External

Since: Dec 11, 2007 Posts: 10
(Msg. 1) Posted: Wed Jan 09, 2008 8:09 pm
Post subject: 21-byte virus? (curiosity)
Archived from groups: alt>comp>virus

External

Since: Aug 05, 2005 Posts: 424
(Msg. 2) Posted: Wed Jan 09, 2008 9:28 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
It seems that it was first posted to Usenet on Dec 13, 2007 in this
post:
http://groups.google.ca/group/swnet.teknik.telefoni/msg/04506de1839416...dmode=s
From: Usenet Rulez <Onanera.Mera.det.fods.sossar.va... RemoveThis @dag.nu>
Newsgroups: swnet.teknik.telefoni,swnet.diverse
Subject: Re: Newsgroupssabotörerna
Date: Thu, 13 Dec 2007 15:07:11 +0000 (UTC)
Message-ID: <8999A05A3A81878B87595478 RemoveThis @swnet.nu>
X-Complaints-To: postmaster RemoveThis @swnet.nu
User-Agent: X-pev/5.04.25
It was the third post in that thread, posted by the person who started
the thread. They did not attach the file in the first post, but they
did the next time they posted to that thread, and two more times (on
Dec. 16).
Seems that many, most, or all posts of cwp064_034.jpg.exe are made by
"Usenet Rulez", who has a posting history that started in Dec 2007 and
has 330 posts in Dec 2007 and 383 posts (so far) in January 2008.
A VT scan of cwp064_034.jpg.exe turns up 100% negative.
The file is 21 bytes. Here is a hex dump:
50 66 4C 30 E0 44 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00
Or in Ascii: PfL0.D
E0, if it's an extended ASCII character, looks to be the Greek letter
alpha.
Buzzard wrote:
> I just noticed a post in alt.angst that contains an
> attachment "cwp064_034.jpg.exe"
> The file is 21 bytes long, and consists of the
> string "PfLO_D", followed by a few non-printable
> characters.

External

Since: Jun 01, 2006 Posts: 165
(Msg. 3) Posted: Thu Jan 10, 2008 1:50 pm
Post subject: Re: 21-byte virus? (curiosity)

External

Since: Jun 03, 2006 Posts: 117
(Msg. 4) Posted: Fri Jan 11, 2008 5:58 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
"Virus Guy" <> wrote in message news:
> It seems that it was first posted to Usenet on Dec 13, 2007 in this
> post:
>
> http://groups.google.ca/group/swnet.teknik.telefoni/msg/04506de1839416...dmode=s
>
> From: Usenet Rulez <Onanera.Mera.det.fods.sossar.va....RemoveThis@dag.nu>
> Newsgroups: swnet.teknik.telefoni,swnet.diverse
> Subject: Re: Newsgroupssabotörerna
> Date: Thu, 13 Dec 2007 15:07:11 +0000 (UTC)
> Message-ID: <8999A05A3A81878B87595478.RemoveThis@swnet.nu>
> X-Complaints-To: postmaster.RemoveThis@swnet.nu
> User-Agent: X-pev/5.04.25
>
> It was the third post in that thread, posted by the person who started
> the thread. They did not attach the file in the first post, but they
> did the next time they posted to that thread, and two more times (on
> Dec. 16).
>
> Seems that many, most, or all posts of cwp064_034.jpg.exe are made by
> "Usenet Rulez", who has a posting history that started in Dec 2007 and
> has 330 posts in Dec 2007 and 383 posts (so far) in January 2008.
>
> A VT scan of cwp064_034.jpg.exe turns up 100% negative.
>
> The file is 21 bytes. Here is a hex dump:
>
> 50 66 4C 30 E0 44 00 00
> 00 00 00 00 00 00 00 00
> 00 00 00 00 00
>
> Or in Ascii: PfL0.D
>
> E0, if it's an extended ASCII character, looks to be the Greek letter
> alpha.
>
>
> Buzzard wrote:
>
>> I just noticed a post in alt.angst that contains an
>> attachment "cwp064_034.jpg.exe"
>> The file is 21 bytes long, and consists of the
>> string "PfLO_D", followed by a few non-printable
>> characters
It will execute, but it doesn't do anything much.
Here's disassembly:
..
seg000:0100 ;
seg000:0100 ; ╔═════════════════════════════════════════════════════════════════════════╗
seg000:0100 ; ║ This file is generated by The Interactive Disassembler (IDA) ║
seg000:0100 ; ║ Copyright (c) 2002 by DataRescue sa/nv, <ida.RemoveThis@datarescue.com> ║
seg000:0100 ; ║ Licensed to: Freeware version ║
seg000:0100 ; ╚═════════════════════════════════════════════════════════════════════════╝
seg000:0100 ;
seg000:0100 ; ───────────────────────────────────────────────────────────────────────────
seg000:0100 ; File Name : C:\work\FILE.COM
seg000:0100 ; Format : MS-DOS COM-file
seg000:0100 ; Base Address: 0h Range: 100h-115h Loaded length: 15h
seg000:0100
seg000:0100
seg000:0100 ; ═══════════════════════════════════════════════════════════════════════════
seg000:0100
seg000:0100 ; Segment type: Pure code
seg000:0100 seg000 segment byte public 'CODE'
seg000:0100 assume cs:seg000
seg000:0100 org 100h
seg000:0100 assume es:nothing, ss:nothing, ds:seg000
seg000:0100
seg000:0100 public start
seg000:0100 start:
seg000:0100 push ax
seg000:0101 dec esp
seg000:0103 xor al, ah
seg000:0105 inc sp
seg000:0105 ; ───────────────────────────────────────────────────────────────────────────
seg000:0106 db 0 ;
seg000:0107 db 0 ;
seg000:0108 db 0 ;
seg000:0109 db 0 ;
seg000:010A db 0 ;
seg000:010B db 0 ;
seg000:010C db 0 ;
seg000:010D db 0 ;
seg000:010E db 0 ;
seg000:010F db 0 ;
seg000:0110 db 0 ;
seg000:0111 db 0 ;
seg000:0112 db 0 ;
seg000:0113 db 0 ;
seg000:0114 db 0 ;
seg000:0114 seg000 ends
seg000:0114
seg000:0114
seg000:0114 end start
To answer the question. I believe a malicious executable file could be
written in 21 bytes, just write 0s to boot sectors for instance.

External

Since: Jun 03, 2006 Posts: 117
(Msg. 5) Posted: Fri Jan 11, 2008 7:21 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
It isn't that simple, accessing raw sectors, I guess.
dskpatch.com in XP doesn't allow access.
Roadkil's sector editor does allow, so I don't
know what's necessary to access raw sectors.
Of course, I haven't tried writing anything to
sectors with Roadkil. I just read, chicken I guess.

External

Since: Dec 11, 2007 Posts: 10
(Msg. 6) Posted: Fri Jan 11, 2008 8:30 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
Russg wrote:
> It isn't that simple, accessing raw sectors, I guess.
> dskpatch.com in XP doesn't allow access.
> Roadkil's sector editor does allow, so I don't
> know what's necessary to access raw sectors.
> Of course, I haven't tried writing anything to
> sectors with Roadkil. I just read, chicken I guess.
I hadn't considered the possibility of it being a
non-replicating malicious program (a bomb, I guess that
would be called?) I haven't tried accessing direct
sectors in a long time either, although it used to be
simple, trip dos interrupt 25 for read, 26 for write.
That is arcane stuff, though. pre-internet.
I do know that a small *batch* file can copy itself,
because I sicced one on my annoying roommate back in
1985 (no hard drives back in those days, just 2 floppy)
with an autoexec.bat that said:
ECHO OFF
COPY AUTOEXEC.BAT B:
--
Buzzard

External

Since: Nov 14, 2007 Posts: 20
(Msg. 7) Posted: Sat Jan 12, 2008 2:12 am
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)

External

Since: Jun 01, 2006 Posts: 165
(Msg. 8) Posted: Sat Jan 12, 2008 2:17 am
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
whodunit.DeleteThis@hellifniknow.com (Sycho) wrote in news:47882173.1333203
@whyioughta.com:
> Today Buzzard <Buzzard.DeleteThis@domain.invalid.net> in alt.comp.virus on Fri,
> 11 Jan 2008 20:30:21 -0500 thought that it would be fun to share with
> the rest of the class this little ditty..
>
>>Russg wrote:
>>> It isn't that simple, accessing raw sectors, I guess.
>>> dskpatch.com in XP doesn't allow access.
>>> Roadkil's sector editor does allow, so I don't
>>> know what's necessary to access raw sectors.
>>> Of course, I haven't tried writing anything to
>>> sectors with Roadkil. I just read, chicken I guess.
>>
>>I hadn't considered the possibility of it being a
>>non-replicating malicious program (a bomb, I guess that
>>would be called?) I haven't tried accessing direct
>>sectors in a long time either, although it used to be
>>simple, trip dos interrupt 25 for read, 26 for write.
>>
>>That is arcane stuff, though. pre-internet.
>>I do know that a small *batch* file can copy itself,
>>because I sicced one on my annoying roommate back in
>>1985 (no hard drives back in those days, just 2 floppy)
>>with an autoexec.bat that said:
>>
>>ECHO OFF
>>COPY AUTOEXEC.BAT B:
>
> Remember keyboard remappers and ANSI bombs?
>
> I still have a few of those laying around here. I even have an old
> .bat worm too.
My bad.. I was looking at it from an .exe header point of view.
--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.DeleteThis@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

External

Since: Nov 14, 2007 Posts: 20
(Msg. 9) Posted: Sat Jan 12, 2008 5:01 am
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)

External

Since: Jan 31, 2004 Posts: 241
(Msg. 10) Posted: Sat Jan 12, 2008 1:59 pm
Post subject: Re: 21-byte virus? (curiosity)
"Buzzard" wrote:
> I just noticed a post in alt.angst that contains an
> attachment "cwp064_034.jpg.exe"
> The file is 21 bytes long, and consists of the
> string "PfLO_D", followed by a few non-printable
> characters.
The file claims to be UUencoded but it isn't. The encoding is invalid
so I don't know how you managed to get a 21 byte file out of it. Any
sane application will refuse to decode it. If you view the source of
the post the string "utfyllnad" can be seen between the UUencode start
and end markers.
It's just a silly joke.
> Just out of curiosity
> can a *modern* virus really
> exist in a file that size?
Modern viruses for Windows are PE format executables, so the answer
would be no. The smallest PE file would be a few hundred bytes.

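An added example, not part of any post in this thread: one explanation of how a 21-byte file can come out of that body line. It assumes the line between the markers was exactly "utfyllnad" and that the newsreader used a tolerant form of the classic uudecode arithmetic (subtract 32, keep 6 bits, treat missing characters as spaces); the function names are made up here.

```python
# Added example: strict vs. tolerant decoding of one uuencoded body line.
# Assumption: the body line in the post was exactly "utfyllnad".

def six_bits(ch):
    """Classic uudecode mapping: subtract the space character, keep 6 bits."""
    return (ord(ch) - 32) & 0x3F


def unpack(vals, n):
    """Turn groups of four 6-bit values into bytes and keep the first n."""
    out = bytearray()
    for i in range(0, len(vals), 4):
        a, b, c, d = vals[i:i + 4]
        out += bytes([(a << 2 | b >> 4) & 0xFF,
                      (b << 4 | c >> 2) & 0xFF,
                      (c << 6 | d) & 0xFF])
    return bytes(out[:n])


def strict_decode_line(line):
    """Reject anything a well-formed uuencoded line cannot contain."""
    if not line or any(not 32 <= ord(c) <= 96 for c in line):
        raise ValueError("character outside the uuencode alphabet")
    n = six_bits(line[0])
    if n > 45:
        raise ValueError("length character encodes more than 45 bytes")
    body = line[1:]
    if len(body) != 4 * ((n + 2) // 3):
        raise ValueError("body length does not match the length character")
    return unpack([six_bits(c) for c in body], n)


def tolerant_decode_line(line):
    """Mask every character to 6 bits; pad a short line with spaces (value 0)."""
    n = six_bits(line[0])
    need = 4 * ((n + 2) // 3)
    vals = [six_bits(c) for c in line[1:1 + need]]
    vals += [0] * (need - len(vals))
    return unpack(vals, n)


if __name__ == "__main__":
    line = "utfyllnad"  # assumed body line, see lead-in
    try:
        strict_decode_line(line)
    except ValueError as err:
        print("strict decoder rejects the line:", err)
    data = tolerant_decode_line(line)
    print("tolerant decoder:", len(data), "bytes:", data.hex(" "))
```

Under those assumptions the tolerant decoder returns 50 66 4C 30 E0 44 followed by 15 zero bytes, the same 21 bytes as the hex dump quoted earlier in the thread. For scanning, the practical point is to decode attachments the same way the client that writes them to disk does.
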
External

Since: Dec 11, 2007 Posts: 10
(Msg. 11) Posted: Sat Jan 12, 2008 10:46 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
Sycho wrote:
> Today Buzzard <Buzzard.RemoveThis@domain.invalid.net> in alt.comp.virus on Fri,
> 11 Jan 2008 20:30:21 -0500 thought that it would be fun to share with
> the rest of the class this little ditty..
>(snip)
>>That is arcane stuff, though. pre-internet.
>>I do know that a small *batch* file can copy itself,
>>because I sicced one on my annoying roommate back in
>>1985 (no hard drives back in those days, just 2 floppy)
>>with an autoexec.bat that said:
>>
>>ECHO OFF
>>COPY AUTOEXEC.BAT B:
>
> Remember keyboard remappers and ANSI bombs?
>
> I still have a few of those laying around here. I even have an old
> .bat worm too.
I've heard of ANSI bombs, but never actually seen one.
Don't remember any keyboard remappers though,
although I do remember the Pakistani (C) Brain virus
that was going around in the late '80s.
I got infected with that one
from playing video games and sharing floppies.
--
Buzzard

External

Since: Nov 14, 2007 Posts: 20
(Msg. 12) Posted: Sun Jan 13, 2008 1:53 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)

External

Since: Jun 01, 2006 Posts: 165
(Msg. 13) Posted: Sun Jan 13, 2008 5:36 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
whodunit.TakeThisOut@hellifniknow.com (Sycho) wrote in news:478848d4.11415597
@whyioughta.com:
> Today Dustin Cook <bughunter.dustin.TakeThisOut@gmail.com> in alt.comp.virus on
> Sat, 12 Jan 2008 02:17:26 GMT thought that it would be fun to share
> with the rest of the class this little ditty..
>
>>whodunit@hellifniknow.com (Sycho) wrote in news:47882173.1333203
>>@whyioughta.com:
>>
>>> Today Buzzard <Buzzard.TakeThisOut@domain.invalid.net> in alt.comp.virus on Fri,
>>> 11 Jan 2008 20:30:21 -0500 thought that it would be fun to share with
>>> the rest of the class this little ditty..
>>>
>>>>Russg wrote:
>>>>> It isn't that simple, accessing raw sectors, I guess.
>>>>> dskpatch.com in XP doesn't allow access.
>>>>> Roadkil's sector editor does allow, so I don't
>>>>> know what's necessary to access raw sectors.
>>>>> Of course, I haven't tried writing anything to
>>>>> sectors with Roadkil. I just read, chicken I guess.
>>>>
>>>>I hadn't considered the possibility of it being a
>>>>non-replicating malicious program (a bomb, I guess that
>>>>would be called?) I haven't tried accessing direct
>>>>sectors in a long time either, although it used to be
>>>>simple, trip dos interrupt 25 for read, 26 for write.
>>>>
>>>>That is arcane stuff, though. pre-internet.
>>>>I do know that a small *batch* file can copy itself,
>>>>because I sicced one on my annoying roommate back in
>>>>1985 (no hard drives back in those days, just 2 floppy)
>>>>with an autoexec.bat that said:
>>>>
>>>>ECHO OFF
>>>>COPY AUTOEXEC.BAT B:
>>>
>>> Remember keyboard remappers and ANSI bombs?
>>>
>>> I still have a few of those laying around here. I even have an old
>>> .bat worm too.
>>
>>My bad.. I was looking at it from an .exe header point of view.
>
> That "trick" with adding the .exe extension (Exs: lame-image.jpg.exe,
> lame-pr0n.mpg.exe and lame-whatever.avi .exe) is
> soooo outdated. Hard to believe that there are those who still fall
> for that gag.
Well, the idea is that it's an executable and not really a jpeg. So
I took it from an exe point of view when I said the file is invalid. It
doesn't have an intact EXE header.
How do you know for sure it's intended to be a .com file?
--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.TakeThisOut@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

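An added example, not part of any post in this thread: a header check of the kind the reply above describes, run on the 21 bytes from the hex dump quoted earlier. The names `classify`, `triage` and `has_double_extension` are made up here, and the list of executable extensions is an assumption.

```python
# Added example: triage an attachment by name and header bytes only.
import struct

# Constructed from the hex dump quoted in the thread: 6 bytes plus 15 zero bytes.
SAMPLE = bytes.fromhex("50664C30E044") + bytes(15)

# Assumed list of extensions that Windows treats as executable.
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")


def has_double_extension(name):
    """True for names like picture.jpg.exe: a short extension before an executable one."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[2] in EXEC_EXTS
            and 1 <= len(parts[1]) <= 4)


def classify(data):
    """Return 'pe', 'mz' or 'flat' from the header bytes alone."""
    if data[:2] not in (b"MZ", b"ZM"):
        # No EXE signature: DOS loads such a file as a flat COM image,
        # whatever its extension says.
        return "flat"
    if len(data) < 0x40:
        return "mz"  # too short to hold the e_lfanew field at offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz"


def triage(name, data):
    """Summarise what can be said about a file without running it."""
    return {
        "double_extension": has_double_extension(name),
        "format": classify(data),
        "size": len(data),
        "zero_padding": len(data) - len(data.rstrip(b"\0")),
    }


if __name__ == "__main__":
    print(triage("cwp064_034.jpg.exe", SAMPLE))
```
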
External

Since: Jun 03, 2006 Posts: 117
(Msg. 14) Posted: Sun Jan 13, 2008 5:36 pm
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
snip
Dustin wrote:
> how do you know for sure it's intended to be a .com file?
>
I don't think it is intended to be a .com file.
It was just a silly thing, 8 bytes that will execute,
but meaningless. I took the hex dump and
made a .com file from the 8+13 0s. It is/was
silly, sorry.

External

Since: Apr 04, 2007 Posts: 74
(Msg. 15) Posted: Mon Jan 14, 2008 8:52 am
Post subject: Re: 21-byte virus? (cwp064_034.jpg.exe)
In article <13og64u9l96nla1.RemoveThis@corp.supernews.com>,
Buzzard.RemoveThis@domain.invalid.net says...
> I do know that a small *batch* file can copy itself,
> because I sicced one on my annoying roommate back in
> 1985 (no hard drives back in those days, just 2 floppy)
Hell, we did stuff along those lines on mainframes.
--
Snob? Were I a snob, I wouldn't be talking to you.