Thursday, September 8, 2011

New trojan masquerades as Microsoft enforcement-ware...Threatens to destroy everything and sue the remains


Malware-makers have created a strain of ransomware Trojan which masquerades as a Microsoft utility.
The Ransom-AN Trojan claims that the user's machine is running an unlicensed copy of Windows and threatens to cripple the victim's computer unless marks pay €100 for an unlock code, which can be purchased by credit card through a scam website. The malware attempts to spook intended victims with entirely bogus claims that a criminal prosecution will be launched unless payment is received within 48 hours. In addition, the Trojan says that all data and applications on targeted systems will be "permanently lost".
The malware, which targets German-speaking users, is being distributed via spam and P2P downloads. Panda Software, the Spanish net security firm which detected the threat, warned that the Trojan is difficult to remove manually.
Code to deactivate the malware: QRT5T5FJQE53BGXT9HHJW53YT
Entering it restarts the computer and removes the registry key created by this malware (detected as Ransom.AN), as well as the malware file.
"These types of Trojans are very dangerous because once they infect the computer it is extremely difficult to remove them manually, forcing users to pay the ransom or reformat their devices," said Luis Corrons, technical director of AV Lab. "In addition, because Ransom.AN appears to come from Microsoft and threatens actions from authorities, many users believe what the Trojan says and make the payment out of fear."
Previous ransomware strains have encrypted files in a bid to force infected users into paying. The tactics used by the Ransom-AN Trojan are a more aggressive extension of the basic scam, using threats of prosecution and outwardly convincing screens supposedly from Microsoft to peddle the ruse.

Wednesday, August 31, 2011

What's a QR code?




A QR code (Quick Response Code) is a specific matrix barcode (or two-dimensional code) that is machine readable and designed to be read by smartphones. The code consists of black modules arranged in a square pattern on a white background. The information encoded may be text, a URL, or other data.
Common in Japan, where it was created by Toyota subsidiary Denso Wave in 1994, the QR code is one of the most popular types of two-dimensional barcodes. The QR code was designed to allow its contents to be decoded at high speed. (Source: Wikipedia)

Basically, a QR code is a sophisticated bar code. So what makes QR codes different from the typical bar codes you see on food products and other items? Typical bar codes are linear, one-dimensional codes and can hold only up to 20 numerical digits, whereas QR codes are two-dimensional (2D) matrix barcodes that can hold thousands of alphanumeric characters of information.

In fact, it's their ability to hold significantly more information, as well as their user-friendliness, that makes QR codes practical for individuals and businesses of all sizes. QR codes can be scanned and read by camera-equipped smartphones using software that is already installed on the phone, or with a downloaded application such as Lynkee Reader or i-nigma Reader, which are compatible with a wide variety of modern smartphones including iPhone, Blackberry, Sony Ericsson, HTC, Motorola and Nokia. The readers/scanners give smartphone users the ability to read a QR code without special equipment.
For example, you could walk into a store, use your smartphone to scan an item that has a QR code on it, and have immediate access to the information.

Thursday, August 25, 2011

Malware attack : Your Credit Card is Blocked.


Cybercriminals have spammed out emails which claim to be a warning that your credit card has been blocked, but in reality contain a malicious attachment designed to infect your computer.
Be on your guard if you receive an unexpected email claiming that your credit card is blocked.
The dangerous emails use subject lines including "Your credit card is blocked" and "Your credit card has been blocked".
A typical email looks like the following:
Dear Customer,
Your credit card is blocked!
Your credit card was withdrawn $ XXXX,XX
Possibly illegal operation!
More information in the attached file.
Immediately contact your bank.
Best regards, MASTERCARD.com Customer Services.
Here's another version:
Dear User,
Your credit card is blocked!
With your credit card was removed $ XXXX,XX
Possibly illegal operation!
More details in the attached file.
Instantly contact your bank.
Best Wishes, MASTERCARD Customer Services.
Note that although the examples above refer to MasterCard, there are other versions which reference Visa, for instance.
The filenames and sums of money mentioned can vary from email to email, as does the wording in the message body. Presumably this was done by the cybercriminals in an attempt to avoid detection by security products.
Unfortunately, the attackers have largely succeeded; only some anti-virus products detect such mail (as Mal/RarMal-C and Troj/Bredo-IZ) and protect your system.
If you receive an email claiming that your credit card has been blocked – treat it with suspicion.
If you’re concerned that the email might be true, contact your bank directly (ensuring that you use a trusted point of contact – rather than believe the phone number or website offered to you by a spammed-out email!).
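One way to turn the indicators described above into a mail-filter check, as an added example that is not part of the original post: parse each message, test the subject against the two known lines, look for the shared lure phrases and the unfilled "$ XXXX,XX" amount, and flag any archive attachment. The sample messages below are constructed from the templates quoted above; the sender addresses and attachment names are invented.

```python
"""Flag "your credit card is blocked" malspam from its fixed traits.
Added example, not from the original post. The messages are constructed
from the templates quoted above; sender addresses and attachment names
are invented."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The two subject lines the campaign is known to use.
KNOWN_SUBJECTS = {
    "your credit card is blocked",
    "your credit card has been blocked",
}
# Wording shared by both templates, compared after lower-casing.
LURE_PHRASES = ("attached file", "contact your bank", "illegal operation")
# The payload travels as an archive attachment.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")


def score_message(raw: bytes) -> dict:
    """Inspect one RFC 5322 message and return the indicators found."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "known_subject": subject in KNOWN_SUBJECTS,
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
        # "$ XXXX,XX": an amount placeholder the template never filled in.
        "amount_placeholder": bool(re.search(r"\$\s?[\dx]+,[\dx]{2}", text)),
        "archive_attachment": [
            a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)
        ],
    }
    # The subject alone is not enough (a bank could write it); require the
    # lure structure too: an archive attachment or most of the template phrases.
    hits["suspicious"] = hits["known_subject"] and (
        bool(hits["archive_attachment"]) or len(hits["lure_phrases"]) >= 2
    )
    return hits


def build_sample(subject: str, body: str, attachment: str = None) -> bytes:
    """Assemble a constructed test message, optionally with an attachment."""
    msg = EmailMessage()
    msg["From"] = "MASTERCARD Customer Services <noreply@example.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # A few signature bytes stand in for the archive; content is irrelevant here.
        msg.add_attachment(b"Rar!\x1a\x07\x00", maintype="application",
                           subtype="x-rar-compressed", filename=attachment)
    return msg.as_bytes()


MALSPAM_MASTERCARD = build_sample(
    "Your credit card is blocked",
    "Dear Customer,\nYour credit card is blocked!\n"
    "Your credit card was withdrawn $ XXXX,XX\nPossibly illegal operation!\n"
    "More information in the attached file.\nImmediately contact your bank.\n"
    "Best regards, MASTERCARD.com Customer Services.\n",
    attachment="Card_Statement_0718.rar",
)
MALSPAM_VISA = build_sample(
    "Your credit card has been blocked",
    "Dear User,\nYour credit card is blocked!\n"
    "With your credit card was removed $ XXXX,XX\nPossibly illegal operation!\n"
    "More details in the attached file.\nInstantly contact your bank.\n"
    "Best Wishes, VISA Customer Services.\n",
    attachment="Visa_Report.rar",
)
LEGIT_NOTICE = build_sample(
    "Your monthly statement is ready",
    "Dear Customer,\nYour statement is available in online banking.\n"
    "Log in through the bank's usual address to view it.\n",
)

if __name__ == "__main__":
    for label, raw in (("mastercard", MALSPAM_MASTERCARD),
                       ("visa", MALSPAM_VISA), ("legit", LEGIT_NOTICE)):
        print(label, score_message(raw))
```

The verdict deliberately needs more than the subject line, because a genuine bank notice could carry the same words; it is the combination of the known subject with an archive attachment or the template's lure phrases that identifies the campaign.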

First malware using Android Gingerbreak root exploit


It did not take long after the discovery of Gingermaster, the first Android malware to use the Gingerbreak exploit, to acquire a sample, which was still available from a Chinese alternative Android marketplace.
The package downloaded uses the following permissions:
android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES
It was quite interesting to find out how and why the Gingerbreak privilege escalation exploit, also known as CVE-2011-1823, is used.
Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: it had no trouble installing on a test rig and in the Android emulator.
Gingermaster installed and the home activity
The malware purports to be an application which displays “Beauty of the day” pictures. The content is downloaded from a website, not packaged with the application.
(When I carried out my tests, the list of beauties also included photos of Lady Gaga – some celebrities seem to be truly global.)
Celebrities
Apart from displaying the photos, Gingermaster creates a service that steals information from your device, sending it out to a remote website in an HTTP POST request. The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time.
The server responds with the various configuration parameters including the update frequency and the update URL. The responses are just simple JSON objects.
In the assets folder of the APK file, Gingermaster includes three ELF executables and one shell script, all with the file name extension .png, presumably to make the exploit code slightly less obvious. The file names are gbfm.png, install.png, installsoft.png and runme.png. The malware also creates a file called gbfm.sh, which contains the actual Gingerbreak exploit code and is launched in a separate thread.
Gingermaster also writes to the Android system log (logcat) information about what it has done so far:
Gingermaster logcat output
If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality.
One of these utilities, installsoft.png, contains code to install Android packages using the command-line version of the package manager.
This is an interesting technique which we have not seen before; it neatly bypasses the Android permissions system by removing the need to declare the “uses-permission” INSTALL_PACKAGES in the Android manifest file.
Of course, once a malicious process gets root, its powers are potentially unlimited.
The Android malware writing scene is heating up as the season of summer holidays is coming to its end.
Hopefully, we will have enough time to document the more interesting ones and share them with you on our Blog.
If you are an Android user, here are some security hints:
Avoid alternative Android Marketplaces unless you have strong evidence they are trustworthy.
Avoid applications which request more permissions than they need.
(Gingermaster claims to be an application which downloads “beauty of the day” pictures of celebrities from a website. Why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?)
Email your vendor to urge them to update the OS on your device if they have not yet done so.
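To make the permissions hint concrete: as an added example (not Gingermaster's code or any vendor tool), the following Python audit parses an AndroidManifest.xml, collects its uses-permission entries and reports those that a picture-viewer app has no stated need for. The manifest below is constructed from the sixteen permissions listed above; the package name and the baseline set such an app needs are assumptions.

```python
"""Audit the permissions an Android app requests against what its stated
purpose needs. Added example, not Gingermaster's code or a vendor tool. The
manifest is constructed from the permission list quoted in the post; the
package name and the picture-viewer baseline are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that let an app reach outside its own sandbox; any of these in
# a consumer app deserves an explanation before it is installed.
HIGH_RISK = {
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.READ_LOGS",
    "android.permission.DELETE_CACHE_FILES",
    "android.permission.ACCESS_CACHE_FILESYSTEM",
    "android.permission.RESTART_PACKAGES",
    "android.permission.INSTALL_PACKAGES",
}
# Permissions that expose device or subscriber identity (IMEI, IMSI, number),
# the kind of data the post says Gingermaster posts to its server.
IDENTITY = {"android.permission.READ_PHONE_STATE"}

# Assumed baseline: an app that downloads pictures and shows them.
PICTURE_VIEWER_NEEDS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def audit(manifest_xml: str, needed: set) -> dict:
    """Split the request into what the app's purpose explains and what it does not."""
    requested = requested_permissions(manifest_xml)
    excess = requested - needed
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "high_risk": sorted(excess & HIGH_RISK),
        "identity": sorted(excess & IDENTITY),
        "verdict": "review" if excess & (HIGH_RISK | IDENTITY) else "ok",
    }


# Constructed manifest carrying exactly the sixteen permissions listed above.
GINGERMASTER_LIKE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.beautyoftheday">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.DELETE_CACHE_FILES"/>
  <uses-permission android:name="android.permission.ACCESS_CACHE_FILESYSTEM"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.READ_OWNER_DATA"/>
  <uses-permission android:name="android.permission.WRITE_OWNER_DATA"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <application android:label="Beauty of the day"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(GINGERMASTER_LIKE_MANIFEST, PICTURE_VIEWER_NEEDS)
    print(report["verdict"])
    for perm in report["excess"]:
        print("  unexplained:", perm)
```

Run against a real package, the manifest has to be decoded first (the binary XML inside an APK is not what this parser reads); the point of the example is the comparison itself: everything outside the baseline is a question for the developer, and the high-risk subset is a reason not to install until answered.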

Saturday, August 20, 2011

Google pulls out malicious apps from Android Market


Google has removed at least 10 applications from its Android Market after it detected malicious code in the guise of add-ons to one of its popular apps. Most of the infected apps posed as add-ons or cheats for Angry Birds, a popular mobile application developed by Rovio. The apps were spotted and reported by Xuxian Jiang, an assistant professor of computer science at North Carolina State University. According to Jiang, several apps included stealthy spyware called Plankton.
Plankton works like a parasite, latching onto its host application as a background service that has no effect on the app's intended purpose. When a user runs an infected application on their Android phone, Plankton collects information such as the device ID and the list of granted permissions and sends them in an HTTP POST message to a remote update server, the NC State researchers found.
That remote server returns a URL pointing to an executable file for the device to download. Once downloaded, the JAR file is dynamically loaded. In this way the payload evades static analysis and is difficult to detect.
Analysis of the payload shows that the virus does not provide root exploits, but supports a number of bot-related commands. One interesting function is that the virus can be used to collect information on users' accounts.
The spyware reportedly uploads data such as browser bookmarks and browser history by connecting to the remote server.
A new malware called DroidKungFu was also detected.
In Android versions 2.2 (Froyo) and earlier, DroidKungFu takes advantage of two vulnerabilities in the platform software to install a backdoor that gives hackers full control of your phone. Not only do they have access to all of your user data, but they can turn your phone into a bot and basically make your smartphone do anything they want.
According to reports, the malware is already circulating outside the Android Market. The high-end malware is said to be capable of bypassing anti-virus, and it installs a backdoor allowing hackers to take control of the device.
This is just the latest in a series of apps being removed from the Android Market. Google recently pulled more than two dozen apps from the Android Market over malware infection. In early March, Google was compelled to remotely delete apps from users' phones due to malware called DroidDream. The search engine giant also issued a security update to rectify the problem.
Android Market is popular among developers because it gives them freedom that is not available at other retail outlets. Unlike Apple's iPhone, Android Market publishes apps almost instantaneously. Hundreds of free apps are downloaded and installed daily. This freedom has certainly made the Android Market popular, but that popularity comes at a cost, as these malware cases show. Google does not monitor the apps that are launched in the Android Market but responds only to complaints.

Friday, August 5, 2011


Rootkit

A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator privileges; it requires prior access in order to execute and tamper with system files and processes. An attacker may use a rootkit to replace vital system executables, which may then be used to hide the processes and files the attacker has installed, along with the presence of the rootkit itself. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security scanning and surveillance mechanisms such as anti-virus or anti-spyware scans. Often they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which in turn allows an attacker to access the system regardless of changes to the actual accounts on the system.

Rootkit.TDSS

Rootkit.TDSS is a rogue rootkit application with backdoor capability that permits an attacker to gain unauthorized remote access. Rootkit.TDSS conceals its presence on the user's computer so that security software and applications cannot detect it. Rootkit.TDSS is a serious threat that could result in identity theft and financial loss.

 

How To Remove Rootkit.TDSS


STEP 1 : USE WINDOWS TASK MANAGER TO REMOVE ROOTKIT.TDSS PROCESSES
End the following Rootkit.TDSS processes:
RkLYLyoM.exe podmena.exe file.exe ~.exe 7-v3av.exe csrssc.exe 72631899.exe 1776260179.exe ucxmykkc.exe

STEP 2 : USE WINDOWS COMMAND PROMPT TO UNREGISTER ROOTKIT.TDSS DLL FILES
Search for and unregister the following Rootkit.TDSS DLL files:
UACyylfjdaa.dll TDSSnrsr.dll tdssserf.dll TDSSriqp.dll TDSSciou.dll TDSSoexh.dll

STEP 3 : DETECT AND DELETE OTHER ROOTKIT.TDSS FILES
Locate and delete the remaining Rootkit.TDSS files:
UACyylfjdaa.dll TDSSnrsr.dll TDSSmaxt.sys tdssserf.dll TDSSriqp.dll TDSSciou.dll TDSSoexh.dll tdidrv2.sys RkLYLyoM.exe podmena.exe tdssserv.sys file.exe ~.exe 7-v3av.exe csrssc.exe 72631899.exe 1776260179.exe ucxmykkc.exe
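As an added triage aid for the three steps above (example code, not a vendor removal tool), the following Python matches running process names and file paths against the file names listed; it reports and does not delete, so each hit can be checked before anything is removed. The `tasklist /fo csv` output and the paths in the demo are constructed.

```python
"""Triage helper for the Rootkit.TDSS removal steps: match running process
names and files on disk against the file names listed above, reporting only.
Added example, not a vendor tool; the tasklist output and paths used in the
demo are constructed."""
import csv
import io
import ntpath
import os

# Every file name quoted in steps 1 to 3 (processes, DLLs and drivers).
TDSS_INDICATORS = {
    "RkLYLyoM.exe", "podmena.exe", "file.exe", "~.exe", "7-v3av.exe",
    "csrssc.exe", "72631899.exe", "1776260179.exe", "ucxmykkc.exe",
    "UACyylfjdaa.dll", "TDSSnrsr.dll", "tdssserf.dll", "TDSSriqp.dll",
    "TDSSciou.dll", "TDSSoexh.dll", "TDSSmaxt.sys", "tdidrv2.sys",
    "tdssserv.sys",
}
# NTFS and the process table are case-insensitive, so compare lower-cased.
_INDICATORS_LOWER = {n.lower() for n in TDSS_INDICATORS}


def suspect_processes(tasklist_csv: str) -> list:
    """Parse the output of `tasklist /fo csv` and return (image name, PID)
    for every process whose image name is an indicator."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return [(row["Image Name"], int(row["PID"]))
            for row in reader
            if row["Image Name"].lower() in _INDICATORS_LOWER]


def suspect_paths(paths) -> list:
    """Filter an iterable of Windows paths down to those naming an indicator."""
    return sorted(p for p in paths
                  if ntpath.basename(p).lower() in _INDICATORS_LOWER)


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. %SystemRoot%\\System32) and return matching paths."""
    return suspect_paths(os.path.join(d, f)
                         for d, _dirs, files in os.walk(root) for f in files)


# Constructed `tasklist /fo csv` output: note the legitimate csrss.exe next to
# the indicator csrssc.exe, one character apart.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","28 K"
"csrss.exe","552","Services","0","4,104 K"
"csrssc.exe","1820","Console","1","2,316 K"
"explorer.exe","1344","Console","1","23,560 K"
"podmena.exe","2088","Console","1","1,204 K"
'''

if __name__ == "__main__":
    print("processes:", suspect_processes(SAMPLE_TASKLIST))
    print("files:", suspect_paths([r"C:\Windows\System32\drivers\TDSSmaxt.sys",
                                   r"C:\Windows\System32\kernel32.dll"]))
```

A rootkit that is active will hide its own processes and files from Task Manager and from a directory walk, which is why a clean result from this check on a live system proves little; the same functions run over a listing taken from a boot of trusted media (or over an image of the disk) are more meaningful.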

Rootkit.Win32.Agent.gpe


The purpose of this trojan is to hide processes and files; it is known to be distributed with various W32/Sdbot.worm variants.

 

Win32.Agent.P Aliases

Trojan.Win32.Rootkit.l (Kaspersky Lab), NTRootKit-J (McAfee), TROJ_ROOTKIT.E (Trend), Trojan.Cachecachekit (Symantec), BackDoor.IRC.Sdbot.55 (Doctor Web), Troj/Rootkit-X (Sophos), TROJ_ROOTKIT.E (Trend Micro), TR/Rootkit.L (H+BEDV), Trojan.Rootkit.L (SOFTWIN), Trojan.Rootkit.C (ClamAV), Hacktool/Rootkit.L (Panda), Win32/Rootkit.I (Eset), Win32.Efewe.E (CA)

 

How To Remove Win32.Agent.P

REMOVE PROCESS FILES
Remove the Rootkit.Win32.Agent.p process file:
%system%\rdriv.sys
REMOVE REGISTRY ENTRIES
Remove the Rootkit.Win32.Agent.gpe registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV]


Rootkit.Win32.Agent.gpe

Rootkit.Win32.Agent.gpe is a rogue rootkit application with backdoor capability that permits an attacker to gain unauthorized remote access. Rootkit.Win32.Agent.gpe conceals its presence on the user's computer so that security software and applications cannot detect it. This rootkit is a serious threat that could result in identity theft and financial loss.

How To Remove Win32.Agent.gpe

REMOVE PROCESS FILES
Remove the Rootkit.Win32.Agent.gpe process files:
UACyylfjdaa.dll
Tsenekaddipwvik.sys


Agent.NAG

Agent.NAG can be used to hide files, Windows Registry entries or processes, either its own or those of other programs.
In this way, even when a user looks for these items on a computer, they won’t be able to see them.


Monday, August 1, 2011

Check the Android with Emulator...


-Android SDK Emulator Download: 

  • Download the software emulator for Android from the link below:



  • Here's an overview of the steps you must follow to set up the Android SDK:

  1. Prepare your development computer and ensure it meets the system requirements.
  2. Install the SDK starter package from the table above. (If you're on Windows, download the installer for help with the initial setup.)
  3. Install the ADT Plugin for Eclipse (if you'll be developing in Eclipse).
  4. Add Android platforms and other components to your SDK.
  5. Explore the contents of the Android SDK (optional).
  To get started, download the appropriate package from the table above, then read the guide to Installing the SDK.


-How To Create Android Emulator:- 

1. Open the Android folder and run SDK Manager.exe.
2. Close the "Refresh Source" download window, as it is not needed. (It will take some time to close, so wait.)
3. You will now see the "Android SDK and AVD Manager" window.
4. In the left pane you will find several options. Click "Virtual Devices".
5. In the right pane:
Click New > Name: {type a device name} > Target: {select an OS version, anything from 2.1 to 3.0} > SD Card: {type a size, e.g. 1000 MiB (1 GB)} > Skin: click a resolution (400*600) > Hardware: click "New", select "SD Card Support", OK.
6. Click "Create AVD" and wait.
7. Select your device from the list and click "Start".
8. In the launch options, click "Launch".
Wait until the device starts.
Open CMD and go to the platform-tools location:
CD :\android-sdk_r11-windows1\android-sdk-windows\platform-tools
Type the following commands:
> adb.exe start-server
> adb.exe install c:\mobsec.apk
(Here, make sure your mobsec.apk file is on the C drive, or change the path accordingly.)
Close CMD after this process.
DONE.

Enjoy working with Android Simulation and check the Functionality...

Sunday, July 31, 2011

XP Antivirus 2012 Spyware Removal...

XP Antivirus 2012 is a deceptive and quite sophisticated rogue anti-spyware program (in reality a fake anti-spyware) which applies the basic tricks of scams in this category. Though it claims to be a powerful virus remover, keep in mind that this program is the only thing that needs to be eliminated, because it reports invented viruses. To be more precise, XP Antivirus 2012 first creates numerous harmless files and drops them on the infected computer. It then "scans" the computer and immediately reports numerous viruses that are in reality nothing but these earlier created files. Some of its alerts may mention a Trojan-BNK.Win32.Keylogger.gen threat to scare you into purchasing the license it then offers. Pay attention to the fact that XP Antivirus 2012 is dangerous and has nothing to do with protecting the computer!

The XP Antivirus 2012 program has been manipulating people into believing it is genuine software. However, this rogue anti-spyware mostly penetrates a computer system without the user's knowledge and approval and opens a backdoor on the system (possibly the port 514 RPC backdoor) to let in more threats or allow the scammers to reach your personal information. All this is done with the help of Trojans that infect vulnerable systems through fake video codecs and Flash updates. As you can see, you should not believe XP Antivirus 2012 and its detection reports, as they are fabricated and have nothing to do with the true condition of the machine. Remove this software as soon as possible without purchasing it.



XP Antivirus 2012 manual removal:

Kill processes:
kdn.exe

Delete registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Delete files:
%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
%LocalAppData%\kdn.exe
%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
%Temp%\u3f7pnvfncsjk2e86abfbj5h
%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h


Friday, July 29, 2011

The Registry

DEFINITION: The Windows 9x/NT/2000/ME/XP Registry is a complex, unified, system-wide database, continually referenced during operation, used for centrally storing, locating, editing and administering system, hardware, software and user configuration information in a hierarchical structure.

It was introduced to replace the text/ASCII-based MS-DOS configuration files (.BAT, .SYS) and MS Windows initialization (.INI) files.

The structure of the Registry in Windows 9x is different from that of Windows NT, 2000 and XP.

Windows 95/98/ME: In these operating systems the Registry is stored in these 5 files, which carry the Hidden and Read-only attributes for write-protection purposes and are usually located in the %WinDir% folder (default is C:\Windows).

· SYSTEM.DAT = stores persistent hardware and software settings related to the system it resides on, contained in the (HKEY_CLASSES_ROOT = Windows 95 and 98 only) and HKEY_LOCAL_MACHINE Hive keys.

· USER.DAT = stores user specific and software settings contained in the HKEY_CURRENT_USER Hive key. If more than one user, then multiple user profiles enable each user to have their own separate USER.DAT file, located in %WinDir%\Profiles\%UserName%. When a user logs on, Windows OS (down)loads both USER.DAT files: the one from the local machine %WinDir% (global user settings), and the most recent one from the local machine %WinDir%\Profiles\%UserName%, or from the central (host) server if user profiles reside on a network (local user settings).

· CLASSES.DAT = stores persistent data contained in the HKEY_CLASSES_ROOT Hive key, found only on Windows ME.

· SYSTEM.DA0 and USER.DA0 = automatically created backups of SYSTEM.DAT and USER.DAT from the last successful Windows GUI startup, and found only on Windows 95

Windows NT/2000/XP: The Registration Database is contained in these 5 files, located in the %SystemRoot%\System32\Config folder (default is C:\Winnt\System32\Config for Windows NT/2000 or C:\Windows\System32\Config for Windows XP):

· DEFAULT = stores the HKEY_USERS\.Default key.

· SAM = stores the HKEY_LOCAL_MACHINE\Sam key.

· SECURITY = stores the HKEY_LOCAL_MACHINE\Security key.

· SOFTWARE = stores the HKEY_LOCAL_MACHINE\Software key.

· SYSTEM = stores the HKEY_LOCAL_MACHINE\System key and the HKEY_CURRENT_CONFIG Hive key,

and in this file, located in the %SystemRoot%\Profiles\%UserName% folder:

· NTUSER.DAT and USRCLASS.DAT (Windows XP only) = store the HKEY_CURRENT_USER Hive key.

Editing Registry

Always make sure that you know what you are doing when changing the registry or else just one little mistake can crash the whole system. That's why it's always good to back it up!

To view, back up or modify the Registry, you need to use the Registry Editor tool. There are two versions of Registry Editor:

· Regedit.exe (Windows 95/98/ME/NT/2000/XP) = located in %WinBootDir% (%SystemRoot%), has the most menu items and more choices for each menu item. You can search for keys and subkeys in the registry.

· Regedt32.exe (Windows NT/2000/XP) = located in %SystemRoot%\System32, enables you to search for strings, values, keys, and subkeys. This feature is useful if you want to find specific data.

Registry Structure

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as Keys, and are discussed below:

HKEY_CURRENT_USER
This registry key contains the configuration information for the user that is currently logged in. The users folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

HKEY_USERS
In Windows NT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT 4.0, they are stored in the systemroot\profiles directory. User-specific information is kept there, as well as common, system-wide user information.

HKEY_LOCAL_MACHINE
This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key.

HKEY_CLASSES_ROOT
The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is actually a window that reflects information from the HKEY_LOCAL_MACHINE\Software subkey.

HKEY_CURRENT_CONFIG
The information contained in this key is used to configure settings such as the software and device drivers to load or the display resolution to use. This key has Software and System subkeys, which keep track of configuration information.

REG Files

Registry data is exchanged through .REG files, which can be in:

· plain text/ASCII format in Windows 95/98/ME and NT/2000/XP or

· binary format in Windows 2000/XP.

Text .REG files can easily be viewed, created or edited by hand using any text/ASCII editor, such as Notepad.

Their purpose is to add, modify or delete Registry (Sub)Keys and/or Values.
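As an added example serving both this section and the XP Antivirus 2012 registry values listed earlier (example code, not part of the original article), the Python below parses a text .REG file into the key and value operations it would perform, then flags the entries that matter most in a cleanup: a (Default) value under .exe\shell\open\command or exefile\shell\open\command that is not the stock "%1" %*, launch commands that point into the user profile, and Security Center overrides. It also writes the .REG that puts the stock exe command back. The .REG text is constructed from the entries in that post.

```python
"""Parse a text .REG file and report what importing it would change, flagging
the kinds of entry the rogue anti-virus above plants. Added example, not part
of the original article; the .REG text is constructed from the XP Antivirus
2012 registry values listed in that post."""
import re

HEADER = "Windows Registry Editor Version 5.00"
# Stock launch command for executables: run the file itself with its arguments.
STOCK_EXE_COMMAND = '"%1" %*'
EXE_LAUNCH_KEYS = ("\\.exe\\shell\\open\\command",
                   "\\exefile\\shell\\open\\command")
# Locations any user can write to; a launch command living there is a red flag.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "%userprofile%")


def _unescape(s: str) -> str:
    """Undo .REG string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> list:
    """Return (op, key, name, value) tuples; op is one of add_key, delete_key,
    set or delete_value. dword:/hex: data is kept as written."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):           # [-KEY] deletes the whole key
                ops.append(("delete_key", body[1:], None, None))
                key = None
            else:
                key = body
                ops.append(("add_key", key, None, None))
            continue
        if key is None:
            raise ValueError(f"value line outside any key: {raw!r}")
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip()[1:-1])
        value = value.strip()
        if value == "-":                        # "Name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif value.startswith('"') and value.endswith('"'):
            ops.append(("set", key, name, _unescape(value[1:-1])))
        else:
            ops.append(("set", key, name, value))
    return ops


def review(ops: list) -> list:
    """Return (reason, key, name, value) findings for entries worth a look."""
    findings = []
    launch_keys = tuple(k.lower() for k in EXE_LAUNCH_KEYS)
    for op, key, name, value in ops:
        if op != "set":
            continue
        k, v = key.lower(), (value or "").lower()
        if name == "(Default)" and k.endswith(launch_keys) \
                and value != STOCK_EXE_COMMAND:
            findings.append(("exe-launch-redirect", key, name, value))
        if k.endswith("\\command") and any(p in v for p in USER_WRITABLE):
            findings.append(("command-in-user-profile", key, name, value))
        if k.endswith("\\microsoft\\security center") \
                and name in ("AntiVirusOverride", "FirewallOverride") \
                and v == "dword:00000001":
            findings.append(("security-center-override", key, name, value))
    return findings


def restore_exe_launch(findings: list) -> str:
    """Build a .REG that puts the stock command back under each redirected key."""
    lines = [HEADER, ""]
    for reason, key, _name, _value in findings:
        if reason == "exe-launch-redirect":
            lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed from the XP Antivirus 2012 entries listed in the post above
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
'''

if __name__ == "__main__":
    found = review(parse_reg(SAMPLE_REG))
    for finding in found:
        print(*finding)
    print(restore_exe_launch(found))
```

Restoring rather than deleting matters for the exe association: removing the (Default) value under exefile\shell\open\command leaves Windows with no command for launching programs at all, whereas putting "%1" %* back returns it to the stock behaviour.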