Microsoft: piracy is getting virusy - Page 4


Re: Microsoft: piracy is getting virusy

"Bast" wrote:


Yes, despite my reply not recognising it in the quoted text, both of
those appeared as the same name: "simplexe.txt" in your post.


Perhaps not but it is listed as an application rather than a text
document. It also gets weird if you try to rename a file like that in
Explorer. The cursor appears in the middle of the name (after the 'L'
even if you press "end") and the cursor keys and backspace move in the
opposite direction in the text after the invisible RLO character.


It appears to work only in newer versions of Explorer where "newer" is
some time after Win2k. The RLO character has no effect on the name in
older versions and appears as a small black rectangle.


If the file is named simpl[RLO]txt.exe where [RLO] is the override
character it will be treated as an executable no matter how it appears
in an Explorer window; e.g. as simplexe.txt.



Re: Microsoft: piracy is getting virusy



Ant wrote:



Even in Windows 8, it can only work if extensions are ignored.
I hate to say this but some people just beg for problems, when they think
putting their faith in dumbed down operating systems is a good idea.
With a bit of common sense, you don't have those problems.

Of course, the iPhone generation is also often stupid enough to text while
walking and step right out in front of cars. So perhaps some people just
shouldn't own computers either.



Re: Microsoft: piracy is getting virusy

"Bast" wrote:


This is nothing to do with whether extensions are hidden or not. It's
about using the right-to-left override unicode character in a filename
to make it appear to have an extension it does not have. It works when
extensions for registered file types are not hidden.



Re: Microsoft: piracy is getting virusy

on 10/15/2012, Ant supposed:

MesNews has an interesting display when you highlight sequentially from
left to right. When you get to the RLO character it inserts a space and
reverses the remainder of the string - then the space progresses
through the rest of the string with each step.

I've read somewhere that one needs to edit the registry so as to allow
creation of filenames with such characters. If so, I'm wondering if the
same disallowance applies to such files extracted from archive files. I
have only ever seen these where the name actually comes from within an
archive file.

More on this here:

http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/

I reposted those names in another subthread by using OE because I
wasn't sure that MesNews would show the behavior in a Usenet post.
Apparently it does.
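A defender-side check for the RLO trick Ant describes above (simpl[RLO]txt.exe showing as simplexe.txt) and for the archive case FromTheRafters raises (names that arrive inside an archive rather than from the keyboard). This is an added example, not code from the thread or from any tool mentioned in it. It assumes a deliberately simplified rendering model (text after an RLO is drawn reversed until a PDF or the end of the name) rather than the full Unicode bidirectional algorithm, and the ZIP it builds is constructed sample data:

```python
import io
import zipfile
from pathlib import PurePosixPath

# Unicode bidirectional control characters. RLO (U+202E) is the one the thread
# discusses; the others are listed because they can also reorder or hide text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def rendered_name(name):
    """Approximate how a bidi-aware file manager draws a name.

    Simplified model (an assumption, not the full Unicode bidi algorithm):
    text after an RLO is drawn reversed until a PDF or the end of the name,
    an LRO leaves the order unchanged, other controls draw nothing.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202e", "\u202d"):
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            segment = name[i + 1:j]
            out.append(segment[::-1] if ch == "\u202e" else segment)
            i = j + 1          # skip the terminating PDF, if there is one
        elif ch in BIDI_CONTROLS:
            i += 1             # zero-width control: nothing is drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_of(name):
    """Extension as the OS sees it: whatever follows the last '.' in the raw string."""
    _head, sep, tail = name.rpartition(".")
    return tail.lower() if sep else ""


def inspect_filename(name):
    """Report which controls a name carries and whether its drawn extension lies."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    return {
        "raw": name,
        "displayed": shown,
        "controls": controls,
        "has_bidi_controls": bool(controls),
        "displayed_extension": extension_of(shown),
        "actual_extension": extension_of(name),
        "extension_spoofed": extension_of(shown) != extension_of(name),
    }


def scan_names(names):
    """Return a report for every name that carries a bidi control character."""
    return [r for r in map(inspect_filename, names) if r["has_bidi_controls"]]


def scan_archive(zip_bytes):
    """Run the same check over ZIP member names before anything is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [PurePosixPath(n).name for n in zf.namelist()]
    return scan_names(members)


def build_sample_zip():
    """Constructed test archive (not a real sample): one honest name, one RLO name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "plain text")
        zf.writestr("docs/simpl\u202etxt.exe", b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    reports = scan_names(["report.pdf", "simpl\u202etxt.exe"]) + scan_archive(build_sample_zip())
    for r in reports:
        print(f"{r['displayed']!r} is really .{r['actual_extension']} "
              f"(controls at {r['controls']})")
```

The check deliberately flags any bidi control in a name, not only the cases where the drawn extension differs from the real one: there is no ordinary reason for a filename to contain RLO, and the register of who can create such names is irrelevant, since (as Ant notes later in the thread) any program calling the Unicode file API, or an archive extractor, can create one regardless of keyboard or registry limits.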



Re: Microsoft: piracy is getting virusy

"FromTheRafters" wrote:


Only if you're using the keyboard. I wrote a test program using the
CreateFileW function. The ending 'W' means a unicode string is
required for the filename so I could be sure I was using the correct
character.


No, it doesn't. Any program can create a file with a unicode name
irrespective of registry settings. After all, the native Windows API
uses unicode exclusively. My test program gave the expected visual
result on XP but not on Win2k (in neither case was the registry value
set), so the older Explorer GUI did not recognise the RLO character.
However, my W2k is so heavily tweaked that it's possible something
else is preventing it from working!



Re: Microsoft: piracy is getting virusy

Ant used his keyboard to write:

Thanks Ant, now I don't have to wonder about that anymore. I have heard
(or read) Unicode characters being referred to as "wide" characters
which is likely what the "W" means in the CreateFileW function.



Re: Microsoft: piracy is getting virusy

"FromTheRafters" wrote:


Yep, 'W' is wide, meaning unicode (why didn't they use 'U'?) and 'A'
is normal, meaning ANSI (how it looks depends on your language
settings). The suffixes apply to Win API functions that have strings
as parameters. Normally you omit them (e.g. use CreateFile) and the
correct version is substituted, depending on your compiler settings.



Re: Microsoft: piracy is getting virusy

Ant wrote:

Excuse me butting in Ant, but I'd very much like your opinion on what
was said about file names by a clever fellow when I was posting in the
Kaspersky forums.

To save reinventing the wheel, please look here: Message-ID:

http://al.howardknight.net/msgid.cgi?STYPE=msgid&A=0&MSGI=%3CwfqdnX669MFX6BzNnZ2dnUVZ8tmdnZ2d%40bt.com%3E

Does the post made by Paul (aka p2U) make good sense to you?

Maybe you feel he was mistaken, perhaps.

My thanks in anticipation of your help. :-)


Re: Microsoft: piracy is getting virusy

"David_B" wrote:


He's talking about MalwareBytes detection of some files by name only
being a bad idea. While names can be an indication of malware, a
scanner ought to look deeper. Most malware uses randomly generated
names so it's pointless adding such a name to a list of bad actors.
However, it may be that a particular malware reliably uses the same
path and name which the scanner authors feel can be removed without
further inspection. I don't know if that's the case here. Obviously
such a method will cause problems if a legitimate application using
that name is installed.



Re: Microsoft: piracy is getting virusy

Ant wrote:

Many thanks for your comments, Ant.

Much appreciated! :-)


Re: Microsoft: piracy is getting virusy


I didn't see the expected RLO demonstration in MesNews, so I decided to post
with Outlook Express. I couldn't find the post I really wanted to reply to
while in OE so I replied here. Sorry for any confusion.
simplexe.txt
simpl?txt.exe



Re: Microsoft: piracy is getting virusy



Due to some badly written players, one could corrupt the tag and cause a
code execution via buffer overrun exploit, yes.

AVis and mp3s did have this issue at one point. It wasn't just making
your browser open a webpage all the time.
 



--
There ain't no rest for the wicked. Money don't grow on trees. I got
bills to pay. I got mouths to feed. Ain't nothing in this world for
free. Oh No. I can't slow down, I can't hold back though you know I wish
I could. Oh no there ain't no rest for the wicked, until we close our
eyes for good.




Re: Microsoft: piracy is getting virusy

On Friday, October 12, 2012 2:13:59 AM UTC+3, Dustin wrote:

You still here?  I thought we ran your sorry lying ass out of this forum bozo.

RL

Re: Microsoft: piracy is getting virusy



I'm not going anyplace. Who's we? And what was I lying about? If I didn't
author Irok, how come you've not been able to find the full source code
elsewhere?

Speaking of that, if I stole those assembler samples; why can't you find
those sources either? LOLz

You're barely! a programmer Ray, but you're in way over your poor wittle
head with me. [g]

Come back when you've learned how a prepender works, you stupid fuck.






Re: Microsoft: piracy is getting virusy



Hello Ray Lopez. I don't know Dustin very well but I have seen how sometimes
he can be unnecessarily negatory towards people (including me).

Presumably you have had some encounter with him in the past.

Jax
--
Bear Bottoms
http://bearware.info

Re: Microsoft: piracy is getting virusy



You don't realize this, but you are setting yourself up for another
education from me. [g]

Ray asked rudimentary questions about viruses. He asked for evidence as
to who I have claimed to be and my "real" knowledge concerning the
subject. Others he supposedly respects now vouched for me.

So umm, Ray's basically a full of shit wannabe poser who got called out.






Re: Microsoft: piracy is getting virusy

On Saturday, October 13, 2012 9:36:33 PM UTC+3, Bear wrote:
 
 
Yes.  But he loves the attention, the little boy that he is.  Kiddie scripter
and wannabe con artist.

RL

Re: Microsoft: piracy is getting virusy



http://www.f-secure.com/v-descs/irok.shtml


Summary
Irok is a virus-worm created by RaiD/SLAM which spreads via IRC and
Microsoft Outlook. The worm is a 10001-byte-long DOS-based program that
is heavily packed and encrypted with a protective envelope that uses
anti-debugging tricks.


Additional Details
When run, the worm copies itself to the C:\Windows\System\ and C:\Mirc\
folders as IROK.EXE and drops WINRDE.DLL to the \Windows\System\ folder.
This file is not a Windows DLL, it is a data file. The worm also
replaces the SCRIPT.INI file in the C:\Mirc\ folder with its own script that
sends the IROK.EXE file to everyone on the IRC channel that the
infected user joins. The worm finally drops a Visual Basic script file
IROKRUN.VBS to the Windows Startup directory. This script will be
executed next time the system is restarted.

During the next Windows startup, the IROKRUN.VBS script will be
executed. It uses Microsoft Outlook to send the worm executable as
IROK.EXE to 60 recipients whose addresses are taken from each of
Outlook's address books.

The message in which the worm spreads itself looks like this:

 Subject: I thought you might like to see this.

 Body:    I thought you might like this. I got it from paramount pictures
          website. It's a startrek screen saver.


After every message is sent they are removed from the 'Sent Items'
folder. Finally the script file is removed from the Windows Startup
directory.

At the same time Irok is a non-resident virus, which scans directories
listed in the PATH= variable for COM and EXE files and then infects them.
The virus is a very fast infector. It can infect up to 80 files at a
time. The virus is of the relocating type - it writes itself to the start of
the file and relocates the original 10kb of the file to the end. The
relocated part is encrypted. Infected files grow 10kb in size.

In some cases the virus can corrupt host programs. The virus has a bug
and it does not supply command line options to the host program
correctly, so every program that operates with command line parameters
will work incorrectly after infection.

The virus avoids infecting files that have extensions and/or their names
start with one of the following:

 dll spa man drv scr krnl 386 msc com exp mou gw go sta use gdi con



The virus also deletes the following files:

 anti-vir.dat  chklist.ms  chklist.cps  vs.vsn  ivb.ntz



When internal counters of the virus reach certain values, the virus
displays a message on the screen. Most of this message is taken from
lyrics of the song 'Aenema' by the band called 'Tool'. We will not
reproduce the message here as the song seriously needs the Parental
Advisory sticker for explicit lyrics.

 End of description.

Quite a virus for a script kiddy to have written, wouldn't you say Ray?
Let's humour your claim that I'm nothing more than a script kiddy. Why
is it then, I can write them, and you still don't have a clue how they
work? How did a "script kiddy" wind up 0wning your superior programming
ass? :)






Re: Microsoft: piracy is getting virusy



Gee Dustin, can't we get away from that crummy virus you once wrote?

It was over a decade ago. Life moves on but you seem to be stuck in the
past!

Jax

Re: Microsoft: piracy is getting virusy




That's the point. I did something over a decade ago that you still can't
come close to doing today. :) My skills have only gotten better in that
decade, JaX. You really can't compete with me on an IT level.





