Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
Re:Could Sasser possibly affect Linux?
-
Re:I respectfully disagree
looking at nothing but the BIOS info
Dude, if you're looking at the BIOS info you're still lucky. A trojan such as CIH, a.k.a. Chernobyl, wipes out both the first 1MB on your HD and your BIOS chip. Turns your $5000 Windows server into a huge paperweight.
I suppose that if that kind of worm hasn't been around for a while, it's mainly because serious blackhat hackers prefer the infected computer alive with a backdoor to just plain dead. Very useful for installing spam relays.
-
Re:Virus scanners suck
-
Re:Virus scanners suck
-
Re:Heh
Not sure if this is serious or not, but the following text is in the virus code itself:
(^.^) insert witty message here (^.^)
Link
-A
-
Nothing inherently better about Unix architecture
Sorry, but you're wrong. Windows NT has its architectural roots in VMS, not MS-DOS.
And since you're in need of a history lesson: the RTM worm spread via email (sort of) on Unix systems, and several Unix/Linux virus and worms have been discovered in the wild - Lion which spreads via a vulnerability in BIND, Bliss which infects ELF executables, Sadmind aka PoizonBox which targets both Solaris/sadmind and Windows/IIS, Staog, etc. Lindose can infect both ELF and PE executables but it's only a proof of concept.
Hell, there were even a few worms and trojans running around on VMS back in the day.
When written by noobs, virus/worms/trojans are a popularity contest, nothing more. When written by those skilled in the art, malicious mobile code is about risk management, engineering costs, and return on investment. Thus endeth the lesson.
*plonk*
(I was going to moderate this guy's post up, but since no one else has educated this newbie, I guess I'll have to leave the positive moderation to someone else.)
-
-
Re:This is an interesting one, almost biological
There were some really evil viruses back in the day. Fumble: This virus will generate typing errors, every now and then. That is, if you press the "R" key for example, it will occasionally insert another letter like "E" in the text instead. dBASE: The dBase virus is very rare, but rather curious. It is clearly intended to garble dBase files, or rather any file with a name that ends in .DBF.
If the virus is active in memory when a program writes to a .DBF file, it will garble all the outgoing data. However, when the data is read back later, the virus will correct the garbled data.
There is just one problem. If the virus is detected and removed, the data will be useless because the virus will not be present to "de-garble" it when it is read back.
There is a more harmful side to this virus. If an attempt is made to write to a .DBF file that is more than three months old, the virus will try to destroy the FAT and root directory on drives D:, E: .... Z: There is a bug in the code, however, so the destruction will be rather unpredictable. I have no idea why someone hasn't put an imaginatively evil payload in a modern virus.
-
Re:Suspicious...
Sorry, it's not a "phake".
http://www.f-secure.com/v-descs/agobot_fo.shtml
NAME: Agobot.FO
ALIAS: Backdoor.Agobot.fo, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
ALIAS: Phatbot, Phat
There's no need to make this stuff up - there is already more malware out there than is being analyzed. I often find trojans that are undetected by AV but were compiled 2 or 3 months before.
-Joe
-
here it is
there is a tool for checking your system. the link is supposedly in the article but I found it through evilavatar.com.
anyway, here is the removal tool
-
Re:AV companies have no info
-
Re:DoomNet...
-
Re:DoomNet...
-
Re:It's an open source virus! (Screenshot of src)
For the lazy/short-attention-span/ADDHD, here's a quick link to:
Screen shot of MyDoom.A source code (160 KB GIF).
-
Unix programmer
If you have seen the source code, the programmer doesn't use the standard Windows (hungarian) notation. His coding style is more of a unix/linux programmer. Today SCO will use this as evidence that a linux programmer wrote the virus... There's a picture of parts of the code here if you don't have the source code.
-
It's an open source virus!
Doomjuice distributes source code for MyDoom.A
Making this one of the first high-profile open-source viruses?
<zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>
-
Speculation on Doomjuice purposes
Early articles had some speculation that it must have been written by the original author of Doomjuice. On the other hand, there are now two parasitic viruses out there (Doomjuice and Deadhat) taking over MyDoom-infected boxen, so it's probably easier than that security expert thought. And Deadhat (aka Vesser) kills off any anti-virus and firewall software it can find, leaving a properly encrypted backdoor for its own 0wner to use.
-
Parasitic Viruses attacking My-Doom Infected Boxen
Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)
-
What they didn't include in the article
Curiously, this article seems to imply that there was a political agenda behind DDoSing SCO - but to quote Mikko Hypponen of F-secure a bit more:
"It's also possible the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus - which is most likely included in order to facilitate sending of spam email messages."
Similar, albeit longer, quote from him asserting that indeed spammers were behind this worm was in the local newspaper on Friday, but it's in Finnish and I'm too lazy to translate it. But the above quote can be found here.
-
Re:Who Said It'll Attack SCO? & A FUDworm?
Okay, let's go over some of the facts:
- The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.
- Norton Antivirus believes the payload to be an active DDOS against www.sco.com. So does F-Secure. So does McAfee.
- You can look at the worm yourself and verify that it contains references to www.sco.com. Combine this with the fact that the worm is fairly small and is UPX compressed, you can conclude that the worm author took up space with the reference for a reason, either to create conspiracy theories (which would be unprecedented for a worm/virus I believe) or it's actually to DDOS a website (happens all the time with worms/viruses).
- The partial disassembly that people have posted so far indicates that the worm does use the www.sco.com address while creating a thread, opening a socket, and sending some data.
-
Re:Funny things on the inside
o Then some more weirdness:
probably some form of rot-13 encryption algorithm. /abcd
ghijklm
pqrstNwxyzg
ABCDEFGHIJKLMNOPQRSTU VWXYZ
I guess this cracker knows the alphabet. I am impressed!
-
the giveaway
Alright. Now listen up. Here's the deal....and I'm not accusing anyone...I'm just saying...
"The worm encrypts most of the strings in it's UPX-packed body with ROT13 method,"
I *KNOW* it was one of you fuckers...
-
Off-Topic
F-Secure has a pdf file that shows the structure of the virus payload. The image looks like it's the output of some disassembler or debugger, but I haven't run across one that puts everything in nifty map like that. Does anyone here know what was used to create that pdf file?
-
Re:Great Ways to Prevent Spreading Viruses
As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
Looking at NAV CE 7.6 processes on my PC right now the largest memory size being used is around 1.2 megs...
I didn't think I had a virus either until one day I logged into my pc and got a bunch of red dots all over my screen - turned out to be this - that was an odd one mainly because McAfee didn't detect it however NAV did.
-
Re:Antivirus Company Submissions
F-Secure detects it, since yesterday. There's a removal tool there too.
Bagle description
-
Kazaa is adware, spyware, and virusware, remember
Don't forget how much Kazaa does to any machine it's on. If you sign up for Kazaa, Brilliant Digital has the right to run arbitrary distributed apps on your machine. And they do!
There are Kazaa viruses. So far, they've been dumb; they just create infected files shared by Kazaa. They don't exploit the system through which Brilliant can push programs onto client machines. Someday someone will write a worm that does that, and all Kazaa clients online will be infected within hours.
-
Re:In all areas
Our head of department once gave me a lecture over playing Flash games online cos they "could be virus-infected". If there's a way that this is possible, someone please tell me.
You mean like this? The vulnerability has been patched, but that doesn't mean the architecture isn't vulnerable to viruses anymore. Not to say that the administrator in question is the most brilliant guy in the world, but at least he stayed tuned in to his virus warnings.
-
Re:How does he know ???
Apparently, not one of those guys, as none on the Spamhaus page are French (scroll down the page to find the hidden text within the worm)
-
Being nostalgic
Ah, Cascade, which caused the letters on the DOS text screen to tumble down to the bottom. Not the first virus, and not the most damaging virus, but certainly one of the more amusing ones ;-)
-
Re:Security at last?
Could this mean that Microsoft are, at long long last, taking security seriously?
Hahahaha! Tell me another one! That was GREAT.
Come on. "Trustworthy Computing" was supposed to be Microsoft's stab at taking security seriously - an initiative that, in two months, will be two years old. Not much has changed.
Trustworthy Computing was the launch of some kind of supposed effort by Microsoft to tighten down security in their products. That obviously failed. So now, rather than stomp out the bugs in their products, they figure they might have better success by simply eliminating those who exploit the bugs.
-
Some free and some Free
Some free, Free and not so free applications:
Web browser: Mozilla Firebird (Win / linux)
Email: Eudora (win), Evolution (linux)
Office suite: OpenOffice.org 1.1 (win / linux)
SSH client: putty (win), openssh (linux)
Video player: VLC (win / linux) or BSPlayer (win) and Xine (linux)
Editor: Textpad (windows), Kate (linux)
Chat: Jabber PSI (win / linux)
Firewall: Kerio (win)
Anti virus: F-Secure (not free) (win)
- Ost
-
OT: Definition rant
And I'm getting fed up with people who seem to think infection vectors are a good way to classify malicious mobile code. Personally, I don't see much of a difference between viruses, worms, malware, spyware, etc. It's all basically "bad stuff running on your computer". Some are network aware, some hide in executables, all do bad things and are pretty pernicious.
Oh and by the way, you are wrong about there being no Linux viruses found in the wild. There are several: Staog, Bliss, and Etap (aka Metaphor).
-
Re:Alternatives with unforeseen consequences?
A little bit of uneasiness now, but protection from all but the most determined adversary. And the law already completes the vaccine analogy by punishing those who are caught actually perpetrating the crime.
Personally, I'd rather not throw kids in jail and ban them from computer usage once they get out - that's a good way to create a hardened criminal or a very bitter and suicidal geek.
There will always be someone writing viruses - whether for misguided political motivations, as a last gesture from a disgruntled employee, or for commercial interests. For example, there's a lot of speculation that SoBig is the work of a professional spammer.
But it would be good to take the kids out of the equation without destroying their futures.
And unfortunately, I'd hardly say that typical security has gotten much better since the Morris worm made its rounds years ago. It's still the same in most places - nonexistent. Places that hire good people to protect their systems improve every day, but for most companies they don't seem to think security is worth the salary a really competent sysadmin usually requires (or they simply can't afford it).
I don't think that's going to change until having a virus take down a company's servers has a larger chance of destroying the company rather than just inconveniencing it.
-
Macintosh users are unaffected?
Like hell Macintosh and Linux users are unaffected. I've been getting hundreds of copies of these little motherfuckers per day for the past few days. The spamassassin mailing list has been deluged with requests and suggestions of rules to block the damned things (along with the usual idealist whining that viruses/worms are not spam and therefore outside spamassassin's scope-- sorry guys, but it's both prodigious and unwanted, therefore it's spam, albeit not of a commercial nature).
F-Secure's detailed write-up of Gibe/Swen includes examples of several of the worm's canned subject lines and body phrases (not only does the worm pretend to be a security patch from Microsoft, it also pretends to be a message being 'returned' to you in other copies). Bah. Outlook must die.
-
Swen is not 100% trojan
It offers multiple modes of infection, including email and Usenet (as a trojan), but also as a self-propagating worm via fileshare, Kazaa, and IRC.
-
Since we all know that cellphones are dangerous
emitters of radiation, one would think this wouldn't be a problem.
;>
-
Re:GPL - Source Posted
Slapper
were the first two that came up in google for me, but there were quite a few more. Apache is a target because it has market share on web servers, just as MS is a target because it has market share on desktops.
Don't take this as Linux/Apache bashing... I'm all for open source, and I don't care at all for MS's business practices. But I do write Windows code for a living right now (love the life of a contractor.. ugh). I haven't been hit by a virus/worm in several years, and I host a web server from my home. I'm current on security patches, and most of them don't require a reboot. I just get torked off when spin gets added to news like this.
-
Trojan, or propaganda?
Now please, don't flame me as a fan of mainland China's repressive regime. But the Taiwanese government doesn't exactly have the world's best track record, as I recall. I hear occasional notes about "problems" with civil rights, and then there's the whole pirated anime problem.
So when I read this line:
"National intelligence has indicated that an army of hackers based in China..."
my BS-o-Meter starts clicking. Though the article is non-technical, it includes other notes that make the meter tick faster:
"...has successfully spread 23 different Trojan horse programs... 10 private high-tech companies... break into at least 30 different government agencies and 50 private companies," Cabinet Spokesman Lin Chia-lung said yesterday.
We have a lot of big, scary numbers... but no hard information about the programs, the companies, or the government agencies.
In fact, the "23 different Trojans" makes me think that the government cabinet member is talking out of his butt. More likely, nobody's been running virus protection, and those 24 Trojans are simply members of F-Secure's wildlist.
Then, there's this "helpful" suggestion:
"If there's any lesson from this experience, it is not to use software developed in China or hire Chinese computer programmers, because you're running the risk of having the software you use implanted with the Trojan-horse program," he said.
That sounds like nothing more than the usual tit-for-tat barbs that Taiwan and China have been throwing across the strait for decades. In fact, I suspect that's what this whole Trojan Horse issue is -- all bluster, no substance.
And finally, off the actual topic: let's watch the Slashdot effect in action! When I first hit the Taipei Times article, it included this text at the bottom:
This story has been viewed 1128 times.
By the time I typed this comment, the number had not changed, so I'm probably getting a cached copy. What did it show when you hit it?
-
This software will help if you got the virus
I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.exe
-
Why stop it?
From F-Secure Virus Information:
Starting from 16 of August machines infected with Lovsan will send massive amounts of packets to windowsupdate.com. 40 byte packets are sent in 20 millisecond intervals to port 80. This might cause a Distributed Denial-of-Service attack on that website.
Let it spread freely! On August 16 I'll be trying to run it under Wine to see if I can be of some help.
-
These have been available...
... on the Nokia 9210 (or 9290 for those in the US) for some time... both VNC and SSH ports have been available for (as far as I remember) over a year... ssh.com used to do a client too, but I can't see it on their site any more... I've found the ssh client very useful, e.g. it means I can set a task (e.g. a long compile) going, leave, then check up on it later from wherever I happen to be...
-
Re:maybe I'm just a half-full kinda guy...
Don't forget my favorite - f-prot!
Works on most any platform, and is very good about catching viruses. Works well on our qmail and sendmail mail servers, with qmail-scanner and mailscanner, respectively.
-Ben
-
I LOVE Postgresql!
Did you know that the "q" in qmail stands for "queer"??? That's SO cool!!!
Top results for one-letter google searches as of Sat May 17
a : Apple
b : B'Tselem, The Israeli Information Center for Human Rights in the ...
c : CNET.com
d : D-Link Systems, Inc.
e : Welcome to E! Online
f : Welcome to F-Secure, Securing the Mobile Enterprise
g : G*Loomis
h : H-Net, Humanities & Social Sciences Online
i : Yahoo!
j : J-???
k : KDE Homepage - Conquer your Desktop!
l : LEXPRESS.fr : l'info au quotidien. L'actualité économique, ...
m : 3M Worldwide
n : SBC Pacific Bell Knowledge Network Explorer : Online Learning : ...
o : www.oreilly.com -- Welcome to O'Reilly & Associates -- computer ...
p : Alfred P. Sloan Foundation
q : Q4music.com - The World's Greatest Music Magazine Online
s : GNU's Not Unix! - the GNU Project and the Free Software ...
t : AT&T
u : The whatUseek Network
v : Welcome to Bobby WorldWide
w : Welcome to the White House
x : Netscape.com
y : Yahoo!
z : HealthAtoZ - Your Family Health Site
-
Re:method
Through outlook, and by the user downloading warez from Kazaa.
-
You're not looking hard enough
I have a hard time believing your management is saying "We want OpenSSH!". They're probably saying: "We want SSH!". If so, there are supported commercial SSH implementations.
Likewise, don't confuse a specific product with a class of products. If there's a market for it (especially a corporate market), there's probably a vendor selling something that will meet your needs.
Also, don't look at list prices and scream: when you're buying for a corporation, you're rarely paying list price (unless you're only purchasing a few licenses).