
Lots of resources on the web for those interested
#1
Posted 26 July 2008 - 09:39 AM
I thought this article from 2002 was interesting - 9 pages! includes material about Kazaa, Gator, and their ilk. You may want to skip to page 3. http://www.sitepoint...efinitive-guide
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
#2
Posted 12 August 2008 - 01:07 PM
http://www.wildersse...ead.php?t=15983
as a means to identify the first malware using randomized filenames or needing special removal instructions.
Remember LOP, RapidBlaster, Peper, PurityScan etc.


Some of them are still active (with "improved" versions)
#3
Posted 13 August 2008 - 12:42 AM
IRC trojan that attaches itself to the System(32) folder using a random filename.
AFlooder
Log example:
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
The name consists of seven letters (a-z).
Special instructions
Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"
I remember that one.... it's the reason Merijn wrote ADS Spy... and later incorporated it in HT. The very first wild nasty using an ADS. Interesting, I'd been looking for reference about that specific one for a while. Thanks.

'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'
RIP Blacksheep - I love you!
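An added example, not from this thread or from HijackThis itself: a small checker for O4 lines of the kind quoted above. It flags a command whose path carries an alternate data stream on a host that looks like a folder (as with System32:leuimnd.dll), and notes whether the value name matches the seven-lowercase-letter pattern described. The log lines are constructed from the post plus one benign entry; the regexes and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O4 (autostart) line: "O4 - <hive>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# A Windows path whose last colon is not the drive-letter colon names an
# alternate data stream: <host path>:<stream name>. Hosts containing spaces
# are not matched by this simple pattern (assumption/limitation of the example).
ADS_RE = re.compile(r"(?P<host>[A-Za-z]:\\[^:,\s]*):(?P<stream>[^,\s]+)")

@dataclass
class Finding:
    value: str              # registry value name, '*' RunOnce prefix stripped
    host: str               # file or folder that carries the stream
    stream: str             # stream name, e.g. leuimnd.dll
    host_looks_like_folder: bool  # host's last path component has no extension
    random_name: bool       # value name matches the seven-letter a-z pattern

def analyze_o4(line: str) -> Optional[Finding]:
    """Return a Finding if this O4 line launches something from an ADS, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    ads = ADS_RE.search(m.group("cmd"))
    if not ads:
        return None
    value = m.group("value").lstrip("*")
    host = ads.group("host")
    last = host.rsplit("\\", 1)[-1]
    return Finding(
        value=value,
        host=host,
        stream=ads.group("stream"),
        host_looks_like_folder="." not in last,
        random_name=re.fullmatch(r"[a-z]{7}", value) is not None,
    )

def scan_log(text: str) -> List[Finding]:
    """Run analyze_o4 over every line of a HijackThis log and collect hits."""
    return [f for f in (analyze_o4(l) for l in text.splitlines()) if f]

# Constructed sample: the two lines quoted in the thread plus one benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```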
#4
Posted 13 August 2008 - 07:17 AM
Thanks for the link to your excellent thread, Pieter!
You revised it in September 2006. I don't know if you want to keep it up to date; if so, you should change the URL of Merijn's tutorial to http://www.merijn.or...logtutorial.php in "Merijn has written a tutorial on what to remove with HijackThis." as well as Computercops' links to CastleCops'.


Has SWI saved your system? Please, consider making a donation!
#5
Posted 13 August 2008 - 11:52 AM
I remember that one very well, because for quite a while we were only able to remove it with the Uninstall switch.
Can't remember who it was that found a paper about a proof of concept to attach an ADS stream to a folder.
I always wondered if it was luck that the viruswriter copied the uninstall routine as well, or if it was because they didn't understand how the whole thing worked either. :-D
Gérard,
I would have a hard time keeping all my posts updated. I'm glad I can keep up with my websites.

I think that thread is exactly what we are talking about here, history.

#6
Posted 13 August 2008 - 06:14 PM
LOL I can guess it easily!...
I would have a hard time keeping all my posts updated...