
Opera naughty? ( -> Hybris virus)


Dedec0
April 30th, 2003, 04:19
Hi,

Yesterday, for unknown reasons, I decided to run filemon, just to see its face again.
I was expecting the usual explorer's farts, but this time I was surprised: non-MS farts!!
Well, I had Opera running in the bg (512), doing nothing: no js pages, no nothing. I wasn't online either.
This program was examining the names of EVERY file in hidden dirs (i.e., those we NEVER see in graphic mode, like Temp internet, recycled, ...) and also seemed to be ANALYSING zips' contents!! I have always been suspicious about that "zip.dll" it has, but I don't use it for the .zips we download... maybe this is it? :\

Anyway, it wasn't a brute read either. It "knows" we would see the HDD activity LED blinking, so it does about 2/3 accesses per second. What about that? If it was an urgent thing (like one we ask for) it wouldn't make those HUGE delays... nor do I think it takes a whole second to process stuff - the processor is idle!

And a little detail I don't know anything about is that it accessed some "files" (I dunno) with the path "0x3??". This is what filemon told me, and I haven't found anything in the win32api ref, but it's there... some of those were: 0x31d, 0x29c and 0x3d2.
It seemed to give as results the content of temporary internet files. The recycled contents are a normal path (like "disk:\path\file")... it also looked through some normal dirs (but that has nothing to do with any of its bee's knees).
The summary of the accesses was: get "Attributes", then do a "FindOpen" and then "FindNext"s as needed. And it SEEKs/READs zip files!!

I have tried something (reversing) on Opera6, but it is MUCH beyond my knowledge now. Opera 5 seems not to be packed, but I haven't checked it yet...

If someone has anything to say.

Regards,

Dedec0
May 3rd, 2003, 23:51
Ok,

It is a little disappointing that there are no answers, but anyway.
I have found the reason that filemon gives numbers for some paths: the file was opened before it was started, so it doesn't know the path of the file. For the files opened after it is launched, it keeps a hash table that it uses to show us the paths.

BUT that still doesn't make my thread a mistake - I don't see why Opera would be accessing several directories on my disk, and even more my RECYCLED folders (it accesses files NOT shown ANYMORE for me, normally with Windoze Explorer), and my Temporary Internet Files/index.dat (cookies too)... as it has its own cache folder, its own history file and even its own cookie storage file.

Until later,

Dedec0

dELTA
May 4th, 2003, 07:42
Could it be part of some time trial scheme (or other protection information hiding)? I don't know what kind of limitations it has, but it is quite common to spread out files with time trial information all over the computer anyway, so that people should not be able to reset the trial period easily.


dELTA

squidge
May 4th, 2003, 08:48
I thought of that also, but I'm sure Opera uses adverts rather than time trials.

Woodmann
May 4th, 2003, 20:10
Howdy,

I ran the same thing on my rig and got nothing.
Opera 7.01 ad-laden free version.

I tried all different types of tests and did not see one example of Opera doing anything wrong.

Because Opera is so configurable, I don't think it was a "fair" comparison. I have just about everything shut off.

I don't know what to tell you, check your ports? It may be some malware.....

Woodmann

evlncrn8
May 4th, 2003, 23:56
Could it possibly be some anti-virus scan from Opera itself? (just a guess, I don't use Opera myself)

banshee
May 5th, 2003, 06:59
Why don't you ask Opera developers?
If you don't trust their answers then don't trust their soft

Dedec0
May 6th, 2003, 04:38
dELTA, squidge>
I also don't think this could be it, as I see that Opera is banner based. But looking from here you can't know...
It bugs me, Opera reading a whole zip file's contents, which has content related to nothing, as I saw in my zip archiver. (some I checked were old files I created for me and then deleted... they're still there! :-o reaaally old)

Woodmann>
Hello, I have a fair amount of Opera's "features" turned off too. Plenty of servers bug me about me not using this or that. But I can't think of any of these features being related to sparse file reading... :\ And I still use Opera5 (I like Opera 6.04, which I also have, but it has some weird bug that no one else claimed to have.)
What do you mean "check my ports"?
I think I don't have any viruses on my PC now, but I really need to clean it up one of these days...

evlncrn8>
I don't have this kind of program running together. The only programs that start automatically on my computer are my sound board's drivers and the modem's drivers. I have that windoze TaskAgenda (or something) completely shut off. It seems improbable to me now that this is another program's fault.

banshee>
Yeah, right. Opera development. :-p ... I am a member of their forums, and they even bothered to help me with that serious bug I mentioned; I imagine what they would do with "me reversing their software's hidden 'features'".
What the "bug" is about: a MESSAGE box with an error message EVERY time I start Opera ("Your history list file is corrupted and will be cleared"), and I have tried install/uninstall, manual deletion of all files that contain information created after Opera is installed, some registry cleaning... I am kinda out of what to guess.
About trusting their software: I don't trust M$' more than theirs. And their thing is light (even with this great amount of protection! :-o ).

ALL>

I will try to examine (and maybe reverse) some of Opera5 in a little time. Later versions of Opera seem to be packed (at least Opera 6.04 is packed, which is the one I started to disassemble a while ago; Opera 5 I could successfully do some resource editing on with a tool, so I assume now it isn't packed) and I don't know how to unpack things yet. I am thinking about a thread with my results on Opera...
But my hopes with this thread were to find an explanation for the file accesses or to find someone else experiencing it. I will try to get Opera doing it again, and maybe find something that TRIGGERS the process...

Regards,

Dedec0
May 10th, 2003, 16:09
Hi,

I just found out. I had some friends over, and it seems like we got a Hybris virus. :\

Well, I will look at how to get rid of it (manually =). Do you think this could be a nice thing to put in a thread, or is it not that much, after all..?

But it bugs me, because I didn't catch any other program doing the accesses. Only when Opera was working. So the virus "moved" or got installed in Opera's executable?... wild guess. What does anyone think?

Regards,

Woodmann
May 10th, 2003, 18:58
Hi,

If you are using Opera mail, change to another email client after you get it cleaned up.

Else use an online virus scan to make sure you have removed all infected files.

Woodmann

Dedec0
May 10th, 2003, 19:35


I am not using any pop3 clients lately. Only my webmail accounts. So I think the virus isn't going anywhere easily. I said it is a Hybris virus because there is this string in its "install" file (checked on hexeditor); I have read that somewhere, but I can't recall WHERE now.

Anyway, I noted a few hours ago that my zip files are getting corrupted, most old ones are by now (you might have seen it before: the .exe's inside the zips get renamed to ".ex$" and a file with the old name is created, with a size of 23040 bytes).

I am researching this and I couldn't confirm Hybris' fault completely - the size of Hybris-B matches, but about the zip-corrupting... Commercial crap gets in the way...

It doesn't seem like an "urgent" problem for me. I might rename my new zip files with another extension, and change the registry too... this may work as a temporary patch for me. I am really not in the mood for running bloatware VSs nor for reinstalling my PC now...

See you around...

Ps: I will search what is an "online virus scan" but the name isn't attractive for me. There are really free ones, though.

This PS reads stupider now. I meant that I would search how it works, etc...
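An added check for the archive pattern described in this post (an `.exe` inside a zip renamed to `.ex$`, with a new file of the old name beside it). This is not code from the thread or from any antivirus tool; the archives it scans are constructed in a temporary directory, and the 23040-byte size is simply the figure reported above, used as a secondary flag rather than a verified signature.

```python
import os
import tempfile
import zipfile

# Size reported in the post for the replacement .exe that appears beside the
# renamed ".ex$" entry. Taken from the thread, not from any verified signature.
REPORTED_STUB_SIZE = 23040


def archive_indicators(zf):
    """Return one record per ".ex$" entry that has a same-named ".exe" beside it.

    That pairing is the pattern the post describes: the original executable is
    renamed to ".ex$" and a new file with the old name is written into the zip.
    """
    infos = {info.filename.lower(): info for info in zf.infolist()}
    hits = []
    for name, renamed in infos.items():
        if not name.endswith(".ex$"):
            continue
        stub = infos.get(name[:-len(".ex$")] + ".exe")
        if stub is None:
            continue
        hits.append({
            "renamed": renamed.filename,
            "stub": stub.filename,
            "stub_size": stub.file_size,
            "size_matches_report": stub.file_size == REPORTED_STUB_SIZE,
        })
    return hits


def scan_zip_files(paths):
    """Map each path to its indicator records; unreadable archives map to None."""
    results = {}
    for path in paths:
        try:
            with zipfile.ZipFile(path) as zf:
                results[path] = archive_indicators(zf)
        except zipfile.BadZipFile:
            results[path] = None  # damaged archive: worth a manual look on its own
    return results


def build_sample_archives(directory):
    """Write two constructed archives: one clean, one showing the described pattern."""
    clean = os.path.join(directory, "clean.zip")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 98)  # constructed, 100 bytes

    tampered = os.path.join(directory, "tampered.zip")
    with zipfile.ZipFile(tampered, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("tool.ex$", b"MZ" + b"\x00" * 98)  # the original, renamed
        zf.writestr("tool.exe", b"\x00" * REPORTED_STUB_SIZE)  # constructed placeholder stub
    return clean, tampered


def demo():
    """Build the samples in a temporary directory, scan them, return results by file name."""
    with tempfile.TemporaryDirectory() as directory:
        paths = build_sample_archives(directory)
        results = scan_zip_files(paths)
    return {os.path.basename(p): hits for p, hits in results.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits or "no indicators")
```

Point `scan_zip_files` at a real list of archive paths to check a download folder; a hit with `size_matches_report` false still means the rename pattern is present, only the stub size differs from what the post reports.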

dELTA
May 12th, 2003, 18:37
Just note that the hybris worm can alter its code and functionality by downloading new code from the net, so be careful. Whichever virus I would possibly have, I would try to kill it immediately, you never know what damage it can do, intentionally or unintentionally.


dELTA

Dedec0
May 13th, 2003, 04:32
dELTA> Hello. I tried to find all the information about the virus, but the best that seems to be exposed out there is that the virus used the registry "run once" to install itself, replacing "wsock32.dll". No more details about other files it uses (there is a (random 8 letters in CAPS) file in the windir that the virus creates, but I don't know what it does... :\ )
I restored my winsock32 today, and I will check the virus activities in just a few minutes... will it be gone? =) I will tell the board tomorrow.

--------

Is it a good idea for me to reverse this virus? Could I do this on this board? I searched but I found nothing about that being done (neither in other places, where the subject is usually censored :-( )




dELTA
May 13th, 2003, 13:46
I would still recommend you to get an antivirus program to make sure the virus is removed completely. Very often there are many tricks of the viruses that are not mentioned in the common online descriptions of them.

And sure, if you want to reverse the virus yourself to understand what it does, you are welcome to post about it in the advanced reversing/programming forum at this board. It can actually be quite interesting and educating to reverse viruses, even though many of the worms of today are written in higher level languages, not containing equally cool stunts and tricks as in the good old days. Many of them still contain really cool stuff though.


dELTA

Dedec0
May 22nd, 2003, 03:16
Hi, dELTA and all,

I didn't know about that, I am laughing now: viruses in HLLs... LOL =D
But I am convinced, for the time being, that the virus is gone. I have kept the "sick" wsock32.dll and I checked some other system DLLs to make sure they are not modified. I am also keeping, under a different name, the files the virus created, checking that others are not being created.

I know the risk I am in, doing this.

Ps: How do I change the thread's title? I tried, but it changed the title of my FIRST MESSAGE!

dELTA
May 22nd, 2003, 05:42
Yes, I saw the other day that Symantec had even started to classify high-level language viruses separately, like e.g. "W32.HLLW.Mankx" (HLLW = High Level Language Worm). What is the world coming to, people writing viruses in Visual Basic...

All of a sudden now I'm sure I'll get a message on my screen saying:

"Please download the latest VB runtimes, update your IE Scripting host to the latest version, download this and that OCX file, and update your MDAC components to the current version, otherwise this virus won't run."




And about changing the thread titles, normal users cannot do that. Seems like some nice moderator already fixed it for you though.


dELTA

evaluator
May 22nd, 2003, 11:49
Yesterday I received a 'microsift update'..

You guys sent it to me??
Or how does it happen, why does a virus (or worm) come to me??

PS, I unpacked it using UPXfix..
There are some 'crypted' strings, who wants to decrypt!?

JMI
May 22nd, 2003, 12:01
evaluator:

It's most likely the palyh worm. You can read about it here:

http://anticrack.p15106404.pureserver.info/modules.php?op=modload&name=News&file=article&sid=4093&mode=&order=0&thold=0

It is an email worm that reads other people's email lists and then sends itself out with a tag line "from" m$.

Do a search on your machine for "MSCCN32.EXE", especially in the windows directory and in the registry autorun key.

It is packed with UPX.

Regards.

evaluator
May 22nd, 2003, 14:20
hi, JMI!

I know what worm it is, because Yahoo has an anti-virus check, so..

OK, I debugged this worm now & there seems to be great m$ crypto used ~:0

So as I understand, this kind of crypto is embedded in the msvc compiler??
(Because it is decrypted in the EXE's initialisation?)

These are the decrypted texts:
-http://www.geocities.com/dnggobhytc/nbvhf.txt
-http://www.geocities.com/lfhcpsnfs/mdero.txt
-http://www.geocities.com/fjgoplsnjs/jane.txt
-www.geocities.com/dnggobhytc/nbvhf.txt
-www.geocities.com/dnggobhytc/nbvhf.txt
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
Your detailsApproved (Ref: 38446-263) 467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie

Now I will look for these files on the web..

JMI!
>Do a search on you machine for "MSCCN32.EXE...
JMI, I have NOT any ANTI-vir & never been infected from InterNato

evaluator
May 22nd, 2003, 14:23
yah, pages killed..

JMI
May 22nd, 2003, 14:30
evaluator:

Your decrypted info is right out of the palyh worm. The thread I gave includes this info:

Messages contain the following attributes:

From: support@microsoft.com

Subject: [one of the following]
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body: All information is in the attached file.

Attached file name:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates a file named "hnks.ini" in the Windows directory and writes to this file the email addresses that were found on an infected machine.

**************

So it appears it got your address from someone else's computer or maybe the Yahoo Directory.

Regards.
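An added example, not code from the thread or from the linked article, that turns the message attributes quoted above (sender, subject lines, body text, attachment names) into a small mail-side check. The two sample messages are constructed here; a real deployment would feed it messages pulled from a mailbox or gateway log. The "three indicators" threshold in `is_palyh_like` is a choice made for this example, not something the description states.

```python
import email
import email.policy
from email.utils import parseaddr

# Indicators exactly as quoted in the description above. Everything else in
# this block (sample messages, threshold) is constructed for the example.
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details",
}
PALYH_BODY = "All information is in the attached file."
PALYH_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}


def match_indicators(raw_message):
    """Parse one RFC 822 message and return the names of the indicators it matches."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    matched = []

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == PALYH_SENDER:
        matched.append("sender")

    if str(msg.get("Subject", "")).strip() in PALYH_SUBJECTS:
        matched.append("subject")

    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name in PALYH_ATTACHMENTS:
                matched.append("attachment_name")
            elif name.endswith(".pif"):
                matched.append("pif_attachment")  # weaker: any .pif attachment
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() == PALYH_BODY:
                matched.append("body")
    return matched


def is_palyh_like(raw_message):
    """Flag a message when at least three independent indicators line up (example threshold)."""
    return len(match_indicators(raw_message)) >= 3


# Constructed sample matching the quoted description.
WORM_SAMPLE = """\
From: support@microsoft.com
To: user@example.test
Subject: Re: Approved (Ref: 3394-65467)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="us-ascii"

All information is in the attached file.
--sample-boundary
Content-Type: application/octet-stream; name="approved.pif"
Content-Disposition: attachment; filename="approved.pif"
Content-Transfer-Encoding: base64

TVo=
--sample-boundary--
"""

# Constructed benign sample that shares only a subject line.
BENIGN_SAMPLE = """\
From: Alice <alice@example.test>
To: user@example.test
Subject: Re: Movie
Content-Type: text/plain; charset="us-ascii"

Still on for Friday?
"""


if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, match_indicators(raw), "flagged" if is_palyh_like(raw) else "clean")
```

The benign sample shows why a single matching subject is not enough on its own: "Re: Movie" is an ordinary reply line, so the check only raises a flag when the sender, body text and attachment name also coincide.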