 Y3KRat.100, Y3KRat.110, Y3KRat.120, Y3KRat.140, Y3KRat.150
TCP 5890 Y3KRat.140
TCP 6400 Thething.100, Thething.150
TCP 6556 AutoSpy.120, AutoSpy.122
TCP 6655 Aqua.020
TCP 6660 LameSpy.095
TCP 6666 LameRemote.100, ProjectMayhem.100
TCP 6669 Vampire.100
TCP 6670 DeepThroat.200, DeepThroat.210
TCP 6671 DeepThroat.310
TCP 6699 HostControl.101
TCP 6711 DeepThroat.300, Noknok.820, SubSeven.180, SubSeven.190
TCP 6712 Subseven.100
TCP 6713 Subseven.100
TCP 6767 NTRC.120
TCP 6776 SubSeven.180, SubSeven.190, Subseven.200
TCP 6789 Doly.200
TCP 6796 SubSeven.214
TCP 6912 ShitHeep.100
TCP 6939 Indoctrination.100
TCP 6953 Lithium.100
TCP 6969 2000Cracks.100, Bigorna.100, Danton.110, Danton.210, Danton.220, Danton.310, Danton.320, Danton.330, GateCrasher.110, NetController.108, Sparta.110, VagrNocker.120
TCP 6970 Danton.330
TCP 7001 Freak88.100
TCP 7119 Massaker.100
TCP 7200 Massaker.110
TCP 7300 Coced.221
TCP 7301 Coced.221
TCP 7306 NetSpy.200, NetSpy.200
TCP 7410 Phoenix.190, Phoenix.200
TCP 7511 Genue.100
TCP 7609 Snid.120, Snid.212
TCP 7614 Wollf.130
TCP 7648 BlackStar.100, Ghost.230
TCP 7788 Last.2000, Matrix.200
TCP 7826 MiniOblivion.010, Oblivion.010
TCP 7887 SmallFun.110
TCP 7891 Revenger.100
TCP 7979 VagrNocker.200
TCP 7997 VagrNocker.200
TCP 8000 XConsole.100
TCP 8011 Way.240
TCP 8012 Ptakks.215, Ptakks.217
TCP 8110 LoseLove.100
TCP 8111 LoseLove.100
TCP 8301 LoseLove.100
TCP 8302 LoseLove.100
TCP 8372 NetBoy.100
TCP 8720 Connection.130
TCP 8734 AutoSpy.110
TCP 8811 Force.155
TCP 8899 Last.2000
TCP 9000 Aristotles.100
TCP 9301 LoseLove.100
TCP 9400 InCommand.100, InCommand.110, InCommand.120, InCommand.130, InCommand.140, InCommand.150, InCommand.153, InCommand.160, InCommand.167, InCommand.170
TCP 9401 InCommand.100, InCommand.110, InCommand.170
TCP 9402 InCommand.100, InCommand.110
TCP 9561 CRatPro.110
TCP 9563 CRatPro.110
TCP 9580 TheefLE.100
TCP 9696 Danton.210, Ghost.230
TCP 9697 Danton.320, Danton.330, Ghost.230
TCP 9870 R3C.100
TCP 9872 PortalOfDoom.100
TCP 9873 PortalOfDoom.100
TCP 9874 PortalOfDoom.100
TCP 9875 PortalOfDoom.100
TCP 9876 Rux.100, SheepGoat.100
TCP 9877 SmallBigBrother.020
TCP 9878 SmallBigBrother.020, TransmissionScout.100, TransmissionScout.110, TransmissionScout.120
TCP 9879 SmallBigBrother.020
TCP 9999 ForcedEntry.100, Infra.100, Prayer.120, Prayer.130, TakeOver.200, TakeOver.300
TCP 10001 DTr.130, DTr.140
TCP 10013 Amanda.200
TCP 10067 PortalOfDoom.100
TCP 10100 Gift.240
TCP 10101 NewSilencer.100
TCP 10167 PortalOfDoom.100
TCP 10528 HostControl.100, HostControl.260
TCP 10607 Coma.109
TCP 10666 Ambush.100
TCP 11011 Amanda.200
TCP 11050 HostControl.101
TCP 11051 HostControl.100, HostControl.260
TCP 11223 AntiNuke.100, Progenic.100, Progenic.110
TCP 11225 Cyn.100, Cyn.103, Cyn.120
TCP 11306 Noknok.800, Noknok.820
TCP 11831 Katux.200, Latinus.140, Latinus.150, Pest.100, Pest.400
TCP 11991 PitfallSurprise.100
TCP 12043 Frenzy.2000
TCP 12345 Fade.100, Netbus.160, Netbus.170, VagrNocker.400
TCP 12346 Netbus.160, Netbus.170
TCP 12348 Bionet.210, Bionet.261, Bionet.280, Bionet.302, Bionet.305, Bionet.311, Bionet.313, Bionet.316, Bionet.317
TCP 12349 Bionet.084, Bionet.261, Bionet.280, Bionet.302, Bionet.305, Bionet.311, Bionet.313, Bionet.314, Bionet.316, Bionet.317, Bionet.401, Bionet.402
TCP 12389 KheSanh.210
TCP 12478 Bionet.210
TCP 12623 Buttman.090, Buttman.100
TCP 12624 Buttman.090, Buttman.100
TCP 12625 Buttman.100
TCP 12904 Akropolis.100, Rocks.100
TCP 13473 Chupacabra.100
TCP 13753 AFTP.010
TCP 14100 Eurosol.100
TCP 14194 CyberSpy.840
TCP 14286 HellDriver.100
TCP 14500 PCInvader.050, PCInvader.060, PCInvader.070
TCP 14501 PCInvader.060, PCInvader.070
TCP 14502 PCInvader.050, PCInvader.060, PCInvader.070
TCP 14503 PCInvader.050, PCInvader.060, PCInvader.070
TCP 14504 PCInvader.050, PCInvader.060
TCP 15092 HostControl.100, HostControl.260
TCP 15382 SubZero.100
TCP 15432 Cyn.210
TCP 15555 ICMIBC.100
TCP 16322 LastDoor.100
TCP 16484 MoSucker.110
TCP 16661 Dfch.010
TCP 16969 Progenic.100
TCP 16982 AcidShiver.100
TCP 17300 Kuang.200
TCP 17499 CrazzyNet.370, CrazzyNet.375, CrazzyNet.521
TCP 17500 CrazzyNet.370, CrazzyNet.375, CrazzyNet.521
TCP 17569 Infector.141, Infector.160, Infector.170, Infector.180, Infector.190, Infector.200, Intruder.100, Intruder.100
TCP 17593 AudioDoor.120
TCP 19191 BlueFire.035, BlueFire.041
TCP 19604 Metal.270
TCP 19605 Metal.270
TCP 19991 Dfch.010
TCP 20000 Millenium.100
TCP 20001 Millenium.100, PshychoFiles.180
TCP 20002 AcidKor.100, PshychoFiles.180
TCP 20005 MoSucker.200, MoSucker.210, MoSucker.220
TCP 21212 Schwindler.182
TCP 21554 Exploiter.100, Exploiter.110, Girlfriend.130, GirlFriend.135
TCP 21579 Breach.2001
TCP 21584 Breach.2001
TCP 21684 Intruse.134
TCP 22068 AcidShiver.110
TCP 22115 Cyn.120
TCP 22222 Prosiak.047, Ruler.141, Rux.300, Rux.400, Rux.500, Rux.600
TCP 22223 Rux.400, Rux.500, Rux.600
TCP 22456 Bla.200, Bla.503
TCP 22457 AcidShiver.120, Bla.200, Bla.503
TCP 22784 Intruzzo.110
TCP 22845 Breach.450
TCP 22847 Breach.450
TCP 23005 Infinaeon.110, NetTrash.100, Oxon.110, WinRat.100
TCP 23006 Infinaeon.110, NetTrash.100, Oxon.110, WinRat.100
TCP 23032 Amanda.200
TCP 23432 Asylum.010, Asylum.012, Asylum.013, Asylum.014, MiniAsylum.110
TCP 23456 EvilFTP.100, VagrNocker.400
TCP 23476 DonaldDick.153, DonaldDick.154, DonaldDick.155
TCP 23477 DonaldDick.153
TCP 24000 Infector.170
TCP 24307 Wildek.020
TCP 25386 MoonPie.220
TCP 25486 MoonPie.220
TCP 25555 FreddyK.100, FreddyK.200
TCP 25556 FreddyK.100
TCP 25685 MoonPie.010, MoonPie.012, MoonPie.130, MoonPie.220, MoonPie.240, MoonPie.400
TCP 25686 MoonPie.135, MoonPie.200, MoonPie.400
TCP 25982 MoonPie.135, MoonPie.200
TCP 26274 Delta.050
TCP 27160 MoonPie.135, MoonPie.200
TCP 27184 Alvgus.100, Alvgus.800
TCP 27374 Muerte.110, Subseven.210, SubSeven.213
TCP 28429 Hack'a'Tack.2000
TCP 28430 Hack'a'Tack.2000
TCP 28431 Hack'a'Tack.2000
TCP 28432 Hack'a'Tack.2000
TCP 28433 Hack'a'Tack.2000
TCP 28434 Hack'a'Tack.2000
TCP 28435 Hack'a'Tack.2000
TCP 28436 Hack'a'Tack.2000
TCP 29559 DuckToy.100, DuckToy.101, Katux.200, Latinus.140, Latinus.150, Pest.100, Pest.400
TCP 29891 Unexplained.100
TCP 30000 Infector.170
TCP 30001 Error32.100
TCP 30003 LamersDeath.100
TCP 30029 AOLTrojan.110
TCP 30100 NetSphere.127, NetSphere.130, NetSphere.131
TCP 30101 NetSphere.127, NetSphere.130, NetSphere.131
TCP 30102 NetSphere.127, NetSphere.130, NetSphere.131
TCP 30103 NetSphere.131
TCP 30947 Intruse.134
TCP 31320 LittleWitch.400, LittleWitch.420
TCP 31337 BackOrifice.120, Khaled.100, OPC.200
TCP 31415 Lithium.101
TCP 31416 Lithium.100, Lithium.101
TCP 31557 Xanadu.110
TCP 31631 CleptoManicos.100
TCP 31745 Buschtrommel.100, Buschtrommel.122
TCP 31785 Hack'a'Tack.100, Hack'a'Tack.112
TCP 31787 Hack'a'Tack.100, Hack'a'Tack.112
TCP 31789 Hack'a'Tack.100, Hack'a'Tack.112
TCP 31791 Hack'a'Tack.100, Hack'a'Tack.112
TCP 31887 BDDT.100
TCP 31889 BDDT.100
TCP 32100 ProjectNext.053
TCP 32418 AcidBattery.100
TCP 32791 Akropolis.100, Rocks.100
TCP 33291 RemoteHak.001
TCP 33333 Blackharaz.100, Prosiak.047, SubSeven.214
TCP 33577 SonOfPsychward.020
TCP 34324 TelnetServer.100
TCP 34763 Infector.180, Infector.190, Infector.200
TCP 35000 Infector.190, Infector.200
TCP 35600 Subsari.140
TCP 36794 BugBear.100
TCP 37237 Mantis.020
TCP 37651 YAT.210
TCP 37653 YAT.310
TCP 40308 Subsari.140
TCP 40412 TheSpy.100
TCP 40421 MastersParadise.970
TCP 40422 MastersParadise.970
TCP 40999 DiemsMutter.110, DiemsMutter.140
TCP 41626 Shah.100
TCP 44444 Prosiak.070
TCP 45673 Akropolis.100, Rocks.100
TCP 47262 Delta.050
TCP 48006 Fragglerock.200
TCP 49683 HolzPferd.210
TCP 50000 Infector.180
TCP 50130 Enterprise.100
TCP 50766 Fore.100
TCP 51234 Cyn.210
TCP 51966 Cafeini.080, Cafeini.110
TCP 54321 PCInvader.010
TCP 57341 NetRaider.100
TCP 57922 Bionet.084
TCP 58008 Tron.100
TCP 58009 Tron.100
TCP 59090 AcidReign.200
TCP 59211 DuckToy.100, DuckToy.101
TCP 59345 NewFuture.100
TCP 60000 DeepThroat.300, MiniBacklash.100, MiniBacklash.101, MiniBacklash.101
TCP 60411 Connection.100, Connection.130
TCP 60412 Connection.130
TCP 60552 RoxRat.100
TCP 63536 InsaneNetwork.500
TCP 63878 AphexFTP.100
TCP 63879 AphexFTP.100
TCP 64969 Lithium.100
TCP 65000 Socket.100
UDP 1 SocketsDeTroie.250
UDP 666 Bla.200, Bla.400, Bla.503, Noknok.820
UDP 1130 Noknok.800, Noknok.820
UDP 2140 DeepThroat.100, DeepThroat.200, DeepThroat.310
UDP 2989 Rat.200
UDP 3128 MastersParadise.970
UDP 3129 MastersParadise.920, MastersParadise.970
UDP 3150 DeepThroat.100, DeepThroat.200, DeepThroat.310, MiniBacklash.110
UDP 3333 Daodan.123
UDP 3800 Eclypse.100
UDP 3996 RemoteAnything.364
UDP 4000 RemoteAnything.364
UDP 5555 Daodan.123
UDP 5881 Y3KRat.110, Y3KRat.140
UDP 5882 Y3KRat.100, Y3KRat.110, Y3KRat.120, Y3KRat.140, Y3KRat.150
UDP 5883 Y3KRat.110, Y3KRat.140
UDP 5884 Y3KRat.140, Y3KRat.150
UDP 5885 Y3KRat.110, Y3KRat.120, Y3KRat.140
UDP 5886 Y3KRat.120, Y3KRat.140
UDP 5887 Y3KRat.110, Y3KRat.120, Y3KRat.140
UDP 5888 Y3KRat.100, Y3KRat.110, Y3KRat.120, Y3KRat.150
UDP 6953 Lithium.100
UDP 8012 Ptakks.217
UDP 10067 PortalOfDoom.100
UDP 10167 PortalOfDoom.100
UDP 10666 Ambush.100
UDP 11225 Cyn.100, Cyn.103, Cyn.120
UDP 11306 Noknok.800, Noknok.820
UDP 12389 KheSanh.210
UDP 12623 Buttman.090, Buttman.100
UDP 12625 Buttman.100
UDP 14100 Eurosol.100
UDP 23476 DonaldDick.155
UDP 26274 Delta.050
UDP 27184 Alvgus.100
UDP 28431 Hack'a'Tack.2000
UDP 28432 Hack'a'Tack.2000
UDP 28433 Hack'a'Tack.2000
UDP 28434 Hack'a'Tack.2000
UDP 28435 Hack'a'Tack.2000
UDP 28436 Hack'a'Tack.2000
UDP 29891 Unexplained.100
UDP 30103 NetSphere.131
UDP 31320 LittleWitch.400, LittleWitch.420
UDP 31337 BackOrifice.120, OPC.200
UDP 31416 Lithium.100, Lithium.101
UDP 31789 Hack'a'Tack.100, Hack'a'Tack.112
UDP 31791 Hack'a'Tack.100, Hack'a'Tack.112
UDP 33333 Blackharaz.100
UDP 47262 Delta.050
UDP 49683 HolzPferd.210
UDP 60000 MiniBacklash.100

Technology Definitions


Active Directory Service Interfaces is developed by Microsoft and gives developers access to multiple directory service providers through an open set of interfaces. Applications written to ADSI will work with any directory service that offers an ADSI provider.


Asynchronous JavaScript and XML is a web development technique for creating interactive web applications using a combination of web document formats, styles and models to exchange data asynchronously with web servers.


Active Server Pages (ASP) is the way for programmers to link and build web applications. The scripts are embedded in HTML forms and can be written in any language allowing for versatility for development. The use of ASP allows the pages to be dynamic, which means the page can be completely customizable for the user. The client is not able to see the ASP script because it is executed on the server side.


ASP.NET is A set of web development technologies that enable programmers to build web applications and XML web services.


Active Template Library is a set of prepackaged program routines for use when creating Active Server Page code and other Active X program components with C++.


C is a low-level standardized programming language for use on the UNIX operating system. It has since spread to many other operating systems, and is one of the most widely used programming languages.


This object-oriented programming (OOP) language is the best language for creating large-scale applications. C++ is a superset of the C language.


C# is an ECMA-compliant programming language deisgned to support .NET development.


Cascading Style Sheets is a standard stylesheet language for describing the presentation of a document written in a markup language like HTML or XHTML. CSS can be applied to any application of XML as well, such as SVG or XUL. The CSS specifications are maintained by the World Wide Web Consortium (W3C).


Component Object Model is an open standard that specifies how components work together and interoperate. COM is used as the basis for Active X and OLE. The use of the COM API ensures that a software object can be launched within an application using a wide variety of programming languages.


COM+ is an extension of COM. COM+ introducs an improved version of SPM (In-Memory Database). It also provides an asynchronous event service for generating events in multiple clients. And it uses the MSMQ services more transparently. It also automates load balancing when multiple servers are involved in an application.

Crystal Reports

Crystal Reports is a business intelligence application used to design and generate reports based on a wide scale of data sources like Microsoft SQL Server, Microsoft Access, MySQL and Oracle, Microsoft Excel, text files, groupware applications and other data source accessible through ODBC or OLAP.


Distributed Component Object Model is an addition to COM that facilitates the transparent distribution of objects over networks and over the Internet.


Dynamic HTML is a technique of creating web page interaction and design elements by using a combination of the static markup language like HTML, JavaScript, CSS and/or the Document Object Model.

HP Openview

IT os resource management software from Hewlett Packard. It is similar to IBM's Tivoli.


Hypertext Markup Language (HTML) is a coded format language used for creating hypertext documents on the World Wide Web. HTML is a set of ?markup? symbols inserted in a file that tells the web browser how to display a Web page?s format. Almost every Web page is coded with HTML.


Hypertext Transfer Protocol over Secure Socket Layers (HTTPS) is a protocol developed to enable secure e-commerce transactions. High Grade RC4 128 Bit Encryption Technology allows credit card data and other sensitive information to be transferred over the World Wide Web safely.

IBM Lotus Notes

Lotus Notes is a proprietary, client-server collaborative database and email system.

IBM Tivoli

Tivoli is a systems management platform from IBM which allows for remote system administration, configuration, and software installation.


Internet Message Access Protocol is an application layer Internet protocol used for accessing email on a remote server from a local client.


Javascript is a scripting language from Netscape. It is not the same as Java and was only designed to resemble Java. JavaScript is intended to be a fast and simple language for enhancing Web pages and servers. It is built into the browser to provide a simple means of adding interactivity to web pages. Javascript is supported by recent browsers from Netscape and Microsoft, but sometimes runs into difficulty on other browsers.


JavaServer Pages (JSP) allows for rapid web development that is dynamic, easily maintainable, and full of information. JSP separates the user interface from content generation, which leaves the ability to change page output while maintaining the underlying dynamic content.


The Java 2 Platform, Enterprise Edition (J2EE) defines the standard for developing multitier enterprise applications.

The J2EE platform simplifies enterprise applications by basing them on standardized, modular components, by providing a complete set of services to those components, and by handling many details of application behavior automatically, without complex programming. The J2EE platform takes advantage of many features of the Java 2 Platform, Standard Edition (J2SE), such as "Write Once, Run Anywhere" portability, JDBC API for database access, CORBA technology for interaction with existing enterprise resources, and a security model that protects data even in internet applications. Building on this base, the Java 2 Platform, Enterprise Edition adds full support for Enterprise JavaBeans components, Java Servlets API, JavaServer Pages and XML technology. The J2EE standard includes complete specifications and compliance tests to ensure portability of applications across the wide range of existing enterprise systems capable of supporting the J2EE platform. In addition, the J2EE specification now ensures Web services interoperability through support for the WS-I Basic Profile.


LDAP is the IETF designed and specified the Lightweight Directory Access Protocol makes use of X.500 directories and defines a relatively simple protocol for updating and searching directories running over TCP/IP.

Lotus Notes API

Provides a platform and version independent method of accessing Notes data and services.

Macromedia Flash

Macromedia Flash is an application published by the Macromedia Company. It is a popular authoring software and is used to create vector graphics-based animation programs with full-screen navigation interfaces and illustrations. Macromedia Flash gives much more creative room than HTML, but requires a Flash plug-in on the computer running it. Most newer browsers automatically come with Flash.


Messaging Application Programming Interface allows client programs to become (electronic mail) messaging-enabled, -aware, or -based by calling MAPI subsystem routines that interface with certain messaging systems and message stores.


Microsoft Foundation Class Library is a collection of generalized definitions used in object-oriented programming that can be used in building application programs.

Microsoft Exchange

Microsoft Exchange Server is a collaborative software server. The use of Microsoft Exchange is very widespread in large corporations using Microsoft infrastructure solutions.

Microsoft Access

Access is a database software provided by Microsoft and is the bestselling database in the world because it comes bundled in Microsoft Office? Products. Access is noted for its friendly user interface and ease of use. It is great for working on small to medium size applications.


Multipurpose Internet Mail Extensions is an Internet Standard for the format of e-mail. Virtually all Internet e-mail is transmitted via SMTP in MIME format.


MySQL or ?My Structured Query Language? is a relational database language. MySQL is the most popular open source language in the world for adding, accessing, and processing data in a database. It is extremely fast, easy to customize and reliable due to its structure though most agree that it works best when managing content and not executing transactions.


Microsoft® .NET is a set of Microsoft software technologies for connecting information, people, systems, and devices. It enables a high level of software integration through the use of Web services?small, discrete, building-block applications that connect to each other as well as to other, larger applications over the Internet.

.NET is infused into the products that make up the Microsoft platform, providing the ability to quickly and reliably build, host, deploy, and utilize connected solutions using Web services, all with the protection of industry-standard security technologies.

Active X

Active X is a Microsoft technology for software componentry. It is used to enable cross-software communication.


Oracle is a relational database management system developed and copyrighted by the Oracle Corporation. An Oracle database, is a collection of data managed by an Oracle database management system or DBMS.


Post Office Protocol is an application layer Internet standard protocol used to retrieve email from a remote server to a local client over a TCP/IP connection. Nearly all individual Internet service provider email accounts are accessed via POP3.


Relational Database Management System that is based on the relational model as introduced by Edgar F. Codd.


Simple Mail Transfer Protocol is the de facto standard for email transmission across the Internet.


Structured Query Language is a standard interactive and programming language for getting information from and updating a database.

Windows API

Windows API is a set of application programming interfaces available in the Microsoft Windows operating systems.


Extensible Markup Language is a simple, very flexible text format derived from SGML (ISO 8879). Originally designed to meet the challenges of large-scale electronic publishing, XML is also playing an increasingly important role in the exchange of a wide variety of data on the Web and elsewhere.


XML Schema Definition is an instance of an XML schema written in the XML Schema language. An XSD defines a type of XML document in terms of constraints upon what elements and attributes may appear, their relationship to each other, what types of data may be in them, and other things.


Extensible Style Language is a style sheet language aimed at activities such as rearranging the document that are not supported by CSS, though XSL and CSS share the same underlying concepts. XSL can be used to style XML documents u sing sets of rules and definitions of actions to be applied. XSL is a specification from the W3C.


Extensible Style Language Transformations is an XML-based language used in conjunction with specialized processing software, for the transformation of XML documents.