ircbrute

vjp2.at

I just destroyed a USB fob because I found IRCBRUTE/Taquito on it.
I am trying to find out if it got there from a browser (likeliest
suspect) or from opening PDF files. Can it just get there by using the
file system? I believe I got it by downloading two zip files (my own
files) using a browser at a public library.



- = -
Vasos Panagiotopoulos, Columbia'81+, Reagan, Mozart, Pindus, BioStrategist
http://www.panix.com/~vjp2/vasos.htm http://www.facebook.com/vasjpan2
---{Nothing herein constitutes advice. Everything fully disclaimed.}---
[Homeland Security means private firearms not lazy obstructive guards]
[Urb sprawl confounds terror] [Phooey on GUI: Windows for subprime Bimbos]
 
FromTheRafters

> I just destroyed a USB fob because I found IRCBRUTE/Taquito on it.
> I am trying to find out if it got there from a browser (likeliest
> suspect) or from opening PDF files. Can it just get there by using the
> file system? I believe I got it by downloading two zip files (my own
> files) using a browser at a public library.

It probably happened as soon as you plugged it into the library
computer.

There was no need to destroy the fob.
 
vjp2.at

So IRCBRUTE works through the file system?

*+-There was no need to destroy the fob.

I agree, but no one was willing to help me fix it.

 
David H. Lipman

From: <[email protected]>


| So IRCBRUTE works through the file system?

| *+-There was no need to destroy the fob.

| I agree, but no one was willing to help me fix it.

It loaded via an AutoRun worm.
That's why you should disable AutoPlay/AutoRun on a PC where you use
random-read/random-write media.
 
Char Jackson

On Tue, 9 Mar 2010 19:28:09 +0000 (UTC),
> So IRCBRUTE works through the file system?
>
> *+-There was no need to destroy the fob.
>
> I agree, but no one was willing to help me fix it.

In what way was it broken that it required fixing? Or is this just a
language thing?
 
vjp2.at

*+->
*+->So IRCBRUTE works through the file system?
*+->
*+->*+-There was no need to destroy the fob.
*+->
*+->I agree, but no one was willing to help me fix it.

*+-In what way was it broken that it required fixing? Or is this just a
*+-language thing?

No, they refused to touch the fob. Essentially made me feel I owed it
to them to throw it away. I destroyed it because I wasn't sure if I
ever left confidential stuff on it.

 
vjp2.at

*+-It loaded via an AutoRun worm.

Oh, shoot! If a CD doesn't have any suspicious AUTORUN on it, is it
safe to assume it is clean?

So how can I be sure it came from the library (i.e. yesterday) and I
wasn't carrying it around longer? I have a few CDs I wrote from that
fob in December. I used Adobe Acrobat on that fob in January, to
bring home files I got scanned outside. I also used MS Access in
October.


 
vjp2.at

There is a CLAMWIN machine that hasn't updated since the summer. Will
that machine be secure? When did clamwin learn about ircbrute?



 
David H. Lipman

From: <[email protected]>


| *+-It loaded via an AutoRun worm.

| Oh, shoot! If a CD doesn't have any suspicious AUTORUN on it, is it
| safe to assume it is clean?

| So how can I be sure it came from the library (i.e. yesterday) and I
| wasn't carrying it around longer? I have a few CDs I wrote from that
| fob in December. I used Adobe Acrobat on that fob in January, to
| bring home files I got scanned outside. I also used MS Access in
| October.

There have been instances of malware-infected CD-ROMs, but they are a very rare case. Much higher
for USB "Mass Storage Devices".

One of the cases I have heard of, CD/DVD-ROMs associated with an AutoRun worm, was a
deliberate spearphishing attack.
 
David H. Lipman

From: <[email protected]>

| There is a CLAMWIN machine that hasn't updated since the summer. WIll
| that machine be secure? When did clamwin learn about ircbrute?

N O !
 
FromTheRafters

> So IRCBRUTE works through the file system?

Devices, not files. Well, there are files on the device...

When the USB device is inserted, the OS "recognises" the device and
there is a feature that allows data on the device to cause the OS to
invoke a player (autoplay) or otherwise choose a program to execute
(autorun). If your home computer has this feature disabled (as it
should), then you were in no danger. It seems to me that the library has
the worm, and inserting your USB device caused the worm to try and load
an autorun.inf and program (worm body) on the device so as to infect the
next vulnerable (autorun=on) computer it got plugged into.

There is no way to tell (from here) how the library's computer got
infested, there are *other* channels (vectors) used by the worm to
spread.
> > There was no need to destroy the fob.
>
> I agree, but no one was willing to help me fix it.

That's too bad.
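The mechanism FromTheRafters describes above, and David H. Lipman's advice to disable AutoRun, both come down to one small file: an autorun.inf in the root of the media is an INI-style file whose [autorun] section tells Windows what to run on insertion and what to show in the AutoPlay prompt. The script below is an added example by the editor, not code from any poster in this thread: it parses an autorun.inf from a fob or burned CD and flags the directives that launch a program or dress up the AutoPlay prompt. The rule list is the editor's reading of the directives Windows honours, and the two sample .inf texts are constructed (the SID-like folder and the file names are invented), so the example runs offline.

```python
"""Triage the autorun.inf on removable media for directives that launch code.

Added example for this thread, not code from any poster. The rule list is the
editor's reading of the [autorun] directives Windows honours; the sample
.inf texts at the bottom are constructed, with invented folder and file names.
"""
import re
import sys

# Directives that make Windows start a program when the media is inserted
# (AutoRun) or when the drive icon is double-clicked in Explorer.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command defines or hijacks an Explorer verb, e.g. shell\open\command
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Folders a worm's payload is often parked in because Explorer hides them.
HIDDEN_DIRS = ("recycler\\", "recycled\\", "system volume information\\")


def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only.

    Hand-rolled instead of configparser: worm-dropped files often carry
    duplicate keys, mixed case and junk lines that a strict INI parser rejects.
    The first occurrence of a key is kept.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def triage(text):
    """Return a list of findings, each {"key", "value", "reason"}."""
    findings = []
    for key, value in parse_autorun(text).items():
        reason = None
        if key in LAUNCH_KEYS:
            reason = "program launched when the media is inserted"
        elif SHELL_COMMAND_RE.match(key):
            reason = "Explorer verb redirected to a program"
        elif key == "shell":
            reason = "default double-click verb overridden"
        elif key == "action":
            reason = "custom AutoPlay prompt text (often spoofs 'Open folder to view files')"
        if reason is None:
            continue  # icon=, label= and similar cosmetic keys
        target = value.split(",")[0].strip().strip('"').lower()
        if target.startswith(HIDDEN_DIRS):
            reason += "; target sits in a folder Explorer normally hides"
        findings.append({"key": key, "value": value, "reason": reason})
    return findings


def verdict(text):
    """'launches-code', 'cosmetic-only' (icon/label only) or 'no-autorun-section'."""
    entries = parse_autorun(text)
    if not entries:
        return "no-autorun-section"
    if any(k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k) for k in entries):
        return "launches-code"
    return "cosmetic-only"


# Constructed samples: the first mimics the layout an AutoRun worm drops.
WORM_INF = (
    "[AutoRun]\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "action=Open folder to view files\r\n"
    "shell=open\r\n"
    "open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe\r\n"
    "shellexecute=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe\r\n"
    "shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe\r\n"
)
BENIGN_INF = "[autorun]\r\nicon=backup.ico\r\nlabel=Backups\r\n"

if __name__ == "__main__":
    # Usage: python autorun_triage.py E:\autorun.inf   (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"WORM_INF": WORM_INF, "BENIGN_INF": BENIGN_INF}
    for name, text in samples.items():
        print(f"{name}: {verdict(text)}")
        for f in triage(text):
            print(f"  {f['key']}={f['value']}  <- {f['reason']}")
```

A "cosmetic-only" verdict only says the AutoRun vector discussed in this thread is not present on that media; it is not a clean bill of health for the files on it. The check on the machine side is the policy value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun, which set to 0xFF disables AutoRun for every drive type, so that an autorun.inf like the constructed WORM_INF above is simply never acted on.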
 
vjp2.at

I had to log on to the library with password.

Clamwin (updated) found nothing on my main machine,
so it does seem the library was the source.
I checked the CDs going back. No infection, no autorun, no RESTORE.

The infected fob never had contact with my machines except via CD-ROMs
burned from it.

But CLAMWIN did find a chkdisk error on an 8MB PDF on the 4GB USB fob.

 
FromTheRafters

> I had to log on to the library with password.

Thus giving you a false sense of security.
> Clamwin (updated) found nothing on my main machine,
> so it does seem the library was the source.

I use ClamWin as a second opinion scanner, but I still don't trust it
completely. It does have its share of false positives, and I suspect its
share of false negatives as well. If it detects the malware on the USB
device, but not on the machine, my guess is that your machine is not
infested.
> I checked the CDs going back. No infection, no autorun, no RESTORE.
>
> The infected fob never had contact with my machines except via CD-ROMs
> burned from it.

Then how was it detected as being infected with an autorun worm?
 
vjp2.at

*+->
*+-> THe infected fob never had contact to my machines except via CDROMS
*+-> burned from it.

*+-Then how was it detected as being infected with an autorun worm?


On a machine at another library I went to download info from.

Actually, I got no warning - I just saw something Restore/Taquito
(faded) on the fob, and when it didn't let me delete it, got
suspicious and right-clicked virus scan.


 
Dustin Cook

From: <[email protected]>


> | So IRCBRUTE works through the file system?

> | *+-There was no need to destroy the fob.

> | I agree, but no one was willing to help me fix it.

> It loaded via an AutoRun worm.
> That's why you should disable AutoPlay/AutoRun on a PC where you use
> random-read/random-write media.

Hold down right shift key when inserting your media if you don't know or
cannot disable the autorun. This will do it for you, but ONLY for that
go around.
 
vjp2.at

Now we have all the possible sources of infection claiming it couldn't
possibly be their machines because they have the latest antivirus
software.



 
David H. Lipman

From: <[email protected]>

| Now we have all the possible sources of infection claiming it couldn't
| possibly be their machines because they have the latest antivirus
| software.



The False Negative syndrome.
 
Gufus

Hi David,

14 Mar 10, David H. Lipman writes to All:
From: <[email protected]>
| Now we have all the possible sources of infection claiming
| it couldn't possibly be their machines because they have
| the latest antivirus software.
| The False Negative syndrome.

My life story, not viral on my network. <grin>

Hey David, thanks for pointing me to fidolook. I use it on my server all the
time now, and it helped me set "TZ" variables on my network via its header
info. See, my time is correct now.

Gufus

--
K Klement

Enhance your marketing at http://www.gypsy-designs.com
mailto:[email protected]
Gypsy Designs Fax: (403) 242-3221

.... You are too narrowminded if you can see through a keyhole with both eyes.
 
David H. Lipman

From: "Gufus" <[email protected]>

| Hi David,

| 14 Mar 10, David H. Lipman writes to All:

| My life story, not viral on my network. <grin>

| Hay David, thanks for pointing me to fidolook. I use it on my server all the
| time now, and it helped me set "TZ" variables on my network via it's header
| info. See my time is correct now.

| Gufus

Excellent ! :)

You can even take advantage of its yEnc decoding as well as using an X-Face.
 
Gufus

Hi David,

15 Mar 10, David H. Lipman writes to All:
| Excellent ! :)

| You can even take advantage of its yEnc decoding as well as
| using an X-Face.

Funny you should say that, I just emailed you on that subject, like how do I
setup X-Face in fidolook? I tried everything.

We can take it to email, if you wish, just use "(e-mail address removed) (gufus)". I
don't know if your newsgroup email address is valid.

Gufus


 
