Google finds a lot of historical material - http://www.google.co...GGGL_en___US231
I thought this article from 2002 was interesting - 9 pages! includes material about Kazaa, Gator, and their ilk. You may want to skip to page 3. http://www.sitepoint...efinitive-guide
Lots of resources on the web for those interested
Started by
cnm
, Jul 26 2008 09:39 AM
5 replies to this topic
#1
cnm
-
- Retired Staff
-
- 25,317 posts
Mother Lion of SWI
Posted 26 July 2008 - 09:39 AM
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
#2
Metallica
-
- Retired Staff
-
- 849 posts
Forum Deity
Posted 12 August 2008 - 01:07 PM
I remember starting this thread
http://www.wildersse...ead.php?t=15983
as a means to identify the first malwares using randomized filenames or needing special removal instructions.
Remeber LOP, RapidBlaster, Peper, PurityScan etc.
Some of them are still active (with "improved" versions)
http://www.wildersse...ead.php?t=15983
as a means to identify the first malwares using randomized filenames or needing special removal instructions.
Remeber LOP, RapidBlaster, Peper, PurityScan etc.
Some of them are still active (with "improved" versions)
#3
Galadriel
-
- Retired Staff
-
- 152 posts
CEO - Chief Elvish Officer
Posted 13 August 2008 - 12:42 AM
Thanks for posting that Pieter.
I remember that one.... it's the reason Merijn wrote ADS Spy... and later incorporated it in HT. The very first wild nasty using an ADS. Interesting, I'd been looking for reference about that specific one for a while. Thanks.
IRC trojan that attaches itself to the System(32) folder using a random filename.
AFlooder
Log example:
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
The name consist of seven letters (a-z)
Special instructions
Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"
I remember that one.... it's the reason Merijn wrote ADS Spy... and later incorporated it in HT. The very first wild nasty using an ADS. Interesting, I'd been looking for reference about that specific one for a while. Thanks.
I amar prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'
RIP Blacksheep - I love you!
'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'
RIP Blacksheep - I love you!
#4
ipl_001
-
- Ambassador
-
- 646 posts
Security Admin at Zebulon.fr
Posted 13 August 2008 - 07:17 AM
Hi cnm, Galadriel, Pieter, hi everyone,
Thanks for the link to your excellent thread, Pieter!
You revised it it September 2006, I don't know if you want to keep it uptodate, if so, you should change the URL of Merijn's tutorial to http://www.merijn.or...logtutorial.php in "Merijn has written a tutorial on what to remove with HijackThis." as well as Computercops' links to CastleCops'
Thanks for the link to your excellent thread, Pieter!
You revised it it September 2006, I don't know if you want to keep it uptodate, if so, you should change the URL of Merijn's tutorial to http://www.merijn.or...logtutorial.php in "Merijn has written a tutorial on what to remove with HijackThis." as well as Computercops' links to CastleCops'
Gérard 
Don't give up... that is what they want us to do... Budfred
Has SWI saved your system? Please, consider making a donation!
Don't give up... that is what they want us to do... BudfredHas SWI saved your system? Please, consider making a donation!
#5
Metallica
-
- Retired Staff
-
- 849 posts
Forum Deity
Posted 13 August 2008 - 11:52 AM
Galadriel,
I remember that one very well, because for quite a while we were only able to remove it with the Uninstall switch.
Can't remember who it was, that found a paper about a proof of concept, to attach an ADS stream to a folder.
I always wondered if it was luck that the viruswriter copied the uninstall routine as well, or if it was because they didn't understand how the whole thing worked either. :-D
Gérard,
I would have a hard time keeping all my posts updated. I'm glad I can keep up with my websites.
I think that thread is exactly what we are talking about here, history.
I remember that one very well, because for quite a while we were only able to remove it with the Uninstall switch.
Can't remember who it was, that found a paper about a proof of concept, to attach an ADS stream to a folder.
I always wondered if it was luck that the viruswriter copied the uninstall routine as well, or if it was because they didn't understand how the whole thing worked either. :-D
Gérard,
I would have a hard time keeping all my posts updated. I'm glad I can keep up with my websites.
I think that thread is exactly what we are talking about here, history.
#6
ipl_001
-
- Ambassador
-
- 646 posts
Security Admin at Zebulon.fr
Posted 13 August 2008 - 06:14 PM
Pieter,
LOL I can guess it easily!...
I would have a hard time keeping all my posts updated...
Gérard Don't give up... that is what they want us to do... Budfred
Has SWI saved your system? Please, consider making a donation!
Don't give up... that is what they want us to do... BudfredHas SWI saved your system? Please, consider making a donation!
