Re: [Freedos-user] Malware III

2009-09-11 Thread Eric Auer

Hi Kurt,

www.virustotal.com/analisis/b97305ed784aa31390f07840b8d8fe578a473d8612693b1a255520b4d870e535-1181473738

already shows an analysis of the suspicious filetype dll file.
Executable files exist in lib/locale.so, plugins/ ssavers/ and
of course in the ndn Linux executable itself. Clamscan Linux
only finds the dll suspicious, though.

Results: Antivir 1226, Avast Krile-5880, ClamAV DOS.PS-MPC.Gen1,
Fortinet suspicious, Webwasher 1226, received 2007.06.10 ...

I requested a re-analysis and now virustotal says:

a-squared Virus.Krile.5880!IK, AhnLab-V3 Win-Trojan/Xema.variant,
AntiVir 1226, Avast Krile-5880, ClamAV DOS.Benediction,
GData Krile-5880, Ikarus Virus.Krile.5880, Artemis!2dff4f88a041,
McAfee-GW Virus.1226, Panda suspicious, Sophos Mal/Generic-A.

This still means that many well-known scanners have nothing
to complain about the file - Prevx, Symantec, Trendmicro,
Kaspersky, DrWeb, BitDefender, AVG... to mention a few.

name     viradd   virsiz   rawdsiz  ntrpy  md5
CODE32   0x1000   0x152c0  0x15400  6.23   0f8a49f974e93c4d91e050f9c697210e
CONST32  0x17000  0x21274  0xde00   6.18   f8f86c23fa95d8cb9fcd2d2dfe55a17f
.idata   0x39000  0x14     0x200    0.00   bf619eac0cdf3f68d496ea9344137e8b
.edata   0x3a000  0xc4     0x200    2.26   84eeb05e282546c09bef340e22a339b5
.reloc   0x3b000  0x1790   0x1800   6.77   54dedf3f810cd3a6b7e5c69eff9cdb3c

This leaves a kind of mixed feeling, so I looked inside the file:
NDN filetype detection plugin 1.0, 2001 based on GetTyp 1998 by
Philip Helger / PHaX ... it finds a number of un-unpackable exe
packers, so it probably also looks as if it is un-unpackable
itself to antivirus scanners which do not look closely?

Some URLs:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74420
Xema - but then more scanners would see it as Xema.

http://vil.nai.com/vil/content/v_4137.htm
Krile - would be 5880 bytes and from 1997, overwrites first
5880 bytes of victim, puts original in encrypted form at end
McAfee would detect it, but it says only 1226...

http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=vis&idvirus=3
The 1226 virus would steal information but is from 1990,
which means it would be unlikely to even know internet?
It would be polymorphic as well and would block some pages,
which again makes no sense for such an old virus... As the
name says, 1226 would be 1226 bytes in size.

Maybe the NDN people can change the file to make sure
nobody thinks it would be a virus. While they are at
it, they can check it for viruses themselves, too...
They probably should reduce the number of "protector"
and "hackish packer" detections, if you ask me.

Eric

> I have again downloaded: ndn_2_31_3836_bin_lnx.tgz; I got it from:
> http://ndn.muxe.com , which was furnished to me by rugxulo...
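The section table pasted above (name, virtual address, sizes, entropy, md5) is something a defender can regenerate locally before deciding whether a scanner verdict on a "looks packed" file is worth anything. The following is an added example, not code from this thread or from NDN: a pure-Python walk of a PE section table that computes the same columns and flags sections whose entropy suggests packed or encrypted content. The two-section image it parses is constructed inline for the demonstration and is not the NDN plugin.

```python
import hashlib
import math
import struct

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:                      # virtual-only sections (e.g. .bss) have no raw data
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image):
    """Walk the PE section table and return one row per section with the same
    columns as the scanner report: name, viradd, virsiz, rawdsiz, ntrpy, md5."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)          # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", image, e_lfanew + 6)     # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                # first 40-byte section header
    rows = []
    for _ in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
                     "ntrpy": round(shannon_entropy(raw), 2),
                     "md5": hashlib.md5(raw).hexdigest()})
        off += 40
    return rows

def high_entropy_sections(rows, threshold=7.0):
    """Compiled code sits near 6 bits/byte; sections above ~7 look packed or encrypted."""
    return [r["name"] for r in rows if r["ntrpy"] > threshold]

def build_sample_pe():
    """Constructed two-section image (no optional header, not loadable): an all-zero
    .idata like the report's, plus a PACKED section with every byte value twice."""
    idata, packed = b"\0" * 0x200, bytes(range(256)) * 2
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, opt hdr 0
    secs = struct.pack("<8sIIIIIIHHI", b".idata", 0x14, 0x1000, len(idata), 0x200, 0, 0, 0, 0, 0x40000040)
    secs += struct.pack("<8sIIIIIIHHI", b"PACKED", len(packed), 0x2000, len(packed), 0x400, 0, 0, 0, 0, 0x60000020)
    headers = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + secs
    return headers.ljust(0x200, b"\0") + idata + packed
```

Running `pe_sections(build_sample_pe())` yields the .idata row at entropy 0.00 and the PACKED row at 8.00, and `high_entropy_sections` returns only `["PACKED"]`; on a real file, pass `open(path, "rb").read()` instead.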



--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
___
Freedos-user mailing list
Freedos-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-user


[Freedos-user] Malware III

2009-09-11 Thread kurt godel
To everyone interested:
I have again downloaded: ndn_2_31_3836_bin_lnx.tgz; I got it from:
http://ndn.muxe.com , which was furnished to me by rugxulo. I have still not
decompressed it, because I have just moved, and I don't have all my
equipment here. I usually dissect
dangerously interesting things on a different computer, not the "main" one I
have tediously configured. I even fear to look at it with the hexeditor,
since this 'opens' the file. Sounds paranoid? I tried sending the file over
to the ubuntu partition, and
seem to be having undue trouble with changing the permissions, including,
but not limited to it wanting me to assume root status, which in ubuntu is
nasty, since going beyond 'sudo' gives malware an extra "handle" , namely, a
root password which
normally wouldn't exist in ubuntu, if you are familiar with it. So, it sits
in a folder with the little padlock symbol, which I didn't put there, as if
to bait me!
To be honest, I also scanned it with bughunter, which found nothing. *but,
the clamwin is quite advanced, and clearly is sophisticated enough to look
into an uncompressed file with an "alien" filesystem(linux)* , so can you
blame me for being suspicious?
   Again, I have not yet seen clamwin get chumped by non-malware; this may
be a first, but the on-the-fly scanners seem to be the ones that get fooled.
--kurtwb2...@gmail.com.


Re: [Freedos-user] keyb and freedos

2009-09-11 Thread Henrique Peron

Hi Roberto,

I must add that it shouldn't even be necessary: just "KEYB UK" should
do.

On the other hand, I'm aware that there are two distinct british
keyboard layouts.

You should just try "keyb uk" first. See if *all* key labels match what
you're typing. If you're successful, you should find the euro sign
under  + <4>.

If your keyboard layout is the other one, then you should try "keyb uk
/id:168". Again, test all your keys. If you're successful, you should
find the euro sign under  + .

If you're still in trouble, please let me know.

Regards,
Henrique

Aitor Santamaría wrote:

> Sorry, I was wrong. The problem is with the syntax: drop the 'CP' letters:
>
> keyb UK,858,keyboard.sys
>
> Regards,
> Aitor
>
> On 11 September 2009 15:48, Aitor Santamaría
>  wrote:
>> Roberto, I got your mail but am quite busy this week.
>> The person that may easily help would be Henrique Peron (for knowledge).
>>
>> Regards,
>> Aitor
>>
>>
>> 2009/9/11 Eric Auer :
>>>
>>> Hi Roberto,
>>>
>>> I am no expert for KEYB,  but even if Aitor is too busy to
>>> answer, I am sure somebody on freedos-user can help you :-)
>>>
>>> Eric
>>>
>>> Roberto iw2evk tiscali.it wrote:
>>>
>>>> I've written to Aitor Santamarino without result so I write you...
>>>> I want install keyb UK with CP858 (euro sign).
>>>> I tried  keyb UK,CP858 ,,keyboard.sys  but does not work...
>>>> I've added the path to keyboard.sys  but failed...
>>>> What is the right command?
>>>> Many thanks in advance
>>>> Roberto  iw2ek


Re: [Freedos-user] keyb and freedos

2009-09-11 Thread Aitor Santamaría
Sorry, I was wrong. The problem is with the syntax: drop the 'CP' letters:

keyb UK,858,keyboard.sys

Regards,
Aitor

On 11 September 2009 15:48, Aitor Santamaría
 wrote:
> Roberto, I got your mail but am quite busy this week.
> The person that may easily help would be Henrique Peron (for knowledge).
>
> Regards,
> Aitor
>
>
> 2009/9/11 Eric Auer :
>>
>> Hi Roberto,
>>
>> I am no expert for KEYB,  but even if Aitor is too busy to
>> answer, I am sure somebody on freedos-user can help you :-)
>>
>> Eric
>>
>> Roberto iw2evk tiscali.it wrote:
>>
>>> I've written to Aitor Santamarino without result so I write you...
>>> I want install keyb UK with CP858 (euro sign).
>>> I tried  keyb UK,CP858 ,,keyboard.sys  but does not work...
>>> I've added the path to keyboard.sys  but failed...
>>> What is the right command?
>>> Many thanks in advance
>>> Roberto  iw2ek
>>
>>
>>


Re: [Freedos-user] keyb and freedos

2009-09-11 Thread Aitor Santamaría
Roberto, I got your mail but am quite busy this week.
The person that may easily help would be Henrique Peron (for knowledge).

Regards,
Aitor


2009/9/11 Eric Auer :
>
> Hi Roberto,
>
> I am no expert for KEYB,  but even if Aitor is too busy to
> answer, I am sure somebody on freedos-user can help you :-)
>
> Eric
>
> Roberto iw2evk tiscali.it wrote:
>
>> I've written to Aitor Santamarino without result so I write you...
>> I want install keyb UK with CP858 (euro sign).
>> I tried  keyb UK,CP858 ,,keyboard.sys  but does not work...
>> I've added the path to keyboard.sys  but failed...
>> What is the right command?
>> Many thanks in advance
>> Roberto  iw2ek
>
>
>


Re: [Freedos-user] keyb and freedos

2009-09-11 Thread Eric Auer

Hi Roberto,

I am no expert for KEYB,  but even if Aitor is too busy to
answer, I am sure somebody on freedos-user can help you :-)

Eric

Roberto iw2evk tiscali.it wrote:

> I've written to Aitor Santamarino without result so I write you...
> I want install keyb UK with CP858 (euro sign).
> I tried  keyb UK,CP858 ,,keyboard.sys  but does not work...
> I've added the path to keyboard.sys  but failed...
> What is the right command?
> Many thanks in advance
> Roberto  iw2ek


