Virus Warning

  • Thread starter: Joe Bloggs
Joe Bloggs said:
Kaspersky Anti-Virus found a nasty in a file that may have been
recommended here (I can't remember where I heard of it).

The downloaded file was "setup_service_controller_XPv2.2.61.zip ",
which supposedly allowed user management of Windows services.
Kaspersky identified it as TrojanDropper.Win32.Small.gt.

You probably got the file here

http://www.gratilog.net/anglais/systeme/

I downloaded it also. I have scanned it with
Norton, AVG, and Anti-Vir and none of them
find a virus. Perhaps it is a false alarm.

Richard
 
Vrodok the Troll <[email protected]>:

[Snip]

Let's decapitate off that ill-conceived tangent.

Replace with a new subject:
I do very-much like "discombooberating" files which are suspect, to find out what
makes them "tick".

Here is a gift, from me to you, which will screw up your computer.

http://www.redshift.com/~omega/2004/var/tmp/mal/

From all I can tell, its effect is only temporary. Yet it is a bad enough
effect that it requires a reboot. Launching the ftping.exe there, the effect
is that all icons throughout your system, they are immediately wiped out.

The lack of the icons, a correspondent effect is that you lose drag-drop
ability for file system objects. Not sure what else, as I went ahead and
rebooted almost immediately following the several times I'd launched it.

I have not investigated this thoroughly. Casual AV & Trojan scans, it was
never flagged. OTOH, I never got around to turning on the most liberal
heuristics settings, and pointing the scanners at this file.

I feel that it might be only a programming bug in ftping itself, and not
intended as malware. Yet even then, the effect at least (even if not the
intention) -- it's mal, in the same profile of "joke trojans."

Perhaps you want to do some investigation on that file? I'd be curious
for explanation, or at least theory, on its story.

__________
Btw, please grab it early. I plan to delete it from webspace after today.
Temporary upload only, as a compromise in my not being familiar with the
standards of decent behavior for knowingly making public programs with
ill effect like this one.
 
One of the weirdest trools I've ever paid attention to, named "the
Entity," it did that weird mix. There were two people, sharing posting
for a pair of primary personas. Then one of those two people used about
four additional minor personas. Then one of those minor personas, it was
such a compelling character (an "evil church lady"), that there became an
unclear number of other people who posted using its identity. It was all
very confusing, of course. And strange. The main redeeming factor was that
the Entity spent most of its energies within a newsgroup dedicated to
supporting those sorts of pastimes...

Ever more confuzling. Or something like that.
 
Beta software could have programming errors which would explain the
results that you experienced. Have you tried the latest version? The
latest version's executable is 40kb larger, so I would hope that the
problem has since been resolved.
 
[rearranging quoted text, for my convenience]
Have you tried the latest version? The latest version's executable is 40kb larger,
so I would hope that the problem has since been resolved.

<http://www.pjfdata.se>
Just now downloaded and launched the one you refer to (same version, diff
size, later date). Same problem. Time to reboot. :<
Beta software could have programming errors which would explain the
results that you experienced.

Since now the download source is confirmed to be the developer's own site,
your point about the beta resolves this story to my satisfaction. An issue
alone of buggy/bad coding, which lives separate from the range of malware
scanning...
 
Vrodok the Troll <[email protected]>:

[Snip]

Let's decapitate off that ill-conceived tangent.

Replace with a new subject:
I do very-much like "discombooberating" files which are suspect, to find out what
makes them "tick".

Here is a gift, from me to you, which will screw up your computer.

Not yet (then again, I didn't double-click upon it). Checked w/perhaps 6
anti-vir/troj programs, also Hex Workshop 4.23, Peek 1.1, & Resource Hacker
3.4.0.79.
http://www.redshift.com/~omega/2004/var/tmp/mal/

From all I can tell, its effect is only temporary. Yet it is a bad enough
effect that it requires a reboot. Launching the ftping.exe there, the effect
is that all icons throughout your system, they are immediately wiped out.

The lack of the icons, a correspondent effect is that you lose drag-drop
ability for file system objects. Not sure what else, as I went ahead and
rebooted almost immediately following the several times I'd launched it.

I have not investigated this thoroughly. Casual AV & Trojan scans, it was
never flagged. OTOH, I never got around to turning on the most liberal
heuristics settings, and pointing the scanners at this file.

I feel that it might be only a programming bug in ftping itself, and not
intended as malware. Yet even then, the effect at least (even if not the
intention) -- it's mal, in the same profile of "joke trojans."

Perhaps you want to do some investigation on that file? I'd be curious
for explanation, or at least theory, on its story.

__________
Btw, please grab it early. I plan to delete it from webspace after today.
Temporary upload only, as a compromise in my not being familiar with the
standards of decent behavior for knowingly making public programs with
ill effect like this one.

Thank you for the "heads' up".

Courtesy of "Resource Hacker" (free program; was a subject of
considerable-discussion in this group not too long ago), I noticed a few
short/small strings, the characters of which appeared rather unfamiliar. R-A
was the only prog which showed these charac's. Something to keep in mind,
perhaps.
 
omega said:
The main redeeming factor was that
the Entity spent most of its energies within a newsgroup dedicated to
supporting those sorts of pastimes...

I used to do a lot of morphing in silly groups. Getting the headers
right; making sure there were no IP clues, keeping the posting style
different...
Daft amount of work just to be silly :-)
 
jo said:
I used to do a lot of morphing in silly groups. Getting the headers
right; making sure there were no IP clues, keeping the posting style
different...

In some groups, I used to have my agent.ini set with NNTP-posting-host
in the NewsBaseFields=, since that had more immediate meaning than the
constantly morphing From: fields. Of course, yep, reading headers doesn't
take care of the more sophisticated morphers.

I'm fairly okay at recognizing "voice," and I've been able to ID individuals
successfully on that basis, outside of headers, on occasion. Yet when
they're deliberately maintaining special characters, and they've a little
talent, then that poses an extra challenge.

If they're furthermore strategic about their timing and similar (namely,
being careful of the common give-away of having sock puppets who only roll
for the function of supporting one particular poster whenever they get backed
into a corner during a flamewar), then their chance of getting caught out
is really tiny.

The aforementioned Entity, it took an entire mailing list, as a thinktank,
and a couple of years collective effort, to be able to half-validly piece
together the workings behind its puppet shows. It was justifiably one vewwwy
proud Troll. (The Entity used to regularly piss me off. The yob of a good
troll. Now these years later, I have to concede credit to its talents where
due.)
Daft amount of work just to be silly :-)

One of my heroes, for being the greatest of the Usenet Performance Artists,
and equally the most devoted and dedicated to the craft, that would be Raoul
Xemblinosky III. You know, I'd sort of assumed he retired. Assumption because
of not being near his playgrounds in such a long time.

It was back in the 90's when I used to follow some of the plays in nanau &
nosers and the others. My netnews reading has not roamed much at all over
these past 4-5 years. On occasional bouts for reminiscing, it included visits
to Xemblinsosky's homepage <http://member.newsguy.com/~shpxurnq/> -- and that
appeared to be basically an historical document.

Then tonight, on thinking about it, I checked groups.google.com. And wow,
he does seem to be still active. Naturally the first interpretation of
seeing recent hits, it would be that it was nothing other than evidence
that others had adopted his famous nym (as per tradition). Reading a few
of the posts, however, I do imagine that I am accurately recognizing his
voice. That it's not this time one of the headers morph things....

Ok, Jo, it might be a daft amount of work, but that sure doesn't stop the
Usenet feature of some amazingly indefatigable characters, who demonstrate
the most formidable commitment to the pursuit of the silly....
 
omega said:
In some groups, I used to have my agent.ini set with NNTP-posting-host
in the NewsBaseFields=, since that had more immediate meaning than the
constantly morphing From: fields. Of course, yep, reading headers doesn't
take care of the more sophisticated morphers.

I used to put my own NNTP-posting-host into Agent sometimes...
I'm fairly okay at recognizing "voice," and I've been able to ID individuals
successfully on that basis, outside of headers, on occasion. Yet when
they're deliberately maintaining special characters, and they've a little
talent, then that poses an extra challenge.

Changing, and maintaining a different 'voice' is a bit fun :-)
If they're furthermore strategic about their timing and similar (namely,
being careful of the common give-away of having sock puppets who only roll
for the function of supporting one particular poster whenever they get backed
into a corner during a flamewar), then their chance of getting caught out
is really tiny.

Yep; I used to flame my socks sometimes. Those were the days. *sigh*
One of my heroes, for being the greatest of the Usenet Performance Artists,
and equally the most devoted and dedicated to the craft, that would be Raoul
Xemblinosky III. You know, I'd sort of assumed he retired. Assumption because
of not being near his playgrounds in such a long time.

I always had a bit of affection for Menjy who used to hang out in flonk;
dunno if he's still about...
Ok, Jo, it might be a daft amount of work, but that sure doesn't stop the
Usenet feature of some amazingly indefatigable characters, who demonstrate
the most formidable commitment to the pursuit of the silly....

I must have had a lot more leisure time in those days...
 

Thanks for the kind compliments, Karen! Rumors of my demise are indeed
largely exaggerated.
 
I used to put my own NNTP-posting-host into Agent sometimes...

Changing, and maintaining a different 'voice' is a bit fun :-)


Yep; I used to flame my socks sometimes. Those were the days. *sigh*


I always had a bit of affection for Menjy who used to hang out in flonk;
dunno if he's still about...


I must have had a lot more leisure time in those days...

I *know* I did.
 