From: Whoever on
"FromTheRafters" <erratic(a)> wrote in

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:i2vted07ul(a)
>> From: "Virus Guy" <Virus(a)>
>> | FromTheRafters wrote:
>>>> When the most up-to-date removal tools don't get the job done,
>>>> you may want to resort to this:
>> | We are sorry, the page you requested cannot be found.
>> ditto
> I didn't watch it yet, but this may be it.
> spx

Looks like it has been removed. Here is a page that lists a number of his

Many of them are still available, though you need to use IE with
Silverlight installed in order to view them.

Don't bother trying to
contact me via email.
From: Ant on
"David H. Lipman" wrote:

> Thank you Ant.
> You 'da man! :-)

As long as it's not a dot-net executable!

From: Ant on
"David Kaye" wrote:

> Thank you, Ant! This appears to be exactly the situation. There is the
> Microsoft directory (in this case it's under Program Files) and the executable
> is the same. The vbs was also there, which I found out about on a hunch when
> I disabled the vb scripting engine and watched error messages come up left and
> right.
> What a nasty nasty infection.

Yes, nasty. It infects all candidate files on all drives with some
exceptions. However, it should be possible for a good AV to disinfect
files because it doesn't damage existing code.

More info on the infection mechanism...

It does NOT infect:-

1) Files in the windows directory and its subdirectories.

2) Any file or directory named "RMNetwork" (case sensitive).

3) Executables with a ".rmnet" section (this is the infection marker).

4) Executables which do not import the API functions "LoadLibraryA"
and "GetProcAddress". I don't know the reason for this but it means a
few will be left alone and all dot-net executables will be untouched.
Probably a larger percentage of DLLs will also be ok.

Otherwise it infects all files with the extension "exe", "dll", "html"
and "htm".

It creates hidden autorun.inf files on removeable drives only and
drops the infector (which autorun will launch) in a subdirectory of
RECYCLER. e.g, for a floppy drive:


The ## should probably be 2 random digits but in my test they were
invalid characters.

If the registy key HKEY_LOCAL_MACHINE\Software\WASAntidot is present
and has a value named "disable" it will skip the infection process and
pop up a messagebox: "Antidot is activate". However, it will still try
to call home and possibly download stuff.

A view of processes say, in Task Manager, on an infected system should
show an instance of your internet browser even if your browser is not
running. This is really the malicious code and injected DLL. The way
it achieves this is weird!

From: Dustin on
John Slade <hhitman86(a)> wrote in

> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>> From: "John Slade"<hhitman86(a)>
>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>> From: "John Slade"<hhitman86(a)>
>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net
>>>>>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>>>>>> news:i2o47d0214h(a)
>>>>>> From:
>>>>>> "russg"<russgilb(a)<mailto:russgilb(a)sbcglobal.n
>>>>>> et>>
>>>>>> | snip stuff about experienced posters only.
>>>>>> | I come here to learn, and there are some experts here.
>>>>>> | The OP considers himself an expert and only wants
>>>>>> | talk to experts. I would say his final approach of
>>>>>> | wiping and re- installing the OS (which he didn't
>>>>>> | mention), but first trying to save .docs, mp3 and other
>>>>>> | important files, is the only solution. I learned that
>>>>>> | RAMNIT.A is a PE infector, infects other known files,
>>>>>> | like IE. Here's some info at
>>>>>> |
>>>>>> atchedi.html?_log_ from=
>>>>>> | rss
>>>>>> | The OP knows the name of the malware, so he must have
>>>>>> | submitted a sample somewhere.
>>>>>> From Dave's first post...
>>>>>> "Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm
>>>>>> having a devil of a
>>>>>> time removing it. The only tool the detects it
>>>>>> consistently is MS Security
>>>>>> Essentials, and MSSE keeps counting it and "disinfecting"
>>>>>> it."
>>>>>> He didn't submit a sample somewhere, MSE scanned the
>>>>>> system, detected it
>>>>>> (Win32/RAMNIT.A ), but MSE failed to full remove and
>>>>>> clean the system of it. Dave also
>>>>>> indicated he tried Avast to no avail.
>>>>>> --
>>>>>> Dave
>>>>>> Multi-AV -
>>>>>> Having cast my eye through this post, I think I would
>>>>>> have given PrevX a go :-)
>>>>>> ...and having read
>>>>>> d=2008-011517-3725-99
>>>>>> ...I think (seeing as Sophos is armed against it), I'd
>>>>>> try Sophos CLS from Bart PE cd :-)
>>>>>> regards, Richard
>>>> | It seems the information I found on this worm is that it
>>>> | probably hides in the "system volume information" folder that
>>>> | is "read only" and "hidden" by default. The worm just keeps
>>>> | getting reinstalled and can't be cleaned unless the permissions
>>>> | are changed for that folder. The information on this site links
>>>> | to instructions for cleaning RAMNIT.A.
>>>> |
>>>> | This links to information on how to disable "system
>>>> | restore" in order to remove the infection. It may be possible
>>>> | to use some offline scanner like BitDefender to remove the worm
>>>> | but it's better done in Windows.
>>>> Sorry, you are mis-interpreting the information.
>>>> Malware doesn't "hide" in the "system volume information" folder.
>>>> That is where the System Resore cache resides. What they are
>>>> talking about is removing restore points such
>>>> that you won't re-infect the PC if you restore the PC from a
>>>> restore point that had made
>>>> in an infected condition.
>> | Some malware specifically uses the "system volume
>> | information" folder to reinfect the computer. It will infect
>> | multiple restore points even those that were there before the
>> | particular worm was introduced. I've had some experience with
>> | these.
>>>> Howver, I have learned that ist is NOT a good idea to dump the
>>>> System Restore cache while
>>>> cleaning a PC. It is better to have an infected, working, PC
>>>> than to have a a PC that may
>>>> be unstable and you can't restore the PC to a stable but infected
>>>> condition. Once the PC
>>>> is thouroughly cleaned and verified and is stable then you you
>>>> can dump the System Restore
>>>> cache.
>> | This is one reason us PROFESSIONALS do a complete drive
>> | backup before we remove the infection in this way. That way if
>> | something goes wrong, you can always go back to the beginning.
>> | It's possible to allow writing to the folder in question.
>> | I have cleaned a few computers in this way and I usually find
>> | that the restore points are not worth saving. I've had
>> | absolutely no systems lost due to cleaning out the system
>> | restore points. Never lost one and never needed to use the
>> | backup on these types of infections. I find it better to have a
>> | professional do the malware removal than someone who risks
>> | loosing everything because they're afraid to remove the restore
>> | caches.
>> | John
>> You said...
>> "Some malware specifically uses the "system volume information"
>> folder to reinfect the computer."
> Yes that's exactly what I said. One think I've noticed
> from 25 years of seeing malware is that the writers of malware
> will use anything and everything to infect a system. They will
> make it hard as possible to remove them too.
>> Since you also stated " PROFESSIONALS...".
> The professional thing to do is make a backup so you can
> do what needs to be done to repair the system. I don't usually
> hear other professionals say afraid to do something as simple as
> removing restore points to repair a system.
>> What is that malware spaecifically. You should know it or it
>> should be in your notes.
> I don't remember the exact name of the worms and trojans
> as it was over a year ago when I removed the last one. There are
> so many variants of existing malware and new malware out there.
> As for my notes, I don't need notes on specific malware I just
> do what it takes to remove whatever it is. My notes deal mostly
> with behavior of the malware and what it takes to remove it.
> However I still have the scanner logs I did then and I'll look
> through them. You should also know that scanners can find
> malware and not give it a name because it detects signatures and
> behavior. The particular malware may not be in the database as yet.

Wow. I had no idea.. /sarcasm.

> You should know there is malware out there that will
> trash the registry and it's backup. It will require some sort of
> reinstall to get the system back working. I found it very rare
> that I need to do a full reformat and reinstall because of
> malware. Some malware will also corrupt system files and when
> you remove them with scanners, it will make the installation
> unbootable. This is yet another reason professionals will make a
> backup if possible before removing infections.

What software do you use for the backup? Are you storing the backup on
read only media or a hard drive that could fail for any reason?

> I know there are a lot of fly-by-night computer repair
> people who are just there to do a quick fix and get paid, I find
> myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the work
they provide me tho. Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use the
work others have written, such as myself, David lipman and many others?

"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: Dustin on
TBerk <bayareaberk(a)> wrote in

> On Jul 29, 12:46�am, sfdavidka...(a) (David Kaye) wrote:
> <snip>
>> In over 8 years doing this full time I've only had to reformat
>> maybe 4 ti
> mes. �
>> I've had to reinstall the OS about 10 times. �But this one really
>> caugh
> t me by
>> surprise.
> Lets see...
> CP/M
> 8" floppy disks
> 5 1/4" floppies, but with Hard Sector holes cut in them
> Data Storage on Cassette Tape
> Soldering together your own Serial Cable to make sure you got the
> Handshaking right.
> Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.
> Hell, 'the Cuckoo's Egg' for that matter.
> TBerk
> Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
> double bill...

Which did you find to be more realistic for it's time? Sneakers or

"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.