From: Dave U. Random on 17 May 2010 11:07 ((How many priceless pic and other personal files did this sociopathic monster destroy of innocent computer users? Oh, gee, I forgot again. Raid/Dustin Cook doesn't believe in innocence in anyone. See, that's how a truly evil sociopath thinks. They simply cannot believe that everyone is not filled with as much hateful filth as are they.) http://www.f-secure.com/v-descs/irok.shtml F-Secure Virus Descriptions : Irok NAME: Irok ALIAS: I-Worm.Irok, HLLP.Irok, Irok.Trojan.Worm SIZE: 10001 Irok is a virus-worm created by RaiD/SLAM which spreads via IRC and Microsoft Outlook. The worm is 10001 bytes long DOS-based program that is heavily packed and encrypted with a protective envelope that uses anti-debugging tricks. When run, the worm copies itself to C:\Windows\System\ and C:\Mirc\ folders as IROK.EXE and drops WINRDE.DLL to the \Windows\System\ folder. This file is not a Windows DLL, it is a data file. The worm also replaces SCRIPT.INI file in the C:\Mirc\ folder with its own script that sends the IROK.EXE file to everyone on the IRC channel to which the infected user joins. The worm finally drops a Visual Basic script file IROKRUN.VBS to the Windows Startup directory. This script will be executed next time the system is restarted. During the next Windows startup, the IROKRUN.VBS script will be executed. It uses Microsoft Outlook to send the worm executable as IROK.EXE to 60 recipients whose addresses are taken from each of Outlook's address books. The message in which the worm spreads itself looks like this: Subject: I thought you might like to see this. Body: I thought you might like this. I got it from paramount pictures website. It's a startrek screen saver. After every message is sent they are removed from the 'Sent Items' folder. Finally the script file is removed from the Windows Startup directory. At the same time Irok is a non-resident virus, which scans directories listed in PATH= variable for COM and EXE files and then infects them. The virus is a very fast infector. It can infect up to 80 files at a time. The virus is relocating type - it writes itself to the start of the file and relocates the original 10kb of the file to the end. The relocated part is encrypted. Infected files grow 10kb in size. In some cases the virus can corrupt host programs. The virus has a bug and it does not supply command line options to the host program correctly, so every program that operates with command line parameters will work incorrectly after infection. The virus avoids infecting files that have extensions and/or their names start with one of the following: dll spa man drv scr krnl 386 msc com exp mou gw go sta use gdi con The virus also deletes the following files: anti-vir.dat chklist.ms chklist.cps vs.vsn ivb.ntz When internal counters of the virus reach certain values, the virus displays a message on the screen. Most of this message is taken from lyrics of the song 'Aenema' by the band called 'Tool'. We will not reproduce the message here as the song seriously needs the Parental Advisory sticker for explicit lyrics. The message ends with this text: ... People cry and people moan. look for a dry place to call their own, look for a dry place to rest there bones. Thanks for reading the text above, I've had enough time to remove the contents of your hard disk for you. :-) IRoK v1.1 - RaiD/SLAM[2000] And indeed, the virus has corrupted files on the hard drive during this event. The virus also has several internal text strings: IRoK v1.1 is initializing... Ok! Hey You! <----------- >>> Push enter stupid! RaiD/SLAM[2000] The Irok virus-worm will not spread itself via Outlook if Windows Scripting Host is not installed on the infected system. The worm will not work if Windows is installed in some other directory than C:\Windows\ and it will not spread itself via IRC if mIRC is installed in a directory other than C:\Mirc\. Regardless of software installed, the worm will infect COM and EXE files on the system it infects.
From: Peter Foldes on 17 May 2010 12:36 Aha. A new name. Why did you change it Chris. We were just getting to know you better -- Peter Please Reply to Newsgroup for the benefit of others Requests for assistance by email can not and will not be acknowledged. http://www.microsoft.com/protect "Dave U. Random" <anonymous(a)anonymitaet-im-inter.net> wrote in message news:e37355ef7d47f406144925c96c166982(a)anonymitaet-im-inter.net... > ((How many priceless pic and other personal files did this sociopathic > monster destroy of innocent computer users? Oh, gee, I forgot again. > Raid/Dustin Cook doesn't believe in innocence in anyone. See, that's how > a truly evil sociopath thinks. They simply cannot believe that everyone > is not filled with as much hateful filth as are they.) > > http://www.f-secure.com/v-descs/irok.shtml > > F-Secure Virus Descriptions : Irok > > NAME: Irok > ALIAS: I-Worm.Irok, HLLP.Irok, Irok.Trojan.Worm > SIZE: 10001 > > Irok is a virus-worm created by RaiD/SLAM which spreads via IRC and > Microsoft Outlook. The worm is 10001 bytes long DOS-based program that > is heavily packed and encrypted with a protective envelope that uses > anti-debugging tricks. > > When run, the worm copies itself to C:\Windows\System\ and C:\Mirc\ > folders as IROK.EXE and drops WINRDE.DLL to the \Windows\System\ folder. > This file is not a Windows DLL, it is a data file. The worm also > replaces SCRIPT.INI file in the C:\Mirc\ folder with its own script that > sends the IROK.EXE file to everyone on the IRC channel to which the > infected user joins. The worm finally drops a Visual Basic script file > IROKRUN.VBS to the Windows Startup directory. This script will be > executed next time the system is restarted. > > During the next Windows startup, the IROKRUN.VBS script will be > executed. It uses Microsoft Outlook to send the worm executable as > IROK.EXE to 60 recipients whose addresses are taken from each of > Outlook's address books. > > The message in which the worm spreads itself looks like this: > > Subject: I thought you might like to see this. > > Body: I thought you might like this. I got it from paramount pictures > website. It's a startrek screen saver. > > After every message is sent they are removed from the 'Sent Items' > folder. Finally the script file is removed from the Windows Startup > directory. > > At the same time Irok is a non-resident virus, which scans directories > listed in PATH= variable for COM and EXE files and then infects them. > The virus is a very fast infector. It can infect up to 80 files at a > time. The virus is relocating type - it writes itself to the start of > the file and relocates the original 10kb of the file to the end. The > relocated part is encrypted. Infected files grow 10kb in size. > > In some cases the virus can corrupt host programs. The virus has a bug > and it does not supply command line options to the host program > correctly, so every program that operates with command line parameters > will work incorrectly after infection. > > The virus avoids infecting files that have extensions and/or their names > start with one of the following: > > dll spa man drv scr krnl 386 msc com exp mou gw go sta use gdi con > > The virus also deletes the following files: > > anti-vir.dat chklist.ms chklist.cps vs.vsn ivb.ntz > > When internal counters of the virus reach certain values, the virus > displays a message on the screen. Most of this message is taken from > lyrics of the song 'Aenema' by the band called 'Tool'. We will not > reproduce the message here as the song seriously needs the Parental > Advisory sticker for explicit lyrics. > > The message ends with this text: > > ... > People cry and people moan. look for a dry place to call their > own, look for a dry place to rest there bones. > > Thanks for reading the text above, I've had enough time to > remove the contents of your hard disk for you. :-) > > IRoK v1.1 - RaiD/SLAM[2000] > > And indeed, the virus has corrupted files on the hard drive during this > event. > > The virus also has several internal text strings: > > IRoK v1.1 is initializing... Ok! > Hey You! <----------- >>> Push enter stupid! > RaiD/SLAM[2000] > > The Irok virus-worm will not spread itself via Outlook if Windows > Scripting Host is not installed on the infected system. The worm will > not work if Windows is installed in some other directory than > C:\Windows\ and it will not spread itself via IRC if mIRC is installed > in a directory other than C:\Mirc\. Regardless of software installed, > the worm will infect COM and EXE files on the system it infects. >
|
Pages: 1 Prev: Raid Threatens To Kill - A Text Book Sociopath Next: Raid/Dustin Cook's fame is spreads |