[10:12] Hello everyone. :*)
[10:13] Thank you all for coming! Allow me to first mention how excited I am about holding this class. It has been quite a while since the Help Committee has held any classes, so this is somewhat of a first, if you will. :)
[10:13] I see a few familiar faces ... ;)
[10:13] There are a few people who were already there at the class on Thursday.
[10:13] This one will basically be a repeat of the former one ..
[10:13] Some information has been patched up though, basically from some of the questions that various users have asked.
[10:14] This class was organized because we noticed that there was a big difference in the answers that a user could get to the same question ... all depending on which help channel they might have asked it in at the time.
[10:15] This information session is specifically about the current situation on the most widespread viruses, backdoors and trojans.
[10:15] I would very much like to thank RichG aka Richku for getting all the information to me ... and at very short notice at that! Unfortunately, he was not able to attend today .. but that doesn't make him any less a contributor ;)
[10:15] There are also the various #NoHack ops and DALnet exploits@ team members who have made themselves available to answer any questions that you may have, both today and Thursday. They are the ones who are opped alongside me.
[10:16] So, a big big thanks to all of you!! *hugs*
[10:16] Just a short sidenote before everyone starts asking me the same question. YES, this class is being logged and YES, it will be made available in a little while to anyone who wants it.
[10:16] There may be a delay of a day or two, for however long it takes me to clean up both logs.
[10:17] Once that has been done, the gracious DALnet Webteam will post it somewhere and the URL will be announced on the appropriate mailing lists.
[10:17] Now, on to the interesting stuff ;)
[10:17] I don't really like moderating a class, but due to the great number of people present here today, we don't really have a choice ...
[10:17] If you have questions then *please* HOLD ON to them. There will be moments throughout the class when we will have Question and Answer sessions.
[10:18] Speaking of Questions and Answers, that's how the introduction of the information session has been set up. There are some common questions that often get asked, so we will start with them ... just to warm you up! ;)
[10:18] Note: Someone *cough* has pointed out to me that the definitions given here were not exactly technical. :)
[10:18] Please keep in mind that we aren't doing "technical" .. but rather definitions that can be easily understood :*)
[10:19] Okay, so here goes.
[10:19] ======== Introduction ========
[10:19] [Q] 'What is a computer virus?'
[10:19] [A] A piece of programming code that infects other computer files/media and sometimes causes damage.
[10:20] [Q] 'What is a trojan horse virus?'
[10:20] [A] A piece of programming code that does NOT infect other computer files/media, but just causes destruction or annoyance.
[10:21] [Q] 'What is a backdoor trojan horse virus?'
[10:21] [A] A piece of programming code that, when executed, hides in the background listening for connections over the Internet or a LAN.
[10:21] Usually they allow complete manipulation of the infected computer.
[10:21] [Q] 'What is a worm?'
[10:22] [A] A piece of programming code that does nothing but spread and sometimes destroy.
[10:22] [Q] How do backdoor trojan horse viruses work?
[10:22] [A] (psst, I'm horrible at ASCII art so be kind ;)
[10:22] - Infected computer (server) = A.
[10:22] - Hacker A (client over Internet) = B.
[10:23] - Hacker B (client over LAN) = C.
[10:23] *crosses her fingers*
[10:23] A --- Internet --- B
[10:23] |
[10:23] LAN (local area network)
[10:23] |
[10:23] C
[10:23] There we go
[10:23] In this case, we are presuming there are two "hackers": one connected to the Internet and one on the same LAN as the infected computer (A).
[10:24] The CLIENT part of the trojan can connect to the SERVER part (the server runs on the infected computer) and once the connection is established, the server executes any commands sent from the client.
[10:24] [Q] How do we get all this information together?
[10:25] [A] There are mailing lists composed of people who are active in the fight against viruses/trojans and backdoors from many different IRC networks.
[10:25] They exchange information, give each other tips, resources and the like. :)
[10:25] (I'm actually subscribed to one of them ... and my, I can tell you that it's quite busy ;)
[10:26] When a new virus is found, they often get sent to the various anti-viral companies for analysis ..
[10:26] Now is the first question & answer session. Due to the limited amount of time, only 5 questions will be taken.
[10:26] If you have a question, /msg Dana-Class ME!! <-- and I'll voice you in turn :)
[10:27] Go ahead viper :)
[10:27] <[[viper_az]]> ok
[10:28] <[[viper_az]]> What if a virus attacks the BIOS? What should be done to stop it?
[10:28] English please
[10:29] [[viper_az]]: I'll try to find someone who speaks Malay .. and we'll answer your question in private
[10:29] *** LadyDana sets mode: +v Jonathan_25-aka-Cosmos
[10:29] you can tell us the addy of the maillist maybe ?? is there maybe a DALnet virii maillist maybe ?
[10:30] sorry for the maybes :)
[10:30] Well, personally, I'm subscribed to nohack@linuxbox.org
[10:30] It's a mailing list run by ge
[10:30] ok, thanks
[10:30] that was already all
[10:31] =)
[10:31] Ge is the one who runs this mailing list
[10:31] If you are interested in signing up then you should contact him ..
however, there's some technical stuff in there.
[10:31] I often get lost. :) So you might not want to sign up unless you are really interested.
[10:32] i am
[10:32] :)
[10:32] okay, then get in contact with ge
[10:32] i will
[10:32] :)
[10:32] Thanks for your question
[10:33] i know it's a lil early for this (but I need to /part soon) so.. is it possible (or is there a) virus that can wipe out the BIOS?
[10:33] LordKaT? :)
[10:33] yes, there is.
[10:33] yup that's mah name.. LordKaT
[10:33] k thankz
[10:33] Which one would that be jim?
[10:34] CIH does that
[10:34] ok :)
[10:34] Thanks LordKaT.
[10:34] also known as Russian New Year
[10:34] Hi :P
[10:34] Hi all :) I am just interested to ask in fact 2 questions, one as a kind of info and the other as a way to deal with viruses
[10:35] okay, go ahead :)
[10:35] In fact the first question: i knew that many kinds of backdoors are in use now other than the ctcp Lagg msg and the scriptvesr, the new one in leopard
[10:36] i wanna ask here, maybe others can help, what is the best way to stop them
[10:36] and the others in use to be aware of
[10:36] and the other question is why don't DALnet make bots for infected users
[10:36] Let me make sure I'm understanding the question
[10:37] jim-mm sure
[10:37] You want to know the best way to avoid falling victim to a backdoor?
[10:37] To stop them !
[10:37] eagle what kind of bots do you mean?
[10:37] u know many lamers are using these ppl to join the channel and flood them
[10:37] I see
[10:38] The only real solution to that is to treat them as any other abusive user and ban them
[10:38] well eagle the ops should be kicking them out
[10:38] I used once a script that sent ctcp remote off to their script
[10:38] Barbara i was SOP in #lebanon and it was really lame, many ppl were joining, can't ban all !
[10:38] those types of scripts can easily land you in trouble eagle, I recommend not doing that
[10:39] Barbara believe me the ban list won't handle all
[10:39] if you have particular problems with a channel, speak to me after the class and I'll try to help
[10:39] jim-mm ok man thanks
[10:39] eagle you need to ban them
[10:39] hm
[10:39] maybe add a bot to your channel then
[10:39] Can i ask another question ?
[10:39] yes?
[10:39] Bandit^ thanks :)
[10:40] why don't DALnet make bots for infected users
[10:40] warn them and invite them to join #nohack
[10:40] DALnet runs #nohack to help infected users, but the management and control of channels is up to the channel ops.
[10:40] eagle you need to help a bit too, we do a lot also
[10:40] yeah what jim said
[10:41] Barbara I know :") it is just a suggestion
[10:41] and thanks a lot for understanding and listening :)
[10:41] :)
[10:41] you're welcome
[10:41] Thanks for your questions.
[10:42] ^MAXX^? :)
[10:43] <^MAXX^> my question is regarding the trojan horse virus, i know a lot are referred to as remote administration tools and they work great for transferring files from one computer to another, any safe way to run one on a computer?
[10:43] In a word, NO.
[10:44] <^MAXX^> i'm slow...sorry
[10:44] If you must do remote admin, use a commercial program like PC Anywhere or Carbon Copy
[10:44] <^MAXX^> no way to password protect a computer?
[10:45] no ^MAXX^, these things are designed to open up PCs. I wouldn't trust one as far as I could throw the disk it was on.
[10:45] <^MAXX^> ok, thanks..
[10:45] you're welcome
[10:46] okay, I'll just move along now .. we have other question & answer sessions in a bit :)
[10:46] ======== Methods of Infection ========
[10:46] The following files can contain harmful programming code:
[10:46] (flood coming on)
[10:46] ° .com - MS-DOS programs.
[10:46] ° .vbs - Microsoft Visual Basic scripts.
[10:46] ° .js - Java scripts.
[10:47] ° .scr - Screensavers.
[10:47] ° .exe - Windows programs.
[10:47] ° .doc - Rich-Text (WordPad) documents.
[10:47] ° .xl? - Microsoft Excel spreadsheets.
[10:47] ° .dot - Microsoft Office Document Templates.
[10:47] ° .bat - MS-DOS Batch Files.
[10:47] ° .tsk - Windows Task Scheduler files.
[10:47] ° .inf - Windows configuration settings/scripts.
[10:47] ° .ocx - ActiveX controls.
[10:47] ° .pif - Program information files.
[10:47] * Important *
[10:47] You should note that there are more, but that these are the most common/dangerous ones.
[10:48] Misc. Notes:
[10:48] The Windows Scripting Host is installed by default with Windows 98. It allows .vbs and .js files to be executed and processed.
[10:48] WordPad has an exploit which allows programs embedded in WordPad documents (.doc files) to be executed automatically when the document is opened.
[10:48] Program information files (.pif files) can also be exploited:
[10:48] If coded properly, these files can function exactly like MS-DOS Batch files (.bat files).
[10:49] The Jpg.bat worm sends itself using raw socket commands, instead of mIRC's own, built-in DCC system. This allows the worm to spread without this being noticed by the infected user.
[10:49] ======== Judgement Day ========
[10:49] Judgement Day is a fairly new IRC worm. It is distributed as .vbs files (Visual Basic Scripts) and .js files (Java Scripts).
[10:50] It invisibly creates an IRC drone which connects like a normal user but...
[10:50] ° listens for commands which can manipulate the IRC drone or the infected user's computer;
[10:50] ° sends the Judgement Day worm to anyone who joins a channel the IRC drone is on;
[10:50] ° accepts any files sent to it (only some versions of Judgement Day do this because some are buggy);
[10:51] ° looks for the biggest channels and joins them;
[10:51] ° spies on the infected user's conversations.
[10:51] In the class on Thursday, I mistakenly said that the Judgement Day virus has nearly been wiped out on DALnet.
[10:51] After that, lots of people came to me and mentioned that that was incorrect.
[10:51] So, my sincere apologies ... it's very much in evidence still :(
[10:52] The #nohack ops and exploits@ members are still working on fighting it and disinfecting users one at a time.
[10:52] ======== SubSeven ========
[10:52] -> Removal: http://split.netset.com/miscfix/subseven.shtml
[10:53] SubSeven is probably the most popular and widespread trojan horse virus at the moment, as it boasts lots of different features and a highly-configurable server component.
[10:53] SubSeven allows the server to connect to an IRC server and broadcast the infected computer's IP address, the server's port and password and a note. It also accepts limited commands.
[10:53] More information can be found at http://subseven.slak.org
[10:54] Second Question & Answer session .. if you have already asked a question then give others a chance too please :*)
[10:54] /msg Dana-Class ME!!
[10:54] thanks
[10:54] [Q] Just wondering, are there any opers or those in the exploit team who know about detecting the Sub 7 virus? and how to remove them.. And one more thing.. how can those ppl that know how to use the exploit help the exploit team..? i mean to let them know
[10:55] humm
[10:55] thx
[10:55] am i lagged or what?
[10:55] a bit lagged HacXeD
[10:56] ?
[10:56] HacXeD yes there are opers that know how to detect the Sub7 trojan
[10:56] hello
[10:56] Yes they know how to remove it from the infected machine :_
[10:57] how do they know how to use the trojan to remove the trojan? many have infected themselves to see what all it does.. others have researched it to death :)
[10:57] does that help HacXeD
[10:58] HacXeD? :)
[10:59] Zukee: i mean if we (normal users) know any new ways to remove the sub7 to help the infected user and inform the exploit team?
[11:00] HacXeD you are best to get them to run anti-virus software that has been updated to the latest dat files..
or to use the cleaner3.exe or higher
[11:00] :)-
[11:01] okeh
[11:01] Well, thank you HacXeD :)
[11:01] thanks
[11:02] just quite a question about sub7
[11:02] wait
[11:02] ?
[11:03] mm
[11:03] HacXeD just asked all my questions
[11:03] lol, oki doki :)
[11:03] i am sorry i came in late.. but is there a place on the web that has this info you are giving out.... in text.. in one place? like an outline of what you covered already.. and i missed? just seems that would be one way to spread the word of this out there..some of us have got to the point we don't take any files in.. even logs of channels like this class
[11:04] http://www.nohack.net has a lot more information than this
[11:04] thanks... hope that was not asked before
[11:04] I have also given URLs to the more common viruses/trojans/backdoors .. You can always check there for more information.
[11:04] In addition, a log of both sessions of this class will be posted (once I get the logs cleaned up ;)
[11:04] np :)
[11:04] Thanks for asking
[11:04] great...
[11:04] * redagain bows
[11:05] and backs off
[11:05] A general rule : TEXT files (.txt) cannot carry any kind of virus, so any .txt file is safe. Use NOTEPAD to open them, it's got no scripting capability.
[11:05] ok, i was infected once, and then i wondered, if i could just delete that .pif file? It is that i ever heard, that deleting a virus file does activate it
[11:06] Jonathan_25-aka-Cosmos IF u didn't run it then yes, just delete it
[11:06] awni
[11:06] Jonathan_25-aka-Cosmos - no, you should run a full virus scan, since the .pif will probably have added other files to your machine
[11:07] Jonathan_25-aka-Cosmos but if u did run it, u need to get the proper cleaner for it
[11:07] unless of course you didn't run it
[11:07] problem was: i did delete it from the pc at uni, and at home i was having a virus from files that i copied from uni
[11:08] you need to do a full scan Jonathan_25-aka-Cosmos, and get your university admin to do the same.
[11:09] does that answer your question jonathan?
[11:10] ok
[11:11] haha, i have no admin access :)
[11:11] we run nt
[11:11] thanks
[11:11] :)
[11:11] Thanks for your question Jonathan
[11:11] With apologies to the Ops I know and trust in #nohack I ask this question.. how can we trust the responses we get in there.. and in #exploit? What type of screening is performed on the nicks prior to their being opped.. I have been around irc long enough to know blind trust is not in my best interest.
[11:12] Ok, I'll take that
[11:12] #exploit?
[11:12] I'm SOP in #nohack, and a DALnet IRC Operator.
[11:12] The SOPs and founders work very hard to ensure that only accurate advice is given on #nohack by people who know what they are doing
[11:13] I -PERSONALLY- vet *every* fix uploaded to www.nohack.net to see that it IS what it CLAIMS to be.
[11:13] as to #exploit, I've no idea and I wouldn't recommend you trust it at all.
[11:14] does that answer your question?
[11:14] *shrug* jim-mm rejected my remover cuz of a tiny mistake, made me fix it
[11:14] jim-mm I appreciate your status.. but I guess the question really goes to the issue of trustworthy ppl offering information in there... are they screened
[11:15] yes they are fire-ant, by all channel sops. I also visit the channel undercover at times to see that things are going correctly
[11:15] as an Op in many mirc help channels I send newbies in there all the time and want to feel assured that I am not creating additional problems for them
[11:16] You can send any user with a trojan problem to #nohack with confidence
[11:16] Fire^Ant they work very hard in there at helping with viruses...and there are new ones every day...i think they're doing a great job
[11:16] Please don't send to #exploit, I've no idea what it is and I cannot vouch for it
[11:16] thanks jim-mm... question answered
[11:16] I'd also like to point out that #NoHack is Help Committee and DALnet recommended.
They work very closely on some issues with the DALnet Oper exploits@ team as well.
[11:16] If you have any cause for concern about #nohack ops, mail me on jim-mm@nohack.net and I'll look into it
[11:16] They would not be in their recommended position if they were not of the best quality :*)
[11:17] Well, thanks for your question Fire^Ant :)
[11:17] * LadyDana moves on
[11:17] ======== Jpg.bat ========
[11:17] -> Removal: http://www.nohack.net/bin/JpgBatRem.exe
[11:17] There are two variants of Jpg.bat; the only difference between them, really, is that the second variant constantly sends files to people on channels.
[11:18] As mentioned above, Jpg.bat (ribbed) does not use mIRC's built-in DCC system to spread, it uses raw socket commands, invisibly.
[11:18] Jpg.bat also contains a backdoor and sends messages to certain channels, containing information about what the infected user is doing.
[11:19] ======== Movie.avi.pif ========
[11:19] -> Removal: http://www.nohack.net/bin/movierem.bat
[11:19] This worm is fairly new. It exploits Windows' vulnerability to run and process .pif files in the same way as .bat files.
[11:19] This worm is not really very dangerous... and it's boring :) So that's that, ahem. (RichG)
[11:20] ======== EXbuz/Profiles ========
[11:20] -> Removal: http://www.nohack.net/bin/EXbuzRem4.exe
[11:20] This worm is pretty old; it doesn't do much but spread. However it does disable some mIRC commands so that it cannot be removed manually.
[11:20] This worm also uses different names: (flood coming up)
[11:20] ° yourway.exe
[11:20] ° megamirc.exe
[11:20] ° photo.exe
[11:20] ° viagra.exe
[11:20] ° pppboost.exe
[11:20] ° grana.exe
[11:20] ° emails.exe
[11:20] ° overnuke.exe
[11:21] ° putas.exe
[11:21] ° sexy.exe
[11:21] ° nukescan.exe
[11:21] ° soueu.exe
[11:21] ° videosex.exe
[11:21] If you are in the habit of joining big chat channels such as #teens, #chatzone, etc.
chances are that you have already run into one of those.
[11:21] The trojan also attempts to extract a file named 'com.exe', but this fails as the file is corrupted.
[11:21] Okay, another quick Question & Answer Session .. you know the drill, /msg Dana-Class ME!!
[11:22] Hi again, sorry for asking too much and thx for giving me this chance again, but this class was *really* needed and I am enjoying it...
[11:22] I wanna ask about 2 kinds of files NOT mentioned here and which i got once
[11:23] one was with the extension *.dll and the other *.art, any hint ?!
[11:23] ;)
[11:23] *.dll can be bad, but i don't know about .art, it *might* be a picture
[11:23] Eagle are you stating you got a trojan with those extensions and are asking what it is ?
[11:23] .art should be harmless, it's a Microsoft drawing file (then again, who knows what lurks in M$ code)
[11:23] or it might be .art.exe or .art.com
[11:24] Zukee Both
[11:24] k
[11:24] Zukee i think we should share what we know :) and I am asking since not mentioned
[11:24] .dlls can certainly contain viruses
[11:25] thx jim-mm Zukee awni :)
[11:25] thanks Eagle :)
[11:25] and of course LadyDana ;)
[11:25] :) Eagle
[11:25] hey, they are the ones doing all the work ^_^
[11:25] thanks
[11:25] hmm i have an idea ,, i wish that you could understand me ,, my English is not very good ,, as the server can change a nick to guest ,, why don't the DALnet services coder let the server push a user who sends a virus to part all channels and join #nohack? sorry if this Q has been posted or is a silly one
[11:26] Actually, the IRCD has a feature now against infected users
[11:26] I'll talk about it later in this session, ok? :)
[11:26] okay thanks :))
[11:26] :)
[11:26] Go for it Psionic :)
[11:27] ok ;) define "harmless" for movie*.pif
[11:27] it copies itself a few times and spreads, is all it does
[11:28] it overwrites winstart.bat, but i've never seen anyone that needed winstart.bat
[11:28] alrighty then, answers my curiosity :)
[11:28] :)
[11:29] redagain?
[11:29] ack, redpanda even? I always make the same mistake ;)
[11:29] hey i just wanted to ask a question about these viruses
[11:29] lol
[11:29] when these files fail to complete their job
[11:30] the fixer has no clear idea of what it was supposed to do
[11:30] but jim-mm just told me
[11:31] Well ..
[11:31] that the fixer was coded for every specific virus so even if it's not present the fix knows what to look for
[11:31] There are different versions out for a lot of the viruses
[11:31] And the anti-virus programs and the various cleaning files adapt to the new versions
[11:31] So basically, what you have is one always adapting to the other one
[11:31] * redpanda i see
[11:32] i see
[11:32] You need to know (1) what you are infected with (2) around what version it is
[11:32] yes, we're always updating the removers :)
[11:32] so that you can clean it with the correct fixer
[11:32] usually the cleaners for the newer versions are also able to handle the older versions of the same virus
[11:32] yes redpanda
[11:32] i understand
[11:32] :)
[11:32] great
[11:32] thanks for asking
[11:33] thank u
[11:33] thanks.. Just a quick question
[11:33] I can't type today. My brain is all in a muddle.
[11:33] when joining a large channel often I get more than one server msg saying a file was blocked... is the server forwarding information anywhere for action to be taken or is it up to the channel operators to kick the infected user with the address of where to go for help or to join #nohack?
[11:34] Operators who wish to receive the information will get it
[11:34] I'll actually talk about this blocking mode later on
[11:34] ok cool
[11:34] where can we get the info so we can update our scripts?
[11:35] Information regarding what?
[11:35] * LadyDana is not sure what you mean
[11:35] if channel operators wish to receive the information where can they get it
[11:35] They cannot ..
[11:35] When I said operators, I'm talking about IRC Operators
[11:35] It's a user mode :)
[11:36] so just send all infected to #nohack?
[11:36] byrnsy: Well, some viruses prevent you from joining help channels such as #nohack
[11:36] Therefore, the best way would be to ask them to leave all channels and go to http://www.nohack.net
[11:36] byrnsy that's correct
[11:37] ok cool
[11:37] thanks :)
[11:37] :))
[11:37] * LadyDana goes on
[11:37] ======== Script.ini ========
[11:37] This one's pretty much gone, but some important points here...
[11:37] ° most versions of script.ini block commands which would allow it to be removed;
[11:37] ° some versions of script.ini will DELETE ALL DATA on a user's hard drive if /remote off is typed.
[11:38] So please do NOT tell users to type /remote off, /remove etc .. it can have pretty bad consequences on the user's hard drive.
[11:38] ======== Other Things ========
[11:38] Just some general FYIs...
[11:38] ° ANY file-type can be loaded into mIRC;
[11:38] ° a free, online anti-virus can be found at http://housecall.antivirus.com;
[11:39] ° some viruses will ignore you if you mention words like: virus, trojan, worm, infected;
[11:39] ° not *all* viruses are detected by anti-virus programs;
[11:39] ° Dr. Watson (C:\Windows\Drwatson.exe) is a great diagnostic program that comes with Windows 98;
[11:39] ° There's also ZoneAlarm, a great *FREE* firewall type application at www.zonelabs.com;
[11:40] ° you can see active connections by typing netstat -a in any MS-DOS prompt window, or type netstat -a >> ns.txt to write the output to ns.txt;
[11:40] ° another free antivirus prog : http://www.icsa.net/html/communities/antivirus/index.shtml <-- Thanks to one of the participants here :)
[11:40] ° to check if a user's port is open, ask them to type: /run telnet localhost ;
[11:40] ° trojans aren't written to be found... !
[11:41] I'll be doing the section on the IRCD features (on which we already had some questions ..)
[11:41] After that we'll do one last question & answer session, then awni gets the floor .. :)
[11:41] ======== IRCD Feature ========
[11:41] Virus / AV Name (If known) / Hosts
[11:42] movie.avi.pif / BAT_QWERTY / 8904
[11:42] Mypicture / VBS_FOOL / 7396
[11:42] ribbed (jpg.bat) / BAT_WINSYS / 4578
[11:42] links / VBS_FREELINK / 4442
[11:42] tune / VBS_TUNE / 3968
[11:42] jday .js / JAVA_JDAY / 3057
[11:42] story / VBS_CHERNOBYL / 373
[11:42] jday .vbs / VBS_JDAY / 75
[11:42] DMSetup / - / 1096
[11:42] EXbus / - / 577
[11:42] script (script.ini) / - / 563
[11:42] MrSmartvirus / - / 408
[11:42] mypicv2 / - / 38
[11:43] Data collected over 3 days 6 hrs 24 mins 27 secs
[11:43] Okay .. in English *wink* -- That is the current distribution of infected hosts on DALnet, as collected by file send attempts to users who have DCCs blocked by the ircd.
[11:43] That is by unique host, not by how many sends... SOOOooooo... One host sending 50 infections counts once. :)
[11:43] Be aware that the information I am about to give is currently in beta test, officially, and is not necessarily the end way that things will work...
[11:44] As a default, the send of filetypes that can be double-clicked on and execute script or code on the PC are blocked.
[11:44] If a user attempts to send a file of a blocked filetype, they will receive a message indicating that it was blocked, and the user they try to send it to will receive a message as well.
[11:44] Examples:
[11:44] -hebron.in.us.dal.net- The user KitFox is not accepting DCC sends of filetype *.exe from you. Your file mirc1.exe was not sent.
[11:45] Spoof (~i1zoI41x@adsl-63-193-151-187.dsl.lsan03.pacbell.net) has attempted to send you a file named mirc1.exe, which was blocked.
[11:45] Those are what the Sender and Receiver will see.
[11:45] The -RECEIVER- has to allow the DCC to be sent, currently by typing /dccallow +
[11:45] Similar to a watch list, this adds a person to the DCC Allow list, which is maintained until the client logs off.
[11:46] Some important questions and answers about this:
[11:46] [Q] Does it block ALL DCC sends?!
[11:46] [A] No, it only blocks sends of files that can be double-clicked and run.
[11:47] Extensions: *.js *.pl *.exe *.com *.bat *.dll *.ini *.vbs *.pif *.mrc *.scr *.doc *.xls and *.lnk
[11:47] [Q] Will it affect me sending my (MP3s, GIFs, JPGs, Pictures, WAV files)?
[11:47] [A] No, it only blocks sends of files that can be double-clicked and run. Data files are not affected. (See above)
[11:48] [Q] Okay, it said MyFriend tried to send me a file and it was blocked. I added them to the allow list. Why am I not getting the file?
[11:48] [A] When a send is blocked, it is BLOCKED and lost. They need to resend the send request a second time.
[11:48] [Q] Maybe I should just add EVERYBODY I meet to my dccallow list.
[11:48] [A] Not a good idea... Somebody you meet could then unknowingly send you a virus and you'd be very embarrassed when your hard drive gets reformatted.
[11:49] A command that's available for reference purposes on the DCCALLOW feature .. type: /quote dccallow HELP
[11:49] Okay, last Question & Answer Session :) You know the drill .. /msg Dana-Class ME!!
[11:50] yes Wuher?
[11:50] Hi hi. My question was actually related to: [A] When a send is blocked, it is BLOCKED and lost. They need to resend the send request a second time.
[11:51] that's right. The person receiving will need to /dccallow the sender then ask them to send again.
[11:52] But that was the answer, I suppose. Here's another question.. since you're already "seeing" people send the files (in the ircd), you could force them to part all channels & join #nohack, or an alternate channel. Or even an automatic temp akill, with a msg to head to the site.
[11:52] What's your viewpoint on something like that?
[11:53] Lots of things are considered, but there are many issues involved with decisions like that. Speculation would be unfair and only start nasty rumours.
[11:53] i don't wanna get akilled for sending a virus to jim to research :P
[11:54] *laugh* That'd be slightly amusing ;>
[11:54] at this time, there are no plans I am aware of to do either of those things.
[11:54] Right .. the point is that we are never sure if it is a virus or not .. or even if it is, why it was sent.
[11:54] Something as automatic as that will probably run into a few false hits ..
[11:54] Not necessarily the same way the dcc block works, but rather based on specific file types.
[11:54] And when you get akilled or even just disconnected from a server because it made a mistake .. well ..
[11:55] As I said, lots of things are considered but few are implemented. I won't speculate on what may or may not be considered in future.
[11:55] =)
[11:56] Okie dokie.
[11:56] *whisper* Politically correct answer
[11:56] <-- Isn't as good as jim-mm on that ;\
[11:56] Thanks for your question Wuher :)
[11:56] Hi again ;)
[11:56] LadyDana said: A command that's available for reference purposes on the DCCALLOW feature .. type: /quote dccallow HELP
[11:57] -> Server: dccallow HELP
[11:57] -
[11:57] |0-0| Warning: Unknown Command (dccallow)
[11:57] You probably have a script interfering
[11:57] which client are you using eagle? and which server?
[11:57] /quote dccallow help
[11:57] get onto a fresh copy of your client and try again .. also check that your server supports this
[11:57] hmm, does it work on vancouver.dal.net too ?
[11:57] eagle, your server has not been updated yet
[11:57] not all the servers have been updated yet
[11:58] -> Server: dccallow help
[11:58] |0-0| Warning: Unknown Command (dccallow)
[11:58] Hmm another q
[11:58] in the site for the sub7 thingy
[11:58] yes?
[11:58] what do the helpers and ops here have as best removal for sub7
[11:59] I pointed out a webpage before ..
[11:59] other than manual, many users can barely use mIRC, let alone MS-DOS commands
[11:59] http://split.netset.com/miscfix/subseven.shtml
[11:59] eagle - The Cleaner (www.moosoft.com I think) will remove Sub7
[12:00] LadyDana if i am not wrong i see only a command :|
[12:00] thx jim-mm
[12:00] LadyDana thanks again for giving me another opportunity
[12:00] ;*)
[12:00] :)
[12:01] yes yoko ?
[12:01] hi and thanks for holding this class
[12:01] just wondered about the +/- D modes I've been seeing, or will dccallow completely replace that?
[12:01] dccallow replaced +/-D totally
[12:02] ok - great - thanks
[12:02] it should be on all servers shortly
[12:02] you're welcome
[12:02] thanks for asking
[12:03] yes ShuGun?
[12:03] u can do a detector of the script: when someone joins the server u do a quick search for the virus (sorry for my english)
[12:04] oops
[12:04] u can do a detector of the virus: when someone joins the server u do a quick search for the virus (sorry for my english)
[12:04] ShuGun - if you mean can we detect viruses when people connect to the server, the answer is no
[12:04] okih
[12:04] we need to wait for the virus to try and spread
[12:05] but u can detect him when he sends the virus i think
[12:05] so u must search for this also
[12:05] yes, with the new DCCALLOW functions we can
[12:05] the virus tries to spread automatically when u r connected
[12:06] When a file is blocked, the IRC Operators on that server get a message like this :
[12:06] -hebron.in.us.dal.net- *** Notice -- smith1234 (moo@cow.net)
[12:06] sending forbidden filetyped file !!wendi-wild.jpg.bat to bob1234 (channel
[12:06] #juareznstuff)
[12:07] that lets us know who is infected and with what, so we can help them
[12:07] Does that help?
[12:07] mmmmmmm
[12:07] okih
[12:07] great and thx a lot
[12:07] Thanks
[12:08] i think this will be a general question but i just hope i am always up to date with the news. I think my question was already answered by jim-mm indirectly in yoko's question.
[12:08] May i know, are all DALnet servers ready for /dccallow? Or is it only servers with bahamut(pelennor)-1.4(02) that are ready for /dccallow but not bahamut(pelennor)-1.4(01) or older?
[12:08] 1.4(x) should support it, but to be sure, look for 1.4(02) upwards
[12:08] i heard that both -1.4(02) and -1.4(01) support /dccallow
[12:09] none of the 1.2(x) branch support dccallow
[12:09] All servers should be running 1.4(02) soon.
[12:09] ahh okie.. thanks
[12:09] that's pretty clear.
[12:10] :)
[12:10] last question
[12:10] Wanted to say thank you to all of you who are giving of your free time (I know you dont get paid 2 put up with this) to work on this. you all are great! for giving of the help and info on this stuff and trying to make this a great place to be on irc. I only wish we could put the folks making these viruses in jail, take away their computers! Any hope for that? and if you are doing that already.. we need to spread the word what happens 2
[12:10] such dirt
[12:10] Writing viruses is a criminal act if they cause damage.
[12:11] For example, the writer of MELISSA was charged by the FBI
[12:11] great... i did not hear.. somehow.. about that
[12:11] not every one of them gets caught, but some do
[12:11] those that do can pay heavily
[12:12] can we do more as to spreading the word as to what happens to them? like a web site? of the latest who.. whos?
[12:12] feel free to do so if you like
[12:13] * redagain bows to the folks in the channel
[12:13] :)
[12:14] okay, now awni2 has the floor
[12:14] he's going to tell you a little about where viruses/backdoors/etc. are often hiding
[12:14] yup :)
[12:15] there are 3 main places for them to hide:
[12:15] 1- The Registry
[12:15] 2- System.ini
[12:15] 3- Win.ini
[12:15] The actual trojan doesn't hide there, it just inserts a line to make it run every time windows starts
[12:16] we'll talk about the registry first
[12:16] i'm pausing between lines cuz i'm lagged, don't want to flood u :)
[12:17] ok, to open the registry, click on Start/Run and type Regedit
[12:17] in the registry, there are 3 places of interest to us (and to trojans)
[12:18] first one is: HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND
[12:18] if you look to the right, in regedit, you will see: Name Data
[12:19] Name should be Default, and Data should be "%1" %*
[12:19] if it says windos.exe, mueexe.exe, or run.exe then the user has sub7
[12:20] if it says files32.vxd, then the user has Pretty Park
[12:20] second place is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
[12:24] ok, i seem to have a problem with my connection, it comes and goes
[12:24] Under RunServices, there will be a reference to the trojan name
[12:25] to get rid of the trojan, you need to delete the reference to the trojan, and restart the computer to delete the trojan file itself
[12:25] the other location in the registry is
[12:25] HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
[12:26] you will find a reference to the trojan there, delete the reference, restart the computer, delete the trojan file
[12:27] BIG WARNING: The registry is not for beginners, and a very easy place to mess up Windows
[12:27] now to System.ini
[12:28] in System.ini, you will see Shell=Explorer.exe
[12:28] in most cases, there won't be anything else on that line
[12:28] in some cases, you will see some driver, like hpxxx
[12:29] but in most cases, this should have only
[12:29] Shell=Explorer.exe
[12:29] If you see filename.dl or msrexe.exe, then you have sub7
[12:30] to fix the problem, just delete whatever is after Explorer.exe, restart the computer, and locate the file and delete it
[12:31] Win.ini works the same way as System.ini, only difference is we look for Run= instead of Shell=
[12:31] usually Run= has nothing after it, but if it does, and u're sure it's a trojan, cleaning is just like cleaning System.ini:
[12:32] delete whatever is after Run=, restart the computer, locate the file and delete it
[12:33] For completeness: Your Windows Startup folder can be used to start the trojan when windows starts, but i've never seen that used before :)
[12:33] There's also a technique that *can* be used, but it seems that trojan writers don't know about it yet, so i'll pretend i don't either :)
[12:34] yes, so shhh
[12:34] :)
[12:34] if u want an easy way to get to your system files, u can use Sysedit, and for Win98 users, you can use
[12:34] msconfig.exe
[12:35] (or be a real man and use notepad :P)
[12:35] msconfig makes it safer, u can Undo what u messed up :)
[12:35] * awni2 hands jim-mm notepad
[12:36] notepad is the all time favorite, yeah i know, we techies are weird :)
[12:36] If u're afraid of messing something up, u should use msconfig when accessing the registry
[12:37] ok, i'm gonna get permission for something, so hold on a sec ..
[12:41] Sorry, we are having some technical problems ;)
[12:43] ok this is what i can say about this
[12:43] If you see someone type
[12:43] qwerty
[12:43] in the channel, kickban or akick them
[12:44] in #nohack, i'll request akicks
[12:44] i know i won't get an akill :(
[12:44] i'm sorry for taking so long, i'm done now :)
[12:44] Well, thank you all for participating :)