
Thread: Stopping a Virus Writer

  1. #31
    Junior Member
    Join Date
    May 2005
    Posts
    13
    Suspect IDs:

    hedgehog69
    Hedgehogsrock88

    The key is, he's found an ISP that's not "local" to him...so, just searching against all the Louisiana ISP's for hitoll and hedgiemommie...won't help.

  2. #32
    I'd rather be fishing
    DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    And how do you ban? By nickname or IP or both? Every board has its trolls, we have a bucket full here. They get banned, come back and get banned again (and so on and so on). I am not sure you're going to be able to rid yourself of this troll (some are very determined) unless you can find his/her location. Did you check the header records of any of the infected emails (or do the viruses just get delivered via IM)?

    Cheers:

    /Edit
    Sorry darl'in, I got to go for now, meeting with my lawyers (don't ask). I am sure someone else here will pick up on this thread and hopefully be of some help (tiger...you out there?). If not, I'll be back tomorrow and try to help (no guarantees).

    Cheers:
    DjM

  3. #33
    Junior Member
    Join Date
    May 2005
    Posts
    13
    DjM, thanks for the tips so far. I understand having to deal with lawyers...been there/done that.

    I'm blocking IDs and IPs (xx.xx.xx.xx and xx.xx.xx) when there aren't more than 2 people impacted. IF I go up to xx.xx...I then catch too many of my regular users.

    I've been lucky...no infected emails or IMs have gotten to me. I'll go ask those impacted if they have any printouts/captured data and report back.

    Thanks for all the tips!
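The trade-off described in the post above (blocking a single address, a /24, or a /16 and seeing how many regular members get caught in the net) can be measured before a block is applied. The following is an added example, not code from the thread; the troll and member addresses are constructed sample data, not real ones.

```python
import ipaddress

# Constructed sample data (not from the thread): addresses the troll's
# accounts have posted from, and addresses of regular board members.
TROLL_IPS = ["203.0.113.45", "203.0.113.201", "198.51.100.7"]
REGULAR_USER_IPS = [
    "203.0.113.9", "203.0.113.130", "203.0.114.2",
    "198.51.100.8", "198.18.5.5", "192.0.2.77",
]


def block_networks(troll_ips, prefix_len):
    """Collapse the troll's addresses into the networks a block at
    prefix_len would cover (/32 = one host, /24 = xx.xx.xx, /16 = xx.xx)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in troll_ips}
    return sorted(nets)


def collateral_damage(troll_ips, user_ips, prefix_len):
    """Return the regular-member addresses that the same block would also
    shut out, i.e. the collateral cost of widening the block."""
    nets = block_networks(troll_ips, prefix_len)
    return [ip for ip in user_ips
            if any(ipaddress.ip_address(ip) in net for net in nets)]


def block_scope_report(troll_ips, user_ips, prefix_lens=(32, 24, 16)):
    """Map each candidate block width to the number of regular members it
    would lock out, so the narrowest effective block can be chosen."""
    return {p: len(collateral_damage(troll_ips, user_ips, p))
            for p in prefix_lens}


if __name__ == "__main__":
    for prefix, hit in block_scope_report(TROLL_IPS, REGULAR_USER_IPS).items():
        print(f"/{prefix}: blocks {len(block_networks(TROLL_IPS, prefix))} "
              f"network(s), locks out {hit} regular member(s)")
```

With the constructed data, a per-host block costs nothing, a /24 block locks out three members and a /16 block four, which is the "catch too many of my regular users" effect the post describes.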

  4. #34
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I've noticed a few things about this thread I think need looking at:

    1. Thread title - he's not a virus writer - see below.

    2. The "virus" attacks AV software: This is pretty sophisticated considering most AV software is protected within the system.

    3. NAV picked up one of the recent attempts to infect: If NAV picked it up on anything but the "Bloodhound Technology" then it is a known virus.

    This all points to this person simply sending out a known virus and your users not having appropriately updated AV software. This is hardly unusual no matter how much they protest that it is.

    You are in the classic situation of providing a _public_ service and having a malcontent screwing with you. You could block all the AOL netblocks but that will both kill your current users that come from AOL and it will not stop your little malcontent because he may be using someone else's computer as a zombie to enter through AOL... He could be on any ISP in the world - he could be using his local library....

    Your only real course of action is to point out that hedgehog care does not require the transmittal of files - especially executables - between the users and as such _any_ file sent by anyone on the board must be considered suspect and deleted without opening it.

    By the simple nature of the system you run you cannot stop him unless you can get him arrested. Since it will be extremely difficult for you to be able to show greater than $5000 loss to any individual or to the board itself law enforcement probably won't help you - unless you have a hedgehog keeping LEO on the board that would go to bat for you and convince someone that the aggregate cost exceeds $5000 - then you might be able to get them involved and track him for you....

    I'm afraid that no matter how much information you show us here it is really not feasible for anyone here to be able to help you with the lag time in messages, (real time would be needed).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #35
    Junior Member
    Join Date
    May 2005
    Posts
    13
    Hi Tiger Shark,

    <sigh> That's what I had figured...kinda like teens who steal all the straws/napkins at McDonalds...until you (1) catch them doing it and (2) prove it's valued at $X...not a damned thing you can do but refill the straw/napkin dispensers.

    What I was really hoping to find out is if he was on a small enough ISP to call. AOHell isn't going to be of help (and thanks for that ph#...just not the right amount of damages here). There's 4 of us who are in essence stalking all newbies on our board to make sure they behave. At some point, I feel "ok" about them and quit "moderating" their posts. The thing is, he's keeping his ID close, and posting very little (if at all).

    It's the attacks via IM (AIM, MSMessenger, Yahoo!) that have us concerned. He's sniping certain members, and then sending viri via a chat window. And that there's a common thread: all members of CnQ who have gone head-to-head with the original 2 IDs (hitoll and hedgiemommie). I guess I'm wanting to lash out in frustration after 3+ weeks of this hell.

  6. #36
    They call me the Hunted
    foxyloxley
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    This all points to this person simply sending out a known virus and your users not having appropriately updated AV software. This is hardly unusual no matter how much they protest that it is.
    any chance of 'capturing' the attachment [forward the mail] to someone here [volunteers] to take a look at it, to prove Tiger~'s thoughts?

    OR
    get someone who receives one to forward the mail to YOU ......... run full A/V against it to see what the beastie is.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  7. #37
    Junior Member
    Join Date
    May 2005
    Posts
    13
    I could be game...but with Starband.net as my provider, they are trapping anything coming through before I even see it. And my alternate accounts are on gmail...I'm sure they are just making viri mail disappear.

    Hmmmmmmmm, let me see if anyone's in a position to victimize me.

  8. #38
    Junior Member
    Join Date
    May 2005
    Posts
    13

    Details from one of my staff....

    Hi Sandra

    My first one was from thehedgesbandb@aol.com. It was titled jokes and said
    something like here's some jokes. It gave me the W32/Mitglieder.cg virus.

    This one is called Morphine. It gave me 5 different things.

    thehedgieden@hotmail. com->(morphine)
    cmdrun.exe ->(Morphine)

    No spaces in either of them and my virus program can't remove them but says it has
    stopped them from accessing my computer.

    The other 3 are security risks.

    MediaAcc.dll -> (UPX) named W32/Windu.F

    MediaAccess.exe ->(UPX) same name as above W32/Windu.F

    MediaAcck.exe ->(UPX) Security risk W32/Windu.D

    The virus program deleted them.

    This second one came over msn from a Chad Cortese who is TucknRoll on here. Chad
    hasn't got hedgies, I have his, so he doesn't come on anymore but I wonder if this
    is coincidence that it came from another CnQ member. Ok, I'm getting paranoid.
    lol

    We went to the computer store where we got the computer and the guy there looked up
    the two top ones and said they are nasty and partly undetectable which is why the
    virus program can't delete them.

    My husband went on some sites and they said they are low risk and easily removed.
    Ya right, that's why I can't remove them. ARGHHHHH

    It would be interesting to know which one Tawana got as she must be having real
    problems.

    I was talking to Blueberrybuds, Yeah I know unbelievable, lol. She said she is
    having weird issues with her computer. She also said Hitol has told her he is
    badmouthing her all over.

    If I think of anything else I'll let you know.
    Nancy

  9. #39
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have the horrible feeling that this isn't so much an attack as a viral infection amongst the members of the group....

    Can you give any evidence to the contrary?

  10. #40
    They call me the Hunted
    foxyloxley
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    a viral infection

    Are you thinking that there WAS an infection, and it has just STAYED,
    posting itself around the forum?

    catching out members, never been caught AND sanitised?
