The worst trojan on the net


This topic is locked
141 replies to this topic

#101 paperghost

    Member

  • Full Member
  • 88 posts

Posted 06 October 2004 - 03:33 AM

you could post them on some free webspace.

incidentally,

rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0{00E97B7C-E2A4-4C68-B560-781B48AC9928}

relates to a common error that shows up in a number of places (most commonly in a SetupAPI Log). The error relates to botched installs / uninstalls of printers and / or printer drivers / software.

I'm also wondering why no-one else who has had this thing has mentioned up to this point that it uses a (very obvious) install process - not exactly the stealth assassin of ubertrojans, is it?

Edited by paperghost, 06 October 2004 - 04:02 AM.


#102 awuh0

    Member

  • Full Member
  • 31 posts

Posted 09 October 2004 - 03:46 PM

maybe they didn't look hard enough....
[screenshot: installed]
[screenshot: process that is message box prompt]

and not that anyone cares but apparently some archives are infected with an email which has netsky.z@mm

btw for this virus's easy install you can thank microsoft's plug n' pray
get rid of this mostly useless and easily exploitable crap here

while you're at it getting rid of bad things take a look at
Shoot The Messenger
and
DCOMbobulator

also as a note to others who have been affected by this bug...
the virus 'installs' several exploits that have been fixed by micro$oft patches...
Windows Media Player play script...
DSO Exploit : allows web pages to run code without permission

use zonelabs pestpatrol or spybot to fix these, they may periodically be re-applied

Edited by awuh0, 09 October 2004 - 06:41 PM.


#103 paperghost

    Member

  • Full Member
  • 88 posts

Posted 10 October 2004 - 12:46 AM

The DSO exploit is a bug in spybot.

#104 Methusala

    Member

  • New Member
  • 1 posts

Posted 23 October 2004 - 12:11 AM

Hmmm ... reply attached to wrong thread ... no way to delete ...
Sorry for the newbie-ism ...

Edited by Methusala, 23 October 2004 - 12:15 AM.


#105 vibe666

    Member

  • Full Member
  • 11 posts

Posted 29 October 2004 - 03:55 AM

my god.

and not my god this thing is going to kill us all, but "my god, you really are a bunch of gullible idiots".

ask yourself this. where is the proof that this thing exists? nowhere. not here anyway.

if any one of the people who claimed to have this thing were smart enough to find it when none of the anti-virus companies were able to, and can afford to go around randomly changing parts here and there to try and fix it then they'd be smart enough to put one of these systems (or an infected component) in a box and send it to an AV company (or a few of them).

Over a year? get a grip. not possible in the least.

nearly all the PC's that come into your shop? right yeah, of course.

let me reiterate: THIS THING IS A FAKE, NOT REAL, BOGUS, A CON!

nobody has provided any proof that it exists or even that they have contracted it (or anything else for that matter), and of all the so called 'experts' who've miraculously 'discovered' this thing, not a single one of them has done a thing about it apart from posting stories here.

if this thing actually existed and could do half of what you people (or one multiple-personalitied person, as is much more likely) then simply taking it to an AV company in your car would make you world famous overnight for discovering such a serious threat.

again, for the slow people at the back: THIS THING IS A FAKE, NOT REAL, BOGUS, A CON!

do not believe a thing in this thread. it is not real, and never will be. not with technology at the level it is now anyway.

Edited by vibe666, 29 October 2004 - 03:55 AM.


#106 Malleable

    Member

  • Full Member
  • 41 posts

Posted 29 October 2004 - 07:28 AM

Come on guys, everyone knows the Illuminati have developed a Super Trojan that allows them to control everyone's computer at any time. They know anything and everything. And awuh0's box on "Systems Setting Change" has an inadequate number of spaces after the period of the third sentence. "The Man" didn't adequately proof read.


Mal

#107 bowwow

    Remove the fly, I mean spy!

  • Full Member
  • 77 posts

Posted 29 October 2004 - 08:39 AM

Listen Pillo,
I believe much on Swami because my computer teacher, who is a real computer genius, had one of his friends infected with such kind of things. For your information, his friend was also a computer genius but he actually didn't even know when this all happened. Such thing was sent to him through chatting to a person who sent him a file to open with a sweet heading.
What I believe is that it's not a trojan my friend, it's a malicious software that automatically runs when you open the file it is stored in.

As for the buddy, he opened his computer, had his motherboard checked, and it was literally fused out as if someone burnt it.
And to tell you, it happened four years back.

I wonder why there are so few posts from the experts here, maybe they know any cure or protection against it.



It seems hard to believe for the rest of us too Pillo79, but that does not mean it is impossible. :)

I see you have some experience with computers! :lol:

Now, if he booted from a floppy, where did this ramdisk come from?
(Not the usual ramdisk you get with an fdisk boot, gathering from the other information he has given us.)

Good question. In fact, I would really like to see the dmesg output from the Linux kernel, as it shows all kinds of devices being recognized with great detail. But what I don't understand is where the virus stores all its data, as it would need a lot of nonvolatile space... and assuming it is not the harddrive, which was deeply formatted and replaced ... very little remains... :scratchhead:
You must also think that there is no way to distinguish used firmware space from free space, from outside it's all ones and zeroes, so it's -very- risky to try to write to these areas, and the ways to write are so many... and to top it off, most systems have protection against this kind of attack by having checksums computed at boot.

Adding items to an uninfected machine until it gets infected is a sure but costly solution. But could someone detail a bit more what are the symptoms? And also, how to find it out before windows is installed...

<edit>
Sorry Swami, I did not read your posts so carefully.

On the new machine I did not even install an OS ... I just used a Linux disk that runs off the cd. But I have seen the install screen a billion times in the last month or more to know that as soon as I see: installing on shared memory and rpm overrides by ACPI warnings that it's alive and well. In Linux just open up a console and hit "w" without the quotes and it will tell you how many users are currently on your machine ... I always have 2 users listed ... me and a duplicate of me and under the logged in time it shows a "?" question mark for my duplicate. Nightmare City.

I didn't understand this sentence: "as I see: installing on shared memory and rpm overrides by ACPI warnings that it's alive and well". Could you please say it again?
As for the "w" thing, I believe it is a quirk of your particular Linux CD. (And BTW, I'm curious to know which one is that :)). If your PC was booted from a CD, without any network connection, come on, nobody -could- have logged in except you. No firmware on Earth is able to ask Linux to log on after having stolen your password... of this I am reasonably certain. Which TTY does the "w" command report the logon?
</edit>

... and if it never became infected, Swami would have to buy a truckload of beer for the people in this thread :)

Yes, definitely; I believe it is written in the forum's agreement :deal:! :lol:

<edit> Sorry for the multiple edits, we cross-posted in a few minutes...

it even popped up a message telling me I failed to get rid of it ... again

It's nice (in a certain sense) to see that Swami is not the only one to have experienced this. Please explain in much detail this sentence! This is really driving me mad... :wtf:
</edit>


Edited by bowwow, 29 October 2004 - 08:45 AM.


#108 vibe666

    Member

  • Full Member
  • 11 posts

Posted 01 November 2004 - 11:33 AM

seriously, why is this thread still open?

it's not a real threat, it never was, and for a very long time to come it never will be.

use your brains people and stop believing every little bit of crap you are fed on the net, and try and think for yourselves.

either that, or go and read this very informative online newspaper. you'll be amazed at the 'truths' it tells. www.theonion.com

as for the 'computer geniuses' out there, well.... the less said about them the better.

'computer genius' is a term used by people who know nothing about computers to describe people who do.

stop it.

seriously.

#109 Misereor

    Member

  • Full Member
  • 84 posts

Posted 01 November 2004 - 12:49 PM

Strange how people are eager to make themselves feel smart by pointing out that there is no evidence for this thing :)

If you have followed the thread, you will notice that the "computer geniuses" have exhibited a healthy dose of scepticism, and all along treated it more as an academic exercise than anything else.

The only ones working themselves into a frenzy are people claiming to have been infected or people like yourselves. No offense. :)

#110 carnuck

    Member

  • New Member
  • 1 posts

Posted 01 November 2004 - 07:12 PM

Just a newbie at computers, so forgive my ignorance, but I had a boot virus that several Dell techs tried for almost 2 years to get rid of (my computer couldn't get online for long in all that time w/o freezing and it finally took a Linux tech from Boeing to help me eradicate it by hand rewriting the boot and wiping out everything to install XP home edition "upgrade")
There was an NVidia bug called nwiz.exe at the root of a lot of it. I got rid of that recently, but now have something worse (which I'll be posting questions on the other part of the board later) Wincomm.exe that scans as HKey {9F1C11AA-197B-4942-BA54-47A8489BB47F} (a Win V4 update with no documentation that was downloaded through Windows automatic update) and it also hides under program files (I can't delete the file because I get "Access denied") and PCCillin Internet Security 2004 (with auto-updates) recognizes it as worm ADW_SYNCHROAD.A (I renamed the application from wincomm.exe to shit.exe, hoping to confuse it temporarily)



#111 Misereor

    Member

  • Full Member
  • 84 posts

Posted 02 November 2004 - 02:20 AM

Nwiz.exe is the control applet for your Nvidia graphics card.
As for Wincomm.exe, update your antivirus program and run it.

If you don't have an antivirus program, get one.
Until you do, you can visit www.trendmicro.com and run an online virus scan.

#112 vibe666

    Member

  • Full Member
  • 11 posts

Posted 02 November 2004 - 03:37 AM

one of the worst things out there at the moment is misinformation, and you are spreading it around in a forum filled with inexperienced people looking for help. this thread will do more damage than good by staying open regardless of its (very limited) value as an 'academic exercise'.

okay, so let's pretend for a moment that this thing exists [IT DOESN'T IN CASE ANYONE IS IN ANY DOUBT!].

1. IF this thing exists and any single one of you people who claim to have it know how to spot its presence when not a single AV company in the world has even the faintest idea of its presence in the world then for fuck's sake tell other people how to find it so someone somewhere can do something about it instead of just talking about how amazing/deadly/annoying it is.

2. IF this thing exists then for fuck's sake, just take it to someone who can do something about it (An AV company perhaps) instead of pretending you're all l33t hax0rs and that you know what you're talking about.

I do IT support/admin on a campus of over 1500 PCs, I've been working in the IT sector for the last 10 years, and I was tinkering with PCs for 10 odd years before that, right back to the original Apple PC (I'm not boasting, I just want you to know, I'm not just some spotty 16 year old kid who knows nothing about PCs), and I just happen to work 100 yards from a large Symantec office, so by all means send this thing to me, and I'll pop it in their mailbox on my way home.

or alternatively, stop spreading mis-information in a place that's supposed to be here to help people.

Edited by vibe666, 02 November 2004 - 03:53 AM.


#113 paperghost

    Member

  • Full Member
  • 88 posts

Posted 02 November 2004 - 06:19 AM

Wincomm.exe is related to Agobot. There are plenty of tools out there that can sort this particular infection out.

#114 Misereor

    Member

  • Full Member
  • 84 posts

Posted 02 November 2004 - 07:07 AM

There are plenty of admins who frequent this forum, Vibe.

If any of them feel the thread causes more harm than good, I'm sure one of them will delete it ;)

#115 vibe666

    Member

  • Full Member
  • 11 posts

Posted 03 November 2004 - 07:10 AM

There are plenty of admins who frequent this forum, Vibe.

If any of them feel the thread causes more harm than good, I'm sure one of them will delete it ;)


i just don't see the point in keeping this open.


and on that note, I'll shut up about it.

Edited by vibe666, 03 November 2004 - 07:11 AM.


#116 Outlander

    Member

  • New Member
  • 2 posts

Posted 03 November 2004 - 09:47 AM

Well Swami this is not good.
I left a post here at this site concerning the svc.host.
It sounds to me like we may have both been hit by this.
No matter what I do I can not get rid of this damn thing it just seems to come back.
Well I am still trying if I am successful I will post here what I did.
Oh yea as for Vibe well when I figure out just what is going on I will post it here.
I am in contact with Symantec and Microsoft about the problem I am having.
I personally believe I am being hacked.
But we will see what happens from here.
I figured I would check around the net to see if maybe someone else had any clue.
One more thing I was running Spybot, Adaware, Nortons and Spysweeper when I got hit and yes all are updated.

Edited by Outlander, 03 November 2004 - 09:59 AM.


#117 paperghost

    Member

  • Full Member
  • 88 posts

Posted 03 November 2004 - 10:18 AM

I am in contact with Symantec and Microsoft


Who did you contact in Microsoft? I'd be quite interested to see some of their responses to this problem.

Edited by paperghost, 03 November 2004 - 10:19 AM.


#118 vibe666

    Member

  • Full Member
  • 11 posts

Posted 04 November 2004 - 04:54 AM

ditto for symantec too.

if you've been in contact with them then let's see what they have to say about this.

#119 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 10 November 2004 - 11:06 AM

seriously, why is this thread still open?

it's not a real threat, it never was, and for a very long time to come it never will be.

use your brains people and stop believing every little bit of crap you are fed on the net, and try and think for yourselves.

either that, or go and read this very informative online newspaper.  you'll be amazed at the 'truths' it tells. www.theonion.com

as for the 'computer geniuses' out there, well.... the less said about them the better.

'computer genius' is a term used by people who know nothing about computers to describe people who do.

stop it.

seriously.


I trust that the people with actual problems are starting their own topics and getting help in the Malware Removal or PC Troubleshooting forums..

This thread is just a sort of lint collector.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#120 awuh0

    Member

  • Full Member
  • 31 posts

Posted 15 November 2004 - 11:55 PM

I nailed the bug... or so far so good... see my new thread...
http://www.spywarein...showtopic=34481

oh and uh up yours paperghost and friends, thanks for all the negative work you so generously contributed

all I can do is hope you're infected with it and my advice disinfects you and you could do something nice like say oh wow that was one seriously messed up virii thank god you squashed it..

-EOF

#121 paperghost

    Member

  • Full Member
  • 88 posts

Posted 16 November 2004 - 06:15 AM

To test / fix install redhat or another linux distro (knoppix if possible) and do the following:
1) open a terminal
2) fdisk /dev/hda
3) p

if you see something along the lines of Novell Netware 386
and messages that say Partition does not end on cylinder boundary
You may have the same problem...


The version of fdisk that comes with many Linux systems creates partitions that fail its own validity checking.

This is more commonly seen relating to the well known dual boot problems that have arisen as of late with regards certain installs of both Fedora and Mandrake running alongside Windows XP, but is also known to affect many popular versions of Linux without Windows being involved.

There is no evidence to say that this message indicates "the worst Trojan on the net", but plenty of evidence to say that this simply relates to botched installs. Bugzilla had this thing all over it a good while back. If you're saying that this error message does relate to a Trojan infection then you really need to provide solid proof as to why this is the case, otherwise you're panicking other end users needlessly and this is totally irresponsible.

let's look at your solution to - remember - the worst trojan on the net.

you....ran fdisk, pressed p to see what partition action was going on and then
you - oh my goodness! - advised to format the disk and reinstall.

And this is the solution to the "worst infection on the net"?

Please.

I thought this thing existed in the very air we breathe, given the previous 10 or so pages of horror stories we were seeing. Maybe its power to hurt diminishes as the amount of people who believe in it dwindles. Either way, there's still no proof it ever existed, no files have been submitted to anyone here who asked for them and your magic solution for removing this supposed electronic satan is somewhat underestimating the incredible power of this awful trojan, wouldn't you say? Not to mention jumping on a fairly common error message and turning it into yet another Internet bogeyman.

#122 ThisSideTowardsEnemy

    Member

  • Full Member
  • 12 posts

Posted 16 November 2004 - 10:43 PM

Ahhhh.... Newly-arrived sycophant vibe666 fails to shame this thread into submission, and Paperghost connects the dots thusly:

The version of fdisk that comes with many Linux systems creates
partitions that fail its own validity checking.

This is more commonly seen relating to the well known dual boot problem that have arisen as of late with regards certain installs of both Fedora and Mandrake running alongside Windows XP, but is also known to affect many popular versions of Linux without Windows being involved.


Er... Sounds accurate, Paperghost, but perhaps you overlooked the words

...Novell Netware 386...

in awuh0's post. Please provide a single Bugzilla (or any other source you can cough up) that shows Linux FDISK validity checking errors will result in error messages referring to network operating systems. What on EARTH does the flaky Linux FDISK or partition table information have to do with the network? You don't seem the least bit surprised (or even mildly curious) why this appears for awuh0. To simply ignore that reference and focus on the partition error, dismissing his/her entire post as a widely-known Linux bug is... well, disappointing.

It's clear why you must repeatedly buttress your 'selective' logic by taking every opportunity to suggest that everyone having similar problems must be curled up in a fetal position in a corner of their basement under a heavy piece of furniture - twitching and frothing at the mouth - in utter terror of "...the worst trojan on the net." Oh, I forgot your insistence on bolding worst just so we know how stupid we are for even posting here to begin with.

In the meantime, maybe you can check out how easy it is to interfere with the boot handler and make almost anything on the pci bus look like a bootable block device which, when shadowed in RAM, is vulnerable to an entirely different set of exploits. DO let us know if bugzilla can shed some light as well.

Let me borrow your words for a minute: If

you're saying that this error message does

NOT

relate to a Trojan infection then you really need to provide solid proof as to why this is the case, otherwise you're

inferring no threat could possibly exist

to other end users needlessly and this is totally irresponsible.



#123 awuh0

    Member

  • Full Member
  • 31 posts

Posted 17 November 2004 - 12:47 AM

I think paperghost just got his panties all in a wad 'cause he was wrong
end of the flames now...

#124 paperghost

    Member

  • Full Member
  • 88 posts

Posted 17 November 2004 - 01:22 AM

Please provide a single Bugzilla (or any other source you can cough up) that shows Linux FDISK validity checking errors will result in error messages referring to network operating systems. What on EARTH does the flaky Linux FDISK or partition table information have to do with the network? You don't seem the least bit surprised (or even mildly curious) why this appears for awuh0.


Maybe he should check with his network engineer.

The fact remains, if you're going to start jumping on any, and I mean any error message that appears on your system and claim it's GOT to be a result of this trojan - SPECIFICALLY, this trojan - then real, analytical proof, virus isolation, dissection and analysis conclusion needs to be there. Not just hey, I had this message and although I have absolutely no basis in fact for saying this, I'm going to say it anyway.

He needs to lay down the exact reasoning for connecting the dots, not me.

I don't really see what your point is regarding fdisk on the network - if fdisk is available and causing new, screwy messages then those messages need to be examined in the right way - not just blamed on some phantom trojan. I included the word "Linux" despite the fact that he said Novell because it's most commonly known as a Linux problem. That doesn't mean it can't exist elsewhere. And anyway -

From Ars Technica:

http://www.novell.co...11/pr03069.html

Novell announced its acquisition of SUSE for US$210 million in cash on Tuesday, marking another step in Novell's effort to transform itself into a "Linux company." The deal includes a US$50 million investment by IBM, which was involved with SUSE in prior deals regarding IBM's software and server hardware.

Earlier in the year Novell announced that future Netware releases would run Linux as well as their proprietary kernel. [...]


So Linux could have a LOT to do with his setup involving Novell - even if it hasn't, it's not my fault if he hasn't said one way or the other exactly what he's using in conjunction with his Novell services. I'm simply telling him what that error message means, not running a full analysis of what he is or isn't running. He needs to take away whatever information is provided here or elsewhere, look at it, think about it for a while and apply it to his individual situation.

Just like it's not my fault that after he threw in a token comment about the Spybot DSO bug relating to this trojan and had that idea rebuffed, he didn't mention it again. Not to mention the error message rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0{00E97B7C-E2A4-4C68-B560-781B48AC9928} which relates to botched installs / uninstalls of printers and / or printer drivers / software. Strangely, he didn't come back on that point either. Hey, there's lots of error messages here relating to unrelated botched installs. Maybe he just can't install things properly?

Whatever you say or however you try to twist it, that specific error message - that exact line of ASCII showing up on his screen - is because many versions of fdisk create partitions that fail their own validity checking. Whatever system you are running, whatever network you are on, that is what it means. If it's showing up somewhere it shouldn't be, or on a system that shouldn't normally show it, or in an environment where it shouldn't make any difference, then it needs investigating and raising with the appropriate channels so it can be investigated and resolved.

If he is saying it now means it's as a result of a Trojan, prove it.


It's funny how his early posts say that this thing lurks in every part of his system, is impossible to remove etc - and then it goes with a simple format.

It's clear why you must repeatedly buttress your 'selective' logic by taking every opportunity to suggest that everyone having similar problems must be curled up in a fetal position in a corner of their basement under a heavy piece of furniture - twitching and frothing at the mouth - in utter terror of "...the worst trojan on the net."


Excuse me, but isn't that what this thread is called??

Isn't that what all the supposed victims have said about their infections? Looks like it to me.

The burden is not on me to prove anything - it's on him. He said he got this error message and now pins it on his trojan. Fair enough - but for god's sake, prove it or call it a day. And where is this feedback from microsoft and the AV vendors that the other guy promised? Not going to put in an appearance, I imagine. And after his wonderful "Up yours Paperghost" line, excuse me for sounding like I don't actually care. Any discussion that can't have two viewpoints (or even more than that) without the protagonist (because I assume I'm the antagonist, right?) simply insulting people doesn't deserve any help. If he does have the worst trojan ever onboard, you have my sincere apologies.

Now prove it.

Edited by paperghost, 17 November 2004 - 05:46 AM.


#125 awuh0

    Member

  • Full Member
  • 31 posts

Posted 17 November 2004 - 11:29 AM

paperghost stfu. You should be asking more questions and be less quick to disprove everything someone else has said.
For your info this drive was formatted from my Windows box, at home, no Novell network here
I only mounted it in Linux so I could actually analyze the partition table without interference.
Just because you can reference a bunch of links that have NOTHING TO DO with what's going on isn't going to make your dumb ass any more knowledgeable about fixing this.

here is the partition info... finally got ex-emacs to work

Disk /dev/sda1: 255 heads, 63 sectors, 15016 cylinders
Units = cylinders of 16065 * 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1p1 ? 46390 152334 850999312 65 Novell Netware 386
Partition 1 does not end on cylinder boundary:
phys=(100, 109, 32) should be (100, 254, 63)
/dev/sda1p2 ? 48229 117156 553649047 6e Unknown
Partition 2 does not end on cylinder boundary:
phys=(107, 121, 32) should be (107, 254, 63)
/dev/sda1p3 ? 193979 209336 123360830+ 49 Unknown
Partition 3 does not end on cylinder boundary:
phys=(83, 90, 32) should be (83, 254, 63)
/dev/sda1p4 ? 23815 23815 3302+ ac Unknown
Partition 4 does not end on cylinder boundary:
phys=(885, 132, 0) should be (885, 254, 63)

Partition table entries are not in disk order

keep in mind this is ONE partition, fat32, made on win xp

If someone other than paperghost has anything to add I would like to hear it 'cause I kinda want to get this data back to my computer without infecting it again...

Just like its not my fault that after he threw in a token comment about the Spybot DSO bug relating to this trojan and had that idea rebuffed, he didn't mention it again. Not to mention the error message
rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0{00E97B7C-E2A4-4C68-B560-781B48AC9928} which relates to botched installs / uninstalls of printers and / or printer drivers / software. Strangely, he didn't come back on that point either. Hey, there's lots of error messages here relating to unrelated botched installs. Maybe he just can't install things properly?


did it ever occur to you that it might install itself as a printer driver? As I didn't have a printer attached to my FRESH INSTALL of winxp computer at that point...

So Linux could have a LOT do do with his setup involving Novell - even if it hasn't, its not my fault if he hasn't said one way or the other exactly what he's using in conjunction with his Novell services. I'm simply telling him what that error message means, not running a full analysis of what he is or isn't running. He needs to take away whatever information is provided here or elsewhere, look at it, think about it for a while and apply it to his individual situation.

again I will state NO Novell services, sorry I don't use dated software that was designed for a 386. my network consists of a router, a hub, 4 windows boxes and 1 Linux box.
just a connection to the Internet shared via router, sorry you can't blame a corporate Novell network for this one
drive is formatted as a fat32 and shows up that way in windows (infected edition of course)

you want me to prove something? walk me through how to copy a partition in Linux as I am relatively new to it, then i can attach it here and you can cry to your hearts content.
Oh and make sure you tell me to get the right one, there are 4 of them...

And where is this feedback from microsoft and the AV vendors that the other guy promised?


maybe microsoft and AV vendors do not want to inform people that their product is so easily infected / useless??? I think this gives me a slight case of déjà vu... like microsoft never covered up the fact that it has security problems.

Its funny how his early posts say that this thing lurks in every part of his system, is impossible to remove etc - and then it goes with a simple format.

try low level, and a motherboard with BIOS jumper protection.


He needs to lay down the exact reasoning for connecting the dots, not me.

Normally I would go into detail about something like this but...
A) It's very complex
B) I don't have that kind of time
C) I really don't want to write a thesis about a virus, at least not right now.

If he is saying it now means its as a result of a Trojan, prove it.

again, please tell me how I would be very happy to get this to an AV or someone who could make a fix.

Edited by awuh0, 17 November 2004 - 11:59 AM.
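The fdisk check paperghost laid out in #121 (fdisk, then p) and the table awuh0 posted above both hinge on one geometry rule, so here is an added example, written for this page and not code from anyone in the thread, that decodes a classic 512-byte MBR and reproduces fdisk's two warnings using the 255-head, 63-sector geometry the quoted output shows. The sample table is constructed; the decoder also illustrates why any sector ending in 55 AA, a FAT boot sector included, decodes into "partitions" whose fields are really boot-code bytes, which is one way to get entries that end far past the disk's last cylinder.

```python
"""Decode a classic MBR partition table and reproduce the two fdisk warnings
quoted in this thread, using the 255 heads / 63 sectors geometry shown there."""
import struct
from dataclasses import dataclass

HEADS = 255            # heads per cylinder, from the quoted fdisk header
SECTORS = 63           # sectors per track, from the quoted fdisk header
MBR_SIGNATURE = b"\x55\xaa"
# Small subset of fdisk's partition-type table (these ids are the real ones).
TYPE_NAMES = {0x0B: "W95 FAT32", 0x0C: "W95 FAT32 (LBA)",
              0x65: "Novell Netware 386", 0x83: "Linux"}


@dataclass
class Partition:
    number: int          # 1-based slot in the table
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, "Unknown")


def lba_to_chs(lba, heads=HEADS, sectors=SECTORS):
    """Linear sector -> (cylinder, head, sector); c and h 0-based, s 1-based,
    which is how fdisk prints 'phys=(c, h, s)'."""
    cyl, rem = divmod(lba, heads * sectors)
    head, sec = divmod(rem, sectors)
    return cyl, head, sec + 1


def ends_on_cylinder_boundary(end_lba, heads=HEADS, sectors=SECTORS):
    """True when the last sector is the final sector of the final head of its
    cylinder, i.e. (c, heads - 1, sectors): the 'should be' value fdisk prints."""
    _, head, sec = lba_to_chs(end_lba, heads, sectors)
    return head == heads - 1 and sec == sectors


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of the four 16-byte slots at offset 446.
    Only the 0x55AA signature is checked, as any MBR decoder does; a FAT boot
    sector carries the same signature, so decoding one yields 'partitions'
    whose fields are really boot-code bytes (huge counts, odd type ids)."""
    if len(sector) != 512 or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte sector with an MBR signature")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        entry = sector[off:off + 16]
        status, type_id = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if type_id == 0 and count == 0:
            continue                               # empty slot
        parts.append(Partition(slot + 1, status == 0x80, type_id,
                               start_lba, count))
    return parts


def check_table(sector, heads=HEADS, sectors=SECTORS, cylinders=None):
    """Reproduce fdisk's warnings for one table as a list of strings; pass the
    disk's cylinder count to also flag entries that end beyond the disk."""
    parts = parse_mbr(sector)
    msgs = []
    for p in parts:
        c, h, s = lba_to_chs(p.end_lba, heads, sectors)
        if not ends_on_cylinder_boundary(p.end_lba, heads, sectors):
            msgs.append(f"Partition {p.number} does not end on cylinder "
                        f"boundary: phys=({c}, {h}, {s}) should be "
                        f"({c}, {heads - 1}, {sectors})")
        if cylinders is not None and c >= cylinders:
            msgs.append(f"Partition {p.number} ends in cylinder {c}, "
                        f"past the disk's {cylinders} cylinders")
    starts = [p.start_lba for p in parts]
    if starts != sorted(starts):
        msgs.append("Partition table entries are not in disk order")
    return msgs


def build_mbr(entries):
    """Constructed test data: entries are (bootable, type_id, start, count)."""
    sector = bytearray(512)
    for slot, (boot, type_id, start, count) in enumerate(entries):
        off = 446 + 16 * slot
        sector[off] = 0x80 if boot else 0x00
        sector[off + 4] = type_id
        struct.pack_into("<II", sector, off + 8, start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: partition 1 fills cylinders 0-19 from the classic
# 63-sector offset; partition 2 is a 1000-sector stub that stops mid-cylinder.
CYL = HEADS * SECTORS                              # 16065 sectors per cylinder
SAMPLE_MBR = build_mbr([(True, 0x0C, 63, 20 * CYL - 63),
                        (False, 0x83, 20 * CYL, 1000)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p.number, p.type_name, "ends at", lba_to_chs(p.end_lba))
    print("\n".join(check_table(SAMPLE_MBR, cylinders=15016)))
```

Run stand-alone it lists both constructed partitions with their end CHS and prints the single warning for partition 2; to inspect a real disk, read its first 512 bytes (not the first sector of a partition) and pass them to check_table with the geometry fdisk reports.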


#126 paperghost

    Member

  • Full Member
  • 88 posts

Posted 17 November 2004 - 12:17 PM

sorry you cant blame a corporate Novell network for this one


I don't believe I did, as I did mention Linux with regards your fdisk fiasco. it was the other guy who jumped on the fact that you mentioned Novell, I wasn't fussed either way. So go have a pop at him.

Normally I would go into detail about something like this but...
A) It's very complex
B) I don't have that kind of time
C) I really don't want to write a thesis about a virus, at least not right now.


Again - if you don't want to invest the time to explain your reasoning for labelling a fairly common error message as a dire warning that a trojan is on board, you shouldn't bother in the first place. How many people could have seen your post and started panicking needlessly? Irresponsible, especially when you're being so heavy handed in your certainty that it's an infection.

Just because you can reference a bunch of links that have NOTHING TO DO with what's going on...


A bunch of links? A bunch? Wow - here was me thinking that there was only one.

One.

One that mentioned the connection between Novell and Linux systems. I'll try harder to stay fixed on the post immediately above my own next time. Please note this doesn't include your bizarre ramble about flames.

again, please tell me how I would be very happy to get this to an AV or someone who could make a fix.


If you still have your infection, take your entire machine, put it in a box and have it delivered to an AV company. If you're deadly serious and this is "the worst infection ever", then I'm sure an AV company on the receiving end would be ecstatic at the extra amount of business such a fix would drum up and compensate you for your postage. I have numerous friends in AV companies, I could have had a word with them if you'd liked...

Except I'm not going to, as your insults continue in a very childish fashion. I disagree with many of the other posters' points, but at least it was a grown-up discussion.

I'm going to have to disappoint you now - this will be my last post in this thread as

A) I'm very busy
B) I don't have any more time to waste
C) I really don't want to write a thesis about another Jdbgmgr hoax.

Edited by paperghost, 17 November 2004 - 12:49 PM.


#127 killer4prez

killer4prez

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 19 November 2004 - 11:22 PM

If this virus does exist (and I don't see how it could) I think all these companies would love to find a solution to getting rid of the "Worst Trojan on the net".

McAfee Inc.
http://www.lavasofthelp.com/submit/
http://securityrespo...ter/submit.html
http://www.esafe.com...srt/vsubmit.asp
http://www.ravantivi...submit-file.php
http://www.quickheal.com/newvir.htm
http://www.kaspersky....asp?chapter=26

Hell If you want you could email me this virus at Email address deleted. Not a good idea to post it in a public forum.

#128 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 20 November 2004 - 12:03 AM

Well, since you've already confused virus and trojan, it's no wonder that you can't "see how it could" exist. Second of all, not one person posting here claims it's a general, widespread or imminent threat to the entire internet. "Worst" simply means it was extremely difficult for *those of us who had it* to get rid of it from an infected machine. Since so few people have had 'it' or something like it (judging by the handful of postings like this on the internet) I'm sure the AV companies out there have very little interest and could care less about wasting their time on a solution. Last of all, NO AV company is going to rewrite their windows AV code to look for BIOS or PCI Device ROM exploits that attempt to boot something like Syslinux off of a protected area of a hard disk. If anyone with half a brain wanted to write a real trojan, the first thing they would probably look to do anyway is take over the disk or file system silently before Windows even started. Kind of hard for the AV programs to scan something neither they nor the OS can even see.

#129 killer4prez

killer4prez

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 November 2004 - 01:23 AM

Let me first say I want to see proof of this program.

Kind of hard for the AV programs to scan something neither they nor the OS can even see.

Okay smartass, if the anti-virus companies cannot see the trojan how can the people on this board?

I'm sure the AV companies out there have very little interest and could care less about wasting their time on a solution.

I have a friend who works for an anti-virus company and he would love to see this Super Trojan.

#130 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 23 November 2004 - 12:06 AM

I have a friend who works for an anti-virus company and he would love to see this Super Trojan.


PM me his email, maybe we can work together to get him a sample and the rest of us a solution...

for the record I have removed this from my desktop PC but as of now my laptop remains infected

Edited by awuh0, 23 November 2004 - 12:10 AM.


#131 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,290 posts

Posted 13 December 2004 - 03:19 AM

There is a site known as www.piaodown.net (linked to Spywareblaster to prevent accidental infection). It supports many cracks and serial codes sites. Luckily, Firefox is not infected by this trojan.
Useful Software: Kaspersky (http://www.kaspersky.com), Housecall Trendmicro (http://housecall.trendmicro.com/), a2 free edition (http://www.emsisoft.com), Kerio Personal Firewall (http://www.kerio.com), Ad-aware SE (http://www.lavasoftusa.com), Spybot S&D (http://security.kolla.de), HJT (http://www.merijn.or.../hijackthis.zip), CWShredder (http://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (http://www.mvps.org/...p2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiu...ww/resource.htm), Spywareguard and Spywareblaster (http://www.javacoolsoftware.com/), Winpatrol (http://www.winpatrol.com), Mozilla & Firefox (http://www.mozilla.org)

#132 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 13 December 2004 - 02:31 PM

How is the piaodown site related, LostAccount?

#133 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,290 posts

Posted 14 December 2004 - 01:29 AM

Hi All,
I'm not coming here for help (it's too late for that) but I want to warn everyone about a new trojan/virus that is out in the wild and has claimed at least one victim already.

It has the full package, a real trojan's trojan including: a keylogger, a virus that attacks .exe, .com, and .vbs files, the hidden server, the ability to create ISO files (using exe2bin.exe), and the topper is a hidden "read only" file system containing a boot image and hidden modules that are embedded into your system's ramdisk (BIOS), and it infects Windows on every re-install and also any hard drive that is connected to the mainboard (before or after infection).

TROJAN INFO-
It attempts to phone home to 239.255.255.250 (a bogus IP) on port TCP 1900 as an instance of svc.host ... has language support for Korean, Japanese, and Chinese... I found 3 website URLs as well, piaodown.net and piaodown.com and a crsky.net ... all out of China.

piaodown.net = [ 218.30.29.186 ]
  Registrant:
  liwenquan (ODCIORZQDD)
    harbin
    harbin  Heilongjiang 150070
    CN

piaodown.com = [ 218.30.29.186 ]
  Registrant:
  wenquan  li (CDXHQTKOFD)
    daoliqushangjiangtoudaojie2hao3-2-2-3shi
    haerbin  Heilongjiang 150070
    CN

crsky.net = [ 218.92.244.234 ] 
  Domain Name: crsky.net
  Registrant:
  jian pan
  RM.502 NO.11 PUHUA ALLEY BAIXIA DISTRICT NANJING CHN
  210002


I am no stranger to trojans ... this one is one high tech piece of code. It seems to use a flaw that Microsoft supposedly fixed and that is faking Microsoft digitally signed certificates for drivers (like i386.cab) and it also creates a multitude of hash rules for all group and local policy settings on the victim's PC (essentially taking ownership).

It also controls your disk controller (unfortunately mine was built-in) so you can't use your Floppy or CD-ROM drives to try and combat the trojan, and sets up an ADMIN account.

To make an even longer story a bit shorter ... It can infect AT LEAST Windows XP Home/Pro w/SP1 and most of the pre-SP2 patches installed, and no scanner (TDS-3, Tauscan, NOD32, Sophos, Hi-Jack This, Kaspersky, Trojan Hunter, Spybot, or Trojan Remover to name a few :) even detects it at all in the slightest fashion. I am working on getting Gavin from DCS, the makers of TDS-3, the files from this thing for study when I get going again.

You may wonder how I found it then ... well that is a long story, but it basically started with finding some strange files and file extensions and ended up with me looking at all the hidden modules and the bootloader and failing to be able to remove anything without the password, at which it then retaliated and filled my drive up to the MAX with temp files (and locked it) forcing a Windows re-install and a re-infection ... this time it would not allow any AVs, Firewalls, or Disk Cleaners to be installed.

I just bought a new board on eBay today to replace this trojanized board and some new memory just to be extra safe ... But right now I am using a very weak backup PC and I am not too happy with the money it's costing me.



It is related by the underlined lines.

#134 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 14 December 2004 - 02:55 PM

Doh! I'm starting to forget about good 'ol Swami's original post! I don't recall my machine trying to get to those particular sites, but it might be worth a try downloading some of the garbage on that site to my test box to see if I can get it reinfected. Of course, the trojan (or whatever) may not have originated on that site - it may just be notifying someone there that it found a host -or- may just be the action of a follow-on infection.

And I'm not sure if it applies to anyone else with the problem, but I eventually ended up here [Spywareinfo.com forums] after investigating and attempting to 'clean' whatever was causing unusual disk activity and network traffic on one of my boxes. Yes, I used all the popular AV/Trojan scanners but they found nothing. I could not see any XP process that explained any of it using the various sysinternals.com utilities. I could not identify the source process, nor monitor/log the unexplained activity. It appeared something was working 'outside' of XP; like XP was running inside some kind of shell or something was filtering/redirecting calls that XP thought were going directly to the hardware.

In any case, putting a clean load of XP PRO with almost all services disabled on a single new partition of a freshly-wiped disk - no other drives/usb devices, no non-native XP drivers - should NOT result in tftp connections anywhere (3C905 network cards - no ROM). Re-flashing the motherboard, hard disk, sound video and network card firmware seemed to get rid of it for me. I just came here trying to find out what the deal was.

#135 Malleable

Malleable

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 10 January 2005 - 08:28 AM

I don't know why we are surprised by this. We all know the Chinese government has been working on developing a Super Bug. Symantec was only given rights to sell their product in China after providing the government with 300 (if I recall correctly) virus variants.

Mal

#136 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 13 January 2005 - 11:53 AM

Malleable - Perhaps... but the same 'Super Bug' development speculation regularly appears for a long list of governments, organizations, corporations, etc. I'm much more terrified of either U.S. Homeland Security's feeble Stasi-like attempts to 'protect' me or Microsoft's eternal stream of buggy patches than I am of any crumbling government headed for the history books. And I have not yet seen *any* government or organization capable of out-programming a bored 17-year-old hacker. I guess it's possible...

Funny you should mention China though. There are very few components in my computer - including the motherboard - that do not display a 'made in China' label. In spite of this, most complex chips are not designed there and the firmware isn't necessarily coded there. But it's really a stretch to believe that China or anyone else would seriously consider such easily traceable malware.

I would have to believe the behavior of any malicious OEM components or firmware (as shipped), no matter how well hidden from detection engines, would eventually be spotted by good network administrators and eventually associated with particular components. If the issue was noted by several admins and publicly known, then the branding company would be forced to respond. If they didn't respond to the satisfaction of the market (lack of, weak, unbelievable, marketspeak, etc.) then their products become known as 'suspicious', infected, buggy or just plain junk.

This would be an instant kiss-of-death for the OEMer of that component and anyone associated with them. In addition, the damage to any market brands using that OEM would be immense. I'll trust at least some minimal 'protection' offered via market-share-driven paranoia of greedy companies to keep an eye on as-shipped components and firmware. This isn't any sort of 'guarantee' by any means - I will always wonder about the suspicious DeskStar debacle that forced IBM out of the hard drive business.

It's clear that this is NOT the issue here. Whatever was affecting our machines is/was not widespread and - as far as we know - can't be identified with any particular common component. I suspect that exploited firmware was partially to blame, but - as repeatedly pointed out by others - have no evidence for this. The other issue is whether it's even technically *possible* to infect ROMs or firmware allowing a trojan to somehow reinstall itself on a wiped and reloaded machine without detection. The posters dismissing this possibility point to the lack of either code capture in the wild or a proof-of-concept example.

Chinese Super-Bug, urban-myth virus, unnecessarily panic-invoking imaginary "Worst Trojan on the Net", crack-induced paranoia... whatever. I didn't care at the time - I just wanted it off my machine and had VERY little interest in shipping my computer to an AV company to 'prove' it existed. I still think the topic is interesting and worthy of serious academic discussion on a security forum. Apparently not here, though.

#137 gobolts

gobolts

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 17 February 2005 - 10:25 AM

After spending an hour reading this thread I'm moved to post something, anyway :blink:
If the original Swami guy wasn't a scammer, he played nearly every trump scam card in the old scammer deck. I'm a little slow, but when someone starts suggesting the possibility that evil bugs are hiding in their CPU, monitor, etc., well that's a pretty strong indication that either a) they aren't as knowledgeable as they make out to be or, b) they're trying to scare someone who isn't very knowledgeable.

Look at his first two posts: in the first he says:
"You may wonder how I found it then ... well that is a long story, but it basically started with finding some strange files and file extensions"

:p Then, in the next he reveals this gem:
"let's just say I like movies and I also occasionally downloaded them (never again) ... my browser (Opera) warned me that I was connecting to a site with a username and not a web address - I figured it's probably this dude's personal server ... it was and it served me up nicely with a fireball straight to the heart of my PC..."

His info about it trying to phone home on a bogus IP, which was SSDP, was icing on the cake.

He talks a lot about computers and virii, but he never really says anything, you know. Except how terrible the virus is. :glare:

It's garbage and a waste of time to read it. It should all be deleted.
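The "phone home to 239.255.255.250 on port 1900" in the quoted post is, as gobolts says, just the SSDP (UPnP discovery) multicast address; SSDP, mDNS and LLMNR all run over UDP and never leave the local segment. The helper below is an added example, not code from anyone in this thread: it reads netstat-style rows and labels each remote endpoint so that well-known local discovery traffic is separated from endpoints that actually deserve a look. The netstat lines are constructed for the example (the 203.0.113.0/24 address is a documentation range standing in for an external host), and the local-network list is spelled out by hand rather than using the stdlib's is_private, which would also flag that documentation range.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Standard multicast discovery endpoints (IANA assignments, not from the forum post).
KNOWN_DISCOVERY = {
    ("239.255.255.250", 1900): "SSDP (UPnP discovery)",
    ("224.0.0.251", 5353): "mDNS",
    ("224.0.0.252", 5355): "LLMNR",
}

# Ranges treated as 'local network peer'. Listed explicitly because the stdlib's
# is_private also flags documentation ranges (192.0.2.0/24, 203.0.113.0/24), which
# we want to treat as external for the purposes of this triage.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]

# Matches one 'netstat -an' row as printed on Windows: proto, local, foreign, optional state.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<lip>[\d.]+|\[[^\]]+\]):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+|\*|\[[^\]]+\]):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Return the columns of one netstat row, or None for headers and blank lines."""
    m = _ROW.match(line)
    return m.groupdict() if m else None


def classify(row: Dict[str, str]) -> str:
    """Label the remote endpoint of one row from a triage point of view."""
    rip, rport, proto = row["rip"], row["rport"], row["proto"]
    if rip in ("*", "0.0.0.0") or rport == "*":
        return "unbound/listening socket"
    key = (rip, int(rport))
    if key in KNOWN_DISCOVERY:
        name = KNOWN_DISCOVERY[key]
        if proto == "TCP":
            # All three services are UDP; a TCP row to a multicast group is a
            # reporting oddity worth a second look, not evidence of a 'phone home'.
            return f"multicast discovery address, but {name} is UDP only"
        return f"local discovery traffic: {name}"
    try:
        addr = ipaddress.ip_address(rip.strip("[]"))
    except ValueError:
        return "unparseable remote address"
    if addr.is_multicast:
        return "multicast group (never leaves the local segment)"
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in LOCAL_NETS):
        return "local network peer"
    return "external endpoint: identify the owning process and destination"


def triage(netstat_output: str) -> List[Dict[str, str]]:
    """Parse every row of netstat output and attach a verdict to each one."""
    results = []
    for line in netstat_output.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        results.append({**row, "verdict": classify(row)})
    return results


# Constructed sample output in 'netstat -an' layout; not a capture from any real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      239.255.255.250:1900   SYN_SENT
  UDP    192.168.1.10:1900      *:*
  UDP    192.168.1.10:5353      224.0.0.251:5353
  TCP    192.168.1.10:1041      203.0.113.7:80         ESTABLISHED
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_NETSTAT):
        print(f"{r['proto']:4} {r['rip']}:{r['rport']:<6} -> {r['verdict']}")
```

Only the last row of the sample earns the "external endpoint" label; the SSDP and mDNS rows come out as local discovery, which is the check a reader should make before treating a multicast address as a command-and-control destination.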

#138 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 17 February 2005 - 11:18 AM

It's garbage and a waste of time to read it. It should all be deleted.


I figure it has entertainment value, and also is a sort of fly trap for conspiracy thinkers. ;)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#139 niceguy

niceguy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 18 February 2005 - 03:49 AM

It's garbage and a waste of time to read it. It should all be deleted.


I figure it has entertainment value, and also is a sort of fly trap for conspiracy thinkers. ;)




Yes, conspiracy theories do have entertainment value, regardless of whether there is a real conspiracy or not. Heck, there are even several magazines filled with the stuff. I used to be amazed each time a buddy of mine bought one of these... Browsing through them I would say that at least 90% of what was in them was an absolute impossibility. The other 10% seemed genuine but that's hardly enough to fill more than the "fun page" in a genuine paper. Now we can even see the stuff on TV as well, and I am sorry to say, Discovery Channel has lost some of its credibility by airing some things they shouldn't have.

So does this super infection exist? I don't know but it has been an entertaining read and it could at the very least be used as a plot in a B-rated conspiracy movie....

For some additional fun, try this: http://www.sjgames.com/illuminati/

I myself am not going to make any claims of being anything but a somewhat experienced user. I am in no way a computer geek. I do however know how to take advice from the experts when I have problems. The main problem for people like me is often to identify who really is an expert on a topic and who is just claiming to be one. I just wish that people would avoid panic and take what they hear with a grain of salt. Especially when there is a real danger. Panic can often do more harm than the threat that caused the panic.

#140 CyberRaptor

CyberRaptor

    Move Zig

  • Full Member
  • PipPipPip
  • 161 posts

Posted 19 February 2005 - 11:46 AM

AHHHH DEUS EX RIPOFF!!!!!

#141 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 19 February 2005 - 10:43 PM

I noticed I never posted in this topic. I guess I must have missed this topic, during my readings. :)
Do I really have to read and translate all 141 posts to become smarter?
I prefer to skip it, but I joined at least the party (don't want to be impolite) and my post proves I was here.
Weird that topics like this one have so many readings, while more important posts have only a few readings. :)
ErikAlbert
Simplicity is always brilliant.

#142 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 19 February 2005 - 11:38 PM

Well, now that ErikAlbert's finally here I guess I should close this interminable time waster. :D





