roimoi trojan? in Security http://www.dslreports.com/forum/r9449079 en Thu, 10 Dec 2009 06:23:27 EDT Thu, 10 Dec 2009 06:23:27 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9462839 sig : I'm very glad BOClean and apparently TDS also are including this sort of thing in their defs. This sort of stuff is seriously noxious and not all AV's catch them. Meanwhile, as noted, the freeware antispyware app folks who provide an increasingly herculean public service are under attack and have limited resources to deal with that while at the same time continually tending and updating their products.

(Although that reminds me to check out the spywareinfo server saga to see who is the mysterious corporate sponsor that will assist at least on the hosting, site access side.) ]]> http://www.dslreports.com/forum/remark,9462839 Sat, 21 Feb 2004 17:23:18 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9462186 K McAleavey : "Jimmyhelp" also ... yep, that's the one. The "Jimmylegs" are the FINAL result after a complete infection. And like CWS and LOP, they TOO have discovered "polymorphism" ... that's one of BOClean's "let's include this sucker" parameters ... add "stealth" and then kill firewalls, AV's and such, break througyh all the defenses and STILL manage to startup, "you're OURS!" :)

But yeah, those are just ONE of the s¢umbag$ we deal with in BOClean ... CWS and LOP are *far* worse, but "roings.com" is RIGHT up there with them. And getting worse daily as the assault on *ALL* of us who do "real-world trojans" as well as the "zoo trojans" mounts. Wonder why merijin and others are down? - only reason WE'RE still lit is by the grace of the HIGHLY talented folks who maintain our site for daily updates that our customers *PAY* for us to provide.

But "Jimmyloader" and "Jimmyhelp" are separete downloadings, ALSO covered in BOClean. If it's SNEAKY, and it'll get past your security settings and your firewall, it's *OURS* to have fun with a baseball bat with. That's WHAT we do. :)
--
Kevin McAleavey support@nsclean.com »www.nsclean.com/]]> http://www.dslreports.com/forum/remark,9462186 Sat, 21 Feb 2004 16:08:04 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9461701 anon : It does seem that you have that virus. You must get rid of it as quick as possible or it will disrupt your whole enire network. This must be done immediately.

Keep us posted on your condition]]> http://www.dslreports.com/forum/remark,9461701 Sat, 21 Feb 2004 15:06:08 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9461664 Zupe : Roings.com is associated with spyware known as "JimmyLoader", is this something different or just an alternate name?]]> http://www.dslreports.com/forum/remark,9461664 Sat, 21 Feb 2004 15:01:25 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9460789 K McAleavey : "roings.com" ... I *know* you guys already have this one, from the same exchange ... emailed you a pair of samples again whilst BBR was down. I'm *sure* when you saw what I resent, it was "ho-hum" to ya. :)

But yes, everyone else decided to call it "ROIMOI" based on its author's name for the "gen" which would produce MORE "gumbo variations" ... did YOU guys choose another name?
--
Kevin McAleavey support@nsclean.com »www.nsclean.com/]]> http://www.dslreports.com/forum/remark,9460789 Sat, 21 Feb 2004 13:04:36 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9459479 bcastner : Gavin,

See: »www.tek-tips.com/viewthread.cfm?···9&page=1]]> http://www.dslreports.com/forum/remark,9459479 Sat, 21 Feb 2004 09:20:11 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9459432 Gavin_TH : I cant be sure if its covered.. can someone scan it or send a copy to me :) I will check and post back if submit@diamondcs.com.au doesnt have one already. The only thing that rings a bell is that popuppers.com:

Registrant:
popuppers
box 3904
Fort Smith, Arkansas 72913
United States

Registered through: GoDaddy.com

The infamous GoDaddy.com strikes again.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au
]]> http://www.dslreports.com/forum/remark,9459432 Sat, 21 Feb 2004 09:05:44 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458873 K McAleavey : If you include "spyware" in the collection (the MAJOR "growth industry" for ne'er-do-wells) I'd say the past three weeks have QUINTUPLED the number of absolute nasties floating around. And despite Microsoft's band-aids, it's getting worse by the day because people INSIST on allowing "scripting" and "activeX" in the "internet zone" because they're apparently too lazy to lock THAT down and move ONLY those few sites that are truly trustworthy ("your BANK")into the "trusted sites zone" to be permitted to use those. It's been nothing short of INSANE here.

An advantage for US at least is that well-chosen behavior patterns allow us the luxury of not having to reinvent the wheel every time a "new" variant is released by copycat cut-and-pasters ... and particularly on the browser hijack side of reality, it's been like shooting fish in a barrel. We have the spammers and scammers *so* honked off that our sites and mailboxes are getting attacked as well by the very same people who've been taking out the "anti-spyware" sites. Were it not for the dedicated people at our server farm, we'd be scrood as well since we're also "under attack" on a constant basis lately.

The internet has turned into a trailer park in a bad part of town. And the *LAW* is backing these @#$&$!@!#$%! up. They have a "constitutional right" to do this. :(

Join us in our next FTC involvement, and submit your own "hijacked" stories - MAYBE we can finally overrule the courts and stop this madness ...

»www.ftc.gov/opa/2004/02/spyware.htm

(edited to correct missing "trusted sites zone" reference)]]> http://www.dslreports.com/forum/remark,9458873 Sat, 21 Feb 2004 05:26:02 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458860 K McAleavey : "ROIMOI" is the name of the "spyware" itself - the AV's generally don't cover these, and when they do, you have to go and set the AV to detect "jokes" or "programs" to set them into a mode to handle them. Most antitrojans do NOT cover these at all. I know TDS has it covered (though don't know what name they chose) since this particular one came in from a shared resource we both use WEEKS ago. It's been out for a WHILE now.

One of the biggest problems though is "name that nasty" and is further complicated by the antivirus industry. It's something all of us who work together have fought hard to no avail to convince others that uniform names would be a big help, but that's just not the way it's going (and it's getting worse) ... check this out:

»www.newsfactor.com/perl/story/15662.html

What WE do (as do most of us) is WE go with the name given to a nasty by its creators. This is to our opinion the most reasonable naming convention, especially in trying to compare trojans covered. In this case, "roimoi" is indeed the "official name" (check back to the graphic I posted and you can confirm) whereas some others have called it "Sidesearch" (particularly the anti-spyware folks who prefer to identify the company even if there are many from the same company) or "random" (the Av's call it "spyware.gen" for 'generic') and I've also seen one company just call it "roings" ...

As far as who I *know* has it covered though, that would be Kapersky, TDS, (I *think* Norton covered it) and Spybot S&D. I don't know about anyone else. We had this covered in BOClean about an hour after roings.com first released it. But FWIW, this is considered "adware" by many and not a "backdoor" so many of the antitrojans just didn't bother to cover it. Our attitude here in the BOClean funny farm is that if it damages a system, hides, or is malicious, it gets covered. And a great deal of "hijackers" *are* trojans even if the technopurists dismiss them as "minor."

There are about 25 or so "variants" of roimoi floating around - they appear under many filenames, many different sizes, many different packings and very different registry GUIDs ...

Why are we doing what "Spybot" and "Ad-aware" are already doing for free? the spammers and scammers have been hiring up all the former trojan horse artists and paying them serious money - "adware" has the "talents" and techniques of the nastiest of the malware people behind them and it's getting worse. Same for all these "worms" ... the vast majority of them exist to put spam relays and "attack bots" onto the machines of the unsuspecting. CLASSIC trojans therefore to us.

But that's my story and I'm sticking to it. :)
--
Kevin McAleavey support@nsclean.com »www.nsclean.com/]]> http://www.dslreports.com/forum/remark,9458860 Sat, 21 Feb 2004 05:14:53 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458838 Link Logger : February has been a disaster thus far as the average volume of attack/scan traffic has doubled since the start of the month, and all indications are that it will continue to increase for the remainder of the month (I'm looking forward to February 26th as I'm betting we will see a 'DoomJuice' for Bagel.B, if not before then).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,9458838 Sat, 21 Feb 2004 04:53:58 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458823 sig : On the main page of the security forum, look under the Dobermans to the "We like links", second line in red, between "this log follow these steps" and "Security FAQ."]]> http://www.dslreports.com/forum/remark,9458823 Sat, 21 Feb 2004 04:42:00 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458813 Jooske : I'm still blind, not seeing the submission link. Anyway, as BOClean seems to be the only one having it in their database (google doesn't show other av/at mentioning it in their detection/descriptions) submission seems not to have worked yet or does this nasty go with other aliases too?]]> http://www.dslreports.com/forum/remark,9458813 Sat, 21 Feb 2004 04:35:33 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458796 sig :
said by Jooske See Profile:
Must be overlooking that, as i don't see that link you mention. Is TDS lab in the list of receivers?


Yes, it is. ]]> http://www.dslreports.com/forum/remark,9458796 Sat, 21 Feb 2004 04:25:40 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458785 Jooske : Must be overlooking that, as i don't see that link you mention. Is TDS lab in the list of receivers?]]> http://www.dslreports.com/forum/remark,9458785 Sat, 21 Feb 2004 04:18:26 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458705 Sparrow : There is also a direct e-mail link at the top of this forum to send malware samples to the vendors. :)
Submit Suspected Malware ]]> http://www.dslreports.com/forum/remark,9458705 Sat, 21 Feb 2004 03:39:49 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9458657 Jooske : Think it's clear enough the AT vendors are working really hard and willing to share samples among them all to keep internet clean. Stories like releasing nasties themselves should be put aside immediately as the top notch software does not need such cheap tricks and it would put an even heavier load on cleaning out the users.
Gavin (DCS) reminded us the other day to please send samples all time of anything you find or looks suspicious to you, better many doubles then one missed and a system damaged. (submit@diamondcs.com.au) ]]> http://www.dslreports.com/forum/remark,9458657 Sat, 21 Feb 2004 03:25:29 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9454456 K McAleavey : Thanks for the kind words. Unfortunately, we've got WAY too many nasties to deal with (the past few weeks have been INSANE) and since we do spyware, worms, rootkits and many things in addition to backdoors, I haven't had time to exhale lately, much less visit the groups.

I can say this though, ALL of the newsgroups where this is apparently showing up (the "24hoursupport.helpdesk" in particular) are all the hangouts of a specific antitrojan vendor who is well known here - only difference is this time it's our turn to be "marketed against" by this ... "Evidence Eliminator" class competitor.

Anyone who DOES have some time is welcome to copy the picture I posted and the origin of this "trojan" (roings.com) over there if they're so inclined.

Samples of ROIMOI and other roings.com nasties have already been made available to our sharing group - any other "experts" can have a sample as well if they don't already have this one.
--
Kevin McAleavey support@nsclean.com
»www.nsclean.com/]]> http://www.dslreports.com/forum/remark,9454456 Fri, 20 Feb 2004 18:33:55 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9454267 gkweb : Don't care Kevin, everyone know that BOBlean is a good product and that you are honnest and dedicated to your task.]]> http://www.dslreports.com/forum/remark,9454267 Fri, 20 Feb 2004 18:14:46 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9454262 bcastner : John2g,

I do not doubt that the discussion so far is less than flattering, and I also do not doubt it is unfair. The problem is real, the source as being from NSClean is ridiculous. But this is what is being said, and the company should do something in response to the multiple Newsgroup postings.

To Schouw, I think you should get the .DLL very soon. At least it was promised that it would be sent to the address you provided in your IM.

Bill Castner]]> http://www.dslreports.com/forum/remark,9454262 Fri, 20 Feb 2004 18:14:16 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9454211 K McAleavey : It would appear as though this is yet another marketing ploy by an anti-trojan that "ONLY covers back doors" and markets by bashing any and all competition rather than fixing their own product. I wish I could say I was surprised, but I suppose it's OUR turn in the barrel this week instead of TDS. :(

The SCOOP - "ROIMOI" is "spyware" from an organization known as ROINGS.COM, found in many "freeware" items such as eDonkey and others, and also installed by "drive-by" websites.

The name "ROIMOI" was given to this particular item by the anti-spyware exchange, and is detected by a number of products including Norton antivirus. It is an executable "handler" which updates the BHO's and other hijackers and all of these are randomly named entities. It can bring a machine to its knees.

Samples of the "roings.com" hijackers have been provided far and wide to all in the anti-malware business, and the origin of this absolute nonsense would have known about this if they covered ALL trojans and not just a handful. :(

Sorry folks, but aren't we ALL getting tired of one particular vendor whose sole function seems to be the bashing of everybody else? :(
--
Kevin McAleavey support@nsclean.com »www.nsclean.com/

screenshot of ROIMOI's code
]]> http://www.dslreports.com/forum/remark,9454211 Fri, 20 Feb 2004 18:09:01 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9453372 John2g :
said by bcastner See Profile:

and the newsgroup reaction that it is a planted trojan decidedly very odd stuff.


Probably posted by a would be competitor of NSClean to foment trouble.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9453372 Fri, 20 Feb 2004 16:38:40 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452985 bcastner : Curiouser and curiouser. This is what "seemed" to work for some:

Safe Mode:

. Use Hijack and look for odd .dlls being loaded in the 04 HKEY RUN sequence. It is polymorphic, but they are .DLLs, and usually consist of mainly numbers.DLL;

. Registry search for "roimoi" you should have one hit. Remove the key (likely, but not always, under an InProc32 subkey of a value);

. Search the registry for CLSID: {F9A06B36-C8C0-4644-9B5E-DBD82EB2E563} and delete the entry.

Reboot to normal mode.

This advice has worked, but this roimoi is odd, and the newsgroup reaction that it is a planted trojan decidedly very odd stuff.]]> http://www.dslreports.com/forum/remark,9452985 Fri, 20 Feb 2004 16:04:03 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452872 Schouw : Unfortunately I can't give out samples anymore...]]> http://www.dslreports.com/forum/remark,9452872 Fri, 20 Feb 2004 15:52:14 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452781 Vampirefo : Schouw,

If you have a copy of this file send it to me I am sure I could make a remover for it.
--
Spam Officially Legal

]]> http://www.dslreports.com/forum/remark,9452781 Fri, 20 Feb 2004 15:42:11 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452700 Schouw : From all cases I've seen where users couldn't access their 'windows explorer/my computer', it was all due to a dll.

Using HijackThis was simplest way out.]]> http://www.dslreports.com/forum/remark,9452700 Fri, 20 Feb 2004 15:32:51 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452661 bcastner : Schouw,

You go guy.

This guy has no freeware removal opportunities at the moment, and reallly screws up a workstation.]]> http://www.dslreports.com/forum/remark,9452661 Fri, 20 Feb 2004 15:29:32 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452645 bcastner : Vamepirefo,

I agree it is unfair to nasclean, BOClean. Any additional information you can throw out will hopefully be caught by Google, and by me.

Bill Castner]]> http://www.dslreports.com/forum/remark,9452645 Fri, 20 Feb 2004 15:27:44 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452148 Vampirefo : I read them only to conclude that BOClean released this Trojan, that makes no sense to me. BOClean made up the name of the file sure, they probably got it from the registry entries.

I see no reason for BOClean to release a Trojan/Spyware so I think people are mistaken, this a more than likely a new spyware, nothing I read shows it to be anything but Spyware, explore high cpu due more than likely to ads be displayed or downloaded.
--
Spam Officially Legal ]]> http://www.dslreports.com/forum/remark,9452148 Fri, 20 Feb 2004 14:28:50 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452136 Schouw : I've taken a look at google.
Yes, this confirms the thoughts I had, I have the sample.

I had an argument about this with the analysts..
said by Sergey:
No, it is only buggy program.


Seems like it I will have to convince him. :)]]> http://www.dslreports.com/forum/remark,9452136 Fri, 20 Feb 2004 14:27:00 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9452093 bcastner : Don't have one, but will try.

Google "roimoi" and read the first three or four responses.

Google, Groups, "roimoi" and see the newsgroup discussions. Fairly or unfairly the consensus in the Northern Eurpean groups is that this was a deliberatly created malware to sell a sole removal tool.

I tend not to believe conspiracy theories. But roimoi is certainly growing, and not "caught" by current freeware AV or spyware/adware tools.]]> http://www.dslreports.com/forum/remark,9452093 Fri, 20 Feb 2004 14:21:32 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9451846 Vampirefo : Can you send me a copy, I am 99% sure it's just spyware, but will analyze it if you send me a copy.
--
Spam Officially Legal ]]> http://www.dslreports.com/forum/remark,9451846 Fri, 20 Feb 2004 13:50:17 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9451570 bcastner : Just saw another query about it. Must be spreading.
cwshredder and SpyBot, PestPatrol, and online AV scans right now do not notice it.]]> http://www.dslreports.com/forum/remark,9451570 Fri, 20 Feb 2004 13:17:50 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9451236 Schouw : I have/had a sample of it..
I've seen TOO much this week..
KL detects it.(Or it was rejected because it was simply a badly coded file, can't recall correctly..)]]> http://www.dslreports.com/forum/remark,9451236 Fri, 20 Feb 2004 12:40:03 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9451057 bcastner : roimoi (yes, vague French for I am King) pegs the users explorer.exe at nearly 99% CPU utilization.

It is not caught by AV scans, or SpyBot; and Hijack does not note anything interesting about it.

What is fascinating is that there is a strong suggestion in the newsgroups that the program was written by a single malware cleaner program to promote its products.

This could be completely unfair, but even the suggestion is an odd twist on things.

If not now, someday I suspect it will be true.]]> http://www.dslreports.com/forum/remark,9451057 Fri, 20 Feb 2004 12:20:03 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9449654 Vampirefo : Never heard of it, or perhaps it goes by another name. Sounds more like spyware than a Trojan from what I read again I haven't seen one so don't know for sure.
--
Spam Officially Legal ]]> http://www.dslreports.com/forum/remark,9449654 Fri, 20 Feb 2004 09:17:51 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9449641 gkweb : I wonder if teh author of this trojan is french, because it could mean "i'm a king", litterally "king me".

May be a coincidence :)]]> http://www.dslreports.com/forum/remark,9449641 Fri, 20 Feb 2004 09:16:29 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9449607 tataye : Who in the hell will buy an antiroimoi tool LOL
--
beast father]]> http://www.dslreports.com/forum/remark,9449607 Fri, 20 Feb 2004 09:10:30 EDT Re: roimoi trojan? http://www.dslreports.com/forum/remark,9449126 John2g : BOClean will remove it for me without the need for any further removal tool :)]]> http://www.dslreports.com/forum/remark,9449126 Fri, 20 Feb 2004 07:12:46 EDT roimoi trojan? http://www.dslreports.com/forum/remark,9449079 bcastner : Several complaints have surfaced about this. The suggestion in the Newsgroups was that this roimoi trojan was deliberately introduced, along with a list of others, to sell a specific tool to remove it for $$$?

Google Groups, "roimoi"

Very odd.

Seems that it is being distributed through the eDonkey/eMule network in popular video files.]]> http://www.dslreports.com/forum/remark,9449079 Fri, 20 Feb 2004 06:55:09 EDT