Gnutella Forums

erikinlongbeach August 2nd, 2005 09:32 PM

Gnutella W32.Alcra.B Virus/Trojan Migration
 
Beware of the 851.7KB Trojan Horses!

OS: Windows
Client: Any
Internet Connection: Any
Error Message: None (yet)

I have often seen files (<1MB) when I search for software. Often, I
search the P2P networks if I'm looking for a particular file. This
is much easier than searching the web for patches, updates, service
packs, and other files. I became suspicious when files of the same
size often appear for different searches. I noticed this even about
6 months ago.

Upon viewing the files on a particular host, the file
name is different from what it appears in the search. This is
obviously related to how Limewire tracks the same file with
differing file names. Once in a while, this method fails and you
download a file completely different from what you thought you were
downloading.

Recently, I have seen a lot of search results containing a 851.7 KB
file. Most of the time, this file appears in the search results
first and multiply. I suspect that malicious users take advantage of
the open source network to modify the programming solely for the
distribution of malicious code (malware), which includes viruses,
trojan horses, and spyware. I wish Limewire would add a feature to
further limit the search by file size or range.

Curious about these files, I downloaded a few of them. I opened the
file with WinZip. This file had a ZIP file extension, but can be
another extension, or executable (.EXE, .COM, etc.). In the file,
there was only one file, 'setup.exe', and it was about 2.6 MB
uncompressed. I have seen this before, except the file was about 5
MB. In the previous case, I just deleted it. I suspected maybe a
malicious program like spyware. I checked it out with Norton
Anti-Virus. WinZip facilitates running a virus scanner from a menu
or the keyboard, provided that it's set up properly. Norton
Anti-Virus produced a dialog box that said a virus was detected and
immediately removed. The location was from the temporary directory.
The virus was detected as "W32.Alcra.B". The same virus appeared
for the second file downloaded. Both ZIP files were deleted
afterward. The CRC32 for 'setup.exe' was 0x8C304414 for two ZIP
files examined. The CRC32 could be different since the majority of
the file is probably filler data to fool the end user.

These should be common sense, but just in case, here are some
suggestions to avoid infection:

1. Always check files with a virus scanner program, such as Norton
Anti-Virus, McAfee or similar. Keep virus definitions updated
regularly.

2. Use other known and trusted virus scanners in addition to the
more popular anti-viral programs. The reason for this is hackers are
more familiar with how to undermine and defeat the protection of the
more common anti-viral programs and might be less successful with
less common programs.

3. Use anti-Spyware programs such as Ad-Aware, Microsoft
Anti-Spyware, and other commercial programs. The same applies to
spyware definitions.

4. If a file has the wrong or unreasonable file size, don't download
it, or delete it if you have.

5. Never execute (run) unknown, unscanned files.

6. Turn on firewall features. A hardware based firewall is better.
Most routers/gateways have firewalls built into the firmware. Block
all unnecessary ports. Don't use the Demilitarized Zone (DMZ Hosts)
feature unless you really know what you're doing.

I hope readers in this forum find this post helpful. Feel free to
post any other helpful suggestions.

Erik
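
Added example, not part of the original post: the checks Erik describes (one 'setup.exe' inside the ZIP, its CRC32, and many differently named search hits sharing one size) done by reading the ZIP central directory only, so nothing is extracted or run. The function names, the extension list, the sample archive and the sample search hits are constructed for illustration; only the CRC32 value comes from the post.

```python
import io
import zipfile
import zlib
from collections import defaultdict

REPORTED_CRC32 = 0x8C304414  # CRC32 of 'setup.exe' as reported in the post
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed list


def triage_zip(data, known_crcs=(REPORTED_CRC32,)):
    """Read ZIP metadata only; never extracts or executes members."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "entries": [], "flags": ["not a ZIP archive"]}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [{"name": i.filename, "crc32": i.CRC,
                    "packed": i.compress_size, "unpacked": i.file_size}
                   for i in zf.infolist() if not i.is_dir()]
    flags = []
    exes = [e for e in entries if e["name"].lower().endswith(EXECUTABLE_EXTS)]
    if len(entries) == 1 and exes:
        flags.append("single executable payload")
    if any(e["crc32"] in known_crcs for e in entries):
        flags.append("CRC32 matches a reported value")
    return {"is_zip": True, "entries": entries, "flags": flags}


def same_size_clusters(results, min_names=3):
    """From (name, size_bytes) search hits, return sizes shared by many names."""
    by_size = defaultdict(set)
    for name, size in results:
        by_size[size].add(name.lower())
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_names}


def make_sample_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    filler = b"CONSTRUCTED-FILLER" * 256  # harmless stand-in content
    sample = make_sample_zip({"setup.exe": filler})
    print(triage_zip(sample, known_crcs=(zlib.crc32(filler),)))
    hits = [("patch_a.zip", 872141), ("driver_b.zip", 872141),
            ("sp2_c.zip", 872141), ("notes.txt", 1200)]  # constructed hits
    print(same_size_clusters(hits))
```

CRC32 is a checksum, not a cryptographic hash, so a match is only a hint and, as the post notes, a different filler gives a different value; the file still goes through an up-to-date scanner.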

ErikSon August 18th, 2005 11:22 PM

you're not fooling anyone

This is much easier than searching the web for patches, updates, service packs, and other files. I became suspicious when files of the same size often appear for different searches.

when will p2p n00bs realize that web patches, updates, service packs and SHAREWARE are virus free online, and when it's on lame p2p apps like gnutella/limewire/bearshare/etc. those .EXES get infected by VIRUSES.

Lord of the Rings December 19th, 2005 01:20 PM

This thread is in the LimeWire (LW) section, but applies to all gnutella users: WARNING: Viruses on network you should be aware of! (click on link); i.e. more good advice, & "if" you should be unlucky to make the mistake of downloading something you didn't intend to download, such as making a mistake with file sizes, then there's also lots of advice about how to rid yourself of it.

I guess someone voting in this poll above reactivated this oldish thread.

