From: David H. Lipman on 23 Jun 2010 16:42

From: "~BD~" <BoaterDave.(a)hotmail.co.uk>

| Thank you for your comments, FTR. What you say makes sense.

| You will have realised long ago that I'm just an ordinary guy, not a
| computer expert. I did send various items to the police for examination
| but their overall reaction seemed to be that, as I'd eventually got my
| money back, no *real* crime had been committed! <shrug> The HTCU was
| under-resourced and had bigger fish to fry!

| Paying for private forensic examination of the machine didn't, at that
| time, seem appropriate. In fact I'm sure it would have cost many times
| more than a new machine! ;-)

| Now, almost 6 years later, I'm still wondering what might have been
| found! Oh well - we'll never know now!

| Thank you for helping me better understand all manner of things. It is
| appreciated. :)

| Take care.

| --
| Dave

Here's a Virus Total report on this Java Exploit...

http://www.virustotal.com/analisis/dc417d13a76244738f847018dde7af2e7f57b1f31b46836025c9fffd9299e670-1277325646

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: ~BD~ on 23 Jun 2010 16:43

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hvtslf0goe(a)news6.newsguy.com...
> From: "~BD~" <BoaterDave.(a)hotmail.co.uk>
>
> | Thank you for your comments, FTR. What you say makes sense.
>
> | You will have realised long ago that I'm just an ordinary guy, not a
> | computer expert. I did send various items to the police for examination
> | but their overall reaction seemed to be that, as I'd eventually got my
> | money back, no *real* crime had been committed! <shrug> The HTCU was
> | under-resourced and had bigger fish to fry!
>
> | Paying for private forensic examination of the machine didn't, at that
> | time, seem appropriate. In fact I'm sure it would have cost many times
> | more than a new machine! ;-)
>
> | Now, almost 6 years later, I'm still wondering what might have been
> | found! Oh well - we'll never know now!
>
> | Thank you for helping me better understand all manner of things. It is
> | appreciated. :)
>
> | Take care.
>
> | --
> | Dave
>
>
> Here's a Virus Total report on this Java Exploit...
>
> http://www.virustotal.com/analisis/dc417d13a76244738f847018dde7af2e7f57b1f31b46836025c9fffd9299e670-1277325646
>

Thank you for taking the time and trouble to post that item, David.

I'm a little surprised that the exploit is still active *and* that less
than one third of the AV programmes catch it!

BD
From: David H. Lipman on 23 Jun 2010 17:11
From: "~BD~" <BoaterDave.(a)hotmail.co.uk>

| Thank you for taking the time and trouble to post that item, David.

| I'm a little surprised that the exploit is still active *and* that less
| than one third of the AV programmes catch it!

| BD

When I first started learning about it that was my response. I have now
come to understand that this ByteVerify Exploit is an overarching concept
and thus there are always new techniques to the exploitation. Thus there
are always new variants.

You'll find these exploits in .CLASS files in Java Jars. A Java Jar is
actually a PKZip type file with the extension .JAR. The actual compiled
script is embedded in the .JAR file and has a .CLASS extension.

In this case, the file was called; AppleT.class

I received a sample in a file called; 3cad5568-7a29185e (no extension)

I examined the file and I saw the first two characters were; PK

This is indicative of being a PKZip type file so I renamed;
3cad5568-7a29185e to; 3cad5568-7a29185e.zip

And there was; AppleT.class

I submitted it to VT and got the report and thought I should point you to
it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
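The triage steps David describes above (look at the leading bytes for the PK signature, treat the extensionless file as a zip/JAR, find the .class entries inside, hash them for a scanner lookup) as an added worked example. This is editor-supplied Python, not code from either poster; the `build_sample_jar` helper fabricates a stand-in archive whose `AppleT.class` entry is just the Java class-file magic plus padding, not real bytecode, so the script runs offline and the sample is harmless. The size cap and the magic checks are additions of mine, not part of the thread.

```python
import hashlib
import io
import sys
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local-file-header signature of a PKZip archive
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every compiled Java .class file starts with this
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # refuse to inflate oversized entries (zip-bomb guard)


def looks_like_zip(data: bytes) -> bool:
    """The 'first two characters are PK' check from the thread, tightened to the
    full 4-byte local-file-header signature so text that merely starts with
    'PK' is not a false hit."""
    return data[:4] == ZIP_MAGIC


def triage_jar(data: bytes) -> dict:
    """Inspect a blob the way an analyst would before submitting it: hash the
    container, confirm it is a zip/JAR, and for each .class entry record its
    name, size, whether it carries the Java class magic, and its own SHA-256
    (the value one would look up on a scanning service)."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": looks_like_zip(data),
        "classes": [],
        "error": None,
    }
    if not report["is_zip"]:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(".class"):
                    continue  # manifests, resources etc. are not what we are after
                if info.file_size > MAX_ENTRY_BYTES:
                    report["error"] = f"skipped oversized entry {info.filename}"
                    continue
                body = zf.read(info)
                report["classes"].append({
                    "name": info.filename,
                    "size": len(body),
                    "java_class_magic": body[:4] == CLASS_MAGIC,
                    "sha256": hashlib.sha256(body).hexdigest(),
                })
    except zipfile.BadZipFile as exc:
        # PK signature present but the archive is truncated or corrupt
        report["error"] = f"bad zip: {exc}"
    return report


def build_sample_jar() -> bytes:
    """Constructed stand-in for the extensionless sample in the thread: a zip
    with a manifest and one entry named AppleT.class whose body is only the
    class magic, a version word and zero padding. It is NOT real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("AppleT.class", CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 16)
    return buf.getvalue()


def print_report(report: dict) -> None:
    print(f"container sha256 : {report['sha256']}")
    print(f"zip signature    : {report['is_zip']}")
    if report["error"]:
        print(f"note             : {report['error']}")
    for c in report["classes"]:
        flag = "class magic OK" if c["java_class_magic"] else "NO class magic"
        print(f"  {c['name']:<24} {c['size']:>7} bytes  {flag}  {c['sha256']}")


if __name__ == "__main__":
    # Usage: python triage_jar.py <file>   (no argument: run on the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    print_report(triage_jar(blob))
```

Hashing each .class entry separately matters because the container hash changes whenever the JAR is repacked, while the per-entry hash only changes when the class itself does; the `java_class_magic` flag catches entries that are named `.class` but are not class files at all.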