From: "FromTheRafters" erratic on 1 Aug 2010 21:57

"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

[...]

>>> I don't know why you would find it funny because a virus writer will use
>>> anything to hide a virus. What smarter way is to hide them in each and
>>> every folder in "system volume information"?

> I didn't know Dustin Cook existed until he responded for you. But I've
> been reading some in alt.comp.viruses and I find it well...interesting...
> If he wrote viruses then he more than anyone should know that what I said
> happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide themselves in folders.

I don't think he would have said what he said if you had said worms, or malware, instead of viruses.

Some malware sorta infests the "System Volume Information" folder - what actually happens is that when the AV requests deletion of a detected malware file, the OS makes a copy and stores it there just in case you didn't *really* want it deleted.
From: David H. Lipman on 1 Aug 2010 22:13

From: "FromTheRafters" <erratic @nomail.afraid.org>

| "John Slade" <hhitman86(a)pacbell.net> wrote in message
| news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

| [...]

>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?

>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.

| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.

| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.

It doesn't really have to do with an anti malware application deleting a file. That's the Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.

In this case the OS will take executable binaries and other OS related files and place copies in the System Restore Cache. All I have to do is download an EXE or DLL and it will be in the cache and reference the location of where it was in the OS. And it doesn't really infest the "System Volume Information\_restore" folder. It lays dormant in there until the user decides to restore a break point. Then it will take the executable binary and other OS related files and place them back in the original location thus reviving them from dormancy.

However malware is not known to "hide" itself in "System Volume Information" while operating within the OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
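
The System Restore cache behaviour described in the post above, as an added example that is not code from any poster in this thread: a Python inventory of the executable copies held under each restore point, with a check against known-bad SHA-256 values so a responder can see which restore points would bring a file back. The on-disk layout `_restore{GUID}\RP<n>\A<digits>.<ext>` and the function names are assumptions of this example, and the sample tree is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed XP-era layout: <root>/_restore{GUID}/RP<n>/A<digits>.<ext>
RP_DIR = re.compile(r"^RP(\d+)$", re.IGNORECASE)
CACHED = re.compile(r"^A\d+\.(exe|dll|sys|scr|ocx|com)$", re.IGNORECASE)


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_restore_cache(svi_root):
    """Return sorted (restore_point, file_name, sha256) for cached binaries."""
    found = []
    for rp in Path(svi_root).glob("_restore*/RP*"):
        m = RP_DIR.match(rp.name)
        if not (m and rp.is_dir()):
            continue
        for f in rp.iterdir():
            # change.log and snapshot data are skipped; only binaries count.
            if f.is_file() and CACHED.match(f.name):
                found.append((int(m.group(1)), f.name, sha256_of(f)))
    return sorted(found)


def restore_points_to_review(svi_root, known_bad_hashes):
    """Map restore point number -> cached files matching a known-bad hash."""
    bad = {h.lower() for h in known_bad_hashes}
    hits = {}
    for rp, name, digest in inventory_restore_cache(svi_root):
        if digest in bad:
            hits.setdefault(rp, []).append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample tree; contents are placeholders, not real binaries.
    with tempfile.TemporaryDirectory() as root:
        rp = Path(root, "_restore{CONSTRUCTED-GUID}", "RP2")
        rp.mkdir(parents=True)
        (rp / "A0000002.dll").write_bytes(b"flagged sample")
        bad = [hashlib.sha256(b"flagged sample").hexdigest()]
        print(restore_points_to_review(root, bad))
```
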
From: David Kaye on 2 Aug 2010 01:16

Please stop this nonsense already. I got the answers I needed. All you're doing is making yourselves look like fools.
From: John Slade on 2 Aug 2010 14:04

On 8/1/2010 6:57 PM, FromTheRafters wrote:
> "John Slade"<hhitman86(a)pacbell.net> wrote in message
> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> [...]
>
>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?
>
>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.
>
> Because he understands true viruses, he knows that they don't need to hide
> themselves in folders.
>
> I don't think he would have said what he said if you had said worms, or
> malware, instead of viruses.

Well "virus" is a generic term these days. I was talking about worms and/or trojans, I was using "virus" as a generic term. I guess that clears it up.

John
From: John Slade on 2 Aug 2010 14:06

On 8/1/2010 7:13 PM, David H. Lipman wrote:
> From: "FromTheRafters"<erratic @nomail.afraid.org>
>
> | "John Slade"<hhitman86(a)pacbell.net> wrote in message
> | news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>
> | [...]
>
>>>>> I don't know why you would find it funny because a virus writer will use
>>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>>> every folder in "system volume information"?
>
>>> I didn't know Dustin Cook existed until he responded for you. But I've
>>> been reading some in alt.comp.viruses and I find it well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I said
>>> happened is indeed possible.
>
> | Because he understands true viruses, he knows that they don't need to hide
> | themselves in folders.
>
> | I don't think he would have said what he said if you had said worms, or
> | malware, instead of viruses.
>
> | Some malware sorta infests the "System Volume Information" folder - what
> | actually happens is that when the AV requests deletion of a detected malware
> | file, the OS makes a copy and stores it there just in case you didn't
> | *really* want it deleted.
>
>
> It doesn't really have to do with an anti malware application deleting a file. That's the
> Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.
>
> In this case the OS will take executable binaries and other OS related files and place
> copies in the System Restore Cache. All I have to do is download an EXE or DLL and it
> will be in the cache and reference the location of where it was in the OS. And it doesn't
> really infest the "System Volume Information\_restore" folder. It lays dormant in there
> until the user decides to restore a break point. Then it will take the executable binary
> and other OS related files and place them back in the original location thus reviving them
> from dormancy.
>
> However malware is not known to "hide" itself in "System Volume
> Information" while operating within the OS.
>

As far as you know, no malware writer used that method. Nobody knows everything.

John