anti malware malware

sam1967.TakeThisOut@hetnet.nl wrote:

> On Fri, 13 Feb 2004 01:32:06 -0800, Big Will

>>Well, somebody suggested earlier in this newsgroup that someone ought to
>>create a worm that would uninstall mydoom. Well, it's happenning.
>>First, there was doomjuice. Now I'm reading on Symantec's website about
>>Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
>>to an infected computer, then disinfect the MyDoom virus. WTF. Can't
>>the VX-ers come up with something a little more originial then this.
>
>
> it surely isnt VX-ers behind these "White Worms" now is it ?

sure it is... who did you think was behind it?

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
 >> Stay informed about: anti malware malware 

On Fri, 13 Feb 2004 10:42:17 -0500, kurt wismer <kurtw.TakeThisOut@sympatico.ca>
wrote:

>sam1967@hetnet.nl wrote:
>
>> On Fri, 13 Feb 2004 01:32:06 -0800, Big Will
>
>>>Well, somebody suggested earlier in this newsgroup that someone ought to
>>>create a worm that would uninstall mydoom. Well, it's happenning.
>>>First, there was doomjuice. Now I'm reading on Symantec's website about
>>>Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
>>>to an infected computer, then disinfect the MyDoom virus. WTF. Can't
>>>the VX-ers come up with something a little more originial then this.
>>
>>
>> it surely isnt VX-ers behind these "White Worms" now is it ?
>
>sure it is... who did you think was behind it?

it makes no logical sense for them to download m$ patches to the
infected machines and remove all traces of MyDoom does it ?
who is behind it ? god knows ?
 >> Stay informed about: anti malware malware 

sam1967.TakeThisOut@hetnet.nl wrote:
> On Fri, 13 Feb 2004 10:42:17 -0500, kurt wismer <kurtw.TakeThisOut@sympatico.ca>
>>sam1967@hetnet.nl wrote:
>>>On Fri, 13 Feb 2004 01:32:06 -0800, Big Will
>>
>>>>Well, somebody suggested earlier in this newsgroup that someone ought to
>>>>create a worm that would uninstall mydoom. Well, it's happenning.
>>>>First, there was doomjuice. Now I'm reading on Symantec's website about
>>>>Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
>>>>to an infected computer, then disinfect the MyDoom virus. WTF. Can't
>>>>the VX-ers come up with something a little more originial then this.
>>>
>>>
>>>it surely isnt VX-ers behind these "White Worms" now is it ?
>>
>>sure it is... who did you think was behind it?
>
> it makes no logical sense for them to download m$ patches to the
> infected machines and remove all traces of MyDoom does it ?

patches? what patches? mydoom doesn't use any bugs in windows, there
are no patches...

does it make sense for the vx to make a worm or virus that disinfects
mydoom? sure it does... some vx'ers compete with each other, some have
rivalries, and some think they can make 'good' viruses and/or worms...
it's happened in the past, it will most likely happen again in the
future...

also, don't assume people (vx'ers included) always behave in a
'logical' manner...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
 >> Stay informed about: anti malware malware 

sam1967.DeleteThis@hetnet.nl wrote:
> On Fri, 13 Feb 2004 12:21:27 -0500, kurt wismer <kurtw.DeleteThis@sympatico.ca>
>>sam1967@hetnet.nl wrote:
>>>On Fri, 13 Feb 2004 10:42:17 -0500, kurt wismer <kurtw.DeleteThis@sympatico.ca>
>>>>sam1967@hetnet.nl wrote:
[snip]
>>>>>it surely isnt VX-ers behind these "White Worms" now is it ?
>>>>
>>>>sure it is... who did you think was behind it?
>>>
>>>it makes no logical sense for them to download m$ patches to the
>>>infected machines and remove all traces of MyDoom does it ?
>>
>>patches? what patches?
>
>
> i was referring to Nachia-B (Welchia-B) which makes use of the various
> RPC bugs to propagate and once propagated downloads patches to the
> computer (only English, Korean and Chinese - not Japanese) and applies
> them.

ok, but those patches have nothing to do with mydoom (the only thing
mydoom exploits is user gullibility and there's no patch for that)...
nor do they have anything to do with the security holes that welchia.b
itself exploits... i have no idea why the worm applies the patches it
does, but i see no reason to believe that it was the work of anyone
outside of the vx...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
 >> Stay informed about: anti malware malware 

>Well, somebody suggested earlier in this newsgroup that someone ought to
>create a worm that would uninstall mydoom.

Was probably me "earlier in this newsgroup", but the idea is not so
new really.

> Well, it's happenning.
>First, there was doomjuice. Now I'm reading on Symantec's website about
>Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
>to an infected computer, then disinfect the MyDoom virus. WTF. Can't
>the VX-ers come up with something a little more originial then this.

Honestly, as long as those specific worms don't spread by e-mail I
care not too much. Of course provided this does not lead to attacking
machines which are not already infected! And, provided one is lucky
enough to be catched by a "white" worm, would that not still be better
than if those machines get to know Doomjuce?

I fully agree though that people should run AV software on their
machines and otherwise take care not to get caught by malware. Still,
there is the fact that there are thousand over thousands machines out
there now with an open backdor - thanks to MyDoom.A.

It's obvious that many poeple will try to abuse all those machines.
Not really too surprizing - wether we like it or not.

Markus
 >> Stay informed about: anti malware malware 

On Fri, 13 Feb 2004 14:30:47 -0500, kurt wismer <kurtw.RemoveThis@sympatico.ca>
wrote:

>sam1967@hetnet.nl wrote:
>> On Fri, 13 Feb 2004 12:21:27 -0500, kurt wismer <kurtw.RemoveThis@sympatico.ca>
>>>sam1967@hetnet.nl wrote:
>>>>On Fri, 13 Feb 2004 10:42:17 -0500, kurt wismer <kurtw.RemoveThis@sympatico.ca>
>>>>>sam1967@hetnet.nl wrote:
>[snip]
>>>>>>it surely isnt VX-ers behind these "White Worms" now is it ?
>>>>>
>>>>>sure it is... who did you think was behind it?
>>>>
>>>>it makes no logical sense for them to download m$ patches to the
>>>>infected machines and remove all traces of MyDoom does it ?
>>>
>>>patches? what patches?
>>
>>
>> i was referring to Nachia-B (Welchia-B) which makes use of the various
>> RPC bugs to propagate and once propagated downloads patches to the
>> computer (only English, Korean and Chinese - not Japanese) and applies
>> them.
>
>ok, but those patches have nothing to do with mydoom

true . but welchia-b (nachia-b) cleans up mydoom from infected
computers and applies the microsoft patches listed above.
that is pretty strange behaviour for vx-ers. no ?


> (the only thing
>mydoom exploits is user gullibility and there's no patch for that)...

lol.
 >> Stay informed about: anti malware malware 

sam1967.TakeThisOut@hetnet.nl wrote:
[snip]
> true . but welchia-b (nachia-b) cleans up mydoom from infected
> computers and applies the microsoft patches listed above.
> that is pretty strange behaviour for vx-ers. no ?

no... like i said, it's been done before and it will probably be done
again... anti-virus viruses have been around for more than 10 years...
its not new or strange, it's just infrequent...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
 >> Stay informed about: anti malware malware 

Big Will wrote:
> Well, somebody suggested earlier in this newsgroup that someone ought to
> create a worm that would uninstall mydoom. Well, it's happenning.
> First, there was doomjuice. Now I'm reading on Symantec's website about
> Doomhunter and w32.hllw.deadhat.b, both of which will install themselves
> to an infected computer, then disinfect the MyDoom virus. WTF. Can't
> the VX-ers come up with something a little more originial then this.
>

Well, let's see, who would benefit from the mydoom worms being knocked
out so that they can no longer bombard SCO and Microsoft web sites?

Beats me.

--
Adrian S

"I am not a number, I am a free man!"
"You are 127.0.0.1"
 >> Stay informed about: anti malware malware