Win32/RAMNIT.A Anyone?

Discussion in 'Virus Information' started by David Kaye, Jul 27, 2010.

  1. David Kaye

    RJK Guest

    An interesting comment, Richard.

    You say that you hold Mr Lipman "in the highest esteem". Tell me why! Do
    you know who he is and by whom he is employed?

    AFAICT - he's just another unknown entity posting on Usenet. You
    obviously trust his word - but how can others *really* know the truth?

    If he was a *real* professional, he'd check his spelling before he hit
    the send key! ;-)

    Regards,

    Dave

    I won't be drawn into this one too much ! ...other than to say,

    "AFAICT - he's just another unknown entity posting on Usenet," so what !
    I've always been impressed by my sixth sense, (modesty completely aside for
    a few seconds), and it's rarely ever proved me wrong.
    Regarding your other peculiar observations / questions :-
    Your perspective on the "the truth" seems to be a unique, (and abnormally
    persistent and unperceptive), point of view !
    "spelling" ....well, ...we all "typo" now and again, it's usually blatantly
    obvious what the intended letter or word was from the context, (context
    means "surrounding text" - in case you don't know what "context" means), and
    to negatively comment on other people's spelling, esp. when there is an
    obvious typo, is a bit pathetic to say the least.

    regards, Richard

    ps ...please don't waste any more breath on the topic, if you have
    sufficient intellect, you'll agree that your points have been fully
    addressed. Pursuance of my response would simply be indication that you
    simply cannot, or choose not to, understand what you're reading !
     
    RJK, Aug 6, 2010

  2. David Kaye

    John Slade Guest

    That's all well and good but this conversation was not
    just about malware. It started out when Dave said he was
    reluctant to disable system restore because he wanted to keep
    the restore points. Well that problem would be solved by a
    simple backup. I think he got a bit angry because he overlooked
    something simple. So many times people who are programmers or
    people who don't regularly work on on-site repairs tend to lose
    people skills and common sense skills. I've been doing repairs
    for about 25 years and made a good living doing so. I never
    needed to advertise because I got more business by word of mouth
    than I could handle.

    Since this thread started people have tried to change the
    subject when they lose an argument. That's how we wound up on
    soldering irons and leaking capacitors.

    John
     
    John Slade, Aug 6, 2010

  3. David Kaye

    John Slade Guest


    I could not have said it better myself.

    John
     
    John Slade, Aug 6, 2010
  4. David Kaye

    John Slade Guest

    Actually because a great number of people use a phrase for
    something other than its initial meaning, a word's meaning can
    change. Much of the English language has been formed this way.
    Look at the word "cool": it means more than just the temperature.
    In fact some things that are really "hot" these days can also be
    "cool".

    John
     
    John Slade, Aug 6, 2010
  5. David Kaye

    John Slade Guest

    And acid core capacitors are wet capacitors. Now let me
    ask you this. Would you repair a motherboard that has several
    bulging electrolytic capacitors rather than replace the
    motherboard? I'm still waiting for Dustin to tell me when was
    the last time he repaired a sound card and what it was.

    John
     
    John Slade, Aug 6, 2010
  6. From: "John Slade" <>

    | Actually because a great number of people use a phrase for
    | something other than its initial meaning, a word's meaning can
    | change. Much of the English language has been formed this way.
    | Look at the word "cool": it means more than just the temperature.
    | In fact some things that are really "hot" these days can also be
    | "cool".

    Jargon and colloquial speech are not proper English and are only for very informal
    conversations. Never on technical discussions.
     
    David H. Lipman, Aug 6, 2010
  7. From: "John Slade" <>

    | And acid core capacitors are wet capacitors. Now let me
    | ask you this. Would you repair a motherboard that has several
    | bulging electrolytic capacitors rather than replace the
    | motherboard? I'm still waiting for Dustin to tell me when was
    | the last time he repaired a sound card and what it was.

    I would consider such a circuit board to have compromised integrity and not worthy
    of repair, only replacement.
     
    David H. Lipman, Aug 6, 2010
  8. David Kaye

    John Slade Guest


    Now tell Dustin Cook that please. He doesn't seem to
    get that point.

    John
     
    John Slade, Aug 6, 2010
  9. From: "Wolf K" <>

    | On 06/08/2010 16:51, David H. Lipman wrote:
    | [...]
    | For every context there is a proper register (that's a technical term).
    | You violate it at your peril. But be careful: just because you're among
    | truckers doesn't mean you can talk like one. That is, truckers among
    | themselves is one context, truckers with you present is another.

    | "Good communicators" are skilled at adapting their speech and writing to
    | the context.

    I'll drink to that !
     
    David H. Lipman, Aug 6, 2010
  10. From: "John Slade" <>

    | Now tell Dustin Cook that please. He doesn't seem to
    | get that point.

    Dustin is still young and is still learning. Albeit he has come a long way :)

    Cheers Dustin.
     
    David H. Lipman, Aug 6, 2010
  11. From: "Wolf K" <>

    | A single malt and water, please.

    | ;-)

    Hold the water for me please.
     
    David H. Lipman, Aug 7, 2010
  12. David Kaye

    Dustin Guest

    IAWTP
     
    Dustin, Aug 8, 2010
  13. David Kaye

    Dustin Guest

    Dunno what to tell you about that. Perhaps they prefer to use technical
    terminology in a non technical way? Like, say, trojan being the same as
    virus...
    Well, I'm sure we all have at some point. Although, the problems are
    usually routine...
    Well, as I said, when the top is swollen and a grey powdery looking
    substance is all over it, it's a good clue. :)
    Well, I thought the fact I mentioned AT class for a bill or two was a
    clue about old times. :) You've been in the business a long time,
    right? I'm sure you remember the trusty AT class machines.
    We did onsite calls to home/business and some small industries here as
    well. If it required more than some software installation or a routine
    hardware repair, the box was taken back to the shop. We didn't do
    soldering work at the customers home. As you know, solder can be rather
    stinky stuff and it's not that good to be breathing. The shop was
    better suited due to the air system we had.
    AT/ATX class desktops and towers. IBM/PC and compatibles. We've worked
    on gateway, packard smells, compaq, hp, compaq after HP, emachines (god
    awful little computers, cheaply built and poor quality power supply
    units. In many cases, you would want to check the power supply power
    good line for an overload condition if you had to replace a bad
    mainboard, as the Bestec (google this too if you'd like) was bad for
    murdering the mainboards by stepping the current up from 3.3 to 5 volts
    and killing a power transistor or two. Emachines actually went so far
    as to send a little memo sheet when we signed up to do field service
    warranty work on their behalf: always check the power good line when
    replacing mainboard, as the power supply may have been at fault for the
    untimely death of the mainboard, and if you didn't check it, it would
    most likely just kill the new board emachine sent us to put in.

    Have you no experience first hand with that issue either?
    Oh for sure! Try replacing the main control chip on the primary board
    for an HP laserjet4000. :(
    It depends on what the computer is controlling. In a few cases, the
    machines were running cnc milling machines and/or lathes. We couldn't
    just swap the computer out and reload windows. Some weren't even
    running windows. :)
    Well, to be technical, and professional, replacing the component with
    another working one isn't really repairing the original component. :)
    It's like car mechanics to me when you say you repaired something, by
    replacing the bad part. Yes, the machine as a whole is repaired, but
    the part is still in the same condition.

    The last soundcard I actually fixed was an AudigyFX. Creative wouldn't
    warranty the card, so I took a chance on it and replaced a bad resistor
    (It was visibly burnt). Soundcard's been fine ever since.

    if you have the latest and greatest hardware and the customer doesn't
    care, sure replace away... But, if you have to keep the machine running
    with the hardware it has for some odd reason (In this case, it's a
    digital recording studio and some of the software was custom written
    for that specific card), I had no other real option. I knew the cards
    problem was the resistor. Honestly, I spent more in gas driving to get
    the right one than I did on the part. :)
    I understand that, but in my case; we would have been one of the
    companies (if you couldn't get the original manufacturer) that you'd
    pass the hard stuff off to. :)
     
    Dustin, Aug 8, 2010
  14. David Kaye

    Dustin Guest

    That's because I have a strong background in electronics, John. And in
    some cases, integrity can be verified via a thorough and rigorous
    system burn in. You can stress test a system after doing such a repair
    to make sure she's going to keep running, or you can just replace the
    whole board if you're unsure of the board or your ability to properly
    replace the caps.

    Either way you wish to do it, it can be done.
     
    Dustin, Aug 8, 2010
  15. David Kaye

    Dustin Guest

    I'm not trying to nitpick you John. You said you were a professional, I
    thought you might like to use the correct terminology. For something to
    be called a virus, it must replicate on purpose. Trojans don't do that.
    It's not being anal, John, it's being technically correct; which is
    important as a professional.
    I'm not bent out of shape John, apologies if I came across that way.
    A manager I once had was like that. I stood back and watched him burn
    up 3 brand new mainboards right off the shelf, before he bothered to
    check the voltage levels of the power supply. I only suggested as a
    lowly employee at the time when the first one blew a couple of caps
    right off of it that he might want to check the power supply. As he was
    "manager" and been there longer than me, he dismissed the advice and
    wasted two more boards he didn't need to kill. The power supply was
    putting out just under 38 volts on the 12-volt rail. I'm sure you can
    imagine the effects on a new board when he'd try to power them on. :)
     
    Dustin, Aug 8, 2010
  16. David Kaye

    kentotomato

    Joined:
    Aug 8, 2010
    Messages:
    1
    Likes Received:
    0
    Hello, I hope I'm not interrupting too much but I had a few enquiries about the RAMNIT and was hoping someone here could help me out.

    It looks like I was quite successful in disinfecting all the .html/.htm files using the 'search and delete' option (deleting the script lines at the bottom) in PowerGREP, but I'm having a little problem with the .exe files.

    Using CFF Explorer from NTools, I can remove the .rmnet header and data. But comparing across with a clean copy of the file (using a hex editor), I see there are two or three differences.
    1. Entrypoint. I'm led to believe that this can be retrieved, but I'm not quite sure how. I've looked at a site that has some information about Virut and tried using Ollydbg, but I guess I'm not good enough to figure it all out by myself.
    2. RawSize of the 'previous' section sometimes changes when I delete the .rmnet header on CFF (and it's different from that of the clean file). I'm not quite sure why, but is it of any importance?
    3. SizeOfImage (under Optional Header) is occasionally different from that of the clean file. Is this of any importance?

    On a different note, I see that explorersrv.exe is often created under C:\Windows. Any ideas why? As far as I know (and I deduce from Ant's analysis) Explorer.exe isn't infected, so I just don't understand why explorersrv is created every once in a while. Just for the reference, I've successfully deleted desktoplayer.exe and the two dat files, as well as an .inf file in C:\Windows\inf, and modified the userinit value. After a few restarts, the virus isn't active, but is still 'dormant' in many of the infected .exe and .dll files.

    Thanks in advance :)
     
    kentotomato, Aug 8, 2010
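The three header fields kentotomato lists (AddressOfEntryPoint, each section's RawSize, SizeOfImage) can be read and cross-checked directly. The Python below is an added example, not code from this thread or from CFF Explorer, PowerGREP or any tool named here; the PE headers it builds are constructed inline (no real code or malware bytes), with one trailing section named after the one the post mentions, and then the same headers with that section dropped but SizeOfImage left untouched, which is exactly the point-3 mismatch against a clean copy.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Read the header fields the thread discusses; offsets hold for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20                                              # optional header
    table = opt + struct.unpack_from("<H", data, coff + 16)[0]   # section table
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                     "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return {"entry": entry, "sec_align": sec_align, "file_align": file_align,
            "size_of_image": size_of_image, "sections": secs}

def audit_headers(pe):
    """Consistency checks a cleaned file should pass once the appended section is gone."""
    secs, last, a = pe["sections"], pe["sections"][-1], pe["sec_align"]
    holder = next((s["name"] for s in secs
                   if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    expected = (last["va"] + last["vsize"] + a - 1) // a * a     # rounded up to SectionAlignment
    return {"entry_section": holder,                             # section holding the entry point
            "size_of_image_ok": pe["size_of_image"] == expected,
            "expected_size_of_image": expected,
            "raw_sizes_aligned": all(s["rawsize"] % pe["file_align"] == 0 for s in secs)}

def build_sample_pe(sections, entry, size_of_image):
    """Constructed PE32 headers only (no code); sections = (name, vsize, va, rawsize, rawptr)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)             # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                       # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack(SECTION_FMT, *s, 0, 0, 0, 0, 0x60000020) for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

BASE = [(b".text", 0x1000, 0x1000, 0x1000, 0x400), (b".data", 0x200, 0x2000, 0x200, 0x1400)]
# Constructed pair: a trailing section that holds the entry point, and the same file with
# that section's header removed but SizeOfImage left at its old value.
INFECTED = build_sample_pe(BASE + [(b".rmnet", 0xE00, 0x3000, 0xE00, 0x1600)], 0x3010, 0x4000)
STRIPPED = build_sample_pe(BASE, 0x1200, 0x4000)
```

For the stripped headers the audit reports SizeOfImage as stale (expected 0x3000, still 0x4000), and an entry point that no section covers shows up as `None`; the original entry-point value itself is not something the headers alone can give back.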
  17. David Kaye

    Peter Foldes Guest

    I do. It has been there for a while

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    http://www.microsoft.com/protect
     
    Peter Foldes, Aug 8, 2010
  18. [...]
    Yep, blasting caps.

    (not acid core - whatever that means)

    One time on a high power HF transmitter IPA stage, a tube shorted and
    apparently put plate voltage on the control grid. Several capacitors
    "blew" and spread foil and paper all over the unit. Really, it went off
    like a barrel bomb.
     
    FromTheRafters, Aug 8, 2010
  19. Yes, PCButts knows.
     
    FromTheRafters, Aug 8, 2010
  20. David Kaye

    David Kaye Guest

    Given that you're talking about radio transmitters I'm surprised -- SHOCKED I
    tell you -- that you don't know the reference. Acid core refers to acid core
    solder, which is the kind used on pipes. Techs are not supposed to use acid
    core on electronic circuits (it often voids the warranty on components) but
    are supposed to use rosin core solder instead.

    That's Rule #1 in electronic tech....

    Well, that and the notion that "black boys rape our young girls, but violet
    gives willingly..." an unfortunately racist statement, but something else that
    first-time electronic techs learn.
     
    David Kaye, Aug 9, 2010