"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
news:VeOdnUfap6yAXADYnZ2dnUVZ_revnZ2d@giganews.com :

> Dustin the files are analyzed and checked and verified here in my
> office test lab.


Then why do you release a simple script file, instead of an actual
program which could do real content analysis, to be sure it's getting the
right file in its crosshairs?

I don't know of any serious office test labs which release mass deletion
scripts.... What's the name of this office?

> Our test boxes are infected for weeks at a time and
> then checked for changes; they are constantly monitored, and not with
> just one infection but two and three at a time. We know what these
> files are and what they do and how they change. I understand what you
> are saying but you need to understand what we do to prevent what you
> say can happen from happening. Yes it can happen but we guard
> against it.


Monitored for what and how? And what are you infecting them with in the
first place? Viruses infect; trojans are not capable of infection. They'd
be viruses if they could.... Trojans.. ehh, you know them as adware, spyware,
riskware.. heh, etc... they're all trojans when it comes right down to
it.

> For example, a few months ago we found a file that is not
> a Windows file but a legitimate file; if it is deleted it will break
> your system, however only if you have certain software installed. We
> find these all the time.


This is normal in the study of malware and systems which may have some on
them. It's not something to brag about.

> If the malware can be removed safely without
> deleting that file then spyerase will not delete that file. If it
> cannot then it will be deleted and replaced on reboot with a good
> clean file or the file is replaced before scanning and it will not be
> included in the detection database. We did however use this method to


Detection database? What detection database? Your file is a long batch
file that occasionally calls third-party programs (strange, one would think
a lab would develop its own software for that)... to delete files and
stop processes which may be running in memory. I don't see any references
to any database of any kind in your script.... No file I/O calls to any
files of any kind, except for deletion...

Your script is incapable of deciding whether or not a file is malware
because it does not do any kind of analysis; it simply deletes any files
that match hard-coded names... Any malware that's released that goes for
common names has the benefit of making sure your script trashes the host
in the process of removal...

It's one thing to have false alarms, as all programs occasionally do, but
it's never okay to treat a file as bad simply because of its name!


> set traps for the thieves who try to steal spyerase. I will send you
> one such file, you analyze it and tell me if bug hunter detects it or



Pcbutts, a question if you will...

You mentioned spyerase was developed in 2005, correct? If that's the
case, why do several roguefix versions I have at the shop predate it, and
practically match several lines, line for line, in your spyerase?

I've tried to be as civil with you as I possibly know how, but I'm
convinced you've stolen those routines and don't really understand what's
going on in the code; hence your need to release a script, and depend on
other programs to do everything for you.

> if you know what the file does and what program uses it. You can post
> your answer here but don't name the file.


The file is common to several programs, one of which is acs... It's a
library often mistaken for being malware.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool -V2.0
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin@gmail.com.removethis
Last updated: January 4th, 2007
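Added example (editor's illustration, not code from either poster and not
part of spyerase, roguefix or BugHunter): the distinction Dustin draws
between a script that deletes by hard-coded file name and a tool that
decides on the file's contents. The scenario, names, bytes and hashes are
all constructed. A known dropper is assumed to ship as "msupdate.dll"; a
legitimate library of some other application happens to share that name,
and a second copy of the dropper has been renamed. Name matching gets both
of the first two cases wrong; content matching (SHA-256 of the bytes) gets
all three right.

```python
"""
Name-based vs content-based file identification (constructed example).

Everything here is made up for illustration: the file names, the
"known-bad" bytes, and the detection name "Constructed.Dropper.A".
"""
import hashlib
import os
import tempfile

# Constructed known-bad sample. The "detection database" keys on the
# SHA-256 of the file's contents, not on what the file is called.
KNOWN_BAD_CONTENT = b"MZ-constructed-dropper-payload-v1"
BAD_HASHES = {
    hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest(): "Constructed.Dropper.A",
}

# The kind of list a batch script hard-codes (the weak approach):
# `del /f msupdate.dll` fires on every file with this name.
BAD_NAMES = {"msupdate.dll"}


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def flag_by_name(path):
    """Weak verdict: True if the basename is on the hard-coded list."""
    return os.path.basename(path).lower() in BAD_NAMES


def flag_by_content(path):
    """Stronger verdict: detection name if the bytes match a known sample,
    else None. A renamed dropper is still caught; an innocent file that
    merely shares a name is left alone."""
    return BAD_HASHES.get(sha256_file(path))


def scan(root):
    """Walk `root`; return {relative_path: (name_verdict, content_verdict)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = (flag_by_name(path), flag_by_content(path))
    return results


def demo():
    """Build a constructed directory tree with three files and scan it."""
    layout = {
        "system/msupdate.dll": KNOWN_BAD_CONTENT,   # the real dropper
        "system/helper.dat": KNOWN_BAD_CONTENT,     # same dropper, renamed
        "app/msupdate.dll": b"legitimate library of some application",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return scan(root)


if __name__ == "__main__":
    for rel, (by_name, by_content) in sorted(demo().items()):
        print(f"{rel:22} name-match={by_name!s:5} content-match={by_content}")
```

In the constructed tree the name list deletes the innocent app/msupdate.dll
and misses the renamed copy in system/helper.dat; the hash lookup flags
exactly the two files whose bytes are the dropper. A hash only catches a
byte-for-byte known sample, so real engines layer signatures and
behavioural checks on top, but the decision is still made on what the file
is rather than what it is called.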