Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
|  reply to Ginger5
Re: Virus/Trojan Help Needed
LOL...Randy did you ever think about searching your own DSLR Forum instead of Google?????»Help! Possible trojan/back door
And what is this "nice find" stuff ????
[text was edited by author 2002-09-23 22:20:19] |
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| Yeh, I should have searched DSLR rather than Google:
Hmmm...klimax says that The Cleaner detected YAB on his system: »Help! Possible trojan/back door
But this could be a variant of YAB undetected by Moosoft.  :)
[text was edited by author 2002-09-23 22:54:43] |
|
Quantic
join:2002-09-23
| reply to Ginger5
Good day all.
I would like to take this opportunity to put to rest any questions you may have concerning the eAnthology software as I will be acting as a representative for eAcceleration Software, the makers of the eAnthology suite, and most notably, the Stop-Sign Personal Alarm service.
A little history here if you will:
Stop-Sign is an "on command" virus scanning utility. This means that it will scan your computer for viruses only when you run it, there-by minimizing the draw on your system's resources. When the full version of scanner (available
only by subscribing to eAnthology) detects a virus, it will cure or eliminate it if possible, or quarantine it, thus preventing the virus from causing your computer any further harm. If it can do nothing else, the Stop-Sign scanner
will alert you to the possiblity of a virus or threat. In addition to alerting you, if your computer is connected to the internet when the scan is run, Stop-Sign will automatically send the results of the scan to eAnthology Customer Support Team. We are notified of the results of the scan and can respond immediately with the correct action if any is needed.
* The trial version of the virus scanner is meant to give prospective customers a look at the functionality and interface of the software. It will perform only
a light scan of your system and is unable to "cure" any viruses it may find.
I hope this gives you a better understanding of our product, service and support.
Now, on to the viruses:
trojan.apex.10
Apex: WORM_APLORE.A
Risk rating:
Virus type: Worm
Destructive: No
Aliases:
APLORE.A, Worm.PSecure, APLORE, Aphex, Apex
Description:
This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.
Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to to users connected to the same Internet Relay Chat (IRC) channel as its infected user.
trojan.ie.start
Description:
This Visual Basic Script Trojan modifies the Internet Explorer startup page link to connect to »www.passthison.com/r1/?did-you-w···his-time, or any other url designated by the code modifier. It does not have a destructive payload, just causes an annoyance.
trojan.yab.20
Aliases:
Yaha, module of Yaha
Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.
It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.
Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you. Here is a link to our virus engine if you would like to peruse around.
»www.drweb32.com/
Here is another link done by a 3rd party comparing each engine and how it rates. Click on the link that points to Dialogue Science.
»www.virusbtn.com/vb100/archives/products.xml
I hope this helps to answer any questions you may have had on this subject. Please feel free to respond with any more questions/concerns, and I will address them directly. |
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| said by Quantic  :
trojan.yab.20
Aliases:
Yaha, module of Yaha
Description:
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.
It copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.
Those are what we have for the particular viruses. Now let us address why maybe Norton, McAfee, Trend-Micro doesn't detect them? Good question, I do not have the answer for you.
Norton detects six variants of Yaha, and I'm sure the others you mentioned (McAfee and Trend) detect it too. What I didn't know was that Yaha is related to YAB.
Symantec Security Response - W32.Yaha@mm
»securityresponse.symantec.com/av···@mm.html
Welcome to dslreports, Quantic!! :) |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to Ginger5
Yes.
1.What is "QO WebDL" and do you think that gingers friend had all those problems on one system?
2. Does you software require all that constant connection to sites and if so what is it doing?
3. Does your software contain what they call in this forum spyware?
4. Does your software clean all trojans off a system?
5.Why do you use names for these trojans that are not common to other AV/AT?
[text was edited by author 2002-09-23 23:22:03] |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to Ginger5
7.What is going on here at this link about your products?
Mysterious "spam"
»news.spamcop.net/pipermail/spamc···035.html
_____________________________
8. When people go here to read about your stop sign..why do they instantly get the popup in their face to download it 2 seconds later.
»www.stop-sign.com/?pg=eanthology···ne&clk=1 |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to Ginger5
This is your T and C page...besides the below statment...I have read it all before..I think it stink..and you can not be serious about half the stuff you have there>
Installation may also include the eAcceleration Download Receiver or other Provider free software. End Users also agree to allow Provider to display online advertising for our own products, if they are not paid subscribers.
»www.eanthology.net/legal/sa/ |
|
Quantic
join:2002-09-23
| reply to Ginger5
Name Game:
Let me attempt to answer each of these questions in full before we move on to the next. Bear with me, as one of my previous posts had to be shortened to get in under the preview, so let's give it a shot.
1) What is QO WebDL?
Alias: VBS_LastScene, Troj_LastScene, Win32/LastScene.A, VBS/LastScene@MM, Win32.LastScene@mm
Category: VB Script, Win32
Type: Worm
Alert: Low
Characteristics:
QO WebDL is an e-mail worm that uses Microsoft Outlook to spread.
The worm arrives attached to an e-mail with the following Subject line:
"Scene from last weekend."
and a message body that reads:
"Please do not forward!!!"
The attached file is a ZIP archive named:
“scenes.zip”
Inside the ZIP archive, there is one RTF document called: “scenes.wri”. In the standard Windows installation, files with the extension “wri” are associated with the WordPad application. When a user opens this file he/she will be presented with the following display:
Opening the embedded object represented by the right icon (scene2.jpg) opens an embedded picture and does not perform any malicious operation.
However, following the left link (scenes1.jpg) results in running an embedded malicious Win32 executable program (detected as Win32.Scene worm). This program carries and installs Win32.Optix.02 backdoor and drops WebDL.C Trojan (when executed this Trojan downloads another backdoor: Win32.SubSeven.21.B).
The Optix backdoor is located in the file: “%Windows\OleFiles\realupdt.exe” and the registry is modified in order to load the backdoor at the system start-up.
Also it drops and executes a VB Script, which uses Microsoft Outlook to e-mail copies of the worm (scenes.zip) to all entries located in all Address Lists.
In order to distract a user from all its background activity, the worm displays yet another picture:
It is important to note that the worm cannot spread automatically and requires a lot of user ‘co-operation’. Pre-viewing, opening an e-mail or even clicking on the attachment will not result in the execution of any malicious code. A user must click on the left icon shown in the WordPad document in order to trigger the worm replication.
Additionally the “scenes.zip” must be located in the Windows Temp directory in order to send e-mails with any attachments (otherwise e-mails will not spread worm files).
2) Our software requires a connection to check for virus definition updates, or newer versions of the scanner engine, or eanthology manager application.
3) The only "spyware" that may be contained within our software is the ability to check for virus definitions, check for user status (premium, vip account status), and the ability to send the scan results to our support department. Any other claim is false.
4) We do our very best to clean all viruses we detect off an infected machine. Some viruses, as you may already know, require some manual intervention. That is where our support department comes in.
Continue on next thread. |
|
Quantic
join:2002-09-23
| reply to Ginger5
Continued:
5) Why do you use names for these trojans that are not common to other AV/AT?
Our scanner engine comes from:
»www.drweb32.com/
The names they choose for detecting their viruses is entirely up to them. We add aliases in the software for common known file type names however.
6) There is no 6. 8)
7) Mysterious spam question.
Let me give you a little insight. We are a new company in this field. The spam that was mentioned was when we had a bug in our mailing system and sent our marketing email to users several times within minutes of each other. It was an honest to gosh mess and we have paid dearly for the mistake. Once branded as a "spammer" and it is difficult to remove the brand. That issue has been fixed, just an FYI.
8) Can you point out the exact steps to get to that link? It is treating it as a click through to download the scan. |
|
Quantic
join:2002-09-23 | reply to Ginger5
Our Terms and Conditions:
They are in the process of being drastically changed. They were written at the begining of our company's switch to the AV market, and we realize that things have changed since then. |
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| reply to Ginger5
Symantec Security Response - W32.LastScene@mm
»www.symantec.com/avcenter/venc/d···@mm.html
McAfee - AVERT: W32/LastScene.a@MM
»vil.nai.com/vil/content/v_99299.htm
VBS/LastScene
»www.vsantivirus.com/lastscene.htm
Translation: »translate.google.com/translate?h···%3DUTF-8
VBS/Couple.A (VBS/LastScene.B)
»www.vsantivirus.com/couple-a.htm
Translation: »translate.google.com/translate?h···%3DUTF-8
There are several other references to this worm, but they are unfortunately not translated into English. |
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| reply to Ginger5
As I suspected, all the major AVs detect the Yaha worm:
Sophos virus analysis: W32/Yaha-E
»www.sophos.com/virusinfo/analyse···hae.html
Trend Micro: WORM_YAHA.E
»www.trendmicro.com/vinfo/virusen···M_YAHA.E
McAfee - AVERT: W32/Yaha.g@MM
»vil.nai.com/vil/content/v_99528.htm
F-Secure Computer Virus Information Pages: Yaha.E
»www.f-secure.com/v-descs/yaha_e.shtml
Antivirus - Security - Norman: W32/Yaha.E@mm
»www.norman.com/virus_info/w32_ya···mm.shtml
Panda Software: W32/Lentin.E
»www.pandasoftware.es/library/W32···E_en.htm
Symantec Security Response - W32.Yaha.E@mm
»securityresponse.symantec.com/av···@mm.html
Computer Associates: Win32.Yaha.D
»www3.ca.com/virusinfo/Virus.asp?ID=11900
Kaspersky Labs: I-Worm.Lentin (aka Yaha)
»master-ve.kaspersky-labs.com/vir···id=49928
[text was edited by author 2002-09-24 06:37:42] |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to Ginger5
I would also like to talk to you about the user who "had" QO WebDL on their system in this thread...I posted the definition of it in a previous post in this thread...you also then gave your understanding of it in your 2) above.
I question it..for it is not completely accurate..this is a better one. For Lastscene. But if you read the whole thing.
How could "Troj/WebDL-E" even have been on that person system????
Why did not your program just call it Lastscene????
Also..is not Aplore a worm or is it a trojan?
_____________________________________________
W32/Lastscene@mm TROJ_SCENES
Type
Visual Basic Script worm
Detection
Detected by Sophos Anti-Virus since January 2002.
Description
VBS/RTF-Senecs arrives in an email message with the following characteristics:
Subject: Scene from last weekend
Message: Please do not forward
Attachment: scenes.zip
The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable detected by Sophos Anti-Virus as Troj/Senecs using the IDE file for VBS/RTF-Senecs.
If the embedded executable is opened (run), it drops and runs a VBS file which attempts to send scenes.zip to all contacts from the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans, Troj/Optix-03-C and Troj/WebDL-E. Both Trojans are detected using the IDE file for VBS/RTF-Senecs.
Troj/Optix-03-C is a backdoor Trojan that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the sub-directory \OleFiles\, moves itself there and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = \OleFiles\.
This ensures that the server process is run automatically each time the machine is restarted.
Troj/WebDL-E attempts to download and run a program from a tripod.com website. The downloaded program is the Troj/Sub7-21-I backdoor Trojan. Troj/WebDL-E will also attempt to send a success notification message to an ICQ account. After running, the Trojan removes itself from the system.
|
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| said by Name Game:
is not Aplore a worm or is it a trojan?
I've noticed the same problem with some malware: there seems to be a fuzzy line between a worm and a trojan. One such example I came across was the nautical worm:
Symantec Security Response - W32.HLLW.Nautic
»securityresponse.symantec.com/av···tic.html
Also Known As: BKDR_NAUTIC.A [Trend], Worm.Win32.Nautical [AVP]
Note Trend's detection as BKDR_NAUTIC.A, suggesting a backdoor trojan. Computer Associates lists one alias as Backdoor/Nautical.Server, also suggesting a trojan.
Nautical comes in a zipfile package containing a "server" and "client" part: nautical.exe and client.exe. NAV detects the client part as Backdoor.Trojan.Client, suggesting that nautical is a trojan.
KAV detects both client and server parts as Worm.Win32.Nautical. eTrust detects the server as a worm named Win32.Calinaut. But F-Prot detects it as "security risk or backdoor/trojan".
Computer Associates (eTrust) states: Win32.Calinaut is a worm that spreads by creating network shares on the local machine and then offering itself enticingly. It can also exhibit backdoor like functionality.
So we get conflicting messages from the names and descriptions given this malware by various vendors. I'm wondering whether the same confusion applies here, with W32/Lastscene@mm TROJ_SCENES detected by Sophos.
If we call this thing a worm, note that it also apparently contains a dropper for two trojans, Troj/Optix-03-C and Troj/WebDL-E. So it contains the functionality of both a worm and a trojan, which is confusing. :)
[text was edited by author 2002-09-24 06:49:33] |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to Ginger5
Nice examples Randy...but we are talking about Aplore here and nothing else. They can call it Apex if they wish...but when a user or potential user of their product gets a message from this product or download it should be accurate in the wording it uses..to ask someone if the wish to clean off a trojan is a lot different than a virus or worm..unless we are going to start changing definitions of the terms..but the biggest problem is the way people have ended up with this software on their PC with the ad campaign and never wanted it in the first place.
I have no grudge against this venture personally..but I have many email from confused people who keep on asking me what this thing is all about..how did it get on their system..and what they should do because their own AV/AT tells them their PC is just fine..and working with them I have found that they are right. The other group are older people who are very confused and the feel intimidated..others helpless for they are trying to do the right thing to protect their PC and the friends they email with. I think it all very unfair.
These people only do email and do not visit many sites, are not into P2P or chats and their PC's have not been compromized. |
|
Quantic
join:2002-09-23
| reply to Ginger5
Good morning all.
I want to thank you fgor the warm welcome I received yesterday but neglected to mention in my tired state. Now I am refreshed and it would appear time to answer some more concerns.
First - We use a 3rd party scanner engine made by www.drweb32.com
Whatever terms they use for their viruses is entirely up to them. As Randy pointed out, even Symantec has troubles classifying the same things as other people. Here is an analogy, albeit maybe a bad one, but an analogy nonetheless.
The differences between GM cars in parts are negligent. Most are the exact same thing, the exact same part, but yet the GM makers have different names for each of them for each automobile maker. Think of this in terms of the AV side. The scanners all work in approximately same way, but we have different names for each of the viruses, and definitions. Bad analogy? Maybe.
Concerning the question of how they get our software. There are only three ways they can get it. There are NO OTHER options.
1) We are often bundled with File-sharing programs like I-Mesh, AudioGalaxy, etc. When people accept the user agreement, they also accept the user agreements for all other software bundled in the same package.
2) They see one of our banners, click through, and it takes them to our download pages.
3) They visit other download sites where we have affiliates with, and they download from there.
Concerning bad press: Yes we received quite a bit of bad press that we are reeling from, and working diligently to fix. We have made great strides in our software to ensure it works with every Windows OS, and is compatible with the competition. There are still a few bugs that needs to be worked out, but we know about most of them, and are making changes as we speak.
We are not perfect, but we have that goal in mind. |
|
sig
Premium
join:2001-05-05
| En route to perfection in regards to your product (certainly something I would encourage) and given whatever bad press your company has received, you might also want to clarify on your site that the use of the Virus Bulletin 100 % logo on your subscribe/purchase pages does not imply that your product has received a VB 100% award. Unsophisticated and unknowing users might see that logo on your site and mistakenly infer that Stop-Sign has received such a performance rating or some other endorsement from the VB. Or, simply remove the VB logo and thus ensure no such mistaken inference is possible.
»eAnthology |
|
Quantic
join:2002-09-23
| reply to Ginger5
Sig:
The reference is the scanner engine we use. The Dr. Web scanner engine is made by Dialogue Science. They received the VB 100% award for the Dr. Web engine. We use that same engine and added some additional features and enhancements, but the core is the same. Hence the VB 100% award.
Does this explain your concern? |
|
Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
| reply to Ginger5
Apparently Quantic borrowed the description of trojan.apex.10 from Trend:
Aliases: WORM_APLORE.A, APLORE.A, Worm.PSecure, APLORE, Aphex, Apex
WORM_APLORE.A - Description and solution
»www.trendmicro.com/vinfo/virusen···APLORE.A
This UPX-compressed, mass-mailing worm uses Microsoft Outlook and Visual Basic Script (VBS) to propagate copies of itself via email. It originates from a malicious Web site that prompts a visiting user to download and execute its file, which is a malicious executable that displays a hoax message.
Upon execution, it creates an auto run key in the registry, drops other files, and copies itself into the System directory. Thereafter, it stays in memory and sends advertising messages to to users connected to the same Internet Relay Chat (IRC) channel as its infected user. :) |
|
sig
Premium
join:2001-05-05 | reply to Quantic
Frankly, no that doesn't address my concern since your product still is not Dr. Web and has not received the VB 100% award. I've responded more fully in the other thread. |
|
