Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Tue May 18, 2004 11:42 am Post subject: Nasty new parasite discovered.swi,nl
Hello,
I'm not quite sure where to put this, so I put it here and in the virus forum.
This has all the worst features in trojan scumware/spyware that I've seen yet. Beware!
Nasty new parasite discovered
An Israeli programmer who hangs out in SpywareInfo's chat room has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.
There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.
If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:\windows\system32\f0r0r) and the files are reinstalled as soon as the computer reboots.
The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.
This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.
You can tell if your machine is infected if you can change to c:\windows\system32\f0r0r in a DOS or CMD window with this command: cd c:\windows\system32\f0r0r (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows, and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware products detect this parasite.
If anything new is discovered, I'll let you know.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
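The post's detection step is a single "cd" into a directory that a normal listing does not show. The script below is an added example (not code from the original post or from SpywareInfo) that turns that manual step into a cross-view check: it probes the directory by exact path, then compares the result with what two independent directory enumerations return. A directory that is reachable by path but absent from the listings is the hiding behaviour the post describes. It assumes the standard System32 location and the "f0r0r" name given in the post (both are parameters so they can be changed), and it should be run from an elevated PowerShell prompt. It only reports; it does not attempt removal, since the post notes the files respawn while the parasite's processes are still running.

```powershell
# Added example, not part of the original post: cross-view check for the
# hidden f0r0r directory. Assumptions: System32 is under $env:SystemRoot and
# the directory name is exactly 'f0r0r' (zero, not "o"), as the post states.
param(
    [string]$Sys32 = (Join-Path $env:SystemRoot 'System32'),
    [string]$Name  = 'f0r0r'
)

$target = Join-Path $Sys32 $Name

# View 1: direct probe by exact path. This is the PowerShell equivalent of
# typing "cd c:\windows\system32\f0r0r" in a CMD window.
$reachable = Test-Path -LiteralPath $target -PathType Container

# View 2: enumerate the parent through the PowerShell provider, including
# hidden and system entries, and look for the name.
$listedByPS = @(Get-ChildItem -LiteralPath $Sys32 -Force -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ieq $Name }).Count -gt 0

# View 3: cmd.exe's own "dir /a /b" listing, the tool the post used.
$listedByCmd = (cmd.exe /c "dir /a /b `"$Sys32`"" 2>$null) -icontains $Name

# Summary of the three views.
[pscustomobject]@{
    Path            = $target
    ReachableByPath = $reachable
    ListedByPS      = $listedByPS
    ListedByCmd     = $listedByCmd
}

if ($reachable -and -not ($listedByPS -and $listedByCmd)) {
    Write-Warning "$target is reachable by exact path but missing from at least one directory listing: this is the hidden-directory behaviour described in the post."
    # Show what is inside, using cmd.exe since the post reports it can see the files.
    cmd.exe /c "dir /a `"$target`"" 2>$null
} elseif ($reachable) {
    Write-Warning "$target exists and is visible. Inspect its contents before deleting anything; the post notes the files reload while the parasite's processes are running."
} else {
    Write-Output "$target was not found by direct probe."
}
```

The comparison is the point, not any single listing: a hider that intercepts one enumeration API usually leaves the direct-path lookup and other enumeration paths alone, so a disagreement between the views is a stronger indicator than the presence of the directory in any one of them. The check can be pointed at other suspected names by passing a different -Name, but it only knows what the post knows; it does not identify the two resident files or the third element the post declines to name.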
CalamityKen Warrior Addict

Joined: 06 Mar 2004 Last Visit: 26 Aug 2004 Posts: 611 Location: Ont. Canada
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group