From: John Slade on 1 Aug 2010 00:09

On 7/31/2010 4:21 PM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>
>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>
>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>
>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>
>
>> You should know there is malware out there that will
>> trash the registry and its backup. It will require some sort of
>> reinstall to get the system back working. I found it very rare
>> that I need to do a full reformat and reinstall because of
>> malware. Some malware will also corrupt system files and when
>> you remove them with scanners, it will make the installation
>> unbootable. This is yet another reason professionals will make a
>> backup if possible before removing infections.
>
> What software do you use for the backup?

I will either use Acronis' or Paragon's backup software depending on the situation.

> Are you storing the backup on
> read only media or a hard drive that could fail for any reason?

You mean WORM (Write Once/Read Many) media, don't you? That media can fail also. No media is perfect. I store the backup on business or enterprise grade HDs and will transfer to other media if the customer wants that backup. If it's a large backup they will have to pay me for it. Tell me what software and hardware would you use to back up your customer's HD before you start removing malware?

>
>> I know there are a lot of fly-by-night computer repair
>> people who are just there to do a quick fix and get paid, I find
>> myself cleaning up after a lot of them.
>
> I've encountered a few of those in my time as well.... I enjoy the work
> they provide me tho.

Me too. I especially get a kick out of the ones who don't do backups and leave various screws out.

> Tell me something, John, as a PROFESSIONAL, have
> you written any of the tools you use for cleanup; or do you use the
> work others have written, such as myself, David lipman and many others?
>

For the record, I'm not trying to get into some pissing contest. I was just making a suggestion as to how to fix the problem laid out in the OP.

I use software others have written. I'm not a software engineer. I'm a professional computer repair person. I find that competence in one profession such as software engineering doesn't translate into something else like tech support. I've been repairing computers for close to 25 years and have learned a lot. One thing I've learned is a backup saves a lot of trouble and allows for different approaches to be tried.

So tell me what products have you and David Lipman written and where can I check them out?

John
From: Dustin on 1 Aug 2010 11:24

John Slade <hhitman86(a)pacbell.net> wrote in
news:i32s10$653$1(a)news.eternal-september.org:

> On 7/31/2010 4:21 PM, Dustin wrote:
>> John Slade<hhitman86(a)pacbell.net> wrote in
>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>
>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>
>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>
>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>
>>
>>> You should know there is malware out there that will
>>> trash the registry and its backup. It will require some sort of
>>> reinstall to get the system back working. I found it very rare
>>> that I need to do a full reformat and reinstall because of
>>> malware. Some malware will also corrupt system files and when
>>> you remove them with scanners, it will make the installation
>>> unbootable. This is yet another reason professionals will make a
>>> backup if possible before removing infections.
>>
>> What software do you use for the backup?
>
> I will either use Acronis' or Paragon's backup software
> depending on the situation.
>
>> Are you storing the backup on
>> read only media or a hard drive that could fail for any reason?
>
> You mean WORM (Write Once/Read Many) media, don't you? That
> media can fail also. No media is perfect. I store the backup on
> business or enterprise grade HDs and will transfer to other
> media if the customer wants that backup. If it's a large backup
> they will have to pay me for it. Tell me what software and
> hardware would you use to back up your customer's HD before you
> start removing malware?

I haven't heard the acronym WORM in years... Damn, you have been around a long time. :) I was thinking of cd-r or perhaps dvd-r material.

It depends. When I was working at a computer shop, I'd either use norton ghost corp edition or the hardware drive cloning device we had at the time.

I really didn't see much point in cloning a malware drive for malware removal; I wasn't stupid enough to trash my backups of the registry or important files. Besides, I wrote several utilities to assist me in verifying various windows dll/exe files were still intact and okay for reuse.

We would typically reserve cloning drives for hardware failure signs. Although, a customer could have us clone a drive for a malware issue if they so desired. By default, we always copied docs, favorites, emails etc before doing anything... But, you know, different places have different policies.

Why do you spend the additional time to clone an entire drive for a malware removal job?

>>
>>> I know there are a lot of fly-by-night computer repair
>>> people who are just there to do a quick fix and get paid, I find
>>> myself cleaning up after a lot of them.
>>
>> I've encountered a few of those in my time as well.... I enjoy the
>> work they provide me tho.
>
> Me too. I especially get a kick out of the ones who don't
> do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

>> Tell me something, John, as a PROFESSIONAL, have
>> you written any of the tools you use for cleanup; or do you use the
>> work others have written, such as myself, David lipman and many
>> others?
>>
>
> For the record, I'm not trying to get into some pissing
> contest. I was just making a suggestion as to how to fix the
> problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass towards David, from my POV. I didn't personally see any need in doing that. We can all be professional and civil here.

> I use software others have written. I'm not a software
> engineer. I'm a professional computer repair person. I find that
> competence in one profession such as software engineering
> doesn't translate into something else like tech support. I've
> been repairing computers for close to 25 years and have learned
> a lot. One thing I've learned is a backup saves a lot of trouble
> and allows for different approaches to be tried.

Well, a backup is a good way of having an escape route should something go wrong. :) From a software aspect tho, I haven't really encountered much malware that would justify the time I spent on imaging the drive first. I wasn't in charge of billing tho, so that may have played a part in that.

> So tell me what products have you and David Lipman
> written and where can I check them out?

I've written all kinds of old utility style apps, as you've been around so long you might know a few of them.. Cmoscon, encode, delock, and various others. If you're into crypto/security, you might even know the old dos file/freespace wiping app called NuKE and/or possibly CryptX.

In more recent times, I developed an antimalware scanner (that's why I found your description on how they worked amusing. hehehe) called BugHunter. I did a stint as a malware researcher for an app called Malwarebytes antimalware.. Like yourself, I've been repairing pcs professionally for over 15 years now; you have ten years on me, but I have programming skills on you. *g*.

--
"I like your Christ. I don't like your Christians. They are so unlike your Christ." - author unknown.
From: John Slade on 1 Aug 2010 15:17

On 8/1/2010 8:24 AM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:i32s10$653$1(a)news.eternal-september.org:
>
>> On 7/31/2010 4:21 PM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>
>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>
>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>
>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>
>>
>>>> You should know there is malware out there that will
>>>> trash the registry and its backup. It will require some sort of
>>>> reinstall to get the system back working. I found it very rare
>>>> that I need to do a full reformat and reinstall because of
>>>> malware. Some malware will also corrupt system files and when
>>>> you remove them with scanners, it will make the installation
>>>> unbootable. This is yet another reason professionals will make a
>>>> backup if possible before removing infections.
>>>
>>> What software do you use for the backup?
>>
>> I will either use Acronis' or Paragon's backup software
>> depending on the situation.
>>
>>> Are you storing the backup on
>>> read only media or a hard drive that could fail for any reason?
>>
>> You mean WORM (Write Once/Read Many) media, don't you? That
>> media can fail also. No media is perfect. I store the backup on
>> business or enterprise grade HDs and will transfer to other
>> media if the customer wants that backup. If it's a large backup
>> they will have to pay me for it. Tell me what software and
>> hardware would you use to back up your customer's HD before you
>> start removing malware?
>
> I haven't heard the acronym WORM in years... Damn, you have been around
> a long time. :) I was thinking of cd-r or perhaps dvd-r material.

It would be OK for DVD-R if the backup is small. But swapping 20 or more DVDs is a pain.

>
> It depends. When I was working at a computer shop, I'd either use
> norton ghost corp edition or the hardware drive cloning device we had
> at the time.

I rarely use Ghost these days; it used to be the only thing I ever used.

> I really didn't see much point in cloning a malware drive
> for malware removal; I wasn't stupid enough to trash my backups of the
> registry or important files. Besides, I wrote several utilities to
> assist me in verifying various windows dll/exe files were still intact
> and okay for reuse.
>

Yeah, that's good for you, but when you're working for someone else and they have important data they want to save, I will back up. Most of the time the customer doesn't have a backup. A lot of times the customer has a HD that's five or six years old and they really need a backup done. Then there are the times when I'm working for a young person and they don't want a backup; they just want the drive wiped and they want the OS installed.

> We would typically reserve cloning drives for hardware failure signs.
> Although, a customer could have us clone a drive for a malware issue if
> they so desired. By default, we always copied docs, favorites, emails
> etc before doing anything... But, you know, different places have
> different policies.

I work mostly with home users and small businesses and a lot of times they have personal stuff they want to save. So I'll do a quick backup of that data and then I'll do the full backup. Sometimes they just want a reinstall. There are times when they tell me not to back up because the data isn't important. In David's response he seems worried about saving data, so I wondered why he wouldn't back up.

>
> Why do you spend the additional time to clone an entire drive for a
> malware removal job?

It doesn't take that long most of the time and it's a lot safer for the user's data. In most cases it actually takes longer to install, upgrade and reinstall software for the customer. Most of the time I back up less than 150GB.

>
>>>
>>>> I know there are a lot of fly-by-night computer repair
>>>> people who are just there to do a quick fix and get paid, I find
>>>> myself cleaning up after a lot of them.
>>>
>>> I've encountered a few of those in my time as well.... I enjoy the
>>> work they provide me tho.
>>
>> Me too. I especially get a kick out of the ones who don't
>> do backups and leave various screws out.
>
> Or, use the wrong screws and strip one of the drives :)
>
>>> Tell me something, John, as a PROFESSIONAL, have
>>> you written any of the tools you use for cleanup; or do you use the
>>> work others have written, such as myself, David lipman and many
>>> others?
>>>
>>
>> For the record, I'm not trying to get into some pissing
>> contest. I was just making a suggestion as to how to fix the
>> problem laid out in the OP.
>
> I understand. It just seemed as if you were being a wiseass towards
> David, from my POV. I didn't personally see any need in doing that. We
> can all be professional and civil here.

David was being a wiseass himself and I can understand why he didn't respond. He seemed worried about losing data by simply removing the system restore points, so I naturally wondered why; a backup can solve this problem. I guess he realized it was a good idea so then he got snippy.

>
>> I use software others have written. I'm not a software
>> engineer. I'm a professional computer repair person. I find that
>> competence in one profession such as software engineering
>> doesn't translate into something else like tech support. I've
>> been repairing computers for close to 25 years and have learned
>> a lot. One thing I've learned is a backup saves a lot of trouble
>> and allows for different approaches to be tried.
>
> Well, a backup is a good way of having an escape route should something
> go wrong. :) From a software aspect tho, I haven't really encountered
> much malware that would justify the time I spent on imaging the drive
> first. I wasn't in charge of billing tho, so that may have played a
> part in that.

I don't work for any company; I work freelance. Like I said, most backups are small and usually take from 20 minutes to a couple of hours. I don't charge by the hour; I charge by the job.

>
>> So tell me what products have you and David Lipman
>> written and where can I check them out?
>
> I've written all kinds of old utility style apps, as you've been around
> so long you might know a few of them.. Cmoscon, encode, delock, and
> various others. If you're into crypto/security, you might even know the
> old dos file/freespace wiping app called NuKE and/or possibly CryptX.
>

I've heard of some of those.

> In more recent times, I developed an antimalware scanner (that's why I
> found your description on how they worked amusing. hehehe) called
> BugHunter. I did a stint as a malware researcher for an app called
> Malwarebytes antimalware..
>

I don't know why you would find it funny, because a virus writer will use anything to hide a virus. What smarter way is there than to hide them in each and every folder in "System Volume Information"? I do believe that what the system had was a variant of the Virtumonde trojan. If you did research on malware then you know virus writers will take existing malware and modify it. I found one thing to be true in the world of malware: NOBODY knows everything about every malware variant out there. You can believe me or not, it doesn't matter.

John
From: ~BD~ on 1 Aug 2010 17:46

John Slade wrote:
> On 8/1/2010 8:24 AM, Dustin wrote:
>> John Slade<hhitman86(a)pacbell.net> wrote in
>> news:i32s10$653$1(a)news.eternal-september.org:
>>
>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>
>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>
>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>
>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>
>>>
>>>>> You should know there is malware out there that will
>>>>> trash the registry and its backup. It will require some sort of
>>>>> reinstall to get the system back working. I found it very rare
>>>>> that I need to do a full reformat and reinstall because of
>>>>> malware. Some malware will also corrupt system files and when
>>>>> you remove them with scanners, it will make the installation
>>>>> unbootable. This is yet another reason professionals will make a
>>>>> backup if possible before removing infections.
>>>>
>>>> What software do you use for the backup?
>>>
>>> I will either use Acronis' or Paragon's backup software
>>> depending on the situation.
>>>
>>>> Are you storing the backup on
>>>> read only media or a hard drive that could fail for any reason?
>>>
>>> You mean WORM (Write Once/Read Many) media, don't you? That
>>> media can fail also. No media is perfect. I store the backup on
>>> business or enterprise grade HDs and will transfer to other
>>> media if the customer wants that backup. If it's a large backup
>>> they will have to pay me for it. Tell me what software and
>>> hardware would you use to back up your customer's HD before you
>>> start removing malware?
>>
>> I haven't heard the acronym WORM in years... Damn, you have been around
>> a long time. :) I was thinking of cd-r or perhaps dvd-r material.
>
> It would be OK for DVD-R if the backup is small. But swapping 20 or more
> DVDs is a pain.
>
>>
>> It depends. When I was working at a computer shop, I'd either use
>> norton ghost corp edition or the hardware drive cloning device we had
>> at the time.
>
> I rarely use Ghost these days; it used to be the only thing I ever used.
>
>
>> I really didn't see much point in cloning a malware drive
>> for malware removal; I wasn't stupid enough to trash my backups of the
>> registry or important files. Besides, I wrote several utilities to
>> assist me in verifying various windows dll/exe files were still intact
>> and okay for reuse.
>>
>
> Yeah, that's good for you, but when you're working for someone else and
> they have important data they want to save, I will back up. Most of the
> time the customer doesn't have a backup. A lot of times the customer has
> a HD that's five or six years old and they really need a backup done.
> Then there are the times when I'm working for a young person and they
> don't want a backup; they just want the drive wiped and they want the OS
> installed.
>
>> We would typically reserve cloning drives for hardware failure signs.
>> Although, a customer could have us clone a drive for a malware issue if
>> they so desired. By default, we always copied docs, favorites, emails
>> etc before doing anything... But, you know, different places have
>> different policies.
>
> I work mostly with home users and small businesses and a lot of times
> they have personal stuff they want to save. So I'll do a quick backup of
> that data and then I'll do the full backup. Sometimes they just want a
> reinstall. There are times when they tell me not to back up because the
> data isn't important. In David's response he seems worried about saving
> data, so I wondered why he wouldn't back up.
>
>>
>> Why do you spend the additional time to clone an entire drive for a
>> malware removal job?
>
> It doesn't take that long most of the time and it's a lot safer for the
> user's data. In most cases it actually takes longer to install, upgrade
> and reinstall software for the customer. Most of the time I back up less
> than 150GB.
>
>>
>>>>
>>>>> I know there are a lot of fly-by-night computer repair
>>>>> people who are just there to do a quick fix and get paid, I find
>>>>> myself cleaning up after a lot of them.
>>>>
>>>> I've encountered a few of those in my time as well.... I enjoy the
>>>> work they provide me tho.
>>>
>>> Me too. I especially get a kick out of the ones who don't
>>> do backups and leave various screws out.
>>
>> Or, use the wrong screws and strip one of the drives :)
>>
>>>> Tell me something, John, as a PROFESSIONAL, have
>>>> you written any of the tools you use for cleanup; or do you use the
>>>> work others have written, such as myself, David lipman and many
>>>> others?
>>>>
>>>
>>> For the record, I'm not trying to get into some pissing
>>> contest. I was just making a suggestion as to how to fix the
>>> problem laid out in the OP.
>>
>> I understand. It just seemed as if you were being a wiseass towards
>> David, from my POV. I didn't personally see any need in doing that. We
>> can all be professional and civil here.
>
> David was being a wiseass himself and I can understand why he didn't
> respond. He seemed worried about losing data by simply removing the
> system restore points, so I naturally wondered why; a backup can solve
> this problem. I guess he realized it was a good idea so then he got snippy.
>
>>
>>> I use software others have written. I'm not a software
>>> engineer. I'm a professional computer repair person. I find that
>>> competence in one profession such as software engineering
>>> doesn't translate into something else like tech support. I've
>>> been repairing computers for close to 25 years and have learned
>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>> and allows for different approaches to be tried.
>>
>> Well, a backup is a good way of having an escape route should something
>> go wrong. :) From a software aspect tho, I haven't really encountered
>> much malware that would justify the time I spent on imaging the drive
>> first. I wasn't in charge of billing tho, so that may have played a
>> part in that.
>
> I don't work for any company; I work freelance. Like I said, most backups
> are small and usually take from 20 minutes to a couple of hours. I don't
> charge by the hour; I charge by the job.
>
>>
>>> So tell me what products have you and David Lipman
>>> written and where can I check them out?
>>
>> I've written all kinds of old utility style apps, as you've been around
>> so long you might know a few of them.. Cmoscon, encode, delock, and
>> various others. If you're into crypto/security, you might even know the
>> old dos file/freespace wiping app called NuKE and/or possibly CryptX.
>>
>
> I've heard of some of those.
>
>> In more recent times, I developed an antimalware scanner (that's why I
>> found your description on how they worked amusing. hehehe) called
>> BugHunter. I did a stint as a malware researcher for an app called
>> Malwarebytes antimalware..
>>
>
> I don't know why you would find it funny, because a virus writer will use
> anything to hide a virus. What smarter way is there than to hide them in
> each and every folder in "System Volume Information"? I do believe that
> what the system had was a variant of the Virtumonde trojan. If you did
> research on malware then you know virus writers will take existing
> malware and modify it. I found one thing to be true in the world of
> malware: NOBODY knows everything about every malware variant out there.
> You can believe me or not, it doesn't matter.
>
> John

You do appreciate that Dustin Cook was once a virus writer himself, don't you, John?

There is a school of thought that suggests that once a computer has been compromised, one can never be *certain* that it is clean - and that it is always best to re-install the operating system ...... on a formatted hard disk, wiping out all partitions first.

I'm just a user - but that's how I think too! ;-)

--
Dave - I've enjoyed reviewing John's posts!
From: ~BD~ on 1 Aug 2010 17:51

~BD~ forgot to add the link showing support for his view!

http://technet.microsoft.com/en-us/library/cc512587.aspx