I guess time will tell zx.


EDIT: I've been thinking about this. I am now pretty sure it's you.

Good thing I'm too lazy to download things. (Although if I did I probably wouldn't have ran it:P)

-Epi

I think it COULD b zx. It wouldnt stop him from using an alt nick on oh say schools computer or something...not saying he did...but yea

being, it was 6 in the morning for me, i most likely would have in my 1/2 sleep 1/2 awake state not knowing what I was doing. luckily my instinct was to do nothing.

I was like: "Aww hell i have to dl something to be a forums whore -.-" then: "Wait why would we have to download a patch from tw.org....Wait why was i pmd and not it announced by Rodge or something" then the bell rang, lol(I was in school)

Actually it could be anyone, even if the ip's are whack. A lot of people on this forum attend school, giving them access to plenty of computers there. :P Its not me. Im stupid.

Only a couple of people received the message, right? Maybe we should look at the targets and see if there's a connection. (Heh, this is like an episode of Law & Order.)

I thought about that too. I didn't get it. Perhaps people who did should PM a forum mod.

Hmm...Motivation......>.>

I got the pm. It's probably zx. This nerd has begged me online for my email so he can supposedly "hack" it.
zx> so..whats your email?
zx> are you scared of telling me?
zx> i'll find your email in a couple minutes
1:a2m> LOL GIVE HIM DOCK>'S EMAIL
zx> so are you evasive on forums?

The file is a variation of the ProRat Trojan/Backdoor virus.

It can allow unauthorized access to your computer obviously, from a random network location. An inquisition into this matter brings out the probable chance that the person responsible for this wanted to collect passwords for names on subspace by utilizing the trojan's ability to log all keyboard activity into a file in the windows directory, which can later be retrieved through the trojan.

After executing the file (in this case, the one provided in the link), the file duplicates itself into either the Windows/System dir or Windows/System32 dir (depending on the version of the virus) under the name (or a similiar one) Lservice.exe or Sservice.exe, registers a couple of entries in your windows registry, and deletes itself from the initial directory in which it was executed. It can be any of these registry entries, as well as others, depending on the virus version:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe C:\<Windows System>\<Filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \
Windows Reg Services = C:\<Windows System>\<Filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\pol icies\Explorer\Run\
Windows Reg Services = C:\<Windows System>\<Filename>
DirectX for Microsoft Windows = C:\<Windows System>\<Filename>

It will also put in the following prompts into your Win.ini and System.ini files, both located in C:\Windows\:

Win.ini

Section = Windows
Parameter = Run
Value = C:\<Windows System>\<Filename>

-------

System.ini

Section = Boot
Parameter = Shell
Value : Explorer.exe C:\<Windows System>\<Filename>

A crafty compilation of these strings and prompts will keep reloading the virus each time you restart your computer. Well then what if you just erase the strings and prompts? That's where the next phase comes in.

Eventually the virus will seed the file Winkey.dll into your Windows/System dir, which is the file where the core of the virus is held. That file will monitor the variables incepted into the Win.ini and System.ini files, as well as it's registry strings, and will re-incept them each time you try to remove them the second you close the file or registry window.

Deleting Winkey.dll is not possible through Windows, since it is running itself during that time, and deleting it in Dos or before you get to windows will simply re-instate the file so long as the string variables persist.

There's a number of ways to deal with the issue. One way is to manually edit the registy in Dos as well as delete Winkey.dll there, which can be rather difficult if you don't know the regedit terminology, or you can delete the file and reinstate an older variation of your registry through Dos, assuming you have one.

As far as dealing with the Win.ini and System.ini files, you can do that through Windows. Simply move both files to a different directory, remove the variables, make the files read only until the issue is resolved, then move them back into the C:\Windows dir.

Of course, I suppose anti-virus programs have their own methods of dealing with the trojan so that you don't have to go through the hassle..

That's fucking hilarious.

I used a special anti-trojan virus program called "The Cleaner" I dont know how good it is or anything, but might try it see how it works?

Begging for your email address .... Now somthing just doesn't seem right there to me... Another xog? totally set up on fitting in and being wanted? sad


See! 100% totally solid completely untouchable evidence, it was evasive!

OMG ITS ZETA BURN!!!!!1111one

remeber he said he was a leet haxor and he could change his subnet mask and IP? Well hes gone and done this!! he's untracable!!! OMG OMG OMG