BetaArchive Forum [ 18 posts ]
Post subject: Trojans in your OS collection? | Posted: Sat Aug 18, 2007 3:58 am
Donator | Joined: Tue Oct 17, 2006 8:26 pm | Posts: 929
Hey all,

I've been doing a pretty exhaustive Virus Scan of every disk image I own. I started to see a very unhappy trend...

Most of the disk images are infected with some Trojan or another. A lot I have gotten off of servers here. This isn't just Windows disk images, but it is getting close to almost half of every image I have. The problem is, there seems to be no descriptions of these things that are worth anything. So I don't know if these are simple Autorun Trojans, or something embedded in the OS install files themselves.

The most recent one found (too many to list), was found on every NextStep/OpenStep/Rhapsody image I have. ClamAV detected something called vgen.114 on all of them.

SO everyone with time, check your media. I will post a list of everything I have found, once the scanning is done. Feel free to post anything detected you find in your collection here.

P.S. Other than these files being moved from unprivileged user dirs to a secured read-only file server, these files haven't been written to. For some, it's approaching 12-14 years old. None of them have ever been built from loose files, so it is unlikely that these were infected on my system... and with the types I see, spread out across the types of OSs, it appears very deliberate.

Posted: Sat Aug 18, 2007 4:15 am
Donator | Joined: Fri Aug 18, 2006 4:30 pm | Posts: 1520 | Favourite OS: Mac OS 9.2.2
Hmmn, were these all from the BA servers, or from OSBA? All my OS Betas are from OSBA, as I don't have a need for more of them.

Posted: Sat Aug 18, 2007 4:23 am
Donator | Joined: Sat Feb 24, 2007 4:14 pm | Posts: 6612 | Location: United Kingdom | Favourite OS: Server 2012 R2
Hmm, I've downloaded numerous things from the BetaArchive server and Kaspersky hasn't detected anything.

Could you post a list of (some of?) infected files and where you think you got them from?

Posted: Sat Aug 18, 2007 4:35 am
Donator | Joined: Tue Oct 17, 2006 8:26 pm | Posts: 929
Well, here is what I have so far... I can't tell the origin of these images, but most came from OSBA or here if I haven't already had them for years. What the actual virus/trojan is, I have no idea... this was a deep scan from within a nrg/iso.bz2. So it is on the CD images, I just have no idea where...

The UI on the server is pegged from the virus scan, so this is all that is showing in the log window without me having to scroll:

Rhapsody DR1 and DR2, NextStep 3.3, OpenStep 4.0 and 4.2 all come back infected with "VGen.114"

NextStep Nebula is infected with something simply named "Trilogy"

OS/2 4.52, EComStation 1.1 and EComStation 2.0 Beta 1 are all infected with "Trojan.Dropper.JS.Mimail" variants.

Posted: Sat Aug 18, 2007 4:38 am
Any memphis/windows98 beta will almost always have what is detected as a virus too by most AV programs. The .cnf files, which aren't viruses at all, detect as such. I wouldn't be too concerned if the iso's were unadulterated in any way from leaving the makers of such OS's.

Posted: Sat Aug 18, 2007 8:10 am
Donator | Joined: Tue Oct 17, 2006 8:26 pm | Posts: 929
A little bit of update. Doing some searching on "Vgen.144" revealed that the name it goes by in other antivirus applications is "EatFlu.a".

EatFlu.A and EatFlu.b are contained in the files eatflu.com and eatflu2.com, respectively. This is a DOS virus, so of little consequence in Windows... this is where what I detected falls in.

EatFlu.C is contained in a file called 088665.vom. This is a Windows Variant, possibly unrelated to the previous two (other than the author).

So these are there deliberately... and planted, evidently a long time ago. As I have found out, quite a substantial bit of antivirus apps only seem to scan for EatFlu.c... so maybe they don't think DOS viruses are a resource worth detecting.

Posted: Sat Aug 18, 2007 8:45 am
Donator | Joined: Fri Aug 18, 2006 4:30 pm | Posts: 1520 | Favourite OS: Mac OS 9.2.2
The windows malicious software removal tool detected 182 pieces of malicious software, and it hasn't scanned 1/10th of my drive... d*** betas!

Posted: Sat Aug 18, 2007 1:05 pm
Donator | Joined: Fri Aug 18, 2006 12:05 pm | Posts: 698 | Location: Or-stray-liagh
Could you upload one of the infected files to Virustotal.com and let us know the results? It will be interesting to see how the other virus scanners pick it up (Virustotal scans the file against about 30 virus scanners)

Posted: Mon Aug 20, 2007 2:26 am
FTP Access | Joined: Sat Nov 11, 2006 5:53 pm | Posts: 342 | Location: Saint-Henri, Montréal, Québec | Favourite OS: Chicago (hometown pride)
Have you tried a non-ClamAV antivirus? I have had a lot of false positives (not deliberate, but still false) from that particular AV.

Posted: Mon Aug 20, 2007 2:53 am
Donator | Joined: Tue Oct 17, 2006 8:26 pm | Posts: 929
ClamAV is still scanning (I have got a lot). I am currently cobbling together a small app as a front end to just about every AV I can get my hands on in the meantime. From there, I will rescan everything again... but it is an exercise in patience.

As for ClamAV, I have already hit a couple of false positives. For instance, I have a folder with mIRC, which was never installed ON the file server itself, but rather from a client machine onto a share off of the file server. If there are no mIRC registry settings, ClamAV detects this as some generic trojan.

But as for the EatFlu viruses, they are very specific files. I checked and they are there (eatflu.com).

I'll keep everyone updated as I go on. I'll be sure to create MD5sums of everything so you can all test it on your own collection.


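One way to publish and consume the MD5 list that post proposes, as an added example that is not code from the thread: the poster side hashes every image into md5sum(1) format, and the reader side hashes their own collection and reports byte-identical matches (all file names and paths below are hypothetical).

```python
"""Publish and check an md5sum list for a disk-image collection (added example)."""
import hashlib
from pathlib import Path


def md5_file(path, chunk_size=1 << 20):
    """Hex MD5 of one file, read in chunks so multi-GB images do not fill RAM."""
    digest = hashlib.md5()
    with Path(path).open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_md5sum_list(root):
    """Hash every file under root into md5sum(1) lines: '<hex>  <relative name>'."""
    root_path = Path(root)
    lines = []
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        lines.append(f"{md5_file(path)}  {path.relative_to(root_path).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_md5sum_list(text):
    """Map lowercase MD5 hex -> name; accepts md5sum text ('  ') and binary (' *') modes.

    Blank lines and '#' comments are skipped; a malformed digest raises rather than
    silently dropping an entry, so a mangled list cannot produce a false 'clean'.
    """
    known = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, rest = line[:32].lower(), line[32:]
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest) \
                or not (rest.startswith("  ") or rest.startswith(" *")):
            raise ValueError(f"malformed md5sum line: {raw!r}")
        known[digest] = rest[2:].strip()
    return known


def check_collection(root, known):
    """Return (local path, md5, published name) for every file whose bytes match the list.

    A hit means the local image is bit-for-bit the copy the poster scanned, so the
    flagged file is inside it too; a miss proves nothing and that image still needs
    its own scan.
    """
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        digest = md5_file(path)
        if digest in known:
            hits.append((path.as_posix(), digest, known[digest]))
    return hits
```

MD5 is fine for matching identical archived images, but it is not collision resistant, so anyone publishing a list today would add SHA-256 alongside it.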
Posted: Mon Aug 20, 2007 10:54 am
FTP Access | Joined: Sat Nov 11, 2006 5:53 pm | Posts: 342 | Location: Saint-Henri, Montréal, Québec | Favourite OS: Chicago (hometown pride)
If anyone wants the executable (for whatever reason), I looked in my virii collection and have a file called EATFLU.COM and EATFLU2.COM.

Posted: Tue Aug 21, 2007 12:23 am
FTP Access | Joined: Thu Mar 01, 2007 8:37 pm | Posts: 316 | Location: Your Closet | Favourite OS: Chicago build 34-had it :(
AndrewP182, who wants a file that is or might be a virus???

Posted: Tue Aug 21, 2007 12:29 am
FTP Access | Joined: Sat Nov 11, 2006 5:53 pm | Posts: 342 | Location: Saint-Henri, Montréal, Québec | Favourite OS: Chicago (hometown pride)
For analysis, I dunno, collections without it.

Posted: Tue Aug 21, 2007 1:21 am
FTP Access | Joined: Wed Oct 04, 2006 11:02 pm | Posts: 514
clt_42 wrote:
AndrewP182, who wants a file that is or might be a virus???


Some people collect and rip malware to pieces just for fun (and the challenge of seeing what it does and how). It's kinda fun actually, done it a couple of times myself, though I'm not good at it... it's cool though if you really get in to it.

Posted: Tue Aug 21, 2007 1:28 am
FTP Access | Joined: Sat Nov 11, 2006 5:53 pm | Posts: 342 | Location: Saint-Henri, Montréal, Québec | Favourite OS: Chicago (hometown pride)
It's the most fun thing you can do with Sandboxie. I do both scary Chinese adware and virii.

Posted: Tue Aug 21, 2007 4:25 am
FTP Access | Joined: Fri Sep 01, 2006 10:04 pm | Posts: 1022 | Location: The Ephemeral between existence and non-existence: AKA "being" | Favourite OS: Rhapsody, BeOS
I really doubt that Rhapsody could have a win/dos virus on it...

Where are these files actually located on the archive?

Post subject: how about this... | Posted: Tue Aug 21, 2007 8:50 am
Donator | Joined: Tue Oct 17, 2006 8:26 pm | Posts: 929
How about instead of doubting, scan your copy. That was the whole point of this thread. If no one cares, I will keep the results to myself.

Posted: Tue Aug 21, 2007 6:59 pm
Donator | Joined: Thu Aug 31, 2006 2:45 pm | Posts: 1432 | Location: UK | Favourite OS: Longhorn 4074
In the archive Windows 95 OSR 2 - International Versions.rar in directory JPN.AT\OSR2\WIN95_23.CAB\ in file rsrcmtr.exe my av has detected a virus called Win32:Deadcode-D. Is it real? :shock: :?

EDIT: In the same archive but another file I've also found the Nikki-3133 virus

EDIT 2: Found a virus in memphis beta 1 in file relnotes.doc
