
Vampirefo Premium,MVM join:2000-12-11 Huntington, WV kudos:1
reply to Andreas Haak
Re: Blaster worm remover and source code ...

Hi, here is the latest MSblast variant and as you can see your program does nothing to stop it, TH Guard killed it though. Your claim the program won't rename itself didn't last, we both knew it would, or many MSblast variants would be released.
Just add signature for this exploit to your program, the file name is going to change, often, and your program will be worthless, add signature detections, and you can detect new MSblast variants.
I am not your enemy, I am trying to help you, even though most posters want to blast me, if they take a minute to understand detecting a worm by name only is useless.
-- TrojanHunter Stands For Privacy!!!!!!!
[text was edited by author 2003-08-13 16:15:40]

>variant and as you can see your program does nothing to stop it,
Wrong. Simply wrong. The install protection for the worm still works. That means if you cleaned the PC in fact the worm won't infect the PC. Even in its new variants.
>Your claim the program won't rename itself didn't last, we both knew it would, or many MSblast variants would be released.
The virus didn't rename itself. A script kiddie hex edited it. This can be done with every signature. It's a completely new variant. The Blaster.a worm is still detected. The Blaster.b worm, not.
>Just add signature for this exploit to your program, the
Even if I had added a signature it won't help. In fact the B variant used a different EXE packer. So I have to add a second signature. Same as now (and in fact same as all others had to do).
-- For when you love something that you can actually hardly get, that seems unreachably far away, you become a little sad. You become a dreamer. Or you become a radical. Or a radical realizer of your dreams ... .

Vampirefo Premium,MVM join:2000-12-11 Huntington, WV kudos:1

This is A, not B, same file, different name. Why do you think TH can catch it? Cause it's the same file, your program misses it, no hex editing was done, oh well. I have wasted my time with you, won't be wasting any more time in this thread. This pic just shows how Stinger is able to detect it, it's the same worm, Stinger uses signatures for detection, not just file name.
If you want the file, give me an e-mail address to send it to, hopefully, you will then add signature, I doubt it though.
Best Regards Vampirefo
-- TrojanHunter Stands For Privacy!!!!!!!
[text was edited by author 2003-08-13 20:04:12]

>This is A, not b same file, different name, Why do you think TH can catch it?
Cause it scans the process memory. Try to scan it on demand. It's undetected.
>cause it's the same file, your program misses it, no hex editing was done, oh well.
In fact it was. Do a file compare.
>This pic just shows how Stinger is able to detect it, it's the same worm, Stinger uses signatures for detection, not just file name.
Stinger uses signature + unpacking.
>If you want the file, give me an e-mail address to send it to, hopefully, you will then add signature, I doubt it though.
haak.a@yaw.at - please inside a password protected ZIP file.
-- For when you love something that you can actually hardly get, that seems unreachably far away, you become a little sad. You become a dreamer. Or you become a radical. Or a radical realizer of your dreams ... .

@vamp: »New Blaster variant
Or do you think you are more expert than Kaspersky?
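
Added example, not part of the thread and not code from any tool discussed in it: a Python comparison of the detection approaches argued over above (file name, byte signature on the packed file, signature after unpacking), plus a whole-file hash, which goes beyond what the posts mention. The worm body, both packers, `renamed.exe` and every signature are constructed stand-ins.

```python
import hashlib
import zlib

# Constructed, harmless stand-in for a worm body (no real malware bytes).
MARKER = b"CONSTRUCTED-WORM-BODY:"
BODY = MARKER + bytes(range(200))

def pack_a(body):  # hypothetical packer A: 4-byte magic, 4 unused bytes, zlib stream
    return b"PKA\x00" + b"\x00" * 4 + zlib.compress(body)

def pack_b(body):  # hypothetical packer B: same layout, zlib stream XOR-masked
    return b"PKB\x00" + b"\x00" * 4 + bytes(b ^ 0x5A for b in zlib.compress(body))

def unpack(data):  # undo either packer; return the input unchanged otherwise
    try:
        if data.startswith(b"PKA\x00"):
            return zlib.decompress(data[8:])
        if data.startswith(b"PKB\x00"):
            return zlib.decompress(bytes(b ^ 0x5A for b in data[8:]))
    except zlib.error:
        pass
    return data

KNOWN = pack_a(BODY)                  # the sample the detections were built from
KNOWN_NAME = "msblast.exe"
KNOWN_HASH = hashlib.sha256(KNOWN).hexdigest()
PACKED_SIG = KNOWN[8:24]              # byte pattern taken from the packed file

DETECTORS = {
    "name": lambda name, data: name.lower() == KNOWN_NAME,
    "hash": lambda name, data: hashlib.sha256(data).hexdigest() == KNOWN_HASH,
    "packed_sig": lambda name, data: PACKED_SIG in data,
    "unpacked_sig": lambda name, data: MARKER in unpack(data),
}

edited = bytearray(KNOWN)
edited[5] ^= 0xFF                     # one byte changed in the unused header area
SAMPLES = {                           # each sample changes exactly one property
    "original": (KNOWN_NAME, KNOWN),
    "renamed": ("renamed.exe", KNOWN),
    "hex_edited": (KNOWN_NAME, bytes(edited)),
    "repacked": (KNOWN_NAME, pack_b(BODY)),
}

def evaluate():
    return {s: {d: fn(*args) for d, fn in DETECTORS.items()} for s, args in SAMPLES.items()}

if __name__ == "__main__":
    for sample, hits in evaluate().items():
        print(f"{sample:10}", hits)
```

Only the signature applied after unpacking matches all four samples; each of the other checks misses exactly the kind of change it depends on.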