I discovered a .vbs file in my startup folder recently,
but as I don't use Outlook, the virus didn't spread.
Upon editing the irokrun.vbs file, I found the script
referenced an executable called "irok.exe" that was
in my windows/system directory. I was unable to
delete any of these files, and needless to say Norton
didn't find anything. I figured this virus was harmless,
and I would just wait for updated virus definitions
so I could remove it. However...
About a day later, while using PGP tools, a DOS window
appeared. It said something about burning the world,
and it then told me that my hard drive had been erased.
Sure enough, upon checking, the entire hard drive had
been corrupted. It was a secondary drive, used only for
file storage.
I also have Linux on the same machine, so I can get
access to the files, but none of them have a valid name
(all root directories are called '???????'). Several Linux
utilities for rebuilding the file allocation table have failed
(it's a FAT32 drive).
Does anyone know what virus I have, or how to recover
my hard drive?
> Has anyone heard of a virus called "irok"?
-----------------------------------------------------------------------------------------
Do a search at <http://vil.nai.com/villib/alphar.asp> concerning VBS
infections.
davidovv PRO-TECT 2000 http://go.to/protect2000
Well, it's called IRoK v1.1, and it was coded by Raid, a member of the
[SLAM] virus coding group. It is written in the HLL ASIC and will
prepend to EXE/COM files. It's a runtime virus, which means it won't
stay resident in memory. It hasn't yet been detected by any AV vendor...
It will work on most systems like win95/win98/NT/win2k... it's 10,000
bytes in length. It uses a rough encryption that uses the time/date of
the file for a seed, so if the file time/date is modified your file will
be corrupted. Also the virus will drop a VBS script in the startup
directory and try to send itself to the first 65 users in your contact
list... it does also drop a script.ini in the mIRC directory and sends an
infected .exe to anyone joining a channel with an infected user. It has
a dangerous payload, as you may have noticed.
Sent via Deja.com http://www.deja.com/
Before you buy.
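The point above about the host being keyed to its own time/date deserves a concrete illustration, because it is the detail a disinfector trips over. The C program below is an added example for this page, not IRoK's code and not anyone's analysis of it: the thread says only that the encryption is seeded from the file's time/date, so the key derivation, the LCG keystream, the 16-byte stand-in for the prepended body and the FAT date/time words used in the demo are all constructed assumptions of this example. What it shows is the consequence that matters: the host is recoverable only with the timestamp the file carried at infection time, and anything that rewrites the timestamp first (copying the file, touching it, an editor saving it) turns a clean disinfection into a corrupted host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of "encryption seeded from the file's time/date". The seed,
   keystream and constants below are this example's own, not IRoK's. */

/* Seed = the two 16-bit FAT directory-entry words packed together (assumption). */
static uint32_t seed_from_timestamp(uint16_t fat_date, uint16_t fat_time) {
    return ((uint32_t)fat_date << 16) | fat_time;
}

/* Keystream from a 32-bit LCG; XOR is its own inverse, so the same call
   both encrypts and decrypts. Constants chosen for illustration only. */
static void xor_with_timestamp_key(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t x = seed;
    for (size_t i = 0; i < len; i++) {
        x = x * 1103515245u + 12345u;
        buf[i] ^= (uint8_t)(x >> 16);
    }
}

#define VIRUS_LEN 16   /* stands in for the 10,000-byte prepended body */

/* Build an "infected" image: filler body in front, host behind it,
   host bytes XORed under the key derived from the host's own timestamp.
   Returns the image length, or 0 if the output buffer is too small. */
size_t model_infect(const uint8_t *host, size_t host_len,
                    uint16_t fat_date, uint16_t fat_time,
                    uint8_t *out, size_t outsz) {
    if (outsz < VIRUS_LEN + host_len) return 0;
    memset(out, 0xEE, VIRUS_LEN);                 /* constructed filler */
    memcpy(out + VIRUS_LEN, host, host_len);
    xor_with_timestamp_key(out + VIRUS_LEN, host_len,
                           seed_from_timestamp(fat_date, fat_time));
    return VIRUS_LEN + host_len;
}

/* What a disinfector has to do: strip the prepended body and decrypt with
   the timestamp the file carried BEFORE anything rewrote it.
   Returns the recovered host length, or 0 on a malformed image. */
size_t model_disinfect(const uint8_t *infected, size_t inf_len,
                       uint16_t fat_date, uint16_t fat_time,
                       uint8_t *out, size_t outsz) {
    if (inf_len < VIRUS_LEN || outsz < inf_len - VIRUS_LEN) return 0;
    size_t host_len = inf_len - VIRUS_LEN;
    memcpy(out, infected + VIRUS_LEN, host_len);
    xor_with_timestamp_key(out, host_len, seed_from_timestamp(fat_date, fat_time));
    return host_len;
}

/* Cheap plausibility check on a recovered DOS/Windows executable: "MZ" header. */
int looks_like_mz(const uint8_t *buf, size_t len) {
    return len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

/* Walk the scenario: infect, recover with the original timestamp (works),
   recover after the date word has moved on (garbage). Returns 1 if the
   model behaves as the thread describes. */
int demo_timestamp_dependency(void) {
    static const uint8_t host[] = "MZ\x90\x00" "constructed host"; /* constructed */
    const uint16_t fat_date = 0x2856, fat_time = 0x4000;          /* constructed */
    uint8_t inf[64], back[64];
    size_t n = model_infect(host, sizeof host, fat_date, fat_time, inf, sizeof inf);
    size_t m = model_disinfect(inf, n, fat_date, fat_time, back, sizeof back);
    int clean_ok = (m == sizeof host) && memcmp(back, host, m) == 0;
    /* the file was "touched" first: the date word changed, the time word did not */
    m = model_disinfect(inf, n, (uint16_t)(fat_date + 8), fat_time, back, sizeof back);
    int touched_ok = looks_like_mz(back, m);
    return clean_ok && !touched_ok;
}

int main(void) {
    printf("host recoverable only with the untouched timestamp: %s\n",
           demo_timestamp_dependency() ? "yes" : "no");
    return 0;
}
```

The operational lesson for anyone writing or running a disinfector against a sample like this is to read and save the directory entry's date/time words before opening the file for writing, and to put them back afterwards, since many tools update the timestamp on write and the recovered host is then unrecoverable by any further run.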
> In article <01n04sg3tif73504t...@4ax.com>, Dr. Costas
> Giannakenas MD <cg...@anon.net> wrote:
> > On Fri, 26 Nov 1999 08:59:26 -0800, Raid Slam
> > <soho20N...@hotmail.com.invalid> wrote:
> > Raid,
> > Why the heck do you bother to respond to these
> > postings? Personally I would never bother.
<snip>
> > To get a few things straight. I don't care much for your virus
> >writing as the damage that can be caused by one of your viruses is
> >possibly greater than you could imagine - imagine if one of your
> >creations was to trash my data.
> My hope is that you will never encounter a virus of mine, as you've done
> nothing to me. However, should you ever come across one of mine,
> just email me, or write a note here; and I'll contact you with removal
> instructions. I know it's not much, but...
> >The data concerns patients with cancer, their lab tests, their
> >therapies, the course of their disease etc. Loss of this data could
> >possibly lead to loss of human lives. Why?
> I don't want to harm anybody in that way. Noted exception: Jed Connors
> (cracky?). I lost a family member to cancer a few years ago... So I have
> an idea how important your research is to you.
<snip>
> I can't do anything about Toadie or Termite, as they've made it wild,
> and they aren't coming home... But, I can prevent Storm Trooper and
> others (mine) from ever becoming wild.
<snip>
> Regards,
> Raid [SLAM]
Regards,
Randy
--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.
Yes.
>I discovered a vbs file in my startup folder recently,
>but as I don't use Outlook, the virus didn't spread.
>Upon editing the irokrun.vbs file, I found the script
>referenced an executable called "irok.exe" that was
>in my windows/system directory. I was unable to
>delete any of these files, and needless to say Norton
>didn't find anything. I figured this virus was harmless,
>and I would just wait for an updated virus definitions
>so I could remove it, however...
The .vbs file is created by the executable that referenced it,
only one time however. Your machine was marked for future
incidents should another virus ever come your way that knows
about the identification. Irok uses the marker so it doesn't
place another .vbs file in your startup directory. I only want
you to email your friends and associates once. If you did so more
than one time, they might know something's up. Norton will not be
aware of the virus until they have decided upon a unique
scanstring to use. Heuristics never have been a problem for me.
>About a day later while using PGP tools, a dos window
>appeared. It said something about burning the world,
>and it then told me that my harddrive had been erased.
>Sure enough upon checking, the entire harddrive had
>been corrupted. It was a secondary drive, used only for
>file storage.
The lyrics quoted are from Tool's Ænema. While it does say your
hard disk was erased, that's not exactly accurate. :) I'll leave
you to figure out what happened to your stuff, if anything.
>I also have linux on the same machine, so I can get
>access to the files, but none of them have a valid name
>( all root directories are called '???????' ). Several linux
>utilities for rebuilding the file allocation table have failed
>( it's a fat32 drive ).
LOL! That's because nothing was wrong with your file allocation
tables in the first place.
>Does anyone know what virus I have, or how to recover
>my hard drive?
Yes and Yes.
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
>do a search at <http://vil.nai.com/villib/alphar.asp>,
>concerning vbs infections.
The .vbs file isn't a virus, nor a worm. The executable is your
virus.
>davidovv PRO-TECT 2000 http://go.to/protect2000
Laugh! Don't bother.
Regards,
Raid [SLAM]
Not exactly. It does become resident for a time, but infects via
runtime only. Laugh
>a dangerous payload as you may have noticed.
Are you AV wannabe now?
incidently, Where did you become infected by it? It's not
supposed to be ... out.
> In article <38D4A073...@nospam.com>, "Leon A. Koch"
> <nos...@nospam.com> wrote:
> >Has anyone heard of a virus called "irok".
>
> incidently, Where did you become infected by it? It's not
> supposed to be ... out.
oh come on, raid... you know better than that... what have i been saying
for years now? uncontrolled distribution enables malicious spreading..
--
". . . and i was looking so good, shamoo took a shining to me. and they're
so smart those things, you know, they got all these human emotions. love,
lust, green hundred year old eyed jealousy. barthalamoo - was *livid*.
unbeknownst to me, i can't hear a god damned thing underwater."
> incidently, Where did you become infected by it? It's not
> supposed to be ... out.
*If* Raid can be taken for his word (I generally doubt
it) then the above means that Raid's own closest, "most
trusted" friends/accomplices are untrustworthy.
Still, Raid will feign ignorance of writing viruses per
se, is fundamentally dangerous, given the failings of
human judgement, etc.
Most other kinds of ignorance he does not have to pretend.
--
Nick FitzGerald
>*If* Raid can be taken for his word (I generally doubt
>it) then the above means that Raid's own closest, "most
>trusted" friends/accomplices are untrustworthy.
You may take what I said any way you like. Twist it around to
suit your pleasure. You mean shit to me, Nick. You're just a fly
sitting on a pile of dogshit pronouncing to the world how great
and wonderful you are, and how we should phear your eliteness.
Pathetic lamer.
>Still, Raid will feign ignorance of writing viruses per
>se, is fundamentally dangerous, given the failings of
>human judgement, etc.
The only mistake I see so far is someone forgot to press the
Abort button when they were blessed with the wonderful (heh) news
of your existence.
>Most other kinds of ignorance he does not have to pretend.
You always were an excellent teacher.
I can't help but wonder though, why don't you do something positive
with your time...
On Thu, 23 Mar 2000 07:59:20 -0800, Raid Slam
<soho20N...@hotmail.com.invalid> wrote:
>Yes.
>
>The vbs file is created by the executable that referenced it,
>Only one time however. Your machine was marked for future
>incidents should another virus ever come your way that knows
>about the identification. Irok uses the marker so it doesn't
>place another .vbs file in your startup directory. I only want
>you to email your friends and associates once. If you did so more
>then one time, they might know something's up. Norton will not be
>aware of the virus until they have decided upon a unique
>scanstring to use. Hueristics never have been a problem for me.
>
>The lyrics quoted are from Tool Anema. While it does say your
>hard disk was erased, that's not exactly accurate. :) I'll leave
>you to figure out what happened to your stuff, if anything.
>
>LOL! That's because nothing was wrong with your file allocation
>tables in the first place.
>
>Yes and Yes.
>Hello Raid,
Hi Leon.
>I figured you would turn up to gloat about this whole thing.
Gloat? Nope. I turned up because I was curious as to where you
found my irok virus. You see, he's not supposed to be out
anywhere. It's still an ongoing project, I'm not finished with
it yet.
>I have actually recovered both my files and system.
Great. I didn't think it would take you too long to figure it
out.
>Thanks to everyone who helped.
>Thanks to Raid for not making the payload too harsh. ; )
:P
>I can't help but wonder though, why don't you do something
>positive with your time...
Shrug. I enjoy writing the bugs. I can't help it.
> Where did you find it?
I have a feeling it was from alt.binaries.cracks.
As I said, I have no idea which file/message it was from.
Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:25d68662...@usw-ex0106-045.remarq.com...
You are fortunate though, because thanks to certain unknown
people giving samples to most AV companies ( ..grin.. , thanks
axel ) most of them will now be able to detect and remove the
virus. Just get an updated set of definitions. How did you find out
you had the virus?
Leon Koch <nos...@nospam.com> wrote in message
news:9hrtds0svmihbe7q9...@4ax.com...
[Material out of context snipped]
Nice try Randy. But I know your methods, so I'm not going to fall
into your snide little trap.
>I've got your virus but nothing's happened as of yet other than
>the fact that IE5.0 won't access any web pages. Could somebody
>at least tell me how to get rid of this thing???
Nothing is supposed to happen, at least not right away... Irok
doesn't interact with IE or Netscape, so Irok isn't at fault for
IE not working, sorry.
> It was posted to several newsgroups but
>this addy. jgr...@yahoo.com
Thanks, I've contacted this individual. The person (I don't know
what sex they are) sent me a few... amusing emails. Since when do
antivirus companies solicit you for viruses? (apparently, one
does now...) Here's the emails I got about it:
Date: Mon, 27 Mar 2000 16:36:54 +0500
To: jgr...@yahoo.com
From: Proland Software <pra...@pspl.com>
Subject: Response to your ACV posting.
Hello,
We are writing this mail from Proland Software company. We are the
developers of Protector Plus antivirus software, providing antivirus
solutions to our strong customer base across the world in more than 60
countries.
You can visit our website to know more about us at
http://www.pspl.com
In response to your ACV posting we are sending this mail.
We request you to send the infected file sample of Irok to
sup...@pspl.com at the earliest, so that we can provide the cure for the
virus.
Regards,
Customer Support Cell.
Proland Software
http://www.pspl.com
--
From: "derek wood" <drumme...@ns.sympatico.ca>
To: <jgr...@yahoo.com>
Subject: hey...
Date: Sun, 26 Mar 2000 22:22:04 -0400
dear rotten bastard,
do you realize that the dianna troi thing you put on the newsgroup does
something to your registry and notepad when you open it? if you didn't,
sorry about the rotten bastard comment.. if you did know, i hope that
someone some day takes a bat to your head and opens it up and shows you
your brains, because it's people like you who are the cankersores of
society and are nothing but worthless pieces of shit.
--
He/she wouldn't tell me where they got my IRok, nor how/if they
spread it, but... they did provide me with the emails above.
(Side note: Rude person too)
> >a dangerous payload as you may have noticed.
>
> Are you AV wannabe now?
>
Heheh, no no no, I'm in the same business as you :) I don't care about
virus problems until it feels personal, and sometimes when I read
messages on newsgroups I feel like helping :) Nothing wrong with that, I
think. You don't have to be a total asshole just because you code
viruses. I know you pretty well, so I know you aren't one either. I'm sad
to say that 50% of the antivirus people fall in that category
(assholes).
> Regards,
> Raid [SLAM]
Yep. Antivirus guys aren't as bright as they'd like you to
believe. When the Toadie was all hyped up, nobody (except
DataFellows) got any of the description details correct. McAfee
and Symantec were so far off, I wondered if the guys even looked
at it.
>You are fortunate though, because thanks to certain unknown
>people giving samples to most AV companies ( ..grin.. , thanks
>axel ) most of them will now be able to detect and remove the
>virus. Just get an updated set of definitions.
Ahh, Axel isn't very useful. Irok wakes up because of him. :)
And... I'm pretty sure the samples Axel forked to avers are the
serialized beta copies; i.e., the real deal has yet to be captured.
>How did you find
>out you had the virus?
It probably told him.
> > It was posted to several newsgroups but
> >this addy. jgr...@yahoo.com
>
> Thanks, I've contacted this individual. The person (I don't know
> what sex they are) sent me a few... amusing emails.
I thought John Grahms was one of the pseudonyms you use, Raid?
Did you ask this person who has been posting your viruses to various
newsgroups why he appears to be using one of your pseudonyms?
--
Graham Cluley, Head of Corporate Communications, Sophos Anti-Virus
email: gcl...@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
Actually, it's a real name. Quite popular; which is why I use it.
Makes it just a wee bit more interesting.
>Did you ask this person who has been posting your viruses to
>various newsgroups why he appears to be using one of your
>pseudonyms?
As I mentioned (I realize you have a reading comprehension
problem) he wouldn't tell me where he got the virus, or why he
was spreading it. And to be honest Graham, I don't really give a
fuck. It's out, ah well.
Btw, what version of unix are you running? (harmless question)
Axel Pettinger wrote:
> Raid Slam wrote:
> >
> > In article <9hrtds0svmihbe7q9...@4ax.com>, Leon
> > Koch <nos...@nospam.com> wrote:
> > >As to what the virus actually does, I think only Raid knows... ;
> > >P
>
> ... and a few virus research analysts I'd say. :)
>
> For an IMO good description see ...
> http://www.avp.ch/avpve/file/h/hlp_irok.stm
>
> > Yep. Antivirus guys aren't as bright as they'd like you to
> > believe. When the Toadie was all hyped up, nobody (except
>
> "Hype"? Hmm, somehow comes CAI into my mind. I wonder why ...<g>
>
> > datafellows) got any of the description details correct. Mcafee
> > and Symantec were so far off, I wondered if the guys even looked
> > at it.
>
> It seems some of them have/had problems to replicate your virus(es).
> I've heard that a machine (called GEORGE) had problems with Irok because
> the virus crashed always ...
>
> > >You are fortunate though, because thanks to certain unknown
> > >people giving samples to most AV companies ( ..grin.. , thanks
> > >axel ) most of them will now be able to detect and remove the
> > >virus. Just get an updated set of definitions.
>
> Yep.
>
> > Ahh, Axel isn't very useful. Irok wakes up because of him. :)
>
> No, Raid. I tried to make Irok sleepy, very sleepy ... :P
>
> > And... I'm pretty sure the samples Axel forked to avers is the
> > serialized beta copies;
>
> What are "serialized beta copies"? Is this version of Irok buggy ...?
>
> > Ie: the real deal has yet to be captured.
>
> And how's that "real deal" called?
>
> Regards,
> Axel Pettinger
Check this out leon:
http://www.symantec.com/avcenter/venc/data/irok.trojan.worm.html
Norton does not clean irok. In fact, Norton doesn't even call
irok properly. :-) Norton fails to describe what Irok actually
does, and makes several bogus claims concerning the virus's
ability to corrupt files. As I said, Norton fuckin blows.
>On Mon, 27 Mar 2000 00:02:05 -0800, "kjk" <1...@get.net> wrote:
>
>>I've got your virus but nothing's happened as of yet other than the fact that
>>IE5.0 won't access any web pages. Could somebody at least tell me how to get
>>rid of this thing??? It was posted to several newsgroups but this addy.
>>jgr...@yahoo.com
Norton sucks dick.
How funny is it though when av companies get it so very wrong about a
virus. ; )
see also:
http://www.cai.com/virusinfo/virusalert.htm#vbs_irok
"the worm will display an Armageddon message and corrupt the entire
hard drive rendering it unusable"
What the hell are they getting paid for?
> >How did you find
> >out you had the virus?
>
> It probably told him.
>
> Regards,
> Raid [SLAM]
>
>
> The .vbs file isn't a virus, nor a worm. The executable is your
> virus.
> Regards,
> Raid [SLAM]
And what is the .VBS for?
Can't you manipulate Outlook from the C++ program?
It's just ActiveX stuff, right?
As for the infection method you use, does it always work?
What happens if an *.EXE file is not actually executable but a DLL,
and just exports some functions?
Anaktos
http://welcome.to/SPL/
> In article <8bo7ie$jrm$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
> >I thought John Grahms was one of the pseudonyms you use, Raid?
>
> Actually, It's a real name. Quiet popular; Which is why I use it.
> Makes it just a wee bit more interesting.
Oh okay, I hadn't heard it before you started using it. Odd coincidence I
thought.
> >Did you ask this person who has been posting your viruses to
> >various newsgroups why he appears to be using one of your
> >pseudonyms?
>
> As I mentioned (I realize you have a reading comprehension
> problem) he wouldn't tell me where he got the virus, or why he
> was spreading it. And to be honest Graham, I don't really give a
> fuck. It's out, ah well.
But you should care if someone is ripping you off by distributing your
viruses. Isn't that a breach of copyright?
Hi Neo,
You want information about Irok? No problem ...
http://www.avp.ch/avpve/file/h/hlp_irok.stm
http://www.europe.f-secure.com/v-descs/irok.htm
http://www1.rav.ro/virus/showvirus.php3?id=43
http://www.sophos.com/virusinfo/analyses/irok.html
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=IROK
http://www.cai.com/virusinfo/virusalert.htm#vbs_irok
http://www.cai.com/press/2000/03/trojan_irok.htm
http://www.symantec.com/avcenter/venc/data/irok.trojan.worm.html
To get rid of it, it's better to *disinfect* infected files - btw, you
shouldn't use your computer at the moment, as Irok can be destructive -
you could use F-Prot, AVP, and RAV.
To disinfect them with AVP you - of course - need the scanner and the
Daily Update, i.e. from
<http://www.kasperskylab.ru/eng/products/download.asp>.
To disinfect them with F-Prot send them a (ZIP packed) virus sample
<viru...@complex.is> and ask for an updated SIGN.DEF.
Extract the scanners into an empty directory (it shouldn't be in the
PATH!), or - that would be better - start your computer from a clean
virus free floppy boot disk. Install the DOS scanners and use them to
check your files. Don't execute other COM (excl. COMMAND.COM) or EXE
files on the infected computer as they could be infected.
Good luck!
Regards,
Axel Pettinger
<snipped post>
Sorry to see it required another of Raid's little gems to drag you
back here. Haven't seen you posting in awhile. Good to CU.
Art
I haven't had so much time to post in acv (or even to read most
posts) in the last months. Well, I'm still somewhat busy. But I hope to
have a little bit more time soon ...
> Good to CU.
Good to see that you're still posting in acv.
Regards,
Axel Pettinger
Nope. The virus decides whether or not to pass control to you.
And it's maxed at an 80-character command line (a known OS
limitation). The virus does suffer from a bug however, but that's
a memory leak and only occurs under Win95a OSes.
>In some cases the virus can corrupt host programs. The
>virus has a bug and it doesn't supply command line options
>to the host program correctly, so every program that
>operates with command line parameters will not work
>correctly after infection.
You really might want to check this for yourself. file corruption
only occurs if the user plays with an infected file, and it's
deliberate. :)
> I have the Irok virus. I have checked out the link and and they provide no
> information about getting rid of the virus... Anyone have any info?
> i have tried McAfee's and Nortons site and they do not have any info. about
> it at all...
if you think you have a virus then scan your computer with a good up to
date anti-virus product like f-prot (http://www.complex.is) or avp
(http://www.avp.ru)...
if you think you have a virus which your anti-virus can't detect then try
a different anti-virus or try sending a file you suspect to be infected
to the anti-virus developer...
by the way, the best (i mean best) way to restore a virus infected file is
to replace it with a known clean backup... you shouldn't have to wait for
anti-virus products to be updated to do that... but you should still send
in infected samples so that av products can be updated for those poor
souls who don't have backups...
> Help?!
> Thanks,
you're welcome, hope this helps...
>
>
> > The .vbs file isn't a virus, nor a worm. The executable is your
> > virus.
> > Regards,
> > Raid [SLAM]
>
> And why is the .VBS for?
> Can't you manipulate outlook from the C++ program?
c++? did raid stop working in asic?
> In article <2000032905...@cotse.com>, "Katrin Podrezov"
> <anon...@cotse.com> wrote:
> >
> >The virus has a bug HAHAHAHAHAHAHAHAHA
>
> Nope. The virus decides whether or not to pass control to you.
> And it's maxxed at 80 characters command line (a known OS
> limitation).
???? since when? the limit *USED* to be longer than that... 128 characters
as i recall... did this change in windows?
Actually it's a common misconception. None of my viruses are
written purely in ASIC. They do have asm routines written
entirely in asm. I use the ASIC compiler a lot because it's
automatic defense against heuristics, and because I like ASIC.
You really should be more concerned with your Sophos internet
connection at this point, Graham. You might go offline for some
unknown reason. That would be a shame.
Have you looked into higher bandwidth? Say... at least 4 T3s? I
have a funny feeling you'll wish you had.
The specified DOS limit was 80 characters plus one null. You can
extend it to 128 and beyond, but the command line tail puller
will only support up to 80 characters. And btw, not to knock on
whoever (whichever company said it), but irok does pass command
lines just fine if less than 81 characters.
>> And it's maxxed at 80 characters command line (a known OS
>> limitation).
>
>???? since when? the limit *USED* to be longer than that... 128 characters
>as i recall... did this change in windows?
80h eq 128d
---
Pierre Vandevenne, MD
www.datarescue.com, home of the IDA Pro Disassembler
Version 4.03 available - register renaming / local variables
Free crypto stuff with source
<NIT_PICKING>
The first byte is used for the parameter line length and the last
byte of the line is supposed to contain <CR> (0Dh). Which leaves
126 bytes for the line itself. And when entering a command from the
keyboard one has to take into account the size of the DOS input
buffer - 127 bytes (one byte being reserved) and the length of the
command itself without parameters.
</NIT_PICKING>
--
Sincerely,
Dmitry O. Gryaznov
> In article <Pine.SOL.4.21.00032...@chimp.cdf>,
> kurt wismer <g9k...@cdf.toronto.edu> wrote:
> >c++? did raid stop working in asic?
>
> Actually it's a common misconception. None of my viruses are
> written purely in asic. They do have asm routines written
> entirely in asm. I use the asic compiler alot because it's
> automatic defense against hueristics, and because I like asic.
i know all this, i meant "working in" in a more common usage sense... the
person i replied to seem to think you were working in c++...
> In article <Pine.SOL.4.21.00032...@chimp.cdf>,
> kurt wismer <g9k...@cdf.toronto.edu> wrote:
> >???? since when? the limit *USED* to be longer than that... 128
> >characters as i recall... did this change in windows?
>
> The specified DOS limit was 80 characters plus one null. You can
> extend it to 128 and beyond, but the command line tail puller
> will only support upto 80 characters. and btw, not to knock on
> whoever (whichever company said it) but irok does pass command
> lines just fine if less then 81 characters.
or maybe one of us is talking in base 16 without recognizing the
fact... my recollection says there are 128 (80h) bytes of space in the psp
reserved for the command tail...
i'm quite certain i've successfully passed more than 80 characters worth
of commandline args to a program before without having to do anything
special with the commandline parser i used...
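The 80-versus-128 disagreement above comes down to what is being counted. The command tail lives at PSP offsets 80h through FFh, which is 128 (80h) bytes: the length byte at 80h, the characters from 81h on, and a terminating CR, which leaves the 126 characters of the nit-pick. A runtime that only pulls 80 characters simply drops the rest. The C program below is an added example, not code from any post in this thread or from any program discussed in it; it models the tail region of a PSP in a plain 256-byte buffer so the three numbers can be checked against each other on a modern compiler. The function and constant names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PSP_TAIL_OFF  0x80   /* the tail region occupies PSP offsets 80h..FFh */
#define PSP_TAIL_SIZE 128    /* 80h bytes: this is where "128" comes from      */
#define PSP_TAIL_MAX  126    /* minus the length byte at 80h and the final CR  */

/* Lay a command tail into a 256-byte PSP image the way the loader does:
   length byte, characters, CR. Returns the length stored, or -1 if the
   string does not fit in the region. */
int psp_build_tail(uint8_t psp[256], const char *args) {
    size_t n = strlen(args);
    if (n > PSP_TAIL_MAX) return -1;
    uint8_t *tail = psp + PSP_TAIL_OFF;
    memset(tail, 0, PSP_TAIL_SIZE);
    tail[0] = (uint8_t)n;
    memcpy(tail + 1, args, n);
    tail[1 + n] = 0x0D;                 /* CR terminator; at FFh when n == 126 */
    return (int)n;
}

/* Pull the tail the way a careful runtime does: trust the length byte only
   after checking it is in range and that the CR is where it should be.
   Returns the length, or -1 if the region is malformed or out does not fit. */
int psp_read_tail(const uint8_t psp[256], char *out, size_t outsz) {
    const uint8_t *tail = psp + PSP_TAIL_OFF;
    size_t n = tail[0];
    if (n > PSP_TAIL_MAX || tail[1 + n] != 0x0D || n + 1 > outsz) return -1;
    memcpy(out, tail + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* An 80-character puller: a runtime that reserves only 80 bytes for the
   tail keeps the first 80 and silently loses the rest. */
int psp_read_tail_80(const uint8_t psp[256], char *out, size_t outsz) {
    const uint8_t *tail = psp + PSP_TAIL_OFF;
    size_t n = tail[0];
    if (n > 80) n = 80;
    if (n + 1 > outsz) return -1;
    memcpy(out, tail + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Round-trip a tail of n 'A's through build and the careful reader.
   Returns the length read back, or -1 if it did not fit or did not match. */
int psp_roundtrip_n(size_t n) {
    char args[256], out[256];
    uint8_t psp[256] = {0};
    if (n >= sizeof args) return -1;
    memset(args, 'A', n);
    args[n] = '\0';
    if (psp_build_tail(psp, args) < 0) return -1;
    int got = psp_read_tail(psp, out, sizeof out);
    if (got < 0 || strcmp(out, args) != 0) return -1;
    return got;
}

/* Same, but read back through the 80-character puller; returns what survives. */
int psp_puller80_n(size_t n) {
    char args[256], out[256];
    uint8_t psp[256] = {0};
    if (n >= sizeof args) return -1;
    memset(args, 'A', n);
    args[n] = '\0';
    if (psp_build_tail(psp, args) < 0) return -1;
    return psp_read_tail_80(psp, out, sizeof out);
}

int main(void) {
    printf("126 chars, careful reader: %d\n", psp_roundtrip_n(126));  /* 126 */
    printf("127 chars, careful reader: %d\n", psp_roundtrip_n(127));  /* -1  */
    printf("100 chars, 80-char puller: %d\n", psp_puller80_n(100));   /* 80  */
    return 0;
}
```

So kurt and Raid are both describing something real: the region is 128 bytes and holds up to 126 characters, while a runtime library that only copies 80 of them gives a program the 80-character ceiling Raid is talking about. A tail of 81 to 126 characters is stored intact and is simply not seen by such a program.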
> After this whole experience Raid, I'd have to agree.
>
> Norton sucks dick.
Norton who?
> How funny is it though when av companies get it so very wrong about a
> virus. ; )
I think you meant "sad" rather than "funny"...
> see also:
> http://www.cai.com/virusinfo/virusalert.htm#vbs_irok
> "the worm will display an Armageddon message and corrupt the entire
> hard drive rendering it unusable"
>
> What the hell are they getting paid for?
Ummmmm, remind us what you said when you first posted to
acv about Irok. I'll save you the trouble:
> and it then told me that my harddrive had been erased.
> Sure enough upon checking, the entire harddrive had
> been corrupted. It was a secondary drive, used only for
> file storage.
>
> I also have linux on the same machine, so I can get
> access to the files, but none of them have a valid name
> ( all root directories are called '???????' ). Several linux
> utilities for rebuilding the file allocation table have failed
> ( it's a fat32 drive ).
>
> Does anyone know what virus I have, or how to recover
> my hard drive?
Sounds like it was fairly "unusable" to you. Just because
*you* have the right combination of abilities, contacts and
nous to correct the corruption rendered by Irok does not
mean others do...
Siding with the misanthrope that wrote the thing which may
have been your undoing seems odd to me.
--
Nick FitzGerald
On Thu, 30 Mar 2000 02:16:25 GMT, "Nick FitzGerald"
<ni...@virus-l.demon.co.uk> wrote:
<snip>
I knew that Raid uses a freeware compiler for writing programs (virii)
but didn't know that it was a C compiler. I thought it was C++.
So, Raid,
why don't you use Visual C, which gives you more power over the OS, like
ActiveX support for manipulating Outlook, Word, Excel, etc.?
Is it just a matter of oversized programs, or something else?
---------------------------------------
On Thu, 30 Mar 2000 02:58:16 GMT, lthi...@mciworld.com (LHigdon)
wrote:
>I think you meant "sad" rather than "funny"...
True, funny is not the right word. I am just disappointed that these
people can not provide the public with more accurate information.
>Ummmmm, remind us what you said when you first posted to
>acv about Irok. I'll save you the trouble:
Yes, I said that initially, but that was on the basis of never having
dealt with a virus on my system before. I had no idea what to expect,
and unlike the people I was criticising, I have had no experience or
training in this field. I was just disappointed that they took as fact
what some random person (me) posted to a NG, without investigating the
situation themselves.
>Sounds like it was fairly "unusable" to you. Just because
>*you* have the right combination of abilities, contacts and
>nouse to correct the corruption rendered by Irok, does not
>mean others do...
I know that they don't. I am very, very grateful to the people who
have helped me with this whole thing. I am just really pissed off that
others who do get the virus, can not go to an AV company and get the
real facts regarding the virus.
>Siding with the misanthrope that wrote the thing which may
>have been your undoing seems odd to me.
I am not siding with anyone. I think viruses are a huge waste of time
and the people who write them should (if capable) be doing a lot
better things with their time.
Sorry to get under your skin, Nick. I have respect for everyone in the
AV field, if they do their job properly. I just find it really
disappointing to see experts post information that will lead people
into trouble. e.g. "Oh, this AV says my hard drive is corrupted, well
then I'll just format it and lose all my data..."
On Thu, 30 Mar 2000 18:47:47 +0800, Leon Koch <nos...@nospam.com>
wrote:
> True, funny is not the right word. I am just disappointed that these
> people can not provide the public with more accurate information.
Time may see that improve. When a new virus is first
reported from the field, there is huge pressure on the AV
developers to get detection and disinfection (if they
normally offer it) into an update so it can be shipped to
the affected customer(s). Setting aside time for an
expert (whose time would be better spent working on
devising detection and/or disinfection) to work on writing
an accurate, succinct description of how it works and
what to be wary of with it, is not usually that high of a
priority during that initial flurry of activity.
> Yes, I said that initially, but that was on the basis of never having
> dealt with a virus on my system before. I had no idea what to expect,
> and unlike the people I was critising, I have had no experience or
> training in this field. I was just disappointed that they took as fact
> what some random person (me) posted to a NG, without investigating the
> situation themselves.
That some of the web descriptions reflect your observations
or comments does not mean they have been "taken" by those
AV developers. It may be that whoever wrote their initial,
quick description saw much the same thing.
> I know that they don't. I am very, very grateful to the people who
> have helped me with this whole thing. I am just really pissed off that
> others who do get the virus, can not go to an AV company and get the
> real facts regarding the virus.
I think enough of the "real facts" were initially available.
Some sites probably made the effects of the payload sound
quite a bit worse than it is *if* you have or can afford
access to suitable data recovery skills...
> I am not siding with anyone. I think viruses are a huge waste of time
> and the people who write them should (if capable) be doing a lot
> better things with their time.
Well, we certainly agree on that. Some of your comments
suggest an air of commiseration with Raid. He doesn't
need it, and from what we have seen of him, it is wasted on
him. If instead of posting in the tone you did, you had
expressed the smallest shred of anger or despair at his
senseless act, he would have lambasted you as "an ignorant
luser" who "deserved to be hit". He *is* that nice, really!
> Sorry to get under your skin Nick. I have respect for everyone in the
> AV field, if they do their job properly. I just find it really
> disappointing to see experts post information that will lead people
> into trouble. e.g. "Oh, this AV says my hard drive is corrupted, well
> then I'll just format it and lose all my data..."
You didn't get "under my skin" -- it's probably too thick
for that! 8-)
I agree that the line "everything is hopelessly lost" should
be played down, *but* for a lot of users that is the truth.
They do not have the time, expertise or money to either fix
the corruption themselves or get good professional assistance.
Sadly, those same people are the ones most likely to have no
backups at all.
But what really sucks is Raid will be jerking off in his burrow
over every one of those stories he hears.
Just remember that if it were not for sick fucks like Raid, it
wouldn't matter what the Avers wrote on their web pages.
--
Nick FitzGerald
> > > Actually it's a common misconception. None of my viruses are
> > > written purely in asic. They do have asm routines written
> > > entirely in asm. I use the asic compiler a lot because it's
> > > automatic defense against heuristics, and because I like asic.
> >
> > i know all this, i meant "working in" in a more common usage sense... the
> > person i replied to seemed to think you were working in c++...
>
> I knew that RAID used a freeware compiler for writing programs (virii)
> but didn't know that it was a C compiler. I thought it was a C++.
it's not C either... asic actually bears a reasonably close relation to
basic, or so i recall...
> So, Raid,
> why don't you use Visual C which gives you more power over the OS, like
> ActiveX support for manipulating Outlook, Word, Excel, etc..
> Is it just a matter of oversized programs, or something else?
if i'm not mistaken, the reasons raid uses asic instead of the myriad of
other languages available are included in the top most quote of this
very message... perhaps you missed it...
> it's not C either... asic actually bears a reasonably close relation to
> basic, or so i recall...
???
> if i'm not mistaken, the reasons raid uses asic instead of the myriad of
> other languages available are included in the top most quote of this
> very message... perhaps you missed it...
No, there is no such information in this thread, you are mistaken.
What makes you answer newsgroup messages, even when you
have nothing to say?
Does it happen all the time or is it because of the season? Are you feeling
lonely? Have you tried IRC or have they already banned you from every
single channel?
-------------------------------------
AnaKtos
>Time may see that improve. When a new virus is first
>reported from the field, there is huge pressure on the AV
>developers to get detection and disinfection (if they
>normally offer it) into an update so it can be shipped to
>the affected customer(s).
If the antivirus people are too moronic to properly disassemble a
virus, they cannot provide the public with trustworthy
information. Norton suggests merely deleting some files will
remove it. It mentions nothing of the payload. (If you go and
delete the files, you likely won't have an operating system left)
Trend antivirus claims the virus is impossible to disinfect
because it overwrites the host. It's a prepender. The host
contents are normally fully recoverable, *if* you know how.
McAfee antivirus claims it's a worm/trojan, and only lists one
known variant. (5 Irok viruses are known to exist. I should
know, I wrote them.)
AVP and datafellows both claim it contains a destructive payload
which results in file corruption. Untrue. It renames all files
and directories in \ to high ascii characters. Nothing is deleted
nor corrupted. It's a very simple (antique) copy protection trick
from the old days before the PC was popular.
I think I know why you don't tackle executable disassemblies
Nick, you're clearly not a programmer.
>That some of the web descriptions reflect your observations
>or comments does not mean they have been "taken" by those
>AV developers. It may be that whoever wrote their initial,
>quick description saw much the same thing.
Then they aren't experts at computer software and operating
systems. They should not be employed in the pc field if they
cannot tell the difference between corruption and a simple trick.
>I think enough of the "real facts" were initially available.
>Some sites probably made the effects of the payload sound
>quite a bit worse than it is *if* you have or can afford
>access to suitable data recovery skills...
Oh really? Nick, a for/next loop to rename all entries to "00001"
to whatever would restore full access to the user's machine. He
would manually need to rename the directories for windows,
program files etc. However, *NOTHING* is corrupted from his
system. You should stop while you're ahead, lamer. You're a bigger
fool with each line.
>I agree that the line "everything is hopelessly lost" should
>be played down, *but* for a lot of users that is the truth.
>They do not have the time, expertise or money to either fix
>the corruption themselves or get good professional assistance.
>Sadly, those same people are the ones most likely to have no
>backups at all.
Read above. And take some pc courses.
>But what really sucks is Raid will be jerking off in his burrow
>over every one of those stories he hears.
So umm, what did the boss at virusbulletin say when you kept
getting fuck me notes Nick? :)
>Just remember that if it were not for sick fucks like Raid, it
>wouldn't matter what the Avers wrote on their web pages.
And remember, if it weren't for morons like Nick, this world
wouldn't be nearly as entertaining. Writing a piece of software
is hardly a "sick fuck". Bullshitting the public, convincing them
you're an expert in the field when you certainly aren't, is a "sick
fuck", more so for trying to defend your position when called on
it.
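A defender's version of the rename-back loop described above, added here as an example and not code from this thread or from anyone in it: it scans the root of the mounted drive, renames every entry whose name contains non-printable or high-ASCII bytes to a sequential 00001-style name (guessing .exe from an MZ header so executables can be told apart), and writes a mapping file, because nothing on the disk records what the entries used to be called. The function names, the rename_map.txt log and the sample directory are this example's own constructions.

```python
import os
import sys
import tempfile


# An unmodified DOS/Windows name is printable 7-bit ASCII; anything else is
# what shows up as '???????' when the drive is mounted elsewhere. Names are
# handled as bytes so undecodable high-ASCII entries never raise.
def is_garbled(name: bytes) -> bool:
    return any(b < 0x20 or b > 0x7E for b in name)


def guess_suffix(path: bytes) -> str:
    """Peek at a file's header to suggest an extension for the new name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(2)
    except OSError:
        return ""
    if head == b"MZ":
        return ".exe"          # DOS/Windows executable header
    if head == b"PK":
        return ".zip"
    return ""


def free_name(root_b: bytes, counter: int, suffix: str):
    """First unused 00001-style name at or after counter (never clobber)."""
    while True:
        candidate = f"{counter:05d}{suffix}"
        if not os.path.lexists(os.path.join(root_b, candidate.encode())):
            return counter, candidate
        counter += 1


def recover_names(root: str, dry_run: bool = False):
    """Rename garbled entries directly under root and return the mapping
    as a list of (old_name_hex, new_name). Entries with sane names are
    left alone; with dry_run the mapping is computed but nothing moves."""
    root_b = os.fsencode(root)
    mapping = []
    counter = 1
    for name in sorted(os.listdir(root_b)):
        if not is_garbled(name):
            continue
        old = os.path.join(root_b, name)
        suffix = "" if os.path.isdir(old) else guess_suffix(old)
        counter, new_name = free_name(root_b, counter, suffix)
        mapping.append((name.hex(), new_name))
        if not dry_run:
            os.rename(old, os.path.join(root_b, new_name.encode()))
        counter += 1
    if mapping and not dry_run:
        # Audit trail: the only record of what the entries were called.
        with open(os.path.join(root_b, b"rename_map.txt"), "w") as log:
            for old_hex, new_name in mapping:
                log.write(f"{old_hex} -> {new_name}\n")
    return mapping


def list_names(root: str):
    """Sorted entry names under root (for checking the result)."""
    return sorted(os.fsdecode(n) for n in os.listdir(os.fsencode(root)))


def make_sample_dir() -> str:
    """Constructed sample root: two garbled directories and one garbled
    file with an MZ header, next to an entry the payload did not touch."""
    d = tempfile.mkdtemp()
    d_b = os.fsencode(d)
    os.mkdir(os.path.join(d_b, b"\xff\xfe\xfd"))
    os.mkdir(os.path.join(d_b, b"\x80\x81"))
    with open(os.path.join(d_b, b"\xf0\xf1.\xf2"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)
    with open(os.path.join(d, "readme.txt"), "w") as fh:
        fh.write("untouched\n")
    return d


if __name__ == "__main__":
    # Usage: recover.py [--dry-run] [mounted_drive_root]
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    target = args[0] if args else make_sample_dir()
    for old_hex, new_name in recover_names(target, "--dry-run" in sys.argv):
        print(f"{old_hex} -> {new_name}")
```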
> > if i'm not mistaken, the reasons raid uses asic instead of the myriad of
> > other languages available are included in the top most quote of this
> > very message... perhaps you missed it...
> No, there is no such information in this thread, you are mistaken.
"I use the asic compiler a lot because it's automatic defense against
heuristics, and because I like asic."
> What makes you answer newsgroup messages, even when you
> have nothing to say?
> Does it happen all the time or is it because of the season? Are you feeling
> lonely? Have you tried IRC or have they already banned you from every
> single channel?
Blah blah. Buy glasses.
> (5 Irok viruses are known to exist. I should
>know, I wrote them.)
You are so proud of yourself, aren't you! You have inconvenienced (at
the least) a lot of innocent folks. You have caused great distress,
deliberately and with malice aforethought (as evidenced by your postings
prior to the "escape" of Irok). You have wilfully caused problems for
anyone who does not match up to your "intelligence"... for nothing more
than self-gratification, for the chance to gloat over the misery you
have caused for others.
That is despicable. Whatever sympathy I might have had for your opinions
has just disappeared ... not that it will matter to you, I suppose. You
are a predator, no less than the spammers and sleaze who promulgate the
porn you so despise. Faugh!
--
Patricia
Proud Citizen of the Commonwealth of Virginia
"Anti-spammers are the immune system of the Internet." (CDR M. Dobson)
"The spam wars are about rendering email useless for unsolicited
advertising before unsolicited advertising renders email useless
for communication."(Walter Dnes/Jeff Wynn) Opt-out is cop-out! <http://www.cauce.org>
>You are so proud of yourself, aren't you! You have
>inconvenienced (at the least) a lot of innocent folks.
Proud? Not really.
> You have caused great
> distress, deliberately and with malice aforethought (as
> evidenced by your postings prior to the "escape" of Irok).
I gave fair warning what would happen. Some people apparently
didn't get the hint. Maybe they are reconsidering it now.
>nothing more than self-gratification, for the chance to gloat
>over the misery you have caused for others.
Misery loves company. Had nothing to do with self gratification.
Purely revenge motivated. Pure hatred for others, that is why I
wrote it. Simply because I hate people, simply because they
deserve the shit I dump on them, they earned it.
>That is despicable. Whatever sympathy I might have had for your
>opinions has just disappeared ... not that it will matter to
>you, I suppose.
I don't want nor need your sympathy. You understand so very
little.
If you know everything why do you bother even engaging in a conversation?
joos
>> it's not C either... asic actually bears a reasonably close relation to
>> basic, or so i recall...
>???
>> if i'm not mistaken, the reasons raid uses asic instead of the myriad of
>> other languages available are included in the top most quote of this
>> very message... perhaps you missed it...
>No, there is no such information in this thread, you are mistaken.
>
>>Misery loves company. Had nothing to do with self gratification.
>>Purely revenge motivated. Pure hatred for others, that is why I
>>wrote it. Simply because I hate people, simply because they
>>deserve the shit I dump on them, they earned it.
>Sure I'm not telling you something you don't already know. People will
>tend to think of you as a "sick fuck" when you make statements like
>this. These are the kinds of statements usually attributable to guys
>like Dahmer, Bundy and Gacy. You don't really think this way?
He's certainly said so enough times here. Why do you think he's
kidding?
Art
On Thu, 30 Mar 2000 21:24:44 GMT, art...@mindsprung.com (Arthur Kopp)
wrote:
> >I think enough of the "real facts" were initially available.
> >Some sites probably made the effectes of the payload sound
> >quite a bit worse than it is *if* you have or can afford
> >access to suitable data recovery skills...
>
> Oh really? Nick, a for/next loop to rename all entries to "00001"
> to whatever would restore full access to the users machine. He
> would manually need to rename the directories for windows,
> program files etc. However, *NOTHING* is corrupted from his
> system.
hang on, if the directory names are *lost* (only recoverable from memory -
which may not be up to the task for some people) then how exactly can you
claim nothing is corrupted when clearly the directory information has been
transformed into something that no longer allows programs to work right?
> kurt wismer <g9k...@cdf.toronto.edu> wrote:
> > On Thu, 30 Mar 2000, anaktos wrote:
>
> > it's not C either... asic actually bears a reasonably close relation to
> > basic, or so i recall...
> ???
which word confused you?
> > if i'm not mistaken, the reasons raid uses asic instead of the myriad of
> > other languages available are included in the top most quote of this
> > very message... perhaps you missed it...
> No, there is no such information in this thread, you are mistaken.
as a matter of fact there *was*, but you have snipped it out in this
reply...
perhaps you recall the text:
====
Actually it's a common misconception. None of my viruses are
written purely in asic. They do have asm routines written
entirely in asm. I use the asic compiler a lot because it's
automatic defense against heuristics, and because I like asic.
Regards,
Raid [SLAM]
====
clearly this indicates that he uses asic because it has properties he
finds useful, and because he likes it... (and he augments the asic code
with pure asm)
> What makes you answer newsgroup messages, even when you
> have nothing to say?
why is grass green? why is the sky blue?... i'm exercising my freedom of
speech and i'm not hurting anyone in the process...
>hang on, if the directory names are *lost* (only recoverable
>from memory - which may not be up to the task for some people)
>then how exactly can you claim nothing is corrupted when clearly
>the directory information has been transformed into something
>that no longer allows programs to work right?
They are not "transformed" they are simply renamed. If you name
them back, everything works fine. Irok isn't erasing or
corrupting any of your data. It's RENAMING a few filenames on
you.
> They are not "transformed" they are simply renamed. If you name
> them back, everything works fine. Irok isn't erasing or
> corrupting any of your data. It's RENAMING a few filenames on
> you.
>
> Regards,
> Raid [SLAM]
Hey Raid,
Let me ask you a question...
How is it that you can remain so calm and visible while others are mounting a legal case for your arrest? To an outsider, it looks
like you WANT to get arrested. I can't believe this is the case. What's the scoop?
IMHO, from everything I have seen, I would think the heat is going up...
Are you going to start shooting or something when the feds arrive?
One more...
What in the fuck happened to you to make you so angry?
I am not passing judgement I am just curious...
Kadabra
Andrew Dadmun <ada...@NOSPAM.mpinteractive.com> wrote in message
news:38e44638$0$10...@wodc7nh0.news.uu.net...
>Don't get mad at Raid, get yourself informed and get
Andrew:
I am not "mad" at Raid.
I was just wondering how he could remain calm and visible when it's obvious
that the fact that his work is climbing the charts in seriousness at the AV
companies and this will give them ammo to say that he is a threat to society,
the American way etc etc etc.
Kadabra wrote ======>
> To an outsider, it looks like you WANT to get arrested.
Things aren't always as they seem.
If he wanted to get arrested, there are certainly easier ways...
But, if he does get arrested and stuck in the pokey, I hope his
"butt-sector" doesn't get infected when he goes for the soap!
Wouldn't it be ironic if he went to jail and contracted AIDS?
No cleanser for that one. Makes having to re-re-name a few
directories seem like fun.
vxfx
> On Thu, 30 Mar 2000 11:37:03 -0800, Raid Slam
> <soho20N...@hotmail.com.invalid> wrote:
> >
> >Misery loves company. Had nothing to do with self gratification.
> >Purely revenge motivated. Pure hatred for others, that is why I
> >wrote it. Simply because I hate people, simply because they
> >deserve the shit I dump on them, they earned it.
> >
> Sure I'm not telling you something you don't already know. People will
> tend to think of you as a "sick fuck" when you make statements like
> this. These are the kinds of statements usually attributable to guys
> like Dahmer, Bundy and Gacy. You don't really think this way?
you doubt his sincerity? i don't...
as for the value judgement, i can only say it's not always easy to find
your way out of the darkness...
> In article <Pine.SOL.4.21.00033...@eddie.cdf>,
> kurt wismer <g9k...@cdf.toronto.edu> wrote:
>
> >hang on, if the directory names are *lost* (only recoverable
> >from memory - which may not be up to the task for some people)
> >then how exactly can you claim nothing is corrupted when clearly
> >the directory information has been transformed into something
> >that no longer allows programs to work right?
>
> They are not "transformed" they are simply renamed. If you name
> them back, everything works fine. Irok isn't erasing or
> corrupting any of your data. It's RENAMING a few filenames on
> you.
technically, renaming *does* erase data, as there is no structure in any
wintel filesystem i've ever heard of labeled "previous
filename"... certainly the filename is a kind of data...
a corruption is, at its most basic, a detrimental modification by some
intentional or accidental mechanism...
now, programs tend not to deal too well with having their files
arbitrarily renamed on them - thus a detrimental modification has occurred
(not to the *contents* of the file, but certainly to the reference by
which software would have otherwise been able to locate and make use of
the file)...
if you happen to know or remember what all the file names were and can
tell which was what then fine and dandy - a bunch of people won't be able
to, though...
Regards,
Andrew
"Kadabra" <ab...@fuschia.com> wrote in message
news:se7ptp...@corp.supernews.com...
> Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:17a993ec...@usw-ex0106-045.remarq.com...
>
> > They are not "transformed" they are simply renamed. If you name
> > them back, everything works fine. Irok isn't erasing or
> > corrupting any of your data. It's RENAMING a few filenames on
> > you.
> >
If you are so hot-blooded why don't you get out to the park and start
a real fight?
-------------------------------------
Anaktos
> I asked a couple of questions which virtually only Raid could
> answer.
"So, Raid, why don't you use Visual C which gives you more power over
the OS, like ActiveX support for manipulate outlook, word, excel, etc..
Is it just a matter of oversized programs, or something else?"
> I received just one message which gave me no real information
> about anything.
You did receive an answer. Here we go again:
"I use the asic compiler a lot because it's automatic defense against
heuristics, and because I like asic."
Isn't that the answer to your question above?
> When I 'flame' him about his usefulness I get *3* messages
> from people who tried to show how smart they are and what an
> asshole I [=AnaKtos] am. You people can smell flame or what?
You are clearly the one who is seeking trouble. No chance. Go away.
Hmm. This should be interesting.
>How is it that you can remain so calm and visible while others
>are mounting a legal case for your arrest? To an outsider, it
>looks like you WANT to get arrested. I can't believe this is the
>case. What's the scoop?
Because there is nothing to mount against me legally. I didn't
spread the irok virus, and there is no proof claiming otherwise.
I'm sure if there was, somebody would have said so by now. :)
And besides, I do not care about the threats of arrest. Arresting
me for writing a computer program. Sheesh.
>IMHO, from everything I have seen, I would think the heat is
>going up... Are you going to start shooting or something when
>the feds arrive?
If the feds ever do come to my home to fuck with me, I will shoot
at least 3 of them dead before they get me.
>One more...
>
>What in the fuck happened to you to make you so angry?
I'd rather not comment.
> Because there is nothing to mount against me legally. I didn't
> spread the irok virus, and there is no proof claiming otherwise.
> I'm sure if there was, somebody would have said so by now. :)
Presumably you don't deny that on January 13th you posted to this
newsgroup:
"In a few weeks, IrOk (which is based off of Toadie) is going
to be completed. And I am going to lose it into the wild, on
purpose. You can quote me on that one this time Graham."
I'm sure you can understand my confusion. Certainly on January 13th you
seemed to be suggesting that you would release it into the wild.
--
Graham Cluley, Head of Corporate Communications, Sophos Anti-Virus
email: gcl...@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
I'd like to know where you're getting this information. How are you
determining Irok's spread?
No, I don't deny it. However, since that posting the information
in the posting isn't accurate. I did complete irok, but it isn't
based on Toadie source. I was planning to release it into the
wild, but I never did so.
>I'm sure you can understand my confusion. Certainly on January
>13th you seemed to be suggesting that you would release it into
>the wild.
No problem Graham, I hope I was able to clear up the confusion
for you.
>>Presumably you don't deny that on January 13th you posted to
>>this newsgroup:
>
>No, I don't deny it. However, since that posting the information
>in the posting isn't accurate. I did complete irok, but it isn't
>based on Toadie source. I was planning to release it into the
>wild, but I never did so.
>
>>I'm sure you can understand my confusion. Certainly on January
>>13th you seemed to be suggesting that you would release it into
>>the wild.
>
>No problem Graham, I hope I was able to clear up the confusion
>for you.
Slick as a presidential candidate! Or a top level corporate executive.
You missed your calling, Raid. You BS with the best of them!!!
Art
joos
Raid Slam wrote in message <0c20b056...@usw-ex0105-034.remarq.com>...
>In article <95452606...@euston.vossnet.co.uk>, "Joe
>O'Sullivan" <jo...@vossnet.co.uk> wrote:
>
>>Why not tell us all this way the AV companies don't get the jump
>>you seem to want to deny them anyway.
>
>I already denied them the jump by not forking it to them when I
>wrote it.
>
>But, I spent a good 20 minutes debugging the problem, so I'm not
>just going to hand it over to an antivirus person without
>anything in return.
>
>Regards,
>Raid [SLAM]
> I'd like to know where you're getting this information. How are you
> determining Irok's spread?
http://vil.nai.com/villib/newvir.asp
(Note all the 'low' risk ones)
But, let me clarify...
Do I KNOW whether it has spread or not? No.
Haven't seen it. Haven't looked for it.
Anyway, here is my point... If it comes down to it in a court of law,
who do you think the judge is going to listen to? You, the angry
virus author or the AV Pro's who have assessed your work as being
the worst thing ever? Would it be the first time that a VX author
was made out to be the most evil, most vile being ever? No. Look at
Chris Pile, David Smith, etc. Not pretty. Just don't be surprised if
you find the seriousness of your work being overstated. Remember -
who is going to argue with the "experts".
Shit, even if you had to go to court, imagine the time and money
that would be spent just defending yourself against some pretty big
companies.
In another message, you said that you didn't release the thing. (Irok)
Look at "involuntary" manslaughter. I would not be surprised to
see a new precedent being set that would hold VX authors responsible
for their creations no matter how they got out.
Imagine if some company accidentally released an engineered bio virus.
Think there would be a lawsuit? You bet.
So, what's my point? Be careful. The wolves are howling at the gate-
and they are pissed.
Kadabra
PS:
I am not trying to tell you to stop what you are doing.
Just voicing the fact that it wouldn't surprise me to hear that you
got arrested and then see gloating AV posts.
Not telling you what to do but if I was in your shoes I would
"repent", release a fix for my virus, post an apology, create a new
identity and continue working with a lower profile.
My two cents.
Anyway,
later
Kadabra
>Slick as a presidential candidate! Or a top level corporate
>executive
I fail to see the reasoning behind this response Art. Graham had
asked me a question and I kindly responded. Was there something
wrong with my response?
>In another message, you said that you didn't release the thing. (Irok)
>Look at "involuntary" manslaughter. I would not be surprised to
>see a new precedent being set that would hold VX authors responsible
>for their creations no matter how they got out.
Everyone should be held responsible for their creations, no matter
what.
Art
>In article <38e4bd7c...@news.mindspring.com>,
>art...@mindsprung.com (Arthur Kopp) wrote:
>
>>Slick as a presidential candidate! Or a top level corporate
>>executive
>
>I fail to see the reasoning behind this response Art. Graham had
>asked me a question and I kindly responded. Was there something
>wrong with my response?
There is something wrong, Raid, with admitted virus authors whose
creations are ITW pleading not guilty to releasing their creations.
Art
joos
Raid Slam wrote in message <04cbefca...@usw-ex0106-045.remarq.com>...
personally if I were able to make such a thing, I certainly would not tell any
one I had. I would then destroy all copies, and try to completely block my
original thought for creating it.
--
Paul Michael Bryant
Gladiators
57th AHC 1972-73
My Senior Prom was VietNam
**************************
Fax (603) 388-3801
Dino-Soft Software Inc
http://www.zoomnet.net/~quick
"Arthur Kopp" <art...@mindsprung.com> wrote in message
news:38e4e0fa...@news.mindspring.com...
> In article <8c2c84$qcm$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
> >In article <127c67be...@usw-ex0106-045.remarq.com>,
> >soho20N...@hotmail.com.invalid (Raid Slam) wrote:
> >
> >> Because their is nothing to mount against me legally. I didn't
> >> spread the irok virus, and their is no proof claiming otherwise.
> >> I'm sure if there was, somebody would have said so by now. :)
> >
> >Presumably you don't deny that on January 13th you posted to
> >this newsgroup:
>
> No, I don't deny it. However, since that posting the information
> in the posting isn't accurate. I did complete irok, but it isn't
> based on Toadie source. I was planning to release it into the
> wild, but I never did so.
that's all well and nice, but the feds would kinda have to take your word
on that - and they generally don't do that...
not to say it would be an open and shut case if it went to trial, but
you've established intent for them, and the fact that it was released by
someone using your pseudonym can definitely be used against you...
>Why not tell us all this way the AV companies don't get the jump
>you seem to want to deny them anyway.
I already denied them the jump by not forking it to them when I
wrote it.
But, I spent a good 20 minutes debugging the problem, so I'm not
just going to hand it over to an antivirus person without
anything in return.
Regards,
> not to say it would be an open and shut case if it went
> to trial, but you've established intent for them, and the
> fact that it was released by someone using your
> pseudonym can definitely be used against you...
Yes, if I was Raid I would definitely want to know who it was who posted
Irok to various newsgroups. Maybe it was someone trying to frame Raid
seeing as he used one of Raid's well known pseudonyms when posting the
virus?
Raid, you said you had contacted this "John Grahms" person. Did you ask
him why he was using one of your pseudonyms? Did you ask him how he got
hold of your virus? Presumably you know everyone you gave your virus
directly to? It sounds like one of them cannot be trusted.. maybe you
should bear this in mind if you ever decide to write another virus.
Hope that helps
-- Ron Steedman
From federal standard 1037C Glossary of Telecommunications Terms:
data corruption: The violation of data integrity. (188) Synonym data
contamination.
data integrity: 1. [The] condition that exists when data is unchanged from
its source and has not been accidentally or maliciously modified, altered,
or destroyed. [NIS] 2. The condition in which data are identically
maintained during any operation, such as transfer, storage, and retrieval.
(188) 3. The preservation of data for their intended use. 4. Relative to
specified operations, the a priori expectation of data quality.
Raid Slam <soho20N...@hotmail.com.invalid> wrote:
: They are not "transformed" they are simply renamed. If you name
Eve,
I can't speak for RaiD but some of us have just reasons for disliking
other members of our race. Ever try discussing HLL programming or assembler
with your normal circle of friends?? Generally results in a look of "woooaaa
weirdo".
In general human beings are one of the only creatures that will cause death
and destruction the world over for no reason other than they can. Bit like
the reasons some vxers write viruses...
hope that helps...
Dalt
> Time may see that improve. When a new virus is first
> reported from the field, there is huge pressure on the AV
> developers to get detection and disinfection (if they
> normally offer it) into an update so it can be shipped to
> the affected customer(s). Setting aside time for an
> expert (whose time would be better spent working on
> devising detection and/or disinfection) to work on writing
> an accurate, succinct description of how it works and
> what to be wary of with it, is not usually that high of a
> priority during that initial flurry of activity.
Nick, you're so hypocritical. You make no sense anymore.
It seems to me like you have lost your torch and are weaseling your way
around the AV field. The last thing I remember you correctly answering was
KAK. Sure anyone can do that, it's simple. You slammed all of the AV
companies that posted a fix because they were either inaccurate or
incomplete. Now someone else mentions they are dissatisfied with the
response they obtained and you have to take an opposing side to the matter.
Are you the only one capable of diagnosing or *putting down* an AV company?
You're losing respect fast in this field if you ask me. You should maybe
regroup and take a vacation for a while then come back fresh. I also
believe Raid is correct in assuming you're not a programmer. The only thing I
have seen you diagnose is simple script language malware that is simple to
define. I am not sticking up for Raid here, my comments on him will follow.
When it comes to an EXE, you get tongue tied unless you have the answer from
someone else like an AV vendor in this case. In my opinion Leon owed no
apology to your critique. He was speaking the truth. They made it sound
like it was irreversible where the only thing that Raid's program did was
rename the file in *illegal* ascii characters. True, an old trick from the
early days for protecting data and programs. HackersClub had this listed
for years now. In the mean time it probably never did any other damage. I
haven't had the privilege to decompile this baby but my guess is that the
original file names are written somewhere. Assuming Raid left a backdoor.
Or maybe not. Either way the files weren't corrupted.
Leon wasn't wrong in my opinion for his thoughts on this matter. They
should have explicitly stated that they had no fix at the time but were
working on it. Instead of saying all is gone.
As far as Raid goes, I think you should try and use your talents more
productively for whatever country you're from. Maybe get into military
defense and have your work used for surveillance or something to that
matter. I believe you're pretty smart in your field but that field is not too
promising as far as productivity goes. I'm sure they would cut you some
kind of deal don't you think?
Anyways the whole post here was directed at Nick because he does nothing but
tick people off. Especially after his nice little posts about how my
country (USA) is such a bad stereotype. He lost my respect from there. I'm
sure he lost the respect from the people who gave everything they had to
make this country free too. Unless you have a fix Nick, keep your sarcastic
unsupported comments to yourself. Or at least start up alt.nick.virus so
that people know what they are in for when they post.
Have a nice day Nick,
-Harry
> In article <se7ptp...@corp.supernews.com>, "Kadabra"
> <ab...@fuschia.com> wrote:
>
> >IMHO, from everything I have seen, I would think the heat is
> >going up... Are you going to start shooting or something when
> >the feds arrive?
>
> If the feds ever do come to my home to fuck with me, I will shoot
> atleast 3 of them dead before they get me.
Sounds like Tim May, in any case good luck and straight shooting.
> >One more...
> >
> >What in the fuck happened to you to make you so angry?
>
> I'd rather not comment.
A comment/reply to that question would be as interesting as some of the details
of the more arcane mechanisms of the virus itself, at least to me.
> Raid, why don't you like people?
I suspect Raid hates himself as much as he hates the rest of the world.
He makes his own life harder by taking the risk that some guys from the
FBI might be knocking at his door some day. Maybe he even fights with
some kind of conscience whenever he learns that one of his viruses has
struck in the office of some charity organization... And finally,
he must cope with the awareness that thousands of people simply hate
him like poison.
Not a nice life and his own fault.
Laugh at me if you wish - that's my impression.
>Yes, if I was Raid I would definitely want to know who it was
>who posted Irok to various newsgroups.
I'd like to know who did it myself, but I can want in one hand
and shit in the other. Which do you suppose would fill first?
>Maybe it was someone trying to frame Raid seeing as he used one
>of Raid's well known pseudonyms when posting the virus?
Maybe. But let's get something straight for our loyal readers.
The name John Grahms is amazingly popular here in the United
States. It very well could be (and probably is for some people) a
real name. So let's not mislead people, thank you kind sir.
>Raid, you said you had contacted this "John Grahms" person. Did
>you ask him why he was using one of your pseudonyms? Did you
>ask him how he got hold of your virus?
As I said above, John Grahms is a very popular name. I can hardly
claim it as unique to my own self. So again I must ask you to
clarify this for the public. I'm sure you're not misleading them
intentionally.
>Presumably you know everyone you gave your virus directly to?
>It sounds like one of them cannot be trusted.. maybe you
>should bear this in mind if you ever decide to write another
>virus.
Writing viruses is certainly not illegal in this country, so I
fully intend to pursue the hobby, idle threats aside. Concerning
who I gave the virus to, that's really none of your business now
is it? :)
> According to this definition of data corruption (see below),
>the file contents are corrupted.
No sir, they aren't. I can verify this to be true. Access to your
files has been denied if you're incompetent (I'm guessing the
majority of people infected by it and the majority of avers
studying it are incompetent based on the posts and claims about
what the virus does/doesn't do.) but the contents of your files
and programs are very much intact.
Before you attempt to criticize or talk down to me concerning
something I know very well, I'd recommend you learn about the
topic beforehand. I have no problem making you a fool.
> In article <8c4i59$2bm$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
>
> >Yes, if I was Raid I would definitely want to know who it was
> >who posted Irok to various newsgroups.
>
> I'd like to know who did it myself, but I can want in one hand
> and shit in the other. Which do you suppose would fill first?
>
> >Maybe it was someone trying to frame Raid seeing as he used one
> >of Raid's well known pseudonyms when posting the virus?
>
> Maybe. But let's get something straight for our loyal readers.
> The name John Grahms is amazingly popular here in the United
> States. It very well could be (and probably is for some people) a
> real name. So let's not mislead people, thank you kind sir.
I don't want to mislead anyone. I'm sure you don't want to either.
That's why we should find out who is using your pseudonym. I did a search
on Deja News and I couldn't find anyone other than you who seems to use
this pseudonym. Are you sure it's that common a name in the USA?
>I suspect Raid hates himself as much as he hates the rest of the
>world. He makes his own life harder by taking the risk that some
>guys from the FBI might be knocking at his door some day.
I suspect you should not discuss matters you know nothing about,
puppet.
>Maybe he even fights with some kind of conscience whenever he
>learns that one of his viruses has struck in the office of some
>charity organization...
Oi? Expecting sympathy? Remorse perhaps? Save it for weaklings.
>And finally, he must cope with the awareness that thousands of
>people simply hate him like poison.
And you think I'm in the least bit concerned by this? Do you
think I CARE if anyone hates me or not? Did you not pay close
attention to the text that irok prints before "corrupting"
(renaming, l00sers) your data?
>Not a nice life and his own fault.
As I said, you don't know what you're talking about.
Mcafee.com (trust your pc to us was at some point their slogan?)
has written (entire material quoted below, mcafee has already
changed the text once on me)
Virus Characteristics
UPDATE: April 1, 2000 - AVERT has discovered through additional research, that this virus can format a user's hard drive. This can occur after daylight savings time has occurred; when a user's system is infected; and a reboot takes place.
HLLT.Irok family is written in the High Level Language (HLLT) ASIC, a dialect of BASIC, as opposed to assembler or "low level language". It has one variant 10000 bytes long and the virus code is compressed.
When first run on an infected system:
It infects COM and EXE files in the current directory and in the PATH. It avoids files containing the characters win, dll, spa, man, drv, scr, krnl, 386, msc, com, exp, mou, gw, go, sta, use, gdi, or con. It deletes files matching the name anti-vir.dat, chklist.ms, chklist.cps, vs.vsn, or ivb.ntz.
The virus encrypts the first 10000 bytes of the executable file, moves a slice equal to the size of the virus to the end of the file, and replaces the first 10000 bytes of the file with its own code. The date and time of the file is used as a decryption key so if any infected file is changed in any way it will no longer run. The virus does not pass command-line parameters to infected programs so programs which use parameters will no longer work correctly.
It creates a "dropper" file called c:\windows\system\irok.exe, and creates a script file called IROKRUN.VBS in c:\windows\startm~1\programs\startup. If the "c:\windows\startm~1\programs\startup" folder does not exist, the virus will fail to drop the script. The script attempts to use Outlook mail to send itself to up to 60 Outlook address book entries. The message contains the subject "I thought you might like to see this." and the message body "I thought you might like this. I got it from paramount pictures website. It's a startrek screen saver."
The c:\windows\system\irok.exe file is attached to the message. The virus creates a file called c:\windows\system\winrde.dll as a marker to see if it has already dropped the VBS file or not. The winrde.dll file is not really a DLL file, but just a marker. The VBS file will run the next time the computer is started, if the Windows scripting host is installed, and then deletes itself.
If the directory "c:\mirc" exists, it creates a "dropper" file called c:\mirc\irok.exe and also creates the file c:\mirc\script.ini which attempts to use mIRC client and "dcc"s itself under the name IROK.EXE whenever somebody joins the IRC channel. If anyone says "irok" in an IRC channel the infected user is in, the script will display the message "My computer is 0wned by IRoK v1.1" in all the channels the user is currently in. The mirc script is already detected as IRC/Simpsalapim.gen
The virus contains the strings:
Hey You! <----------- >>> Push enter stupid!
IRoK v1.1 is initializing...
In addition, the virus can delete disk data. It has also been reported that the NTDETECT.COM file becomes corrupted (This will prevent NT systems from booting). See here for details.
--------------
Now here lies the problem:
UPDATE: April 1, 2000 - AVERT has discovered through additional
research, that this virus can format a user's hard drive. This can
occur after daylight savings time has occurred; when a user's
system is infected; and a reboot takes place.
The virus has NO ABILITY WHATSOEVER to format anything, not even
so much as a floppy disk! Further, NOTHING on the virus is keyed
to detonate based on the hour or the day. (The counters you've
read other av companies talking about are NOT COUNTERS! IF IT'S
17 MINUTES PAST THE HOUR, YOUR HARD DISK WILL BE RENAMED, NOT
CORRUPTED, NOT FORMATTED. If it's 21 minutes at the hour, Irok
will introduce itself and allow you to resume working.
If it's between 3pm to 5pm, irok will enter "doze" mode. Do not
attempt to trick the virus during this time.
Do any of you INCOMPETENT antivirus personnel have anything to
say? Anything at all to the public who relies on your "knowledge"
which has proven to be anything but? Any apologies avers?
--
Love
Evelyn
http://www.woolston.greatxscape.net/
Reply via Newsgroup only
"Frederic Bonroy" <fbo...@mail.dotcom.fr> wrote in message
news:38E75F41...@mail.dotcom.fr...
> Evelyn wrote:
>
> > Raid, why don't you like people?
>
> I suspect Raid hates himself as much as he hates the rest of the world.
> He makes his own life harder by taking the risk that some guys from the
> FBI might be knocking at his door some day. Maybe he even fights with
> some kind of conscience whenever he learns that one of his viruses has
> struck in the office of some charity organization... And finally,
> he must cope with the awareness that thousands of people simply hate
> him like poison.
>
> Not a nice life and his own fault.
>
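The indicators in the quoted McAfee write-up (the dropped file names irok.exe, IROKRUN.VBS and the winrde.dll marker, plus the strings carried by the virus body and the mIRC script) can be checked mechanically on a mounted drive. The triage scanner below is an added example, not code from any poster or vendor; the sample files it scans are constructed stand-ins, and a hit means "inspect this file", not a confirmed infection.

```python
# Added example: triage scanner for the IRoK v1.1 indicators the McAfee write-up
# lists (dropped file names and embedded strings). A hit means "inspect", not proof.
import os
import tempfile

# Strings quoted in the write-up: two from the virus body, one from script.ini.
MARKER_STRINGS = (
    b"IRoK v1.1 is initializing...",
    b"Hey You! <----------- >>> Push enter stupid!",
    b"My computer is 0wned by IRoK v1.1",
)
MARKER_NAMES = {"irok.exe", "irokrun.vbs", "winrde.dll"}  # dropped/marker names from the write-up

def scan_file(path):
    """Return the reasons this file matches an IRoK indicator (empty list if none)."""
    reasons = []
    if os.path.basename(path).lower() in MARKER_NAMES:
        reasons.append("dropper/marker file name")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # body is prepended and ~10000 bytes: the head suffices
    reasons += ["contains %r" % m.decode() for m in MARKER_STRINGS if m in head]
    return reasons

def scan_tree(root):
    """Walk root; return {relative path: reasons} for every file that matched."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits

# Constructed fake drive layout (not real samples) used by demo().
SAMPLE_FILES = {
    "windows/system/winrde.dll": b"",  # empty marker file, as described
    "tools/edit.exe": b"MZ" + b"\0" * 200 + MARKER_STRINGS[0] + b"\0" * 100,
    "mirc/script.ini": b"[script]\n; constructed stand-in\n" + MARKER_STRINGS[2] + b"\n",
    "tools/clean.exe": b"MZ" + b"\0" * 300,
}

def demo():
    # Write SAMPLE_FILES into a temp dir, scan it and return the hits.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Run against a mounted FAT32 volume's root instead of the temp dir to triage a real drive; on a live system the write-up's startup path and c:\mirc are the first places to look.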