ircbrute




   I just destroyed a USB fob because I found IRCBRUTE/Taquito on it.
I am trying to find out if it got there from a browser (likeliest
suspect) or from opening PDF files. Can it just get there by using the
file system? I believe I got it by downloading two zip files (my own
files) using a browser at a public library.



                    - = -
 Vasos Panagiotopoulos, Columbia'81+, Reagan, Mozart, Pindus, BioStrategist
   http://www.panix.com/~vjp2/vasos.htm http://www.facebook.com/vasjpan2
  ---{Nothing herein constitutes advice.  Everything fully disclaimed.}---
   [Homeland Security means private firearms not lazy obstructive guards]
 [Urb sprawl confounds terror] [Phooey on GUI: Windows for subprime Bimbos]



Re: ircbrute




It probably happened as soon as you plugged it into the library
computer.

There was no need to destroy the fob.



Re: ircbrute




So IRCBRUTE works through the file system?

*+-There was no need to destroy the fob.

I agree, but no one was willing to help me fix it.

                    - = -
 Vasos Panagiotopoulos




Re: ircbrute





| So IRCBRUTE works through the file system?

| *+-There was no need to destroy the fob.

| I agree, but no one was willing to help me fix it.

It loaded via an AutoRun worm.
That's why you should disable AutoPlay/AutoRun on a PC where you use
random-read/random-write media.




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: ircbrute




*+-It loaded via an AutoRun worm.

Oh, shoot! If a CD doesn't have any suspicious AUTORUN on it, is it
safe to assume it is clean?

So how can I be sure it came from the library (i.e. yesterday) and I
wasn't carrying it around longer? I have a few CDs I wrote from that
fob in December.  I used Adobe Acrobat on that fob in January, to
bring home files I got scanned outside. I also used MS Access in
October.


                    - = -
 Vasos Panagiotopoulos




Re: ircbrute





| *+-It loaded via an AutoRun worm.

| Oh, shoot! If a CD doesn't have any suspicious AUTORUN on it, is it
| safe to assume it is clean?

| So How can I be sure it came from the library (ie Yesterday) and I
| wasn't carrying it around longer? I have a few CDs I wrote from that
| FOB in December.  I used Adobe Acrobat on that fob in January, to
| bring home files I got scanned outside. I also used MS Access in
| October.

There have been instances of malware-infected CD-ROMs, but that is a very rare
case.  Much higher for USB "Mass Storage Devices".

One of the cases I have heard of, for CD/DVD-ROMs associated with an AutoRun
worm, was a deliberate spearphishing attack.

--
Dave
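The AutoRun advice a few posts up and the question of whether a disc without a suspicious AUTORUN is clean both come down to one file, the autorun.inf in the root of the volume. What follows is an added example for this thread, not code posted by anyone in it. It reads an autorun.inf the way Windows AutoRun does, pulls out every directive that would launch a program (open=, shellexecute=, and shell\<verb>\command=) and checks whether each target actually exists on the volume, which is what separates a launcher from a harmless icon= entry. The sample autorun.inf and directory listing inside it are constructed for the example; every path in them is made up.

```python
"""Triage an autorun.inf on removable media the way Windows AutoRun reads it.

Added example for this thread, not code posted by anyone in it.  The sample
autorun.inf and directory listing below are constructed; every path is made up.
"""
import os
import re

# Directives in [autorun] that make Windows run a program when AutoRun is
# honored: open=, shellexecute=, and shell\<verb>\command= (the verb becomes a
# right-click menu entry; worms point the default verb at their dropper).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample.  The icon= and action= lines mimic the stock "Open folder
# to view files" prompt so the launcher looks like the harmless default choice.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed sample for the example, not a real worm's file
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
open=RECYCLER\S-1-5-21-0-0-0-1000\setup.exe
shell\open\command="RECYCLER\S-1-5-21-0-0-0-1000\setup.exe" /q
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-1000\setup.exe /q
shellexecute=setup.exe
"""
# Constructed listing of the same volume, paths relative to its root.
SAMPLE_FILES = {
    "autorun.inf",
    "RECYCLER/S-1-5-21-0-0-0-1000/setup.exe",
    "Photos/holiday.zip",
}


def parse_autorun(text):
    """Return {directive: value} for launch-capable directives in [autorun].

    Hand-rolled rather than configparser: worm-written files use odd casing,
    duplicate keys and junk lines.  Last value wins; other sections are ignored.
    """
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            found[key] = value.strip()
    return found


def launch_target(value):
    """Extract the program path from a directive value, honoring quoting."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def _norm(path):
    """Compare paths the way a case-insensitive Windows volume would."""
    p = path.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    return p.lstrip("/").lower()


def triage_text(text, files_present):
    """One row per launch directive: target path and whether it is on the volume."""
    present = {_norm(f) for f in files_present}
    rows = []
    for directive, value in parse_autorun(text).items():
        target = launch_target(value)
        rows.append({"directive": directive, "target": target,
                     "present": _norm(target) in present})
    return rows


def triage_volume(root):
    """Walk a mounted volume; None if there is no autorun.inf in its root."""
    present, inf_path = set(), None
    for dirpath, _, names in os.walk(root):
        for name in names:
            present.add(os.path.relpath(os.path.join(dirpath, name), root))
            if dirpath == root and name.lower() == "autorun.inf":
                inf_path = os.path.join(dirpath, name)
    if inf_path is None:
        return None
    with open(inf_path, encoding="latin-1", errors="replace") as fh:
        return triage_text(fh.read(), present)


if __name__ == "__main__":
    for row in triage_text(SAMPLE_AUTORUN, SAMPLE_FILES):
        state = "present" if row["present"] else "MISSING on volume"
        print(f'{row["directive"]:<22} -> {row["target"]}  [{state}]')
```

Two caveats. A volume with no autorun.inf, or one whose autorun.inf has no launch directive, merely has no AutoRun launcher; infected files elsewhere on it still need a scan, so this check complements an up-to-date scanner rather than replacing it. And the right-Shift trick suppresses AutoRun for a single insertion only; the durable fix on Windows XP/Vista/7 is NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (XP and Vista need the update from Microsoft KB 967715 first, or that value is not honored for every drive type).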



Re: ircbrute



There is a CLAMWIN machine that hasn't updated since the summer.  Will
that machine be secure? When did clamwin learn about ircbrute?



                    - = -
 Vasos Panagiotopoulos




Re: ircbrute




| There is a CLAMWIN machine that hasn't updated since the summer.  Will
| that machine be secure? When did clamwin learn about ircbrute?

N O !




--
Dave



Re: ircbrute





Hold down the right Shift key when inserting your media if you don't know
how to, or cannot, disable AutoRun. This will do it for you, but ONLY for
that go around.


--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh..
nudge this boulder right down a cliff." - Goblin Warrior


Re: ircbrute



Now we have all the possible sources of infection claiming it couldn't
possibly be their machines because they have the latest antivirus
software.



                    - = -
 Vasos Panagiotopoulos




Re: ircbrute




| Now we have all the possible sources of infection claiming it couldn't
| possibly be their machines because they have the latest antivirus
| software.



The False Negative syndrome.



--
Dave



Re: ircbrute



Hi David,

14 Mar 10, David H. Lipman writes to All:

 >| Now we have all the possible souces of infection claiming
 >| it couldn't possibly be their machines because they have
 >| the latest antivirus software

 > The False Negative syndrome.

My life story, not viral on my network. <grin>

Hey David, thanks for pointing me to fidolook. I use it on my server all the
time now, and it helped me set "TZ" variables on my network via its header
info. See, my time is correct now.

        Gufus

--
K Klement

Enhance your marketing at   http://www.gypsy-designs.com
                           mailto:info@gypsy-designs.com
Gypsy Designs                        Fax: (403) 242-3221

... You are too narrowminded if you can see through a keyhole with both eyes.

Re: ircbrute




| Hi David,

| 14 Mar 10, David H. Lipman writes to All:



| My life story, not viral on my network. <grin>

| Hey David, thanks for pointing me to fidolook. I use it on my server all the
| time now, and it helped me set "TZ" variables on my network via its header
| info. See, my time is correct now.

|         Gufus

Excellent !  :-)

You can even take advantage of its yEnc decoding as well as using an X-Face.


--
Dave



Re: ircbrute



Hi David,

15 Mar 10, David H. Lipman writes to All:

 > Excellent !  :-)

<smile>

 > You can even take advantage of its yEnc decoding as well as
 > using an X-Face.

Funny you should say that, I just emailed you on that subject, like how do I
set up X-Face in fidolook? I tried everything.

We can take it to email, if you wish, just use "gbbsg@shaw.ca (gufus)". I
don't know if your newsgroup email address is valid.

        Gufus


--
K Klement

... If a cow laughs hard does milk come out its nose?

Re: ircbrute




| Hi David,

| 15 Mar 10, David H. Lipman writes to All:


| <smile>


| Funny you should say that, I just emailed you on that subject, like how do I
| set up X-Face in fidolook? I tried everything.

| We can take it to email, if you wish, just use "gbbsg@shaw.ca (gufus)". I
| don't know if your newsgroup email address is valid.

|         Gufus

My email address is obfuscated with;  ~nospam~

I'll email you.

It is too bad that the Fidolook news group is defunct on Gmane.Org  :-(


--
Dave



Re: ircbrute

Hi David,

Monday March 15 2010, David H. Lipman writes to All:

 > My email address is obfuscated with;  ~nospam~

Me too. :)

 > I'll email you.

'k ... no rush bro!

 > It is too bad that the Fidolook news group is defunct on
 > Gmane.Org  :-(

Ah... didn't even try.

        Gufus


--
K Klement

... Gentlemen, start your debuggers.

Re: ircbrute




| Hi David,

| Monday March 15 2010, David H. Lipman writes to All:


| Me too. :)


| 'k ... no rush bro!


| Ah... didn't even try.

|         Gufus


Done !

Most don't know about the Gmane NNTP service.  Many good Open Source projects
there, and others.  The group gmane.network.fidolook existed until a little over
a year ago.  It's complicated, as many groups are actually email lists done via
Google.  Google killed the list and thus the group  :-(


--
Dave



Re: ircbrute



News: alt.comp.anti-virus [Tue, 16 Mar 2010 14:41:03 -0600]
Subject: Re: ircbrute

Hello, David!

You wrote in conference alt.comp.anti-virus to Gufus on Mon, 15 Mar 2010
20:22:42 -0400:

 DHL> Done !

Got it, see my X-Face now, kinda cool.

Say, can I use my own editor in Fidolook?

    Gufus

With best regards, Kevin Klement.  E-mail: info@gypsy-designs.com
--- Fidolook 2007 (HV) 6.0.6000.97 - 24/12/2008 20:32:05
* Origin: Gypsy Designs Inc.

Message-ID: hnmj0j07ap@news3.newsguy.com




Re: ircbrute






|             Got it, see my X-Face now, kinda cool.

|             Say, can I use my own editor in Fidolook?

|                 Gufus

|                   With best regards, Kevin Klement.  E-mail:


The formatting came out a bit weird but, yep, I see your X-Face !


--
Dave



Re: ircbrute



News: alt.comp.anti-virus [Tue, 16 Mar 2010 15:25:11 -0600]
Comment to: David H. Lipman
Subject: Re: ircbrute

Hello, David!

You wrote to Kevin Klement on Tue, 16 Mar 2010 17:18:02 -0400:

 ??|> Got it, see my X-Face now, kinda cool.

 ??|> Say, can I use my own editor in Fidolook?

 ??|>     Gufus

 ??|>     With best regards, Kevin Klement.  E-mail:

 DHL> The formatting came out a bit weird but, yep, I see your X-Face !

Really, looks ok here.

Should I use multiline?

-- cut here --
#"DtK&7^5P|u6yesiHW<_YTpWs>V8v|7J%W[b6O~emUr??J}9>jRP`j"a7j
 aE,2>V.`kdX53n;0L;z[Y*]80/iO&<i;24h%Itp9753ciK?c=8KyBp0
-- cut here--

With best regards, Gufus.  E-mail: info@gypsy-designs.com
--- Fidolook 2007 (HV) 6.0.6000.97 - 24/12/2008 20:32:05
* Origin: Gypsy Designs Inc.

Message-ID: hnosib021c7@news3.newsguy.com



