You have the darkman trojan.


pie...@hotmail.com

Apr 8, 1998, 3:00:00 AM


Hello All,

I got this file called "SITEPASS.EXE"

Don't laugh. Yes, it was while surfing in one of these newsgroups related to
...sex. And, obviously, the name of the file is to make one think he will get
some kind of password to get on a sex site.

But it is a virus!

Fortunately, it seems to be a mild virus. It deletes your AUTOEXEC.BAT and
replaces it with one with an ECHO command that writes to your screen YOU HAVE THE
DARKMAN TROJAN.

For people who know little about computers it could be a disaster.

I went on McAfee and Symantec sites and didn't find anything about the
Darkman Trojan. Does someone know how I could have this file analysed just to
be sure that the autoexec problem was the only one and that I don't have a
timed bomb under my keyboard?

Thank you,

Pierre

-----== Posted via Deja News, The Leader in Internet Discussion ==-----
http://www.dejanews.com/ Now offering spam-free web-based newsreading

Virus

Apr 8, 1998, 3:00:00 AM

Sounds like a simple batch file exe...

include <iostream.h>
include <conio.>
int Main (Void);
{
Delete something.. here;
cout ("Display something...here;
}
End Program

ViRuS

"Pro ViRuS 98"
"Life is simple, become a virus today!"

pie...@hotmail.com wrote in article <6ggc47$ei5$1...@nnrp1.dejanews.com>...

JZpimp

Apr 8, 1998, 3:00:00 AM

In article <01bd6320$c5fae760$a781fed0@uymfdlvk>, "Virus" <vi...@earthlink.net>
writes:

>Sounds like a simple batch file exe...
>
>include <iostream.h>
>include <conio.>
>int Main (Void);
>{
> Delete something.. here;
> cout ("Display something...here;
>}
>End Program
>
> ViRuS
>
>"Pro ViRuS 98"
>"Life is simple, become a virus today!"
>
>

Well, actually what you just attempted to write was C++ not BATCH.

Joshua S. Zarwel
JZp...@aol.com
"It's like that and that's the way it is."


Martin Overton

Apr 9, 1998, 3:00:00 AM

Hi,

On Wed, 08 Apr 1998 12:28:40 -0600, pie...@hotmail.com wrote:
> I got this file called "SITEPASS.EXE"
>
> Don't laugh. Yes, it was while surfing in one of these newsgroups related to
>...sex. And, obviously, the name of the file is to make one think he will get
>some kind of password to get on a sex site.
>
> But it is a virus!

No, it's a Trojan, as it doesn't replicate.

> Fortunately, it seems to be a mild virus. It deletes your AUTOEXEC.BAT and
>replaces it with one with an ECHO command that writes to your screen YOU HAVE THE
>DARKMAN TROJAN.

Sounds typical of a trojan.

> For people who know little about computers it could be a disaster.

Indeed, and yet people still write Trojans and viruses and think they
are not hurting anyone.

> I went on McAfee and Symantec sites and didn't find anything about the
>Darkman Trojan. Does someone know how I could have this file analysed just to
>be sure that the autoexec problem was the only one and that I don't have a
>timed bomb under my keyboard?

Most anti-virus software is not written to detect trojans, although
detection of trojans is becoming more common. Dr. Solomon's have just
released a Trojan detection/removal program which is available for
free on their website at http://www.drsolomon.com.

To get the file verified simply send it to your favourite anti-virus
vendor and they should report back to you within a reasonable time.

> Thank you,

You're very welcome, I hope it helps?


Martin Overton
ChekWARE - BTS Member - Chek...@Cavalry.com
Anti-Virus - http://chekware.simplenet.com/cmindex.hts
Tarantulas - http://chekware.simplenet.com/burrow/index.hts
Maintainer of The HOAX FAQ and the a.p.a Tarantula FAQ.

Pierre Vandevenne

Apr 9, 1998, 3:00:00 AM

In <6gi66r$m40$1...@eros.clara.net>, "Richard Saunders" <Saunder...@clara.net> writes:

>Send to it F-prot!
>Here is the new virus txt from the program.

Richard Saunders & family !!!!!
Ever heard of Emily Postnews ?????

---
Pierre Vandevenne, MD - http://www.datarescue.com/ida.htm
IDA Pro 3.7 adds multi pass analysis, stack variables, symbolic constants,
unicode, ELF support, color highlighting, C++ name demangling to compiler
library recognition - now with Delphi and Pascal FLIRT support !


RAiD

Apr 9, 1998, 3:00:00 AM

In article <352bd7a4...@news.demon.co.uk>,
Chek...@Cavalry.com (Martin Overton) wrote:

>You're very welcome, I hope it helps?

I was beginning to wonder where you went....I see v2.30 is still being
offered, with the same exploit I've demonstrated...You don't really care
about the poor saps who think they're safe using your product do you?


Email: juno@raid.x (swap to mail)
http://207.23.1.97/~raid/index.html
http://krile.dyn.ml.org/~raid/index.html

kurt wismer

Apr 10, 1998, 3:00:00 AM

On Thu, 9 Apr 1998, RAiD wrote:

> In article <352bd7a4...@news.demon.co.uk>,
> Chek...@Cavalry.com (Martin Overton) wrote:
>
> >You're very welcome, I hope it helps?
>
> I was beginning to wonder where you went....I see v2.30 is still being
> offered, with the same exploit I've demonstrated...You don't really care
> about the poor saps who think they're safe using your product do you?

you haven't a clue what a multi-layered av is, do you...

i realise there are times when whack-an-ego (a.c.v. version of
whack-a-mole) might be appropriate but when was the last time you saw
martin claim his av detected all viruses or was 100% secure? (provide
message id's please)

why bother demonstrating that his product can't do the impossible when he
doesn't claim otherwise and we all know it?

martin's chekmate is a tool, it is meant to be used in conjunction with
other tools... if you've fallen for the av pablum that av marketroids hand
out implying that av companies offer av solutions i respectfully suggest
you pull your head out of your arse...

and look up the word "complement" while you're at it...

--
"they shot a movie once, in my hometown,
everybody was in it, from miles around,
down at the speedway, some kind of elvis thing,
well i ain't no movie star, but i can get behind anything"


RAiD

Apr 10, 1998, 3:00:00 AM

In article
<581621D33CEC3811.632D60A2...@library-proxy.airnews.
net>,

>Your prejudice against generic AV is showing.

Prejudice?

Generic AV which has a blatant security risk yes.

RAiD

Apr 10, 1998, 3:00:00 AM

In article <Pine.GSO.3.95.980409221130.25666A-100000@eddie>,
kurt wismer <a270...@cdf.toronto.edu> wrote:

>you haven't a clue what a multi-layered av is, do you...

You haven't checked out chekmate have you? Multi-layered my ass. It stores
data on a few KEY files, and that's it. It does not scan your entire drive.

And its author in the documentation suggests trying to run a suspect virus
infected file in chekware's directory. Of course, using the very
configuration file chekmate uses, the virus can easily evade this little
'virus capture' bullshit.


>i realise there are times when whack-an-ego (a.c.v. version of
>whack-a-mole) might be appropriate but when was the last time you saw
>martin claim his av detected all viruses or was 100% secure? (provide
>message id's please)

Kurt, please.. Download chekmate, and have a look. Then you tell me if it's
multi-layered. Pfft.

>why bother demonstrating that his product can't do the impossible when he
>doesn't claim otherwise and we all know it?

Because his damn product has a serious flaw in its design, and he knows
it.

>martin's chekmate is a tool, it is meant to be used in conjunction with
>other tools... if you've fallen for the av pablum that av marketroids
>hand out implying that av companies offer av solutions i respectfully
>suggest you pull your head out of your arse...

kurt, download chekmate. See what it does for yourself. Almost all viruses
these days leave the files he 'protects' alone. It's no more multi-layered
than msdos backup.exe is.

RAiD

Apr 10, 1998, 3:00:00 AM

In article
<113FA10923A997E1.6333D64F...@library-proxy.airnews.
net>,

>Yes, prejudice. If I told you I was distributing my generic AV
>tomorrow, wouldn't you be prepared to say tonight, that
>krile.uglypieceofdooky.lastversionplus.x could infect it by
>piggyfscking it before dawn? ;-)

Nope. Since the last krile was v1.0i, and there will be no further kriles
coded. :-)

>Generic AV, when used as the only layer of AV security may present a
>security risk, especially when exposed to targeted attacks. Duh.

What you call a targeted attack is Bullshit. He knew damn well his AV was
junk, and I wouldn't even consider it AV. It doesn't even scan your entire
hard disk. It's a poorly designed, half assed coded program.

Martin Overton

Apr 10, 1998, 3:00:00 AM

Hi RAiD, or do you prefer Casio, RustBug or Dustin?

In article <6gjf44$oak$1...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:

>In article <352bd7a4...@news.demon.co.uk>,
> Chek...@Cavalry.com (Martin Overton) wrote:
>
>>You're very welcome, I hope it helps?
>
>I was beginning to wonder where you went...

I've been rather busy with other work (Year 2000, etc.) over the last few
weeks or so, I have posted from time to time, when I could help or offer
advice and I had a few minutes to spare.

Thought you'd scared me off? ;-)

I see you're still being helpful to all and sundry peddling your viruses.

> I see v2.30 is still being
>offered, with the same exploit I've demonstrated...

Yes 2.30 is still available, an updated *freeware* version will be released
soon that counters your directed attack and minimises the chance of a similar
attack. But you already knew that, didn't you.

Just like you knew that all my registered customers were sent information on
your attack and ways to counter it, and a new version was made available
within hours of getting your sample.

>You don't really care
>about the poor saps who think they're safe using your product do you?

As I have repeatedly stated my product is not a single layered solution to
viruses, but should be used as part of a multi-layered approach where a
scanner (preferably on-access) is the first layer. My claims for my product
are not excessive nor do I claim that it's perfect, no av product is.

I do respond to feedback, be it positive or negative, and fix problems where
it is feasible and desirable (for my customers). Also I've decided to make
the new version free for non-commercial use, as I used to offer ChekMate
before.

As I told you before, I'm not in this industry for the money, but to help
people. That doesn't make me some form of saint, better than anyone or
whatever, so don't make out that I have a hidden agenda or an axe to grind.

Do you care about those that you infect, either directly or indirectly with
your viruses? I don't give a flying fig that you write viruses (as long as you
keep them to yourself), I just object to you making them available to others
and therefore making the problem larger. Why not go back to writing ShareWare
software, you used to, didn't you.

No doubt you'll come back with some acerbic wit, veiled threat or another
personal attack? But then you could prove me wrong and be reasonable for a
change ;-)

Rergards,
Martin Overton
--

Martin Overton

Apr 10, 1998, 3:00:00 AM

Hi Kurt,

In article <Pine.GSO.3.95.980409221130.25666A-100000@eddie>, cr...@torfree.net
wrote:

>On Thu, 9 Apr 1998, RAiD wrote:
>
>> In article <352bd7a4...@news.demon.co.uk>,
>> Chek...@Cavalry.com (Martin Overton) wrote:
>>
>> >You're very welcome, I hope it helps?
>>
>> I was beginning to wonder where you went....I see v2.30 is still being
>> offered, with the same exploit I've demonstrated...You don't really care
>> about the poor saps who think they're safe using your product do you?
>
>you haven't a clue what a multi-layered av is, do you...

No he obviously doesn't, maybe he ought to read my 1996 Virus Bulletin
International Conference paper. It's reasonably well explained in there,
actually I really ought to update that paper to cover new technologies and
threats.

>i realise there are times when whack-an-ego (a.c.v. version of
>whack-a-mole) might be appropriate but when was the last time you saw
>martin claim his av detected all viruses or was 100% secure? (provide
>message id's please)

He won't be able to, as I don't make that claim (and *never* have).

>why bother demonstrating that his product can't do the impossible when he
>doesn't claim otherwise and we all know it?
>
>martin's chekmate is a tool, it is meant to be used in conjunction with
>other tools... if you've fallen for the av pablum that av marketroids hand
>out implying that av companies offer av solutions i respectfully suggest
>you pull your head out of your arse...

He also ought to post his proof as to why he called me a liar, he like another
that posts here seems to like throwing accusations and failing to supply
proof.

Martin Overton

Apr 10, 1998, 3:00:00 AM

In article <6gka55$48l$2...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:

>In article <Pine.GSO.3.95.980409221130.25666A-100000@eddie>,
> kurt wismer <a270...@cdf.toronto.edu> wrote:
>
>>you haven't a clue what a multi-layered av is, do you...
>
>You haven't checked out chekmate have you? Multi-layered my ass. It stores
>data on a few KEY files, and that's it. It does not scan your entire drive.

ChekMate is not a full multi-layered solution (it uses over-lapping detection
techniques). Multi-layered as I've frequently stated includes at least the
following tools:

1. an up to date scanner (preferably on-access).

2. regular backups.

3. integrity checker or other generic tools/utilities.

>>martin's chekmate is a tool, it is meant to be used in conjunction with
>>other tools... if you've fallen for the av pablum that av marketroids
>>hand out implying that av companies offer av solutions i respectfully
>>suggest you pull your head out of your arse...
>
>kurt, download chekmate. See what it does for yourself. Almost all viruses
>these days leave the files he 'protects' alone. It's no more multi-layered
>than msdos backup.exe is.

Dustin, see above.....

Martin Overton

Apr 10, 1998, 3:00:00 AM

In article <6gka54$48l$1...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:
>In article
><113FA10923A997E1.6333D64F...@library-proxy.airnews.
>net>,
>
>>Yes, prejudice. If I told you I was distributing my generic AV
>>tomorrow, wouldn't you be prepared to say tonight, that
>>krile.uglypieceofdooky.lastversionplus.x could infect it by
>>piggyfscking it before dawn? ;-)
>
>Nope. Since the last krile was v1.0i, and there will be no further kriles
>coded. :-)

Dustin, does that mean you've decided to stop writing viruses?

(and if the answer's yes then I'm a flying pig ;-)

>>Generic AV, when used as the only layer of AV security may present a
>>security risk, especially when exposed to targeted attacks. Duh.

Indeed, as is any security product.

>What you call a targeted attack is Bullshit. He knew damn well his AV was
>junk, and I wouldn't even consider it AV.

Is it, I think not. In four years I've seen and heard from no-one that
ChekMate is junk, oh, except for you and your personal crusade against generic
anti-virus products and me, or is the cryptic message you left on my website
stating that 'RAiD owns you' just the encrypted text of 'Hello Martin' or
'Beautiful plumage the Norwegian Blue'?

It detects the action (and therefore presence of viruses) so that makes it an
anti-virus tool, or maybe I've been deluding myself for all these years that
integrity checkers and scanners are anti-virus tools?

> It doesn't even scan your entire
>hard disk. It's a poorly designed, half assed coded program.

Ummm... that's why I tend to call it a targeted integrity checker....strange
then that it doesn't scan anything, isn't it?

You keep forgetting that I don't claim it's perfect, that's a rather large
blind spot you have, almost as big as the one where you state that your virus
writing is not hurting anyone.

Do you have some form of aim to have me be rude to you, can't see why as I've
been nothing but tolerant and polite to you. If that's what you're waiting for
then you'll be waiting a long time......

When are you going to supply your proof to prove your allegation that I'm a
liar? It must be over 3 months now since you made that allegation, what's
next? You going to claim I'm in the pay of an anti-virus company ;-)

....Oh damn! I'm wearing Dr. Solomon's socks.....and a Virus Bulletin 97
tee-shirt, that means I'm in the pay of both SOPHOS and Solomons....oh and
then there's the fridge magnets from IBM, the stress balls from McAfee,
etc....

kurt wismer

Apr 10, 1998, 3:00:00 AM

On Fri, 10 Apr 1998, RAiD wrote:

> In article
> <581621D33CEC3811.632D60A2...@library-proxy.airnews.
> net>,
>
> >Your prejudice against generic AV is showing.
>
> Prejudice?
>
> Generic AV which has a blatant security risk yes.

generic av which isn't *supposed* to be 100% secure you mean... you don't
seem to be able to wrap your head around that idea though...

kurt wismer

Apr 10, 1998, 3:00:00 AM

On Fri, 10 Apr 1998, RAiD wrote:

> In article <Pine.GSO.3.95.980409221130.25666A-100000@eddie>,
> kurt wismer <a270...@cdf.toronto.edu> wrote:
>
> >you haven't a clue what a multi-layered av is, do you...
>
> You haven't checked out chekmate have you? Multi-layered my ass. It stores
> data on a few KEY files, and that's it. It does not scan your entire drive.

thank you for proving me right... chekmate is a single layer, not the
whole thing... there is no product on the market, that i know of, which
has all the components necessary to implement an exhaustive multi-layered
strategy...

> And its author in the documentation suggests trying to run a suspect virus
> infected file in chekware's directory. Of course, using the very
> configuration file chekmate uses, the virus can easily evade this little
> 'virus capture' bullshit.

as i suggested the last time you went raving on about this, chekmate
makes it possible to use full integrity checking *less* often (nb. i
didn't say it replaces a full integrity checker) which is desirable in
many instances because a full integrity check is computationally expensive
and detracts from productivity...

> >i realise there are times when whack-an-ego (a.c.v. version of
> >whack-a-mole) might be appropriate but when was the last time you saw
> >martin claim his av detected all viruses or was 100% secure? (provide
> >message id's please)
>
> Kurt, please.. Download chekmate, and have a look. Then you tell me if it's
> multi-layered. Pfft.

you did it again... no product has all the pieces, chekmate is one of the
possible layers, not all of them...

> >why bother demonstrating that his product can't do the impossible when he
> >doesn't claim otherwise and we all know it?
>
> Because his damn product has a serious flaw in its design, and he knows
> it.

his product had no such flaw, your understanding of multi-layered av has a
serious flaw...

> >martin's chekmate is a tool, it is meant to be used in conjunction with
> >other tools... if you've fallen for the av pablum that av marketroids
> >hand out implying that av companies offer av solutions i respectfully
> >suggest you pull your head out of your arse...
>
> kurt, download chekmate. See what it does for yourself. Almost all viruses
> these days leave the files he 'protects' alone. It's no more multi-layered
> than msdos backup.exe is.

you apparently didn't read what i said... if you think av companies offer
"solutions" you should pull your head out of your arse... they make
components... you have to piece the components together to get any kind of
serious multi-layered av system...

think about it, raid, would you use a single scanner only? probably not...
why then should you hold martin's product to the fallacious standard of
being a complete solution when you don't do so for scanners?

RAiD

Apr 10, 1998, 3:00:00 AM

In article <892213931.12723.2...@news.demon.co.uk>,
mar...@salig.demon.co.uk (Martin Overton) wrote:

>ChekMate is not a full multi-layered solution (it uses over-lapping
>detection techniques). Multi-layered as I've frequently stated includes

I know this martin, I've read your documentation and used your program
several times. You never claimed it was multi-layered, Kurt did. :)


>Dustin, see above.....

I'm impressed martin, You can use finger real.email addy :-)

RAiD

Apr 10, 1998, 3:00:00 AM

In article <892213932.12723.3...@news.demon.co.uk>,
mar...@salig.demon.co.uk (Martin Overton) wrote:

>Dustin, does that mean you've decided to stop writing viruses?

By no means martin. Just that I've decided to stop with the KRiLE family,
I wrote a few too many of them as it is. :-)


>When are you going to supply your proof to prove your allegation that I'm
>a liar? It must be over 3 months now since you made that allegation,
>what's next? You going to claim I'm in the pay of an anti-virus company
>;-)

You are a liar martin. antichek was written to prove that your program had
/has a serious flaw, you either overlooked this, or didn't care. Which is
it?

RAiD

Apr 10, 1998, 3:00:00 AM

In article <Pine.GSO.3.95.980410093528.16711C-100000@eddie>,
kurt wismer <a270...@cdf.toronto.edu> wrote:

I didn't claim it should be a complete solution, but as it stands, the
limited checking it does do, isn't worth your drive space. It doesn't
store checksum files for each file, it snapshots your boot-sector, and a
few files from the windows directory, and your command.com, autoexec.bat
etc. How is this even a single layer? Please, enlighten me.

RAiD

Apr 10, 1998, 3:00:00 AM

In article <892213929.12723.0...@news.demon.co.uk>,
mar...@salig.demon.co.uk (Martin Overton) wrote:
>Hi RAiD, or do you prefer Casio, RustBug or Dustin?

RAiD will do fine martin.

>I've been rather busy with other work (Year 2000, etc.) over the last
>few weeks or so, I have posted from time to time, when I could help or
>offer advice and I had a few minutes to spare.

Ahh...Nifty...

>Thought you'd scared me off? ;-)

I wouldn't ever think that. :)


>I see you're still being helpful to all and sundry peddling your viruses.

Peddling? Oh yes, offering them on a webpage is peddling isn't it...OOpsie

>Yes 2.30 is still available, an updated *freeware* version will be
>released soon that counters your directed attack and minimises the chance
>of a similar attack. But you already knew that, didn't you.

I was expecting you to do this yes. I'll be anxious to see what you've
done.

>
>Just like you knew that all my registered customers were sent information
>on your attack and ways to counter it, and a new version was made
>available within hours of getting your sample.

To registered users only, as your virus advisory dictates. :)
What about the users who haven't registered yet?

>are not excessive nor do I claim that it's perfect, no av product is.

This I agree with, you have my respect, for what little it's worth.

>
>the new version free for non-commercial use, as I used to offer ChekMate
>before.

Spoken like an author. Very good of you martin.


>As I told you before, I'm not in this industry for the money, but to help
>people. That doesn't make me some form of saint, better than anyone or
>whatever, so don't make out that I have a hidden agenda or an axe to
>grind.

I didn't once say you had a hidden agenda, nor an axe to grind martin. I
simply stated your program has (I have not seen the new version) a
security flaw. If this is fixed, then I have no problems with your
product, except for a few minor things, which I'll email.

>Do you care about those that you infect, either directly or indirectly
>with your viruses? I don't give a flying fig that you write viruses (as
>long as you

Actually I do martin. For example, each krile [since v1.0e] has a
backdoor, to make it easy for an infected user should his AV program fail
him to remove it. Simply rename the infected file to win.com, or
command.com in a directory by itself and execute it. KRiLE will not
re-infect the file. Yes, this is a tedious process, but..it does work.

>and therefore making the problem larger. Why not go back to writing
>ShareWare software, you used to, didn't you.

Well, you've fingered my real email address, so you already know that I
did :)

>No doubt you'll come back with some acerbic wit, veiled threat or
>another personal attack? But then you could prove me wrong and be
>reasonable for a change ;-)

Nah. I'm not that cruel. :)


>Rergards,

typo? :)

Mark Lookabaugh

Apr 11, 1998, 3:00:00 AM

Martin Overton wrote:

> ....Oh damn! I'm wearing Dr. Solomon's socks.....and a Virus Bulletin 97
> tee-shirt, that means I'm in the pay of both SOPHOS and Solomons....oh and
> then there's the fridge magnets from IBM, the stress balls from McAfee,
> etc....

If you run across any more of the free antivirus printers, send them
over. :)


--
Mark Lookabaugh
mlookaba (at) telepath.com
USS Brewton FF-1086 Home Page
http://www.telepath.com/mlookaba/navy.htm

Virus

Apr 11, 1998, 3:00:00 AM

Yeah, I know...

Was trying to make a point at 3 am..

ViRuS

"Pro Virus 98"
"Virii,Little creatures with big goals"

JZpimp <jzp...@aol.com> wrote in article
<199804082251...@ladder01.news.aol.com>...

Martin Overton

Apr 12, 1998, 3:00:00 AM

In article <6gm1ei$o2l$1...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:
>In article <892213931.12723.2...@news.demon.co.uk>,
> mar...@salig.demon.co.uk (Martin Overton) wrote:
>
>>ChekMate is not a full multi-layered solution (it uses over-lapping
>>detection techniques). Multi-layered as I've frequently stated includes
>
>I know this martin, I've read your documentation and used your program
>several times. You never claimed it was multi-layered, Kurt did. :)

That's not how I read it, but then my news-server is currently 35 hours
behind, so maybe I missed that post from Kurt?

Kurt care to confirm/deny this claim from Mr. Cook?

>>Dustin, see above.....
>
>I'm impressed martin, You can use finger real.email addy :-)

Didn't need to, you left so many other clues that it was very easy to find your
real name via dejanews.

If someone had more than a few minutes to spare they could probably find out a
lot more. It won't be me doing it though as I don't have the inclination or
the time to waste.

Regards,

Martin Overton

Apr 12, 1998, 3:00:00 AM

In article <6gm1ek$o2l$2...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:
>In article <892213929.12723.0...@news.demon.co.uk>,
> mar...@salig.demon.co.uk (Martin Overton) wrote:
>>Hi RAiD, or do you prefer Casio, RustBug or Dustin?
>
>RAiD will do fine martin.

Sorry, if you make your real identity so easy to find then I call you by your
real name, so Dustin Cook it will be from now on when I reply to you.

>>I've been rather busy with other work (Year 2000, etc.) over the last
>>few weeks or so, I have posted from time to time, when I could help or
>>offer advice and I had a few minutes to spare.
>
>Ahh...Nifty...

Yes, something like 97 percent of my time is taken up by Y2K work at the
moment, so I don't get much time to read this group let alone reply much.

>>Thought you'd scared me off? ;-)
>
>I wouldn't ever think that. :)

Of course not......

>>I see you're still being helpful to all and sundry peddling your viruses.
>
>Peddling? Oh yes, offering them on a webpage is peddling isn't it...OOpsie

Couldn't that still be seen as incitement? Certainly some of the text supplied
with some of your samples could be taken that way.....but we're covering old
ground and I don't have the time to waste.

>>Yes 2.30 is still available, an updated *freeware* version will be
>>released soon that counters your directed attack and minimises the chance
>>of a similar attack. But you already knew that, didn't you.
>
>I was expecting you to do this yes. I'll be anxious to see what you've
>done.

No doubt you'll create another targeted attack.....what's the old saying... ah
yes, "Anything done in software can be undone in software".

>>Just like you knew that all my registered customers were sent information
>>on your attack and ways to counter it, and a new version was made
>>available within hours of getting your sample.
>
>To registered users only, as your virus advisory dictates. :)
>What about the users who haven't registered yet?

My first responsibility is to my registered customers, the evaluation version
will be updated when I have some spare time to update it... I have other
features I want to add.

>>are not excessive nor do I claim that it's perfect, no av product is.
>
>This I agree with, you have my respect, for what little it's worth.

Thanks, I think ;-)

>>the new version free for non-commercial use, as I used to offer ChekMate
>>before.
>
>Spoken like an author. Very good of you martin.

What's this got to do with being an author? I am returning ChekMate to being a
freeware product (free for non-commercial use) as it used to be.

>>As I told you before, I'm not in this industry for the money, but to help
>>people. That doesn't make me some form of saint, better than anyone or
>>whatever, so don't make out that I have a hidden agenda or an axe to
>>grind.
>
>I didn't once say you had a hidden agenda, nor an axe to grind martin. I
>simply stated your program has (I have not seen the new version) a
>security flaw. If this is fixed, then I have no problems with your
>product, except for a few minor things, which I'll email.

I see you decided not to e-mail me then, but post here publicly instead.

As I and a few others have stated it isn't a security flaw, it was a decision
to offer a balance of security and ease-of-use, just like every other av and
security product. I could have easily encrypted the ini file, I've yet to see
any AV product do this.

Maybe the 95 versions of AV products should encrypt their registry entries
too?

None do that I've tested, by your definition that is a security flaw.

>>Do you care about those that you infect, either directly or indirectly
>>with your viruses? I don't give a flying fig that you write viruses (as
>>long as you
>
>Actually I do martin. For example, each krile [since v1.0e] has a
>backdoor, to make it easy for an infected user should his AV program fail
>him to remove it. Simply rename the infected file to win.com, or
>command.com in a directory by itself and execute it. KRiLE will not
>re-infect the file. Yes, this is a tedious process, but..it does work.

Why not just keep them to yourself instead?
Why is it so important that you have to distribute them?

>>and therefore making the problem larger. Why not go back to writing
>>ShareWare software, you used to, didn't you.
>
>Well, you've fingered my real email address, so you already know that I
>did :)

I didn't find out that information from there, but from dejanews as I've
already stated.

>>No doubt you'll come back with some acerbic wit, veiled threat or
>>another personal attack? But then you could prove me wrong and be
>>reasonable for a change ;-)
>
>Nah. I'm not that cruel. :)

I noticed that, yes you're right, you can't be reasonable can you :-)

>>Rergards,
>
>typo? :)

Yep, see I am human and I do make mistakes too, and when I do I acknowledge
them and fix them.
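
An added example, not part of the thread and not ChekMate's code: a targeted integrity checker of the kind argued over above (a short watch list of startup files rather than a full-disk check), with the watch list and baseline sealed by an HMAC so that an edit to the checker's own configuration is reported instead of silently obeyed. File names, file contents, the key and all function names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def seal(key, watch, digests):
    """HMAC-SHA256 over a canonical encoding of the watch list and digests."""
    body = json.dumps({"watch": sorted(watch), "digests": digests},
                      sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_baseline(key, watch):
    """Snapshot the watched files and seal the result."""
    digests = {path: file_digest(path) for path in watch}
    return {"watch": sorted(watch), "digests": digests,
            "mac": seal(key, watch, digests)}


def check(key, baseline):
    """Return a list of (finding, path) tuples; an empty list means clean."""
    expected = seal(key, baseline["watch"], baseline["digests"])
    if not hmac.compare_digest(expected, baseline.get("mac", "")):
        # The checker's own configuration was edited: trust nothing in it.
        return [("baseline-tampered", "")]
    findings = []
    for path in baseline["watch"]:
        current = file_digest(path)
        if current is None:
            findings.append(("missing", path))
        elif current != baseline["digests"][path]:
            findings.append(("changed", path))
    return findings


def run_demo():
    """Build constructed sample files in a temp directory and run three checks."""
    key = b"constructed-demo-key"  # assumption: in real use kept off the checked disk
    with tempfile.TemporaryDirectory() as root:
        autoexec = os.path.join(root, "AUTOEXEC.BAT")
        command = os.path.join(root, "COMMAND.COM")
        with open(autoexec, "w") as fh:
            fh.write("@ECHO OFF\nPATH C:\\DOS\n")
        with open(command, "wb") as fh:
            fh.write(b"constructed stand-in for the command interpreter")

        baseline = make_baseline(key, [autoexec, command])
        clean = check(key, baseline)

        # The change reported in the first post: the startup file is replaced.
        with open(autoexec, "w") as fh:
            fh.write("ECHO YOU HAVE THE DARKMAN TROJAN\n")
        replaced = [(kind, os.path.basename(p))
                    for kind, p in check(key, baseline)]

        # The checker's configuration is edited so the file is no longer watched.
        edited = dict(baseline)
        edited["watch"] = [command]
        edited["digests"] = {command: baseline["digests"][command]}
        tampered = check(key, edited)
    return clean, replaced, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "replaced", "config edited"), run_demo()):
        print(label, "->", result)
```

The seal only helps if the key is kept where code running on the checked machine cannot read it, for example on removable write-protected media; a key stored beside the baseline can be used to re-seal an edited list.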

Martin Overton

Apr 12, 1998, 3:00:00 AM

In article <352F0018.5A6B@NO_ADS.telepath.com>, mlookaba@NO_ADS.telepath.com
wrote:

>Martin Overton wrote:
>
>> ....Oh damn! I'm wearing Dr. Solomon's socks.....and a Virus Bulletin 97
>> tee-shirt, that means I'm in the pay of both SOPHOS and Solomons....oh and
>> then there's the fridge magnets from IBM, the stress balls from McAfee,
>> etc....
>
>If you run across any more of the free antivirus printers, send them
>over. :)

Any more? I've yet to find one at all ;-)

Martin Overton

unread,
Apr 12, 1998, 3:00:00 AM4/12/98
to

In article <6gm1en$o2l$3...@news.usit.net>, nospam.i...@View.signature.Below
(RAiD) wrote:
>In article <892213932.12723.3...@news.demon.co.uk>,
> mar...@salig.demon.co.uk (Martin Overton) wrote:
>
>>Dustin, does that mean you've decided to stop writing viruses?
>
>By no means martin. Just that I've decided to stop with the KRiLE family,
>I wrote a few too many of them as it is. :-)

That's a shame Dustin, I hoped that you'd seen the light.
I suppose you realise that means I'll have to put my wings away after all and
stop practicing my Oinking now ;-)

>>When are you going to supply your proof to prove your allegation that I'm
>>a liar? It must be over 3 months now since you made that allegation,
>>what's next? You going to claim I'm in the pay of an anti-virus company
>>;-)
>
>You are a liar martin. antichek was written to prove that your program
>had/has a serious flaw, you either overlooked this, or didn't care. Which is
>it?

How is that supposed to prove I'm a liar?

I and others have already addressed this allegation (of a security flaw) time
and time again.

Neither, I knew that such an attack was possible, as are many attacks against
all av products and it's been discussed to death. I have never claimed that
ChekMate was perfect or a 100% solution, therefore your argument (or proof) is
unacceptable.

Mark Lookabaugh

unread,
Apr 12, 1998, 3:00:00 AM4/12/98
to

Spanska wrote:
>
> Martin Overton:
> >Sorry, if you make your real identity so easy to find then I call you by your
> >real name, so XXXXXX XXXX it will be from now on when I reply to you.
>
> Hey, Martin, is it the only way you've found to have a revenge
> on Raid, posting his real name on a public forum? All of you
> always say that we are immoral and unethical (which is quite
> true in general), but i see more and more that AV people are
> the same.

Posting someone's real name is unethical?

How _very_ twisted your morals are...

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Spanska writes:
> Martin Overton:
> >Sorry, if you make your real identity so easy to find then I call
> >you by your real name, so XXXXXX XXXX it will be from now on when
> >I reply to you.
>
> Hey, Martin, is it the only way you've found to have a revenge
> on Raid, posting his real name on a public forum? All of you
> always say that we are immoral and unethical (which is quite
> true in general), but i see more and more that AV people are
> the same.

What's immoral and unethical about Martin calling RAiD by his real name?

--
Graham Cluley, gcl...@uk.drsolomon.com Dr Solomon's AntiVirus (DSAV)
UK Support: sup...@uk.drsolomon.com UK Tel: +44 (0)1296 318700
US Support: sup...@us.drsolomon.com US Tel: 781 273 7400
CompuServe: GO DRSOLOMON Web: http://www.drsolomon.com
Check out alt.comp.virus.pictures!! http://members.aol.com/altcompvir

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <892413848.5139.3...@news.demon.co.uk>,
Chek...@Cavalry.com (Martin Overton) wrote:

>Sorry, if you make your real identity so easy to find then I call you by
>your real name, so Dustin Cook it will be from now on when I reply to
>you.

LoL martin. You seem to be under the impression this will faze me?
Perhaps stop me from showing people what junk your program really is? :)

Does one think I'm that foolish? You don't intimidate nor scare me in the
least. :)

>Why not just keep them to yourself instead?
>Why is it so important that you have to distribute them?

What for? Then, I wouldn't be able to show some AV producers for what they
really are. :)

BTW, since you claimed you obtained this account name Via deja news, I'd
like to see the message. :-) Or, can you provide it? :)

>I didn't find out that information from there, but from dejanews as I've
>already stated.

Where's the dejanews post martin? :)

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <892413846.5139.2...@news.demon.co.uk>,

Chek...@Cavalry.com (Martin Overton) wrote:
>Didn't need to, you left so many other clues that it was very easy to find
>your real name via dejanews.

Sure you did martin. Please, post the message where it links that name, or
just admit using the name is an act of petty revenge for daring to
challenge you :-)

Don't you think, had I wanted a name to be used, I would have used it?
Would you like someone posting your real address, social security number
etc? :)

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <1998041222481...@nym.alias.net>,

Spanska <Use-Author-Address-Header@[127.1]> wrote:
>Hey, Martin, is it the only way you've found to have a revenge
>on Raid, posting his real name on a public forum? All of you
>always say that we are immoral and unethical (which is quite
>true in general), but i see more and more that AV people are
>the same.

He's desperate. He doesn't want any more anti-chekmate viruses written to
show his piece of junk program for what it is. :-)

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <892413850.5139.4...@news.demon.co.uk>,
Chek...@Cavalry.com (Martin Overton) wrote:

>That's a shame Dustin, I hoped that you'd seen the light.
>I suppose you realise that means I'll have to put my wings away after all
>and stop practicing my Oinking now ;-)

LoL martin. when this is finished, You realize how stupid you're going to
look right? :-)

>Neither, I knew that such an attack was possible, as are many attacks

You *knew* it was possible eh? Why bother suggesting users rename the bait
files then? Storing bait file names right in the open, no matter what you
or others wanna claim, IS a security flaw. And by the looks of things, You
knew and didn't give a shit. :)

kurt wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On Sun, 12 Apr 1998, Martin Overton wrote:

> In article <6gm1ei$o2l$1...@news.usit.net>, nospam.i...@View.signature.Below
> (RAiD) wrote:
> >In article <892213931.12723.2...@news.demon.co.uk>,
> > mar...@salig.demon.co.uk (Martin Overton) wrote:
> >
> >>ChekMate is not a full multi-layered solution (it uses over-lapping
> >>detection techniques). Multi-layered as I've frequently stated includes
> >
> >I know this martin, I've read your documentation and used your program
> >several times. You never claimed it was multi-layered, Kurt did. :)
>
> That's not how I read it, but then my news-server is currently 35 hours
> behind, so maybe I missed that post from Kurt?
>
> Kurt care to confirm/deny this claim from Mr. Cook?

i never said it was multi-layered... i did accuse him of having no idea of
what a multi-layered av was, however, since he obviously seems to think
your (or anyone else's i imagine) product should be 100% secure all on its
own...

apparently he misinterpreted that to mean that chekmate was all the layers
in a multi-layered av, thus proving me right, since no product (to my
knowledge) has all the layers and that should be clear to anyone who did
understand what multi-layered av was...

kurt wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On 12 Apr 1998, Spanska wrote:

> Martin Overton:
> >Sorry, if you make your real identity so easy to find then I call you by your
> >real name, so XXXXXX XXXX it will be from now on when I reply to you.
>
> Hey, Martin, is it the only way you've found to have a revenge
> on Raid, posting his real name on a public forum? All of you
> always say that we are immoral and unethical (which is quite
> true in general), but i see more and more that AV people are
> the same.

what's wrong with posting raid's true identity? he said himself that it
was easy to find... that suggests he didn't really care much... then
there's all the clues he gave (like being a regular in fido a couple years
ago under his real name)...

dustin cook (whom i do seem to recall vaguely, only because he had the
same last name as jeff cook - a tbav rep) hasn't shown all that much
concern over hiding his identity... if he had he wouldn't have flaunted
the availability of it...

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

RAiD writes:
> >I didn't find out that information from there, but from dejanews
> >as I've already stated.
>
> Where's the dejanews post martin? :)

I thought this was about to develop into another of those wonderful
alt.comp.virus competitions. So in readiness I leapt to Dejanews to try
and find some messages from Dustin Cook. Turns out there are loads...
some of them even seem to have his snail mail address.

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <Pine.GSO.3.95.980412204733.7798N-100000@eddie>,

kurt wismer <a270...@cdf.toronto.edu> wrote:
>what's wrong with posting raid's true identity? he said himself that it
>was easy to find... that suggests he didn't really care much... then
>there's all the clues he gave (like being a regular in fido a couple
>years ago under his real name)...

Indeed kurt, but...Emailing martin a copy of antichek (which I admit was
foolish, I didn't forge the email header) is where he got my name. His
claims of finding it via dejanews is a joke to say the least.

>xxxx (whom i do seem to recall vaguely, only because he had the
>same last name as jeff cook - a tbav rep) hasn't shown all that much
>concern over hiding his identity... if he had he wouldn't have flaunted
>the availability of it...

you're ever so right, I'll know to use a bogus email addy next time I email
an antivirus person. Never know how desperate they might become :)

Ernest Petter

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On Mon, 13 Apr 98 00:51:38 GMT, RAiD wrote:
>In article <892413848.5139.3...@news.demon.co.uk>,
> Chek...@Cavalry.com (Martin Overton) wrote:
>
>>Sorry, if you make your real identity so easy to find then I call you by
>>your real name, so Dustin Cook it will be from now on when I reply to
>>you.
>
>LoL martin. You seem to be under the impression this will faze me?

[I missed Martin's original post so I'll follow-up via Mr.Cook's]

Dernnit Martin, it's a good thing I can still cancel the orders for
all those t-shirts. How will I ever afford to go to VBCON now?


Regards,
--
Ernest

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grptm$h9d$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:
>I thought this was about to develop into another of those wonderful
>alt.comp.virus competitions. So in readiness I leapt to Dejanews to try
>and find some messages from Dustin Cook. Turns out there are loads...
>some of them even seem to have his snail mail address.

But, are you *sure* that Dustin Cook is me grahm? :-)

usit.net isn't a usa wide isp you know :)

Also, on another note, the martin Dustin posts didn't start until *after*
I emailed him a copy of antichek..He never responded, so..I had no choice
but to advertise the exploit. His choice :)

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Kurt Wismer writes:
> what's wrong with posting raid's true identity? he said himself
> that it was easy to find... that suggests he didn't really
> care much... then there's all the clues he gave (like being a
> regular in fido a couple years ago under his real name)...

Dustin Cook has posted on alt.comp.virus quite a few times too.. even
participating in the odd ChekMate thread. Seeing as he's not too
concerned about keeping his identity a secret I'll be very happy to
include a picture of him on alt.comp.virus.pictures.

Have you got a picture of yourself on the net Dustin?

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article
<91EC338D0AC07279.8F476563...@library-proxy.airnews.
net>,
spam.go...@pc-pro.com (Ernest Petter) wrote:

Here's the result of the dejanews search for 'Dustin Cook'...
 
 
Matches 1-20 of exactly 52 for search:

    Date      Scr  Subject                       Newsgroup              Author
 1. 98/04/12  031  Re: RAiD Blowing Smoke Again  alt.comp.virus         Martin Overton
 2. 98/04/12  030  Re: RAiD Blowing Smoke A#1/2  alt.comp.virus         Martin Overton
 3. 98/04/02  030  Re: Colorado in mourning      rec.sport.football.co  Dustin Christmann
 4. 98/04/06  028  Re: Katz hahahahahahahahahah  alt.sport.qzar         Barry J. Sikora II
 5. 98/04/06  028  Re: Katz hahahahahahahahahah  alt.sport.qzar         Jake PTA
 6. 98/04/08  027  Re: Automatyczna instala#20/  pl.comp.os.win95       Mirek Siedlecki
 7. 98/04/11  026  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
 8. 98/04/10  026  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
 9. 98/03/25  026  Re: MercNDSP serving wrong m  bit.listserv.pmail     Jon Dustin
10. 98/04/09  025  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
11. 98/04/08  025  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
12. 98/04/01  025  LIST: Who's Who? In Spri#3/8  alt.tv.simpsons        Haynes Lee
13. 98/04/01  025  LA Times predicts Padres#5/5  alt.sports.baseball.s  xyz
14. 98/03/31  025  NEWS: The Joy of Sects #2/3   alt.religion.scientol  Scanner
15. 98/03/29  025  LATimes (J.Reid): Nation#5/5  alt.sports.baseball.s  Steven Chan, quoti
16. 98/04/05  024  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
17. 98/04/04  024  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
18. 98/03/29  024  Major League Baseball Capsul  newsguy.sports.baseba  UPI
19. 98/03/19  024  Re: More Rodgers and Hart, p  rec.arts.theatre.musi  wmmin
20. 98/03/08  024  Review: Wag the Dog (1997)    rec.arts.movies.revie  Luke Buckmaster

 
 
Matches 21-40 of exactly 52 for search:

    Date      Scr  Subject                       Newsgroup              Author
21. 98/04/07  024  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
22. 98/04/06  024  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
23. 98/04/03  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
24. 98/04/02  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
25. 98/04/01  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
26. 98/03/31  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
27. 98/03/30  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
28. 98/03/29  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
29. 98/03/28  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
30. 98/03/27  023  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
31. 98/03/20  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
32. 98/03/19  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
33. 98/03/18  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
34. 98/03/17  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
35. 98/03/16  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
36. 98/03/15  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
37. 98/03/14  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
38. 98/03/13  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
39. 98/03/12  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai
40. 98/03/11  022  FS: 1996 BASEBALL INSERT#3/8  rec.collecting.sport.  Mohammad T. Mirzai

 
 

Now martin, the jig is up :) Come clean, admit you fingered the email addy
I emailed you from...:-)

I'm by no means a sports fan...:) and I don't collect baseball
cards..Muahahaha

So martin, tell the truth, admit..You fucked up :-) Dig that hole.

Here, a shovel...:)

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Dustin Cook/RAiD writes:
> Indeed kurt, but...Emailing martin a copy of antichek (which I
> admit was foolish, I didn't forge the email header) is where he
> got my name. His claims of finding it via dejanews is a joke
> to say the least.

I just found loads of posts by you (Dustin Cook) on Dejanews. Some of
them wibbled on about Chekmate, ASIC, and the usual subjects you wibble
on about. Maybe Martin worked it out from that. Martin knows a thing or
two about the net - I'm sure he didn't find it too tricky to work out via
Dejanews.. it's got a powerful search engine.

> >xxxx (whom i do seem to recall vaguely, only because he had
> >the same last name as jeff cook - a tbav rep)

Why are you censoring Kurt's posting? Are you ashamed of your name?
Dustin is a very fashionable name here in the UK y'know.

> you're ever so right, I'll know to use a bogus email addy next
> time I email an antivirus person. Never know how desperate they
> might become :)

Doesn't sound to me like Martin was being desperate. He just likes
things nice-and-tidy. It's so much easier to use people's real names
than remember the pseudonym they're using this week. Look at all the
hassle we had with that bloke pretending to work for Peter Norton, and
claiming his name was G Eubanks...

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Dustin Cook/RAiD writes:
> In article <6grptm$h9d$1...@plutonium.compulink.co.uk>,
> san...@cix.co.uk ("Graham Cluley") wrote:
> >I thought this was about to develop into another of those
> >wonderful alt.comp.virus competitions. So in readiness I
> >leapt to Dejanews to try and find some messages from Dustin
> >Cook. Turns out there are loads... some of them even seem
> >to have his snail mail address.
>
> But, are you *sure* that Dustin Cook is me grahm? :-)

I don't know. Isn't it? Is this yet another pseudonym? Does this mean
we can have a competition after all?

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grrj3$ilr$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:
>Dustin Cook has posted on alt.comp.virus quite a few times too.. even
>participating in the odd ChekMate thread. Seeing as he's not too
>concerned about keeping his identity a secret I'll be very happy to
>include a picture of him on alt.comp.virus.pictures.

minor correction: RAiD has posted here (and is doing so now) I doubt very
much Dustin Cook even reads alt.comp.virus. (You guys do realize what hole
you've dug right? :))

>Have you got a picture of yourself on the net Dustin?

Why don't you ask him? :)

As for me, No, I haven't had a picture taken in some years now.

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Dustin Cook/RAiD writes:

> Now martin, the jig is up :) Come clean, admit you fingered
> the email addy I emailed you from...:-)
>
> I'm by no means a sports fan...:) and I don't collect baseball
> cards..Muahahaha
>
> So martin, tell the truth, admit..You fucked up :-) Dig that hole.
>
> Here, a shovel...:)

You're searching DejaNews incorrectly. I found loads of posts from
Dustin Cook on DejaNews when I tried. Try again, and check out the
searching instructions more thoroughly.

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Dustin Cook/RAiD writes:
> In article <6grrj3$ilr$1...@plutonium.compulink.co.uk>,
> san...@cix.co.uk ("Graham Cluley") wrote:
> >Dustin Cook has posted on alt.comp.virus quite a few times too..
> >even participating in the odd ChekMate thread. Seeing as he's
> >not too concerned about keeping his identity a secret I'll be
> >very happy to include a picture of him on alt.comp.virus.pictures.
>
> minor correction: RAiD has posted here (and is doing so now) I
> doubt very much Dustin Cook even reads alt.comp.virus. (You guys
> do realize what hole you've dug right? :))

Check out DejaNews. Dustin Cook has posted to alt.comp.virus plenty of
times in the past.

Kurt Wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

RAiD (nospam.i...@View.signature.Below) wrote:
: In article <Pine.GSO.3.95.980410093528.16711C-100000@eddie>,
: kurt wismer <a270...@cdf.toronto.edu> wrote:

: >think about it, raid, would you use a single scanner only? probably
: >not... why then should you hold martin's product to the fallacious
: >standard of being a complete solution when you don't do so for scanners?

: I didn't claim it should be a complete solution, but as it stands, the
: limited checking it does do, isn't worth your drive space.

it may not be worth your drive space, but that doesn't mean it isn't
worth anybody's drive space... different strokes for different folks...

that happens to be another facet of multi-layer av, by the way...

: It doesn't
: store checksum files for each file,

of course not, that's the realm of the full integrity checker... which
is most secure when used from a clean bootable disk, which means it can't
(easily) use baiting to detect viruses...

yet chekmate does...

it's a targeted integrity checker with some other niceties thrown in...
it is meant to make the full (computationally expensive) integrity check
schedule sparser so as to keep productivity higher...

(at least that's my interpretation)

: it snapshots your boot-sector, and a
: few files from the windows directory, and your command.com, autoexec bat
: etc. How is this even a single layer? please, enlighten me.

you forgot the baiting...

anyways, that's a layer (maybe a thin one, it depends on your
perspective, but it's thicker than mem /c) because it's a means of
monitoring some (not all) potentially viral changes on your computer on
a frequent basis (which can't reasonably be done with a full integrity
checker)...

and while you may not be happy with the files it checks, let me remind
you that plain file infectors are rare in the wild...
--
"the beautiful lull, the dangerous tug,
we get to feel small from high up above.
and after the glimpse, and over the top
the rest of the world becomes a giftshop"
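
The targeted check described in the post above (a baseline over a few startup files plus planted bait files, rather than a checksum for every file), as an added Python example; it is not ChekMate's code or anything posted in this thread. The file names, bait contents, SHA-256 and the simulated changes are all assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write(path, data, mode="wb"):
    """Write (or append, with mode='ab') bytes and return the path."""
    with open(path, mode) as f:
        f.write(data)
    return path


def plant_baits(directory, names, size=4096):
    """Create decoy files that no legitimate program has a reason to touch."""
    filler = (b"BAIT" * (size // 4 + 1))[:size]
    return [write(os.path.join(directory, n), filler) for n in names]


def snapshot(paths):
    """Baseline for the watch list only: size and digest per file."""
    return {p: {"size": os.path.getsize(p), "sha256": file_digest(p)} for p in paths}


def check(baseline):
    """Compare the watch list against its baseline; cheap enough to run often."""
    findings = {}
    for path, want in baseline.items():
        name = os.path.basename(path)
        if not os.path.exists(path):
            findings[name] = "missing"
        elif os.path.getsize(path) != want["size"]:
            findings[name] = "size changed"      # no need to hash the file
        elif file_digest(path) != want["sha256"]:
            findings[name] = "content changed"   # same length, different bytes
    return findings


def demo():
    """Constructed scenario in a temp dir; returns (clean_run, run_after_changes)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for the startup files the thread mentions.
        startup = [
            write(os.path.join(root, "AUTOEXEC.BAT"), b"@ECHO OFF\r\nPATH C:\\DOS\r\n"),
            write(os.path.join(root, "COMMAND.COM"), b"\x00" * 2048),
        ]
        # An ordinary program that is NOT on the watch list.
        unwatched = write(os.path.join(root, "GAME.EXE"), b"\x00" * 1024)
        baits = plant_baits(root, ["BAIT1.COM", "BAIT2.EXE"])

        baseline = snapshot(startup + baits)
        clean = check(baseline)

        # Simulated changes (harmless filler bytes, constructed for the demo).
        write(baits[0], b"X" * 512, mode="ab")                      # bait grows
        os.remove(baits[1])                                         # bait deleted
        write(startup[0], b"@ECHO OFF\r\nPATH C:\\TMP\r\n")          # same size, new bytes
        write(unwatched, b"X" * 512, mode="ab")                     # outside the watch list

        return clean, check(baseline)


if __name__ == "__main__":
    clean, findings = demo()
    print("clean run:", clean)
    for name, reason in sorted(findings.items()):
        print(f"{name}: {reason}")
```

The change to GAME.EXE goes unreported because it is outside the watch list, which is the gap a full integrity checker covers in a layered setup.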

kurt wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On Mon, 13 Apr 1998, RAiD wrote:

> In article <892413850.5139.4...@news.demon.co.uk>,
> Chek...@Cavalry.com (Martin Overton) wrote:
>
> >That's a shame Dustin, I hoped that you'd seen the light.
> >I suppose you realise that means I'll have to put my wings away after all
> >and stop practicing my Oinking now ;-)
>
> LoL martin. when this is finished, You realize how stupid you're going to
> look right? :-)
>
> >Neither, I knew that such an attack was possible, as are many attacks
>
> You *knew* it was possible eh? Why bother suggesting users rename the bait
> files then? Storing bait file names right in the open, no matter what you
> or others wanna claim, IS a security flaw. And by the looks of things, You
> knew and didn't give a shit. :)

"it's a security flaw because i said so"... blah...

it's a necessity for any program that is meant to be used often... but you
can't seem to see that integrity checkers can fulfill different
functions and play multiple roles in a multi-layered av strategy...

you've come a long way, charlie brown, but you've got a long ways yet to
go...

kurt wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On Mon, 13 Apr 1998, RAiD wrote:

> In article <892413846.5139.2...@news.demon.co.uk>,
> Chek...@Cavalry.com (Martin Overton) wrote:
> >Didn't need to, you left so many other clues that it was very easy to find
> >your real name via dejanews.
>
> Sure you did martin. Please, post the message where it links that name, or
> just admit using the name is an act of petty revenge for daring to
> challenge you :-)

some revenge... you've given the impression in the past that you didn't
care... why would anyone think it would hurt you...

> Don't you think, had I wanted a name to be used, I would have used it?

you said your real name was easy enough to find, and you didn't care... why
do you care so much now?

maybe you just don't like the fact that it was martin that brought it to
light...

> Would you like someone posting your real address, social security number
> etc? :)

he probably wouldn't mind as much as you would...

kurt wismer

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

On Mon, 13 Apr 1998, RAiD wrote:

> In article <1998041222481...@nym.alias.net>,
> Spanska <Use-Author-Address-Header@[127.1]> wrote:
> >Hey, Martin, is it the only way you've found to have a revenge
> >on Raid, posting his real name on a public forum? All of you
> >always say that we are immoral and unethical (which is quite
> >true in general), but i see more and more that AV people are
> >the same.
>
> He's desperate. He doesn't want any more anti-chekmate viruses written to
> show his piece of junk program for what it is. :-)

oh yes, raid's got martin on the run now... his next virus will bring
chekware to its very knees...

hark, is that an invisible pink unicorn i see on the far side of the
linoleum field?

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grt6p$kfb$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:

>Check out DejaNews. Dustin Cook has posted to alt.comp.virus plenty of
>times in the past.

Yes he has, from a bbs as I recall. (reading the posts).

A bbs, yet..I'm on an ISP, how do you link them to be the same person?

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grsq1$k5p$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:

>You're searching DejaNews incorrectly. I found loads of posts from
>Dustin Cook on DejaNews when I tried. Try again, and check out the
>searching instructions more thoroughly.

am I? I used standard search, i then went back and found tons from years
ago, from a BBS (does anyone else still remember those?) and I've yet to
see one with him talking about chekmate. His asic posts aren't much, in
fact...if he still codes in asic (which is doubtful) he doesn't/didn't
know as much as I do about the language.

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article
<45D02B3E6EB2C1C1.DBF157C2...@library-proxy.airnews.
net>,
spam.go...@pc-pro.com (Ernest Petter) wrote:
>On Mon, 13 Apr 98 01:49:23 GMT, RAiD wrote:
>
>[that sure was quick]

Doh, sorry..Long post I know.

>RAiD you got me all wrong.

Have i?

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <ErBx4G.JC...@torfree.net>,
cr...@torfree.net (Kurt Wismer) wrote:

>it may not be worth your drive space, but that doesn't mean it isn't
>worth anybody's drive space... different strokes for different folks...

I suppose.

>it's a targeted integrity checker with some other niceties thrown in...
>it is meant to make the full (computationally expensive) integrity check
>schedule sparser so as to keep productivity higher...

which niceties?

>you forgot the baiting...

Doh! So I did...Oops.

>anyways, that's a layer (maybe a thin one, it depends on your
>perspective, but it's thicker than mem /c) because it's a means of
>monitoring some (not all) potentially viral changes on your computer on
>a frequent basis (which can't reasonably be done with a full integrity
>checker)...

I stand corrected then Kurt.


>and while you may not be happy with the files it checks, let me remind
>you that plain file infectors are rare in the wild...

Allow me to remind you...2 of my viruses have been wildlisted for over a
year now...HLLP.5850.C and HLLP.5850.D I believe. They're not much to brag
about, but..they are wildlisted.

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grsbq$jje$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:

>I don't know. Isn't it? Is this yet another pseudonym? Does this mean
>we can have a competition after all?

I believe we do indeed have a competition.

My name (real one) might not be the one I used for this account...I see
nobody took that into consideration. and btw, that's not illegal.

I also see nobody took into account how many Dustin Cook's there
are..Shrug...details people details. :)

RAiD

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

In article <6grsbn$jj8$1...@plutonium.compulink.co.uk>,

san...@cix.co.uk ("Graham Cluley") wrote:

>I just found loads of posts by you (Dustin Cook) on Dejanews. Some of
>them wibbled on about Chekmate, ASIC, and the usual subjects you wibble
>on about. Maybe Martin worked it out from that. Martin knows a thing or
>two about the net - I'm sure he didn't find it too tricky to work out via
>Dejanews.. it's got a powerful search engine.

I can't find any posts about Dustin cook concerning chekmate. I did find
some about asic. However, asic is a widely distributed program...So, I'm
sure he and I aren't the only ones using it.

>Why are you censoring Kurt's posting? Are you ashamed of your name?
>Dustin is a very fashionable name here in the UK y'know.

My apologies, I'll let this continue. it's funny actually. Sorry for
'censoring' you kurt.

>Doesn't sound to me like Martin was being desperate. He just likes
>things nice-and-tidy. It's so much easier to use people's real names
>than remember the pseudonym they're using this week. Look at all the
>hassle we had with that bloke pretending to work for Peter Norton, and
>claiming his name was G Eubanks...

How long have i been posting as RAiD? c'mon, do you see any bogus raids?

Graham Cluley

unread,
Apr 13, 1998, 3:00:00 AM4/13/98
to

Spanska writes:
> Graham Cluley:
> >What's immoral and unethical about Martin calling RAiD
> >by his real name?
>
> kurt wismer:
> >what's wrong with posting raid's true identity?
>
> Simple: it's against the netiquette. In other words,
> it's against the Net ethics. So, unethical. This is a
> word you always use, i thought you could understand it. I
> personally don't bother with the netiquette, but i thought
> you did (i'm so naive sometimes).

I was under the impression that RAiD invited people to find out his true
identity? Wasn't that the case? If not then I'm sorry for getting that
wrong. But it doesn't matter anyway because RAiD says he isn't Dustin
Cook..

Now.. the real person who should be upset is Dustin Cook. Has anyone
contacted him yet? I would imagine he's very upset being linked to a
virus author. Dustin Cook hasn't posted up on alt.comp.virus for a long
time, but he used to.. anyone can find that out for themselves via
DejaNews.

kurt wismer

Apr 13, 1998, 3:00:00 AM

On Mon, 13 Apr 1998, RAiD wrote:

> In article <Pine.GSO.3.95.980412204733.7798N-100000@eddie>,
> kurt wismer <a270...@cdf.toronto.edu> wrote:
> >what's wrong with posting raid's true identity? he said himself that it
> >was easy to find... that suggests he didn't really care much... then
> >there's all the clues he gave (like being a regular in fido a couple
> >years ago under his real name)...
>
> Indeed kurt, but...Emailing martin a copy of antichek (which I admit was
> foolish, I didn't forge the email header) is where he got my name. His
> claims of finding it via dejanews are a joke to say the least.

frankly i don't see that it matters where he got it... or even that he got
it at all... it's just a name after all... if you think it makes you any
less anonymous you're wrong...

and if you slipped up, tough luck for you...

> >xxxx (whom i do seem to recall vaguely, only because he had the
> >same last name as jeff cook - a tbav rep) hasn't shown all that much
> >concern over hiding his identity... if he had he wouldn't have flaunted
> >the availability of it...
>
> you're ever so right, I'll know to use a bogus email addy next time I email
> an antivirus person. Never know how desperate they might become :)

well, i don't see that it matters much anymore... it's become common
knowledge...

what scares me, though, is that i remember claiming it was possible to
write viruses in asic back in the day in fido land...

kurt wismer

Apr 13, 1998, 3:00:00 AM

On Mon, 13 Apr 1998, RAiD wrote:

> In article <6grptm$h9d$1...@plutonium.compulink.co.uk>,
> san...@cix.co.uk ("Graham Cluley") wrote:
> >I thought this was about to develop into another of those wonderful
> >alt.comp.virus competitions. So in readiness I leapt to Dejanews to try
> >and find some messages from Dustin Cook. Turns out there are loads...
> >some of them even seem to have his snail mail address.
>
> But, are you *sure* that Dustin Cook is me Graham? :-)
>
> usit.net isn't a usa wide isp you know :)
>
> Also, on another note, the martin Dustin posts didn't start until *after*
> I emailed him a copy of antichek..He never responded, so..I had no choice
> but to advertise the exploit. His choice :)

they didn't start until quite some time (months) after the antichek virus
thing, actually... you'd think that if it had bothered him so much and he
got your address from that that he'd have stuck it to you (as it were)
much sooner...

kurt wismer

Apr 13, 1998, 3:00:00 AM