anti malware malware

Discussion in 'Anti-Virus' started by Big Will, Feb 13, 2004.

  1. Big Will

    Big Will Guest

    Well, somebody suggested earlier in this newsgroup that someone ought to
    create a worm that would uninstall mydoom. Well, it's happening.
    First, there was doomjuice. Now I'm reading on Symantec's website about
    Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
    to an infected computer, then disinfect the MyDoom virus. WTF. Can't
    the VX-ers come up with something a little more original than this.

    --
    William

    If it don't work, hit it.
    If it still doesn't work, kick it.
    If it works after hitting it and kicking it, then it doesn't matter if
    hitting it or kicking it helped, what's important is it worked.
     
    Big Will, Feb 13, 2004
    #1

  2.

    sam1967 Guest

    it surely isn't VX-ers behind these "White Worms" now, is it?
     
    sam1967, Feb 13, 2004
    #2

  3.

    kurt wismer Guest

    sure it is... who did you think was behind it?
     
    kurt wismer, Feb 13, 2004
    #3
  4.

    Markus Zingg Guest

    > Well, somebody suggested earlier in this newsgroup that someone ought to

    Was probably me "earlier in this newsgroup", but the idea is not so
    new really.
    Honestly, as long as those specific worms don't spread by e-mail I
    care not too much. Of course provided this does not lead to attacking
    machines which are not already infected! And, provided one is lucky
    enough to be caught by a "white" worm, would that not still be better
    than if those machines get to know Doomjuice?

    I fully agree though that people should run AV software on their
    machines and otherwise take care not to get caught by malware. Still,
    there is the fact that there are thousands upon thousands of machines out
    there now with an open backdoor - thanks to MyDoom.A.

    It's obvious that many people will try to abuse all those machines.
    Not really too surprising - whether we like it or not.

    Markus
     
    Markus Zingg, Feb 13, 2004
    #4
  5.

    sam1967 Guest

    it makes no logical sense for them to download m$ patches to the
    infected machines and remove all traces of MyDoom, does it?
    who is behind it? god knows?
     
    sam1967, Feb 13, 2004
    #5
  6.

    kurt wismer Guest

    > it makes no logical sense for them to download m$ patches to the
    > infected machines and remove all traces of MyDoom does it ?

    patches? what patches? mydoom doesn't use any bugs in windows, there
    are no patches...

    does it make sense for the vx to make a worm or virus that disinfects
    mydoom? sure it does... some vx'ers compete with each other, some have
    rivalries, and some think they can make 'good' viruses and/or worms...
    it's happened in the past, it will most likely happen again in the
    future...

    also, don't assume people (vx'ers included) always behave in a
    'logical' manner...
     
    kurt wismer, Feb 13, 2004
    #6
  7.

    sam1967 Guest

    i was referring to Nachia-B (Welchia-B) which makes use of the various
    RPC bugs to propagate and once propagated downloads patches to the
    computer (only English, Korean and Chinese - not Japanese) and applies
    them.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html

    Downloads one of the following patches from Microsoft's Windows Update
    Web site, if the version of the operating system of the infected
    machine is Chinese, Korean, or English:

    download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
    download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
    download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
    download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
    download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
    download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

    Installs the patch, and then restarts the computer.
     
    sam1967, Feb 13, 2004
    #7
  8.

    kurt wismer Guest

    > i was referring to Nachia-B (Welchia-B) which makes use of the various
    > RPC bugs to propagate and once propagated downloads patches to the
    > computer (only English, Korean and Chinese - not Japanese) and applies
    > them.

    ok, but those patches have nothing to do with mydoom (the only thing
    mydoom exploits is user gullibility and there's no patch for that)...
    nor do they have anything to do with the security holes that welchia.b
    itself exploits... i have no idea why the worm applies the patches it
    does, but i see no reason to believe that it was the work of anyone
    outside of the vx...
     
    kurt wismer, Feb 13, 2004
    #8
  9.

    sam1967 Guest

    true. but welchia-b (nachia-b) cleans up mydoom from infected
    computers and applies the microsoft patches listed above.
    that is pretty strange behaviour for vx-ers, no?

    lol.
     
    sam1967, Feb 13, 2004
    #9
  10.

    kurt wismer Guest

    no... like i said, it's been done before and it will probably be done
    again... anti-virus viruses have been around for more than 10 years...
    it's not new or strange, it's just infrequent...
     
    kurt wismer, Feb 13, 2004
    #10
  11.

    Adrian_S Guest

    Well, let's see, who would benefit from the mydoom worms being knocked
    out so that they can no longer bombard SCO and Microsoft web sites?

    Beats me.
     
    Adrian_S, Feb 14, 2004
    #11