  sig Premium join:2001-05-05
| reply to CalamityJane Re: Virus/Trojan Help Needed
Perhaps checking if they're authorized by the VB to use the 100% VB logo on their site? Or if the VB has any restrictions regarding the use of their logo?
[text was edited by author 2002-09-28 22:34:17] |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Name Game quote: That is despicable
And Name Game says he can't spell (heh, he got this one right...AND the right definition because typing write is not the same as spelling right, but who really cares?)
So, where is Quantic who removed his location hiding? It takes a whole day to read two threads? Or one whole day to "formulate" a response? I usually don't "formulate", I usually just respond.
Waiting for this answer and the one on the sister/brother thread »eAnthology -- It takes a disaster to make a woman out of a female |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Name Game said by Name Game : 7.What is going on here at this link about your products?
Mysterious "spam"
»news.spamcop.net/pipermail/spamc···035.html
_____________________________
8. When people go here to read about your stop sign..why do they instantly get the popup in their face to download it 2 seconds later.
»www.stop-sign.com/?pg=eanthology···ne&clk=1
RE: Number 8.
To clear up any confusion..that link..is not any click through on anything... Nothing to do with their ad or the crazy little tests they have for you.
It came from the action of anyone just going to their Home page »www.stop-sign.com/
Trying to find out what this thing is all about.
EANTHOLOGY SUPPORT SUBSCRIBE DOWNLOAD
Then hitting the TAB button on the top of that page called DOWNLOAD.
That's it. You get the popup to download and you can not even read the page called download and find out anything about the product. On that page they do have reference to DR WEB and some other info. But you can not read it because the Popup to download it is right in your face. If you do not hit the cancel button but rather the close X it will start downloading the whole thing on your system. Then you will see that on this page there is a download NOW button...too late..they have the page hooked to the click through.
That is despicable.
And if you hit the button called SUBSCRIBE..you get another Popup..you can not read about this product and find out what it is all about to even subscribe..and that is why so many people still have questions in the other thread at this forum called eAnthology. No one even knows what the whole program plan they offer is all about until you have a PC full of their downloads and then you have to struggle to clean them off. |
|
  Ginger5 Premium join:2002-03-24 Madison, WI | reply to CalamityJane Jane, stick a fork in me; I'm done  -- We tweak it because it's there. |
|
  Ginger5 Premium join:2002-03-24 Madison, WI
·Charter Pipeline
| reply to Quantic "Quantic Posts: 13 Joined 09-23-2002
In response to Ginger: Good morning all. I want to thank you for the warm welcome I received yesterday but neglected to mention in my tired state. Now I am refreshed and it would appear time to answer some more concerns.
1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.
2) They see one of our banners,....
First - We use a 3rd party scanner engine...."
Mods (ahem) ?? -- We tweak it because it's there. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Ginger5 Ginger,
The saga continues here (and has instructions by Name Game & Guycad on how to get OFF your friend's machine) »eAnthology -- It takes a disaster to make a woman out of a female |
|
  Ginger5 Premium join:2002-03-24 Madison, WI | reply to CalamityJane Interesting... |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Ginger5 Gee...downloading your program and never even once said "Yes".
P.S. I recreated this event from the website she was at and got the popup ad. NEVER ONCE DID I HIT A SCAN NOW BUTTON....just the ad to close it. -- It takes a disaster to make a woman out of a female [text was edited by author 2002-09-24 17:37:41] |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Quantic said by Quantic :
Concerning the question of how they get our software. There are only three ways they can get it. There are NO OTHER options.
1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.
2) They see one of our banners, click through, and it takes them to our download pages.
3) They visit other download sites where we have affiliates with, and they download from there.
Here's how my neighbor just got HIJACKED by one of your "banners". She was at a genealogy website "Find A Grave" (yes, one frequented by seniors).....Got a pop up ad. See picture one. See the little "x" to "close" the annoying ad? She clicked that and got....taken to your website instead »defender.veloz.com/dlp_ban/dlp_b···r=online
Ok- tried to use the back key to go back to the original Find A Grave site she was on and Voila, see picture #two. Before that could fully load, she got the following warning from her firewall (see my next post) -- It takes a disaster to make a woman out of a female [text was edited by author 2002-09-24 18:13:53] |
|
  davidovv
join:2001-06-19 Netherlands
| reply to Quantic Hope you don't mind interfering here. As for Dr.Web, one should address first and foremost their actual home page:
»www.dials.ru/english/home.htm
No offense, Quantic - but IMO that's where those interested in this AV should go to - the real source.
regards.
paul wilders
»www.wilders.org security |
|
  sig Premium join:2001-05-05 | reply to Quantic Frankly, no that doesn't address my concern since your product still is not Dr. Web and has not received the VB 100% award. I've responded more fully in the other thread. |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to Ginger5 Apparently Quantic borrowed the description of trojan.apex.10 from Trend:
Aliases: WORM_APLORE.A, APLORE.A, Worm.PSecure, APLORE, Aphex, Apex
WORM_APLORE.A - Description and solution »www.trendmicro.com/vinfo/virusen···APLORE.A
This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.
Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to users connected to the same Internet Relay Chat (IRC) channel as its infected user. :) |
|
 Quantic
join:2002-09-23
| reply to Ginger5 Sig:
The reference is the scanner engine we use. The Dr. Web scanner engine is made by Dialogue Science. They received the VB 100% award for the Dr. Web engine. We use that same engine and added some additional features and enhancements, but the core is the same. Hence the VB 100% award.
Does this explain your concern? |
|
  sig Premium join:2001-05-05
| reply to Quantic En route to perfection in regards to your product (certainly something I would encourage) and given whatever bad press your company has received, you might also want to clarify on your site that the use of the Virus Bulletin 100 % logo on your subscribe/purchase pages does not imply that your product has received a VB 100% award. Unsophisticated and unknowing users might see that logo on your site and mistakenly infer that Stop-Sign has received such a performance rating or some other endorsement from the VB. Or, simply remove the VB logo and thus ensure no such mistaken inference is possible.
»eAnthology |
|
 Quantic
join:2002-09-23
| reply to Ginger5 Good morning all.
I want to thank you for the warm welcome I received yesterday but neglected to mention in my tired state. Now I am refreshed and it would appear time to answer some more concerns.
First - We use a 3rd party scanner engine made by www.drweb32.com
Whatever terms they use for their viruses is entirely up to them. As Randy pointed out, even Symantec has troubles classifying the same things as other people. Here is an analogy, albeit maybe a bad one, but an analogy nonetheless.
The differences between GM cars in parts are negligent. Most are the exact same thing, the exact same part, but yet the GM makers have different names for each of them for each automobile maker. Think of this in terms of the AV side. The scanners all work in approximately the same way, but we have different names for each of the viruses, and definitions. Bad analogy? Maybe.
Concerning the question of how they get our software. There are only three ways they can get it. There are NO OTHER options.
1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.
2) They see one of our banners, click through, and it takes them to our download pages.
3) They visit other download sites where we have affiliates with, and they download from there.
Concerning bad press: Yes we received quite a bit of bad press that we are reeling from, and working diligently to fix. We have made great strides in our software to ensure it works with every Windows OS, and is compatible with the competition. There are still a few bugs that need to be worked out, but we know about most of them, and are making changes as we speak.
We are not perfect, but we have that goal in mind. |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Ginger5 Nice examples Randy...but we are talking about Aplore here and nothing else. They can call it Apex if they wish...but when a user or potential user of their product gets a message from this product or download it should be accurate in the wording it uses..to ask someone if they wish to clean off a trojan is a lot different than a virus or worm..unless we are going to start changing definitions of the terms..but the biggest problem is the way people have ended up with this software on their PC with the ad campaign and never wanted it in the first place.
I have no grudge against this venture personally..but I have many email from confused people who keep on asking me what this thing is all about..how did it get on their system..and what they should do because their own AV/AT tells them their PC is just fine..and working with them I have found that they are right. The other group are older people who are very confused and they feel intimidated..others helpless for they are trying to do the right thing to protect their PC and the friends they email with. I think it all very unfair.
These people only do email and do not visit many sites, are not into P2P or chats and their PC's have not been compromised. |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to Name Game said by Name Game: is not Aplore a worm or is it a trojan?
I've noticed the same problem with some malware: there seems to be a fuzzy line between a worm and a trojan. One such example I came across was the nautical worm:
Symantec Security Response - W32.HLLW.Nautic »securityresponse.symantec.com/av···tic.html
Also Known As: BKDR_NAUTIC.A [Trend], Worm.Win32.Nautical [AVP]
Note Trend's detection as BKDR_NAUTIC.A, suggesting a backdoor trojan. Computer Associates lists one alias as Backdoor/Nautical.Server, also suggesting a trojan.
Nautical comes in a zipfile package containing a "server" and "client" part: nautical.exe and client.exe. NAV detects the client part as Backdoor.Trojan.Client, suggesting that nautical is a trojan.
KAV detects both client and server parts as Worm.Win32.Nautical. eTrust detects the server as a worm named Win32.Calinaut. But F-Prot detects it as "security risk or backdoor/trojan".
Computer Associates (eTrust) states: Win32.Calinaut is a worm that spreads by creating network shares on the local machine and then offering itself enticingly. It can also exhibit backdoor like functionality.
So we get conflicting messages from the names and descriptions given this malware by various vendors. I'm wondering whether the same confusion applies here, with W32/Lastscene@mm TROJ_SCENES detected by Sophos.
If we call this thing a worm, note that it also apparently contains a dropper for two trojans, Troj/Optix-03-C and Troj/WebDL-E. So it contains the functionality of both a worm and a trojan, which is confusing. :)
[text was edited by author 2002-09-24 06:49:33] |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Ginger5 I would also like to talk to you about the user who "had" QO WebDL on their system in this thread...I posted the definition of it in a previous post in this thread...you also then gave your understanding of it in your 2) above.
I question it..for it is not completely accurate..this is a better one. For Lastscene. But if you read the whole thing.
How could "Troj/WebDL-E" even have been on that person's system????
Why did not your program just call it Lastscene????
Also..is not Aplore a worm or is it a trojan?
_____________________________________________
W32/Lastscene@mm TROJ_SCENES
Type: Visual Basic Script worm
Detection: Detected by Sophos Anti-Virus since January 2002.
Description: VBS/RTF-Senecs arrives in an email message with the following characteristics:
Subject: Scene from last weekend
Message: Please do not forward
Attachment: scenes.zip
The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable detected by Sophos Anti-Virus as Troj/Senecs using the IDE file for VBS/RTF-Senecs.
If the embedded executable is opened (run), it drops and runs a VBS file which attempts to send scenes.zip to all contacts from the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans, Troj/Optix-03-C and Troj/WebDL-E. Both Trojans are detected using the IDE file for VBS/RTF-Senecs.
Troj/Optix-03-C is a backdoor Trojan that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the sub-directory \OleFiles\, moves itself there and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = \OleFiles\.
This ensures that the server process is run automatically each time the machine is restarted.
Troj/WebDL-E attempts to download and run a program from a tripod.com website. The downloaded program is the Troj/Sub7-21-I backdoor Trojan. Troj/WebDL-E will also attempt to send a success notification message to an ICQ account. After running, the Trojan removes itself from the system. |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to Ginger5 As I suspected, all the major AVs detect the Yaha worm:
Sophos virus analysis: W32/Yaha-E »www.sophos.com/virusinfo/analyse···hae.html
Trend Micro: WORM_YAHA.E »www.trendmicro.com/vinfo/virusen···M_YAHA.E
McAfee - AVERT: W32/Yaha.g@MM »vil.nai.com/vil/content/v_99528.htm
F-Secure Computer Virus Information Pages: Yaha.E »www.f-secure.com/v-descs/yaha_e.shtml
Antivirus - Security - Norman: W32/Yaha.E@mm »www.norman.com/virus_info/w32_ya···mm.shtml
Panda Software: W32/Lentin.E »www.pandasoftware.es/library/W32···E_en.htm
Symantec Security Response - W32.Yaha.E@mm »securityresponse.symantec.com/av···@mm.html
Computer Associates: Win32.Yaha.D »www3.ca.com/virusinfo/Virus.asp?ID=11900
Kaspersky Labs: I-Worm.Lentin (aka Yaha) »master-ve.kaspersky-labs.com/vir···id=49928
[text was edited by author 2002-09-24 06:37:42] |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to Ginger5 Symantec Security Response - W32.LastScene@mm »www.symantec.com/avcenter/venc/d···@mm.html
McAfee - AVERT: W32/LastScene.a@MM »vil.nai.com/vil/content/v_99299.htm
VBS/LastScene »www.vsantivirus.com/lastscene.htm Translation: »translate.google.com/translate?h···%3DUTF-8
VBS/Couple.A (VBS/LastScene.B) »www.vsantivirus.com/couple-a.htm Translation: »translate.google.com/translate?h···%3DUTF-8
There are several other references to this worm, but they are unfortunately not translated into English. |
|