New Variant of Gpcode Found



Has everyone heard about this one?

From ZDNet:
"Virus analysts at Kaspersky Lab have intercepted a new variant of
Gpcode, a malicious virus that encrypts important files on an infected
desktop and demands payment for a key to recover the data."

http://blogs.zdnet.com/security/?p=1251&tag=nl.e539

max
--
Virus Removal http://max.shplink.com/removal.html
I block all spam/googlegroupers-you can too!
http://improve-usenet.org/index.html
Change nomail.afraid.org to gmail.com to reply by email.

Re: New Variant of Gpcode Found

"What's in a Name?" wrote in



NOTE: Inappropriate use of FollowUp-To header was ignored.  Original
list of newsgroups was used for this reply.


--- Rant on inappropriate use of the FollowUp-To header ---

Don't use the FollowUp-To header.  Posting to, say, 3 newsgroups but
moving replies to just 1 of them or to a completely different one means
you disconnect the visitors of those other 2 (or 3) newsgroups from the
rest of the discussion.  If a newsgroup is appropriate for your post
then it is also appropriate for the replies.  Or, conversely, if the
continued discussion of your post is not appropriate in all the
newsgroups to which you cross-posted then you should not have posted to
those other newsgroups in the first place.  You are using the
FollowUp-To header to move replies to YOUR "home" newsgroup but which
the users of the other newsgroups may not visit.  After all, if you
cross-post and include your "home" newsgroup then you'll see all those
replies in your home newsgroup and meanwhile all the other users can
still see the replies in their newsgroup where you decided to also
publish your post.

In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a
cross-post, you may want to set the Followup-To: header line to the most
suitable group for the rest of the discussion".  Read another way, that
means you disconnect the discussion from all the visitors of the other
newsgroups to which you decided to publish your post.  Why did you
publish to those other newsgroups if you are going to yank the
discussion away from those users and perhaps even from the respondents
you were attempting to elicit?  It is exasperating to post a reply and
never see it in the newsgroup where you read the original post.  If your
post was appropriate for all the groups to which you cross-posted then
why wouldn't those same groups be appropriate for the replies?  To yank
away the discussion to your "home" group is rude since that is probably
not the "home" group for your respondents.  You wanted replies which may
require further replies but now your respondents no longer see the
thread in the newsgroup that they visit to where you published your
post.  Also, the respondents may not know if their reply is appropriate
in the "home" group that you happen to choose.  In general, malcontents
and spammers use the FollowUp-To header to hide negative replies to
their flame or spam posts, often sending the replies off to a *.test
newsgroup.  Is that the company of users to which you want to be
associated?

There are some cases where FollowUp-To should be used.  For example, say
a newsgroup is supposed to only get used for citing the content of a
spam e-mail.  Discussions about that spam are not supposed to be
published in that citing newsgroup.  Just the exhibits are published
there.  If someone wants to discuss that particular spam, their replies
should go into a different newsgroup meant for those discussions.  I
believe that is how some of the NANAE newsgroups operate but the
principle may apply elsewhere; however, it is a rare few newsgroups where
FollowUp-To is appropriate.  For the vast majority of newsgroups,
FollowUp-To is *not* appropriate.  If you do not want to continue the
discussion in the other newsgroups then don't cross-post over there to
only then use FollowUp-To to yank away the continued discussion.  If the
discussion is not appropriate in those other newsgroups then it seems
you have self-nominated your post to be off-topic and hence spam.

If you do use the FollowUp-To header, you are expected per netiquette to
alert the readers of your post that you used that header.  Be polite and
add a note (at the start of your post) saying that you used the header
(ex., "WARNING: FollowUp-To was used and points to <newsgroup>").  You
might also want to explain why you consider any further discussion in
the other newsgroups is inappropriate despite your rudeness in posting
to those other newsgroups.  Many times respondents wonder where their
reply post went because they expect to see it in the group they visited
and where they read your post.  Not all NNTP clients alert the user that
the poster used the FollowUp-To header.  Think about it: you post to
multiple newsgroups but yank the replies to a different newsgroup than
where your respondents visited, then you need more help and reply to
those replies but which are now only in your "home" newsgroup, but the
respondents won't see their posts nor will they see your replies to them
asking for more help.  FollowUp-To is not required when you cross-post
since your "home" newsgroup should be one of those that were specified in
the list of newsgroups.  You'll watch the discussion in your home
newsgroup and the respondents or lurkers can watch that same discussion
in their own newsgroup.  If you don't want replies to show up in all the
newsgroups to which you cross-posted then don't cross-post over there in
the first place!

When crossposting, there are not multiple copies of your post that
waste bandwidth for each to get them propagated to other NNTP servers
and there aren't multiple copies of your post consuming disk space.  A
single copy gets sent to the other NNTP servers and a single copy
resides on each NNTP server with pointers to it to make it show up in
multiple newsgroups.  You aren't saving bandwidth or disk space by
redirecting replies for a cross-posted message to a single newsgroup.
You are just being rude to the visitors of the other newsgroups to which
you cross-posted but tried to yank away the discussion.

--- End of rant ---

Re: New Variant of Gpcode Found


On 6/9/2008 6:37 PM, VanguardLH after much thought, came up with this jewel:

Note: a.p.s. removed from reply and follow-up reinstated just for Van
(for maximum confusion)

So if you knew I would be checking a.p.s. and not the others, why did
you feel it necessary to rant in all 3 groups?

I still have a lot to learn. Will multi-post more in the future.
See you then.
--

Re: New Variant of Gpcode Found

"What's in a Name?" wrote in

NOTE: Original newsgroups in reply were reinstated to maintain access to
this discussion in the newsgroups to which the author chose to include
his discussion.


So all visitors to the other groups from which you yanked away the
discussion would know what happened, and so you couldn't hide the
negative reply regarding your behavior which is typical of spammers and
malcontents.  I doubt you want to be likened to those types of users.

YOU were the one that chose that the groups to which you cross-posted
were related to each other regarding the topic of your post.  I wasn't
arguing with your choice of groups, only in your choice to use the
FollowUp-To header to hide any continued discussion.

Apparently now your decision is that alt.privacy.spyware was not an
appropriate group to include your discussion.  That again was YOUR
choice as to which groups are appropriate for your discussion.  However,
in your reply, you included 2 groups but again attempted to force follow
ups to only 1 group and thus rudely yank the conversation away from
those you chose to expose your post in the other group, so I again
reinstated the original groups (as per YOUR decision in your reply) and
ignored your lame attempt to use FollowUp-To.


Multi-posting isn't the solution, either.  Cross-post when the
newsgroups are related (usually keeping the count to under 4) but do
NOT use the FollowUp-To header.  If you cross-post to a newsgroup, YOU
have deemed your discussion is appropriate over there, so don't be rude
by yanking that discussion away from those you impinged with your post
in trying to elicit responses from over there. If later it is deemed
that your discussion is off-topic, you can always change the Newsgroups
header to omit the unrelated group - but whether you use FollowUp-To or
change the Newsgroups header, you should notify of such in the body of
your post (which you did in your reply - sort of).

However, thanks for the heads up on the link to the article.  It's a bit
terse to do anything about it or to provide any direction for a user to
commit protections against it, so it will be interesting to see what
comes of it.

Re: New Variant of Gpcode Found


On 6/10/2008 12:13 AM, VanguardLH after much thought, came up with this
jewel:

Note: I'm sure there will be more rants to follow.....a.s.p. added back
for anyone who cares.

I got it the first time. I'm sorry you have a sense of humor.

I misunderstood the use of the follow-up and therefore misused it.
I wasn't hiding anything....would you like me to include a.u.k. for you?
They might enjoy your ranting. You're like a woman-give em a word and they
hand you back a story.

I didn't attempt anything

It was humor- but you didn't get it

I don't think a solution will be found soon....
--

Re: New Variant of Gpcode Found

"What's in a Name?" wrote in


If true, yep, I didn't get it.

Re: New Variant of Gpcode Found

VanguardLH wrote:

Exactly. He did the right thing.


In your not-humble, ignorant opinion.

<snipped evidence that Vanguard has way too much time on his hands and a
boulder on his shoulder>

You're a control freak.

Now say something about my sig.

--
Rhonda Lea Kirk Fries

If a man is offered a fact which goes against his instincts, he will
scrutinize it closely, and unless the evidence is overwhelming, he will
refuse to believe it. If, on the other hand, he is offered something
which affords a reason for acting in accordance to his instincts, he
will accept it even on the slightest evidence. The origin of myths is
explained in this way. - Bertrand Russell



Re: New Variant of Gpcode Found


On Tue, 10 Jun 2008 09:33:40 -0400, "Rhonda Lea Kirk Fries"


I agree with Mr Vanguard. The FAQ is wrong (if that's what it actually
still says).



Jim.


Re: New Variant of Gpcode Found

James Egan wrote:

http://www.cs.tut.fi/~jkorpela/usenet/xpost.html

See the last paragraph.

http://www.cybernothing.org/faqs/net-abuse-faq.html#2.3


We just disagree on this. What Max did is still the standard, regardless
of opinions to the contrary.

--
Rhonda Lea Kirk Fries




Re: New Variant of Gpcode Found

"Rhonda Lea Kirk Fries" wrote in


You can't even follow the logic, can you?  What the hell do you think
happens when the FollowUp-To header is used (and obeyed)?

Those FAQs regurgitate netiquette that is over 20 years old and were
based on NNTP clients actually notifying their users that a FollowUp-To
header had been used or it could be seen in the console-mode NNTP client
when it displayed the headers.  Some NNTP clients will show the
FollowUp-To header and some even alert that a post used it when you
reply.  Many NNTP clients provide no such information.  Also, you will
notice that those FAQs never qualify why they are recommending that
behavior.  They just regurgitate what they read somewhere else.  

If someone told you that you needed their fantastic memory
defragmentation program without explaining why, would you actually get
it despite that memory access is random, anyway?


I didn't realize that I had such a huge virtual gun pointed at his and
your heads that you considered my replies as anything other than a
strong suggestion regarding netiquette.  Obviously you're too lazy to
figure out the logic in the use of that header and are some lemming that
follows what someone wrote in a "FAQ".  Okay, so continue being a
lemming and follow my "FAQ".  Duh!  Like anyone can prevent you from
making your own anarchical choices in Usenet, uh huh.

Apparently you can't even figure out that you are spewing your own
opinion regarding the use of this header.  Gee, then you must be a
control freak, too.  (rolls eyes)

Re: New Variant of Gpcode Found

VanguardLH wrote:

Which ones?

I'm using OE, and I can see the follow-ups just fine.

Can't get much more crappy a newsreader than that.

If people aren't going to compensate for a newsreader that doesn't meet
the GNKSA standard, that's too bad for them.


Well, then, write an RFD.


And your point is?


It's your posting style, obviously.


I didn't come up with what I wrote out of thin air, either.

--
Rhonda Lea Kirk Fries




Re: New Variant of Gpcode Found

"Rhonda Lea Kirk Fries" wrote in


It's been a couple months since I stopped using Outlook Express.  I
don't recall that it ever showed the FollowUp-To header, or allowing the
user to configure which headers to show, in the preview pane "header"
section.  You have to view the raw source of the message to see the
header.  It might show more headers if you open (double-click on) a
message to show in its own window but I never used it in that nuisance
mode.  Of course, if you are wary and watch what were the newsgroups to
which the original post was submitted and then to which newsgroups you
end up replying to by default then you'll notice there was a change in
that list of newsgroups.


And which RFD did you quote to substantiate your stance?


That you simply follow someone else's unsubstantiated and unexplained
viewpoint and adopt it as your own which means your viewpoint is just as
unsubstantiated and unexplained.  So far, you have bothered to explain
why YOU think using the FollowUp-To is valid and polite to those in the
newsgroups from which the discussion is getting yanked.


Based after analyzing what effects the uneducated use of the FollowUp-To
has havoced upon the threads that have used it.


You didn't bother to walk through any logic or analysis on WHY that
viewpoint was proffered, either.  Someone said it, put "FAQ" on their
web page, and you adopted it without investigating whether or not it
should be adopted.  So far, you have not disqualified my claim that the
use of the FollowUp-To is deleterious to a discussion by yanking it away
from the groups to which it was posted and also being rude to those
visitors of the other groups from which the discussion is being yanked
away.  
  
Of course, being rude has become prevalent on their anarchy known as
Usenet; however, it really shouldn't be promoted, especially by "FAQs"
which are, after all and by your own submission, their proselytization
of what is proper netiquette.  Yes, it is MY opinion that the use of
FollowUp-To is degenerative to the purpose of cross-posting (so why
cross-post at all?) and rude.  At least I have some reasons to back up
my opinion versus just spitting it out unsubstantiated.

Do you disagree that the FollowUp-To results in disconnecting the users
of the other cross-posted groups to which the message was originally
posted?  If not, just what do you think is the action of the
FollowUp-To header?

Do you think it is polite to submit your post in a group but then yank
away the discussion to another group that those respondents may not
visit?

Do you think it is polite to use the FollowUp-To header or alter the
list of newsgroups (to which respondents will reply) without providing
notification of such in the body of your post?

In YOUR opinion, what is the purpose of cross-posting to multiple groups
but attempt to force the discussion to continue in only one of them or
perhaps in a totally different group?  That is, why cross-post to the
other groups if you don't want to actually elicit a discussion over
there?

Yes, I'm spouting MY opinion regarding the *lazy* use of this header,
lazy in that users aren't considering the effect of using it.  The point
is to make users actually engage another brain cell and take some
initiative to cogitate whether or not they comply with what someone
regurgitated in a FAQ but failed to substantiate why.  Without an
impetus, people don't bother to learn, analyze, agree or disagree,
debate, or substantiate their viewpoint(s).

You've seen my arguments why the vast majority of use of the FollowUp-To
header is inappropriate.  Other than quoting someone else's FAQ, create
your own WITH substantiation to your viewpoint.  Let's hear your
arguments for why its use is beneficial to the discussion, why yanking
it out of the other groups is good, and why abandoning respondents in
the other groups is considered polite.
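As an added illustration (not code from the thread or from any newsreader), a small Python check that does what the post above suggests doing by eye: compare an article's Newsgroups and Followup-To headers and report where a reply would actually go, and which groups would lose the thread. The sample headers and group list are constructed; the special value "poster" (reply by e-mail) is the one defined in RFC 1036.

```python
"""Report where a Usenet reply will go, given the article's headers.

Added example, not from the thread. Follows RFC 1036 semantics:
Followup-To, when present, lists the groups replies are posted to;
the special value "poster" means reply to the author by e-mail.
"""
from dataclasses import dataclass, field


@dataclass
class ReplyTarget:
    groups: list[str]                 # newsgroups the reply would be posted to
    by_mail: bool = False             # Followup-To: poster -> e-mail the author
    redirected: bool = False          # reply goes somewhere other than Newsgroups
    dropped: list[str] = field(default_factory=list)  # groups that lose the thread
    added: list[str] = field(default_factory=list)    # groups that gain it


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block (up to the first blank line).
    Folded continuation lines (leading whitespace) are joined; names lowercased."""
    headers: dict[str, str] = {}
    last = None
    for line in raw.split("\n"):
        if line == "":
            break
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def split_groups(value: str) -> list[str]:
    return [g.strip() for g in value.split(",") if g.strip()]


def reply_target(raw_article: str) -> ReplyTarget:
    h = parse_headers(raw_article)
    posted = split_groups(h.get("newsgroups", ""))
    fut = h.get("followup-to", "")
    if fut.strip().lower() == "poster":
        return ReplyTarget(groups=[], by_mail=True, redirected=True, dropped=posted)
    target = split_groups(fut) or posted      # no Followup-To: reply to all posted groups
    dropped = [g for g in posted if g not in target]
    added = [g for g in target if g not in posted]
    return ReplyTarget(groups=target, redirected=bool(dropped or added),
                       dropped=dropped, added=added)


def warning_line(t: ReplyTarget) -> str:
    """One-line notice a newsreader could show before the user replies."""
    if t.by_mail:
        return "Followup-To: poster - reply goes by e-mail, not to any group"
    if not t.redirected:
        return "reply goes to every group the article was posted to"
    parts = []
    if t.dropped:
        parts.append("no longer in " + ", ".join(t.dropped))
    if t.added:
        parts.append("moved to " + ", ".join(t.added))
    return "WARNING: Followup-To set; " + "; ".join(parts)


# Constructed sample article, modelled on the cross-post in this thread (not a real capture).
SAMPLE = """\
From: max <nomail@example.invalid>
Newsgroups: alt.comp.virus,alt.privacy.spyware,
 alt.comp.anti-virus
Followup-To: alt.privacy.spyware
Subject: New Variant of Gpcode Found

Has everyone heard about this one?
"""

if __name__ == "__main__":
    print(warning_line(reply_target(SAMPLE)))
```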

Re: New Variant of Gpcode Found

VanguardLH wrote:

There's no such thing. It was a typo. RFC is the correct acronym.

And I don't recall quoting an RFC. I do recall posting two links about
netiquette.

Please to cite some support for your position.


Your viewpoint is an opinion. That's not how you presented it.


I didn't say "post," I said "posting style."


Y'know, it's not just you're a control freak. It's that you're a
control freak with way too much time on your hands.

Sheesh.

(I quit reading after my last response. It's not worth it.)

P.S. The only thing Max could have done better was to make note of the
fact that he had set follow-ups. That is the convention. You could've
made a better argument if you'd focused on that aspect rather than
trying to be a net-nanny.

--
Rhonda Lea Kirk Fries




Re: New Variant of Gpcode Found

"Rhonda Lea Kirk Fries" wrote in


Reminds me of the old joke:

Fat lady is in the bakery.  Another fat lady walks in.  First fat lady
berates the first by saying, "Everytime I'm in here I see you here."
Well, the first fat lady just berated herself, too.

("fat lady" can be replaced with "fat man" implying the consumption of
too many bakery goods ["fat person" just doesn't make the joke sing], or
even replace with "cop" due to the stereotyping)

You insulted yourself by your own logic.  Okay.


Ah, so you cannot defend your stance on using that header.

Re: New Variant of Gpcode Found

VanguardLH wrote:

Fallacy. Tu quoque.


You snipped the rest of what I wrote...for this?

Setting follow-ups is the convention. If you want to go out and campaign
for a new convention, feel free, but bitching at Max for following the
accepted convention is kinda like defending top-posting.

In other words, you may think there are good reasons for your opinion,
but it's still just your opinion.

P.S. RFC 1855, RFC 1036, RFC 2076. You might also want to see Son of
1036. I'll take Henry Spencer over you, any day of the week.

<plonk>

--
Rhonda Lea Kirk Fries




Re: New Variant of Gpcode Found

"Rhonda Lea Kirk Fries" wrote in


Yep, that's what I thought.  Tested.  She failed.
Shades of Alan Connor.

Re: New Variant of Gpcode Found


| "Rhonda Lea Kirk Fries" wrote in
|
| It's been a couple months since I stopped using Outlook Express.  I
| don't recall that it ever showed the FollowUp-To header, or allowing the
| user to configure which headers to show, in the preview pane "header"
| section.  You have to view the raw source of the message to see the
| header.  It might show more headers if you open (double-click on) a
| message to show in its own window but I never used it in that nuisance
| mode.  Of course, if you are wary and watch what were the newsgroups to
| which the original post was submitted and then to which newsgroups you
| end up replying to by default then you'll notice there was a change in
| that list of newsgroups.
|

It does.  To set Follow-Ups you have to select;  view --> all headers

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: New Variant of Gpcode Found

"What's in a Name?" wrote in


NOTE: FollowUp-To ignored.  Reply posted to original list of newsgroups.


From a cursory scan of the articles and the ones to which is linked, and
from the dearth of information provided there, the pest infiltrates a
system and then encrypts files to hold them ransom until the user pays
to get a utility to decrypt them.  The pest itself is not encrypted (as
something would have to be unencrypted to decrypt it to run that executable
but then that other program is the pest).  So the pest itself would
still be detectable even if morphed (since polymorphism for a large
number of variants will vaporize when the program gets loaded into
memory).  So the anti-malware products could still alert on the pest
based on signature and definitely on heuristics if loaded (by watching
which apps use the crypto API).  

Maybe this threat will make some users realize that they really should
be doing regular backups.
