Trojans: common programming language?

Discussion in 'Computer Security' started by tarquinlinbin, Apr 27, 2004.

  1. Hello,
    I was wondering if there is a common language in which trojans and
    indeed viruii are programmed?

    I ask because there is a file that I would like to study to find out
    what it is and what it does.
     
    tarquinlinbin, Apr 27, 2004
    #1

  2. On Tue, 27 Apr 2004 23:18:41 +0100, tarquinlinbin
    <> wrote:

    >Hello,
    >I was wondering if there is a common language in which trojans and
    >indeed viruii are programmed?
    >
    >I ask because there is a file that I would like to study to find out
    >what it is and what it does.


    No. Viruses can be and are written in a range of different languages.

    A lot of the latest Trojans have been pumped out in VB, mostly due to
    the fact that VB is taught widely in schools.

    If you remember the Melissa Virus (incorrectly called a virus) it was
    a macro worm written in VBA (Visual Basic for Applications) which is
    strongly implemented in Office 97 and above.

    The Blaster worm was well written in Visual C#.NET (ignoring a small
    error that crashed infected computers and defeated its stealth attack
    plan).

    Many of the first viruses were written in assembly language, C or Python.
    Most scripting worms use VBS or Windows Scripting. Other modern worms
    and Trojans are written in RAD languages such as VB or even C++.

    When talking computers, the plural of virus is viruses, though either
    is acceptable. Some people are just picky.

    Many modern programming languages write a signature to the file
    indicating the owner of the machine, the serial number for the
    software/OS and many other traceable bits of information.

    If you were wanting to compile a virus for testing/research purposes,
    please ensure you disconnect every part of the LAN from the net. Also
    ensure that before reconnecting, you format EVERY hard drive for EVERY
    computer on the LAN at the time of testing, even if you 'know' that
    particular machine is not infected.

    Letting a virus get out into the wild is not only irresponsible but,
    in most countries, is a higher offence than a hit-and-run. WHEN (not
    if) you get tracked and caught, you will be looking at a definite jail
    term (possibly quite long) as well as fines and suits totaling a
    couple of hundred million dollars.

    I would recommend a lot of reading on the subject and also to join
    SANS and CERT and read as many white papers as possible. You will also
    need to learn C and assembly.

    As almost every virus has been disassembled by professionals, there is
    a lot of information out there regarding what certain viruses do. To
    Google for this information, search <VirusName/FileName> and "White
    Paper"

    I would recommend duplicating someone else's study before trying to do
    your own. It will be a difficult yet rewarding experience.

    If you are thinking about writing a virus, don't! You are probably
    already flagged by several government departments for posting such a
    question as this.

    HTH

    Aaron Lingwood
     
    Aaron B. Lingwood, Apr 28, 2004
    #2

  3. On Wed, 28 Apr 2004 09:52:15 +1000, Aaron B. Lingwood
    <ten.EGNUM.edonretni@reraos where munge='on'> wrote:


    >
    >If you are thinking about writing a virus, don't! You are probably
    >already flagged by several government departments for posting such a
    >question as this.
    >
    >HTH
    >
    >Aaron Lingwood

    Hi Aaron, well, I'm not thinking of writing a virus; I'm not clever
    enough to do that! No, my problem is that I have a file which needs
    to be investigated. It's a small exe, about 50kb. It doesn't flag as a
    virus when scanned with several packages but it does have dubious
    purpose!
    joe
     
    tarquinlinbin, Apr 28, 2004
    #3
  4. On Wed, 28 Apr 2004 13:23:15 +0100, tarquinlinbin
    <> wrote:

    >Hi Aaron, well, I'm not thinking of writing a virus;

    Good to hear.
    >I'm not clever enough to do that!

    Trust me, half the viruses out there were written by quite dull
    beings.
    >No, my problem is that I have a file which needs
    >to be investigated. It's a small exe, about 50kb. It doesn't flag as a
    >virus when scanned with several packages but it does have dubious
    >purpose!
    >joe


    No problem. I will try to answer any questions you have. Also, you may
    want to mention the filename and any other information as chances are,
    someone here has come across the file before.


    Aaron Lingwood
     
    Aaron B. Lingwood, Apr 28, 2004
    #4
  5. On Thu, 29 Apr 2004 03:25:59 +1000, Aaron B. Lingwood
    <ten.EGNUM.edonretni@reraos where munge='on'> wrote:

    >On Wed, 28 Apr 2004 13:23:15 +0100, tarquinlinbin
    ><> wrote:
    >
    >>Hi Aaron, well, I'm not thinking of writing a virus;

    >Good to hear.
    >>I'm not clever enough to do that!

    >Trust me, half the viruses out there were written by quite dull
    >beings.
    >>No, my problem is that I have a file which needs
    >>to be investigated. It's a small exe, about 50kb. It doesn't flag as a
    >>virus when scanned with several packages but it does have dubious
    >>purpose!
    >>joe

    >
    >No problem. I will try to answer any questions you have. Also, you may
    >want to mention the filename and any other information as chances are,
    >someone here has come across the file before.
    >
    >
    >Aaron Lingwood

    Well, I can refer you to my previous posting on this item, as below.

    quote..
    Hello,
    it might be me who's getting paranoid but I'm convinced something is
    not right. NIS flagged up

    outbound tcp connect

    remote address is www.superdomen.fig (217.69.122.26) http (80)

    process name is c:\windows\system32\sspool.exe

    I blocked it. Checking the NIS log file, sometimes the above remote IP
    is 217.69.116.217

    sspool.exe is not a legit file as far as I know. Looking in the sys32
    folder, it was pretending to be a screensaver and its icon was a
    barcode picture. I had to reboot in safe mode to delete it, as access
    was denied otherwise.

    A couple of weeks ago the same thing happened, only this time it was
    called mspool.exe; again, barcode icon, non-legit file.

    My main problem is how are these items appearing in my sys32 folder?
    I'm convinced that there is some kind of morphic trojan/virus but
    NIS/NAV doesn't flag it, also I can't find any info on the above IP
    nos.

    Does this sound familiar to anyone?

    unquote...

    The file, once deleted, morphs and reappears, so far as

    up1

    up2


    the latest being csrsc.exe, which I captured to a floppy before
    deleting. I submitted the file to www.anti-trojan.org and also to
    Symantec using their SARC engine; no replies from either. I will
    happily email this item to any interested parties. It's 50k and does
    not flag as a virus with NIS (regularly updated); nevertheless it is
    malicious. I suspect it might be a trojan server. I have
    since severely clamped the security on the PC and have had no
    recurrences so far, though I am not 100% confident that it's sorted
    yet.
     
    tarquinlinbin, Apr 29, 2004
    #5
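
The reappearance of an unknown executable under changing names, as described in the post above, can be tracked with a hash baseline of the directory. This is an added example, not part of the original thread: the temporary directory, the dummy file contents and the `snapshot`/`diff` helpers are constructed for illustration, and only the file names are taken from the post.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".dll"}

def snapshot(directory):
    """Map lower-cased file name -> SHA-256 for every executable in directory."""
    snap = {}
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            snap[p.name.lower()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def diff(baseline, current, known_bad=()):
    """Compare two snapshots; known_bad holds hashes of files removed earlier."""
    report = {"new": [], "changed": [], "missing": [], "reappeared": []}
    for name, digest in sorted(current.items()):
        if digest in known_bad:
            report["reappeared"].append(name)  # same bytes, possibly a new name
        elif name not in baseline:
            report["new"].append(name)
        elif baseline[name] != digest:
            report["changed"].append(name)
    report["missing"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed scenario: names from the post, contents are dummy bytes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notepad.exe").write_bytes(b"constructed-legit-binary")
        baseline = snapshot(root)
        (root / "sspool.exe").write_bytes(b"constructed-sample-A")
        first = diff(baseline, snapshot(root))
        # Record the hash of the unknown file before deleting it.
        bad = {snapshot(root)["sspool.exe"]}
        (root / "sspool.exe").unlink()
        # The same bytes return under another name, plus a different build.
        (root / "mspool.exe").write_bytes(b"constructed-sample-A")
        (root / "csrsc.exe").write_bytes(b"constructed-sample-B")
        second = diff(baseline, snapshot(root), bad)
        return first, second

if __name__ == "__main__":
    print(demo())
```

A file whose bytes differ on each return lands in `new` rather than `reappeared`, so both lists need review.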