News Items

Sep 22, 2005 10:12PM

Updates to AIMFix tonight: I've added code to remove some new variants of the ancient "NITEAIM" virus that was going around a while back. Apparently someone resurrected it with some new filenames and registry keys. In any case, I've added it to AIMFix and also done some code cleanup. I had hoped to do more coding tonight but didn't have time. Within the next few days I'd like to implement a new "quarantine" to move suspected virus files to a safe location rather than deleting them, in case of mistaken identity.

I did finally get a chance to load up pokapoka, but it's a bit more complicated than I could have hoped. It appears to load a couple dll files and hide itself reasonably thoroughly, so it's going to need some special removal work to clean. I'm not familiar with how hooking and many of the other virus techniques are implemented, so I've no idea how long it'll take to come up with something. In any case, I'll see what I can do and hopefully with a bit of help something should come of it soon.

-Jay

Sep 21, 2005 02:52PM

AIMFix has been updated several times today and last night to remove some new components. Aurora has mostly stopped cropping up, but it looks like the next big thing is pokapoka. It's been around a long time but no one seems to have made a removal tool for it, so I will try and take a look at this tonight. I've got a copy of the infecting file for it, so if I have time after hitting the gym, I'll load it up in a virtual Windows install and track what changes it makes. Hopefully I can provide some kind of removal for it and help out those who are afflicted by pokapoka's various variants.

In related news, I was finally able to find out yesterday how to run code with full System privileges on 2000/XP machines, which should help with terminating stubborn processes and deleting files. Next on the chopping block is to improve the ability of AIMFix to scan files for virus infections. I'd like to have some kind of signature checking, which is how programs like antivirus scanners generally work, but it's a bit more complicated than my current methods, so we'll see :)
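As an added illustration, not code from AIMFix or from its author, here is what the two ideas mentioned in these posts look like in plain C: byte-pattern signature matching of the kind antivirus scanners use, scanning a file in chunks so a pattern split across a chunk boundary is still found, and a quarantine step that moves a flagged file aside instead of deleting it so a false positive can be restored. It assumes a POSIX system (rename() and mkdir()); the signature list is constructed for the example (the industry-standard EICAR test string plus a made-up placeholder pattern) and is not a real malware signature database.

```c
/* Added example (not AIMFix code): signature scanning with quarantine.
 * Assumes POSIX C; all signatures and sample data are constructed here. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>

#define CHUNK 4096        /* bytes read per fread() call */
#define MAX_SIG_LEN 128   /* every signature must be shorter than this */

typedef struct { const char *name; const unsigned char *pattern; size_t len; } signature_t;

/* EICAR is the harmless, standard detection-test string; the second pattern is a
 * constructed placeholder, not a real malware signature. */
const char EICAR_TEST_STRING[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
static const unsigned char DEMO_PATTERN[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x41, 0x49, 0x4D };

static const signature_t SIGNATURES[] = {
    { "EICAR-Test-File", (const unsigned char *)EICAR_TEST_STRING, sizeof EICAR_TEST_STRING - 1 },
    { "Demo.ConstructedPattern", DEMO_PATTERN, sizeof DEMO_PATTERN },
};
#define NSIGS (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Index of the first signature found in buf, or -1 if nothing matches. */
int scan_buffer(const unsigned char *buf, size_t n) {
    for (size_t s = 0; s < NSIGS; s++) {
        size_t len = SIGNATURES[s].len;
        if (len == 0 || len > n) continue;
        for (size_t i = 0; i + len <= n; i++)
            if (memcmp(buf + i, SIGNATURES[s].pattern, len) == 0) return (int)s;
    }
    return -1;
}

/* Streaming scanner state: the tail of the previous chunk is carried over so a
 * pattern straddling a chunk boundary is still seen whole. */
typedef struct { unsigned char carry[MAX_SIG_LEN]; size_t carry_len; } scan_state_t;

/* Feed at most CHUNK bytes; returns signature index, -1 clean, -2 chunk too large. */
int scan_feed(scan_state_t *st, const unsigned char *data, size_t n) {
    unsigned char window[MAX_SIG_LEN + CHUNK];
    if (n > CHUNK) return -2;
    memcpy(window, st->carry, st->carry_len);
    memcpy(window + st->carry_len, data, n);
    size_t total = st->carry_len + n;
    int hit = scan_buffer(window, total);
    size_t keep = total < MAX_SIG_LEN - 1 ? total : MAX_SIG_LEN - 1;
    memcpy(st->carry, window + total - keep, keep);   /* remember the tail */
    st->carry_len = keep;
    return hit;
}

/* Scan a whole file; returns signature index, -1 if clean, -3 if it cannot be opened. */
int scan_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -3;
    scan_state_t st = { {0}, 0 };
    unsigned char buf[CHUNK];
    int hit = -1;
    size_t n;
    while (hit < 0 && (n = fread(buf, 1, sizeof buf, f)) > 0)
        hit = scan_feed(&st, buf, n);
    fclose(f);
    return hit;
}

/* Build "<qdir>/<basename>.quarantined"; returns 0, or -1 if it does not fit. */
int quarantine_path(char *dest, size_t destsz, const char *qdir, const char *src) {
    const char *base = src;
    for (const char *p = src; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;   /* accept either separator */
    if (*base == '\0') return -1;
    int w = snprintf(dest, destsz, "%s/%s.quarantined", qdir, base);
    return (w < 0 || (size_t)w >= destsz) ? -1 : 0;
}

/* Move a suspect file into the quarantine directory rather than deleting it.
 * rename() cannot cross filesystems (EXDEV); a real tool would fall back to
 * copy-then-delete there. Returns 0 on success. */
int quarantine_file(const char *qdir, const char *src) {
    char dest[1024];
    if (mkdir(qdir, 0700) != 0 && errno != EEXIST) return -1;
    if (quarantine_path(dest, sizeof dest, qdir, src) != 0) return -1;
    return rename(src, dest) == 0 ? 0 : -1;
}

char demo_dest[64];   /* scratch buffer for trying quarantine_path() */

/* Constructed sample: EICAR buried in filler, fed in pieces of `piece` bytes so the
 * chunk-boundary carry logic is exercised. Returns the scan result. */
int demo_split_scan(size_t piece) {
    unsigned char sample[300];
    memset(sample, 'x', sizeof sample);
    memcpy(sample + 100, EICAR_TEST_STRING, sizeof EICAR_TEST_STRING - 1);
    scan_state_t st = { {0}, 0 };
    int hit = -1;
    for (size_t off = 0; off < sizeof sample && hit < 0; off += piece) {
        size_t n = sizeof sample - off < piece ? sizeof sample - off : piece;
        hit = scan_feed(&st, sample + off, n);
    }
    return hit;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <quarantine-dir> <file>...\n", argv[0]); return 2; }
    for (int i = 2; i < argc; i++) {
        int hit = scan_file(argv[i]);
        if (hit >= 0)
            printf("%s: matched %s -> %s\n", argv[i], SIGNATURES[hit].name,
                   quarantine_file(argv[1], argv[i]) == 0 ? "quarantined" : "quarantine failed");
        else
            printf("%s: %s\n", argv[i], hit == -1 ? "clean" : "could not read");
    }
    return 0;
}
```

Run it as `./scanner /tmp/quarantine somefile.bin`; a file containing the EICAR test string is reported and moved to `/tmp/quarantine/somefile.bin.quarantined`, from where it can be restored if the match was a mistake. The carry buffer is what makes chunked scanning correct: without it, a signature that starts in one 4096-byte read and ends in the next would be missed.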

Will post later this evening if I get a chance to look at pokapoka's infection methods.

-Jay

Sep 19, 2005 10:15PM

Though I haven't been able to confirm this yet, it appears that someone or several someones are masquerading as me on AIM (HolsticDriving) and sending out virus links to people that appear to come from my screen name. How creative. Hopefully, anyone with common sense will take a second to look around this website or search the web and figure out that I am not responsible for any type of virus links being sent to them.

Sep 19, 2005 12:18PM

Well, it's been a while since any news posts or journal entries, so I figured I'd do a little catch-up. On the virus front, there have been a bunch of new variants, but nothing exciting or particularly new. I've made some updates to AIMFix, but mostly I'm working on simply learning C properly so that I can extend and improve my code. It's been brewing for quite some time, but I think that before long, there will be a complete overhaul of AIMFix with an entirely new framework behind it, and preferably a new interface as well. As simple as it is currently, there are plenty of people that have a lot of trouble when faced with an application that isn't a graphical interface.

Dave Daeschler, the author of the original PhxFix, has been kindly helping me by tutoring me in the finer points of C++ programming and object-oriented design in general. If it weren't for Dave, AIMFix wouldn't even exist, and thanks to him and my friends Warren and Jon, and others along the way, I've been able to learn and grow much faster than I ever could alone. I wish I had more time to devote to C and C++ programming, and to learning enough Win32 specifics to make big improvements to AIMFix. As it stands I'll have to be content with small updates that add up over time.

Hopefully things will mature enough someday for me to be able to release the source code, and move on to greater things than strictly AIM virus removals. You'll notice if you use the contact page that things have changed. There is now a required checkbox asking people to swear in good faith that they have actually read the instructions about sending me a HijackThis log with any requests. I'd like to think it's helped, but judging by my inbox, I get just as many emails with no information as I ever have :-\

Ah well, such is the life of those who choose to fight malware, right?

In any case, it's my hope that new AIMFix features and improvements will be coming. I'm slowly learning how to do proper software development and less hacking things together, and it's beginning to pay off. Wish me luck :)

-Jay

Aug 26, 2005 11:45AM

Updates, updates, updates! After receiving some more information on the Block-Checker malware, I spent an hour or two last night updating BlockRemove to remove as many components as I could and make it a more complete tool. There's a bit more work to be done in cleaning up the registry, but I will work on that as time allows next week.

I have also just uploaded a new version of BlasTemp today. While not many people use it (hence the lack of any updates since March of 2004), the changes were mostly internal updates to the code, and it should work better on both legacy Windows platforms (Windows 98, ME) and on NT systems like Windows 2000 or XP. I'd still like to figure out how to get lower level access to the files to get around the restrictions Windows places on the temporary directory, but I haven't really had time to dig any deeper just yet.

There will be some updates to the software page to reflect the new software versions and I should be adding a BlockRemove page shortly.

-Jay
