'anyone ever heard about this one?

View Poll Results: number of posts and AntiPoints of thread starters...good or bad? (6 voters)
  • Good idea: 3 (50.00%)
  • Bad idea: 3 (50.00%)

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    118

    'anyone ever heard about this one?

    While working the other day (I work at Staples, heaven help me......), someone mentioned to me that he had acquired a virus the hard way. That is, his system was infected.

    The characteristics he described were interesting--whenever the user attempts to delete a file, the virus program copies the file. And also, this virus will work erratically, retreating to dormancy for periods of time.

    This gentleman told me that he had talked to the Norton Antivirus people about the problem; they had told him that they could not write anything to fix it until Microsoft gave them permission to poke around in sections of code. From what I understand, this virus infects the macros.

    My question to everybody is: is this really a legitimate virus? What is it called?

    It sounds, from what I've heard, to be a clever piece of coding.....I'd like to take a look at it, if only to try to figure out what makes it tick......
    Got Root?



    This user powered by Linux.

  2. #2
    Member
    Join Date
    Sep 2001
    Posts
    89
    I can't say I've even heard of those particular symptoms...
    So I can't give you information specific to that virus.

    But I can give you some info that is specific to almost every virus.

    You see, I don't use a virus scanner on my system.
    They use a lot of resources, and it's more fun to hunt down the virus by hand.

    Anyhow, the idea behind this is that the virus has to be loaded from somewhere, and it has to be resident somewhere.

    Poorly made or high-level viruses like trojans almost always load from the registry. The key to look at is:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    and

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    You can just delete the keys from there.
    Or you could download system mechanic by iolo, and use their startup manager options to disable things until the virus goes away.

    You can also check win.ini for the LOAD comment and then a filename.

    However, if the virus is low-level, then this isn't the way to kill it.
    Those viruses are very commonly found in the
    "No-Man's Land"
    If you have the balls for it then you can use a dos-based hex editor like Norton Diskedit and clear any data you find in this range:

    between Cylinder 0, Side 0, Sector 2
    and Cylinder 0, Side 0, Sector 63

    That's inclusive as well.

    If you mess this up then don't get mad at me!
    Remember, on one side of this is your partition table, and on the other is usually your boot sector.

    This is how we kill un-named viruses
    and things that go *bump* on the net

    -8trak
    F0 0F C7 C8
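To inspect the "No-Man's Land" 8trak describes from the defender's side, here is an added example that is not from this thread or from any tool named in it: a Python script that reads the MBR partition table of a raw disk image, finds where the first partition starts, and reports which sectors between the MBR and that partition hold non-zero data. The image is constructed inline with a few planted bytes; `build_sample_image`, `first_partition_lba` and `scan_gap` are names I chose.

```python
import struct

SECTOR = 512


def build_sample_image(first_partition_lba=63, planted_sector=5):
    """Construct a tiny disk image (sample data, not a real infected disk):
    an MBR whose first partition starts at `first_partition_lba`, with a few
    constructed non-zero bytes planted in the gap when `planted_sector` is set."""
    img = bytearray(SECTOR * first_partition_lba)
    # Partition entry 0 at offset 446: status, CHS start, type, CHS end, LBA start, sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", first_partition_lba, 1000)
    img[446:446 + 16] = entry
    img[510:512] = b"\x55\xaa"          # MBR boot signature
    if planted_sector is not None:
        off = planted_sector * SECTOR
        img[off:off + 8] = b"\xeb\x3c\x90CONST"   # constructed resident bytes
    return bytes(img)


def first_partition_lba(img):
    """Return the lowest starting LBA among the four MBR partition entries."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    starts = []
    for i in range(4):
        entry = img[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        lba = struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and lba != 0:
            starts.append(lba)
    if not starts:
        raise ValueError("no partition entries")
    return min(starts)


def scan_gap(img):
    """Return the LBAs between the MBR (LBA 0) and the first partition that
    contain any non-zero byte. With a partition at LBA 63 this is LBA 1..62,
    i.e. cylinder 0, head 0, sectors 2..63 in the CHS terms used above."""
    end = first_partition_lba(img)
    nonzero = []
    for lba in range(1, end):
        chunk = img[lba * SECTOR:(lba + 1) * SECTOR]
        if len(chunk) < SECTOR:
            break
        if any(chunk):
            nonzero.append(lba)
    return nonzero
```

Run it against a real image with `scan_gap(open("disk.img", "rb").read())`; a non-empty result is a lead, not a verdict, since legitimate boot loaders also keep code in this gap and should be compared against a known-good copy before anything is wiped.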

  3. #3
    Member
    Join Date
    Sep 2001
    Posts
    89
    That is, if he actually sent it in for servicing...
    F0 0F C7 C8

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    No, at least not here......the subject came up in the midst of a discussion on various reasons why one would have to reformat a hard drive.....

    I didn't know about that particular spot on the drive, though........Hrm.......maybe I should have used Diskedit more often when I still ran Windows.........
    Got Root?



    This user powered by Linux.

  5. #5
    Member
    Join Date
    Sep 2001
    Posts
    89
    Yeah, that was a really stupid thing that happened with the introduction of FAT and fdisk...

    Instead of starting data in the middle of the first side, they left almost an entire side (62 out of 63 sectors) or about 32kb of empty space that isn't supposed to be used... yeah... right.

    -8trak
    F0 0F C7 C8

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Typical M$ trick to pull, by the looks of it......

    Thank goodness for the ext2 filesystem.........
    Got Root?



    This user powered by Linux.
