From: John Slade on
On 8/1/2010 3:04 PM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:ILj5o.44119$4B7.2363(a)newsfe16.iad:
>
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>>>>>> You should know there is malware out there that will
>>>>>> trash the registry and its backup. It will require some sort of
>>>>>> reinstall to get the system back working. I found it very rare
>>>>>> that I need to do a full reformat and reinstall because of
>>>>>> malware. Some malware will also corrupt system files and when
>>>>>> you remove them with scanners, it will make the installation
>>>>>> unbootable. This is yet another reason professionals will make a
>>>>>> backup if possible before removing infections.
>>>>>
>>>>> What software do you use for the backup?
>>>>
>>>> I will either use Acronis' or Paragon's backup software
>>>> depending on the situation.
>>>>
>>>>> Are you storing the backup on
>>>>> read only media or a hard drive that could fail for any reason?
>>>>
>>>> You mean WORM(Write Once/Read Many) media don't you? That
>>>> media can fail also. No media is perfect. I store the backup on
>>>> business or enterprise grade HDs and will transfer to other
>>>> media if the customer wants that backup. If it's a large backup
>>>> they will have to pay me for it. Tell me what software and
>>>> hardware would you use to backup your customer's HD before you
>>>> start removing malware?
>>>
>>> I haven't heard the acronym WORM in years... Damn, you have been
>>> around a long time. :) I was thinking of cd-r or perhaps dvd-r
>>> material.
>>
>> It would be OK for DVD-R if the backup is small. But
>> swapping 20 or more DVDs is a pain.
>>
>>>
>>> It depends. When I was working at a computer shop; I'd either use
>>> norton ghost corp edition or the hardware drive cloning device we
>>> had at the time.
>>
>> I rarely use Ghost these days, it used to be the only
>> thing I ever used.
>>
>>
>>> I really didn't see much point in cloning a malware drive
>>> for malware removal; I wasn't stupid enough to trash my backups of
>>> the registry or important files. besides, I wrote several utilities
>>> to assist me in verifying various windows dll/exe files were still
>>> intact and okay for reuse.
>>>
>>
>> Yea that's good for you, but when you're working for
>> someone else and they have important data they want to save, I
>> will backup. Most of the time the customer doesn't have a
>> backup. A lot of times the customer has a HD that's five or six
>> years old and they really need a backup done. Then there are the
>> times when I'm working for a young person and they don't want a
>> backup they just want the drive wiped and they want the OS
>> installed.
>
> There's your odd attitude again. What makes you think I wasn't working
> for someone else when I did those things? Obviously since I didn't own
> the shop, I was working for someone else.

Well you made it sound like you were doing it for yourself.

>
> Btw, What certifications do you presently hold? I'm just lowly
> A+/network+ (back when that stupid thing was still considered worth the
> paper it's printed on). Are you MCSE?
>

I took courses and wound up teaching an A+ class. A+ is a
good place to start for someone looking to get certified for
work at some company that requires that cert. I view the MCSE
certification as pretty much a money making scam. I look at MCSE
certifications as a joke in many cases because some courses just
teach people how to pass the certification test. I took a long
MCSE certification course but I never needed to be certified as
I went into business for myself. I found most of the things
covered were knowledge I already had. I also found that many MCSE
"certified" people don't know a lot. Well they do know how to
pass that test!

I don't need any of those certifications, it's a waste of
money.


>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you know,
>>> different places have different policies.
>>
>> I work mostly with home users and small businesses and a
>> lot of times they have personal stuff they want to save. So I'll
>> do a quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to backup because the data isn't important. In
>> David's response he seems worried about saving data so I
>> wondered why he wouldn't backup.
>
> I see. It's the corp customers who can be.. a bit, on the anal side at
> times. At the end of the day tho, you do whatever customer wants.
>
>>>
>>> Why do you spend the additional time to clone an entire drive for a
>>> malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot
>> safer for the user's data. In most cases it actually takes
>> longer to install, upgrade and reinstall software for the
>> customer. Most of the time I backup less than 150GB.
>
> I'm just wondering what you mean by safer for the user's data then I
> guess. If it's a malware issue, the user's data itself shouldn't be
> affected much if at all; it's the applications and little.. extras that
> may be of concern.

It's not JUST the malware issue, I already explained that
often HDs I work on are pretty old. Also when you start cleaning
files the system may not boot, data may be destroyed. There are
lots of reasons to backup and that's what I learned over the years.

>
>>> I understand. It just seemed as if you were being a wiseass towards
>>> David, from my POV. I didn't personally see any need in doing that.
>>> We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why
>> he didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why,
>> a backup can solve this problem. I guess he realized it was a
>> good idea so then he got snippy.
>
> Well, along with potentially good dlls you might want to use to avoid
> having to reinstall; comes several stages of the systems registry
> hives. All valuable if you're into recovering the system, as opposed to
> wiping and starting over. I see no reason to obliterate the restore
> points right away; they still contain potentially useful data to me.
>

You may or may not have to delete restore points. It
depends on the particular malware.

> What separates some professionals from others is the ability to restore
> the system without resorting to wiping and reloading as really, anybody
> could do that. In many cases, not all, but many, you don't have to wipe
> and reload the entire system to get rid of the malware.

Yea that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed and it does happen.

>
> Could you imagine, reloading the system to get rid of antivirusxp2010?
> You'd agree, that would be an incompetent action to take?

I've removed that particular infection before and didn't
need to reinstall anything.


>>>
>>>> So tell me what products have you and David Lipman
>>>> written and where can I check them out?
>>>
>>> I've written all kinds of old utility style apps, as you've been
>>> around so long you might know a few of them.. Cmoscon, encode,
>>> delock, and various others. If you're into crypto/security, you might
>>> even know the old dos file/freespace wiping app called NuKE and/or
>>> possibly CryptX.
>>>
>>
>> I've heard of some of those.
>>
>>> In more recent times, I developed an antimalware scanner (that's
>>> why I found your description on how they worked amusing. hehehe)
>>> called BugHunter. I did a stint as a malware researcher for an app
>>> called Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a
>> virus writer will use anything to hide a virus. What smarter way
>> is to hide them in each and every folder in "system volume
>> information"? I do believe that what the system had was a
>> variant of the Virtumonde trojan. If you did research on malware
>> then you know virus writers will take existing malware and
>> modify it. I found one thing to be true in the world of malware,
>> NOBODY knows everything about every malware variant out there.
>> You can believe me or not, it doesn't matter.
>
> Well, I found it funny from the point of view of a former virus writer
> turned whitehat. Does that make any sense to you?

>
> Why would I spend the time to hide a virus in a folder, when I could
> choose files? You could just delete me if I stored myself in a folder
> in a binary format alone. If I reside in your files instead, I'm a lot
> harder to deal with.

Well you could choose particular files in the restore
point folders, you could tell it to create a restore point and
infect the system files. The advantage is the malware scanner
will not clean it because it's a read only folder by default.

>
> It's entirely possible the individual does have a virut variant, I
> haven't seen the sample to confirm or deny that. Based only on what Ant
> has written up about it tho, doesn't seem to indicate virut; but
> something possibly forked from the same original codebase.
>

All I remember is that the many restore points were all
infected with the same malware. Restore points that were there
before the malware was installed by the user. The malware was in
some pirated software that was installed a couple of days before
I was called.

John


From: "FromTheRafters" erratic on
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

[...]

>>> I don't know why you would find it funny because a virus writer will use
>>> anything to hide a virus. What smarter way is to hide them in each and
>>> every folder in "system volume information"?

> I didn't know Dustin Cook existed until he responded for you. But I've
> been reading some in alt.comp.viruses and I find it well...interesting...
> If he wrote viruses then he more than anyone should know that what I said
> happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.

I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Some malware sorta infests the "System Volume Information" folder - what
actually happens is that when the AV requests deletion of a detected malware
file, the OS makes a copy and stores it there just in case you didn't
*really* want it deleted.


From: David H. Lipman on
From: "FromTheRafters" <erratic @nomail.afraid.org>

| "John Slade" <hhitman86(a)pacbell.net> wrote in message
| news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

| [...]

>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?

>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.

| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.

| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.


It doesn't really have to do with an anti malware application deleting a file. That's the
Recycle Bin, and only the OS Shell (explorer) will place the files in the Recycle Bin.

In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download an EXE or DLL and it
will be in the cache and reference the location of where it was in the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lays dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original location thus reviving them
from dormancy. However malware is not known to "hide" itself in "System Volume
Information" while operating within the OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
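The point above, that System Restore keeps dormant copies of executables under "System Volume Information\_restore...", is something a responder can check for directly. The script below is an added example, not code from anyone in this thread: it walks a restore-point tree, hashes every cached executable and flags the ones whose SHA-256 is on a known-bad list. The `_restore{GUID}/RP###/A00xxxxx.ext` layout is the Windows XP convention as I know it; the directory names, file bytes and the "known bad" hash are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions System Restore caches copies of; an assumption for the demo,
# not an exhaustive list of what the OS tracks.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}
RP_DIR = re.compile(r"^RP\d+$")   # restore-point folders look like RP12


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_restore_cache(svi_root: Path, known_bad: set) -> list:
    """Walk <svi_root>/_restore*/RP*/ and return one record per cached
    executable copy, flagged when its SHA-256 is in known_bad."""
    findings = []
    for restore_dir in sorted(svi_root.glob("_restore*")):
        for rp in sorted(restore_dir.iterdir()):
            if not (rp.is_dir() and RP_DIR.match(rp.name)):
                continue
            for f in sorted(rp.iterdir()):
                if f.is_file() and f.suffix.lower() in EXEC_SUFFIXES:
                    digest = sha256_file(f)
                    findings.append({"restore_point": rp.name, "file": f.name,
                                     "sha256": digest, "known_bad": digest in known_bad})
    return findings


def demo() -> list:
    """Build a constructed restore-point tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp()) / "System Volume Information"
    rp = root / "_restore{DEMO-GUID}" / "RP12"       # constructed names
    rp.mkdir(parents=True)
    bad = b"constructed sample standing in for a dropped DLL body"
    (rp / "A0001234.dll").write_bytes(bad)            # dormant copy of the dropped DLL
    (rp / "A0001235.exe").write_bytes(b"benign demo program bytes")
    (rp / "change.log").write_bytes(b"not an executable, must be skipped")
    known_bad = {hashlib.sha256(bad).hexdigest()}     # stands in for a vendor hash feed
    return scan_restore_cache(root, known_bad)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

On a live system the scan has to run from an account that can read "System Volume Information" (Administrator or SYSTEM), which is the same permission gap that lets the cached copies survive a normal scan.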


From: David Kaye on

Please stop this nonsense already. I got the answers I needed. All you're
doing is making yourselves look like fools.

From: John Slade on
On 8/1/2010 6:57 PM, FromTheRafters wrote:
> "John Slade"<hhitman86(a)pacbell.net> wrote in message
> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> [...]
>
>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?
>
>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.
>
> Because he understands true viruses, he knows that they don't need to hide
> themselves in folders.
>
> I don't think he would have said what he said if you had said worms, or
> malware, instead of viruses.

Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.

John