Perl Programming Part I :: Perl Data Types

Monday, April 12, 2010 Posted by Kanishka Dilshan 0 comments

Type Identifier Containable Data
Scalar
$
Number or string
Array
@
List of values indexed by number
Hash
%
Group of values indexed by string
Subroutine
&
Subroutine callable by Perl
References
\
References to anything of that name

Scalar Data Types
In Perl the scalar data type is used in 3 contexts.
  1. String context
  2. Numeric context
  3. Miscellaneous context
String Context
  1. $name = "Kanishka" ;

Numeric Context
  1. $height = 34 ;

Miscellaneous Context
  1. $temperature = 31.47;


Array Data Types
An array in Perl can contain number of scalar variables.  The containing scalars may be related to different contexts. for example the same array can contain numeric data as well as string data.
Declaring an array
  1. @myArr=("Kaniskha",21,"Galle");

in above code an array called myArr is created and. 3 different data are stored inside it.
  1. @myArr=();

above code makes the myArr empty.
Note : Arrays in perl is not fixed. so the programmer can expand the size of any array when he/she need.
perl arrays are zero based.
Assigning Values to Arrays
arrays can be assigned in 2 ways. Either assign at once  or assign individually. This is up to the programmer.

Assigning an array at once
  1. @myArr=("Kaniskha",21,"Galle");

Assigning an array individually
  1. @myArr=();
  2. $myArr[0]="Kaniskha";
  3. $myArr[1]=21;
  4. $myArr[2]="Galle";

Hash Data Types
In Perl Hash data type is an unordered set of scalar data indexed by string scalar data item. If you are familiar with PHP you may be heared  about associative arrays. The hash data type in perl is identical to an associative array. Perl provides this hash data type using a hash table algorithm.
Like the standard array hash also can be populated individually.

Declaring a Hash ( Associative Array )
  1. %fruits = ( "O" => "Orange" , "A" => "Apple" , "B" => "Banana");

Please note that the => operator is equivalent to a comma. The main purpose of =>  operator is make association between pairs.
So we can write above code segment as following statement also.
  1. %fruits = ( "O" ,"Orange" , "A" , "Apple" , "B" , "Banana");

Like standard array , hash also can be populated by individually.
  1. $fruits{"O"}="Orange";
  2. $fruits{"A"}="Apple";
  3. $fruits{"B"}="Banana";
Labels:

Systems Programming :: System Calls For Process Management II

Sunday, April 4, 2010 Posted by Kanishka Dilshan 0 comments
fork() and wait() system calls

fork() system call
using fork system call we can create new child processes. Though we call fork() once it returns twice! once per processes (at parent process and child process). At parent process it returns PID of the child process. At child process it returns 0. Using this feature we can identify parent and child processes separately.
lets see an example to understand the behaviour of fork() system call
example 1:


 1: #include <stdio.h>
 2: 
 3: int main()
 4: {
 5:  printf("Parent says \t: Parent process started...\n");
 6:  int PID=fork();
 7:  if(PID==0)
 8:  {
 9:   //this code block is executed by the child process
10:   int childPID=getpid();
11:   int parentPID=getppid();
12:   printf("Child says \t: Child PID -> %d \n",  childPID);
13:   printf("Child says \t: My Parent's PID -> %d \n",  parentPID);
14:  }
15:  else
16:  {
17:   //this code block is executed by the parent process (PID!=0)
18:   int parentPID=getpid();
19:   printf("Parent says \t: my Child's PID %d \n",PID);
20:   printf("Parent says \t: my PID -> %d \n",parentPID);
21:  }
22:  
23:  printf("Both say \t: This statement is executed by child and parent \n");
24:  return 0; //end of the program
25: }


output 1:
Labels:

Systems Programming :: System Calls For Process Management I

Posted by Kanishka Dilshan 0 comments
Process Management System Calls

A process can be either program or a command. To perform a task process need CPU time, memory(address space), files & I/O devices. Every process is comprised of 4 attributes
  1. code (instructions)
  2. data
  3. stack
  4. unique process ID (PID)
getpid(), getppid() system calls

getpid() system call returns the process ID of the current process.
getppid() system call returns the parent's process ID of the current process

Sample program to demonstrate getpid() and getppid() functions



 1: #include <stdio.h>
 2: 
 3: int main()
 4: {
 5:  int pid=getpid(); //get current process ID
 6:  int ppid=getppid(); //get parent process ID
 7:  printf("PID (Current process ID) -> %d \n",pid);
 8:  printf("PPID (Parent process ID) -> %d \n",ppid);
 9:  return 0;
10: }

Output :



PPID is always greater than the PID.
The parent of all process is the init process its ID is always 1
to realize this execute following command and see the output
 ps -eo user,pid,ppid,stat,args
Output :
USER       PID  PPID STAT COMMAND
root         1     0 Ss   /sbin/init
root         2     0 S<   [kthreadd]
root         3     2 S<   [migration/0]
root         4     2 S<   [ksoftirqd/0]
root         5     2 S<   [watchdog/0]
root         9     2 S<   [events/0]
root        11     2 S<   [khelper]
root        12     2 S<   [kstop/0]
root        14     2 S<   [kintegrityd/0]
root        16     2 S<   [kblockd/0]
root        18     2 S<   [kacpid]
root        19     2 S<   [kacpi_notify]
root        20     2 S<   [cqueue]
root        21     2 S<   [ata/0]
...............................................


system() Library function and execl() system call
there is a considerable difference in between system() library function and execl() system call. when system() is executed a new process is created. But when execl() is executed the memory and instructions of original process is replaced by the new process and continues. So any instruction of original process will not be executed after the execl().

Lets consider following programs to identify the different between system() library function and execl() system call.

Program1: (system() library function)


1: #include <stdio.h>
2: 
3: int main()
4: {
5:  system("date");
6:  printf("I am here!\n");
7: }


Output 1:

Program 2: (execl() library function)


1: #include <stdio.h>
2: 
3: int main()
4: {
5:  execl("/bin/date","date",0);
6:  printf("I am here! \n");
7: }


Output 2:

When compare both output you can see the the  "I am here!" line is not printed in the output 2. The reason is execl() replaced the memory area and instructions of original process by the date utilities instructions and memory.

Note : you can use gcc or cc utilities (GNU C Compilers) to compile above examples. I've used gcc to compile above programs.

Labels:

Systems Programming :: System Calls

Saturday, April 3, 2010 Posted by Kanishka Dilshan 0 comments
Operating system divides the system memory(RAM) into two parts.
  • Kernel Space 
  • User Space
The memory area reserved for kernel is used by device drivers and kernel extensions only.
The user space is the reserved memory area for user mode applications. User space can be swapped out to disk when necessary. Normally the kernel space is not swapped out to disk.

The kernel provides important services for the user mode applications.
  • Opening files
  • Reading files
  • Writing to files
  • Making network connections
  • Making new processes
System calls are used to make use of these services.
Relation between kernel space and the user space
Note:  I have used open() system call for this demontration.

void main()
{
    printf("This is a user mode application\n");
    ......................................
    ......................................
    ......................................
    int FD=open("MyFile.txt",0);
    ......................................
    ......................................
}
                                             User Space
_______________________________________________________
                                          
                                           Kernel Space
int open(char *_fileName, int mode)
{
        ......................................
        ......................................
        push    dword mode
        push    dword flags
        push    dword _fileName
        mov eax, 5
        add esp, byte 12
        ......................................
        ......................................
        ......................................
}


Difference between Library Functions and System Calls
  • System calls
           Executed by the OS
           Generally performs an single specific operation
  • Library Functions
           Executed in the user program
           May call system calls
           May perform more than one task
           More reliable than system calls

The relationship between system calls and library functions can be depicted as follows.

Library Functions System Calls
fopen() create(),open(),close()
fclose() read(),write()
system() chmod(),chown()
malloc() fork()
getc() unlink()

Refer following web site for more C library functions.
Labels:

Raidhost(¥¶¾³¿¸¤£ù²¯².exe ) Virus Report and Recover Tool

Friday, November 27, 2009 Posted by Kanishka Dilshan 0 comments
hott raidhost update
Imago Labs Comment
Anti-virus Tool
raidhost.exe (CRC32 : D8AB4DA6) is a backdoor virus. It supports to create a bot net. raidhost.exe is the parent virus. when it is executed it downloads other viruses from its master servers. In Imago labs we detected the servers are 64.131.83.170 on port 80 and 216.17.104.155 on port 51987. It downloads a malcious file dl.exe from above servers and executes it. Then dl.exe download another malcious file update.exe .
"Raidhost" use autorun.inf to propagate himself. It creates a system folder called cold. Inside cold directory it creates a system folder hott which appears as a recycle bin.then it copies its clone (¥¶¾³¿¸¤£ù²¯².exe and ¥¶¾³¿¸¤£ù²¯² ) into hott directory.
raidhost.exe resides in %system drive% \ Windows. dl.exe and update.exe resides on the root of the system drive.
File Details
Size: 425984 Bytes
Version: 2.0.133.0
CRC-32: D8AB4DA6
MD5: 6A1120F815EEA114A79EB1789E6C6D00
SHA1: 3C12CEC16915560A65E8BA00C15F5D5EAF881182
Read only: Yes
Hidden: Yes
System file: Yes
Directory: No
Archive: Yes
Symbolic link: No
Values Added To The Registry:(12)
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP Default 0x00000000 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP DllFile %SystemRoot%\system32\iedkcs32.dll 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP FileExtensions .ins 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG Default 0x01000000 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG DllFile %SystemRoot%\system32\jsproxy.dll 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG FileExtensions .pac;.jvs;.js 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG Flags 0x01000000 1
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML Extension .htm 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager CriticalSectionTimeout 2592000 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run raidhost raidhost.exe
Values Modified In The Registry:(n) [Original Value Value = Green , Modified Value = Red]
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings info ProxyEnable 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths info Directory C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths info Paths 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info IntranetName 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info ProxyBypass 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info UNCAsIntranet 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings info MigrateProxy 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings info ProxyEnable 0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections info SavedLegacySettings 0x3c0000000500000009000000000000000000000000000000000000000000
Created Files:(7)
%system drive% \ Windows\raidhost.exe
%system drive% \dl.exe
%system drive% \update.exe
%removable drives% \cold\hott\¥¶¾³¿¸¤£ù²¯².exe
%removable drives% \cold\hott\¥¶¾³¿¸¤£ù²¯²
%removable drives% \cold\hott\desktop.ini
%removable drives% \auTORUN.inf
Files Deleted:(0)
No file deletions were detected.
Files Modified:(0)
No folder deletions were detected.
Network Activities:(n)
Sends following HTTP headers to the server 64.131.83.170 on port 80
Sent:
Request: GET /index.html?x=0x11223344
Response: 200 "OK"

Received
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Fri, 20 Nov 2009 14:28:31 GMT
Accept-Ranges: bytes
ETag: "76dc15bced69ca1:0"
Server: Microsoft-IIS/7.0
Date: Tue, 24 Nov 2009 17:14:22 GMT
Content-Length: 67
Connection: close
Age: 0


Another Packets to 216.17.104.155 on port 51987 over TCP with length 122, 143, 23, 41, 85, 89, 20, 19.....
Then 216.17.104.155 sents malcious files to the infected machine.
ex:
Sent:
10:55:10.6863440 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 19
10:56:40.6660112 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 19
10:50:35.4783041 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 23

Received:
10:55:03.3958241 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 143
10:53:59.8657657 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 123
10:56:07.6358705 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 74
More Info :( )
Autorun file








Abuser's Details (Please Report This Person) 
More Details
Location :US, United States
City Falls: Church, VA 22043
Organization: Minh Nguyen
ISP : ServInt Corp.
OrgID: SRVN
Address: 6861 Elm Street
Address: 4th Floor
City: McLean
StateProv: VA
PostalCode: 22101
AS Number: AS25847
Country: US
RAbuseHandle: NO178-ARIN
RAbuseName: ServInt Engineering
RAbusePhone: +1-703-847-1381
RAbuseEmail: ipdept@servint.com
OrgAbuseHandle: ABUSE2161-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-847-1381
OrgAbuseEmail: abuse@servint.com
Please report about the IP 216.17.104.155 to poc@a1colo.com
Please report about the IP 64.131.83.170 to abuse@servint.com and ipdept@servint.com

Anti-virus Tool
For more info visit my website
Tell A Friend

Labels:

LoveCalculator.exe Virus Report(Imago Labs)

Saturday, November 21, 2009 Posted by Kanishka Dilshan 0 comments
Imago-Labs Comment : on LoveCalculator.exe

LoveCalculator.exe is a simple virus writtem in C/C++ and Java. It can be introducesd as a Trojan Horse. When it is executed it generates two files LoveVirus.jar(MD5:6E760653F2E90720D04F0DE1251F21DD) and i4jdel0.exe(MD5:D6C9003CF1B2223FE28C06AACFF9E11F). Then it executes LoveVirus.jar using JavaRuntime environment. LoveVirus.jar is consists of two class files Main.class and CopyFile.class.This virus has no ability to spread itself(Not a worm).
CopyFile.class is responsible for copying LoveCalculator.exe to targeted locations. In main method CopyFile class is implemented to do following things.
  1. It copies LoveCalculator.exe to the all drives from C: to P: (C:\ , D:\,.....,P:\) if the drive is available.
  2. Then it copies LoveCalculator.exe to C:\Documents and Settings\All Users\Start Menu\Programs\Startup to run windows startup.
  3. At the windows start up it forces windows to shutdown by using following java code.





    • static String command = "shutdown -s" ;
      static String command1 = "shutdown -f" ;
    • .........................................
      Runtime.getRuntime().exec(command1) ;
      Runtime.getRuntime().exec(command) ;






  4. At each restart it shows





    • " You are a FOOL , Calculate Love Next Time ....... or Visit < WWW.SORRY.COM > for more details . "



Removal Instructions:
  1. Power on your PC.
  2. After BIOS screen press F8 key and select Safe Mode
  3. After windows loads in Safe Mode goto start button->All Programs->Startup.
  4. Delete the file LoveCalculator.exe in the startup folder
  5. Then Delete all LoveCalculator.exe files in the roots of the partitions(C:, D:....)





    • Tip : Use windows search tool if you prefer.





  6. Finally restart your computer and let windows to load in normal mode.
File Details : LoveCalculator.exe
Size       : 309248 Bytes
Version    :
CRC-32     : 77D4FB12
MD5        : 4087E11BFCC8ADB4076ECB7AA6B16590
SHA1       : 9CB1860BAD7BE1D8840094B1EF6137FD43B6247A
Read only  : Yes
Hidden     : No
System file: No
Directory  : No
Archive    : Yes
Symbolic link: No

Values Added To The Registry:(2)
HKU\S-1-5-21-606747145-1580818891-1343024091-1003\Software\ej-technologies\exe4j\jvms\c:/program files/java/jre6/bin/java.exe\LastWriteTime: 00 0D A0 D8 0C 6A CA 01

HKU\S-1-5-21-606747145-1580818891-1343024091-1003\Software\ej-technologies\exe4j\jvms\c:/program files/java/jre6/bin/java.exe\Version: "1.6.0_17"

Values Modified In The Registry:(0) [Original Value Value = Green , Modified Value = Red]
No registry modification. But add above mentioned registry entries to the registry.
Created Files:(4)
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoveCalculator.exe
c:\Documents and Settings\Kanishka\Local Settings\Temp\i4jdel0.exe
c:\LoveCalculator.exe , d:\LoveCalculator.exe , ....., p:\LoveCalculator.exe
c:\Documents and Settings\Kanishka\Local Settings\Temp\LoveVirus.jar

Files Deleted:(0)
No file deletion were detected.
Files Modified:(0)
No file modifications.
Network Activities:( )
We do not identified any network activity of this file.
More Info :( )
Java Imports
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.awt.Component;
import javax.swing.JOptionPane;
import javax.swing.UIManager;

For more info visit my website
Tell A Friend
Labels:

MaHasona Recovery Report

Posted by Kanishka Dilshan 0 comments
Imago Labs Roport on MaHasona.exe


MaHasona.exe (CRC-32: FD9B090B) is a virus which can be categorized as a worm. It spreads through removable drives. Careless of computer users is the main reason to spread this kind of viruses. If user open removable drives using command prompt this viruses can not be executed. This virus uses AutoIt script as its core. Once the virus is executed it copies its clone to the Windows System32 directory as explorar.exe (see the difference between explorer.exe and explorar.exe). Since it uses this kind of fake name it is difficult to detect this virus manually. It creates a registry entry to get the ability to be executed automatically when windows starts. MaHasona.exe changes attributes of directories(folders) to Hidden and clone it as the folder name. MaHasona.exe is not visible at task list(Program list) in the task manager. It runs as a process.(Process name : explorar.exe (CRC-32: FD9B090B)).
Tip : Use this way to open removable drives safely.
start -> All Programs -> Accessories -> Command Prompt and type the following command.
explorer [drive letter of pen drive]: and press enter
ex : explorer h:

File Details : MaHasona.exe
Size       : 686077 Bytes
Version    : 3.3.0.0
CRC-32     : FD9B090B
MD5        : 9F5A508D6725EB6FB11B445274BA9A52
SHA1       : 97AA99152245D7ECE159225C03C246608114BDBE
Read only  : Yes
Hidden     : Yes
System fil : Yes
Archive    : Yes
Symbolic link : No

Values Added To The Registry:(2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS1: "C:\WINDOWS\system32\explorar.exe"

HKU\S-1-5-21-329068152-1060284298-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Kanishka\Desktop\VHome\MaHasona.exe: "MaHasona"
Values Modified In The Registry:(0) [Original Value Value = Green , Modified Value = Red]
No registry modification. But add above mentioned registry entries to the registry.
Created Files:(5)
C:\WINDOWS\system32\explorar.exe
C:\WINDOWS\autorun.inf(copied to the root of removable drive as soon as it detected a pen.)
e:\MaHasona.exe
e:\Docs.exe (Docs.exe is a file which is created by extracting folder names in the pen drive)
e:\autorun.inf(this file is used to achieve the warm ability)

Note -> e: is a removable drive(Pen Drive)
Files Deleted:(0)
No file deletion were detected.
Files/Folders Modified:(n)
MaHasona.exe modifies the attributes of all folders(sets to be hidden)
Network Activities:( )
We do not identified any network activity of this file.
More Info :( )
Autorun file
[autorun]
open=MaHasona.exe
Icon=MaHasona.exe,0
shellexecute=MaHasona.exe
shell\Explore\command=
MaHasona.exe
shell\Open\command=
MaHasona.exe
shell=
Explore
By K_ZONE

For more info visit my website
Tell A Friend

Labels: