From: John Slade on 2 Aug 2010 14:06

On 8/1/2010 7:13 PM, David H. Lipman wrote:
> From: "FromTheRafters" <erratic @nomail.afraid.org>
>
> | "John Slade" <hhitman86(a)pacbell.net> wrote in message
> | news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> | [...]
>
>>>>> I don't know why you would find it funny because a virus writer will use
>>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>>> every folder in "system volume information"?
>
>>> I didn't know Dustin Cook existed until he responded for you. But I've
>>> been reading some in alt.comp.viruses and I find it well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I said
>>> happened is indeed possible.
>
> | Because he understands true viruses, he knows that they don't need to hide
> | themselves in folders.
>
> | I don't think he would have said what he said if you had said worms, or
> | malware, instead of viruses.
>
> | Some malware sorta infests the "System Volume Information" folder - what
> | actually happens is that when the AV requests deletion of a detected malware
> | file, the OS makes a copy and stores it there just in case you didn't
> | *really* want it deleted.
>
>
> It doesn't really have to do with an anti-malware application deleting a file. That's the
> Recycle Bin, and only the OS Shell (explorer) will place the files in the Recycle Bin.
>
> In this case the OS will take executable binaries and other OS related files and place
> copies in the System Restore Cache. All I have to do is download an EXE or DLL and it
> will be in the cache and reference the location of where it was in the OS. And it doesn't
> really infest the "System Volume Information\_restore" folder. It lays dormant in there
> until the user decides to restore a break point. Then it will take the executable binary
> and other OS related files and place them back in the original location thus reviving them
> from dormancy. However malware is not known to "hide" itself in "System Volume
> Information" while operating within the OS.
>

As far as you know, no malware writer used that method. Nobody knows everything.

John
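As an added, defender-side example (not code posted by anyone in this thread), the mechanism Lipman describes above, System Restore keeping dormant copies of executables under "System Volume Information\_restore", suggests a triage step: inventory and hash what the restore points hold before deciding whether to purge them. The `_restore{GUID}\RPnnn` folder layout and the `A00xxxxx.ext` cached file names are assumptions about the XP-era cache, and the directory tree the script walks is constructed inside it, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable-type files (assumed list, not from the thread).
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory_restore_cache(svi_root):
    """Walk every _restore*/RP* folder below a System Volume Information
    root and return (restore_point, cached_name, sha256) for each file
    with an executable-type extension found there. Read-only: nothing is
    deleted, so the result can be reviewed before any cleanup decision."""
    rows = []
    for restore_dir in sorted(Path(svi_root).glob("_restore*")):
        for rp in sorted(restore_dir.glob("RP*")):
            for f in sorted(rp.iterdir()):
                if f.is_file() and f.suffix.lower() in EXEC_SUFFIXES:
                    rows.append((rp.name, f.name, sha256_hex(f.read_bytes())))
    return rows


def flag_known_bad(rows, bad_hashes):
    """Keep only cached copies whose hash is in a known-bad set, e.g. the
    hashes of samples already removed from their live locations."""
    return [r for r in rows if r[2] in bad_hashes]


def build_sample_tree():
    """Constructed stand-in for a restore cache (not a real one): one
    restore point holding a cached EXE, a cached DLL and a change log."""
    svi = Path(tempfile.mkdtemp()) / "System Volume Information"
    rp = svi / "_restore{00000000-0000-0000-0000-000000000000}" / "RP12"
    rp.mkdir(parents=True)
    (rp / "A0001234.exe").write_bytes(b"MZ-constructed-sample")
    (rp / "A0001235.dll").write_bytes(b"MZ-constructed-dll")
    (rp / "change.log").write_bytes(b"not an executable")
    return svi


if __name__ == "__main__":
    rows = inventory_restore_cache(build_sample_tree())
    for rp_name, name, digest in rows:
        print(rp_name, name, digest)
    # Treat the first cached copy as "known bad" for the demonstration.
    print(flag_known_bad(rows, {rows[0][2]}))
```

Pointing `inventory_restore_cache` at a mounted volume's System Volume Information folder (which needs elevated rights on a live system) gives a hash list that can be compared against what the AV already removed, instead of deleting all restore points blind.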
From: Dustin on 2 Aug 2010 14:27

John Slade <hhitman86(a)pacbell.net> wrote in
news:8ND5o.33941$o27.31443(a)newsfe08.iad:

> On 8/1/2010 6:57 PM, FromTheRafters wrote:
>> "John Slade" <hhitman86(a)pacbell.net> wrote in message
>> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>>
>> [...]
>>
>>>>> I don't know why you would find it funny because a virus writer
>>>>> will use anything to hide a virus. What smarter way is to hide
>>>>> them in each and every folder in "system volume information"?
>>
>>> I didn't know Dustin Cook existed until he responded for you.
>>> But I've been reading some in alt.comp.viruses and I find it
>>> well...interesting... If he wrote viruses then he more than anyone
>>> should know that what I said happened is indeed possible.
>>
>> Because he understands true viruses, he knows that they don't need
>> to hide themselves in folders.
>>
>> I don't think he would have said what he said if you had said
>> worms, or malware, instead of viruses.
>
> Well "virus" is a generic term these days. I was talking
> about worms and/or trojans, I was using "virus" as a generic
> term. I guess that clears it up.

Virus isn't a generic term, then or now. As a professional, I think it
unwise of you to generalize what might be ailing the patient.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: David H. Lipman on 2 Aug 2010 14:57

From: "John Slade" <hhitman86(a)pacbell.net>

| On 8/1/2010 6:57 PM, FromTheRafters wrote:
>> "John Slade" <hhitman86(a)pacbell.net> wrote in message
>> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>> [...]
>>>>> I don't know why you would find it funny because a virus writer will use
>>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>>> every folder in "system volume information"?
>>> I didn't know Dustin Cook existed until he responded for you. But I've
>>> been reading some in alt.comp.viruses and I find it well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I said
>>> happened is indeed possible.
>> Because he understands true viruses, he knows that they don't need to hide
>> themselves in folders.
>> I don't think he would have said what he said if you had said worms, or
>> malware, instead of viruses.

| Well "virus" is a generic term these days. I was talking
| about worms and/or trojans, I was using "virus" as a generic
| term. I guess that clears it up.

The term "malware" is generic. The term "virus" is quite specific.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: David H. Lipman on 2 Aug 2010 15:15

From: "John Slade" <hhitman86(a)pacbell.net>

| That's all well and good but as you know there are strains
| of trojans and worms that are unknown. It may or may not have
| been Virtumonde or a version of it, it very well may have been
| some other malware that dropped Virtumonde. I'm sure you know
| there is malware out there that will drop multiple trojans and
| worms on a system. But whatever it was, I was never afraid to do
| what it took to get rid of it. That's why I make a backup before
| I clean badly infected systems.

| I can tell you this, after I got rid of all the system
| restore points, some malware looked for files in the restore
| folders and couldn't find them. I got the popup saying the files
| were not found in that directory. I did a final scan and when I
| removed the malware this time it stayed gone. The system ran
| with no problems until the teenager put something else on it
| months later.

I agree, there are "...strains of trojans and worms that are unknown." However there is a
relatively finite capability that they employ. Usually one repeats the success of another
and builds upon that success. What becomes new is not what they do within the file system,
it is what they do in the Registry or employing different programming techniques and
Kernel constructs.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: FromTheRafters on 2 Aug 2010 17:44
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:TOD5o.33942$o27.7240(a)newsfe08.iad...
> On 8/1/2010 7:13 PM, David H. Lipman wrote:
>> From: "FromTheRafters" <erratic @nomail.afraid.org>
>>
>> | "John Slade" <hhitman86(a)pacbell.net> wrote in message
>> | news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>>
>> | [...]
>>
>>>>>> I don't know why you would find it funny because a virus writer
>>>>>> will use anything to hide a virus. What smarter way is to hide
>>>>>> them in each and every folder in "system volume information"?
>>
>>>> I didn't know Dustin Cook existed until he responded for you.
>>>> But I've been reading some in alt.comp.viruses and I find it
>>>> well...interesting...
>>>> If he wrote viruses then he more than anyone should know that what
>>>> I said happened is indeed possible.
>>
>> | Because he understands true viruses, he knows that they don't need
>> | to hide themselves in folders.
>>
>> | I don't think he would have said what he said if you had said
>> | worms, or malware, instead of viruses.
>>
>> | Some malware sorta infests the "System Volume Information" folder -
>> | what actually happens is that when the AV requests deletion of a
>> | detected malware file, the OS makes a copy and stores it there just
>> | in case you didn't *really* want it deleted.
>>
>>
>> It doesn't really have to do with an anti-malware application
>> deleting a file. That's the Recycle Bin, and only the OS Shell
>> (explorer) will place the files in the Recycle Bin.
>>
>> In this case the OS will take executable binaries and other OS
>> related files and place copies in the System Restore Cache. All I
>> have to do is download an EXE or DLL and it will be in the cache and
>> reference the location of where it was in the OS. And it doesn't
>> really infest the "System Volume Information\_restore" folder. It
>> lays dormant in there until the user decides to restore a break
>> point. Then it will take the executable binary and other OS related
>> files and place them back in the original location thus reviving
>> them from dormancy. However malware is not known to "hide" itself in
>> "System Volume Information" while operating within the OS.
>>
>
> As far as you know, no malware writer used that method. Nobody
> knows everything.

Now, you're just being silly.