dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
6396

Ginger5
Premium Member
join:2002-03-24
Madison, WI

Ginger5

Premium Member

Virus/Trojan Help Needed

A friend using software EAnthony, a spyware and virus tool I'm told, returned "QO WebDL", and offered to "clean it". After this, the "trojan.yab.20" was removed. However, still shows the following trojans:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

OS: Win98
Connection: dial up
AV: NAV 2002, dB definitions updated

Moosoft and NAV show he's clean.

Suggestions?

Much thanks in advance

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Only to tell you that there are trojans out there by that name.

Suggesting to you also that if all this is on a friends machine..that this forum is open to everyone even that friend..if and he/she thinks they are infected..it would be much easier to help if they posted..so you do not have to remote control.
Name Game

Name Game to Ginger5

Premium Member

to Ginger5
Troj/WebDL

»www.sophos.com/virusinfo ··· ecs.html

Trojan:
Server name
WebDL.exe

Ginger5
Premium Member
join:2002-03-24
Madison, WI

Ginger5

Premium Member

Time out, thank you very kindly. I will suggest he do just that. I'll encourage him to participate in broadband.

Sincerely,

Ginger

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Ginger5

Premium Member

to Ginger5
Probably a good idea..I have never heard of EAnthony software..it appears no one else has or they would have posted..I have no idea if your friends system is clean..but obvious they are not sure either. They do not have to join..as you know anyone can post in the forum.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

Name Game. This the company that has the flashing red "button" with a stop sign on a pop-up to lure customers to their site. There have been some excellent discussions on Stop Sign by Eanthology over at GRC discussions
»www.www.grc.com/discussions.htm
See the Spyware threads in August and you will see a discussion with a representative of that company and some valid questions about their marketing practices and services. The service tends to be known for many "false positives" that many feel dupe their customers into believing they are infected and need to buy this company's service.

Check it out...I'd like to see your opinion on Stop Sign from Eanthology.

Edit: correct typos Add link to Stop Sign
»www6.buttonware.net/dlp_ ··· m=notags)

[text was edited by author 2002-09-13 08:17:24]

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Ginger5

Premium Member

to Ginger5
Thanks, Jane..I know all about them..and others...also feel that this could be a false positive...but not going to second guess anything..not even EAnthony for Eanthology.
Although I was sure that is what it meant and another reason to have the individual come here in "real time". That way he and then others would get benefit out of the tread.

My opinion of the latter ?????...people are always looking for a another proggie beside what they do have..in this forum we find people running 2 or three AV's at the same time just to be sure..they get daily on line scans...they set all their scan engines to real time as the surf the net..then at night they set one of those to Scan all 1,000,0000 files they have and it all takes 20 min to 2hours.

Now we have people running multiple firewalls.

I will not be using anything from Eanthology..but I will be glad to help someone sort out if they have any bad boys running on their system.

Regards, John

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

quote:
not even EAnthony for Eanthology.
Ah! Guess I picked up on the "Stop Sign" rather than EAnthony. Thanks for your comment.

P.S. Love the new avatar...my Dad was a football referee -Time Out's well known to me!

Ginger5
Premium Member
join:2002-03-24
Madison, WI

Ginger5 to Name Game

Premium Member

to Name Game
Much appreciated. I haven't used/heard of EAnthony either.

No matter. Your expertise is most sincerely appreciated.

Thank you.

Quantic
@eacceleration.com

Quantic to Ginger5

Anon

to Ginger5
Stop-Sign is a product contained within a suite named eAnthology.

Stop-Sign itself is a virus scanner coupled with the ability to detect spyware. It can, and will remove any virus you may have, either with its internal cleaner, or with the help of their support guys.

I had a couple viruses and they cleaned my system up pretty good. Although I had to ask for help a couple times, they came through in helping me remove gator, and some trojans I had.

Ginger5
Premium Member
join:2002-03-24
Madison, WI

Ginger5

Premium Member

Thanks, Quantic.

He's a young lad with a frequent history of worms/viruses -- norty fellow.

Haven't heard from him in a bit; so he must be ok

Ryan
Premium Member
join:2001-03-03
Boston, MA

Ryan to Ginger5

Premium Member

to Ginger5
Im seriously wondering what this product is up too. NO OTHER VIRUS SCAN picks up what it picks up and it seems to pick up stuff on a clean install. I guess according to this program every windows cd is infected with trojans. DO NOT TRUST THIS PRODUCT!

guycad$
In Search Of Free Speech
Premium Member
join:2002-05-02
Pompton Lakes, NJ

1 recommendation

guycad$ to Ginger5

Premium Member

to Ginger5
said by Ginger5:
A friend using software EAnthony, a spyware and virus tool I'm told, returned "QO WebDL", and offered to "clean it". After this, the "trojan.yab.20" was removed. However, still shows the following trojans:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

I asked here about eAnthology as well. My (sole) experience with it so far is uniformly negative. Each component seems to be in constant communication over the internet. Part of the suite includes a virus mail sensor. I get real nervous about any program which processes mail and communicates over the internet before, at the same time, and after.

This is addition to not detecting the win32.kazaa.benjamin virus.

[shrug] YMMV

kcazzie
One Of Jerry's Kids
Premium Member
join:2000-08-13
Morton Grove, IL

kcazzie to Ginger5

Premium Member

to Ginger5
I remember there was a post about this , just the other day...Here's the link... »eAnthology

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Ginger5

Premium Member

to Ginger5
Well..that's it..guess I can sell my stock in Eanthology real quick .

Ryan
Premium Member
join:2001-03-03
Boston, MA

Ryan to Ginger5

Premium Member

to Ginger5
do any trojan scanners even pick up what this thing picks up?

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell

Premium Member

said by Ryan:
do any trojan scanners even pick up what this thing picks up?
TrojanHunter doesn't have those listed in its detected trojans. Ginger said NAV and Moosoft (The Cleaner) detected nothing. Maybe someone here who owns TDS-3 or KAV can check their database: but I doubt it, at this point -- really sounds flaky to me.

EDIT: I went to Kaspersky Labs and did a search on the following, and got no hits:

trojan.ie.start;
trojan.yab.20;
trojan.apex.10

No hits on Google either: do these trojans actually exist, or what? :)

[text was edited by author 2002-09-23 20:09:06]

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Ginger5

Premium Member

to Ginger5
Well guys..there is an "ie start" I think its a virus/worm....there is a YAB and also APEX. I will post them if you can not find them..it is one of those "let's use our own name things"...they all do it..but seem these guys have it down to a science.
Name Game

Name Game to Ginger5

Premium Member

to Ginger5
Yet Another Binder 2.01

Description:Yet Another Binder (YAB) is a powerful multi-featured file binding tool that can be used to distribute a number of files to a target system very discretely.

Up to 50 commands
Compatible with Windows 9x/NT/ME/2K/XP. (Untested on 95, NT and ME)
Up to 100MB of files can be bound in total. Each file can be up to 10MB in size
File Extraction, Execution, Deletion all supported
Random characters in filenames (by using wild cards)
Fake (customizable) message box.
Custom icon for output file.
Built in icon library.
Melt stub on execution.
Much, much, more!

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell to Ginger5

Premium Member

to Ginger5
I found this at Symantec, which I'm unsure is the same thing referred to here (not much info):

DSME.Apex.2893
»securityresponse.symante ··· 082.html

I also found this at Sophos:

Sophos virus analysis: Joke/Apex-A
»www.sophos.com/virusinfo ··· exa.html

As a final step, I sent an IM to IGGY who runs TDS-3 on his system, to check his database for these trojans and post here if he finds anything. :)

[text was edited by author 2002-09-23 22:25:11]

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Ginger5

Premium Member

to Ginger5
LOL...Randy did you ever think about searching your own DSLR Forum instead of Google?????»Help! Possible trojan/back door

And what is this "nice find" stuff ????
[text was edited by author 2002-09-23 22:20:19]

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell

Premium Member

Yeh, I should have searched DSLR rather than Google:

Hmmm...klimax says that The Cleaner detected YAB on his system: »Help! Possible trojan/back door

But this could be a variant of YAB undetected by Moosoft. :)
[text was edited by author 2002-09-23 22:54:43]
Quantic
join:2002-09-23

Quantic to Ginger5

Member

to Ginger5
Good day all.

I would like to take this opportunity to put to rest any questions you may have concerning the eAnthology software as I will be acting as a representative for eAcceleration Software, the makers of the eAnthology suite, and most notably, the Stop-Sign Personal Alarm service.

A little history here if you will:

Stop-Sign is an "on command" virus scanning utility. This means that it will scan your computer for viruses only when you run it, there-by minimizing the draw on your system's resources. When the full version of scanner (available
only by subscribing to eAnthology) detects a virus, it will cure or eliminate it if possible, or quarantine it, thus preventing the virus from causing your computer any further harm. If it can do nothing else, the Stop-Sign scanner
will alert you to the possiblity of a virus or threat. In addition to alerting you, if your computer is connected to the internet when the scan is run, Stop-Sign will automatically send the results of the scan to eAnthology Customer Support Team. We are notified of the results of the scan and can respond immediately with the correct action if any is needed.

* The trial version of the virus scanner is meant to give prospective customers a look at the functionality and interface of the software. It will perform only
a light scan of your system and is unable to "cure" any viruses it may find.

I hope this gives you a better understanding of our product, service and support.

Now, on to the viruses:

trojan.apex.10
Apex: WORM_APLORE.A

Risk rating:
Virus type: Worm
Destructive: No

Aliases:
APLORE.A, Worm.PSecure, APLORE, Aphex, Apex

Description:
This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.

Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to to users connected to the same Internet Relay Chat (IRC) channel as its infected user.

trojan.ie.start

Description:
This Visual Basic Script Trojan modifies the Internet Explorer startup page link to connect to »www.passthison.com/r1/?d ··· his-time, or any other url designated by the code modifier. It does not have a destructive payload, just causes an annoyance.

trojan.yab.20

Aliases:
Yaha, module of Yaha

Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.

It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.

Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you. Here is a link to our virus engine if you would like to peruse around.

»www.drweb32.com/

Here is another link done by a 3rd party comparing each engine and how it rates. Click on the link that points to Dialogue Science.

»www.virusbtn.com/vb100/a ··· ucts.xml

I hope this helps to answer any questions you may have had on this subject. Please feel free to respond with any more questions/concerns, and I will address them directly.

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell

Premium Member

said by Quantic:
trojan.yab.20

Aliases:
Yaha, module of Yaha

Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.

It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.

Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you.
Norton detects six variants of Yaha, and I'm sure the others you mentioned (McAfee and Trend) detect it too. What I didn't know was that Yaha is related to YAB.

Symantec Security Response - W32.Yaha@mm
»securityresponse.symante ··· @mm.html

Welcome to dslreports, Quantic!! :)

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI


1 recommendation

Name Game to Ginger5

Premium Member

to Ginger5
Yes.

1.What is "QO WebDL" and do you think that gingers friend had all those problems on one system?

2. Does you software require all that constant connection to sites and if so what is it doing?

3. Does your software contain what they call in this forum spyware?

4. Does your software clean all trojans off a system?

5.Why do you use names for these trojans that are not common to other AV/AT?
[text was edited by author 2002-09-23 23:22:03]
Name Game

1 recommendation

Name Game to Ginger5

Premium Member

to Ginger5
7.What is going on here at this link about your products?

Mysterious "spam"

»news.spamcop.net/piperma ··· 035.html

_____________________________

8. When people go here to read about your stop sign..why do they instantly get the popup in their face to download it 2 seconds later.

»www.stop-sign.com/?pg=ea ··· ne&clk=1
Name Game

Name Game to Ginger5

Premium Member

to Ginger5
This is your T and C page...besides the below statment...I have read it all before..I think it stink..and you can not be serious about half the stuff you have there>

Installation may also include the eAcceleration Download Receiver or other Provider free software. End Users also agree to allow Provider to display online advertising for our own products, if they are not paid subscribers.

»www.eanthology.net/legal/sa/
Quantic
join:2002-09-23

Quantic to Ginger5

Member

to Ginger5
Name Game:

Let me attempt to answer each of these questions in full before we move on to the next. Bear with me, as one of my previous posts had to be shortened to get in under the preview, so let's give it a shot.

1) What is QO WebDL?

Alias: VBS_LastScene, Troj_LastScene, Win32/LastScene.A, VBS/LastScene@MM, Win32.LastScene@mm
Category: VB Script, Win32
Type: Worm
Alert: Low

Characteristics:

QO WebDL is an e-mail worm that uses Microsoft Outlook to spread.

The worm arrives attached to an e-mail with the following Subject line:

"Scene from last weekend."

and a message body that reads:

"Please do not forward!!!"

The attached file is a ZIP archive named:

“scenes.zip”

Inside the ZIP archive, there is one RTF document called: “scenes.wri”. In the standard Windows installation, files with the extension “wri” are associated with the WordPad application. When a user opens this file he/she will be presented with the following display:

Opening the embedded object represented by the right icon (scene2.jpg) opens an embedded picture and does not perform any malicious operation.

However, following the left link (scenes1.jpg) results in running an embedded malicious Win32 executable program (detected as Win32.Scene worm). This program carries and installs Win32.Optix.02 backdoor and drops WebDL.C Trojan (when executed this Trojan downloads another backdoor: Win32.SubSeven.21.B).

The Optix backdoor is located in the file: “%Windows\OleFiles\realupdt.exe” and the registry is modified in order to load the backdoor at the system start-up.

Also it drops and executes a VB Script, which uses Microsoft Outlook to e-mail copies of the worm (scenes.zip) to all entries located in all Address Lists.
In order to distract a user from all its background activity, the worm displays yet another picture:

It is important to note that the worm cannot spread automatically and requires a lot of user ‘co-operation’. Pre-viewing, opening an e-mail or even clicking on the attachment will not result in the execution of any malicious code. A user must click on the left icon shown in the WordPad document in order to trigger the worm replication.

Additionally the “scenes.zip” must be located in the Windows Temp directory in order to send e-mails with any attachments (otherwise e-mails will not spread worm files).

2) Our software requires a connection to check for virus definition updates, or newer versions of the scanner engine, or eanthology manager application.

3) The only "spyware" that may be contained within our software is the ability to check for virus definitions, check for user status (premium, vip account status), and the ability to send the scan results to our support department. Any other claim is false.

4) We do our very best to clean all viruses we detect off an infected machine. Some viruses, as you may already know, require some manual intervention. That is where our support department comes in.

Continue on next thread.
Quantic

Quantic to Ginger5

Member

to Ginger5
Continued:

5) Why do you use names for these trojans that are not common to other AV/AT?

Our scanner engine comes from:
»www.drweb32.com/

The names they choose for detecting their viruses is entirely up to them. We add aliases in the software for common known file type names however.

6) There is no 6. 8)

7) Mysterious spam question.

Let me give you a little insight. We are a new company in this field. The spam that was mentioned was when we had a bug in our mailing system and sent our marketing email to users several times within minutes of each other. It was an honest to gosh mess and we have paid dearly for the mistake. Once branded as a "spammer" and it is difficult to remove the brand. That issue has been fixed, just an FYI.

8) Can you point out the exact steps to get to that link? It is treating it as a click through to download the scan.
Quantic

Quantic to Ginger5

Member

to Ginger5
Our Terms and Conditions:

They are in the process of being drastically changed. They were written at the begining of our company's switch to the AV market, and we realize that things have changed since then.