#1 |
|
Guest
Posts: n/a
|
New Variant of Gpcode Found
Has everyone heard about this one?

From ZDNet
"Virus analysts at Kaspersky Lab have intercepted a new variant of Gpcode, a malicious virus that encrypts important files on an infected desktop and demands payment for a key to recover the data."

http://blogs.zdnet.com/security/?p=1251&tag=nl.e539

max

--
Virus Removal http://max.shplink.com/removal.html
I block all spam/googlegroupers-you can too! http://improve-usenet.org/index.html
Change nomail.afraid.org to gmail.com to reply by email.
|
|
|
#2 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
From: "What's in a Name?" <maxwachtel@nomail.afraid.org>
| Has everyone heard about this one?
|
| From ZDNet
| "Virus analysts at Kaspersky Lab have intercepted a new variant of
| Gpcode, a malicious virus that encrypts important files on an infected
| desktop and demands payment for a key to recover the data."
|
| http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
|
| max

Yepper...

My understanding is miscreants are using Blog Spots to help spread this Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
|
|
|
#3 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
"What's in a Name?" wrote in
<news:484d77aa$0$3349$4c368faf@roadrunner.com>:

> Has everyone heard about this one?
>
> From ZDNet
> "Virus analysts at Kaspersky Lab have intercepted a new variant of
> Gpcode, a malicious virus that encrypts important files on an infected
> desktop and demands payment for a key to recover the data."
>
> http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
>
> max

NOTE: Inappropriate use of FollowUp-To header was ignored. Original list of newsgroups was used for this reply.

--- Rant on inappropriate use of the FollowUp-To header ---

Don't use the FollowUp-To header. Posting to, say, 3 newsgroups but moving replies to just 1 of them or to a completely different one means you disconnect the visitors of those other 2 (or 3) newsgroups from the rest of the discussion. If a newsgroup is appropriate for your post then it is also appropriate for the replies. Or, conversely, if the continued discussion of your post is not appropriate in all the newsgroups to which you cross-posted then you should not have posted to those other newsgroups in the first place. You are using the FollowUp-To header to move replies to YOUR "home" newsgroup but which the users of the other newsgroups may not visit. After all, if you cross-post and include your "home" newsgroup then you'll see all those replies in your home newsgroup and meanwhile all the other users can still see the replies in their newsgroup where you decided to also publish your post.

In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a cross-post, you may want to set the Followup-To: header line to the most suitable group for the rest of the discussion". Read another way, that means you disconnect the discussion from all the visitors of the other newsgroups to which you decided to publish your post. Why did you publish to those other newsgroups if you are going to yank the discussion away from those users and perhaps even from the respondents you were attempting to elicit?

It is exasperating to post a reply and never see it in the newsgroup where you read the original post. If your post was appropriate for all the groups to which you cross-posted then why wouldn't those same groups be appropriate for the replies? To yank away the discussion to your "home" group is rude since that is probably not the "home" group for your respondents. You wanted replies which may require further replies but now your respondents no longer see the thread in the newsgroup that they visit to where you published your post. Also, the respondents may not know if their reply is appropriate in the "home" group that you happen to choose.

In general, malcontents and spammers use the FollowUp-To header to hide negative replies to their flame or spam posts, often sending the replies off to a *.test newsgroup. Is that the company of users to which you want to be associated?

There are some cases where FollowUp-To should be used. For example, say a newsgroup is supposed to only get used for citing the content of a spam e-mail. Discussions about that spam are not supposed to be published in that citing newsgroup. Just the exhibits are published there. If someone wants to discuss that particular spam, their replies should go into a different newsgroup meant for those discussions. I believe that is how some of the NANAE newsgroups operate but the principle may apply elsewhere; however, it is a rare few newsgroups where FollowUp-To is appropriate. For the vast majority of newsgroups, FollowUp-To is *not* appropriate.

If you do not want to continue the discussion in the other newsgroups then don't cross-post over there to only then use FollowUp-To to yank away the continued discussion. If the discussion is not appropriate in those other newsgroups then it seems you have self-nominated your post to be off-topic and hence spam.

If you do use the FollowUp-To header, you are expected per netiquette to alert the readers of your post that you used that header. Be polite and add a note (at the start of your post) saying that you used the header (ex., "WARNING: FollowUp-To was used and points to <newsgroup>"). You might also want to explain why you consider any further discussion in the other newsgroups is inappropriate despite your rudeness in posting to those other newsgroups. Many times respondents wonder where their reply post went because they expect to see it in the group they visited and where they read your post. Not all NNTP clients alert the user that the poster used the FollowUp-To header.

Think about it: you post to multiple newsgroups but yank the replies to a different newsgroup than where your respondents visited, then you need more help and reply to those replies but which are now only in your "home" newsgroup, but the respondents won't see their posts nor will they see your replies to them asking for more help.

FollowUp-To is not required when you cross-post since your "home" newsgroup should be one of those that were specified in the list of newsgroups. You'll watch the discussion in your home newsgroup and the respondents or lurkers can watch that same discussion in their own newsgroup. If you don't want replies to show up in all the newsgroups to which you cross-posted then don't cross-post over there in the first place!

When crossposting, there are not multiple copies of your post that waste bandwidth for each to get them propagated to other NNTP servers and there aren't multiple copies of your post consuming disk space. A single copy gets sent to the other NNTP servers and a single copy resides on each NNTP server with pointers to it to make it show up in multiple newsgroups. You aren't saving bandwidth or disk space by redirecting replies for a cross-posted message to a single newsgroup. You are just being rude to the visitors of the other newsgroups to which you cross-posted but tried to yank away the discussion.

--- End of rant ---
|
|
|
#4 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
What's in a Name? <maxwachtel@nomail.afraid.org> wrote in news:484d77aa$0$3349$4c368faf@roadrunner.com:

> Has everyone heard about this one?
>
> From ZDNet
> "Virus analysts at Kaspersky Lab have intercepted a new variant of
> Gpcode, a malicious virus that encrypts important files on an infected
> desktop and demands payment for a key to recover the data."
>
> http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
>
> max

I haven't seen this one, but this has been done before.....

--
Regards,
Dustin Cook - http://bughunter.it-mate.co.uk
BugHunter v2.2e AntiMalware Removal Utility
|
|
|
#5 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
On 6/9/2008 7:17 PM, Dustin Cook after much thought, came up with this jewel:

> What's in a Name? <maxwachtel@nomail.afraid.org> wrote in news:484d77aa$0$3349$4c368faf@roadrunner.com:
>
>> Has everyone heard about this one?
>>
>> From ZDNet
>> "Virus analysts at Kaspersky Lab have intercepted a new variant of
>> Gpcode, a malicious virus that encrypts important files on an infected
>> desktop and demands payment for a key to recover the data."
>>
>> http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
>>
>> max
>
> I haven't seen this one, but this has been done before.....

Seems that VXers have been busy the last 18 months.
If this one starts spreading, only working backups can save you.

--
Virus Removal http://max.shplink.com/removal.html
I block all spam/googlegroupers-you can too! http://improve-usenet.org/index.html
Change nomail.afraid.org to gmail.com to reply by email.
|
|
|
#6 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
VanguardLH wrote:

> "What's in a Name?" wrote in
> <news:484d77aa$0$3349$4c368faf@roadrunner.com>:
>
>> Has everyone heard about this one?
>>
>> From ZDNet
>> "Virus analysts at Kaspersky Lab have intercepted a new variant of
>> Gpcode, a malicious virus that encrypts important files on an
>> infected desktop and demands payment for a key to recover the data."
>>
>> http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
>>
>> max
>
> NOTE: Inappropriate use of FollowUp-To header was ignored. Original
> list of newsgroups was used for this reply.
>
> --- Rant on inappropriate use of the FollowUp-To header ---
>
> Don't use the FollowUp-To header. Posting to, say, 3 newsgroups but
> moving replies to just 1 of them or to a completely different one
> means you disconnect the visitors of those other 2 (or 3) newsgroups
> from the rest of the discussion. If a newsgroup is appropriate for
> your post then it is also appropriate for the replies. Or,
> conversely, if the continued discussion of your post is not
> appropriate in all the newsgroups to which you cross-posted then you
> should not have posted to those other newsgroups in the first place.
> You are using the FollowUp-To header to move replies to YOUR "home"
> newsgroup but which the users of the other newsgroups may not visit.
> After all, if you cross-post and include your "home" newsgroup then
> you'll see all those replies in your home newsgroup and meanwhile all
> the other users can still see the replies in their newsgroup where
> you decided to also publish your post.
>
> In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a
> cross-post, you may want to set the Followup-To: header line to the
> most suitable group for the rest of the discussion".

Exactly. He did the right thing.

> Read another
> way, that means you disconnect the discussion from all the visitors
> of the other newsgroups to which you decided to publish your post.

In your not-humble, ignorant opinion.

<snipped evidence that Vanguard has way too much time on his hands and a boulder on his shoulder>

You're a control freak.

Now say something about my sig.

--
Rhonda Lea Kirk Fries

If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way. - Bertrand Russell
|
|
|
#7 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
On Tue, 10 Jun 2008 09:33:40 -0400, "Rhonda Lea Kirk Fries" <nimue@databasix.com> wrote:

>> In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a
>> cross-post, you may want to set the Followup-To: header line to the
>> most suitable group for the rest of the discussion".
>
> Exactly. He did the right thing.

I agree with Mr Vanguard. The FAQ is wrong (if that's what it actually still says).

Jim.
|
|
|
#8 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
James Egan wrote:

> On Tue, 10 Jun 2008 09:33:40 -0400, "Rhonda Lea Kirk Fries"
> <nimue@databasix.com> wrote:
>
>>> In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a
>>> cross-post, you may want to set the Followup-To: header line to the
>>> most suitable group for the rest of the discussion".
>>
>> Exactly. He did the right thing.
>
> I agree with Mr Vanguard. The FAQ is wrong (if that's what it actually
> still says).

http://www.cs.tut.fi/~jkorpela/usenet/xpost.html

See the last paragraph.

http://www.cybernothing.org/faqs/net-abuse-faq.html#2.3

We just disagree on this. What Max did is still the standard, regardless of opinions to the contrary.

--
Rhonda Lea Kirk Fries

If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way. - Bertrand Russell
|
|
|
#9 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
"Rhonda Lea Kirk Fries" wrote in
<news:g2lvnm$6lt$1@blackhelicopter.databasix.com>:

> VanguardLH wrote:
>
>> NOTE: Inappropriate use of FollowUp-To header was ignored. Original
>> list of newsgroups was used for this reply.
>>
>> --- Rant on inappropriate use of the FollowUp-To header ---
>>
>> Don't use the FollowUp-To header. Posting to, say, 3 newsgroups but
>> moving replies to just 1 of them or to a completely different one
>> means you disconnect the visitors of those other 2 (or 3) newsgroups
>> from the rest of the discussion. If a newsgroup is appropriate for
>> your post then it is also appropriate for the replies. Or,
>> conversely, if the continued discussion of your post is not
>> appropriate in all the newsgroups to which you cross-posted then you
>> should not have posted to those other newsgroups in the first place.
>> You are using the FollowUp-To header to move replies to YOUR "home"
>> newsgroup but which the users of the other newsgroups may not visit.
>> After all, if you cross-post and include your "home" newsgroup then
>> you'll see all those replies in your home newsgroup and meanwhile all
>> the other users can still see the replies in their newsgroup where
>> you decided to also publish your post.
>>
>> In http://www.faqs.org/faqs/usenet/primer/part1/, it says, "For a
>> cross-post, you may want to set the Followup-To: header line to the
>> most suitable group for the rest of the discussion".
>
> Exactly. He did the right thing.
>
>> Read another
>> way, that means you disconnect the discussion from all the visitors
>> of the other newsgroups to which you decided to publish your post.
>
> In your not-humble, ignorant opinion.

You can't even follow the logic, can you? What the hell do you think happens when the FollowUp-To header is used (and obeyed)?

Those FAQs regurgitate netiquette that is over 20 years old and were based on NNTP clients actually notifying their users that a FollowUp-To header had been used or it could be seen in the console-mode NNTP client when it displayed the headers. Some NNTP clients will show the FollowUp-To header and some even alert that a post used it when you reply. Many NNTP clients provide no such information.

Also, you will notice that those FAQs never qualify why they are recommending that behavior. They just regurgitate what they read somewhere else. If someone told you that you needed their fantastic memory defragmentation program without explaining why, would you actually get it despite that memory access is random, anyway?

> You're a control freak.

I didn't realize that I had such a huge virtual gun pointed at his and your heads that you considered my replies as anything other than a strong suggestion regarding netiquette. Obviously you're too lazy to figure out the logic in the use of that header and are some lemming that follows what someone wrote in a "FAQ". Okay, so continue being a lemming and follow my "FAQ". Duh! Like anyone can prevent you from making your own anarchical choices in Usenet, uh huh.

Apparently you can't even figure out that you are spewing your own opinion regarding the use of this header. Gee, then you must be a control freak, too. (rolls eyes)
|
|
|
#10 |
|
Guest
Posts: n/a
|
Re: New Variant of Gpcode Found
"What's in a Name?" wrote in
<news:484d77aa$0$3349$4c368faf@roadrunner.com>:

> Has everyone heard about this one?
>
> From ZDNet
> "Virus analysts at Kaspersky Lab have intercepted a new variant of
> Gpcode, a malicious virus that encrypts important files on an infected
> desktop and demands payment for a key to recover the data."
>
> http://blogs.zdnet.com/security/?p=1251&tag=nl.e539
>
> max

NOTE: FollowUp-To ignored. Reply posted to original list of newsgroups.

From a cursory scan of the articles and the ones to which is linked, and from the dearth of information provided there, the pest infiltrates a system and then encrypts files to hold them ransom until the user pays to get a utility to decrypt them. The pest itself is not encrypted (as something would have to be unencrypted to decrypt it to run that executable but that that other program is the pest). So the pest itself would still be detectable even if morphed (since polymorphism for a large number of variants will vaporize when the program gets loaded into memory). So the anti-malware products could still alert on the pest based on signature and definitely on heuristics if loaded (by watching which apps use the crypto API).

Maybe this threat will make some users realize that they really should be doing regular backups.
|
|
|