  sig Premium join:2001-05-05
1 edit | reply to K McAleavey Re: roimoi trojan?
I'm very glad BOClean and apparently TDS also are including this sort of thing in their defs. This sort of stuff is seriously noxious and not all AV's catch them. Meanwhile, as noted, the freeware antispyware app folks who provide an increasingly herculean public service are under attack and have limited resources to deal with that while at the same time continually tending and updating their products.
(Although that reminds me to check out the spywareinfo server saga to see who is the mysterious corporate sponsor that will assist at least on the hosting, site access side.) |
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
| reply to Zupe "Jimmyhelp" also ... yep, that's the one. The "Jimmylegs" are the FINAL result after a complete infection. And like CWS and LOP, they TOO have discovered "polymorphism" ... that's one of BOClean's "let's include this sucker" parameters ... add "stealth" and then kill firewalls, AV's and such, break through all the defenses and STILL manage to startup, "you're OURS!" 
But yeah, those are just ONE of the s¢umbag$ we deal with in BOClean ... CWS and LOP are *far* worse, but "roings.com" is RIGHT up there with them. And getting worse daily as the assault on *ALL* of us who do "real-world trojans" as well as the "zoo trojans" mounts. Wonder why Merijn and others are down? - only reason WE'RE still lit is by the grace of the HIGHLY talented folks who maintain our site for daily updates that our customers *PAY* for us to provide.
But "Jimmyloader" and "Jimmyhelp" are separate downloadings, ALSO covered in BOClean. If it's SNEAKY, and it'll get past your security settings and your firewall, it's *OURS* to have fun with a baseball bat with. That's WHAT we do.  -- Kevin McAleavey support@nsclean.com »www.nsclean.com/ |
|
  why am i anonymous
@167.1.x.x | reply to Zupe It does seem that you have that virus. You must get rid of it as quick as possible or it will disrupt your whole entire network. This must be done immediately.
Keep us posted on your condition |
|
  Zupe Premium,MVM join:2001-11-29 New York, NY clubs: | reply to bcastner Roings.com is associated with spyware known as "JimmyLoader", is this something different or just an alternate name? |
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
| reply to Gavin_TH "roings.com" ... I *know* you guys already have this one, from the same exchange ... emailed you a pair of samples again whilst BBR was down. I'm *sure* when you saw what I resent, it was "ho-hum" to ya. 
But yes, everyone else decided to call it "ROIMOI" based on its author's name for the "gen" which would produce MORE "gumbo variations" ... did YOU guys choose another name? -- Kevin McAleavey support@nsclean.com »www.nsclean.com/ |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | reply to bcastner Gavin,
See: »www.tek-tips.com/viewthread.cfm?···9&page=1 |
|
 Gavin_TH
join:2003-04-03 Australia
| reply to bcastner I can't be sure if it's covered.. can someone scan it or send a copy to me? I will check and post back if submit@diamondcs.com.au doesn't have one already. The only thing that rings a bell is that popuppers.com:
Registrant: popuppers box 3904 Fort Smith, Arkansas 72913 United States
Registered through: GoDaddy.com
The infamous GoDaddy.com strikes again. -- Gavin Coe DiamondCS Analyst »www.diamondcs.com.au
|
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
1 edit | reply to Link Logger If you include "spyware" in the collection (the MAJOR "growth industry" for ne'er-do-wells) I'd say the past three weeks have QUINTUPLED the number of absolute nasties floating around. And despite Microsoft's band-aids, it's getting worse by the day because people INSIST on allowing "scripting" and "activeX" in the "internet zone" because they're apparently too lazy to lock THAT down and move ONLY those few sites that are truly trustworthy ("your BANK") into the "trusted sites zone" to be permitted to use those. It's been nothing short of INSANE here.
An advantage for US at least is that well-chosen behavior patterns allow us the luxury of not having to reinvent the wheel every time a "new" variant is released by copycat cut-and-pasters ... and particularly on the browser hijack side of reality, it's been like shooting fish in a barrel. We have the spammers and scammers *so* honked off that our sites and mailboxes are getting attacked as well by the very same people who've been taking out the "anti-spyware" sites. Were it not for the dedicated people at our server farm, we'd be scrood as well since we're also "under attack" on a constant basis lately.
The internet has turned into a trailer park in a bad part of town. And the *LAW* is backing these @#$&$!@!#$%! up. They have a "constitutional right" to do this. 
Join us in our next FTC involvement, and submit your own "hijacked" stories - MAYBE we can finally overrule the courts and stop this madness ...
»www.ftc.gov/opa/2004/02/spyware.htm
(edited to correct missing "trusted sites zone" reference) |
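The zone lockdown Kevin describes above (scripting and ActiveX disabled in the Internet zone, only a handful of sites promoted to Trusted Sites) as an added PowerShell illustration, not code from the thread or from NSClean. It writes the per-user IE zone settings under HKCU; the URL-action IDs (1001, 1004, 1200, 1400) and the Enable/Prompt/Disable values (0/1/3) are the documented Internet Settings\Zones values, and the Trusted Sites entry "bank.example" is an assumed placeholder domain:

```powershell
# Added example, not from the original post. Zone 3 = Internet, Zone 2 = Trusted Sites.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zones    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internet = Join-Path $zones '3'

# Internet zone: disable ActiveX download/run and Active scripting.
$lockdown = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
foreach ($id in $lockdown.Keys) {
    Set-ItemProperty -Path $internet -Name $id -Type DWord -Value 3
}

# Trusted Sites: add ONE site, HTTPS only (bank.example is an assumed placeholder).
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$site    = Join-Path $domains 'bank.example'
New-Item -Path $site -Force | Out-Null
Set-ItemProperty -Path $site -Name 'https' -Type DWord -Value 2   # 2 = Trusted Sites zone

# Read back and verify: every locked-down action must now be 3 (Disable).
foreach ($id in $lockdown.Keys) {
    $v = (Get-ItemProperty -Path $internet -Name $id).$id
    if ($v -eq 3) {
        "{0} ({1}): Disabled" -f $id, $lockdown[$id]
    } else {
        "{0} ({1}): NOT disabled (value {2})" -f $id, $lockdown[$id], $v
    }
}
```

Two caveats a practitioner would want: the Trusted Sites zone is itself permissive (scripting and ActiveX enabled by default), so everything promoted into it gets exactly the privileges being removed from the Internet zone, which is why the post says to move ONLY the few sites that truly need them; and an HKLM policy (Group Policy or "Security Zones: Use only machine settings") overrides these HKCU values, so the read-back loop is the check that the setting actually took effect on the machine in front of you.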
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
| reply to Jooske "ROIMOI" is the name of the "spyware" itself - the AV's generally don't cover these, and when they do, you have to go and set the AV to detect "jokes" or "programs" to set them into a mode to handle them. Most antitrojans do NOT cover these at all. I know TDS has it covered (though don't know what name they chose) since this particular one came in from a shared resource we both use WEEKS ago. It's been out for a WHILE now.
One of the biggest problems though is "name that nasty" and is further complicated by the antivirus industry. It's something all of us who work together have fought hard to no avail to convince others that uniform names would be a big help, but that's just not the way it's going (and it's getting worse) ... check this out:
»www.newsfactor.com/perl/story/15662.html
What WE do (as do most of us) is WE go with the name given to a nasty by its creators. This is in our opinion the most reasonable naming convention, especially in trying to compare trojans covered. In this case, "roimoi" is indeed the "official name" (check back to the graphic I posted and you can confirm) whereas some others have called it "Sidesearch" (particularly the anti-spyware folks who prefer to identify the company even if there are many from the same company) or "random" (the AVs call it "spyware.gen" for 'generic') and I've also seen one company just call it "roings" ...
As far as who I *know* has it covered though, that would be Kaspersky, TDS, (I *think* Norton covered it) and Spybot S&D. I don't know about anyone else. We had this covered in BOClean about an hour after roings.com first released it. But FWIW, this is considered "adware" by many and not a "backdoor" so many of the antitrojans just didn't bother to cover it. Our attitude here in the BOClean funny farm is that if it damages a system, hides, or is malicious, it gets covered. And a great deal of "hijackers" *are* trojans even if the technopurists dismiss them as "minor."
There are about 25 or so "variants" of roimoi floating around - they appear under many filenames, many different sizes, many different packings and very different registry GUIDs ...
Why are we doing what "Spybot" and "Ad-aware" are already doing for free? the spammers and scammers have been hiring up all the former trojan horse artists and paying them serious money - "adware" has the "talents" and techniques of the nastiest of the malware people behind them and it's getting worse. Same for all these "worms" ... the vast majority of them exist to put spam relays and "attack bots" onto the machines of the unsuspecting. CLASSIC trojans therefore to us.
But that's my story and I'm sticking to it.  -- Kevin McAleavey support@nsclean.com »www.nsclean.com/ |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to K McAleavey February has been a disaster thus far as the average volume of attack/scan traffic has doubled since the start of the month, and all indications are that it will continue to increase for the remainder of the month (I'm looking forward to February 26th as I'm betting we will see a 'DoomJuice' for Bagle.B, if not before then).
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  sig Premium join:2001-05-05 | reply to Jooske On the main page of the security forum, look under the Dobermans to the "We like links", second line in red, between "this log follow these steps" and "Security FAQ." |
|
 Jooske
join:2002-05-19
| reply to sig I'm still blind, not seeing the submission link. Anyway, as BOClean seems to be the only one having it in their database (google doesn't show other av/at mentioning it in their detection/descriptions) submission seems not to have worked yet or does this nasty go with other aliases too? |
|
  sig Premium join:2001-05-05
| reply to Jooske said by Jooske : Must be overlooking that, as i don't see that link you mention. Is TDS lab in the list of receivers?
Yes, it is. |
|
 Jooske
join:2002-05-19 | reply to Sparrow Must be overlooking that, as i don't see that link you mention. Is TDS lab in the list of receivers? |
|
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand | reply to Jooske There is also a direct e-mail link at the top of this forum to send malware samples to the vendors.  Submit Suspected Malware |
|
 Jooske
join:2002-05-19
| reply to K McAleavey Think it's clear enough the AT vendors are working really hard and willing to share samples among them all to keep the internet clean. Stories like releasing nasties themselves should be put aside immediately as the top notch software does not need such cheap tricks and it would put an even heavier load on cleaning out the users. Gavin (DCS) reminded us the other day to please send samples all the time of anything you find or that looks suspicious to you, better many doubles than one missed and a system damaged. (submit@diamondcs.com.au) |
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
1 edit | reply to gkweb Thanks for the kind words. Unfortunately, we've got WAY too many nasties to deal with (the past few weeks have been INSANE) and since we do spyware, worms, rootkits and many things in addition to backdoors, I haven't had time to exhale lately, much less visit the groups.
I can say this though, ALL of the newsgroups where this is apparently showing up (the "24hoursupport.helpdesk" in particular) are all the hangouts of a specific antitrojan vendor who is well known here - only difference is this time it's our turn to be "marketed against" by this ... "Evidence Eliminator" class competitor.
Anyone who DOES have some time is welcome to copy the picture I posted and the origin of this "trojan" (roings.com) over there if they're so inclined.
Samples of ROIMOI and other roings.com nasties have already been made available to our sharing group - any other "experts" can have a sample as well if they don't already have this one. -- Kevin McAleavey support@nsclean.com »www.nsclean.com/ |
|
  gkweb
join:2003-06-09 76800 | reply to bcastner Don't care Kevin, everyone knows that BOClean is a good product and that you are honest and dedicated to your task. |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to bcastner John2g,
I do not doubt that the discussion so far is less than flattering, and I also do not doubt it is unfair. The problem is real, the source as being from NSClean is ridiculous. But this is what is being said, and the company should do something in response to the multiple Newsgroup postings.
To Schouw, I think you should get the .DLL very soon. At least it was promised that it would be sent to the address you provided in your IM.
Bill Castner |
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
| reply to bcastner
 screenshot of ROIMOI's code |
It would appear as though this is yet another marketing ploy by an anti-trojan that "ONLY covers back doors" and markets by bashing any and all competition rather than fixing their own product. I wish I could say I was surprised, but I suppose it's OUR turn in the barrel this week instead of TDS. 
The SCOOP - "ROIMOI" is "spyware" from an organization known as ROINGS.COM, found in many "freeware" items such as eDonkey and others, and also installed by "drive-by" websites.
The name "ROIMOI" was given to this particular item by the anti-spyware exchange, and is detected by a number of products including Norton antivirus. It is an executable "handler" which updates the BHO's and other hijackers and all of these are randomly named entities. It can bring a machine to its knees.
Samples of the "roings.com" hijackers have been provided far and wide to all in the anti-malware business, and the origin of this absolute nonsense would have known about this if they covered ALL trojans and not just a handful. 
Sorry folks, but aren't we ALL getting tired of one particular vendor whose sole function seems to be the bashing of everybody else?  -- Kevin McAleavey support@nsclean.com »www.nsclean.com/ |
|