# Viruses, Trojans and SPAM/Scam watch [Archived].

Discussion started by Xerxes, Feb 5, 2003.

Actually, M$'s use of RESTORE has been a problem many a time; you just have to note that when you eventually get to the place where Restore can be turned off. Although all the other boxes are boolean, with the use of a cross for making it so and a blank box as default, the Restore box uses a cross and a tick. This means that you have to get it to be a TICK for it to disable, not a cross. (Many people have had problems, I guess, due to the M$ mix-up with box coding.)

Restore is used by the system to take "Snapshots" of your system, and allow you to on occasion "Restore" when you need to roll back your system to a previous setup.

This might be handy to a novice, but to some it's just a pure pain in the butt. Viruses are regularly trapped in the RESTORE folder hierarchy, and due to the nature of the restore function they cannot be deleted (unless RESTORE is disabled).

RESTORE also notably consumes hard drive space, since it seems that it's always taking snapshots and is not very intelligent at deleting old backups.

A machine running for a year can eat over 500 MB with just the restore folder.

Personally I disable it and delete the folder to regain space. It does mean I run the risk the system could go down badly, but my antivirus program is happy.

Bugger! My restore has been off nearly two weeks!!!

It's been a while, but a newish one has caught my attention (probably because every address at vt.edu seemed to be sending it to me, which is odd since the virus has been designed not to attack .edu).

The virus in question is an I-worm called "Novarg", or "MyDoom"; it's been spreading like wildfire, and I've had about 90 copies sent to me in the past couple of hours.

The virus/trojan is a regular Swiss Army knife, in the sense that it can spread through Kazaa, search for e-mail addresses in specific files and send itself off to infect more machines. The intention of the virus is focused at www.SCO.com, where on the 1st of February it will attempt to DoS attack that site every 1024 milliseconds (I guess based on CPU speed). It also creates a trojan server that will listen on a particular port range.

However, on the bright side, it seems to be a kamikaze virus, in the sense that it will stop spreading on the 12th of February (however any system exposed, I guess, will still have the backdoor in it).

Thanks Stryder for that info. Something tried to come in via my daughter's setup only yesterday, but Norton caught it cold and killed it.

And I'm running Win98, I have a D-Link router, I recently switched to the Opera7 browser and now I'm stuck with this fuckin W32.Klez.H@mm virus,...

I ran the tool in safe mode just as the Symantec website tells me to and nothing,...it didn't even detect it, while minutes before,...my F-Prot DID detect W32.Klez.H@mm in a mail that was linked somehow with the Opera browser,...

So if you would like to post a way for me to delete the entry in the registry I would be very grateful to you! (Unlike most of you guys, I'm not a programmer, I don't even know HTML.)

I know I have the virus, 'cause it sends itself to spam addresses,...so funny this is,...I get no-return messages from these fake e-mail addresses,..

Anyway,...W32.Klez.H@mm is bugging me and other people around the world,...I think NONE of the security companies is doing enough, and neither do governments around the world, to prevent the spam msgs it was sent with in the first place,...

Is this a trick to hook people to a security platform,...to force them to BUY a virus scanner,...they promise a lot,...but when it comes down to it,...we are left to the viruses that swarm the net.

Also: McSoft DOES offer a spam blocker,...which does work,...it separates this stupid spam from the rest of my mails,...but the trial has ended,...so now I wonder if they try to hook them to their software this way,...

Anyway: I would be much obliged, Zion or Stryder,...if you could help me out here (W32.Klez.H@mm).

Thx,
Fukushi

Boy, if I had been following zion's advice, I would have been in deep doodoo numerous times, as Avast antivirus software has caught many viruses trying to enter my system from email and downloaded files over the last year or so.

I am very happy with Avast, using it for more than a year, free of charge for non-commercial use. You can get it at http://www.avast.com/i_idt_1016.html

According to Avast's web site, http://www.avast.com/i_idt_1.html , the current version detects and deletes W32.Klez.H@mm as well as some variants of it.

Hey, Stryder! According to numerous sites on the web, dictionaries, encyclopedias, etc. "virii" is not a word. "Viruses" is the plural of virus. Having that non-word in the title of this thread has bugged me for a while now.

All in all though, I appreciate the work you've put into helping others with their machines here, Stryder. Keep it up and thanks!

McAfee or Symantec have a downloadable killer online, so do CNET I think.

Mr Chips,

I admonish people against using anti-virus software because of my own personal experiences. I am a legal user of Norton for so many years. I bought the software for $69 as far as I can remember. Being a man of rectitude (I was... believe it or not), I used it scrupulously for years. But it was useless. The system scan virtually took all the resources, but it was a trade-off for bastion-like security. Anyway, when Melissa was released, my system sucked up. Norton couldn't delete the virus while in quarantine. The computer stopped working after one boot and logon. This incident happened after my system got infected with another worm. This is because when a new virus is released, its patch comes up only after a while; in the meanwhile the virus sucks the whole damn system and this imbecile s/w is unable to even detect the virus.

bye!

Mr. Chips
Actually, Virii has been discussed before and pointed out as not being a word, although the English language constantly has new words added to it through popular use. This means that albeit now there is no such word, there could very well be in the future. However, thanks for trying to correct my previous error.

As for the current state of the world:
Admittedly there are lots of things that virus companies could do around the world; take for instance the US, where there was the originally proposed "firewalling of the whole country", which people fought because they believed it would inhibit their freedom of speech and undermine their "privacy".

The current infestations however could be slowed up if Anti-Virus companies were to place their software on the "gateways" in and out of the differing countries on the planet. For instance there is an Atlantic Fibre connection from the UK to the US, which Europe does use to connect through.

It would be possible to place anti-virus software on both ends of this connection, which would have the ability to communicate with each other. The reason for the communication is that it can block before it goes through to the other country, and potentially capture anything incoming that was missed by the other side.

Although the problem here is that anti-virus companies wouldn't want to generate this methodology of stopping viruses spreading between companies because they want to capitalise on your systems suffering from the infestations. This is why nobody does anything to prevent the viruses from spreading. (If this was an airborne virus in the real world, airports and roads would be closed to contain it from spreading.)

This would stop virus infestation and potential DoS attacks. For instance the MyDoom one intends to attack SCO.com tomorrow, however all the infected systems in the UK could potentially be stopped from sending DoS attempts through the Atlantic Fibre.

Another method of stopping those attacks involves the use of CACHES at ISPs, which has been increasing over the years. This means that the ISP deals with the requests for the attacked site and serves CACHED pages rather than actually directing them to the site.

Lastly you have to realise the original nature of the internet was to give "freedom" to all those that had access to it, this is why certain countries try their best to stop the common everyday man from having use of it, because they might feel "freedom" undermines their Dictatorship.

This "Freedom" has come at a cost of having no form of "Universal" policing on the internet. It's all very well for different countries to pass different laws, but what the internet would truly need is a system that is a global one, and would not be undermined by a singular government.

The nearest things currently in this world would be Interpol and the UN, although neither have been followed 100% of the time by other countries who have their own agendas.

To all,

Norton AV sucks donkey dick! Like some have said, it takes too long to do a scan, consumes way too much of the processor time, and simply blows at detecting, much less deleting, viruses. Take a look at Hauri ViRobot (goofy name, I know). It is superior to any better-known AV software in every way. Quick scans, low overhead, and fantastic at actually fixing the computer after an infection. I use it, and all of the machines I build have it loaded. No problems yet. BTW, it is from South Korea. It's pretty big over there in Asia, but catching on fast here in the US. If you do purchase, get it from the HauriUSA site. I mistakenly once purchased from the Korean site. They never sent it and their customer service is severely crappy.

I watched a virus infestation occur first hand that gave an explanation to why some anti-virus companies just can't seem to deal with new strains.

What occurred was this: I have two people that I talk to via e-mail, both of them involved in a project. One is the owner of the e-mail boxes and is in Germany; the other is an Australian who has been given one of the e-mail boxes.

I started getting some rather bizarre e-mails with attachments that went along the lines of:

Code:
    Your computer has been detected outputting a virus, please use this free
    anti-viral removing tool for security use this password "111751" with the attached

At the time I was using a Swiss/Austrian Anti-virus package that didn't detect what the payload was, but investigating the e-mail headers I found that it originated from an Australian IP address and contained a header of the domain name the German guy owns.

This made me realise that the German guy allowing an Australian an e-mail box was helping to propagate a virus that seems to be in the South Pacific (Australia).
It meant that although the Australian anti-virus firms probably had it identified, the European ones hadn't yet.

I'm sure eventually the anti-virus firms catch up (after a couple of days) but by then the virus is out in the wild.

As mentioned in my previous post on this thread, all the firms have to do is create antivirus packet watching at the main bandwidth points in and out of countries (notably the smaller islands would be easier than continents, but it would slow the spread if not halt the spread of viruses).

It's much easier than that, Stryder. All we need is authentication.

Oh, and you might want to add authentication to your almanac. Keep up the good work.
~cheers

I switched to Avast and haven't got any troubles anymore; Norton or McAfee both suck ass indeed.

How do you mean by authentication?

I ask because it doesn't matter if you authenticate what you send, especially if it's in plain text: the overall message could be "temporarily stored" on a proxy, in which time a process could cut it into pieces, add a payload, put it all together and resend without the destination being any the wiser.

You could say that you could send an MD5 string representing some information about the message length, but again it can be altered since MD5 is in widespread use.

Perhaps you mean a handshake form, where the person you are sending the message to has to be able to accept it when they are questioned to accept. The point here is that you end up with a P2P method of shifting a mail between the systems, and as proven by IRC and the many worms/viruses that exist on it, it doesn't necessarily work.

You could place everybody's e-mails into their own privatised encrypted format, with their own identity key used in the decryption process. However, many of the governments around 1999 passed a lot of laws to deal with encryption on the internet. (If I remember correctly the US government was allowed to place spyware on people's computers, and the UK government would only be happy if people gave them their encryption keys if asked for them.)

Originally I think the focus was quietly on terrorism networks and how they shift information about; however there are so many different ways to hide messages and encrypt them that spying is bound to be the only sure source of getting an unencoded/unhidden format.

[I'm not going to list methods of how to hide things]

The only real sure method of catching viruses that spread is to place ISP firewall/Anti-virus scans on every connection. However you can guess that would be costly.
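Editor's added example, not from any poster in the thread, illustrating the point made above about MD5: an unkeyed digest sent alongside a message proves nothing about who produced it, because whoever can alter the message can recompute the digest. A keyed MAC (HMAC here, with a key the two mail systems are assumed to share out of band) is what actually ties the digest to the sender. The message, key and relay behaviour are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message and key; neither appears in the thread.
MESSAGE = b"Subject: project update\r\n\r\nPlease review the attached notes."
SHARED_KEY = b"example-shared-secret"  # assumption: agreed out of band by both mail systems


def bare_md5_tag(message: bytes) -> str:
    """The scheme described in the thread: an unkeyed MD5 digest sent with the message."""
    return hashlib.md5(message).hexdigest()


def verify_bare_md5(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(bare_md5_tag(message), tag)


def keyed_tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the message; only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(message: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(message, key), tag)


def relay_modifies(message: bytes) -> bytes:
    """Stand-in for the intermediate proxy from the thread that rewrites a stored message."""
    return message + b"\r\n[text appended in transit]"


def compare_schemes() -> dict:
    """Run both schemes through the same modifying relay and report what the receiver sees."""
    altered = relay_modifies(MESSAGE)

    # Unkeyed digest: the relay recomputes MD5 over the altered message and the
    # receiver's check passes even though the content changed.
    relay_tag = bare_md5_tag(altered)
    bare_md5_accepts_altered = verify_bare_md5(altered, relay_tag)

    # Keyed digest: the genuine tag no longer matches the altered message, and a
    # tag computed with anything but the shared key is rejected too.
    genuine_tag = keyed_tag(MESSAGE, SHARED_KEY)
    hmac_accepts_genuine = verify_keyed(MESSAGE, SHARED_KEY, genuine_tag)
    hmac_accepts_altered = verify_keyed(altered, SHARED_KEY, genuine_tag)
    relay_guess = keyed_tag(altered, b"not-the-shared-key")
    hmac_accepts_relay_tag = verify_keyed(altered, SHARED_KEY, relay_guess)

    return {
        "bare_md5_accepts_altered": bare_md5_accepts_altered,  # True: no protection at all
        "hmac_accepts_genuine": hmac_accepts_genuine,          # True
        "hmac_accepts_altered": hmac_accepts_altered,          # False
        "hmac_accepts_relay_tag": hmac_accepts_relay_tag,      # False
    }


if __name__ == "__main__":
    for name, outcome in compare_schemes().items():
        print(f"{name}: {outcome}")
```

The receiver compares tags with `hmac.compare_digest` in both cases so the comparison time does not leak how many leading characters matched; the difference between the two schemes is only whether a key enters the computation.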

Stryder,

The following is from an article that MIKE MULLINS from Tech Republic wrote. Seems simple to me.

"SMTP authentication

The industry is reviewing SMTP authentication as a means to combat the global spam problem. Modifying the SMTP protocol to allow e-mail servers to confirm that a message arriving from somecompany.com actually came from the somecompany.com mail server would practically eliminate worms and viruses transmitted via e-mail.

The reasoning is simple. The most successful e-mail worms use their own SMTP servers as a reliable and fast method for distribution.

Worm authors spoof addresses of legitimate servers to avoid detection and prosecution. If SMTP servers authenticated the traffic, they would easily reject spoofed traffic and log a visible trail right back to the author. "

What do you think?
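Editor's added example, not from the thread or the quoted article, of the check the article describes: at MAIL FROM time the receiving server asks whether the connecting IP is one the sender's domain has authorized, and rejects the message otherwise. The authorization table is hard-coded and constructed so the example runs offline; a real deployment publishes and looks up that information in DNS (the SPF mechanism does exactly this). The domains and addresses are documentation values, not real hosts.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed authorization table (assumption: in practice this comes from DNS records
# published by each domain; here it is hard-coded so the example runs offline).
AUTHORIZED_SENDERS: Dict[str, List[str]] = {
    "somecompany.com": ["192.0.2.0/24", "198.51.100.25/32"],
    "example.org": ["203.0.113.0/26"],
}


def sender_domain(envelope_from: str) -> str:
    """Domain part of the SMTP MAIL FROM address, lower-cased; '' for the null sender <>."""
    address = envelope_from.strip().strip("<>")
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def check_sender(envelope_from: str, client_ip: str) -> str:
    """'pass' if the connecting host is authorized for the sender's domain,
    'fail' if the domain publishes a policy that excludes it, 'none' if no policy exists."""
    domain = sender_domain(envelope_from)
    networks = AUTHORIZED_SENDERS.get(domain)
    if networks is None:
        return "none"
    address = ipaddress.ip_address(client_ip)
    for network in networks:
        if address in ipaddress.ip_network(network):
            return "pass"
    return "fail"


def smtp_decision(envelope_from: str, client_ip: str) -> Tuple[int, str]:
    """SMTP reply the receiving server gives at MAIL FROM time."""
    verdict = check_sender(envelope_from, client_ip)
    if verdict == "fail":
        return 550, f"5.7.1 {client_ip} is not an authorized mail server for {sender_domain(envelope_from)}"
    return 250, f"2.1.0 Sender ok (sender authentication: {verdict})"


def log_line(envelope_from: str, client_ip: str) -> str:
    """The 'visible trail' the article mentions: one line per attempt, with the verdict."""
    code, text = smtp_decision(envelope_from, client_ip)
    return f"client={client_ip} from={envelope_from} auth={check_sender(envelope_from, client_ip)} reply={code} {text}"


if __name__ == "__main__":
    # Constructed attempts: a genuine server, a worm-style host claiming the same
    # domain from an unauthorized address, and a domain with no policy at all.
    for attempt in [("<bob@somecompany.com>", "192.0.2.17"),
                    ("<bob@somecompany.com>", "203.0.113.200"),
                    ("<alice@nopolicy.test>", "192.0.2.17")]:
        print(log_line(*attempt))
```

Note what the check binds: the connecting address to the envelope domain's policy, nothing more. A "pass" says the message came from a host the domain authorized, not that its content is safe, and a "none" result (no policy published) leaves the server with nothing to enforce, which is why the benefit depends on domains actually publishing their records.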

I've gotten 9 emails all with the same w32.netsky.D@mm virus in the last 10 days. They all read to be from completely different email addresses at different domains. Blocking either of those won't help. These are too random to block... Might as well block everything. Plus it seems they are using my email address to send the virus out also.

The thing is they all come from the same IP address. (appear to at least)

Now that is what we need. A way to block out IP addresses. If these people could be easily shut out maybe just maybe..... (Aw never mind... they'd probably just find some other thing to mess with and screw up)

Btw: That is my task for the day. Does anyone know how to do that -- block an IP that is?

To block one? Yes, that is somehow possible. But it also depends on the provider and your e-mail program. I simply have an option for it, just take a look. I can just enter the IP from which I no longer want to receive mails at my provider user settings.

(hehe, you could also try to kill off the computer when you got the IP and it is not secure enough.)
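Editor's added example, not from any poster, covering two things discussed in this thread: reading the Received headers of a message to find where it actually entered the mail system (the header investigation described in the Australian/German e-mail box post), and checking that originating address against a block list (what the poster above wants to do with the repeated NetSky senders). The message, its hosts and the block list are all constructed from documentation address ranges.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample message (documentation addresses; not a capture from the thread).
SAMPLE_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123
\tfor <me@recipient.example>; Mon, 01 Mar 2004 10:02:11 +0000
Received: from germanowner.example (unknown [203.0.113.42])
\tby mx-in.example.net with SMTP id DEF456; Mon, 01 Mar 2004 10:02:09 +0000
From: "Support" <support@germanowner.example>
To: me@recipient.example
Subject: free anti-viral removing tool

Your computer has been detected outputting a virus.
"""

# Constructed block list of the kind the poster above wants to maintain.
BLOCKED_NETWORKS = ["203.0.113.0/24"]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg: Message) -> List[str]:
    """IPs recorded by each relay, newest hop first (the order Received headers are stacked)."""
    ips = []
    for header in msg.get_all("Received", []):
        match = _BRACKETED_IP.search(str(header))
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(msg: Message) -> Optional[str]:
    """Oldest hop, i.e. the host that first handed the message to a relay; None if untraceable."""
    hops = received_ips(msg)
    return hops[-1] if hops else None


def claimed_domain(msg: Message) -> str:
    """Domain the From: header claims; this is whatever the sending software chose to write."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_blocked(ip: str, networks: List[str]) -> bool:
    """True if the address falls inside any network on the block list."""
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(net) for net in networks)


def triage(raw_message: str, networks: List[str]) -> Dict[str, object]:
    """Summarise the trace: every hop, the entry point, the claimed sender domain, block verdict."""
    msg = message_from_string(raw_message)
    origin = originating_ip(msg)
    return {
        "hops": received_ips(msg),
        "origin": origin,
        "claimed_domain": claimed_domain(msg),
        "blocked": origin is not None and is_blocked(origin, networks),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE, BLOCKED_NETWORKS).items():
        print(f"{key}: {value}")
```

One caveat for anyone doing this by hand: only the topmost Received line, written by your own provider's server, is something you saw being added. Every line below it arrived as part of the message and could have been written by the sending software, so the "origin" is the best reading of the trace, not proof, and blocking by that address catches the one infected machine rather than the worm.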

Yes, since I have their IP I suppose I could really play havoc with their system. I'd never do it and don't know how anyway.

Besides, it's just somebody that got this virus and doesn't know it. I would like to know why they have my email addy on their computer. This email address is only 2 weeks old.

I wish I had their email so I could tell them they have a virus and to please remove it.