[20:09] <LadyDana> Hello everyone. :*)
[20:09] <LadyDana> Thank you all for coming! Allow me to first mention how excited I am about holding this class. It has been quite a while since the Help Committee has held any classes, so this is somewhat of a first if you will. :)
[20:09] <LadyDana> This class was organized because we noticed that there was a big difference in the answers that a user could get to same question ... all depending on which help channel they might have asked it in at the time.
[20:10] <LadyDana> This information session is specifically about the current situation on the most wide-spread viruses, backdoors and trojans.
[20:10] <LadyDana> I would very much like to thank RichG aka Richku for getting all the information to me ... and at very short notice at that! 
[20:10] * LadyDana grins at Richku
[20:10] <LadyDana> There are also the various #NoHack ops and DALnet exploits@ team members who have made themselves available to answer any questions that you may have.
[20:10] <Richku> *cough* :)
[20:11] <LadyDana> It's also very likely that some of these people will have things to add at the end (or even during ;) the session. They are quite more knowledgable about this than me.
[20:11] <LadyDana> So, a big big thanks to all of you!! *hugs*
[20:11] <LadyDana> Just a short sidenote before everyone starts asking me the same question. YES, this class is being logged and YES, it will be made available in a little while to anyone who wants it.
[20:11] <zukeee> *hides*
[20:11] <LadyDana> Now, on to the interesting stuff ;)
[20:12] <LadyDana> I don't really like moderating a class, but due to the great number of people present here today, we don't really have a choice ...
[20:12] <LadyDana> If you have questions then *please* HOLD ON to them. There will be moments throughout the class when we will have Question and Answer sessions.
[20:12] <LadyDana> There are already people asking me about the +m ;)
[20:13] <LadyDana> Speaking of Questions and Answers, that's how the introduction of the information session has been set up. There are some common questions that often get asked, so we will start with them ... just to warm you up! ;)
[20:13] <LadyDana> ееееееее Introduction ееееееее
[20:13] <LadyDana> [Q] 'What is a computer virus?'
[20:13] <LadyDana> [A] A piece of programming code that infects other computer
[20:13] <LadyDana> files/media and sometimes causes damage.
[20:14] <LadyDana> [Q] 'What is a trojan horse virus?'
[20:14] <LadyDana> [A] A piece of programming code that does NOT infect other computer files/media, but just causes destruction or annoyance.
[20:14] <LadyDana> [Q] 'What is a backdoor trojan horse virus?'
[20:15] <LadyDana> [A] A piece of programming code that, when executed, hides in the background listening for connections over the Internet or a LAN.
[20:15] <LadyDana> Usually they allow complete manipulation of the infected computer.
[20:15] <LadyDana> [Q] 'What is a worm?'
[20:15] <LadyDana> [A] A piece of programming code that does nothing but spread and sometimes destroy.
[20:15] <LadyDana> [Q] How do backdoor trojan horse viruses work?
[20:16] <LadyDana> [A] (psst, I'm horrible at ASCII art so be kind ;)
[20:16] <LadyDana> - Infected computer (server) = A.
[20:16] <LadyDana> - Hacker A (client over Internet) = B.
[20:16] <LadyDana> - Hacker B (client over LAN) = C.
[20:16] <LadyDana>                 A --- Internet --- B
[20:16] <LadyDana>                 |
[20:16] <LadyDana>         LAN (local area network)
[20:16] <LadyDana>                 |
[20:16] <LadyDana>                 C
[20:17] <LadyDana> (Woohoo! It worked! ;)
[20:17] <LadyDana> In this case, we are presuming there are two hackers: One connected to
[20:17] <LadyDana> the Internet and one on the same LAN as the infected computer (A).
[20:17] <LadyDana> The CLIENT part of the trojan can connect to the SERVER part (the server runs on the infected computer) and once the connection is established, the server executes any commands sent from the client.
[20:18] <LadyDana> So .. do you have any questions? If so, please /msg Dana-Class ME!! <-- I'll voice you one by one.
[20:18] <BadDreams> cool
[20:18] <BadDreams> im first :)
[20:19] <BadDreams> MY question is generally, do you know which virus is affecting DALnet the most?
[20:19] <BadDreams> i mean has there been any trending done to see?
[20:19] <LadyDana> We will actually list some of the most common ones and their characteristics in a bit :)
[20:19] <LadyDana> There are also at least 2 nohack mailing lists that I am aware of ..
[20:19] <BadDreams> ic
[20:19] <LadyDana> They are composed of people from many different networks who exchange information with each other.
[20:20] <BadDreams> It would be nice to see by class, if it was possible, which virus's are targeting here the most.
[20:20] <BadDreams> thanx for answering :)
[20:20] <BadDreams> im done
[20:20] <LadyDana> =)
[20:20] <KitFox> BadDreams: Be aware that with the new ircd code, some of us ARE beginning to keep some records on what viruses are present on the network.
[20:20] <LadyDana> Actually, I believe that KitFox has some stats for you a bit later on <g>
[20:21] * KitFox is just trying to figure out how to set up the overhead projector. He'll have the stats then.
[20:21] <LadyDana> *smile*
[20:21] <LadyDana> Wuher?
[20:21] <Wuher> Dana r0x0r! *erp.. settles down and asks* Do all akill/kline reasons under the subjects we're covering here come under (exp/specific), or is there another entitlement 'sides exploits?
[20:22] <zukeee> yes Wuher 
[20:22] <zukeee> we have all or try and have all of our akills with codes
[20:22] <zukeee> they can be found at http://kline.dal.net/exploits/exploitsakill.htm
[20:23] <LadyDana> :)
[20:23] <LadyDana> Anything else Wuher?
[20:24] <LadyDana> Well, Wuher seems to have fallen asleep .. I'll just move on to the next person <g>
[20:24] <LordKaT> hmmm so is it possible for a virii being run from a client machien to actually corrupt the registry of a server under a win98 network?
[20:25] <KitFox> Only if the client machine has access to the server, or the virus infects the server
[20:25] <LordKaT> mm i guess thats more of a networking security issue, thanks anyway :)
[20:26] <Zeus-> what is the best virus scanner to use against the trojans that are rapidly infecting dalnet?
[20:26] <awni2> Zeus- common sense
[20:26] <Zeus-> [awni2] no. i mean to recommend to others.
[20:26] <Richku> awni has spoken :)
[20:26] <Zeus-> lol.
[20:27] <Richku> The Cleaner, a trojan remover, is a good one..
[20:27] <awni2> most virii that spread on dalnet are new
[20:27] <sour> norton, mcaffee
[20:27] <sour> those are two good ones
[20:27] <Richku> it's updated weekly with the newest trojan definitions
[20:27] <awni2> so antivirus programs don't have them covered when they hit 
[20:27] <Zeus-> alright.  thanks
[20:27] <awni2> so if you get the virus when it first hits, your antivirus won't help you
[20:27] <zukeee> I send any that i get to www.nai.com or to www.sophos.com 
[20:27] <KitFox> We do make every attempt to forward any virus files we locate to AntiVirus companies to include in their scanners.
[20:27] <LadyDana> Last one for now .. :) We can have a free for all at the end
[20:27] <Richku> www.moosoft.com if you're interested
[20:27] <GoodBoy26> just one think: it doesn't make sense to write in a akill/kline msg that someone should join #nohack... I've seen some victims who were in our channel and they've got akilled... not really full of sense, sorry.
[20:28] <KitFox> Trend Micro also gets copies.
[20:28] <LadyDana> We try to refer people to the website more than anything else ..
[20:28] <LadyDana> However, there are some people that don't pay attention to kills
[20:29] <LadyDana> They just keep coming back over and over again, still infected and ignoring the advice.
[20:29] <LadyDana> A very short akill is a good way to actually get their attention .. but it's usually used as a last resort.
[20:29] <GoodBoy26> yes I know... but I've seen some msg's with that channel .... I know that you like the website so just don't mention #nohack :)
[20:29] <LadyDana> :)
[20:29] <sour> if they get lost when they go to the website, once the akill is over they can join #nohack and get help 
[20:30] <LadyDana> good point sour .. :)
[20:30] <GoodBoy26> hmm ok... but again, I've seen them akilled when they were in #nohack
[20:30] <sour> 'i was told to go to www.nohack.net/jday.html, i went and did what it told me to do, can you please tell me if i'm still infected?'
[20:30] <LadyDana> Miscommunications happen :)
[20:31] <LadyDana> Thank you GoodBoy26. :)
[20:31] <awni2> sometimes they get akilled because they're lagged
[20:31] <GoodBoy26> no prob
[20:31] * LadyDana continues ...
[20:31] <awni2> the ircop who akills them doesn't see them join #nohack 
[20:31] <LadyDana> ееееееее Methods of Infection ееееееее
[20:31] <LadyDana> The following files can contain harmful programming code: (flood coming up .. )
[20:32] <LadyDana> ° .com          - MS-DOS programs.
[20:32] <LadyDana> ° .vbs          - Microsoft Visual Basic scripts.
[20:32] <LadyDana> ° .js           - Java scripts.
[20:32] <LadyDana> ° .scr          - Screensavers.
[20:32] <LadyDana> ° .exe          - Windows programs.
[20:32] <LadyDana> ° .doc          - Rich-Text (WordPad) documents.
[20:32] <LadyDana> ° .xl?          - Microsoft Excel spreadsheets.
[20:32] <LadyDana> ° .dot          - Microsoft Office Document Templates.
[20:32] <LadyDana> ° .bat          - MS-DOS Batch Files.
[20:32] <LadyDana> ° .tsk          - Windows Task Scheduler files.
[20:32] <LadyDana> ° .inf          - Windows configuration settings/scripts.
[20:32] <LadyDana> ° .ocx          - ActiveX controls.
[20:32] <LadyDana> ° .pif          - Program information files.
[20:32] <LadyDana> 
[20:32] <LadyDana> * Important * 
[20:33] <LadyDana> You should note that there are more, but that these are the most common/dangerous ones. Ideally (and sensibly), don't run an unknown file without checking it out with a virus scanner first.
[20:33] <LadyDana> Here is some misc. information :)
[20:33] <LadyDana> The Windows Scripting Host is installed by default with Windows 98. It allows .vbs and .js files to be executed and processed.
[20:34] <LadyDana> WordPad has an exploit which allows programs embedded in WordPad/Microsoft Word documents (.doc files) to be executed automatically when the document is opened.
[20:34] <LadyDana> Program information files (.pif files) can also be exploited: If coded properly, these files can function exactly like MS-DOS Batch files (.bat files).
[20:34] <LadyDana> The Jpg.bat worm sends itself using raw socket commands, instead of mIRC's own, built-in DCC system. This allows the worm to spread without this being noticed by the infected user.
[20:35] <LadyDana> I'll quickly go on to the first virus/backdoor/trojan.
[20:35] <LadyDana> ееееееее Judgement Day ееееееее
[20:35] <LadyDana> -> Removal: http://www.nohack.net/jday.html
[20:35] <LadyDana> Judgement Day is a farily new IRC worm. It is distributed as .vbs files (Visual Basic Scripts) and .js files (Java Scripts).
[20:35] <LadyDana> It invisibly creates an IRC drone which connects like a normal user but...
[20:36] <LadyDana> ° listens for commands which can manipulate the IRC drone or the infected user's computer;
[20:36] <LadyDana> ° sends the Judgement Day worm to anyone who joins a channel the IRC drone is on;
[20:36] <LadyDana> ° accepts any files sent to it (only some versions of Judgement Day do this because some are buggy);
[20:36] <LadyDana> ° looks for the biggest channels and joins them;
[20:36] <LadyDana> ° spies on the infected user's conversations.
[20:36] <LadyDana> Judgement Day has been pretty much wiped out from DALnet, thanks to the cooperation of infected channels and helpers.
[20:37] <LadyDana> Okay, second Question & Answer session .. we'll take 5 only :) If you have already asked a question then please give others a chance.
[20:37] <LadyDana> /msg Dana-Class ME!! <-- for a question
[20:38] <Koolbie> Three questions:  1.  Is there a diffe
[20:38] <Koolbie> rence between a trojan horse and virus?  2. Does a trojan replicate or does just a virus replicate?   3. Where does a computer virus hide in your pc?
[20:38] <Koolbie> bad typos sorry
[20:38] * awni2 wants to answer
[20:38] <Koolbie> shoot
[20:39] <awni2> a trojan is a program that poses as a good file , but it is not
[20:39] <Koolbie> k
[20:39] <awni2> a trojan does NOT copy itself to other files
[20:39] <awni2> a trojan may copy itself to other places on the hard disk or over a network 
[20:40] <awni2> a virus is not  a whole program , it needs other programs to 'live'
[20:40] <Koolbie> hmmm, I didn't think a trojan horse replicated itself
[20:40] <awni2> like a biological virus , it has to reside inside anoter program
[20:40] <awni2> it depends on how the trojan is programed 
[20:41] <awni2> if you are refering to backdoors , some replicate , some don't
[20:41] <awni2> most of them don't 
[20:41] <Koolbie> does a virus hide itself in storage areas on your pc?
[20:41] <awni2> there are 2 types of virii 
[20:41] <awni2> file infectors , and boot infectors
[20:42] <Koolbie> k
[20:42] <awni2> file infectors infect files , and boot infectors hide in the boot sector 
[20:42] <Koolbie> you get a bott infector from a boot disk I assusme
[20:42] <Koolbie> assume
[20:42] <awni2> at the end of the class , i'd like to talk about where backdoors usually hide
[20:42] <Koolbie> k
[20:42] <Koolbie> thanks
[20:42] <LadyDana> =)
[20:43] <HorseC> thanks
[20:43] <LadyDana> ^_^
[20:43] <HorseC> one question only :)
[20:43] <HorseC> Many channels on Danet are putting up bots to cycle the channel looking for users sending viri
[20:44] <HorseC> is there and thought being given to the idea of dalnet prviding this service to channels in a bot the network owns
[20:44] <LadyDana> a lot of bots are run by the massads@ team
[20:44] <LadyDana> originally, they were meant to catch spam only
[20:44] <LadyDana> now, they have also diversified to catch dcc sends
[20:44] <KitFox> HorseC: Be aware that as well, we have added some features to the ircd that block virus sends in most circumstances.
[20:45] <LadyDana> *Pyr0s* you can tell the user that .. having a single bot owned by the network would be bad, because scripts could easily avoid sending the virus to the bot if it had always the same nickname
[20:45] <HorseC> Thanks LD, and kit.... some general information on how to request these bots and about the services in the ircd would be nice, but not in this forum :)
[20:45] <LadyDana> That's a very good point too Pyr0s .. thank you <g>
[20:46] <LadyDana> Thanks for the question HorseC :)
[20:46] <BadDreams> eh
[20:46] <BadDreams> heh
[20:46] <BadDreams> sorry
[20:46] <BadDreams> ok
[20:46] <BadDreams> hold on, i forgot my question
[20:46] <BadDreams> oh yes
[20:46] <LadyDana> *sigh*
[20:46] <LadyDana> ;)
[20:46] <BadDreams> what are some typical signs of infections?
[20:47] <BadDreams> what should the avg joe look for
[20:47] <KitFox> Sending files that you do not try to send...
[20:47] <KitFox> People asking you "Why are you trying to send me this?" when you didn't send them anything...
[20:47] <LadyDana> If a stranger is sending you a file .. you should be suspicious in general ..
[20:47] <KitFox> Getting akilled with a message saying "Hey! You have a virus!"
[20:47] <BadDreams> well say, what if your infected with sub7 and your by some off chance, not sending files to ppl
[20:48] <BadDreams> i mean, if someone's only having their cd try open/closed they may think its just the pc
[20:48] <BadDreams> is there any signs or alterations windows may give to let a person know they have a infection?
[20:48] <KitFox> If you are infected with any major backdoor trojan, like SUb7, Back Oriface, etc, then there are USUALLY no outward signs of the infection at all.  
[20:48] <BadDreams> well, thats not totally true
[20:48] <awni2> BadDreams i'll talking about that at the end of the class :)
[20:48] <BadDreams> sub7, netbus all change your windows key in the info screen
[20:48] <LadyDana> okay, neat :)
[20:48] <LadyDana> BadDreams, let's hold it off for the end, k? ;)
[20:48] <BadDreams> np
[20:49] <LadyDana> Speaking of the devil .. :)
[20:49] <LadyDana> ееееееее SubSeven ееееееее
[20:49] <LadyDana> -> Removal: http://split.netset.com/miscfix/subseven.shtml
[20:49] <LadyDana> SubSeven is probably the most popular and wide-spread trojan horse virus at the moment, as it boasts lots of different features and a highly-configurable server component.
[20:49] <LadyDana> SubSeven allows the server to connect to an IRC server and broadcast the infected computer's IP address, the server's port and password and a note. It also accepts limited commands.
[20:50] <LadyDana> It's a little extensive to go into in detail for this information session, so I invite you all to go to http://subseven.slak.org if you are interested in more information. :)
[20:50] <LadyDana> ееееееее Jpg.bat ееееееее
[20:50] <LadyDana> -> Removal: http://www.nohack.net/bin/JpgBatRem.exe
[20:51] <LadyDana> There are two variants of Jpg.bat, the only difference between them, really, is that the second variant constantly sends files to people on channels. 
[20:51] <LadyDana> As mentioned above, Jpg.bat (ribbed) does not use mIRC's built-in DCC system to spread, it uses raw socket commands, invisibly.
[20:51] <LadyDana> Jpg.bat also contains a backdoor and sends messages to certain channels, containing information about what the infected user is doing.
[20:52] <LadyDana> ееееееее Movie.avi.pif ееееееее
[20:52] <LadyDana> -> Removal: http://www.nohack.net/bin/movierem.bat
[20:52] <LadyDana> This worm is fairly new. It exploits Windows' vulnerability to run and process .pif files in the same way as .bat files.
[20:53] <LadyDana> This worm is not really very dangerous... and it's boring :) So that's that, *ahem*. (Richku)
[20:53] <LadyDana> Question and Answer Session! :) /msg Dana-Class ME!! <-- limited.
[20:53] <Richku> :p
[20:54] <Moine> with these sockets, how would a user know they were infected?
[20:54] <Moine> they might not beleive people when they say they are
[20:54] <Moine> 'i'm not sending anything!'
[20:54] <KitFox> Having people ask them "Why the heck are you trying to send me this?" or being akilled or killed for sending.
[20:54] <awni2> good point , and in many cases , they don't believe it :( 
[20:54] <Moine> they might not beleive people when they say they are sending..
[20:55] <awni2> an akill makes a believe out of u :P
[20:55] <LadyDana> *ponder* Most backdoors/trojans allow people to control you.
[20:55] <Moine> what are the chances of an akill?
[20:55] <Moine> of infected users
[20:55] <LadyDana> If you can make them say something or do something .. it's proof.
[20:55] <KitFox> Very high in some circumstances.
[20:55] <Moine> thanks
[20:55] <KitFox> Occasioanlly, we run a system to automatically akill them with a special message when they attempt to send a virus file.
[20:55] <Moine> thats all
[20:56] <LadyDana> ok :)
[20:56] <scriptr> I was just wondering are there any viruses/trojans currently able to affect/infect without recieving a file through dcc?
[20:56] <KitFox> Yes.
[20:56] <scriptr> is there a list and or any defense against them?
[20:57] <awni2> through email and in some scripts 
[20:57] <KitFox> Some viruses and trojans take advantage of Open Windows SMB shares.
[20:57] <KitFox> There is no list currently compiled.  To defend against them: Don't leave any shares on your computer open.
[20:57] <scriptr> ok thats what I was wondering Kitfox ty 
[20:58] <LadyDana> :)
[20:58] <scriptr> ty awni2 I knew those too :)
[20:58] <Dalila> Do all these virus and removals work the same either for mIRC or pIRCh or vIRC, or whatever the client is?
[20:58] <KitFox> Also, may of these are now being detected by AV programs.  As we find more, we get them added to the DAT files.
[20:58] <KitFox> 99% of the viruses are Client-specific.
[20:58] <KitFox> And the VAST majority of them infect ONLY mIRC.
[20:59] <awni2> i've only seen one that affects pirch , tune.vbs
[20:59] <Dalila> ok thanks, =)
[20:59] <LadyDana> :)
[20:59] <KitFox> So, I guess you could say that one of the best ways to avoid these viruses is to not use mIRC.
[20:59] <LadyDana> Thank you Dalila.
[21:00] <awni2> i talk too much 
[21:00] <^IQ^> seein as the majority of people here are unlikely to accept files they dont know about, and we're therefore only (really) gonna be hit by them shares type virii....
[21:00] <^IQ^> how do we MAKE SURE we're safe from them...?
[21:00] <KitFox> Don't Share.
[21:01] <^IQ^> urmmm, what's sharing?
[21:01] <^IQ^> <--stoopid
[21:01] <KitFox> If you do not have any shares on your system, Share viruses can't put themselves on your system.
[21:01] <KitFox> Sharing is WIndows FIle Sharing.
[21:01] <KitFox> That is when you have the folder or disk drive with a little hand under it, allowing other people to access it over the network.
[21:02] <^IQ^> arrrr, brillyant, that'll about do me, danke :o)
[21:02] <LadyDana> :)
[21:02] <LadyDana> last one, Aries1
[21:02] <awni2> www.grc.com has more info 
[21:02] <awni2> on sharing 
[21:02] <Aries1> hiyas ... thanx ... just a quick question
[21:02] <Aries1> <LadyDana> Jpg.bat also contains a backdoor and sends messages to certain channels, containing information about what the infected user is doing.
[21:02] <Aries1> now ... is that like the JD ?
[21:02] <Aries1> as in echoing the hosts actions etc ?
[21:03] <Richku> pretty much, yes
[21:03] <Aries1> ick ... ok thanx :O)
[21:03] <Richku> :)
[21:03] * LadyDana moves on ...
[21:03] <LadyDana> ееееееее EXbuz/Profiles ееееееее
[21:03] <LadyDana> -> Removal: http://www.nohack.net/bin/EXbuzRem4.exe
[21:04] <LadyDana> This worm is pretty old, it doesn't do much but spread. However it does disable some mIRC commands so that it cannot be removed manually.
[21:04] <LadyDana> This worm also uses different names:
[21:04] <LadyDana> (flood coming up again ..)
[21:04] <LadyDana> ° yourway.exe
[21:04] <LadyDana> ° megamirc.exe
[21:04] <LadyDana> ° photo.exe
[21:05] <LadyDana> ° viagra.exe
[21:05] <LadyDana> ° pppboost.exe
[21:05] <LadyDana> ° grana.exe
[21:05] <LadyDana> ° emails.exe
[21:05] <LadyDana> ° overnuke.exe
[21:05] <LadyDana> ° putas.exe
[21:05] <LadyDana> ° sexy.exe
[21:05] <LadyDana> ° nukescan.exe
[21:05] <LadyDana> ° soueu.exe
[21:05] <LadyDana> ° videosex.exe
[21:06] <LadyDana> If you are in the habit of joining bit chat channels such as #teens, #chatzone, etc. chances are that you have already run into one of those.
[21:06] <LadyDana> The trojan also attempts to extract a file named 'com.exe', but this fails as the file is corrupted.
[21:06] <LadyDana> ееееееее Script.ini ееееееее
[21:06] <LadyDana> This one's pretty much gone, but some important points here...
[21:06] <LadyDana> ° most versions of script.ini block commands which would allow it to be removed;
[21:06] <LadyDana> ° some versions of script.ini will DELETE ALL DATA on a user's hard drive if /remote off is typed.
[21:07] <LadyDana> So please do NOT tell users to type /remote off, /remove etc .. it can have pretty bad consequences on the user's harddrive.
[21:07] <LadyDana> ееееееее Other Things ееееееее
[21:07] <LadyDana> Just some general FYIs... (after this we'll have a Q&A session again .. then it will be KitFox's turn :)
[21:08] <LadyDana> ° ANY file-type can be loaded into mIRC;
[21:08] <LadyDana> ° a free, online anti-virus can be found at http://housecall.antivirus.com;
[21:08] <LadyDana> ° some viruses will ignore you if you mention words like: virus, trojan, worm, infected;
[21:08] <LadyDana> ° Dr. Watson (C:\Windows\Drwatson.exe) is a great diagnostic program that comes with Windows 98;
[21:08] <LadyDana> ° you can see active connections by typing netstat -a in any MS-DOS prompt window, or type netstat -a >> ns.txt to write the output to ns.txt;
[21:09] <LadyDana> ° to check if a user's port is open, ask them to type: /run telnet localhost <Port>;
[21:09] <LadyDana> ° trojans aren't written to be found... ! 
[21:09] <LadyDana> And I know that this has been mentioned before .. but do *not* run files from strangers without checking it first!
[21:09] <KitFox> AND...
[21:09] <LadyDana> Question & Answer Session .. (last moderated one :)
[21:10] <LadyDana> woops ;)
[21:10] * LadyDana waits for KitFox :*)
[21:10] <KitFox> Be aware that NOT ALL VIRUSES are detected by AV programs. (Ladymorgaine knows this. :))
[21:10] <KitFox> Done. :)
[21:10] <LadyDana> :))
[21:11] <LadyDana> okay, questions --> /msg Dana-Class ME!!
[21:11] <scriptr> oh 
[21:11] <scriptr> lol ok is there a way to scan the ini or mrc viruses to look for specific lines that occur in the viruses?
[21:12] <scriptr> could you use a $read command line to look for a line found in common viruses
[21:12] <KitFox> Currently, no.  And most AV programs do NOT scan TXT-type files, such as mIRC scripts, due to the processing power required to do this.
[21:13] <scriptr> hmmm ok is there a way to list the mrc or ini without getting infected?
[21:13] <KitFox> Yes
[21:13] <KitFox> Just load it in notepad.
[21:13] <KitFox> mIRC scripts are 100% plantext or .ini files.
[21:13] <scriptr> ok thank you will work on the rst :)) 
[21:13] <LadyDana> :)
[21:13] <KitFox> .ini files are just plaintext with INI beginnings.
[21:13] <LordKaT> heh thanks for taking me once again ;) is it possible for a virus to actually spread itself by pretending to be a "service" that sends itself to itself and resides in another directory and those two speard like that ect ect.. ? if it is possible is there a virus that does this?
[21:14] <KitFox> Viruses will use any method they can to try to spreead themselves.
[21:14] <KitFox> SOme will pretend to be a picture of a fireman licking a dog....
[21:14] <KitFox> Some will pretend to be a cool file from a friend...
[21:15] <KitFox> Some will pretend to be a movie, or a text file of X-Rated passwords....
[21:15] <LordKaT> ok thanks.
[21:15] <KitFox> The file attempt to spread itself by whatever method the writer has it try.
[21:15] <LadyDana> thanks again LordKaT :)
[21:15] <SnowHawke> Some ppl have networks which needs file sharing turned on, will a firewall help prevent viruses in that case?
[21:16] <KitFox> Passwords will help.  Secure passwords are best, but any password will USUALLY prevent a virus from being able to utilize the share.
[21:16] <SnowHawke> K, thanks :)
[21:16] <KitFox> Also, setting the share Read Only, is a good idea too.
[21:17] <awni2> SnowHawke do u need it share over the internet ?
[21:17] <awni2> or just over a LAN ?
[21:17] <KitFox> Having a share Full Access with no password is... well, simply put, Just Plain STUPID AS ALL HELL
[21:17] <SnowHawke> Just over a LAN
[21:17] <KitFox> If you use a modem to dial into the internet, you can NOT bind WIndows FIle Sharing to the dialup networking adapter...
[21:17] <awni2> then don't bind ur NIC to tcp/ip 
[21:17] * LadyDana sets some ice cream in front of KitFox to cool him down ;)
[21:18] <SnowHawke> cable modem, no dailup
[21:18] * awni2 gets fired up to get some ice cream
[21:18] <KitFox> SnowHawke: If you use TCP/IP for file sharing, and have an open share, then anybody on the internet can access it
[21:19] <SnowHawke> Ok, thanks KitFox
[21:19] <LadyDana> thank you SnowHawke :)
[21:19] <LadyDana> okay, no other questions ..
[21:19] <KitFox> Cable Modems, DSL, and other Always On connections are some of the worst for this, where people share their C drive ith no password, so that ANYBODY can do anything to their files at all. :)
[21:19] * LadyDana leaves the floor to KitFox :)
[21:19] * KitFox has the overhead projector working too. :)
[21:19] * KitFox gets out the transparency...
[21:20] <KitFox> Virus            / AV Name (If known) / Hosts
[21:20] <KitFox> movie.avi.pif    / BAT_QWERTY            8904
[21:20] <KitFox> Mypicture        / VBS_FOOL              7396
[21:20] <KitFox> ribbed (jpg.bat) / BAT_WINSYS            4578
[21:20] <KitFox> links            / VBS_FREELINK          4442
[21:20] <KitFox> tune             / VBS_TUNE              3968
[21:20] <KitFox> jday .js         / JAVA_JDAY             3057
[21:20] <KitFox> story            / VBS_CHERNOBYL          373
[21:20] <KitFox> jday .vbs        / VBS_JDAY                75
[21:20] <KitFox> DMSetup                                  1096
[21:20] <KitFox> EXbus                                     577
[21:20] <KitFox> script (script.ini)                       563
[21:20] <KitFox> MrSmartvirus                              408
[21:20] <KitFox> mypicv2                                    38
[21:20] <KitFox> Data collected over  3days 6hrs 24mins 27secs
[21:20] <KitFox> That is the current distribution of infected hosts on DALnet, as collected by file send attempts to users who have DCC's blocked by the ircd.
[21:21] <KitFox> That is by unique host, not by how many sends...  SOOOooooo... One host sending 50 infections counts once. :)
[21:23] <awni2> we're taking a breath :) 
[21:23] <KitFox> And, on that note, I have been asked to inform you about the IRCD additions. :)
[21:23] <LadyDana> +er
[21:23] <LadyDana> :P
[21:24] <KitFox> Be aware, that the information I am about to give is currently in beta test, officially, and is not necessarily the end way that things will work...
[21:24] <KitFox> As a default, the send of filetypes thatc an be double-clicked on and execute script or code on the PC are blocked.
[21:25] <KitFox> If a user attempts to send a file of a blocked filetype, they will receive a message indicating that it was blocked, and the user they try to send it to will receive a message as well.
[21:26] <KitFox> Examples:
[21:26] <KitFox> -hebron.in.us.dal.net- The user KitFox is not accepting DCC sends of filetype *.exe from you. Your file mirc1.exe was not sent.
[21:26] <KitFox> Spoof (~i1zoI41x@adsl-63-193-151-187.dsl.lsan03.pacbell.net) has attempted to send you a file named mirc1.exe, which was blocked.
[21:26] <KitFox> Those are what the Sender and Receiver will see.
[21:27] <KitFox> The -RECEIVER- has to allow the DCC to be sent, currently by typing /dccallow +<nick>
[21:28] <KitFox> Similar to a watch list, this adds a person to the DCC Allow list, which is maintained until the client logs off.
[21:28] <KitFox> Some important questions and answers about this:
[21:28] <KitFox> Q: Does it block ALL DCC sends?! 
[21:28] <KitFox> A: No, it only blocks sends of files that can be click-clicked and ran.
[21:29] <KitFox> Q: Will it affect me sending my (MP3's, GIF's, JPG's, Pictures, WAV files)?
[21:29] <KitFox> A: No, it only blocks sends of files that can be click-clicked and ran.  Data files are not affected.
[21:30] <KitFox> Q: Okay, it said MyFriend tried to send me a file and it was blocked.  I added them to the allow list.  Why am I not getting the file?
[21:30] <KitFox> A: WHen a send is blocked, it is BLOCKED and lost.  They need to resend the send request a second send time.
[21:31] <KitFox> Q: Maybe I should just add EVERYBODY I meet to my dccallow list.
[21:31] <KitFox> A: Not a good idea... SOmebody you meet could then unknowingly send you a virus and you'd be very embarrassed when your hard drive gets reformatted.
[21:32] <KitFox> And those are the majority of the questions we get...
[21:32] <KitFox> Any other questions? (Dana, could you handle the Q/A?
[21:32] <LadyDana> of course :)
[21:33] <LadyDana> /msg Dana-Class me!!
[21:33] <GohnJalt> Could we get a list of the blocked file extensions ?
[21:34] <KitFox> js pl exe com bat dll ini vbs pif mrc scr doc xls lnk
[21:34] <GohnJalt> Thanks ... that's all 
[21:34] <LadyDana> thank you GohnJalt :)
[21:34] <HorseC> Not a question. but a note of thanks to you, and ALL the staff for taking the time to put together this class.... It is appreciated by all.  (ok im done) :)
[21:35] <LadyDana> lol ..
[21:35] <LadyDana> We enjoy it .. don't we gang? ;)
[21:35] <zukeee> yes :) 
[21:36] <Deacon_Blue> Hi, and thanks :)
[21:36] <KitFox> You're Welcome.
[21:37] <Deacon_Blue> OK, if I go to somewhere like grc.com, and nothing shows.....ie, no netbios connection, ports closed..........what are the chances of getting hacked/infected......apart from accepting and running a file?
[21:37] <KitFox> Usually small.
[21:37] <Deacon_Blue> I have a home lan, btw
[21:37] <awni2> Deacon_Blue do you run a firewall ?
[21:37] <Deacon_Blue> So, I shouldn't panic and race off looking for a firewall?
[21:37] <Deacon_Blue> awni2, no
[21:38] <awni2> i'd run one to be safer :)
[21:38] <KitFox> The only way for you to become infected with something is by it exploiting a hole in your system.  These holes can be backdoors, or user silliness (Clicking on an infected file) or open ports.
[21:39] <LadyDana> =)
[21:39] <LadyDana> Anything else Deacon_Blue?
[21:39] <Deacon_Blue> hmm....backdoors.........how likely if the system has no common ports open?
[21:39] <KitFox> Only if you ran a backdoor trojan.
[21:39] <zukeee> Not all trojans use common ports some are programmable
[21:40] <Deacon_Blue> OK, so files should be my main concern?
[21:40] <KitFox> As always.
[21:40] <Deacon_Blue> Thank you :)
[21:40] <LadyDana> Thank you Deacon_Blue :)
[21:40] <syeirah> Thanks for all your help, and my question was answered in the "what are the blocked files" question :) so umm.. nevermind <G>
[21:41] <LadyDana> ok :)
[21:41] <Moine> thanks
[21:41] <Moine> where can i find more infomation?
[21:41] <Moine> the specifics.. such as files altered
[21:41] <KitFox> In books, magazines, classes, and online.
[21:42] <Moine> could you give me some sites?
[21:42] <KitFox> Unfortunately, no. :(
[21:42] <Moine> ok, what would i search for?
[21:42] <KitFox> www.nohack.net has SOME information....
[21:42] <awni2> i'll give a bit of info on where backdoors can hide
[21:42] <zukeee> www.hackfix.org
[21:42] <KitFox> Many do not have specific information due to the fact that it allows people to exploit things more easily.
[21:42] <awni2> at the end of the class :)
[21:42] <Moine> ok thanks , i'll go there
[21:42] <LadyDana> :)
[21:43] <SnowHawke> My question was URLs,,just got answered,,,are y'all planning on holding more classes like this one?
[21:43] <KitFox> Yes.
[21:43] <SnowHawke> k,,thanks :)
[21:44] <LadyDana> There is the same class for the people of other timezones on Sunday 10AM EST
[21:44] <LadyDana> Which would be 2PM GMT
[21:44] <LadyDana> You can mention it to your friends ..
[21:45] <LadyDana> okay, no more questions :)
[21:45] <LadyDana> awni2, you have the floor.
[21:45] <KitFox> Great.  I'm going to go do my taxes. :)
[21:45] <awni2> wish i could dance :P
[21:45] <LadyDana> Thanks KitFox <g>
[21:45] * zukeee puts on dancing music for awni2 
[21:46] <awni2> it was mentioned that you can use netstat to see what connections you have to your computer 
[21:46] <awni2> you should close all applications that use the internet before running netstat so that you don't get confused
[21:47] <awni2> Common places for backdoors to hide : 
[21:47] <awni2> - registry
[21:47] <awni2> - system.ini
[21:47] <awni2> - win.ini 
[21:47] <awni2> oh, thanks zukeee :)
[21:48] <awni2> to access your registry , click on Start/Run and type Regedit 
[21:48] <awni2> in Regedit , there are 3 places of interest to backdoors 
[21:48] <awni2> HKEY_CURRENT_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
[21:48] <awni2> HKEY_CURRENT_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
[21:49] <awni2> HKEY_CLASSES_ROOT\EXEFILE\COMMAND\SHELL
[21:49] <awni2> ops
[21:49] <awni2> HKEY_CLASSES_ROOT\EXEFILE\SHELL\COMMAND
[21:50] <awni2> grr , i need to right things down next time
[21:50] * awni2 said he doesn't know how to dance
[21:50] <awni2> HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND
[21:50] <awni2> there we go :) 
[21:51] <awni2> sorry , it's 5 am here , my memory is fading 
[21:52] <awni2> HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND should have (default) as the Name and "%1" %* as the Data 
[21:52] <awni2> if it has anything else, you might have sub7 or pretty park 
[21:53] <awni2> run and runservices can be a bit tricky , because backdoors use names that sound like system files 
[21:53] <awni2> rundll16.exe for example , or tskmngr.exe 
[21:54] <awni2> it's best to get someone with some experience to help out if you're dealing with run or runservices sections 
[21:54] <awni2> -system.ini 
[21:54] <awni2> to get to system.ini , click Start/Run and type sysedit 
[21:55] <awni2> this will open system.ini ,win.ini,autoexec.bat,config.sys and protocols.ini 
[21:55] <awni2> in system.ini , look for the line Shell= 
[21:55] <awni2> it should be , in most cases, only Shell= Explorer.exe 
[21:56] <awni2> sometimes you'll see printer drivers on the same line, those are safe 
[21:57] <awni2> if you see msrexe.exe , or filename.dl , then you're backdoored 
[21:57] <awni2> -win.ini 
[21:57] <awni2> in , win.ini , u need to look for the line Run= 
[21:57] <awni2> in 99% of cases , you'll only see Run=
[21:58] <awni2> if you see Run= filename.extention , u may need help 
[21:59] <awni2> these are the hiding places for backdoors, your windows Startup folder can be used to run a backdoor on startup , but that's not really hidden :)
[21:59] <awni2> any combination of these hiding places can be used 
[22:00] <awni2> or just 1 of them 
[22:00] * awni2 takes off his dancing shoes :)
[22:00] <LadyDana> Okay ..
[22:01] <LadyDana> this class is officially over :*)
[22:01] <LadyDana> Thank you all for participatin g..