
Puce/Kapucen Re: USCF/ VIRUS warning. Trojan used to infect members' P


Dave U. Random

Mar 8, 2009, 1:42:52 AM3/8/09
Javert <Ins.J...@gmail.com> wrote in rec.games.chess.politics...
> On Mar 6, 6:50 am, "Mr.Vidmar" <vid...@nowhere.com> wrote:
>
> > ROTFL!
>
> Yes, this was the funniest yet.

I don't see what is funny. This is to do with the flamewar in
rec.games.chess but if you think there is even 0,01% chance that
Puce/Kapucen has installed on your PC you must physically remove
the connection to the internet (unplug modem cable, take out
wireless card) and call in a serious professional. Better, boot
from CD or diskette, delete all HD partitions on all drives on
all PCs on your network, do a low-level format and then reinstall
from read-only masters that have been scanned by at least 2-3
good AVs. Better to use new HDs, keep the old ones in a box as
evidence, maybe the cops will call depending what crimes your
PC was used for. Change all your bank/credit cards + passwords.
Puce / Kapucen is a real headache. It mainly propagates p2p by
filesharing. BTW it is officially a worm not a trojan, and other
common file sizes are 1062xx, 1064xx.

> I heard the trojan used to infect the two computers at the
> center of the disputes may have been found. It is packaged as
> an installation program within a genuine software. As found,
> the deadly payload bears the filename 'setup.exe'. Other names
> are possible.
>
> It is a polymorphing (no fixed viral signature) trojan-horse
> 'worm' which is a dropper. It installs a simple back door in
> the infected Windoze PC. This bypasses most firewalls and every
> time an internet connection is made it stealthily tries to
> establish a port-link to a preset IP address, peer-to-peer.
> Once done, the person at that IP address can control the
> infected PC, download more remote control software like B.O.,
> even infect other PCs in the trusted zone of any internal
> network.
>
> In the copy found, that IP address is found, by detox, to be in
> PRC. For legal reasons pending criminal investigation there
> will be no public release of this IP address yet.
>
> But that IP is probably just a host. The real controller sits
> somewhere else using the PRC computer as a relay proxy,
> possibly without even the knowledge of the user in PRC.
>
> Maybe he is in the east coast, where I can think of some with
> both knowledge of these things, opportunity to gift the
> software to the infected target computer, and.....motive.
>
> Now we know how Mr Truong, et al, were framed, and their
> computers utilized, without their knowledge let alone
> permission for nefarious purposes including spoof posting,
> identity theft, improper email access etc.
>
> Even better when the infected computer is physically moved, as
> the linkup is from that computer, when it moves to a new home
> and connects to the internet, it calls the mother-ship (or
> MOOTER-SHip, ha). Then messages from it that are controlled by
> the remote hacker/hijacker will appear to come from the new
> location (example NY to MX to NY to TX)
>
> This is the simple explanation Ulevitch, Jones and some other
> great people overlooked. And their business is... what? Now the
> source has been found, can we take legal action against the
> "experts"?
>
> File name: setup.exe
> File size: 106496 bytes
> CRC32: 6267E35E
> File date: 2005/02/11 08:17:54
> The date is not relevant, it could be anything depending on the
> mode of malware delivery. The size may be more depending on
> wrapper, but probably not less than 106496. CRC32 will be
> different if the size is different. You can find CRC32 by
> putting the setup.exe into an archive and looking at the CRC32
> column.
>
> VIRUS SCANNER ENGINE TEST RESULTS
> AVG Win32/Puce.C
> VirusBuster Worm.Kapucen.A
> McAfee W32/Puce
> NOD32 Win32/Kapucen.B
> Kaspersky P2P-Worm.Win32.Kapucen.b
> Rising Worm.Puce.a
> SecureWebGateway Worm.P2P.Kapucen.Gen
> PCTools Worm.Kapucen.A
> Sophos W32/Puce-H
> Sunbelt BehavesLike.Win32.Malware
> Comodo Worm.Win32.Kapucen.B
> Authentium W32/Kapucen.gen1@p2p
> Grisoft WORM/P2P.Kapucen.hijack.4
> F-Prot W32/Kapucen.gen1@p2p
> Prevx1 High Risk Cloaked Malware
> TrendMicro WORM_KAPUCEN.B
> GData Win32.Worm.P2P.Puce.G
> a-squared P2P-Worm.Win32.Kapucen.b!IK
> K7AntiVirus P2P-Worm.Win32.Kapucen.b
> CAT-QuickHeal Win32.Worm.Puce.gen!B.4
> Symantec Win32:Back.Orifice
> Ikarus P2P-Worm.Win32.Kapucen.b
> Artemis W32/Puce
> AntiVir WORM/P2P.Kapucen.Gen
> Dr.Web Win32.HLLW.Puce
> Panda W32/Puce.E.worm
> F-Secure P2P-Worm.Win32.Kapucen.b
> Avast Win32:Kapucen-B
> AhnLab-V3 Win32/Kapucen.worm.106496
> TheHacker BackOrifice.Win32.dropper
> Microsoft AV Worm:Win32/Puce.gen!B
> ClamAV Worm.Puce.E
> Fortinet W32/Kapucen.B!worm.p2p
> BitDefender Win32.Worm.P2P.Puce.G
> (another 9 antivirus programs failed to detect the threat)
>
> Use google for some of these details eg setup.exe 106496
> Kapucen - this is not a hoax. It does not I think work in
> Window64 but I do not wish to test!!
>
> I suggest everyone in the chess world should use Search in
> their computer for a file meeting these characteristics. It may
> be inside an archive (like we found this), or in some place you
> would expect an installation file to be. Securely quarantine or
> delete it. DO NOT CLICK ON IT OR OPEN IT EVEN IF YOU ARE NOT
> CONNECTED TO THE INTERNET!
>
> This is not a hoax.
>
>
>> http://mysite.verizon.net/vzewuo9u/brianlaffertysuscfelectionblog/index.html
> Please put this information on that site. From what I saw, it
> will be the only useful information there. Put it next to the
> section apologizing to the victims of this crime.
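The file search Javert recommends (a setup.exe of 106496 bytes with CRC32 6267E35E, possibly sitting inside an archive) can be automated without ever opening the suspect file. The script below is an added example written for this page; it is not code from either poster or from any of the antivirus vendors in the list. The name, size and CRC32 are taken from the quoted post; the two-tier verdict ("exact" when size and CRC32 both match, "possible" when only the name matches and the size is at least 106496, which is how I read the remark that a wrapper can make the file larger and then change the CRC32) is my own interpretation, and the `scan_tree` / `classify` function names are mine. For ZIP archives it reads the CRC32 the archive already stores for each member, which is the same "CRC32 column" the post suggests looking at, so nothing is extracted or executed. Findings are only reported; quarantine is left to the operator.

```python
"""Defender-side sweep for the setup.exe indicators quoted in the post.

Added example for this page; not the original poster's code. It only reads
file metadata and bytes to compute checksums. It never runs anything.
"""
import os
import sys
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIoc:
    name: str    # file name to look for (compared case-insensitively)
    size: int    # byte size of the known sample
    crc32: int   # CRC32 of the known sample


# Indicators exactly as given in the quoted post.
PUCE_SETUP_EXE = FileIoc(name="setup.exe", size=106496, crc32=0x6267E35E)


def crc32_of_file(path, chunk_size=1 << 16):
    """Stream the file through zlib.crc32 so a large file is never read whole."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def classify(name, size, crc32, ioc=PUCE_SETUP_EXE):
    """Grade one file (loose or archive member) against the IoC.

    'exact'    - name, size and CRC32 all match the known sample
    'possible' - same name and at least the known size (a wrapper may make
                 the file larger, and then the CRC32 no longer matches);
                 this tier is my reading of the post, not something it states
    None       - not a hit
    """
    if os.path.basename(name).lower() != ioc.name.lower():
        return None
    if size == ioc.size and crc32 == ioc.crc32:
        return "exact"
    if size >= ioc.size:
        return "possible"
    return None


def scan_tree(root, ioc=PUCE_SETUP_EXE):
    """Walk `root`; return a list of (container_path, member_or_None, verdict).

    Loose files are checked by name, size and (only when the size matches)
    a computed CRC32. ZIP archives are checked member by member using the
    CRC32 stored in the archive's central directory, without extracting.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the sweep
            if fname.lower() == ioc.name.lower():
                crc = crc32_of_file(path) if size == ioc.size else None
                verdict = classify(fname, size, crc, ioc)
                if verdict:
                    hits.append((path, None, verdict))
            if zipfile.is_zipfile(path):
                try:
                    with zipfile.ZipFile(path) as zf:
                        for info in zf.infolist():
                            verdict = classify(info.filename, info.file_size,
                                               info.CRC, ioc)
                            if verdict:
                                hits.append((path, info.filename, verdict))
                except (zipfile.BadZipFile, OSError):
                    continue
    return hits


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for container, member, verdict in scan_tree(start):
        where = container if member is None else f"{container} :: {member}"
        print(f"{verdict:8s} {where}")
```

Run it as `python sweep.py C:\` (or any download or share directory) and review the "exact" lines first; "possible" lines are candidates for the wrapped variant the post describes and need a second opinion from an up-to-date scanner. Other archive formats (RAR, 7z) are not handled here; the stored-CRC trick works for ZIP only.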
