
IRC Virii

  • 11-12-2003 10:10pm
    #1
    Registered Users, Registered Users 2 Posts: 3,945 ✭✭✭


    Yo,

    Recently I've been bombarded with virii from IRC. There's been two occasions where I've had to format and reinstall, which pisses me off to no end.

    Anyway, I've got my ZoneAlarm and my AVG installed but they don't do squat. Fair enough, AVG warns me of these two virii that I get: the randi.h virus and some other one. They're both fairly harmless to my system, but the randi.h one is used by someone to steal CD keys for games. Which is highly gay.

    So is there any way to fully block these bastards from doing it?


Comments

  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    Yes, stop using winblows.


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    what theciscokid said, with lots of !!!!! after it.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    I think there are a couple of faults in recent versions of mIRC and Internet Explorer that have facilitated the spread of this stuff. Make sure that those pieces of software (and ideally your entire system) are up to date.

    After that, don't click on URLs or accept files from individuals you don't trust.


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or




  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    Get the BlackICE firewall, here.

    Stops most attacks. And are you not running an AV??

    Thanks joePC


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    In the case of the IE problem, which allowed some scripting code to download
    an executable to any path on the user's computer:

    Say, for example, the IE user's root drive was C:\; given write access,
    a hacker could place an executable there with the name explorer.exe.

    When someone logged on to the system, let's say on NT,
    the malicious explorer.exe in C:\ would get executed before C:\windows\explorer.exe on Win9x or C:\WINNT\explorer.exe on NT.

    Same situation with DLL files that load... KERNEL32.DLL/WS2_32.DLL, etc.

    Problem is, anyone with write access to C:\ could place an image to carry
    out a task only permitted to ADMINISTRATOR.

    Then it could simply run the proper explorer.exe and exit without the
    ADMINISTRATOR knowing what happened.

    That's just as an example... add a normal user to the ADMINISTRATOR group,
    install logging utilities to capture passwords... anything, I suppose.

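The search-order hijack Martyr describes (a rogue explorer.exe or system DLL dropped in a drive root, picked up before the real copy in the Windows directory) is something a defender can check for from a plain directory listing. This is an added example, not code from the thread; the SHADOWABLE name list and the sample listing are assumptions made for the demonstration.

```python
from pathlib import PureWindowsPath

# Binary names the post says a rogue copy at the drive root would pre-empt.
# Assumed starter list, not from the original thread; extend it from your own baseline.
SHADOWABLE = {"explorer.exe", "kernel32.dll", "ws2_32.dll"}

# Constructed sample directory listing (not real data), one full path per entry.
SAMPLE_LISTING = [
    r"C:\WINNT\explorer.exe",
    r"C:\WINNT\system32\kernel32.dll",
    r"C:\WINNT\system32\ws2_32.dll",
    r"C:\explorer.exe",               # rogue copy at the root, as described in the post
    r"C:\Program Files\mIRC\mirc.exe",
    r"D:\WS2_32.DLL",                 # same trick on a second drive, different case
    r"C:\Temp\explorer.exe",
]


def find_shadowing_binaries(listing, shadowable=SHADOWABLE):
    """Flag files that sit directly in a drive root and carry the name of a
    binary Windows would otherwise load from its system directory.

    Returns a sorted list of (rogue_path, other_copies) tuples, where
    other_copies are the non-root files sharing the same (case-folded) name.
    """
    by_name = {}
    for raw in listing:
        path = PureWindowsPath(raw)  # parses Windows paths on any host OS
        by_name.setdefault(path.name.lower(), []).append(path)

    findings = []
    for name, paths in by_name.items():
        if name not in shadowable:
            continue
        # A file is "at the root" when its parent is the drive anchor (C:\, D:\, ...).
        at_root = [p for p in paths if p.parent == PureWindowsPath(p.anchor)]
        elsewhere = sorted(str(p) for p in paths if p.parent != PureWindowsPath(p.anchor))
        for rogue in at_root:
            findings.append((str(rogue), elsewhere))
    return sorted(findings)


if __name__ == "__main__":
    for rogue, copies in find_shadowing_binaries(SAMPLE_LISTING):
        print(f"{rogue} would be loaded ahead of: {', '.join(copies) or 'no other copy found'}")
```

Feed it the output of a recursive listing of each drive; any hit is worth investigating, and write access on the drive root for ordinary users is the precondition to remove.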

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I forgot to mention a little thing too about firewalls which some of
    you might find a little interesting.

    I saw, about 4 years ago, a virus that would terminate firewalls/anti-virus
    software, anything that could stop it functioning properly, using
    the PostMessage API specifying WM_QUIT/WM_DESTROY or WM_CLOSE.

    This was effective on Win9x... and some software on NT.

    Now that most users of Win9x are upgrading to XP or NT,
    it allows for a more interesting way of avoiding detection of malicious code
    without terminating the application.

    If you are a frequent user of an internet browser... let's say Microsoft Internet Explorer.
    And, as an assumption, you have a firewall rule to ALWAYS allow connections
    outward by Internet Explorer...

    In the window title, you see "Internet Explorer".

    If code were to enumerate all windows using EnumWindows and then,
    using GetWindowText, compare the text with "Internet Explorer"; if it is equal, allocate
    memory there using VirtualAllocEx, inject relocatable TCP/IP code
    using WriteProcessMemory and finally execute it with CreateRemoteThread.

    This goes unnoticed by some firewalls like ZoneAlarm... perhaps any Windows
    firewall.

    I've seen this done, and yes, it works perfectly, although it's not been
    mentioned much.


  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    This is a fairly common technique. Another one used by a lot of adware/spyware is simply to install itself as a Browser Helper Object. As well as being able to freely send/receive data through your firewall, they'll have access to all Windows messages passed through the browser.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Access to all messages as in... a message hook, using SetWindowsHookEx,
    or an API hook? Replacing functions.
    I'm not aware of any spyware/adware that uses relocatable TCP/IP code
    in order to bypass a firewall.
    Although, it could debug a process, duplicating a socket handle... maybe.


  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    Originally posted by Average Joe:
    Access to all messages as in... a message hook, using SetWindowsHookEx,
    or an API hook? Replacing functions.

    My bad; events, not messages. This explains the methods used a lot better than I could.

    I'm not aware of any spyware/adware that uses relocatable TCP/IP code
    in order to bypass a firewall.
    Although, it could debug a process, duplicating a socket handle... maybe.

    Should've been a full stop there - meant in viruses - although I do remember some spyware samples doing it, I can't remember names. Some viruses that use the technique are W32.HLLW.Lovgate.G@mm, W32.Randex.E, Backdoor.EggDrop, and Backdoor.Spotcom.


  • Registered Users, Registered Users 2 Posts: 11,987 ✭✭✭✭zAbbo


    And check here

