From: John Navas on
On Tue, 10 Aug 2010 17:14:36 -0400, in <i3sh5907nh(a)news6.newsguy.com>,
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "John Navas" <spamfilter1(a)navasgroup.com>
>
>| On Tue, 10 Aug 2010 07:45:46 -0400, in
>| <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
>| <erratic(a)nomail.afraid.org> wrote:
>
>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>>> <erratic(a)nomail.afraid.org> wrote:
>
>>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...
>
>>>>>> I thought "this class of virus" would be specific enough,
>>>>>> but you're right that I should have been clearer,
>>>>>> and I thank you for the clarification.
>
>>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>>infection of possibly needed executables?
>
>>>> I meant the class of virus that implants its own executable files,
>>>> and protects them from most methods of removal. Sorry for not being
>>>> more clear.
>
>>>That's okay. You are correct that self-contained replicator files can be
>>>deleted outright - there is nothing there that needs to be salvaged, but
>>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>>files (although not with a replicant).
>
>| That depends on the actual problem, what the anti-virus system is or is
>| not able to remove and disinfect on its own. According to this report:
>| <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
>| Win32/RAMNIT.A modifies few essential executables. My own experience
>| with Microsoft Security Essentials (cf OP) is that only non-essential
>| files are missed in this case. Do you have experience to the contrary?
>
>That ThreatExpert report is insufficient.
>
>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.

In which of the 184 messages in this thread would those specifics be?

--
John

"Assumption is the mother of all screw ups."
[Wethern's Law of Suspended Judgement]
From: David H. Lipman on
From: "John Navas" <spamfilter1(a)navasgroup.com>

>>That ThreatExpert report is insufficient.

>>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.

| In which of the 184 messages in this thread would those specifics be?

Message-ID: <Z6mdnSdGNvB-rc_RnZ2dnUVZ8uCdnZ2d(a)brightview.co.uk>

Message-ID: <R_udnfUgK5IE2snRnZ2dnUVZ8jMAAAAA(a)brightview.co.uk>


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: John Navas on
On Tue, 10 Aug 2010 17:22:28 -0400, in <i3shk1080j(a)news6.newsguy.com>,
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "John Navas" <spamfilter1(a)navasgroup.com>
>
>>>That ThreatExpert report is insufficient.
>
>>>Go back and read Ant's analysis based upon the Ramnit samples I provided him with.
>
>| In which of the 184 messages in this thread would those specifics be?
>
>Message-ID: <Z6mdnSdGNvB-rc_RnZ2dnUVZ8uCdnZ2d(a)brightview.co.uk>
>Message-ID: <R_udnfUgK5IE2snRnZ2dnUVZ8jMAAAAA(a)brightview.co.uk>

Thank you. That would seem to confirm what I wrote:

It does NOT infect:-
1) Files in the windows directory and its subdirectories.

--
John

"Assumption is the mother of all screw ups."
[Wethern's Law of Suspended Judgement]
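The distinction the posters above draw (a dropped, self-contained replicator can simply be deleted, whereas a pre-existing program file that a file infector has modified has to be disinfected or restored from a known-good copy) is exactly what a baseline-and-diff of executables surfaces during triage. The script below is an added example for this thread, not code from any poster or from any analysis cited here; the directory layout, file names and the simulated "infection" (bytes appended to one existing PE, one new PE dropped elsewhere) are all constructed for the demo, and the "MZ" header check is only a cheap heuristic for "looks like a PE file". Whether a given family skips some directory tree (as claimed above for the Windows directory) is left to the optional exclude list; the example itself scans everything it is pointed at.

```python
"""Baseline-and-diff triage of executables on a suspect host.

Added example for this thread (not from any poster). It separates
dropped, self-contained files (can be deleted outright) from
pre-existing program files whose contents changed (need disinfection
or restore from a known-good copy). Paths, file names and the
"infection" applied in demo() are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # DOS header signature every PE file starts with


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header (cheap PE check)."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()):
    """Map relative path -> sha256 for every PE file under root.

    exclude: relative directory prefixes to skip, e.g. ("Windows",).
    Relative paths use forward slashes so baselines compare across hosts.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(rel == e or rel.startswith(e + "/") for e in exclude):
                continue
            if is_pe(p):
                baseline[rel] = sha256_of(p)
    return baseline


def diff_baseline(root, baseline, exclude=()):
    """Classify the current state of root against a known-good baseline.

    new      : PE file not in baseline -> dropped/self-contained; delete outright
    modified : PE file whose hash changed -> pre-existing program altered;
               disinfect or restore from a known-good copy
    missing  : baseline file no longer present (removed by AV or attacker)
    """
    current = build_baseline(root, exclude)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return {"new": new, "modified": modified, "missing": missing}


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: baseline a clean tree, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # clean host: two program files, a non-PE text file, one OS file
        _write(root / "Program Files/App/app.exe", PE_MAGIC + b"\x90" * 64)
        _write(root / "Program Files/App/helper.dll", PE_MAGIC + b"\xcc" * 64)
        _write(root / "Program Files/App/readme.txt", b"not a program")
        _write(root / "Windows/System32/kernel32.dll", PE_MAGIC + b"\x00" * 64)
        baseline = build_baseline(root)

        # simulated infection (constructed): a pre-existing file gets bytes
        # appended (file-infector behaviour) and a new self-contained PE is
        # dropped under the user profile
        app = root / "Program Files/App/app.exe"
        app.write_bytes(app.read_bytes() + b"\xeb\xfe")
        _write(root / "Users/victim/AppData/dropper.exe", PE_MAGIC + b"\xde\xad")

        return diff_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In practice the baseline is taken from a clean install or gold image (or from vendor catalog hashes), stored off-host, and the diff is run from a boot disk so an active infector cannot interfere; a hash diff only tells you a file changed, not whether the change is benign, so "modified" entries still need to be checked against a known-good copy before being overwritten.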
From: FromTheRafters on
"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
news:3dp2669is92a9f58ai7nih728pi8164jpf(a)4ax.com...
> On Tue, 10 Aug 2010 07:45:46 -0400, in
> <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
> <erratic(a)nomail.afraid.org> wrote:
>
>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>> <erratic(a)nomail.afraid.org> wrote:
>>>
>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...
>>>
>>>>> I thought "this class of virus" would be specific enough,
>>>>> but you're right that I should have been clearer,
>>>>> and I thank you for the clarification.
>>>>
>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>infection of possibly needed executables?
>>>
>>> I meant the class of virus that implants its own executable files,
>>> and protects them from most methods of removal. Sorry for not being
>>> more clear.
>>
>>That's okay. You are correct that self-contained replicator files can be
>>deleted outright - there is nothing there that needs to be salvaged, but
>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>files (although not with a replicant).
>
> That depends on the actual problem, what the anti-virus system is or is
> not able to remove and disinfect on its own. According to this report:
> <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
> Win32/RAMNIT.A modifies few essential executables. My own experience
> with Microsoft Security Essentials (cf OP) is that only non-essential
> files are missed in this case. Do you have experience to the contrary?

No, but I think I understand what you are saying now.


From: John Navas on
On Tue, 10 Aug 2010 20:44:55 -0400, in
<i3srqb$fkc$1(a)news.eternal-september.org>, "FromTheRafters"
<erratic(a)nomail.afraid.org> wrote:

>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>news:3dp2669is92a9f58ai7nih728pi8164jpf(a)4ax.com...
>> On Tue, 10 Aug 2010 07:45:46 -0400, in
>> <i3re5e$jkc$1(a)news.eternal-september.org>, "FromTheRafters"
>> <erratic(a)nomail.afraid.org> wrote:
>>
>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>news:utd1665r4ab04coghfdir9rsn06cc3f5m8(a)4ax.com...
>>>> On Mon, 9 Aug 2010 20:39:32 -0400, in
>>>> <i3q747$ago$1(a)news.eternal-september.org>, "FromTheRafters"
>>>> <erratic(a)nomail.afraid.org> wrote:
>>>>
>>>>>"John Navas" <spamfilter1(a)navasgroup.com> wrote in message
>>>>>news:8a5166l8harrijvc3lh42u24s9h0b8r01h(a)4ax.com...
>>>>
>>>>>> I thought "this class of virus" would be specific enough,
>>>>>> but you're right that I should have been clearer,
>>>>>> and I thank you for the clarification.
>>>>>
>>>>>Just curious, what did you mean by 'this class of virus' and the
>>>>>infection of possibly needed executables?
>>>>
>>>> I meant the class of virus that implants its own executable files,
>>>> and protects them from most methods of removal. Sorry for not being
>>>> more clear.
>>>
>>>That's okay. You are correct that self-contained replicator files can be
>>>deleted outright - there is nothing there that needs to be salvaged, but
>>>Ramnit.a actually modifies (infects/trojanizes) preexisting program
>>>files (although not with a replicant).
>>
>> That depends on the actual problem, what the anti-virus system is or is
>> not able to remove and disinfect on its own. According to this report:
>> <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
>> Win32/RAMNIT.A modifies few essential executables. My own experience
>> with Microsoft Security Essentials (cf OP) is that only non-essential
>> files are missed in this case. Do you have experience to the contrary?
>
>No, but I think I understand what you are saying now.

I understood what I was saying in the first post, thank you very much.

--
John

"Never argue with an idiot. He'll drag you down to his level
and then beat you with experience." -Dr. Alan Zimmerman