From: Dustin on
John Slade <hhitman86(a)pacbell.net> wrote in
news:8ND5o.33941$o27.31443(a)newsfe08.iad:

> On 8/1/2010 6:57 PM, FromTheRafters wrote:
>> "John Slade"<hhitman86(a)pacbell.net> wrote in message
>> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>>
>> [...]
>>
>>>>> I don't know why you would find it funny because a virus writer
>>>>> will use anything to hide a virus. What smarter way is to hide
>>>>> them in each and every folder in "system volume information"?
>>
>>> I didn't know Dustin Cook existed until he responded for you.
>>> But I've
>>> been reading some in alt.comp.viruses and I find it
>>> well...interesting... If he wrote viruses then he more than anyone
>>> should know that what I said happened is indeed possible.
>>
>> Because he understands true viruses, he knows that they don't need
>> to hide themselves in folders.
>>
>> I don't think he would have said what he said if you had said
>> worms, or malware, instead of viruses.
>
> Well "virus" is a generic term these days. I was talking
> about worms and/or trojans, I was using "virus" as a generic
> term. I guess that clears it up.

Virus isn't a generic term, then or now. As a professional, I think it
unwise of you to generalize what might be ailing the patient.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: David H. Lipman on
From: "John Slade" <hhitman86(a)pacbell.net>

| On 8/1/2010 6:57 PM, FromTheRafters wrote:
>> "John Slade"<hhitman86(a)pacbell.net> wrote in message
>> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...

>> [...]

>>>>> I don't know why you would find it funny because a virus writer will use
>>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>>> every folder in "system volume information"?

>>> I didn't know Dustin Cook existed until he responded for you. But I've
>>> been reading some in alt.comp.viruses and I find it well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I said
>>> happened is indeed possible.

>> Because he understands true viruses, he knows that they don't need to hide
>> themselves in folders.

>> I don't think he would have said what he said if you had said worms, or
>> malware, instead of viruses.

| Well "virus" is a generic term these days. I was talking
| about worms and/or trojans, I was using "virus" as a generic
| term. I guess that clears it up.

The term "malware" is generic.
The term "virus" is quite specific.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: David H. Lipman on
From: "John Slade" <hhitman86(a)pacbell.net>


| That's all well and good but as you know there are strains
| of trojans and worms that are unknown. It may or may not have
| been Virtumonde or a version of it, it very well may have been
| some other malware that dropped Virtumonde. I'm sure you know
| there is malware out there that will drop multiple trojans and
| worms on a system. But whatever it was, I was never afraid to do
| what it took to get rid of it. That's why I make a backup before
| I clean badly infected systems.

| I can tell you this, after I got rid of all the system
| restore points, some malware looked for files in the restore
| folders and couldn't find them. I got the popup saying the files
| were not found in that directory. I did a final scan and when I
| removed the malware this time it stayed gone. The system ran
| with no problems until the teenager put something else on it
| months later.

I agree, there are "...strains of trojans and worms that are unknown."
However there is a relatively finite capability that they employ. Usually one repeats the
success of another and builds upon that success. What becomes new is not what they do
within the file system, it is what they do in the Registry or employing different
programming techniques and Kernel constructs.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: FromTheRafters on
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:TOD5o.33942$o27.7240(a)newsfe08.iad...
> On 8/1/2010 7:13 PM, David H. Lipman wrote:
>> From: "FromTheRafters"<erratic @nomail.afraid.org>
>>
>> | "John Slade"<hhitman86(a)pacbell.net> wrote in message
>> | news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>>
>> | [...]
>>
>>>>>> I don't know why you would find it funny because a virus writer
>>>>>> will use
>>>>>> anything to hide a virus. What smarter way is to hide them in
>>>>>> each and
>>>>>> every folder in "system volume information"?
>>
>>>> I didn't know Dustin Cook existed until he responded for you.
>>>> But I've
>>>> been reading some in alt.comp.viruses and I find it
>>>> well...interesting...
>>>> If he wrote viruses then he more than anyone should know that what
>>>> I said
>>>> happened is indeed possible.
>>
>> | Because he understands true viruses, he knows that they don't need
>> to hide
>> | themselves in folders.
>>
>> | I don't think he would have said what he said if you had said
>> worms, or
>> | malware, instead of viruses.
>>
>> | Some malware sorta infests the "System Volume Information" folder -
>> what
>> | actually happens is that when the AV requests deletion of a
>> detected malware
>> | file, the OS makes a copy and stores it there just in case you
>> didn't
>> | *really* want it deleted.
>>
>>
>> It doesn't really have to do with an anti malware application
>> deleting a file. That is the
>> Recycle Bin and only the OS Shell (explorer) will place the files in
>> the Recycle Bin.
>>
>> In this case the OS will take executable binaries and other OS
>> related files and place
>> copies in the System Restore Cache. All I have to do is download an
>> EXE or DLL and it
>> will be in the cache and reference the location of where it was in
>> the OS. And it doesn't
>> really infest the "System Volume Information\_restore" folder. It
>> lays dormant in there
>> until the user decides to restore a break point. Then it will take
>> the executable binary
>> and other OS related files and place them back in the original
>> location thus reviving them
>> from dormancy. However malware is not known to "hide" itself in
>> "System Volume
>> Information" while operating within the OS.
>>
>
> As far as you know, no malware writer used that method. Nobody
> knows everything.

Now, you're just being silly.

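For anyone cleaning a machine along the lines David describes above, here is an added PowerShell illustration (not code from anyone in this thread) of how a responder checks what System Restore is holding before deciding whether to purge it. It assumes Windows PowerShell on a client Windows version that ships the built-in *-ComputerRestore cmdlets, run from an elevated prompt, and that C: is the protected drive.

```powershell
# Added example, not from this thread. Assumes an elevated Windows
# PowerShell session on a client Windows build that has the built-in
# *-ComputerRestore cmdlets; the drive letter is an assumption.

# 1. List the restore points and when each was taken. Any executable
#    deleted or replaced since a point was created may have a copy
#    parked in that point's cache under System Volume Information,
#    which is why a scanner can keep reporting a file you already removed.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
                  @{ Name = 'Created'
                     Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Show the current System Restore configuration (how often points
#    are taken, how long they live, how much disk the cache may use).
Get-WmiObject -Namespace 'root\default' -Class SystemRestoreConfig |
    Select-Object RPGlobalInterval, RPLifeInterval, DiskPercent

# 3. Only once the system has been cleaned and re-scanned clean:
#    disabling restore on a drive discards that drive's existing points,
#    so nothing cached there can be restored later. Re-enable it and take
#    one fresh, known-clean baseline point.
Disable-ComputerRestore -Drive 'C:\'
Enable-ComputerRestore  -Drive 'C:\'
Checkpoint-Computer -Description 'Post-cleanup baseline' `
                    -RestorePointType 'MODIFY_SETTINGS'
```

Step 3 is deliberately last: purging restore points before the machine is verified clean throws away the only rollback you have if the cleanup itself breaks something, which is the same reason for taking a backup first.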

From: FromTheRafters on
"John Slade" <hhitman86(a)pacbell.net> wrote in message
news:8ND5o.33941$o27.31443(a)newsfe08.iad...
> On 8/1/2010 6:57 PM, FromTheRafters wrote:
>> "John Slade"<hhitman86(a)pacbell.net> wrote in message
>> news:Xyo5o.41721$OU6.25986(a)newsfe20.iad...
>>
>> [...]
>>
>>>>> I don't know why you would find it funny because a virus writer
>>>>> will use
>>>>> anything to hide a virus. What smarter way is to hide them in each
>>>>> and
>>>>> every folder in "system volume information"?
>>
>>> I didn't know Dustin Cook existed until he responded for you.
>>> But I've
>>> been reading some in alt.comp.viruses and I find it
>>> well...interesting...
>>> If he wrote viruses then he more than anyone should know that what I
>>> said
>>> happened is indeed possible.
>>
>> Because he understands true viruses, he knows that they don't need to
>> hide
>> themselves in folders.
>>
>> I don't think he would have said what he said if you had said worms,
>> or
>> malware, instead of viruses.
>
> Well "virus" is a generic term these days. I was talking about
> worms and/or trojans, I was using "virus" as a generic term. I guess
> that clears it up.

Yep, clear as rain. You don't know the terminology, don't care, yet we
are supposed to believe that you know what you are talking about.

That's it, huh?