Re: Virus/Trojan Help Needed in Security

Re: Virus/Trojan Help Needed in Security http://www.dslreports.com/forum/r4539672 en Mon, 09 Nov 2009 01:50:58 EDT Mon, 09 Nov 2009 01:50:58 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4559073 sig : Perhaps checking if they're authorized by the VB to use the 100% VB logo on their site? Or if the VB has any restrictions regarding the use of their logo?

[text was edited by author 2002-09-28 22:34:17]
]]> http://www.dslreports.com/forum/remark,4559073 Sat, 28 Sep 2002 22:21:21 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4558110 CalamityJane :

quote:
That is despicable

And Name Game says he can't spell (heh, he got this one right...AND the right definition because typing write is not the same as spelling right, but who really cares?)

So, where is Quantic who removed his location hiding? It takes a whole day to read two threads? Or one whole day to "formulate" a response? I usually don't "formulate", I usually just respond.

Waiting for this answer and the one on the sister/brother thread
»eAnthology
--
It takes a disaster to make a woman out of a female]]> http://www.dslreports.com/forum/remark,4558110 Sat, 28 Sep 2002 20:28:53 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4553413 Name Game :

said by Name Game :
7.What is going on here at this link about your products?

Mysterious "spam"

»news.spamcop.net/pipermail/spamc···035.html

_____________________________

8. When people go here to read about your stop sign..why do they instantly get the popup in their face to download it 2 seconds later.

»www.stop-sign.com/?pg=eanthology···ne&clk=1

RE: Number 8.

To clear up any confusion..that link..is not any click through on anything... Nothing to do with their ad or the crazy little tests they have for you.

It came from the action of anyone just going to their Home page
»www.stop-sign.com/

Trying to find out what this thing is all about.

EANTHOLOGY SUPPORT SUBSCRIBE DOWNLOAD

Then hitting the TAB button on the top of that page called DOWNLOAD.

That's it. you get the popup to download and you can not even read the page called download and find out anything about the product. On that page they do have reference to DR WEB and some other info. But you can not read it becuase the Popup to download it is right in your face. If you do not hit the cancel button but rather the close X it will start download the whole thing on your system. Then you will see that on this page there is a download NOW button...too late..they have the page hooked to the click through.

That is despicable.

And if you hit the button called SUBSCRIBE..you get another Popup..you can not read about this product and find out what is all about to even subscribe..and that is why so many people still have questions in the other thread at this forum calle eAnthology. No one even knows what the whole program plan they offer is all about until you have a PC full of their downloads and then you have to struggle to clean them off. ]]> http://www.dslreports.com/forum/remark,4553413 Sat, 28 Sep 2002 08:52:28 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4551890 Ginger5 : Jane, stick a fork in me; I'm done :)
--
We tweak it because it's there.]]> http://www.dslreports.com/forum/remark,4551890 Sat, 28 Sep 2002 00:52:22 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4551871 Ginger5 : "Quantic
Posts: 13
Joined 09-23-2002

In response to Ginger: Good morning all. I want to thank you fgor the warm welcome I received yesterday but neglected to mention in my tired state. Now I am refreshed and it would appear time to answer some more concerns.

1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.

2) They see one of our banners,....

First - We use a 3rd party scanner engine...."

Mods (ahem) ??
--
We tweak it because it's there.]]> http://www.dslreports.com/forum/remark,4551871 Sat, 28 Sep 2002 00:49:34 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4539672 CalamityJane : Ginger,

The saga continues here (and has instructions by Name Game & Guycad on how to get OFF your friend's machine)
»eAnthology
--
It takes a disaster to make a woman out of a female]]> http://www.dslreports.com/forum/remark,4539672 Thu, 26 Sep 2002 20:15:16 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4539364 Ginger5 : Interesting...]]> http://www.dslreports.com/forum/remark,4539364 Thu, 26 Sep 2002 19:43:59 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4517577 CalamityJane : Gee...downloading your program and never even once said "Yes".

P.S. I recreated this event from the website she was at and got the popup ad. NEVER ONCE DID I HIT A SCAN NOW BUTTON....just the ad to close it.
--
It takes a disaster to make a woman out of a female
[text was edited by author 2002-09-24 17:37:41]

]]> http://www.dslreports.com/forum/remark,4517577 Tue, 24 Sep 2002 17:23:45 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4517549 CalamityJane :

said by Quantic :

Concerning the question of how they get our software. There are only three ways they can get it. There are NO OTHER options.

1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.

2) They see one of our banners, click through, and it takes them to our download pages.

3) They visit other download sites where we have affiliates with, and they download from there.

Here's how my neighbor just got HIJACKED by one of your "banners". She was at a genealogy website "Find A Grave" (yes, one frequented by seniors).....Got a pop up ad. See picture one. See the little "x" to "close" the annoying ad? She click that and got....taken to your website instead
»defender.veloz.com/dlp_ban/dlp_b···=online

Ok- tried to use the back key to go back to the original Find A Grave site she was on and Voila, see picture #two. Before that could fully load, she got the following warning from her firewall (see my next post)
--
It takes a disaster to make a woman out of a female
[text was edited by author 2002-09-24 18:13:53]

]]> http://www.dslreports.com/forum/remark,4517549 Tue, 24 Sep 2002 17:21:21 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4517221 davidovv : Hope you don't mind interfering here. As for Dr.Web, one should address first and foremost their actual home page:

»www.dials.ru/english/home.htm

No offense, Quantic - bit IMO that's where those interested in this AV should go to - the real source.

regards.

paul wilders

»www.wilders.org security]]> http://www.dslreports.com/forum/remark,4517221 Tue, 24 Sep 2002 16:50:07 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4516521 sig : Frankly, no that doesn't address my concern since your product still is not Dr. Web and has not received the VB 100% award. I've responded more fully in the other thread. ]]> http://www.dslreports.com/forum/remark,4516521 Tue, 24 Sep 2002 15:34:45 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4516016 Randy Bell : Apparently Quantic borrowed the description of trojan.apex.10 from Trend:

Aliases: WORM_APLORE.A, APLORE.A, Worm.PSecure, APLORE, Aphex, Apex

WORM_APLORE.A - Description and solution
»www.trendmicro.com/vinfo/virusen···APLORE.A

This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.

Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to to users connected to the same Internet Relay Chat (IRC) channel as its infected user. :):)]]> http://www.dslreports.com/forum/remark,4516016 Tue, 24 Sep 2002 14:40:57 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4515961 Quantic : Sig:

The reference is the scanner engine we use. The Dr. Web scanner engine is made by Dialogue Science. They received the VB 100% award for the Dr. Web engine. We use that same engine and added some additional features and enhancements, but the core is the same. Hence the VB 100% award.

Does this explain your concern?]]> http://www.dslreports.com/forum/remark,4515961 Tue, 24 Sep 2002 14:33:15 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4515938 sig : En route to perfection in regards to your product (certainly something I would encourage) and given whatever bad press your company has received, you might also want to clarify on your site that the use of the Virus Bulletin 100 % logo on your subscribe/purchase pages does not imply that your product has received a VB 100% award. Unsophisticated and unknowing users might see that logo on your site and mistakenly infer that Stop-Sign has received such a performance rating or some other endorsement from the VB. Or, simply remove the VB logo and thus ensure no such mistaken inference is possible.

»eAnthology]]> http://www.dslreports.com/forum/remark,4515938 Tue, 24 Sep 2002 14:29:05 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4515722 Quantic : Good morning all.

I want to thank you fgor the warm welcome I received yesterday but neglected to mention in my tired state. Now I am refreshed and it would appear time to answer some more concerns.

First - We use a 3rd party scanner engine made by www.drweb32.com

Whatever terms they use for their viruses is entirely up to them. As Randy pointed out, even Symantec has troubles classifying the same things as other people. Here is an analogy, albeit maybe a bad one, but an analogy nonetheless.

The differences between GM cars in parts are negligent. Most are the exact same thing, the exact same part, but yet the GM makers have different names for each of them for each automobile maker. Think of this in terms of the AV side. The scanners all work in approximately same way, but we have different names for each of the viruses, and definitions. Bad analogy? Maybe.

Concerning the question of how they get our software. There are only three ways they can get it. There are NO OTHER options.

1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.

2) They see one of our banners, click through, and it takes them to our download pages.

3) They visit other download sites where we have affiliates with, and they download from there.

Concerning bad press: Yes we received quite a bit of bad press that we are reeling from, and working diligently to fix. We have made great strides in our software to ensure it works with every Windows OS, and is compatible with the competition. There are still a few bugs that needs to be worked out, but we know about most of them, and are making changes as we speak.

We are not perfect, but we have that goal in mind.]]> http://www.dslreports.com/forum/remark,4515722 Tue, 24 Sep 2002 14:01:33 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4513545 Name Game : Nice examples Randy...but we are talking about Aplore here and nothing else. They can call it Apex if they wish...but when a user or potential user of their product gets a message from this product or download it should be accurate in the wording it uses..to ask someone if the wish to clean off a trojan is a lot different than a virus or worm..unless we are going to start changing definitions of the terms..but the biggest problem is the way people have ended up with this software on their PC with the ad campaign and never wanted it in the first place.

I have no grudge against this venture personally..but I have many email from confused people who keep on asking me what this thing is all about..how did it get on their system..and what they should do because their own AV/AT tells them their PC is just fine..and working with them I have found that they are right. The other group are older people who are very confused and the feel intimidated..others helpless for they are trying to do the right thing to protect their PC and the friends they email with. I think it all very unfair.

These people only do email and do not visit many sites, are not into P2P or chats and their PC's have not been compromized.]]> http://www.dslreports.com/forum/remark,4513545 Tue, 24 Sep 2002 08:33:45 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4513103 Randy Bell :

said by Name Game:
is not Aplore a worm or is it a trojan?

I've noticed the same problem with some malware: there seems to be a fuzzy line between a worm and a trojan. One such example I came across was the nautical worm:

Symantec Security Response - W32.HLLW.Nautic
»securityresponse.symantec.com/av···ic.html

Also Known As: BKDR_NAUTIC.A [Trend], Worm.Win32.Nautical [AVP]

Note Trend's detection as BKDR_NAUTIC.A, suggesting a backdoor trojan. Computer Associates lists one alias as Backdoor/Nautical.Server, also suggesting a trojan.

Nautical comes in a zipfile package containing a "server" and "client" part: nautical.exe and client.exe. NAV detects the client part as Backdoor.Trojan.Client, suggesting that nautical is a trojan.

KAV detects both client and server parts as Worm.Win32.Nautical. eTrust detects the server as a worm named Win32.Calinaut. But F-Prot detects it as "security risk or backdoor/trojan".

Computer Associates (eTrust) states: Win32.Calinaut is a worm that spreads by creating network shares on the local machine and then offering itself enticingly. It can also exhibit backdoor like functionality.

So we get conflicting messages from the names and descriptions given this malware by various vendors. I'm wondering whether the same confusion applies here, with W32/Lastscene@mm TROJ_SCENES detected by Sophos.

If we call this thing a worm, note that it also apparently contains a dropper for two trojans, Troj/Optix-03-C and Troj/WebDL-E. So it contains the functionality of both a worm and a trojan, which is confusing. :):)

[text was edited by author 2002-09-24 06:49:33]]]> http://www.dslreports.com/forum/remark,4513103 Tue, 24 Sep 2002 05:55:33 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4513025 Name Game : I would also like to talk to you about the user who "had" QO WebDL on their system in this thread...I posted the definition of it in a previous post in this thread...you also then gave your understanding of it in your 2) above.

I question it..for it is not completely accurate..this is a better one. For Lastscene. But if you read the whole thing.

How could "Troj/WebDL-E" even have been on that person system????

Why did not your program just call it Lastscene????

Also..is not Aplore a worm or is it a trojan?

_____________________________________________

W32/Lastscene@mm TROJ_SCENES

Type
Visual Basic Script worm

Detection
Detected by Sophos Anti-Virus since January 2002.

Description
VBS/RTF-Senecs arrives in an email message with the following characteristics:

Subject: Scene from last weekend
Message: Please do not forward
Attachment: scenes.zip

The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable detected by Sophos Anti-Virus as Troj/Senecs using the IDE file for VBS/RTF-Senecs.

If the embedded executable is opened (run), it drops and runs a VBS file which attempts to send scenes.zip to all contacts from the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans, Troj/Optix-03-C and Troj/WebDL-E. Both Trojans are detected using the IDE file for VBS/RTF-Senecs.

Troj/Optix-03-C is a backdoor Trojan that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the sub-directory \OleFiles\, moves itself there and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = \OleFiles\.

This ensures that the server process is run automatically each time the machine is restarted.

Troj/WebDL-E attempts to download and run a program from a tripod.com website. The downloaded program is the Troj/Sub7-21-I backdoor Trojan. Troj/WebDL-E will also attempt to send a success notification message to an ICQ account. After running, the Trojan removes itself from the system.
]]> http://www.dslreports.com/forum/remark,4513025 Tue, 24 Sep 2002 04:48:44 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4512207 Randy Bell : As I suspected, all the major AVs detect the Yaha worm:

Sophos virus analysis: W32/Yaha-E
»www.sophos.com/virusinfo/analyse···ae.html

Trend Micro: WORM_YAHA.E
»www.trendmicro.com/vinfo/virusen···_YAHA.E

McAfee - AVERT: W32/Yaha.g@MM
»vil.nai.com/vil/content/v_99528.htm

F-Secure Computer Virus Information Pages: Yaha.E
»www.f-secure.com/v-descs/yaha_e.shtml

Antivirus - Security - Norman: W32/Yaha.E@mm
»www.norman.com/virus_info/w32_ya···m.shtml

Panda Software: W32/Lentin.E
»www.pandasoftware.es/library/W32···_en.htm

Symantec Security Response - W32.Yaha.E@mm
»securityresponse.symantec.com/av···mm.html

Computer Associates: Win32.Yaha.D
»www3.ca.com/virusinfo/Virus.asp?ID=11900

Kaspersky Labs: I-Worm.Lentin (aka Yaha)
»master-ve.kaspersky-labs.com/vir···d=49928

[text was edited by author 2002-09-24 06:37:42]]]> http://www.dslreports.com/forum/remark,4512207 Tue, 24 Sep 2002 00:50:32 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4512088 Randy Bell : Symantec Security Response - W32.LastScene@mm
»www.symantec.com/avcenter/venc/d···@mm.html

McAfee - AVERT: W32/LastScene.a@MM
»vil.nai.com/vil/content/v_99299.htm

VBS/LastScene
»www.vsantivirus.com/lastscene.htm
Translation: »translate.google.com/translate?h···%3DUTF-8

VBS/Couple.A (VBS/LastScene.B)
»www.vsantivirus.com/couple-a.htm
Translation: »translate.google.com/translate?h···%3DUTF-8

There are several other references to this worm, but they are unfortunately not translated into English.]]> http://www.dslreports.com/forum/remark,4512088 Tue, 24 Sep 2002 00:36:48 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511824 Quantic : Our Terms and Conditions:

They are in the process of being drastically changed. They were written at the begining of our company's switch to the AV market, and we realize that things have changed since then.]]> http://www.dslreports.com/forum/remark,4511824 Tue, 24 Sep 2002 00:06:22 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511803 Quantic : Continued:

5) Why do you use names for these trojans that are not common to other AV/AT?

Our scanner engine comes from:
»www.drweb32.com/

The names they choose for detecting their viruses is entirely up to them. We add aliases in the software for common known file type names however.

6) There is no 6. 8)

7) Mysterious spam question.

Let me give you a little insight. We are a new company in this field. The spam that was mentioned was when we had a bug in our mailing system and sent our marketing email to users several times within minutes of each other. It was an honest to gosh mess and we have paid dearly for the mistake. Once branded as a "spammer" and it is difficult to remove the brand. That issue has been fixed, just an FYI.

8) Can you point out the exact steps to get to that link? It is treating it as a click through to download the scan.]]> http://www.dslreports.com/forum/remark,4511803 Tue, 24 Sep 2002 00:04:23 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511727 Quantic : Name Game:

Let me attempt to answer each of these questions in full before we move on to the next. Bear with me, as one of my previous posts had to be shortened to get in under the preview, so let's give it a shot.

1) What is QO WebDL?

Alias: VBS_LastScene, Troj_LastScene, Win32/LastScene.A, VBS/LastScene@MM, Win32.LastScene@mm
Category: VB Script, Win32
Type: Worm
Alert: Low

Characteristics:

QO WebDL is an e-mail worm that uses Microsoft Outlook to spread.

The worm arrives attached to an e-mail with the following Subject line:

"Scene from last weekend."

and a message body that reads:

"Please do not forward!!!"

The attached file is a ZIP archive named:

“scenes.zip”

Inside the ZIP archive, there is one RTF document called: “scenes.wri”. In the standard Windows installation, files with the extension “wri” are associated with the WordPad application. When a user opens this file he/she will be presented with the following display:

Opening the embedded object represented by the right icon (scene2.jpg) opens an embedded picture and does not perform any malicious operation.

However, following the left link (scenes1.jpg) results in running an embedded malicious Win32 executable program (detected as Win32.Scene worm). This program carries and installs Win32.Optix.02 backdoor and drops WebDL.C Trojan (when executed this Trojan downloads another backdoor: Win32.SubSeven.21.B).

The Optix backdoor is located in the file: “%Windows\OleFiles\realupdt.exe” and the registry is modified in order to load the backdoor at the system start-up.

Also it drops and executes a VB Script, which uses Microsoft Outlook to e-mail copies of the worm (scenes.zip) to all entries located in all Address Lists.
In order to distract a user from all its background activity, the worm displays yet another picture:

It is important to note that the worm cannot spread automatically and requires a lot of user ‘co-operation’. Pre-viewing, opening an e-mail or even clicking on the attachment will not result in the execution of any malicious code. A user must click on the left icon shown in the WordPad document in order to trigger the worm replication.

Additionally the “scenes.zip” must be located in the Windows Temp directory in order to send e-mails with any attachments (otherwise e-mails will not spread worm files).

2) Our software requires a connection to check for virus definition updates, or newer versions of the scanner engine, or eanthology manager application.

3) The only "spyware" that may be contained within our software is the ability to check for virus definitions, check for user status (premium, vip account status), and the ability to send the scan results to our support department. Any other claim is false.

4) We do our very best to clean all viruses we detect off an infected machine. Some viruses, as you may already know, require some manual intervention. That is where our support department comes in.

Continue on next thread.]]> http://www.dslreports.com/forum/remark,4511727 Mon, 23 Sep 2002 23:57:11 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511663 Name Game : This is your T and C page...besides the below statment...I have read it all before..I think it stink..and you can not be serious about half the stuff you have there>

Installation may also include the eAcceleration Download Receiver or other Provider free software. End Users also agree to allow Provider to display online advertising for our own products, if they are not paid subscribers.

»www.eanthology.net/legal/sa/]]> http://www.dslreports.com/forum/remark,4511663 Mon, 23 Sep 2002 23:50:07 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511558 Name Game : 7.What is going on here at this link about your products?

Mysterious "spam"

»news.spamcop.net/pipermail/spamc···035.html

_____________________________

8. When people go here to read about your stop sign..why do they instantly get the popup in their face to download it 2 seconds later.

»www.stop-sign.com/?pg=eanthology···ne&clk=1]]> http://www.dslreports.com/forum/remark,4511558 Mon, 23 Sep 2002 23:40:27 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511313 Name Game : Yes.

1.What is "QO WebDL" and do you think that gingers friend had all those problems on one system?

2. Does you software require all that constant connection to sites and if so what is it doing?

3. Does your software contain what they call in this forum spyware?

4. Does your software clean all trojans off a system?

5.Why do you use names for these trojans that are not common to other AV/AT?
[text was edited by author 2002-09-23 23:22:03]
]]> http://www.dslreports.com/forum/remark,4511313 Mon, 23 Sep 2002 23:20:17 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511308 Randy Bell :

said by Quantic :
trojan.yab.20

Aliases:
Yaha, module of Yaha

Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.

It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.

Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you.

Norton detects six variants of Yaha, and I'm sure the others you mentioned (McAfee and Trend) detect it too. What I didn't know was that Yaha is related to YAB.

Symantec Security Response - W32.Yaha@mm
»securityresponse.symantec.com/av···@mm.html

Welcome to dslreports, Quantic!! :):)]]> http://www.dslreports.com/forum/remark,4511308 Mon, 23 Sep 2002 23:20:07 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4511012 Quantic : Good day all.

I would like to take this opportunity to put to rest any questions you may have concerning the eAnthology software as I will be acting as a representative for eAcceleration Software, the makers of the eAnthology suite, and most notably, the Stop-Sign Personal Alarm service.

A little history here if you will:

Stop-Sign is an "on command" virus scanning utility. This means that it will scan your computer for viruses only when you run it, there-by minimizing the draw on your system's resources. When the full version of scanner (available
only by subscribing to eAnthology) detects a virus, it will cure or eliminate it if possible, or quarantine it, thus preventing the virus from causing your computer any further harm. If it can do nothing else, the Stop-Sign scanner
will alert you to the possiblity of a virus or threat. In addition to alerting you, if your computer is connected to the internet when the scan is run, Stop-Sign will automatically send the results of the scan to eAnthology Customer Support Team. We are notified of the results of the scan and can respond immediately with the correct action if any is needed.

* The trial version of the virus scanner is meant to give prospective customers a look at the functionality and interface of the software. It will perform only
a light scan of your system and is unable to "cure" any viruses it may find.

I hope this gives you a better understanding of our product, service and support.

Now, on to the viruses:

trojan.apex.10
Apex: WORM_APLORE.A

Risk rating:
Virus type: Worm
Destructive: No

Aliases:
APLORE.A, Worm.PSecure, APLORE, Aphex, Apex

Description:
This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.

Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to to users connected to the same Internet Relay Chat (IRC) channel as its infected user.

trojan.ie.start

Description:
This Visual Basic Script Trojan modifies the Internet Explorer startup page link to connect to »www.passthison.com/r1/?did-you-w···his-time, or any other url designated by the code modifier. It does not have a destructive payload, just causes an annoyance.

trojan.yab.20

Aliases:
Yaha, module of Yaha

Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.

It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.

Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you. Here is a link to our virus engine if you would like to peruse around.

»www.drweb32.com/

Here is another link done by a 3rd party comparing each engine and how it rates. Click on the link that points to Dialogue Science.

»www.virusbtn.com/vb100/archives/products.xml

I hope this helps to answer any questions you may have had on this subject. Please feel free to respond with any more questions/concerns, and I will address them directly.]]> http://www.dslreports.com/forum/remark,4511012 Mon, 23 Sep 2002 22:55:58 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4510734 Randy Bell : Yeh, I should have searched DSLR rather than Google:

Hmmm...klimax says that The Cleaner detected YAB on his system: »Help! Possible trojan/back door

But this could be a variant of YAB undetected by Moosoft. :):)
[text was edited by author 2002-09-23 22:54:43]]]> http://www.dslreports.com/forum/remark,4510734 Mon, 23 Sep 2002 22:33:19 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4510539 Name Game : LOL...Randy did you ever think about searching your own DSLR Forum instead of Google?????»Help! Possible trojan/back door

And what is this "nice find" stuff ????
[text was edited by author 2002-09-23 22:20:19]]]> http://www.dslreports.com/forum/remark,4510539 Mon, 23 Sep 2002 22:18:27 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4510319 Randy Bell : I found this at Symantec, which I'm unsure is the same thing referred to here (not much info):

DSME.Apex.2893
»securityresponse.symantec.com/av···82.html

I also found this at Sophos:

Sophos virus analysis: Joke/Apex-A
»www.sophos.com/virusinfo/analyse···xa.html

As a final step, I sent an IM to IGGY who runs TDS-3 on his system, to check his database for these trojans and post here if he finds anything. :):)

[text was edited by author 2002-09-23 22:25:11]]]> http://www.dslreports.com/forum/remark,4510319 Mon, 23 Sep 2002 21:58:47 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4509075 Name Game : Yet Another Binder 2.01

Description:Yet Another Binder (YAB) is a powerful multi-featured file binding tool that can be used to distribute a number of files to a target system very discretely.

Up to 50 commands
Compatible with Windows 9x/NT/ME/2K/XP. (Untested on 95, NT and ME)
Up to 100MB of files can be bound in total. Each file can be up to 10MB in size
File Extraction, Execution, Deletion all supported
Random characters in filenames (by using wild cards)
Fake (customizable) message box.
Custom icon for output file.
Built in icon library.
Melt stub on execution.
Much, much, more! ]]> http://www.dslreports.com/forum/remark,4509075 Mon, 23 Sep 2002 20:19:29 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4509022 Name Game : Well guys..there is an "ie start" I think its a virus/worm....there is a YAB and also APEX. I will post them if you can not find them..it is one of those "let's use our own name things"...they all do it..but seem these guys have it down to a science.]]> http://www.dslreports.com/forum/remark,4509022 Mon, 23 Sep 2002 20:13:21 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508860 Randy Bell :

said by Ryan :
do any trojan scanners even pick up what this thing picks up?

TrojanHunter doesn't have those listed in its detected trojans. Ginger said NAV and Moosoft (The Cleaner) detected nothing. Maybe someone here who owns TDS-3 or KAV can check their database: but I doubt it, at this point -- really sounds flaky to me.

EDIT: I went to Kaspersky Labs and did a search on the following, and got no hits:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

No hits on Google either: do these trojans actually exist, or what? :):)

[text was edited by author 2002-09-23 20:09:06]]]> http://www.dslreports.com/forum/remark,4508860 Mon, 23 Sep 2002 19:58:49 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508819 Ryan : do any trojan scanners even pick up what this thing picks up? ]]> http://www.dslreports.com/forum/remark,4508819 Mon, 23 Sep 2002 19:53:56 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508708 Name Game : Well..that's it..guess I can sell my stock in Eanthology real quick .]]> http://www.dslreports.com/forum/remark,4508708 Mon, 23 Sep 2002 19:43:51 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508692 kcazzie : I remember there was a post about this , just the other day...Here's the link... »eAnthology]]> http://www.dslreports.com/forum/remark,4508692 Mon, 23 Sep 2002 19:42:21 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508647 guycad$ :

said by Ginger5 :
A friend using software EAnthony, a spyware and virus tool I'm told, returned "QO WebDL", and offered to "clean it". After this, the "trojan.yab.20" was removed. However, still shows the following trojans:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

I asked here about eAnthology as well. My (sole) experience with it so far is uniformly negative. Each component seems to be in constant communication over the internet. Part of the suite includes a virus mail sensor. I get real nervous about any program which processes mail and communicates over the internet before, at the same time, and after.

This is addition to not detecting the win32.kazaa.benjamin virus.

[shrug] YMMV]]> http://www.dslreports.com/forum/remark,4508647 Mon, 23 Sep 2002 19:38:33 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508458 Ryan : Im seriously wondering what this product is up too. NO OTHER VIRUS SCAN picks up what it picks up and it seems to pick up stuff on a clean install. I guess according to this program every windows cd is infected with trojans. DO NOT TRUST THIS PRODUCT!]]> http://www.dslreports.com/forum/remark,4508458 Mon, 23 Sep 2002 19:21:51 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4508049 Ginger5 : Thanks, Quantic.

He's a young lad with a frequent history of worms/viruses -- norty fellow.

Haven't heard from him in a bit; so he must be ok :)
--
We tweak it because it's there.]]> http://www.dslreports.com/forum/remark,4508049 Mon, 23 Sep 2002 18:42:45 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4502854 anon : Stop-Sign is a product contained within a suite named eAnthology.

Stop-Sign itself is a virus scanner coupled with the ability to detect spyware. It can, and will remove any virus you may have, either with its internal cleaner, or with the help of their support guys.

I had a couple viruses and they cleaned my system up pretty good. Although I had to ask for help a couple times, they came through in helping me remove gator, and some trojans I had.]]> http://www.dslreports.com/forum/remark,4502854 Mon, 23 Sep 2002 03:03:51 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4418876 Ginger5 : Much appreciated. I haven't used/heard of EAnthony either.

No matter. Your expertise is most sincerely appreciated.

Thank you.
--
We tweak it because it's there.]]> http://www.dslreports.com/forum/remark,4418876 Fri, 13 Sep 2002 23:29:49 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4411657 CalamityJane :

quote:
not even EAnthony for Eanthology. ;-)

Ah! Guess I picked up on the "Stop Sign" rather than EAnthony. Thanks for your comment.

P.S. Love the new avatar...my Dad was a football referee -Time Out's well known to me! :D
--
It takes a disaster to make a woman out of a female
[text was edited by author 2002-09-13 09:40:24]

[text was edited by author 2002-09-13 09:43:42]
]]> http://www.dslreports.com/forum/remark,4411657 Fri, 13 Sep 2002 09:39:08 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4411408 Name Game : Thanks, Jane..I know all about them..and others...also feel that this could be a false positive...but not going to second guess anything..not even EAnthony for Eanthology.;-)
Although I was sure that is what it meant and another reason to have the individual come here in "real time". That way he and then others would get benefit out of the tread.

My opinion of the latter ?????...people are always looking for a another proggie beside what they do have..in this forum we find people running 2 or three AV's at the same time just to be sure..they get daily on line scans...they set all their scan engines to real time as the surf the net..then at night they set one of those to Scan all 1,000,0000 files they have and it all takes 20 min to 2hours.

Now we have people running multiple firewalls.

I will not be using anything from Eanthology..but I will be glad to help someone sort out if they have any bad boys running on their system.

Regards, John]]> http://www.dslreports.com/forum/remark,4411408 Fri, 13 Sep 2002 08:54:33 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4411156 CalamityJane : Name Game. This the company that has the flashing red "button" with a stop sign on a pop-up to lure customers to their site. There have been some excellent discussions on Stop Sign by Eanthology over at GRC discussions
»www.www.grc.com/discussions.htm
See the Spyware threads in August and you will see a discussion with a representative of that company and some valid questions about their marketing practices and services. The service tends to be known for many "false positives" that many feel dupe their customers into believing they are infected and need to buy this company's service.

Check it out...I'd like to see your opinion on Stop Sign from Eanthology.

Edit: correct typos Add link to Stop Sign
»www6.buttonware.net/dlp_def/dlp_···notags)

[text was edited by author 2002-09-13 08:17:24]]]> http://www.dslreports.com/forum/remark,4411156 Fri, 13 Sep 2002 08:03:10 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4411002 Name Game : Probably a good idea..I have never heard of EAnthony software..it appears no one else has or they would have posted..I have no idea if your friends system is clean..but obvious they are not sure either. They do not have to join..as you know anyone can post in the forum.]]> http://www.dslreports.com/forum/remark,4411002 Fri, 13 Sep 2002 07:12:31 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4409374 Ginger5 : Time out, thank you very kindly. I will suggest he do just that. I'll encourage him to participate in broadband.

Sincerely,

Ginger
--
We tweak it because it's there.

PS: I do not have remote control, nor do I wish remote control. Nonetheless, I've encouraged his security questions in this forum.
[text was edited by author 2002-09-13 02:34:58]
]]> http://www.dslreports.com/forum/remark,4409374 Thu, 12 Sep 2002 23:52:01 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4408861 Name Game : Troj/WebDL

»www.sophos.com/virusinfo/analyse···ecs.html

Trojan:
Server name
WebDL.exe ]]> http://www.dslreports.com/forum/remark,4408861 Thu, 12 Sep 2002 23:05:14 EDT Re: Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4408359 Name Game : Only to tell you that there are trojans out there by that name.

Suggesting to you also that if all this is on a friends machine..that this forum is open to everyone even that friend..if and he/she thinks they are infected..it would be much easier to help if they posted..so you do not have to remote control.]]> http://www.dslreports.com/forum/remark,4408359 Thu, 12 Sep 2002 22:22:05 EDT Virus/Trojan Help Needed http://www.dslreports.com/forum/remark,4407864 Ginger5 : A friend using software EAnthony, a spyware and virus tool I'm told, returned "QO WebDL", and offered to "clean it". After this, the "trojan.yab.20" was removed. However, still shows the following trojans:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

OS: Win98
Connection: dial up
AV: NAV 2002, dB definitions updated

Moosoft and NAV show he's clean.

Suggestions?

Much thanks in advance :)
--
We tweak it because it's there.]]> http://www.dslreports.com/forum/remark,4407864 Thu, 12 Sep 2002 21:36:08 EDT