
python - confusing advice


JClark

Sep 13, 2009, 5:36:09 PM
I have conflicting reports on Python.

According to McAfee:

http://vil.nai.com/vil/content/v_994.htm

"Python is a polymorphic, stealth, file infecting virus. It infects
.COM and .EXE files, including COMMAND.COM.

Upon infection, this virus may become memory resident at the top of
system memory but below the 640K DOS boundary."
McAfee goes on to describe all the bad things it does.

But.... there are other reports:

Python is just a programming language:

http://www.python.org/doc/faq/installed/

Or another source says it's a great language for writing viruses (nice
guy):

http://vx.netlux.org/lib/vvx00.html

On my own computer, a search for "python" brings up instances within
Roxio, Cyberlink-PowerDVD9, and Pinnacle Studio 12. There is a whole
subfolder "Python" under Roxio (c:\program files\common files\roxio
shared\media share 101\)

Are these just innocent DLLs and XMLs? Or viruses? If they are
viruses, why didn't my antivirus programs find and remove them (Avira
and AVG)?

Many thanks for any clarification of my confusion, and for any
suggestions about what, if anything, I should do.

Jack


FromTheRafters

Sep 13, 2009, 5:42:50 PM
"JClark" <jcl...@nomail.invalid> wrote in message
news:6joqa59bm3j56nor5...@4ax.com...

"Python" by itself is not a proper malware name. Sometimes, a malware
(especially a virus) is named similarly to the programming language used
to create it (for instance "delf"). Just because a program was written
in such a language doesn't mean it is malware.


David W. Hodgins

Sep 13, 2009, 5:46:00 PM
On Sun, 13 Sep 2009 17:36:09 -0400, JClark <jcl...@nomail.invalid> wrote:

> I have conflicting reports on Python.
> According to McAfee:
> http://vil.nai.com/vil/content/v_994.htm

In this case, it was a poor choice for the name of the virus, as
python is indeed a cross platform programming language.
http://www.python.org/download/windows/

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

JClark

Sep 13, 2009, 9:52:05 PM

That's what I want to think. Avira doesn't even list python in its
virus list. But the McAfee description just uses the word "python" to
describe all the bad stuff. Really scary. Take a look at the link:

http://vil.nai.com/vil/content/v_994.htm

I do appreciate your thoughts on this and former topics.

Jack

JClark

Sep 13, 2009, 9:54:10 PM
On Sun, 13 Sep 2009 17:46:00 -0400, "David W. Hodgins"
<dwho...@nomail.afraid.org> wrote:

>On Sun, 13 Sep 2009 17:36:09 -0400, JClark <jcl...@nomail.invalid> wrote:
>
>> I have conflicting reports on Python.
>> According to McAfee:
>> http://vil.nai.com/vil/content/v_994.htm
>
>In this case, it was a poor choice for the name of the virus, as
>python is indeed a cross platform programming language.
>http://www.python.org/download/windows/
>
>Regards, Dave Hodgins

Hi Dave,

So finding all those files with the name python can be ignored on my
system?

Many thanks for your input. The McAfee description keeps repeating the
simple word "python" which makes it so worrisome.

Jack

David H. Lipman

Sep 13, 2009, 9:55:21 PM
From: "JClark" <jcl...@nomail.invalid>

| That's what I want to think. Avira doesn't even list python in its
| virus list. But the McAfee description just uses the word "python" to
| describe all the bad stuff. Really scary. Take a look at the link:

| http://vil.nai.com/vil/content/v_994.htm

| I do appreciate your thoughts on this and former topics.
| Jack

And it discusses an ~15-year-old file-infecting virus. A true virus. But what's in a
name?

Take the Jerusalem virus. Are you going to connect the city with a virus? No.

Pure coincidence of the Python virus vs. the Python interpreter. Nothing more, nothing
less. Please don't try to connect the two.

Then there's Monty Python. OMG they may have a viral video { LOL }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


nobody >

Sep 13, 2009, 9:59:24 PM

From that webpage:

"The Python virus was received in December, 1994"

I vaguely remember having dealt with it "back in DOS days", but under a
different name.

I'm pretty sure that any AV program worth beans has had this one
hardwired in since day 1.

David W. Hodgins

Sep 13, 2009, 10:39:59 PM
On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jcl...@nomail.invalid> wrote:

> Many thanks for your input. The McAfee description keeps repeating the
> simple word "python" which makes it so worrisome.

According to McAfee, they gave the virus that name because the decrypted
virus contains that word in text format. The word python is not used
in the file name(s).

What led you to the McAfee site about this ancient virus?

FromTheRafters

Sep 14, 2009, 2:52:55 PM

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:h8k7q...@news3.newsguy.com...

> From: "JClark" <jcl...@nomail.invalid>
>
> | That's what I want to think. Avira doesn't even list python in its
> | virus list. But the McAfee description just uses the word "python"
> to
> | describe all the bad stuff. Really scary. Take a look at the link:
>
> | http://vil.nai.com/vil/content/v_994.htm
>
> | I do appreciate your thoughts on this and former topics.
> | Jack
>
> And it discusses an ~15 year old file infecting virus. A true virus.
> But what's in a
> name ?
>
> Take the Jerusalem virus. Are you going to connect the city with a
> virus ? No.
>
> Pure coincidence of the Python virus vs. the Python interpreter.
> Nothing more, nothing
> less. Please don't try to connect the two.
>
> Then there's Monty Python. OMG they may have a viral video { LOL }

It would have to be 'completely different' - just like Python the
language and Python the virus.


David H. Lipman

Sep 14, 2009, 4:45:33 PM
From: "FromTheRafters" <err...@nomail.afraid.org>


>> And it discusses an ~15 year old file infecting virus. A true virus.
>> But what's in a
>> name ?

>> Take the Jerusalem virus. Are you going to connect the city with a
>> virus ? No.

>> Pure coincidence of the Python virus vs. the Python interpreter.
>> Nothing more, nothing
>> less. Please don't try to connect the two.

>> Then there's Monty Python. OMG they may have a viral video { LOL }

| It would have to be 'completely different' - just like Python the
| language and Python the virus.


And now for something completely different...

"Your highness, when I said that you are like a stream of bat's piss, I only mean
that you shine out like a shaft of gold when all around it is dark"

JClark

Sep 14, 2009, 6:06:25 PM
On Sun, 13 Sep 2009 22:39:59 -0400, "David W. Hodgins"
<dwho...@nomail.afraid.org> wrote:

>On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jcl...@nomail.invalid> wrote:
>
>> Many thanks for your input. The McAfee description keeps repeating the
>> simple word "python" which makes it so worrisome.
>
>According to McAfee, they gave the virus that name because the decrypted
>virus contains that word in text format. The word python is not used
>in the file name(s).
>
>What led you to the McAfee site about this ancient virus?
>
>Regards, Dave Hodgins

HI Dave,

The McAfee site popped up on a Google search by my son, who has become
a bit obsessed, I fear, about the security of his computer. But I'm
not virus knowledgeable enough to refute his fears.

I posted details of this situation in this group on August 25
Message-ID: <c3l7951gr0vcod4mc...@4ax.com>

Since then he's stopped using the Dell laptop and I put together a
desktop system for him, doing the same things I did for the Dell:
Short and flash the BIOS, wipe the HD with WipeDrive in DOS, partition
with FDISK, format as NTFS and reinstall Windows XP. But he's
searching all over the drive, finding scripts, dlls with funny lines
in them, the WMI jargon regarding "impersonate" etc. He finds things
he thinks are viruses. Even though I put the premium version of Avira
on the system and ran a full system check before taking it over to
him. He has Online Armor full version firewall. I also put a Linksys
router between his new cable modem (changed the default router
password).
He sent me some files he's worried about tonight:
1. a DCOM log from wbemprox.log

(Mon Sep 14 13:07:37 2009.81109) : Using the principal -RPCSS/asuscf-
(Mon Sep 14 13:07:42 2009.86500) : Using the principal -RPCSS/asuscf-
(Mon Sep 14 13:07:42 2009.86562) : ConnectViaDCOM, CoCreateInstanceEx
resulted in hr = 0x0
many more lines

2. Framework log (GLUE-1)
Login Warning - provider with that name already existed, overridden
with latest provider login
(root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting)
09/01/2009 15:02:38.265 thread:864
[d:\xpsprtm\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]

3. A long script from pickletester, which I won't copy here.

4. httpserver.py etc etc

Dave, I appreciate your help or any suggestions. Again, I'm having a
hard time believing there is any threat in this new system, but
although I am reasonably computer literate, I'm virus-ignorant.

Jack


JClark

Sep 14, 2009, 6:40:38 PM
On Mon, 14 Sep 2009 18:06:25 -0400, JClark <jcl...@nomail.invalid>
wrote:

Here's a recent transmission from my son, with his concerns. Again, I
don't know enough to tell him he's over his head:

(Apologies for caps, his original email)

PLEASE SEE ATTACHED. YES IT DOES HAVE AN ANTIVIRUS "MUK" PROGRAM.
YES,
IT WRITES A FILE THAT MAKES BACKUPS AND RESTORES USELESS. ONE EASY
TEST
FOR YOUR PC.... "UNLOCK" TASK BAR, AUTOHIDE IT, THEN REBOOT A FEW
TIMES. YOU WILL DEFAULT TO LOCKED UNHIDDEN. IT HAS TROUBLE EXACTLY
MIRRORING THE NUANCES EACH WIN VER - NT 2K 98 XP AND I ASSUME VISTA.
LIKELY WHY YOUR VIEW AS LIST REGEDIT DID NOT TAKE...

DEAREST FATHER:

I THINK THIS WILL ASSURE YOU THAT I AM ON A "REDIRECTED
MIRROR/SHELL SITE". AND NOT THE RR SITE. EVENTUALLY THIS PC WILL
HAVE THE FATE OF MY LAPTOP. I HAVE EXPERIENCED THIS FOR MONTHS AND IT
IS HARD TO ITERATE ITS COMPLEXITY. I FOUND 100'S OF HIDDEN FILES ON
THE NEW PC WITH "JEFF C. LAPTOP" DIRECTORIES ... IN UNNAMED SUB
DIRECTORIES. I ASSUME THAT IS WHERE THE INFECTION ORIGINATED. YOU
LIKELY (AND UNDERSTANDABLY) USED SOME OLD SOFTWARE ... OPEN OFFICE
PERHAPS. WE LIKELY HAVE SCREEN READERS... SO ...BE CAUTIOUS WITH
PERSONAL AND FINANCIAL STUFF. U USE AN AX CARD FOR AMROUR? U MAY
WANT 2 CHANGE THE NUMBER.
I FOUND THE BELOW EVIDENCE (IT HAS BEEN HARD, BECAUSE SHELL
BLOCKS U OUT OF THE EVIDENCE), U FIND THIS BY RUNNING "IN NETWORK
CONNECTIONS" (FOUND IN THE CONTROL PANEL) IN SAFE MODE WITHOUT
INTERNET CABLE PLUGGED IN (IF YOU HAVE NO "ONBOARD WIRELESS" ). THE
FIELD IS STILL "SHELLED" BUT YOU CAN BREAK IT BY CHANGING THE DISPLAY
OF MONITOR, IE: RED WITH ALL THE OPTIONS ..THEN OPEN UP A FEW MEDIA
PLAYERS (U MAY WANT TO CHECK FOR PYTHONS .. I BELIEVE THEY ARE
**PY.LNK IN THE DORMANT STATE). THEN CLICK ON THE PROPERTY'S OBJECT
SEVERAL TIMES, CUT/SELECT ALL EVEN IF YOU SEE NOTHING. PLEASE SEE
BELOW:
!@! I JUST GOT A "PICKLE" IN THIS DOCUMENT ... IT WAS A VERY
LIGHT ABERRATION IN BETWEEN A WORD I COULD NOT CUT AND PASTE THE IT.
... I CHECKED THE FILE SIZE FROM THE BACK UP AND THE FILE WAS ABOUT
1500 KB BIGGER... GUESS I SAW IT BECAUSE I HAVE THE DISPLAY SO MESSED
UP... I AM TENACIOUSLY BACKING UP. COINCIDENTALLY MY EVIDENCE GETS
CHANGED OR DISAPPEARS. THUS, I WAS WORRIED ABOUT MY MENTAL HEALTH!

MIRROR SITE FROM "IN NETWORK CONNECTIONS"

1)ADDRESS/URL:
MS-ITS:C:\WINDOWS\Help\netcfg.chm::/EXEC=,control.exe, netconnections
CHM=ntshared.chm FILE=alt_url_windows_component.htm

2)GENERAL:
EXEC=,control.exe, netconnections CHM=ntshared.chm
FILE=alt_url_windows_component.htm

THIS IS FROM MY "BROWSER ADDRESS BOX"
1)REDIRECT (UNVERIFIED, JUST LOOK) TO A FAKE MS SITE:
http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=home

FINALLY, I HOPE TO GET ON-LINE AND ASK OPEN OFFICE ABOUT THEIR
SOFTWARE PLATFORM. IN THE INTERIM, AND IF YOU HAVE THE INTEREST, MY
"PYTHON FOLDER" HAS AN ENTIRE TEST SITE. IT IS ONE \ FOLDER UNDER THE
PYTHON FOLDER. THE PROGRAMS ARE "INFANTS" AND HAVE CODE
EXPLANATIONS. OBVIOUSLY, THE INF, COM, HML, ARE EASIER TO READ; BUT
THE DLL HAVE SOME MEAT. READ THE BOTTOM OF THE DLL FIRST. I AM
PRETTY SURE YOU HAVE THE VIRUS. SORRY, I KNOW YOU WERE TRYING TO HELP
AND THE TENACITY OF THE BUG IS AMAZING...

GIVE ME A CALL THIS WEEK AND TELL ME IF I NEED A STRAIGHT JACKET.

-- JC

PS: I COULD GO ON FOR HOURS... IT LIKES TO PICKLE IMAGES, RECORDINGS,
ETC. I THINK IT IS EASIER. IT HAS A PREFERENCES PROGRAM TO TRACK
YOU...IT DOES HAVE CODE THAT IMPERSONATES REGISTRATION OF SOFTWARE,
LOG ONS, ETC. IT ALSO HIDES BY CALLING A RESPECTABLE PROGRAM WHICH IN
TURN CALLS A PYTHON SYSTEM PROGRAM (USUALLY HAS A *32* OR *NT32*). IT
USES THE WMI NAMESPACE, REMOTE ACCESS - EARLY ON IT MAKES WINXP (OR
YOUR OS) THINK YOU ARE ASKING FOR HELP FROM THE ABOVE SITE. IT
REQUESTS FROM YOUR COMPUTER REMOTE ASSISTANCE. ONCE THAT IS DONE IT IS
OVER. IT DOWNLOADS A SERIES OF PROGRAMS, MAINLY DLLS RAN AS APPS .. I
CAN PRETTY MUCH LIST THE PROGRESSION FOR YOU ..MSVCRT (MAKE PROXY
MIRROR CONNECTION) REGVR32 (REGEDIT OR SERVER I FORGET)
ADVAPI32...RPCRT4 (?).. USER32 ...GDI32.. OLE32, HIMENG, ACGINARL,
WINMA (?) .. OLEAVT32... SACM32......AND SO ON. EVENTUALLY YOUR
ENTIRE OS IS NT32 WITH A WINXP/98/ETC SHELL AND

...............YOU ARE NO LONGER IN KANSAS DOROTHY..........

I have no idea what all of this means, if anything. Again, I
appreciate any advice the group can give me.

Jack

David H. Lipman

Sep 14, 2009, 6:53:36 PM
From: "JClark" <jcl...@nomail.invalid>

JClark:

Tell your son to do the following...


Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in the post with a full explanation of the problem
and/or suspicions and what has been done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where he can get expert advice, assistance and one-on-one direction.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

1PW

Sep 14, 2009, 6:55:55 PM

Hello Jack:

The AV protection you installed is excellent. What other antimalware
protection have you installed?

--
1PW

FromTheRafters

Sep 14, 2009, 7:07:03 PM
"JClark" <jcl...@nomail.invalid> wrote in message
news:3cgta5d0epn8s3bef...@4ax.com...

I would be more concerned about your son in this case. It seems he
suspects mental issues, as do I. His confidence in his computer's
security will *never* be restored until he can think clearly. His fears
will not be refuted by logic unless he begins thinking logically.

I'm sorry, this is not meant to be mean spirited.


JClark

Sep 14, 2009, 7:31:03 PM

I installed "Online Armor" for firewall. And I think I put
Superantispyware on as well, but I've messed with several systems
lately, and I'm not sure about the last SAS. I put malwarebytes on
some of them. (I'm not a pro ... just a lot of family and friends
asking for my help lately.)

Thanks.

Jack

JClark

Sep 14, 2009, 7:33:42 PM

Rafters,

I completely understand, and you have expressed my own concerns as
well. I am very grateful for your thoughts.

Jack

David W. Hodgins

Sep 14, 2009, 10:37:11 PM
On Mon, 14 Sep 2009 18:40:38 -0400, JClark <jcl...@nomail.invalid> wrote:

> I have no idea what all of this means, if anything. Again, I
> appreciate any advice the group can give me.

The OpenOffice application is written mostly in the Python
language. There should be almost a thousand .py files in
C:\Program Files\OpenOffice.org 3\Basis\program\python-core-2.3.4\lib
and its subdirectories.

If he can handle the learning curve, you may want to suggest
he investigate installing a version of linux. My preference
is Mandriva Linux Free 2009 Spring from
http://www.mandriva.com/en/download/free
although ubuntu from
http://www.ubuntu.com/GetUbuntu/download
seems to be more popular right now.

He'd find lots of python programs there :-), as well as other
scripts etc, but at least he wouldn't have to worry about
getting a virus.

Sounds like it's going to be difficult to convince him that
nothing he's found so far indicates any malware infection.

Best of luck!

JClark

Sep 15, 2009, 12:45:12 AM
On Mon, 14 Sep 2009 22:37:11 -0400, "David W. Hodgins"
<dwho...@nomail.afraid.org> wrote:

>On Mon, 14 Sep 2009 18:40:38 -0400, JClark <jcl...@nomail.invalid> wrote:
>
>> I have no idea what all of this means, if anything. Again, I
>> appreciate any advice the group can give me.
>
>The OpenOffice application is written mostly in the Python
>language. There should be almost a thousand .py files in
>C:\Program Files\OpenOffice.org 3\Basis\program\python-core-2.3.4\lib
>and its subdirectories.
>
>If he can handle the learning curve, you may want to suggest
>he investigate installing a version of linux. My preference
>is Mandriva Linux Free 2009 Spring from
>http://www.mandriva.com/en/download/free
>although ubuntu from
>http://www.ubuntu.com/GetUbuntu/download
>seems to be more popular right now.
>
>He'd find lots of python programs there :-), as well as other
>scripts etc, but at least he wouldn't have to worry about
>getting a virus.
>
>Sounds like it's going to be difficult to convince him that
>nothing he's found so far indicates any malware infection.
>
>Best of luck!
>
>Regards, Dave Hodgins

It seems clear now that the "viruses" are imaginary. I greatly
appreciate your input and that of the others in the group.

Jack

FromTheRafters

Sep 15, 2009, 8:58:45 AM

"JClark" <jcl...@nomail.invalid> wrote in message
news:cs6ua5562ift8eavv...@4ax.com...

If converting to Linux - be advised that "masquerading" is also normal
computerese terminology. :o)

There are *always* things that look suspicious to the suspicious
mind...as they say - to a hammer, everything looks like a nail.


JClark

Sep 15, 2009, 9:37:09 PM

Again, thank you.

Jack
