dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
2459
share rss forum feed


ninersfan

join:2001-02-09
Castro Valley, CA

New Kazaa Magic Eightball Virus deletes MP3s

Wonder if this is a New RIAA tactic to piss-off file-swappers?
Found on Zeropaid:
posted on November 27, 2002 @ 10:52am

»www.zeropaid.com/news/articles/a···002b.php
Download the latest skin from KaZaA and you won't get a slick-looking piece of software. Instead, you'll install a virus that wipes out your music files. See what happened to our files when we tried installing the skin, tonight on "Tech Live."

Two viewers tipped us to the file, called the Magic Eightball skin. It comes as a Zip file named eightball2.zip. Once opened, the program executes on some systems, erasing music files and causing system crashes, the viewers said.

We found the skin by searching the term "eightball skin" on KaZaA. The Zip file did not execute on a Windows 98 SE machine, saying it was missing a required DLL file. But on a Windows XP machine, the file executed and popped up a dialog box asking if we wanted to "see some magic."

We clicked on Yes and five more dialog boxes popped up, each one counting down: five, four, three, two, and then one.

When we finished, all of the MP3 files stored on our system were gone. The system began popping up error messages, and we had to reboot the machine.

Read the whole story here.

So far the major antivirus companies have not addressed this particular trojan. For now, don't search for or download any KaZaA skins named Eightball.



Xstealth

join:2002-03-19
Chicago, IL

Damn........these Ridiculously Ignorant Assholes of America(RIAA), just have nothing else better to do.....do they. Get a life you fools!!
--
I am 'The Wise' as what I speak reaches further than the abyss of space.



corster
Premium
join:2002-02-23
Gatineau, QC

1 recommendation

reply to ninersfan

Click for full size
McAfee now detects it
Proof and Version showen.
»vil.mcafee.com/dispVirus.asp?virus_k=99823


corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

Not in Norton's VIL yet.



jaina
Premium
join:2001-09-04
Westfield, IN

Geesh, what will they think of next?



corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

I have always hated McAfee, but for once I was glad I had it! I had actually downloaded the Skin on my norton computer and extracted it. It didn't catch.
Then I downloaded it on my McAfee Computer and it caught it.



corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

and my McAfee caught SubSeven and when it couldn't clean it or delete it, it quarintined it. My Norton just halted my computer!



ninersfan

join:2001-02-09
Castro Valley, CA

said by corster:
and my McAfee caught SubSeven and when it couldn't clean it or delete it, it quarintined it. My Norton just halted my computer!
Did you have your Norton updated with the 11/27/02 definitions?

Unfortunately, I didn't get a chance to track this down further yesterday as was busy with gobble, gobble

Apparently, Norton was offering protection from this virus (trojan) all along, just by a different name as is usually the case with Symantec. Had me a little concerned as Symantec has always been a step ahead of McAfee in the past on newly spreading threats.

Still, this is another example of the need for *everyone* to keep their antivirus definitions up to date as you never know what lurks out there.

FWIW, Symantec has named this one: W32.Darkgoose.Trojan
(I think someone has a sense of humour there too

http://securityresponse.symantec.com/avcenter/venc/data/w32.darkgoose.trojan.html

said by Mcafee:

When run, the trojan creates a batch file on the root of the C:\ drive, Abracadabra.bat. This batch file contains instructions to delete all files in the following directories and subdirectories:

Looks to be the same description as the one in Symantec's link above.

said by Symantec:

When it is executed, W32.Darkgoose.Trojan creates the file C:\Abracadabra.bat

This batch file contains instructions to delete all files from these folders:

C:\
C:\Windows
C:\Windows\System
C:\Windows\System32

Now I had previously found the file eightball2.zip on KaZaA and downloaded it, was planning to submit to Symantec if necessary, but decided then to just delete instead.

I could always test it with the current definitions, now I've found that Norton doesn't detect viruses in compressed files on download, but seems to check only on a manual scan or when unzipping.

Anyway, the Virus Definitions (Intelligent Updater) * November 27, 2002
and
Virus Definitions (LiveUpdate™) **
November 27, 2002


offer the needed protection so it looks like we can relax on this one, but who know's what's next...stay tuned
--
Opinions are like ?ssholes. Everybody has one. — “Dirty Harry”.


Xstealth

join:2002-03-19
Chicago, IL


Niner, I use Ontrack SystemSuite. When I do a full scan,(uh....yes...I update regularly), I get the same thing about zipped files, they can't be scanned, but the program says that they are likely low risk. So, what do I do about all these zipped files that are considered low risk by the program, yet are of atleast some considerable risk in my opinion.
--
I am 'The Wise' as what I speak reaches further than the abyss of space.



ninersfan

join:2001-02-09
Castro Valley, CA

Click for full size
Click for full size
said by Xstealth:

Niner, I use Ontrack SystemSuite. When I do a full scan,(uh....yes...I update regularly), I get the same thing about zipped files, they can't be scanned, but the program says that they are likely low risk. So, what do I do about all these zipped files that are considered low risk by the program, yet are of atleast some considerable risk in my opinion.

Interesting, as I have Ontrack SystemSuite v4.0 myself (and use that antivirus as my backup for an alternate system scan), just I don't keep it memory resident as it's never recommended to have two memory resident antivirus scanners.

Anyway, to answer your question...Personally, I think Ontrack (Trend Micro is providing the antivirus engine here) is in the same class/category of Symantec and McAfee in regards to releasing protection against whatever the threat dujour is so to speak, but to be extra safe...the best way to scan a recently downloaded (questionable) file is both before and after un-compressing.

The act of uncompressing a file in itself is low-risk as they are not able to "self-execute", but that normally must be done by the user too.

Personally, I try to take the added precaution if I'm ever downloading the theoretically more risky type files of at least waiting a few or more days (especially over long holiday weekend periods) before accessing the recently downloaded file. This gives the added benefit of allowing whichever antivirus flavor you choose to use the opportunity of becoming aware of the latest threat and including the protection in their most recently issued definitions.

Note that in System Suite 4.0 there are configuration options to scan in archives (meaning compressed files), so you may want to check that box for default scanning anyway.

I believe though that this is a variation in the "on demand" type scanning as opposed to a full system scan which may not be scanning compressed files, which for all practical purposes are low risk until uncompressed.

For testing purposes myself, I have some zipped klez samples on my machine which are of no worry to me whatsoever...just wouldn't want to unzip them accidentally and leave them sitting around that way if you know what I mean.

[text was edited by author 2002-11-29 18:43:05]


corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

Also set up your WinRAR,WinZip,and WinAce to scan using your Virus Scanner.



corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

and ninersfan, McAfee had the virus in the vil 1 day earlier, and Norton Defs come out at 10:30pm EST.



corster
Premium
join:2002-02-23
Gatineau, QC
reply to ninersfan

And also, the One in TechTV's article only deletes MP3s. The one on McAfee and Norton's sites delete windows.

A lesson to learn for people who download skins:
Only Download Skins with the Altnet Yellow Symbol



ninersfan

join:2001-02-09
Castro Valley, CA

said by corster:
A lesson to learn for people who download skins:
Only Download Skins with the Altnet Yellow Symbol
That suggestion will mean no skins for anyone using the supertrick (hosts file) as altnet is totally disabled for those users due to privacy concerns with altnet and other malware possibilities.

My alternative of downloading whatever skin you like and not installing for at least 2-3 days will offer reasonable protection for users with up-to-date antivirus definitions.

(an anti trojan such as trojan hunter helps even more in this regard).


Xstealth

join:2002-03-19
Chicago, IL

Niner, I took a look at that option for scanning into zipped files and it turned out that I didn't have it checked......I do now. Funny though, now that I think about it, I usually manually scan all files that I download outside of the full scan to keep a check on my entire system. So, it may very well be that those files that are declared unscanable by the program, have, indeed, actually been scanned by me manually already, all due to the fact that I didn't have that option checked......heh. Thanks for pointing that out.
--
I am 'The Wise' as what I speak reaches further than the abyss of space.