IRC Virii

Anima

Yo,

Recently i've been bombarded with viruii from irc. Theres been two occastions where i've had to format and reinstall. Which písses me off to no end.

Anyway i've got my zonealarm and my avg installed but they don't do squat. Fair enough avg warns me of these two viruii that i get. The randi.h virus and the some other one. There both fairly harmless to my system but the randi.h one is used by someone to steal cd keys for games. Which is highly gay.

So is there anyway to fully block these basterds from doing it?

theciscokid

Yes stop using winblows

scojones

what theciscokid said, with lots of !!!!! after it.

ecksor

I think there are a couple of faults in recent versions of mIRC and Internet Explorer that have facilitated the spread of this stuff. Make sure that those pieces of software (and ideally your entire system) is up to date.

After that, don't click on URLs or accept files from individuals you don't trust.

Cr8or

see url for info about bad irc links

http://www.boards.ie/vbulletin/showthread.php?threadid=121863

joePC

Get blackICE firwall, Here

Stops most attacks & are you not running a AV??

Thanks joePC

Martyr

In the case of the IE problem, which allowed some scripting code to download
executable to any path on the users computer.

Say for example, the IE users root drive was C:\, given write access,
a hacker could place an executable there with the name explorer.exe

When someone were logging on to system, lets say on NT

The malicious explorer.exe C:\ would get executed before C:\windows\explorer.exe on Win9x or C:\WINNT\explorer.exe on NT

Same situation with DLL files that load...KERNEL32.DLL/WS2_32.DLL..etc

Problem is, anyone with write access to C:\ could place an image to carry
out a..task only permitted by ADMINISTRATOR

Then it could simply run the proper explorer.exe and exit without the
ADMINISTRATOR knowing what happened.

Thats just as an example..add normal user to ADMINISTRATOR group

install logging utilities to capture passwords..anything i suppose.

Martyr

I forgot to mention a little thing too about firewalls which some of
you might find a little interesting.

I saw about 4 year ago, a virus that would terminate firewalls/anti-virus
software, anything that could stop it functioning properly using
the PostMessage api specifying WM_QUIT/WM_DESTROY or WM_CLOSE.

This was effective on Win9x..and some software on NT.

Now, that most users of Win9x are upgrading to XP or NT
it allows for more interesting way of avoiding detection of malicious code
without terminating application.

If you are a frequent user of internet browser ..lets say Microsoft Internet Explorer
And, as an assumption you have a firewall rule to ALWAYS allow connections
outward by Internet Explorer...

In the window title, you see "Internet Explorer"

If code were to enumerate all windows using EnumWindows and then
using GetWindowText

Compare text with "Internet Explorer", if it is equal, allocate
memory there using VirtualAllocEx, inject relocatable TCP/IP code
using WriteProcessMemory and finally execute with CreateRemoteThread.

This goes unoticed by some firewalls like Zonealarm..perhaps any windows
firewall.

I've seen this done, and yes, it works perfectly, although its not been
mentioned much.

tibor

This is a fairly common technique, another one used by a lot of Adware/Spyware is simply to install itself as a Browser Helper Object. As well as being able to freely send/recieve data through your firewall they'll have access to all Windows Messages passed through the browser.

Martyr

Access to all messages as in.. message hook, using SetWindowsHookEx
or API hook?
Replacing functions.
I'm not aware of any spyware/adware that uses relocatable TCP/IP code
in order to bypass a firewall.
Although, it could debug a process, duplicating a socket handle..maybe.

tibor

Originally posted by Average Joe
Access to all messages as in.. message hook, using SetWindowsHookEx
or API hook?
Replacing functions.

My bad; events, not messages. This explains the methods used a lot better than I could.

I'm not aware of any spyware/adware that uses relocatable TCP/IP code
in order to bypass a firewall.
Although, it could debug a process, duplicating a socket handle..maybe.

Shouldv've been a full-stop there - meant in viruses - although I do remember some spyware samples doing it, I can't remember names. Some viruses that use the technique are W32.HLLW.Lovgate.G@mm, W32.Randex.E,
Backdoor.EggDrop, and Backdoor.Spotcom,.

zAbbo

And check here