bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

roimoi trojan?

Several complaints have surfaced about this. The suggestion in the Newsgroups was that this roimoi trojan was deliberately introduced, along with a list of others, to sell a specific tool to remove it for $$$?

Google Groups, "roimoi"

Very odd.

Seems that it is being distributed through the eDonkey/eMule network in popular video files.

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

Re: roimoi trojan?

BOClean will remove it for me without the need for any further removal tool.

tataye

join:2003-12-15
Who in the hell will buy an antiroimoi tool LOL
--
beast father

gkweb

join:2003-06-09
76800
I wonder if the author of this trojan is French, because it could mean "I'm a king", literally "king me".

Maybe a coincidence.

Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
Never heard of it, or perhaps it goes by another name. Sounds more like spyware than a Trojan from what I read; again, I haven't seen one, so I don't know for sure.
--
Spam Officially Legal

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

roimoi (yes, vague French for "I am King") pegs the user's explorer.exe at nearly 99% CPU utilization.

It is not caught by AV scans, or SpyBot; and Hijack does not note anything interesting about it.

What is fascinating is that there is a strong suggestion in the newsgroups that the program was written by a single malware cleaner program to promote its products.

This could be completely unfair, but even the suggestion is an odd twist on things.

If not now, someday I suspect it will be true.
Schouw
Premium
join:2003-05-29
Netherlands

Re: roimoi trojan?

I have/had a sample of it..
I've seen TOO much this week..
KL detects it. (Or it was rejected because it was simply a badly coded file, can't recall correctly..)

Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
Can you send me a copy? I am 99% sure it's just spyware, but I will analyze it if you send me a copy.
--
Spam Officially Legal

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
Just saw another query about it. Must be spreading.
CWShredder and SpyBot, PestPatrol, and online AV scans right now do not notice it.

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

Don't have one, but will try.

Google "roimoi" and read the first three or four responses.

Google Groups, "roimoi" and see the newsgroup discussions. Fairly or unfairly, the consensus in the Northern European groups is that this was a deliberately created malware to sell a sole removal tool.

I tend not to believe conspiracy theories. But roimoi is certainly growing, and not "caught" by current freeware AV or spyware/adware tools.

Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
·Comcast

Re: roimoi trojan?

I read them only to conclude that BOClean released this Trojan; that makes no sense to me. BOClean made up the name of the file, sure; they probably got it from the registry entries.

I see no reason for BOClean to release a Trojan/Spyware, so I think people are mistaken. This is more than likely new spyware; nothing I read shows it to be anything but Spyware, and the Explorer high CPU is more than likely due to ads being displayed or downloaded.
--
Spam Officially Legal
Schouw
Premium
join:2003-05-29
Netherlands

I've taken a look at google.
Yes, this confirms the thoughts I had, I have the sample.

I had an argument about this with the analysts..
said by Sergey:
No, it is only buggy program.
Seems like I will have to convince him.

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
Vampirefo,

I agree it is unfair to nasclean, BOClean. Any additional information you can throw out will hopefully be caught by Google, and by me.

Bill Castner

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
Schouw,

You go guy.

This guy has no freeware removal opportunities at the moment, and really screws up a workstation.
Schouw
Premium
join:2003-05-29
Netherlands
From all cases I've seen where users couldn't access their 'windows explorer/my computer', it was all due to a dll.

Using HijackThis was the simplest way out.

Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV

1 edit

Re: roimoi trojan?

Schouw,

If you have a copy of this file, send it to me; I am sure I could make a remover for it.
--
Spam Officially Legal

Schouw
Premium
join:2003-05-29
Netherlands
Unfortunately I can't give out samples anymore...

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

Curiouser and curiouser. This is what "seemed" to work for some:

Safe Mode:

. Use Hijack and look for odd .dlls being loaded in the O4 HKEY RUN sequence. It is polymorphic, but they are .DLLs, and usually consist of mainly numbers.DLL;

. Registry search for "roimoi"; you should have one hit. Remove the key (likely, but not always, under an InProc32 subkey of a value);

. Search the registry for CLSID: {F9A06B36-C8C0-4644-9B5E-DBD82EB2E563} and delete the entry.

Reboot to normal mode.

This advice has worked, but this roimoi is odd, and the newsgroup reaction that it is a planted trojan decidedly very odd stuff.
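
The Safe Mode checklist above, turned into a log check, as an added example that is not from the thread or from any of the vendors named in it: it reads HijackThis O2 (BHO) and O4 (Run) lines, flags startup entries whose DLL filename is mostly digits, and flags any BHO registered under the CLSID quoted in the post. The sample log lines are constructed, not a real capture, and the HijackThis line format is assumed from the standard log layout.

```python
import re
from typing import Dict, List

# CLSID quoted in the post above for the roimoi registry entry.
ROIMOI_CLSID = "{F9A06B36-C8C0-4644-9B5E-DBD82EB2E563}"

# Constructed sample HijackThis log lines (not a real capture): two entries of the
# kind the checklist describes (digit-only DLL names, the roimoi CLSID) plus filler.
SAMPLE_LOG = r"""
O2 - BHO: Constructed Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\toolbar.dll
O2 - BHO: (no name) - {F9A06B36-C8C0-4644-9B5E-DBD82EB2E563} - C:\WINDOWS\System32\8472910.dll
O4 - HKLM\..\Run: [Updater] C:\Program Files\Vendor\updater.exe
O4 - HKLM\..\Run: [92710634] rundll32.exe C:\WINDOWS\System32\92710634.dll,DllRun
O4 - HKCU\..\Run: [Tray] C:\Program Files\Vendor\tray.exe
O4 - HKCU\..\Run: [upd] rundll32.exe C:\WINDOWS\5a1b2c3d.dll,Start
""".strip()

# HijackThis "O4 - HKLM\..\Run: [value name] command" and "O2 - BHO: name - {CLSID} - path".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
DLL_RE = re.compile(r"[^\s,]+\.dll\b", re.IGNORECASE)  # paths with spaces are not handled


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def digit_ratio(filename: str) -> float:
    """Fraction of the file stem (name without extension) made up of digits."""
    stem = filename.rsplit(".", 1)[0]
    return sum(ch.isdigit() for ch in stem) / len(stem) if stem else 0.0


def scan_hijackthis_log(text: str, clsid: str = ROIMOI_CLSID,
                        digit_threshold: float = 0.6) -> List[Dict]:
    """Return one finding per suspicious O2/O4 line, with the reasons it was flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            # Startup entry that loads a DLL (e.g. via rundll32) with a mostly numeric name.
            for dll in DLL_RE.findall(m.group("cmd")):
                ratio = digit_ratio(basename(dll))
                if ratio >= digit_threshold:
                    reasons.append(f"{m.group('hive')} Run entry loads {basename(dll)} ({ratio:.0%} digits)")
        m = O2_RE.match(line)
        if m:
            if m.group("clsid").upper() == clsid.upper():
                reasons.append(f"BHO registered under the roimoi CLSID {clsid}")
            ratio = digit_ratio(basename(m.group("path")))
            if ratio >= digit_threshold:
                reasons.append(f"BHO DLL {basename(m.group('path'))} ({ratio:.0%} digits)")
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Flagged lines are candidates for manual review, not an automatic verdict; the digit threshold is a heuristic and a hex-style name such as 5a1b2c3d.dll only trips it when the threshold is lowered.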

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

Re: roimoi trojan?

said by bcastner See Profile:

and the newsgroup reaction that it is a planted trojan decidedly very odd stuff.

Probably posted by a would-be competitor of NSClean to foment trouble.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY


screenshot of ROIMOI's code
It would appear as though this is yet another marketing ploy by an anti-trojan that "ONLY covers back doors" and markets by bashing any and all competition rather than fixing their own product. I wish I could say I was surprised, but I suppose it's OUR turn in the barrel this week instead of TDS.

The SCOOP - "ROIMOI" is "spyware" from an organization known as ROINGS.COM, found in many "freeware" items such as eDonkey and others, and also installed by "drive-by" websites.

The name "ROIMOI" was given to this particular item by the anti-spyware exchange, and is detected by a number of products including Norton antivirus. It is an executable "handler" which updates the BHO's and other hijackers and all of these are randomly named entities. It can bring a machine to its knees.

Samples of the "roings.com" hijackers have been provided far and wide to all in the anti-malware business, and the origin of this absolute nonsense would have known about this if they covered ALL trojans and not just a handful.

Sorry folks, but aren't we ALL getting tired of one particular vendor whose sole function seems to be the bashing of everybody else?
--
Kevin McAleavey support@nsclean.com http://www.nsclean.com/

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

John2g,

I do not doubt that the discussion so far is less than flattering, and I also do not doubt it is unfair. The problem is real, the source as being from NSClean is ridiculous. But this is what is being said, and the company should do something in response to the multiple Newsgroup postings.

To Schouw, I think you should get the .DLL very soon. At least it was promised that it would be sent to the address you provided in your IM.

Bill Castner

gkweb

join:2003-06-09
76800
Don't care, Kevin; everyone knows that BOClean is a good product and that you are honest and dedicated to your task.

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY


1 edit

Re: roimoi trojan?

Thanks for the kind words. Unfortunately, we've got WAY too many nasties to deal with (the past few weeks have been INSANE) and since we do spyware, worms, rootkits and many things in addition to backdoors, I haven't had time to exhale lately, much less visit the groups.

I can say this though, ALL of the newsgroups where this is apparently showing up (the "24hoursupport.helpdesk" in particular) are all the hangouts of a specific antitrojan vendor who is well known here - only difference is this time it's our turn to be "marketed against" by this ... "Evidence Eliminator" class competitor.

Anyone who DOES have some time is welcome to copy the picture I posted and the origin of this "trojan" (roings.com) over there if they're so inclined.

Samples of ROIMOI and other roings.com nasties have already been made available to our sharing group - any other "experts" can have a sample as well if they don't already have this one.
--
Kevin McAleavey support@nsclean.com
»www.nsclean.com/
Jooske

join:2002-05-19

Re: roimoi trojan?

Think it's clear enough the AT vendors are working really hard and are willing to share samples among them all to keep the internet clean. Stories like releasing nasties themselves should be put aside immediately, as the top notch software does not need such cheap tricks and it would put an even heavier load on cleaning out the users.
Gavin (DCS) reminded us the other day to please send samples any time of anything you find or that looks suspicious to you; better many doubles than one missed and a system damaged. (submit@diamondcs.com.au)

Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

Re: roimoi trojan?

There is also a direct e-mail link at the top of this forum to send malware samples to the vendors.
Submit Suspected Malware
Jooske

join:2002-05-19

Re: roimoi trojan?

Must be overlooking that, as I don't see that link you mention. Is TDS lab in the list of receivers?

sig
Premium
join:2001-05-05

Re: roimoi trojan?

said by Jooske See Profile:
Must be overlooking that, as I don't see that link you mention. Is TDS lab in the list of receivers?

Yes, it is.
Jooske

join:2002-05-19

Re: roimoi trojan?

I'm still blind, not seeing the submission link. Anyway, as BOClean seems to be the only one having it in their database (google doesn't show other av/at mentioning it in their detection/descriptions) submission seems not to have worked yet or does this nasty go with other aliases too?

sig
Premium
join:2001-05-05

Re: roimoi trojan?

On the main page of the security forum, look under the Dobermans to the "We like links", second line in red, between "this log follow these steps" and "Security FAQ."

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY

"ROIMOI" is the name of the "spyware" itself - the AV's generally don't cover these, and when they do, you have to go and set the AV to detect "jokes" or "programs" to set them into a mode to handle them. Most antitrojans do NOT cover these at all. I know TDS has it covered (though don't know what name they chose) since this particular one came in from a shared resource we both use WEEKS ago. It's been out for a WHILE now.

One of the biggest problems though is "name that nasty" and is further complicated by the antivirus industry. It's something all of us who work together have fought hard to no avail to convince others that uniform names would be a big help, but that's just not the way it's going (and it's getting worse) ... check this out:

»www.newsfactor.com/perl/story/15662.html

What WE do (as do most of us) is WE go with the name given to a nasty by its creators. This is to our opinion the most reasonable naming convention, especially in trying to compare trojans covered. In this case, "roimoi" is indeed the "official name" (check back to the graphic I posted and you can confirm) whereas some others have called it "Sidesearch" (particularly the anti-spyware folks who prefer to identify the company even if there are many from the same company) or "random" (the Av's call it "spyware.gen" for 'generic') and I've also seen one company just call it "roings" ...

As far as who I *know* has it covered though, that would be Kaspersky, TDS, (I *think* Norton covered it) and Spybot S&D. I don't know about anyone else. We had this covered in BOClean about an hour after roings.com first released it. But FWIW, this is considered "adware" by many and not a "backdoor", so many of the antitrojans just didn't bother to cover it. Our attitude here in the BOClean funny farm is that if it damages a system, hides, or is malicious, it gets covered. And a great deal of "hijackers" *are* trojans even if the technopurists dismiss them as "minor."

There are about 25 or so "variants" of roimoi floating around - they appear under many filenames, many different sizes, many different packings and very different registry GUIDs ...

Why are we doing what "Spybot" and "Ad-aware" are already doing for free? the spammers and scammers have been hiring up all the former trojan horse artists and paying them serious money - "adware" has the "talents" and techniques of the nastiest of the malware people behind them and it's getting worse. Same for all these "worms" ... the vast majority of them exist to put spam relays and "attack bots" onto the machines of the unsuspecting. CLASSIC trojans therefore to us.

But that's my story and I'm sticking to it.
--
Kevin McAleavey support@nsclean.com http://www.nsclean.com/

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

February has been a disaster thus far as the average volume of attack/scan traffic has doubled since the start of the month, and all indications are that it will continue to increase for the remainder of the month (I'm looking forward to February 26th as I'm betting we will see a 'DoomJuice' for Bagel.B, if not before then).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY


1 edit

Re: roimoi trojan?

If you include "spyware" in the collection (the MAJOR "growth industry" for ne'er-do-wells) I'd say the past three weeks have QUINTUPLED the number of absolute nasties floating around. And despite Microsoft's band-aids, it's getting worse by the day because people INSIST on allowing "scripting" and "activeX" in the "internet zone" because they're apparently too lazy to lock THAT down and move ONLY those few sites that are truly trustworthy ("your BANK") into the "trusted sites zone" to be permitted to use those. It's been nothing short of INSANE here.

An advantage for US at least is that well-chosen behavior patterns allow us the luxury of not having to reinvent the wheel every time a "new" variant is released by copycat cut-and-pasters ... and particularly on the browser hijack side of reality, it's been like shooting fish in a barrel. We have the spammers and scammers *so* honked off that our sites and mailboxes are getting attacked as well by the very same people who've been taking out the "anti-spyware" sites. Were it not for the dedicated people at our server farm, we'd be scrood as well since we're also "under attack" on a constant basis lately.

The internet has turned into a trailer park in a bad part of town. And the *LAW* is backing these @#$&$!@!#$%! up. They have a "constitutional right" to do this.

Join us in our next FTC involvement, and submit your own "hijacked" stories - MAYBE we can finally overrule the courts and stop this madness ...

»www.ftc.gov/opa/2004/02/spyware.htm

(edited to correct missing "trusted sites zone" reference)
Gavin_TH

join:2003-04-03
Australia

I can't be sure if it's covered. Can someone scan it or send a copy to me? I will check and post back if submit@diamondcs.com.au doesn't have one already. The only thing that rings a bell is that popuppers.com:

Registrant:
popuppers
box 3904
Fort Smith, Arkansas 72913
United States

Registered through: GoDaddy.com

The infamous GoDaddy.com strikes again.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY

Re: roimoi trojan?

"roings.com" ... I *know* you guys already have this one, from the same exchange ... emailed you a pair of samples again whilst BBR was down. I'm *sure* when you saw what I resent, it was "ho-hum" to ya.

But yes, everyone else decided to call it "ROIMOI" based on its author's name for the "gen" which would produce MORE "gumbo variations" ... did YOU guys choose another name?
--
Kevin McAleavey support@nsclean.com http://www.nsclean.com/

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
Gavin,

See: »www.tek-tips.com/viewthread.cfm?···9&page=1

Zupe
Premium,MVM
join:2001-11-29
New York, NY
clubs:
Roings.com is associated with spyware known as "JimmyLoader", is this something different or just an alternate name?

why am i anonymous

@167.1.x.x

Re: roimoi trojan?

It does seem that you have that virus. You must get rid of it as quickly as possible or it will disrupt your whole entire network. This must be done immediately.

Keep us posted on your condition

K McAleavey
Premium
join:2003-11-12
Voorheesville, NY

"Jimmyhelp" also ... yep, that's the one. The "Jimmylegs" are the FINAL result after a complete infection. And like CWS and LOP, they TOO have discovered "polymorphism" ... that's one of BOClean's "let's include this sucker" parameters ... add "stealth" and then kill firewalls, AV's and such, break through all the defenses and STILL manage to startup, "you're OURS!"

But yeah, those are just ONE of the s¢umbag$ we deal with in BOClean ... CWS and LOP are *far* worse, but "roings.com" is RIGHT up there with them. And getting worse daily as the assault on *ALL* of us who do "real-world trojans" as well as the "zoo trojans" mounts. Wonder why merijin and others are down? - only reason WE'RE still lit is by the grace of the HIGHLY talented folks who maintain our site for daily updates that our customers *PAY* for us to provide.

But "Jimmyloader" and "Jimmyhelp" are separate downloadings, ALSO covered in BOClean. If it's SNEAKY, and it'll get past your security settings and your firewall, it's *OURS* to have fun with a baseball bat with. That's WHAT we do.
--
Kevin McAleavey support@nsclean.com http://www.nsclean.com/

sig
Premium
join:2001-05-05


1 edit

Re: roimoi trojan?

I'm very glad BOClean and apparently TDS also are including this sort of thing in their defs. This sort of stuff is seriously noxious and not all AV's catch them. Meanwhile, as noted, the freeware antispyware app folks who provide an increasingly herculean public service are under attack and have limited resources to deal with that while at the same time continually tending and updating their products.

(Although that reminds me to check out the spywareinfo server saga to see who is the mysterious corporate sponsor that will assist at least on the hosting, site access side.)
Saturday, 05-Dec 01:35:07
© 1999-2009 dslreports.com.