From: "FromTheRafters" erratic on
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

[...]

>>> I don't know why you would find it funny because a virus writer will use
>>> anything to hide a virus. What smarter way is to hide them in each and
>>> every folder in "system volume information"?

> I didn't know Dustin Cook existed until he responded for you. But I've
> been reading some in alt.comp.viruses and I find it well...interesting...
> If he wrote viruses then he more than anyone should know that what I said
> happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.

I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Some malware sorta infests the "System Volume Information" folder - what
actually happens is that when the AV requests deletion of a detected malware
file, the OS makes a copy and stores it there just in case you didn't
*really* want it deleted.


From: David H. Lipman on
From: "FromTheRafters" <erratic @nomail.afraid.org>

| "John Slade" <hhitman86(a)pacbell.net> wrote in message
| news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

| [...]

>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?

>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.

| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.

| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.


It doesn't really have to do with an anti malware application deleting a file. That's the
Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.

In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download an EXE or DLL and it
will be in the cache and reference the location of where it was in the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lies dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original location thus reviving them
from dormancy. However malware is not known to "hide" itself in "System Volume
Information" while operating within the OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: David Kaye on

Please stop this nonsense already. I got the answers I needed. All you're
doing is making yourselves look like fools.

From: John Slade on
On 8/1/2010 6:57 PM, FromTheRafters wrote:
> "John Slade"<hhitman86(a)pacbell.net> wrote in message
> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> [...]
>
>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?
>
>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.
>
> Because he understands true viruses, he knows that they don't need to hide
> themselves in folders.
>
> I don't think he would have said what he said if you had said worms, or
> malware, instead of viruses.

Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.

John

From: John Slade on
On 8/1/2010 7:13 PM, David H. Lipman wrote:
> From: "FromTheRafters"<erratic @nomail.afraid.org>
>
> | "John Slade"<hhitman86(a)pacbell.net> wrote in message
> | news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> | [...]
>
>>>>> I don't know why you would find it funny because a virus writer will use
>>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>>> every folder in "system volume information"?
>
>>> I didn't know Dustin Cook existed until he responded for you. But I've
>>> been reading some in alt.comp.viruses and I find it well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I said
>>> happened is indeed possible.
>
> | Because he understands true viruses, he knows that they don't need to hide
> | themselves in folders.
>
> | I don't think he would have said what he said if you had said worms, or
> | malware, instead of viruses.
>
> | Some malware sorta infests the "System Volume Information" folder - what
> | actually happens is that when the AV requests deletion of a detected malware
> | file, the OS makes a copy and stores it there just in case you didn't
> | *really* want it deleted.
>
>
> It doesn't really have to do with an anti malware application deleting a file. That's the
> Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.
>
> In this case the OS will take executable binaries and other OS related files and place
> copies in the System Restore Cache. All I have to do is download an EXE or DLL and it
> will be in the cache and reference the location of where it was in the OS. And it doesn't
> really infest the "System Volume Information\_restore" folder. It lies dormant in there
> until the user decides to restore a break point. Then it will take the executable binary
> and other OS related files and place them back in the original location thus reviving them
> from dormancy. However malware is not known to "hide" itself in "System Volume
> Information" while operating within the OS.
>

As far as you know, no malware writer used that method.
Nobody knows everything.

John