B00ze/Empire wrote in
news:m2ufiq$od7$1@dont-email.me:
> On 2014-10-30 15:23, Dustin wrote:
>
>> Dustin wrote in
>> news:XnsA3D682CC1C8A0C9X238BHEUFHHI5RJ791@192.254.233.145:
>>> B00ze/Empire wrote in
>>>
>>>> So HOW do you remove it? If I recall, RegEdit will not let you
>>>> delete the key, so what's the trick? Please tell :-)
>>>
>>> Hehehehe.. It's piss easy. First, stop explorer.exe, then
>>> terminate all dllhost processes. Make sure you leave yourself a
>>> console prompt and have sysinternals regdelnull utility. :)
>>>
>>> Remove the registry keys that you can with regedit, finish up by
>>> running the utility I mentioned above on ALL the system hives.
>>
>> Just so you know, I left out one detail, so I can ask virusguy
>> about it later if he chimes in trying to take credit for what I
>> told you to remove the beastie. I'd asked him days ago if he knew
>> how. I know he doesn't, and I know as long as I skip certain
>> things, I can determine if he's figured it out on his own, or is
>> going by what I wrote.
>>
>> Also, while regedit won't let you do certain things with the
>> registry; the API itself as well as other apps certainly will.
>> The null character issue as well as the extended ascii characters
>> are a regedit.exe issue only. Blame typical MS programmers. The
>> same people who told filemanager that directories don't exist if
>> they're using extended ascii in their filenames are the people I
>> suspect wrote regedit with the silly limits it has.
>>
>> The malware itself is probably one of the easiest ones I've dealt
>> with in years. Even though it has no actual file based home. it's
>> very easy to remove and is not very well protected at all. One
>> might even say because of the way it's loading into the system,
>> it's extremely vulnerable.
>
> Thanks! I got RegDelNull downloaded :-) What's amazing is that
> Windows can actually execute registry keys, it boggles the mind.
> What the hell were they thinking; Microsoft sometimes...
It's not executing a registry key, per se. The program decodes
itself from javascript back to its real executable self and makes a
standard API call to run from memory there. Now, this will make you
wonder what they were thinking: The very POC (which is what this
actually was) was discussed on IRC #virus nearly 17 years or so ago;
MS has known this could happen for nearly two decades. AV was
informed of this, nearly two decades ago. NOBODY from MS or the AV
companies took myself or my fellow VX associates seriously.
Now, they don't have any choice in the matter. They can't deny it's
possible anymore. Someone had enough of their bull####. They wrote
and released a demonstration of it. This is one of those cases where
full disclosure is being used, because other methods of making this
issue known had failed. Full disclosure being a viable, ITW sample;
demonstrating that it works.
Good thing this particular sample isn't actually viral and is only
trying to steal some time from your browser. It could have been
written to do some serious damage and know, at least for a while, no
automated AV/AM tool would be hunting for it. As it is, any AV/AM
tool that can scan for it, HAS BEEN RETOOLED to do it. I.e., additional
code was added to their engines, not just a definitions update, in
order for them to detect and deal with this.
It's worth stating now for the public record that during my days as
an active VXer, I did reach out several times to various companies,
including MS, trying to explain that I'd discovered something they
shouldn't allow to happen. They would ignore me. So, I'd release a
virus doing what I previously warned them could be done. Not so easy
to ignore me then. :) Or your customers that you falsely said were
safe and wouldn't be affected.
I wrote the toadie virus to demonstrate a serious security issue I
felt Pegasus email client had. I'd already tried contacting its
author several months before the first toadie made it itw. The author
blew me off with the sorry ass excuse: NO virus exploits my software,
I'm not worried about this 'what if' scenario you've presented me.
'What if' scenario, is it? Well, let's see about that. Now, if you
google toadie, pegasus is stuck with the association; they HAD TO fix
the program. They WOULD NOT have fixed it, had Toadie not existed.
I wrote the anticheck virus to demonstrate several flaws with the
program known as Chekmate (a snake oil program, imo). I chatted with
its author on usenet (alt.comp.virus) for some time. He got upset to
the point where he thought publishing my real name would shut me up.
:) He even resorted to lame trickery to acquire my real name. He
denied he got the file I sent him, twice. He claimed he wouldn't
download it from my website and until he'd seen it, he stated his
program was safe from it and I was blowing smoke up people's asses.
In my haste to prove him wrong, I resorted to using an ISP email
account (it didn't bounce either time, so I know he lied when he
claimed he didn't get the first one, he did. He just wanted to confirm
the address and the name associated with it, instead of fixing his
lame ass program). He fingered the account to learn my name and
published it, trying to get me to leave his sorry ass program alone.
He's since gone totally out of business (His program wasn't freeware)
and I'm *still here* heheh.
I know this because it took several posts with him addressing me by
first name and avoiding my questions. He pulled the same stunt BD did
a few years back with the google streetmap view of what he thought
was my house. I don't bow to intimidation. If anything, you give me
the green light to have some fun with you when you try that ####.
When he finally realized the demo virus I'd written did actually
evade his program, he made some changes to his software and published
my full name in his announcement. The changes he made weren't enough
to stop me, though. I could have easily modified the demo to deal
with his primitive changes, but the damage was already done for him.
I'd already proven with viable code you didn't have to take my word
for it, you could see the result for yourself. His program vs my demo
virus. His program LOST. Demo virus infected it, successfully; his
program didn't notice it was infected, as I told him it wouldn't.
There was no need for all the back and forth. Prior to writing the
damn demo virus, I outlined how to attack his program right in
alt.comp.virus.
He went with the deny deny deny method of PR. Like a ####ing
politician. Once the demo was made available and he confirmed it did
what I said it would, out came my first and last name in one of his
replies when he announced the security improvements he'd made but
didn't give me credit for letting him know about; what a prick eh?
I also did this with a person known as Zvi Netiv, creator of the
snake oil program known as Invircible. He claimed it could
detect/prevent and reverse infections even by unknown viruses. He and
I went back and forth about this for quite some time. I even published
demo source in ASIC no less showing how to read his 'checksum' files
and fix them; so if you modified a file, invircible wouldn't notice
it. [g] That REALLY pissed him off. He threatened to sue me for
unauthorized reverse engineering. LOL!
Hell, my program read his checksum files quite well; it could tell
you what filenames were stored in it, and what their information
was when the 'capture' was taken. The entire algorithm was laid out
for the world to see. So, a vxer could easily infect a file he/she
knows is 'checksummed' and then modify the invircible data file to
reflect the changes. The result; invircible thought everything was
okay. [g]
I was NOT the first person to reverse engineer his snake oil program.
Another AVer did it before me, and their dissection was a bit more
thorough than mine. They pulled out all the stops, I focused on
specific functions. They published their detailed findings too. Very
thorough work. They got tired of his bull#### claims concerning his
product's abilities, too.
I didn't stop there though. I told him that his product would not
only fail to detect me or changes I might make, it'll fail to remove
me with his 'cure all' too. He wasn't saving enough information about
the files' original state and my virus was a prepender, something his
software was really ill equipped to handle. I went on to tell him
that my virus could actually infect his software and ride along it,
infecting a machine as it pleased and he would not only be a carrier,
but he wouldn't be aware he was carrying me. :-)
He denied all of that too. This caught the attention of a reporter.
That was very bad for him. The reporter took a sample of my krile
virus and several types of viruses and tested them against
Invircible. The result? Invircible was determined to be something you
should avoid. I've still got a complete copy of the article, I'd be
happy to post it if you'd like to read it for nostalgic purposes.
Zvi even went so far as to claim that Krile was a destructive
overwriter and that's why he couldn't clean files infected with it.
Well, the problem is, overwriting viruses destroy their host during
the infection process; there's no going back. The original program
will never run. You'll *know* something is wrong after you try to run
it the first time. Programs infected by krile would still run,
although they would spread the virus to more programs.
His program's self-check functions all failed to detect changes,
because my virus would clean itself from the host prior to executing
it, and put itself back when the host process(s) all terminated. It
was sitting in memory watching and waiting, like a good little virus,
minding its manners. [g]
You'd think prepender would have told him and others that, but they
didn't listen.
--
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
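The thread's point about the null-character keys (regedit.exe treats key names as NUL-terminated strings, while the registry API itself does not) can be checked from the defender's side. The script below is an added example written for this page; it is not code from the thread, from RegDelNull, or from the malware discussed. It parses the KEY_BASIC_INFORMATION structure that the native NtEnumerateKey call returns, which carries an explicit byte length for the name, so a key name with an embedded NUL is seen in full instead of truncated. The NT API constants and structure layouts are the documented ones; the function names (parse_key_basic_information, find_nul_subkeys, make_sample_buffer, printable) and the sample key name "Run\x00hidden" are my own constructions. The live enumeration only works on Windows; the parser is demonstrated on a constructed buffer so the logic can be followed anywhere.

```python
"""Added example (not from the original thread): find registry subkeys
whose names contain an embedded NUL, via ntdll's native key API.

Win32 RegEnumKey/RegDeleteKey and regedit.exe treat key names as
NUL-terminated strings, so a key whose counted name contains U+0000 is
shown truncated and cannot be deleted by them. NtEnumerateKey returns a
KEY_BASIC_INFORMATION record with an explicit NameLength, so the whole
name, NUL included, is visible to this scanner.
"""
import struct
import sys

KEY_BASIC_INFORMATION = 0        # KEY_INFORMATION_CLASS value
KEY_READ = 0x20019               # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A
HEADER_FMT = "<qLL"              # LastWriteTime, TitleIndex, NameLength (in bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes before the UTF-16LE name


def parse_key_basic_information(buf: bytes) -> str:
    """Decode the subkey name from a raw KEY_BASIC_INFORMATION buffer.
    NameLength is a byte count, not a terminator, so embedded NULs survive."""
    _last_write, _title_index, name_len = struct.unpack_from(HEADER_FMT, buf, 0)
    return buf[HEADER_LEN:HEADER_LEN + name_len].decode("utf-16-le")


def make_sample_buffer(name: str) -> bytes:
    """Build a constructed KEY_BASIC_INFORMATION buffer for offline testing."""
    encoded = name.encode("utf-16-le")
    return struct.pack(HEADER_FMT, 0, 0, len(encoded)) + encoded


def has_embedded_nul(name: str) -> bool:
    """True if the key name contains U+0000 anywhere (what RegDelNull hunts for)."""
    return "\x00" in name


def printable(name: str) -> str:
    """Escape NUL and other non-printables so a finding can be logged without
    the NUL silently truncating the line in C-string based tooling."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else "\\u%04x" % ord(c) for c in name)


def find_nul_subkeys(nt_path: str) -> list:
    """Enumerate the direct subkeys of an NT-style registry path such as
    r"\\Registry\\Machine\\Software" and return the names containing a NUL.
    Windows only: it calls ntdll directly and nothing is mocked."""
    if sys.platform != "win32":
        raise OSError("find_nul_subkeys needs ntdll.dll (Windows only)")
    import ctypes

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ushort),
                    ("MaximumLength", ctypes.c_ushort),
                    ("Buffer", ctypes.c_void_p)]

    class OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ulong),
                    ("RootDirectory", ctypes.c_void_p),
                    ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                    ("Attributes", ctypes.c_ulong),
                    ("SecurityDescriptor", ctypes.c_void_p),
                    ("SecurityQualityOfService", ctypes.c_void_p)]

    ntdll = ctypes.WinDLL("ntdll")
    path_buf = ctypes.create_unicode_buffer(nt_path)
    ustr = UNICODE_STRING(len(nt_path) * 2, (len(nt_path) + 1) * 2,
                          ctypes.addressof(path_buf))
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(ustr), OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs))
    if status != 0:
        raise OSError("NtOpenKey failed: 0x%08X" % (status & 0xFFFFFFFF))

    findings = []
    buf = ctypes.create_string_buffer(HEADER_LEN + 2 * 256)   # key names max 255 WCHARs
    out_len = ctypes.c_ulong()
    index = 0
    try:
        while True:
            status = ntdll.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION,
                                          buf, ctypes.sizeof(buf), ctypes.byref(out_len))
            if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError("NtEnumerateKey(%d) failed: 0x%08X" % (index, status & 0xFFFFFFFF))
            name = parse_key_basic_information(buf.raw[:out_len.value])
            if has_embedded_nul(name):
                findings.append(name)
            index += 1
    finally:
        ntdll.NtClose(handle)
    return findings


if __name__ == "__main__":
    # Constructed sample: a key name with a NUL in the middle. Any C-string
    # based tool would display it as just "Run".
    sample = make_sample_buffer("Run\x00hidden")
    print("parsed name:", printable(parse_key_basic_information(sample)))
    if sys.platform == "win32":
        hive_path = r"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion"
        for key in find_nul_subkeys(hive_path):
            print("embedded NUL in subkey:", printable(key))
```

Run it as-is on Windows to list offending subkeys under one path; to cover "ALL the system hives" as the thread recommends, call find_nul_subkeys recursively on each subkey it returns plus the clean ones, which the same NtEnumerateKey loop already gives you. Scanning only reports names; deleting a key that carries a NUL needs a tool that also goes through the native API, since the Win32 delete calls stop at the first NUL.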