What is a bigger problem? Viruses or spyware?
ali1
April 18th, 2004, 02:04 AM
Hi.
I just came across a forum where someone claimed that spyware is a far bigger problem than viruses. This is what he says:
I find spyware is more of a problem than virii nowadays. The only virus I ever had was back before the Internet was popular, it killed my doublespace file and hence required a reformat of the HD... that was back when HD sizes were smaller than the average amount of memory now :-)
That makes me wonder which is really a bigger problem? Spyware, or viruses?
devpon
April 18th, 2004, 02:57 AM
I think the biggest problem is the end user. If more people would use a little common sense, many of the problems could at least be held to a minimum.
The Duck
April 18th, 2004, 03:29 AM
I agree with devpon, nowadays computer noobs have an irresistible urge to open every file attachment they get through email, even from people they don't even know, I don't know why, but it's true lol. So if you're a computer noob, then I'd say virii are by far more of a problem, but for people who know what happens when you download unknown file attachments I would have to say spyware is the bigger problem. So your question is pretty much answered, it all depends on what kind of computer user you are lol.
phishphreek
April 18th, 2004, 03:33 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737579) by devpon
I think the biggest problem is the end user. If more people would use a little common sense, many of the problems could at least be held to a minimum.
I second that.
However, I was reading an article the other day that makes me think that spyware may be a bigger problem. IMO- Most people have been bitten by a virus and learned from their mistake of not having antivirus.
Spyware is just annoying... and people don't really know about them as much as they do viruses.
The average computer is crammed with nearly 28 pieces of spyware, according to a report released this week by Atlanta-based ISP EarthLink and WebRoot Software, a message privacy and protection provider.
Over the three-month period from 1 January 2004 to 31 March, EarthLink's and WebRoot's spyware and adware detection software sniffed through over a million systems and found more than 29 million instances of spyware.
http://www.itnews.com.au/storycontent.asp?ID=9&Art_ID=19182
I've taken home people's PCs (people from work's home computers) and found that most of the time... there is more spyware than anything. They haven't a clue what it is. But, in most cases... these people had updated antivirus. I do send out emails stressing the importance of antivirus and warnings of new viruses and the like. I don't do the same for spyware...
grim_reaper1
April 18th, 2004, 03:49 AM
Newbies have what I call the 'click' syndrome. They love to just click click click on everything. I have worked on 10 computers in the past week, and all contained spyware and adware. There are several "free" programs available to help remove and prevent the installation of these threats. Some examples are: Spybot, Ad-aware, SpywareGuard, SpywareBlaster, Keylogger Hunter. But the most impressive program of all time bar none, and is free: COMMON SENSE.
If security is a huge issue as it is with myself, you may follow my choices, as I have never had a threat make it onto my box: Two Linksys routers (different models), ZoneAlarm Pro, Norton 2004, Sygate free, and all the above free anti-spyware and anti-adware programs. I update them every day, run them every day, and use common sense.
nihil
April 18th, 2004, 03:54 AM
I would say that spyware/adware is more likely to be a problem to private and home office users, particularly ones who are not clued up.
Viruses/worms are the greater problem to business/corporate users as they can be very disruptive and cost them serious money.
Remember that Corporations frequently have properly configured firewalls and block a lot of spam and non-business web access, and do not allow viewing of private e-mail accounts. This tends to reduce the exposure to spyware/adware.
On the other hand, they have a lot of machines, are bound to have their quota of id10ts, and tend to have their machines on longer than the average home user. They also run networks which allow network-aware stuff to spread rapidly.
Just a slightly different slant?
Cheers
The Duck
April 18th, 2004, 04:10 AM
Grim_reaper1, lol I like that term you used..."click syndrome" haha, I'm going to start using that one. Good analysis on the subject Nihil, I forgot all about the business/corporate world!! They definitely have it bad with virii.
grim_reaper1
April 18th, 2004, 04:22 AM
I must add two things to my previous statement.
1). Simply installing any of the above programs will not do. They must be configured properly.
2). I agree with nihil in that each domain (home/corporate) has its own advantages and disadvantages. Home users are more at risk for spyware and adware. Businesses are more at risk from DoS attacks through email exploits and viruses, and are breeding grounds for DDoS attacks as well.
!mitationRust
April 18th, 2004, 07:36 AM
Ask yourself this simple question....what will shut down your computer, destroy data & keep you off line in some cases?
But really, the original question is quite vague in its current state.
phishphreek
April 18th, 2004, 07:43 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737626) by !mitationRust
Ask yourself this simple question....what will shut down your computer, destroy data & keep you off line in some cases?
But really, the original question is quite vague in its current state.
I see your point.. but:
I've seen spyware keep a computer offline. In some cases I'd classify spyware as a virus.
I've had to completely reload systems that were FULL of spyware/adware.
Viruses shouldn't be a huge problem for corp systems. I haven't had a virus infection on my work network in over 2.5 years. The layered defense that I use works quite well. Scan all incoming mail, and norton corp. av on each of my clients updated daily... sometimes more than once a day.
I don't have a catch all for spyware/adware...
Speaking of which... are there corporate solutions for spyware/adware?
The Duck
April 18th, 2004, 08:14 AM
You guys are missing the point. The reason why we think spyware is a bigger problem than virii is because it is so much easier to defend against virii than it is against spyware. Spyware even fuels spam, and after all, spam is what we all hate the most right? lol ;)
b4s!l
April 18th, 2004, 08:25 AM
I never got a single virus in my lifetime of computers, because I know what to look out for and act smart. Even with the smartest thinking, Spyware gets on your computer (porn). ;)
!mitationRust
April 18th, 2004, 08:27 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737636) by The Duck
You guys are missing the point. The reason why we think spyware is a bigger problem than virii is because it is so much easier to defend against virii than it is against spyware. Spyware even fuels spam, and after all, spam is what we all hate the most right? lol ;)
A few quips for that, learn to configure here through the search feature & learn to handle your resources properly. ;)
The Duck
April 18th, 2004, 08:38 AM
!mitationRust, I don't even know what the heck you just said lol, you gotta speak less intelligent for me to understand lol.
Specialist, I know exactly what you mean, but don't you think that the amount of virii and the amount of people affected by virii would be reduced significantly?
Girl_for_Tech
April 18th, 2004, 08:44 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737641) by The Duck
!mitationRust, I don't even know what the heck you just said lol, you gotta speak less intelligent for me to understand lol.
Why, are you lol ? Why don't you check what forum you are in?
TheSpecialist
April 18th, 2004, 08:55 AM
Yes but I'm tired of everyone saying staying away from downloads and updating their AV (always will keep people safe...) this only makes the end user want to click URLs instead of attachments and update AV rather than patch up on vulnerabilities which will end up giving them ten times more trouble... reoccurring trouble in the future.
d00dz Attackin
April 18th, 2004, 08:56 AM
Why is it that worms/viruses do over 100 billion in economic damage a year?! If you all remember Klez, it did 15 billion in damage. Spyware in some cases is overruled.
TheSpecialist
April 18th, 2004, 09:07 AM
It's the boost in network traffic... if a company gets a worm and it starts scanning, sending, & stuff then things could eventually lead down to a form of a DDoS. If a company is down for even an hour then the big wig company types go crazy about it. Not to mention this means they get 1 less hour's worth of pay from sponsors. Also if you're doing business online, who is going to bother arguing or trying to prove how many would-be customers they lost anyways.
Also most people just send their computer off to some place for repairs... even for minor stuff. So they also lose money while AVers, tech-supporters, and repair dudes gain from it.
Und3ertak3r
April 18th, 2004, 10:01 AM
You Warn end users about the traps and pitfalls..
and what happens..
1/ they do exactly what you tell them what to do..
or
2/ they are so shit scared that they never want to go near the internet..
or the very few will understand what you tell them.. and be aware..
My view.. in light of the ****tard ppl from Cool Web Search.. Adware and Viruses are one and the same.. they are all Malware..
1/ They generally are to do something of a malicious nature (not in the best interests of the end user)
...... Spy on the user in one form or another.. be it keylogging, surfing details, or pc usage
........Use the computer for a purpose other than what the user originally thought the softwares were for.
........
2/ The Malware used either social engineering or an exploit to enter the user's pc.. hey mate yer clock is wrong.. D/l my crap dit a warez and it'll fix ya up..ok... or Hey dude ya'all no tha M$ is crap.. here is bit of shit prog that will fix ya all up.... or the mouse trap in an email titled "Your ebay Account"
Many users are idiots .. and will never learn.. bit like a fellow I know.. He is ace with pc's leaves me for dead.. but he don't know jack about maintaining his car.. blown 2 motors in the past 5 years.. now he is an idiot..
Or my mate the Automotive tech.. yep no probs with cars.. and fairly good with PC's but an idiot when it comes to Balancing his cheque book..
me .. well.. i won't say.. but what about you?..
We Repair dudes hate the lot of it.. It is a nice distraction once or twice a week.. but all day every day .. I have better things and more profitable things to do than be fixing Malware all day every day.. I am on my 36hrs away from the saltmine and have had 4 urgent jobs to deal with.. were the users idiots?... NO.. just doing their jobs and too busy to notice an error.. or to check what that silly error message was..
No ADWare is worse.. it is from commercial companies that ****en well should know better and should have their arses kicked into the next millennium for the time and hassles they are causing.. As for Microsoft... here is a what if.. What if Apple never lost the lion's share of the market.. the PC never really took off.. Would we be cursing Wozniak and Jobs instead?
oops the alarm.. My allocated 35mins in 12hrs.. have to let the family know I do still exist..
Cheers
The Duck
April 18th, 2004, 10:04 AM
The reason why companies are more at risk is because there will always be at least one moron in every company that will do something stupid that causes him to download a virus and before you know it every computer on the network will be infected. Well, I don't know about you guys, but I think most people on this board who know what they're doing will have more of a problem with spyware than virii.
girl for tech, I still don't know what's going on lol
grim_reaper1
April 18th, 2004, 10:04 AM
Porn, porn sites, pictures, video clips, etc... are all major platforms for spreading spyware, adware, malicious code and scripts, and yes, mp3's have even started showing up carrying destructive payloads. I also have never had anything make it onto my personal box, but I service many clients who are not so fortunate. You must educate yourself in order to protect yourself. You may feel free to visit my website, currently undergoing some new renovations and additions @ www.centcomcomputers.net.
I hope you can find something there that will help, and more info to come later.
Und3ertak3r
April 18th, 2004, 10:18 AM
UGH.. you need a better colour scheme.. ((that is a bit of the Pot calling the Kettle Black)
A lot of the Adware crap is NOT coming from Porn sites, while the Virii are coming from email and p2p downloads.. a very small number of the recent removals I have done are not Porn site related.. ie dialers..
Could you send me an active-Virus infected picture please.. haven't seen one yet..
well one that didn't need an active decoder prog on the recipient's machine..
BTW.. what has happened to Gator? I haven't seen it on a system this week..
Cheers
grim_reaper1
April 18th, 2004, 10:37 AM
I don't know, I kinda like the color scheme I chose. Anyway, I could send you a virus infected picture in any of several formats, but I refuse to do so due to the fact that I have a business to run and my integrity means everything to me. But, let me explain how this new threat is being done. A program called binder can 'bind' two files together, and can institute any attribute to either file. The malicious file is bound with the carrier file or host file, which can be of any file type, and when the host file is opened, it executes the malicious code. This is all done in the background, hidden. I have tested this on several test rigs and so far, it has gone undetected by every single anti-virus software program out, from the free AVG to Panda, Norton, McAfee, etc... I must state again, the host file does not have to be an executable, it can be a .gif, a .jpeg, anything, and when opened, can do anything the malicious file is designed to do.
This is somewhat similar to the new Netsky.V variant which does not even need to be an attachment to run on an unsuspecting person's computer.
The Duck
April 18th, 2004, 10:38 AM
I was going to say the same thing, your choosing of colors is bad.
Gator...lol...now that brings back some memories, I actually haven't seen it in a while myself. Nowadays I just see bad cookies.
I have to agree with Und3ertak3r, most people who make porn sites aren't smart enough to figure out how to configure their site to force malware into people's computers lol.
Wow grim, thanks for the heads up on this new form of attack.
TheSpecialist
April 18th, 2004, 10:49 AM
ummm no... I have never heard of malware under those formats. Of course there are always buffer overflows but come on... this did happen but was under MIDI not MP3, this was well over a few years ago but again because of unchecked buffers in the programs that ran these files. It didn't really have much of an impact, in fact most malware under that format never even made it very far out of the VX labs. I'm not saying it's impossible... I just don't think you fully understand how this would work in the real world and I just disagree with your "major platform for spreading malware".
[edited]
Netsky? Most browser based exploits are nearly the same. You base64 encode your executable files, place it on the system, then find a way to execute it. Which this time it's exploiting the XML Page Object Type Validation vulnerability in order to execute it I believe. Actually I think you'd find that XSS has more in common with buffer overflows than this...
Und3ertak3r
April 18th, 2004, 01:11 PM
grim_reaper1
A program called binder can 'bind' two files together, and can institute any attribute to either file. The malicious file is bound with the carrier file or host file, which can be of any file type, and when the host file is opened, it executes the malicious code.
yes i know that but I asked:
Could you send me an active-Virus infected picture please.. haven't seen one yet..
well one that didn't need an active decoder prog on the recipient's machine..
What I meant.. that didn't need the binding prog.. the decoder.. when did we read about it? 18 months ago.. so you have encountered it fine.. but you haven't seen one that executes ONLY from the Picture file..
And you are behind the times
Netsky.V variant which does not even need to be an attachment to run on an unsuspecting person's computer.
Check out Klez/elkern.. they depend on a vulnerability that has, what 1 or 2, patches over the past 2 years.. yes klez is at least that old now.. but then I suppose it isn't surprising that many people are still unpatched after that time..
I refuse to do so due to the fact that I have a business to run and my integrity means everything to me
What do you think.. I will sue your arse off.. perhaps? zip it and lock the file.. send the key in another message.. forwarding an infected file to other professionals is part of my day-to-day.. it has a lot to do with my integrity.. That being, being sure that I have done all that I can to have my customers clean of their infections..... see what may be detected by the various AV scans as netsky.q.. may in fact be netsky W or X or Y or Z.. and the difference may be a backdoor component that may not be removed and worse..
So do i take it you Trust 100% what the AV companies tell you?
I just use them as a guide..
As for the colours.. you do want YOUR customers to read the information on your site..don't you?.. What age group will most of them be in? 12 to 19? or 30 to 45? It's not about what colours you like.. it is more what your clients find easy to read.. Your webpage will most likely be their first port of call..before ringing you.. but with very bad Font/colour selection.. it will be a click on their way to someone else..
Cheers
The Duck
April 18th, 2004, 06:33 PM
I have to agree with undertaker, me being a web designer/developer myself, it really doesn't matter what color scheme YOU want it to be, it's what's easy and professional for the customers.
Undertaker, you're leaning more towards agreeing that there is a way to do this, or at least have an open mind to this attack.
Specialist, you say it most likely can't be done and if it can it wouldn't be a real threat.
So which is it???
phishphreek
April 18th, 2004, 08:00 PM
My understanding of viruses that might be in the form of .gif or .jpeg or which have you...
The image may be infected but unless there is a program loaded to actually execute the code in the image, it won't do anything. So, the image would have to exploit a bug in some program for it to run? IE, mspaint, macromedia fireworks, photoshop, gimp, whatever.
Or, there must be a completely different program loaded that will inspect the image being opened/viewed and then execute the code if the image is infected.
grim_reaper1 I'd (along with many others here) be very interested in learning more about what you're claiming. Which methods did you use (I know a binder... that's not new) and in which environment? Which viewer allowed the execution of the virus? Does it work just on m$ platforms? (guess this depends on which platform the virus is designed for)
If you don't want the everyone to know... open up a Private Conference Rooms and invite who you want. http://www.antionline.com/confroom.php?s=
grim_reaper1
April 18th, 2004, 09:15 PM
OK, let me explain a little bit better. Using the binder prog, the pic wouldn't need to be 'executed', only viewed, using any prog, even microsoft fax and picture viewer. When it binds the two progs together, you can choose to run the malicious file hidden when the host file is open, and choose which directory the malicious file sends itself to. Such as Windows dir, or System dir. If anyone would like an example for TESTING purposes, I will mail out test files upon request.
TheSpecialist
April 18th, 2004, 10:57 PM
Specialist, you say it most likely can't be done and if it can it wouldn't be a real threat.
Ummm... no duck, I explained how someone could make it work. Meanwhile he claims to explain stuff that only adds more flaws into what he said. Like the first time around what he was basically saying was that this was a current threat and a major platform for virii... so popular in fact that no one has heard of it. Well the thing about buffer overflows is... for this kind of thing you're going to need to exploit explorer, netscape, paint, microsoft fax/picture viewer, & the countless *.gif editors out there. These are all different programs therefore they would need various styles of overflows in one file to work for *cough ("everything?"). Besides overflows you could rename a file to executable.rtf then have an entirely separate program/script to tweak a few things for example file associations or rename it back to executable.exe or whatever.
But if this guy were serious he would have already walked the talk by now... Email is a private thing. Make this public, if you have it show it. I even gave a few examples of how under the right kind of things you could make it work. But then he makes posts like the one above and basically repeats what has already been said only he adds flaws in his comments that clearly show he has no ****ing idea what he's saying except for the parts where he says: "I got l33t skiddie progs". So grim, I hope by now you are at the very least knowledgeable enough to understand why no one takes you seriously. Or you could just argue with yourself and show how confused you are until the end of time.
grim_reaper1
April 18th, 2004, 11:13 PM
Well, I'm not going to get into a childish pissing contest with some self-proclaimed professional know-it-all who has managed to get themselves banned as a noob. You can flame me as much as you like, but you're not as up to date and on top of things as you think specialist.
Und3ertak3r
April 18th, 2004, 11:49 PM
First of all,
You seem to have examples of the "JPG Viruses", Yes?.. I asked if you could send a copy.. Yes send it out so we can examine the toy..Please..
When the news of this type of virus broke there were discussions about it on many forums including here.. I have given up looking for it here.. But to date I haven't seen an example of either an "infected Picture" or the decoder/extractor program.. and I have examined pictures from suspect sites in extreme detail.. searching for examples. but someone else has had better luck.
A News Article at the time of announcement (http://www.canoe.ca/CNEWSTechNews0206/13_virus-ap.html)
The Decoder/Extractor/Binder HAS to be running on the victims computer when the image file is opened.
(this is for anyone else who is watching)
If you think that it is impossible to place code in a JPG file.. then just go and read about Steganography..
My original reply to GR was his post gave the impression that the Picture files contained "Active" Viruses.. that is a When the Image is viewed.. regardless of the Viewing program.. will execute the viral code..Without the Binding/decoder/extractor prog.
Don't confuse this with the double extension trick (Picture.jpg.pif).. and don't forget that there is also a triple extension trick as well.. or one that came with a version of netsky.Q ..Important.TXT .pif...
Cheers
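A defender-side triage check for the two things discussed in the posts above: a picture with a foreign payload bound onto its end (which, as the posters note, stays inert until a separate extractor runs it) and the double/triple extension trick (Picture.jpg.pif, Important.TXT .pif). This is an added example written for this page, not code from any poster in the thread; the extension lists are illustrative assumptions and the sample "files" are constructed byte strings.

```python
"""Attachment triage for two tricks from the thread: a payload appended after a
JPEG's end-of-image marker (what a "binder" produces) and the double/triple
extension trick (Picture.jpg.pif, Important.TXT .pif).
Added example for this page; all sample data below is constructed."""
import struct

# Illustrative lists (assumption: not exhaustive). EXEC_EXTS: extensions Windows
# runs on double-click; DECOY_EXTS: harmless-looking extensions used as bait.
EXEC_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}
MAGIC = {  # file header each image extension should carry
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",),
}


def extension_findings(filename):
    """Reasons a file name looks like an extension trick (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return reasons                      # single extension: nothing to hide behind
    inner = [p.strip() for p in parts[1:-1]]
    if parts[-1].strip() in EXEC_EXTS and any(p in DECOY_EXTS for p in inner):
        reasons.append("executable extension hidden behind a decoy extension")
    if any(p != p.strip() for p in parts[1:]):
        reasons.append("whitespace padding inside the extension chain")
    return reasons


def jpeg_end_offset(data):
    """Walk the JPEG marker structure; return the offset just past the EOI
    marker, or None if the data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                     # lost sync: not a valid segment start
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                  # EOI: image data ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                        # standalone markers carry no length
        if pos + 2 > n:
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:                  # SOS: skip entropy-coded data until
            while pos + 1 < n:              # a real marker (not FF00 / RSTn)
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_payload(data):
    """Bytes appended after the JPEG's EOI marker (b'' if none or not a JPEG)."""
    end = jpeg_end_offset(data)
    return b"" if end is None else data[end:]


def magic_mismatch(filename, data):
    """True if a claimed image extension does not match the file header."""
    sigs = MAGIC.get(filename.lower().rsplit(".", 1)[-1].strip())
    return bool(sigs) and not any(data.startswith(s) for s in sigs)


def triage(filename, data):
    """Combine the checks into a list of human-readable findings."""
    findings = extension_findings(filename)
    if magic_mismatch(filename, data):
        findings.append("file header does not match the claimed image type")
    tail = trailing_payload(data)
    if tail:
        kind = "a PE executable (MZ header)" if tail.startswith(b"MZ") else "unknown data"
        findings.append(f"{len(tail)} bytes of {kind} appended after the end of image")
    return findings


# Constructed minimal JPEG: SOI, APP0/JFIF segment, a tiny SOS section, EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56"       # entropy data incl. a stuffed FF00
              + b"\xff\xd9")
# The same picture with a fake executable stub glued on, as a binder would do.
BOUND_JPEG = CLEAN_JPEG + b"MZ" + b"\x90" * 40

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", CLEAN_JPEG), ("holiday.jpg", BOUND_JPEG),
                       ("Picture.jpg.pif", b"MZ\x90\x00"), ("Important.TXT .pif", b"")]:
        print(f"{name!r}: {triage(name, blob) or ['clean']}")
```

A bound picture flagged this way is still only a carrier; the finding is a reason to quarantine the attachment and look for the extractor program the thread says must accompany it.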
Soda_Popinsky
April 19th, 2004, 01:38 AM
I can imagine a .exe writing a .jpeg in the same location, and opening a default viewer to view that .jpeg, but as for code embedded in the jpeg through steganography (or any other method) triggering buffer overflows in any software that it is opened by is "impossible". A buffer overflow is program specific... it can't be universal like you described. (unless it's smart, but will start to get pretty large, and the picture would get ugly :p),
Stick around and defend your case, post the name and author of this program if possible... If you post one of these viruses with HUGE BOLD letters for warning I'm sure you won't get in trouble. If you bring an underground virus public I'm sure that can only help your reputation.
Vorlin
April 19th, 2004, 02:03 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737647) by TheSpecialist
It's the boost in network traffic... if a company gets a worm and it starts scanning, sending, & stuff then things could eventually lead down to a form of a DDoS. If a company is down for even an hour then the big wig company types go crazy about it. Not to mention this means they get 1 less hour's worth of pay from sponsors. Also if you're doing business online, who is going to bother arguing or trying to prove how many would-be customers they lost anyways.
Also most people just send their computer off to some place for repairs... even for minor stuff. So they also lose money while AVers, tech-supporters, and repair dudes gain from it.
I agree with this except you forgot to mention that one major reason why businesses lose so much money is also because the internal IT staff of any particular company that's got more than 20 people has to immediately go into overtime cleaning everything, issuing verified patches (some of which have to go through strenuous checks to make sure the business won't lose their ass by installing something wrong or have conflicts) as well as make visits to every machine because every person's calling for IT help at that time.
All because some idiot decided to clicky-clicky on a new_screensaver.scr or whatever and immediately, the business' email server is trenched because of the address book abuse.
Common sense and education of what is good to do and what is not good to do is invaluable but there lies the problem. People want to learn...a little bit. It takes quite a bit to become a fairly savvy and educated "end user" and most don't want to do that at all. They want it to work now, not later, now...and if they have to double-click the same icon for program X to open, they will. Even if it results in 19 windows opening up when the processor finally gets around to processing the requests.
Spyware is less than virii, in my opinion because you can easily get rid of it with scheduled runs of updated progs like Ad-Aware and while it can do some things that are annoying, viruses like the latest Netsky.V is downright scary because it doesn't even have an attachment! Anything like that, which will launch DOS attacks at a list of known sites through ports 5556 and 5557, is way worse than some dropped off cookie that I got from surfing through www.lotsofpornogfraphy.com or whatever.
The Duck
April 19th, 2004, 04:40 AM
Vorlin, that's exactly what I was talking about, except you explained it more in detail ;).
For the rest of you, so basically everyone is saying that an infected picture will only run the virus if you have the binder program running at the same time, or whatever. And you guys are sticking to this conclusion unless GR can prove it otherwise by giving you an example picture that will cause a virus to run right when you view the picture??
Until they come out with a report stating the damage that the new netsky.v virus has done (which I'm sure will be huge damage), I am sticking to spyware being more of a hassle than virii, especially for computer savvy people.
Soda_Popinsky
April 19th, 2004, 04:58 AM
Duck: Yup... the picture can only execute code if it is embedded in a way that will cause a buffer overflow in the program that opens it. A .txt file can be a virus in this way given a program like notepad can be exploited through this overflow. Let's say that overflow exists... you make a gigantic text file, and at the end of it you write a bit of code. The overflow disregards the huge amount of text, and runs the code because of poor programming in notepad. Same idea with a .jpeg, but GR is saying it can be executed without this overflow, on ANY program. This is hard to believe, because all programs are written differently. It would be new.
grim_reaper1
April 19th, 2004, 05:17 AM
OK ppl, I have sent Undertaker two examples about 5 hours ago. When he returns, he can update you on the status. Again, I will not make this readily available in the forum, online, etc...that is not how discovery is done. This entire example has already been submitted to the ICSA, who are the proper authorities on virus dissection. From there, this will be distributed to all the major AV vendors so they can adapt their AV scanning engines to detect the threat. Until then, let's hear what Undertaker says upon his return.
TheSpecialist
April 19th, 2004, 06:38 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256844#post737753) by grim_reaper1
who has managed to get themselves banned as a noob. You can flame me as much as you like, but you're not as up to date and on top of things as you think specialist.
Once again the things coming out of your mouth are either not very detailed, inaccurate, or something you clearly know absolutely nothing about. Most members including a few seniors never even got the full story as to what happened.
Up to date and on top of things? Oh and let me guess and you are? Every time you open your mouth I or someone else finds a need to correct what you said or ask of you to go further into detail on things but instead of doing that you just take an attitude and make a bigger ass out of yourself. I mean shit how else do you expect people to respond to this or take you seriously. Oh yeah sure... and I'm "flaming" you. Dude... you haven't seen me flame people yet. Ask around.
Und3ertak3r
April 19th, 2004, 11:04 AM
ok 5 hrs ago GR posted that 5 hrs b4 the examples had been sent.. I was at work at that time.. so I hope the email addy wasn't mistyped.. I have sent you a direct message from that account.. I hope you follow my instructions and zip and password the file/s ..
cheers
nihil
April 19th, 2004, 11:48 AM
Und3ertak3r is quite right, the subject of "picture viruses" has been discussed here before, most recently I believe in the context of what is a "safe" file/extension.
I seem to recall reading about picture viruses about 3 years ago and I think it was called "one off" "run once" or something like that. The actual virus code was embedded in a picture, in a type of steganography approach, and there was an extractor program.
I never saw a detailed analysis as I believe it was a "proof of concept" virus that someone had sent to McAfee or one of the other AV houses (from who I remember I was getting bulletins from at the time that would be either Symantec or Panda)
The points I recall thinking at the time were that:
1. it was really only standard malware disguised by steganography
2. it required a specific program to extract and run it, which meant that a separate executable was required.
3. it would not run if the picture was opened in regular picture viewing/manipulating applications.
The only reason I vaguely remember it is because it was unusual. :)
Cheers
counterspell
April 19th, 2004, 07:07 PM
Well, I think Denial-of-Service is a bigger problem than both. DoS is much easier to execute than virii. One thing to bear in mind is that virii are used mostly by crackers whereas spyware is used by unscrupulous advertisers for the most part. Most virus coders nowadays use Visual Basic, as opposed to ASM like they used to. Just an interesting trend.....
MoonWolf
April 19th, 2004, 07:54 PM
I think spyware is worse.
not in damage systemwise or economically. But a virus is just something that damages in most of the cases. Spyware and stuff like that violate my privacy, slow down my computer (I'm a gamer, performance is everything), create network traffic thus steal bandwidth (although virii do also).
And most important, spyware and adware and things like that are being developed by companies who choose to do so. We are not talking about some skiddy with a new script. We are talking about someone making a profit out of this stuff. And then when it has been developed another company or site goes and uses this stuff. Again that is a choice to do so and it's not like they're playing with it or some 13 year old kid that wants to see what happens when he DDoSes yahoo.
It gives me the creeps.
-MoonWolf
TheSpecialist
April 19th, 2004, 09:27 PM
Actually that's only because the boxes that are in play have already been compromised. The reason why dDoS is even possible is because why? Well usually because of worms/trojans on computers first of all which aid in dDoS attacking for starters. Visual Basic, as opposed to ASM like they used to?
Actually if you hang around a few VX boards and read a few e-zines you'll find that there are MANY people still into assembly. You could maybe make a worm or virus in VB, sure. But it sucks when you need to create a dropper that checks for runtimes, if they aren't around then install them before dropping your trojan or (etc).
grim_reaper1
April 19th, 2004, 10:49 PM
To Undertaker, the email you gave seems to not be working. I sent it twice and nothing. Email me back with either another email or try to give it to me again. I typed exactly what you gave me before. I'll wait till then to resend it.
Und3ertak3r
April 19th, 2004, 10:53 PM
grim_reaper1.. Last email I received.. you asked for my email addy.. I take it you have not received my reply? that from my yahoo account?
I will send an alt addy
cheers
PM'd the addy.. 1 min after the original post of this reply..
I hope you didn't title them "Banged in the Back Seat" they were the most popular mails removed from the bulk mail folder..on Yahoo..
just for the record.. the first address.. undertaker_0_2 at yahoo dot com
hey Soda.. you getting bored?
Got a back log of PC's with various Malware and user problems
Oh yeh: biggest virus I used to have .. was "usr.IDtenT.xxx" .. normally noticed after the user cleared some hdd space, or removed some unwanted programs.. or the good ol "somtin is fill'n me hdd" when the user thinks that removing the Start menu entries is the deletion or removal of progs..
Soda_Popinsky
April 19th, 2004, 11:17 PM
GR.... mcgoo32 at yahoo dot com
others can email to confirm its existence, if you're bored.
.:front2back:.
April 20th, 2004, 02:49 AM
GR.... mcgoo32 at yahoo dot com
others can email to confirm its existence, if you're bored.
Hey where's my reply, I've been waiting and waiting and still no reply.
That's false advertisement, I wanted confirmation that it existed.
Me still waiting.
cheers
f2b:.
The Duck
April 20th, 2004, 03:59 AM
Dude, why'd you have to do that? you know... put all those spaces there?? It's kind of annoying ;).
So what's the latest news?? Did he send the "infected" pics??? If so, is it legit?
Moonwolf, you're absolutely right, I'm a gamer myself, performance is everything! lol.
Soda_Popinsky
April 20th, 2004, 08:08 AM
Hey front ta back... you didn't send nuttin... :p
Grim... yeah I'm bored
GR.. received your .jpeg, and nothing happened. No changes to my system, just an error, with 3 different picture progs... including fax viewer. Maybe you can hint us to the symptoms? It sounded like it would crash... :p
Opening the file in notepad as well gave me some juicy keywords.
This program must be run under Win32
CODE DATA PD BSS .idata .tls .rdata P.reloc P.rsrc kernel32.dll DeleteCriticalSection LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetCurrentThreadId GetStartupInfoA GetModuleFileNameA GetLastError GetCommandLineA FreeLibrary CreateDirectoryA ExitProcess WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle user32.dll GetKeyboardType MessageBoxA CharNextA advapi32.dll RegQueryValueExA RegOpenKeyExA RegCloseKey kernel32.dll TlsSetValue TlsGetValue LocalAlloc GetModuleHandleA kernel32.dll GetWindowsDirectoryA GetSystemDirectoryA DeleteFileA CopyFileA CompareStringA user32.dll CharUpperBuffA shell32.dll ShellExecuteA UTypes System SysInit untPos KWindows +untExtras yFrEaK_ReadWrite This program cannot be run in DOS mode.Rich PE .text.data .rsrc MSVBVM60.DLLBKPs DRR Form1 DRR 2004 Form1 TahomaD Command1 Text1 Welcome to DRR 2004An unknown error has now occured in order to remove this error then please restart your computer.
Image1 D : \ M y P r o g r a m s VB5 DRR Drr 2004 DRR D:\My Programs\Darkside\DRR 2004\Project1.vbp
Network\SRemoteAccess\ControlPanel\AppEvents\Config\Hardware\System\.DEFAULT\Display\PSystem\CurrentControlSet\Control\Update\,ControlPanel\Colours\*RemoteAccess\Profile\0Software\Microsoft\IEAK\Software\Yahoo\JSoftware\Microsoft\InternetExplorer\.Software\Microsoft\IE4\HSoftware\Microsoft\InternetDomains\\Software\Microsoft\InternetConnectionWizard\Software\Kazaa\SOFTWARE\KAZAA\HSoftware\Microsoft\MessengerService\@Software\Microsoft\MSNMessenger\$Software\Symantec\$SOFTWARE\Symantec\4Software\Microsoft\Office\Software\Adobe\SOFTWARE\Adobe\>Software\Microsoft\MediaPlayer\`System\CurrentControlSet\Control\Print\Printers\xConfig\0001\System\CurrentControlSet\Control\Print\Printers\BControlPanel\Appearance\Schemes\4Software\Microsoft\Telnet\@Software\Microsoft\TelnetServer\DSoftware\Yahoo\AudioConferencing\*Software\Yahoo\Pager\6Software\Yahoo\YFriendsBar\.Software\Yahoo\YServer\xSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer\lSoftware\Microsoft\WindowsNT\CurrentVersion\Policies\Network\Logon\__vbaStrToAnsi__vbaOnErrordSYSTEM\ControlSet001\Services\RemoteAccess\Policy\$SOFTWARE\Policies\$Software\Policies\tSoftware\Microsoft\Windows\CurrentVersion\Policies\System\VBA6.DLL__vbaFreeStr__vbaSetSystemError__vbaFreeObj__vbaHresultCheckObj__vbaObjSetAddref__vbaNew2v@@
Error"HKEY_CLASSES_ROOT"HKEY_CURRENT_USER$HKEY_LOCAL_MACHINEHKEY_USERS*HKEY_PERFORMANCE_DATA&HKEY_CURRENT_CONFIGHKEY_DYN_DATABTheRegistryDatabaseiscorrupt!BadKeyNameCan'tOpenKeyCan'tReadKey8AccesstothiskeyisdeniedCan'tWriteKeyOutofmemory"InvalidParameter|Thereismoredatathanthebufferhasbeenallocatedtohold..UndefinedErrorCode:\
HKEY_"IncorrectFormat:__vbaVarAdd__vbaStrVarMove__vbaVarCmpEq__vbaVarCmpNe__vbaVarOr__vbaBoolVarNull__vbaInStr__vbaErrorOverflow__vbaStrCat__vbaStrCmp__vbaStrCopy__vbaFreeStrList__vbaStrI2__vbaAryUnlock__vbaAryLock__vbaVarForNext__vbaStrMove__vbaUI1I2__vbaGenerateBoundsError__vbaI4Var__vbaVarForInit__vbaRedim__vbaLenBstr__vbaVarCopy__vbaVarMove__vbaFreeVar__vbaFreeVarList__vbaStrToUnicodeMSVBVM60.DLL__vbaStrI2_CIcos_adj_fptan__vbaVarMove__vbaFreeVar__vbaLenBstr__vbaStrVarMove__vbaFreeVarList_adj_fdiv_m64_adj_fprem1__vbaStrCat__vbaVarCmpNe__vbaSetSystemError__vbaHresultCheckObj_adj_fdiv_m32__vbaVarForInit__vbaOnError_adj_fdiv_m16i__vbaObjSetAddref_adj_fdivr_m16i__vbaBoolVarNull_CIsin__vbaChkstkEVENT_SINK_AddRef__vbaGenerateBoundsError__vbaStrCmpDllFunctionCall__vbaVarOr_adj_fpatan__vbaRedimEVENT_SINK_Release__vbaUI1I2_CIsqrtEVENT_SINK_QueryInterface__vbaExceptHandler__vbaStrToUnicode_adj_fprem_adj_fdivr_m64__vbaFPException_CIlog__vbaErrorOverflow__vbaInStr__vbaNew2_adj_fdiv_m32i_adj_fdivr_m32i__vbaStrCopy__vbaFreeStrList_adj_fdivr_m32_adj_fdiv_r__vbaI4Var__vbaVarCmpEq__vbaAryLock__vbaVarAdd__vbaStrToAnsi__vbaVarCopy_CIatan__vbaStrMove_allmul_CItan__vbaAryUnlock__vbaVarForNext_CIexp__vbaFreeObj__vbaFreeStrVS_VERSION_INFODVarFileInfo$Translation StringFileInfo\040904B0,CommentsDRR2004(CompanyNameDRR4ProductNameDRR2004,
FileVersion2.000
ProductVersion2.00(InternalNameDRR8OriginalFilenameDRR.exeDRR.exe
That's some text I was able to pull out of the file. The "binder" was written in the leetest language ever, VB. I think it's called DRR, or something
Welcome to DRR 2004
Any thoughts, GR?
:D
edit-
stuff attached.... supposedly a virus, open at risk
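The check Soda did by hand in notepad, written out as an added example (not code from the thread): compare what the extension promises with what the bytes actually are, and pull the printable strings. The sample bytes are constructed, and the marker list is an assumption drawn from the dump above.

```python
import re
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
# Assumed marker list, taken from the strings dump in this thread (a VB6 dropper tends to carry these)
MARKERS = (b"MSVBVM60.DLL", b"ShellExecuteA", b"CreateFileA", b"RegOpenKeyExA")

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len chars, like the 'strings' tool (or notepad, as Soda did)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(name: str, data: bytes) -> dict:
    """Compare the extension's promise with the bytes' reality and list tell-tale markers."""
    ext = name.rsplit(".", 1)[-1].lower()
    claims_image = ext in ("jpg", "jpeg")
    looks_jpeg = data.startswith(JPEG_MAGIC)
    pe = is_pe(data)
    if claims_image and pe:
        verdict = "renamed PE executable"
    elif looks_jpeg:
        verdict = "jpeg"
    else:
        verdict = "unknown"
    return {
        "extension": ext,
        "header_matches_extension": claims_image and looks_jpeg,
        "is_pe": pe,
        "dos_stub": DOS_STUB_MSG in data,
        "markers": [m.decode("ascii") for m in MARKERS if m in data],
        "verdict": verdict,
    }

def build_fake_sample() -> bytes:
    """Constructed stand-in for PictureCrash.JPG: an MZ header, a DOS stub message, a PE signature
    and a few of the strings seen in the dump. Not a runnable executable, just enough structure
    for the checks above to fire."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x40:0x40 + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> offset of "PE\0\0"
    body = b"PE\x00\x00" + b"MSVBVM60.DLL\x00ShellExecuteA\x00Welcome to DRR 2004\x00"
    return bytes(hdr) + body

if __name__ == "__main__":
    print(classify("PictureCrash.JPG", build_fake_sample()))
```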
ct04armand
April 20th, 2004, 10:24 AM
Hmm...that's a pretty hard question. If we're talking within the context of the question, and the question only, then I would have to say that I consider virii as a more dangerous threat to users. Isn't it that sometimes a virus can also act as spyware in some sense? Like when it sends information from the infected computer to a remote terminal; in some ways, that alone is already an act of spying...similar to what spyware would do. Well, at least that's my view... :) Of course, each one of us has different views and opinions, thus this is a highly debatable topic... ;) I've read through the other replies though, and I believe that most if not all also have merit...like I said, this is a highly debatable topic. :rolleyes:
Und3ertak3r
April 20th, 2004, 10:41 AM
hey soda..
There is a DRR Software company who have a DRR Basic. Can't answer the VB6 calls.
cheers
nihil
April 20th, 2004, 02:16 PM
Hi Folks,
IT IS A VIRUS!!!
Well it is an attempt at one:
"PictureCrash.JPG is
Win32.Interlaced.10.B.Dropper"
I am afraid it did not survive the electrified fence, let alone get smothered in a sandpit or fall into the jaws of the rabid pack of script stranglers.................and the rest of the gang are still asleep in the bunker :D
The virus appears to be new, as the AV only spotted the dropper mechanism................as an aside, it did not let me download UPX (the actual packing tool) the other day, so I guess the AV is looking for "tools & mechanisms", as well as patterns and behaviour.
It is e-trust (Vet?) the mob that Microsoft bought.
I will now have to try to download it onto a labrat, as the AV will obviously have nothing to do with it.
Nice One! very interesting...............but I am going to have more work to try to get it to infect ........I am thinking of loading a collection of picture viewers and editors onto the labrat?
Cheers for now
EDIT: I just had a quick scroll through the .txt version and saw this:
SOFTWARE\Borland\Delphi\RTL FPUMaskValue
I wondered why it seemed so bloated, and I do not see any evidence of an actual picture there, so I am suspecting a "social engineering" approach and a circumvention of the usual double extension "giveaway".......................but how to get it to run? that is the question.
The Duck
April 20th, 2004, 05:02 PM
So now we have the virus and we have some info about it and it's a new type of virus attack. With this information in mind, how much at risk is the internet community?
ForeverShady
April 20th, 2004, 05:19 PM
Both are big problems, of course. But spyware has become way more popular than the old-fashioned virus. Viruses are effective, no doubt. When it comes to control and power like most hackers want, they turn to spyware and/or trojans.
grim_reaper1
April 20th, 2004, 08:53 PM
I just wanted everyone to be aware that this was not bullshit. The original picture may not have been such a good choice, and I can always try to resend this, but again, my ISP is blocking certain things right now, and may have a problem doing so. Yes, the original malicious part of this is named DRR, but if you Google it as I have, all you get is the company. I have not found the program anywhere, and DRR company is not it. Yes, the binder prog was Interlaced 2, it allows you to bind a host file with a hidden file that is malicious. Sorry to Undertaker whose emails were blocked by my ISP.
I can't remember where I got the original DRR file from, but I did download it and have it saved on disc for future ref. The Interlaced 2 prog I also dl'ed and again, can't remember where from. I do know it wasn't from anywhere big like Sub7 or Hacktivismo, or CultDeadCow. If I remember, I will let the community know.
nihil
April 20th, 2004, 10:48 PM
Hmmm,
I think that it is a virus or an attempt. I think that a part of it is VB and probably the core is Borland Delphi, not sure about the rest of it, as I am waiting to get my hands on it...........on the labrat.
What I do not see is how opening an image file (single extension) will actually launch the executable?
My particular query is that image files probably have the greatest variety of default launching programs, as you seem to get a fresh one with each digital cam, web cam, photo manipulation package etc?............?
Any thoughts?
TheSpecialist
April 21st, 2004, 12:30 AM
Blah... Windows95, with regprot, and a few other programs monitoring startup methods... many are my own creation, it would be very hard disabling those. Ran it and took a look into it through a more NT based environment. Ran it... under as many image viewers as I possibly could. Nada NOTHING... Took it apart with WDASM, you all can sort through it better with that. The only thing related to images and this file as far as I can tell is its own damn goofy icon. Sure it might be malware but from the looks of it it's just a *.exe renamed and given another file extension.
Phonedog911
April 21st, 2004, 01:25 AM
i think spyware is more of a problem, virii can mess ur comp up, but just the idea of those spyware companies knowing my secret gay kiddie porn habits is frightening :eek:. j/k :D
nihil
April 21st, 2004, 03:43 AM
Phonedog911
"Well... what can you expect from a slave-banging, Hitler-loving, queer like Thomas Jefferson?"
errrr.................FIVE THOUSAND DOLLARS?
:cool:
grim_reaper1
April 21st, 2004, 06:49 AM
Here it is ppl. Have at it. One thing:
OPEN AT YOUR OWN RISK. I ACCEPT NO LIABILITY
MoonWolf
April 21st, 2004, 05:10 PM
If this is a virus what does it do?
I mean I don't understand half of it but looking at the code,
it should popup a window with some text asking to restart the computer. And then do stuff with regkeys.
But I don't understand enough assembler to figure out what it does.
And the picture does not work. Not on my home comp using 6 picture viewers and faxviewer.
And at school I tried it in win 98, 95, me, nt4, 2000 all using the same 6 viewers and knoppix 3.2, with no result (no real surprise).
So I think the binding stuff is crap. Unless someone else did manage to make it work. Or the virus can hide itself REALLY well, but I don't think that's it because it should pop up a window.
grim_reaper, if it really is supposed to work tell us what it does and how you tested it.
txsidewinder1
April 22nd, 2004, 09:17 AM
I would say they were both equal. Some that were spyware before are now counted among the viruses and they are still out there. One is Sir Search. I remember when it was just spyware. Look at what they do now. Hijack your browser. Sir Search also has the Flow Go Bar which is their spyware. So I guess what I am trying to say is that Sir Search is both spyware and a virus.
echocontrol
April 22nd, 2004, 11:56 PM
Well now I'm brand new to this site, and it's actually spyware that brought me here. And just the amount of ppl that are trying to hack into systems. It amazes me (and of course a lot of them are bringing viruses with them; I just had to bring my computer back to its original state because of infections in my registry from spies). So I've been fighting with the evil aol about how safe am I with their protection? Well they assure me - oh I'm safe - well I've got their (aol) version of mcafee virus protection and firewall. It's ok, but I'm still not sure. And I'm really irritated (don't like aol or mcafee) because with my aol 'firewall' - the technology of it is as good as a bought mcafee wall, but I can't send out info on ip addresses of ppl trying to get in or block them (well I can block them, but have to go into my system to do it)......just new to this whole scene and I'm like obsessed with it....it's bad out here...