From: David H. Lipman on 13 Sep 2009 21:55

From: "JClark" <jclark(a)nomail.invalid>

| That's what I want to think. Avira doesn't even list python in its
| virus list. But the McAfee description just uses the word "python" to
| describe all the bad stuff. Really scary. Take a look at the link:
| http://vil.nai.com/vil/content/v_994.htm
| I do appreciate your thoughts on this and former topics.
| Jack

And it discusses an ~15 year old file infecting virus. A true virus.

But what's in a name? Take the Jerusalem virus. Are you going to connect the city with a virus? No.

Pure coincidence of the Python virus vs. the Python interpreter. Nothing more, nothing less. Please don't try to connect the two.

Then there's Monty Python. OMG they may have a viral video { LOL }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: "nobody >" on 13 Sep 2009 21:59

JClark wrote:
> On Sun, 13 Sep 2009 17:42:50 -0400, "FromTheRafters"
> <erratic(a)nomail.afraid.org> wrote:
>
>> "JClark" <jclark(a)nomail.invalid> wrote in message
>> news:6joqa59bm3j56nor5b8ek1jj8s1kha76s8(a)4ax.com...
>>> I have conflicting reports on Python.
>>>
>>> According to McAfee:
>>>
>>> http://vil.nai.com/vil/content/v_994.htm
>>>
>>> "Python is a polymorphic, stealth, file infecting virus. It infects
>>> .COM and .EXE files, including COMMAND.COM.
>>>
>>> Upon infection, this virus may become memory resident at the top of
>>> system memory but below the 640K DOS boundary."
>>> McAfee goes on to describe all the bad things it does.
>>>
>>> But.... there are other reports:
>>>
>>> Python is just a programming language:
>>>
>>> http://www.python.org/doc/faq/installed/
>>>
>>> Or another source says it's a great language for writing viruses (nice
>>> guy):
>>>
>>> http://vx.netlux.org/lib/vvx00.html
>>>
>>> In my own computer, a search for "python" brings up instances within
>>> Roxio, Cyberlink-PowerDVD9, and Pinnacle Studio 12. There is a whole
>>> subfolder "Python" under Roxio (c:\program files\common files\roxio
>>> shared\media share 101\)
>>>
>>> Are these just innocent dll's and xml's? Or viruses? If they are
>>> viruses why did not my antivirus programs find and remove them (Avira
>>> and AVG)?
>>>
>>> Many thanks for any clarification of my confusion, and for any
>>> suggestions about what, if anything, I should do.
>>
>> "Python" by itself is not a proper malware name. Sometimes, a malware
>> (especially a virus) is named similarly to the programming language used
>> to create it (for instance "delf"). Just because a program was written
>> in such a language doesn't mean it is malware.
>>
> That's what I want to think. Avira doesn't even list python in its
> virus list. But the McAfee description just uses the word "python" to
> describe all the bad stuff. Really scary.
> Take a look at the link:
>
> http://vil.nai.com/vil/content/v_994.htm
>
> I do appreciate your thoughts on this and former topics.
>
> Jack

From that webpage: "The Python virus was received in December, 1994"

I vaguely remember having dealt with it "back in DOS days", but under a different name. I'm pretty sure that any AV program worth beans has had this one hardwired in since day 1.
From: David W. Hodgins on 13 Sep 2009 22:39

On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jclark(a)nomail.invalid> wrote:

> Many thanks for your input. The McAfee description keeps repeating the
> simple word "python" which makes it so worrisome.

According to McAfee, they gave the virus that name because the decrypted virus contains that word in text format. The word python is not used in the file name(s).

What led you to the McAfee site about this ancient virus?

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for use in usenet.
Feel free to use it yourself.)
From: JClark on 14 Sep 2009 18:06

On Sun, 13 Sep 2009 22:39:59 -0400, "David W. Hodgins" <dwhodgins(a)nomail.afraid.org> wrote:

>On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jclark(a)nomail.invalid> wrote:
>
>> Many thanks for your input. The McAfee description keeps repeating the
>> simple word "python" which makes it so worrisome.
>
>According to McAfee, they gave the virus that name because the decrypted
>virus contains that word in text format. The word python is not used
>in the file name(s).
>
>What led you to the McAfee site about this ancient virus?
>
>Regards, Dave Hodgins

Hi Dave,

The McAfee site popped up on a Google search by my son, who has become a bit obsessed, I fear, about the security of his computer. But I'm not virus knowledgeable enough to refute his fears.

I posted details of this situation in this group on August 25
Message-ID: <c3l7951gr0vcod4mc414nmvc9asumtcm97(a)4ax.com>

Since then he's stopped using the Dell laptop and I put together a desktop system for him, doing the same things I did for the Dell: short and flash the BIOS, wipe the HD with WipeDrive in DOS, partition with FDISK, format as NTFS and reinstall Windows XP. But he's searching all over the drive, finding scripts, dlls with funny lines in them, the WMI jargon regarding "impersonate" etc. He finds things he thinks are viruses. Even though I put the premium version of Avira on the system and ran a full system check before taking it over to him. He has Online Armor full version firewall. I also put a Linksys router between his new cable modem (changed the default router password.)

He sent me some files he's worried about tonight:

1. a DCOM log from wbemprox.log

(Mon Sep 14 13:07:37 2009.81109) : Using the principal -RPCSS/asuscf-
(Mon Sep 14 13:07:42 2009.86500) : Using the principal -RPCSS/asuscf-
(Mon Sep 14 13:07:42 2009.86562) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x0
many more lines

2. Framework log (GLUE-1)
Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting) 09/01/2009 15:02:38.265 thread:864 [d:\xpsprtm\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]

3. A long script from pickletester, which I won't copy here.

4. httpserver.py etc etc

Dave, I appreciate your help or any suggestions. Again, I'm having a hard time believing there is any threat in this new system, but although I am reasonably computer literate, I'm virus-ignorant.

Jack
From: JClark on 14 Sep 2009 18:40
On Mon, 14 Sep 2009 18:06:25 -0400, JClark <jclark(a)nomail.invalid> wrote:

>On Sun, 13 Sep 2009 22:39:59 -0400, "David W. Hodgins"
><dwhodgins(a)nomail.afraid.org> wrote:
>
>>On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jclark(a)nomail.invalid> wrote:
>>
>>> Many thanks for your input. The McAfee description keeps repeating the
>>> simple word "python" which makes it so worrisome.
>>
>>According to McAfee, they gave the virus that name because the decrypted
>>virus contains that word in text format. The word python is not used
>>in the file name(s).
>>
>>What led you to the McAfee site about this ancient virus?
>>
>>Regards, Dave Hodgins
>
>Hi Dave,
>
>The McAfee site popped up on a Google search by my son, who has become
>a bit obsessed, I fear, about the security of his computer. But I'm
>not virus knowledgeable enough to refute his fears.
>
>I posted details of this situation in this group on August 25
>Message-ID: <c3l7951gr0vcod4mc414nmvc9asumtcm97(a)4ax.com>
>
>Since then he's stopped using the Dell laptop and I put together a
>desktop system for him, doing the same things I did for the Dell:
>short and flash the BIOS, wipe the HD with WipeDrive in DOS, partition
>with FDISK, format as NTFS and reinstall Windows XP. But he's
>searching all over the drive, finding scripts, dlls with funny lines
>in them, the WMI jargon regarding "impersonate" etc. He finds things
>he thinks are viruses. Even though I put the premium version of Avira
>on the system and ran a full system check before taking it over to
>him. He has Online Armor full version firewall. I also put a Linksys
>router between his new cable modem (changed the default router
>password.)
>
>He sent me some files he's worried about tonight:
>
>1. a DCOM log from wbemprox.log
>
>(Mon Sep 14 13:07:37 2009.81109) : Using the principal -RPCSS/asuscf-
>(Mon Sep 14 13:07:42 2009.86500) : Using the principal -RPCSS/asuscf-
>(Mon Sep 14 13:07:42 2009.86562) : ConnectViaDCOM, CoCreateInstanceEx
>resulted in hr = 0x0
>many more lines
>
>2. Framework log (GLUE-1)
> Login Warning - provider with that name already existed, overridden
>with latest provider login
>(root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting)
>09/01/2009 15:02:38.265 thread:864
>[d:\xpsprtm\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]
>
>3. A long script from pickletester, which I won't copy here.
>
>4. httpserver.py etc etc
>
>Dave, I appreciate your help or any suggestions. Again, I'm having a
>hard time believing there is any threat in this new system, but
>although I am reasonably computer literate, I'm virus-ignorant.
>
>Jack
>

Here's a recent transmission from my son, with his concerns. Again, I don't know enough to tell him he's over his head: (Apologies for caps, his original email)

PLEASE SEE ATTACHED. YES IT DOES HAVE AN ANTIVIRUS "MUK" PROGRAM. YES, IT WRITES A FILE THAT MAKES BACKUPS AND RESTORES USELESS. ONE EASY TEST FOR YOUR PC.... "UNLOCK" TASK BAR, AUTOHIDE IT, THEN REBOOT A FEW TIMES. YOU WILL DEFAULT TO LOCKED UNHIDDEN. IT HAS TROUBLE EXACTLY MIRRORING THE NUANCES EACH WIN VER - NT 2K 98 XP AND I ASSUME VISTA. LIKELY WHY YOUR VIEW AS LIST REGEDIT DID NOT TAKE...

DEAREST FATHER: I THINK THIS WILL ASSURE YOU THAT I AM ON A "REDIRECTED MIRROR/SHELL SITE". AND NOT THE RR SITE. EVENTUALLY THIS PC WILL HAVE THE FATE OF MY LAPTOP. I HAVE EXPERIENCED THIS FOR MONTHS AND IT IS HARD TO ITERATE ITS COMPLEXITY. I FOUND 100'S OF HIDDEN FILES ON THE NEW PC WITH "JEFF C. LAPTOP" DIRECTORIES ... IN UNNAMED SUB DIRECTORIES. I ASSUME THAT IS WHERE THE INFECTION ORIGINATED. YOU LIKELY (AND UNDERSTANDABLY) USED SOME OLD SOFTWARE ... OPEN OFFICE PERHAPS. WE LIKELY HAVE SCREEN READERS... SO ...BE CAUTIOUS WITH PERSONAL AND FINANCIAL STUFF. U USE AN AX CARD FOR ARMOUR? U MAY WANT 2 CHANGE THE NUMBER.

I FOUND THE BELOW EVIDENCE (IT HAS BEEN HARD, BECAUSE SHELL BLOCKS U OUT OF THE EVIDENCE), U FIND THIS BY RUNNING "IN NETWORK CONNECTIONS" (FOUND IN THE CONTROL PANEL) IN SAFE MODE WITHOUT INTERNET CABLE PLUGGED IN (IF YOU HAVE NO "ONBOARD WIRELESS"). THE FIELD IS STILL "SHELLED" BUT YOU CAN BREAK IT BY CHANGING THE DISPLAY OF MONITOR, IE: RED WITH ALL THE OPTIONS ..THEN OPEN UP A FEW MEDIA PLAYERS (U MAY WANT TO CHECK FOR PYTHONS .. I BELIEVE THEY ARE **PY.LNK IN THE DORMANT STATE). THEN CLICK ON THE PROPERTY'S OBJECT SEVERAL TIMES, CUT/SELECT ALL EVEN IF YOU SEE NOTHING. PLEASE SEE BELOW:

!@! I JUST GOT A "PICKLE" IN THIS DOCUMENT ... IT WAS A VERY LIGHT ABERRATION IN BETWEEN A WORD. I COULD NOT CUT AND PASTE IT. .... I CHECKED THE FILE SIZE FROM THE BACK UP AND THE FILE WAS ABOUT 1500 KB BIGGER... GUESS I SAW IT BECAUSE I HAVE THE DISPLAY SO MESSED UP... I AM TENACIOUSLY BACKING UP. COINCIDENTALLY MY EVIDENCE GETS CHANGED OR DISAPPEARS. THUS, I WAS WORRIED ABOUT MY MENTAL HEALTH!

MIRROR SITE FROM "IN NETWORK CONNECTIONS"
1) ADDRESS/URL: MS-ITS:C:\WINDOWS\Help\netcfg.chm::/EXEC=,control.exe, netconnections CHM=ntshared.chm FILE=alt_url_windows_component.htm
2) GENERAL: EXEC=,control.exe, netconnections CHM=ntshared.chm FILE=alt_url_windows_component.htm

THIS IS FROM MY "BROWSER ADDRESS BOX"
1) REDIRECT (UNVERIFIED, JUST LOOK) TO A FAKE MS SITE: http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=home

FINALLY, I HOPE TO GET ON-LINE AND ASK OPEN OFFICE ABOUT THEIR SOFTWARE PLATFORM. IN THE INTERIM, AND IF YOU HAVE THE INTEREST, MY "PYTHON FOLDER" HAS AN ENTIRE TEST SITE. IT IS ONE \ FOLDER UNDER THE PYTHON FOLDER. THE PROGRAMS ARE "INFANTS" AND HAVE CODE EXPLANATIONS. OBVIOUSLY, THE INF, COM, HML, ARE EASIER TO READ; BUT THE DLL HAVE SOME MEAT. READ THE BOTTOM OF THE DLL FIRST. I AM PRETTY SURE YOU HAVE THE VIRUS.

SORRY, I KNOW YOU WERE TRYING TO HELP AND THE TENACITY OF THE BUG IS AMAZING... GIVE ME A CALL THIS WEEK AND TELL ME IF I NEED A STRAIGHT JACKET.

--
JC

PS: I COULD GO ON FOR HOURS... IT LIKES TO PICKLE IMAGES, RECORDINGS, ETC. I THINK IT IS EASIER. IT HAS A PREFERENCES PROGRAM TO TRACK YOU...IT DOES HAVE CODE THAT IMPERSONATES REGISTRATION OF SOFTWARE, LOG ONS, ETC. IT ALSO HIDES BY CALLING A RESPECTABLE PROGRAM WHICH IN TURN CALLS A PYTHON SYSTEM PROGRAM (USUALLY HAS A *32* OR *NT32*). IT USES THE WMI NAMESPACE, REMOTE ACCESS - EARLY ON IT MAKES WINXP (OR YOUR OS) THINK YOU ARE ASKING FOR HELP FROM THE ABOVE SITE. IT REQUESTS FROM YOUR COMPUTER REMOTE ASSISTANCE. ONCE THAT IS DONE IT IS OVER. IT DOWNLOADS A SERIES OF PROGRAMS, MAINLY DLLS RAN AS APPS .. I CAN PRETTY MUCH LIST THE PROGRESSION FOR YOU ..MSVCRT (MAKE PROXY MIRROR CONNECTION) REGVR32 (REGEDIT OR SERVER I FORGET) ADVAPI32...RPCRT4 (?).. USER32 ...GDI32.. OLE32, HIMENG, ACGINARL, WINMA (?) .. OLEAVT32... SACM32......AND SO ON. EVENTUALLY YOUR ENTIRE OS IS NT32 WITH A WINXP/98/ETC SHELL AND ...............YOU ARE NO LONGER IN KANSAS DOROTHY..........

I have no idea what all of this means, if anything. Again, I appreciate any advice the group can give me.

Jack