Lots of resources on the web for those interested

#1 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 26 July 2008 - 09:39 AM

Google finds a lot of historical material - http://www.google.co...GGGL_en___US231

I thought this article from 2002 was interesting - 9 pages! It includes material about Kazaa, Gator, and their ilk. You may want to skip to page 3. http://www.sitepoint...efinitive-guide
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#2 Metallica

    Forum Deity

  • Expert
  • 849 posts

Posted 12 August 2008 - 01:07 PM

I remember starting this thread
http://www.wildersse...ead.php?t=15983
as a means to identify the first malware using randomized filenames or needing special removal instructions.

Remember LOP, RapidBlaster, Peper, PurityScan etc.
Some of them are still active (with "improved" versions).

MVP Windows Security 2003-2015

Remove and prevent spyware


#3 Galadriel

    CEO - Chief Elvish Officer

  • Retired Staff
  • 152 posts

Posted 13 August 2008 - 12:42 AM

Thanks for posting that Pieter.

IRC trojan that attaches itself to the System(32) folder using a random filename.

AFlooder

Log example:
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1

The name consists of seven letters (a-z)

Special instructions

Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"


I remember that one.... it's the reason Merijn wrote ADS Spy... and later incorporated it in HT. The very first wild nasty using an ADS. Interesting, I'd been looking for reference about that specific one for a while. Thanks. :)
I amar prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel

'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'


RIP Blacksheep - I love you!
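The AFlooder entry quoted above is a useful worked case for the ADS trick Galadriel and Pieter are describing: the module HijackThis shows, C:\WINDOWS\System32:leuimnd.dll, is not a file inside System32 but a named stream hanging off the System32 directory itself, which is why a normal directory listing never showed it and why a dedicated tool like ADS Spy was needed. The script below is an added example, not code from this thread or from HijackThis or ADS Spy. It parses O4 lines in that log format, pulls out the module each entry really loads (after rundll32, whose argument is <dll>,<entrypoint>), flags any target whose path carries a second colon as an alternate data stream on the host file or folder, notes the seven-letter a-z name pattern the thread gives and the "*" prefix on a RunOnce value (which makes Windows run the value even in Safe Mode), and produces the removal command from the special instructions. The log lines are constructed for the example: the first two copy the entry quoted above, the other three are made-up benign entries for contrast. The Uninstall export is assumed to exist only because the thread says this sample provides one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the first two lines reproduce the AFlooder entry quoted
# in the thread; the remaining three are made-up benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] "C:\Program Files\Vendor\update.exe" /quiet
O4 - HKLM\..\Run: [BT] rundll32 C:\WINDOWS\System32\bthprops.cpl,,BluetoothAuthenticationAgent
"""

# HijackThis O4 line layout: "O4 - <key>: [<value name>] <command line>"
O4_LINE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$')
# A second colon after the drive letter, inside the last path component, is an NTFS
# stream reference: "C:\WINDOWS\System32:leuimnd.dll" -> host "C:\WINDOWS\System32",
# stream "leuimnd.dll". The host may be a directory, which is the AFlooder trick.
ADS_PATH = re.compile(r'^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^\\:]+)$')
# The naming pattern the thread gives for this family: seven letters a-z.
RANDOM_NAME = re.compile(r'^[a-z]{7}$')


@dataclass
class Finding:
    key: str
    value: str
    target: str                 # module the entry loads
    ads_host: Optional[str]     # file or folder the stream hangs off, if target is an ADS
    ads_stream: Optional[str]
    random_name: bool
    safe_mode_runonce: bool     # RunOnce values named "*..." also run in Safe Mode


def launch_target(cmd: str) -> str:
    """Return the module an O4 command line actually loads."""
    if cmd.lower().startswith('rundll32 '):
        # rundll32 syntax is <dll>,<EntryPoint> [args]; the DLL spec ends at the first comma
        spec = cmd[len('rundll32 '):].strip()
        return spec.split(',', 1)[0].strip('"')
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def analyze_log(text: str) -> List[Finding]:
    """Parse every O4 line in a HijackThis-style log into a Finding."""
    findings = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        value, target = m['value'], launch_target(m['cmd'])
        ads = ADS_PATH.match(target)
        findings.append(Finding(
            key=m['key'],
            value=value,
            target=target,
            ads_host=ads['host'] if ads else None,
            ads_stream=ads['stream'] if ads else None,
            random_name=bool(RANDOM_NAME.match(value.lstrip('*'))),
            safe_mode_runonce=m['key'].endswith('RunOnce') and value.startswith('*'),
        ))
    return findings


def ads_findings(findings: List[Finding]) -> List[Finding]:
    """Only the entries whose launch target lives in an alternate data stream."""
    return [f for f in findings if f.ads_host is not None]


def uninstall_command(finding: Finding) -> str:
    """The removal step from the thread's special instructions: call the DLL's own
    Uninstall export. That export is assumed to exist because the thread says so."""
    return f'rundll32 {finding.target},Uninstall'


if __name__ == '__main__':
    for f in ads_findings(analyze_log(SAMPLE_LOG)):
        print(f'{f.key} [{f.value}] loads stream "{f.ads_stream}" attached to {f.ads_host}'
              f' (seven-letter name: {f.random_name}, Safe Mode RunOnce: {f.safe_mode_runonce})')
        print('  removal per thread:', uninstall_command(f))
```

Run as-is and it reports both AFlooder lines and nothing else; feed it a real log and the colon test is the part that matters, since a stream attached to a folder passes every "does this file exist" check a cleanup tool of that era would make. The RunOnce "*" flag is worth keeping in view because it is what lets the second entry survive a Safe Mode boot, which is often the first thing people try.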

#4 ipl_001

    Security Admin at Zebulon.fr

  • Ambassador
  • 646 posts

Posted 13 August 2008 - 07:17 AM

Hi cnm, Galadriel, Pieter, hi everyone,

Thanks for the link to your excellent thread, Pieter!
You revised it in September 2006. I don't know if you want to keep it up to date; if so, you should change the URL of Merijn's tutorial to http://www.merijn.or...logtutorial.php in "Merijn has written a tutorial on what to remove with HijackThis." as well as Computercops' links to CastleCops'.
Gérard
Don't give up... that is what they want us to do... Budfred
Has SWI saved your system? Please, consider making a donation!

#5 Metallica

    Forum Deity

  • Expert
  • 849 posts

Posted 13 August 2008 - 11:52 AM

Galadriel,

I remember that one very well, because for quite a while we were only able to remove it with the Uninstall switch.
Can't remember who it was that found a paper about a proof of concept to attach an ADS stream to a folder.
I always wondered if it was luck that the virus writer copied the uninstall routine as well, or if it was because they didn't understand how the whole thing worked either. :-D

Gérard,

I would have a hard time keeping all my posts updated. I'm glad I can keep up with my websites. ;)
I think that thread is exactly what we are talking about here, history. :)

MVP Windows Security 2003-2015

Remove and prevent spyware


#6 ipl_001

    Security Admin at Zebulon.fr

  • Ambassador
  • 646 posts

Posted 13 August 2008 - 06:14 PM

Pieter,

...
I would have a hard time keeping all my posts updated...

LOL I can guess it easily! :D
Gérard
Don't give up... that is what they want us to do... Budfred
Has SWI saved your system? Please, consider making a donation!