Dave U. Random
2009-03-08 06:42:52 UTC
ROTFL!
Yes, this was the funniest yet. But if you think there is even a 0.01% chance that
Puce/Kapucen has been installed on your PC you must physically remove
the connection to the internet (unplug modem cable, take out
wireless card) and call in a serious professional. Better, boot
from CD or diskette, delete all HD partitions on all drives on
all PCs on your network, do a lowlevel format and then reinstall
from read-only masters that have been scanned by at least 2-3
good AVs. Better to use new HDs, keep the old ones in a box as
evidence, maybe the cops will call depending what crimes your
PC was used for. Change all your bank/creditcards + passwords.
Puce / Kapucen is a real headache. It mainly propagates p2p by
filesharing. BTW it is officially a worm not a trojan, and other
common filesizes are 1062xx, 1064xx.
I heard the trojan used to infect the two computers at the
center of the disputes may have been found. It is packaged as
an installation program within genuine software. As found,
the deadly payload bears the filename 'setup.exe'. Other names
are possible.
It is a polymorphic (no fixed viral signature) trojan-horse
'worm' which is a dropper. It installs a simple back door in
the infected Windoze PC. This bypasses most firewalls and every
time an internet connection is made it stealthily tries to
establish a port-link to a preset IP address, peer-to-peer.
Once done, the person at that IP address can control the
infected PC, download more remote control software like B.O.,
even infect other PCs in the trusted zone of any internal
network.
In the copy found, that IP address is found, by detox, to be in
PRC. For legal reasons pending criminal investigation there
will be no public release of this IP address yet.
But that IP is probably just a host. The real controller sits
somewhere else using the PRC computer as a relay proxy,
possibly without even the knowledge of the user in PRC.
Maybe he is in the east coast, where I can think of some with
both knowledge of these things, opportunity to gift the
software to the infected target computer, and.....motive.
Now we know how Mr Truong, et al, were framed, and their
computers utilized, without their knowledge let alone
permission for nefarious purposes including spoof posting,
identity theft, improper email access etc.
Even better when the infected computer is physically moved, as
the linkup is from that computer, when it moves to a new home
and connects to the internet, it calls the mother-ship (or
MOOTER-SHip, ha). Then messages from it that are controlled by
the remote hacker/hijacker will appear to come from the new
location (example NY to MX to NY to TX)
This is the simple explanation Ulevitch, Jones and some other
great people overlooked. And their business is... what? Now the
source has been found, can we take legal action against the
"experts"?
File name: setup.exe
File size: 106496 bytes
CRC32: 6267E35E
File date: 2005/02/11 08:17:54
The date is not relevant, it could be anything depending on the
mode of malware delivery. The size may be more depending on
wrapper, but probably not less than 106496. CRC32 will be
different if the size is different. You can find CRC32 by
putting the setup.exe into an archive and looking at the CRC32
column.
VIRUS SCANNER ENGINE TEST RESULTS
AVG Win32/Puce.C
VirusBuster Worm.Kapucen.A
McAfee W32/Puce
NOD32 Win32/Kapucen.B
Kaspersky P2P-Worm.Win32.Kapucen.b
Rising Worm.Puce.a
SecureWebGateway Worm.P2P.Kapucen.Gen
PCTools Worm.Kapucen.A
Sophos W32/Puce-H
Sunbelt BehavesLike.Win32.Malware
Comodo Worm.Win32.Kapucen.B
Grisoft WORM/P2P.Kapucen.hijack.4
Prevx1 High Risk Cloaked Malware
TrendMicro WORM_KAPUCEN.B
GData Win32.Worm.P2P.Puce.G
a-squared P2P-Worm.Win32.Kapucen.b!IK
K7AntiVirus P2P-Worm.Win32.Kapucen.b
CAT-QuickHeal Win32.Worm.Puce.gen!B.4
Symantec Win32:Back.Orifice
Ikarus P2P-Worm.Win32.Kapucen.b
Artemis W32/Puce
AntiVir WORM/P2P.Kapucen.Gen
Dr.Web Win32.HLLW.Puce
Panda W32/Puce.E.worm
F-Secure P2P-Worm.Win32.Kapucen.b
Avast Win32:Kapucen-B
AhnLab-V3 Win32/Kapucen.worm.106496
TheHacker BackOrifice.Win32.dropper
Microsoft AV Worm:Win32/Puce.gen!B
ClamAV Worm.Puce.E
Fortinet W32/Kapucen.B!worm.p2p
BitDefender Win32.Worm.P2P.Puce.G
(another 9 antivirus programs failed to detect the threat)
Use Google for some of these details, e.g. setup.exe 106496
Kapucen - this is not a hoax. It does not, I think, work on
Windows 64-bit, but I do not wish to test!!
I suggest every one in the chess world should use Search in
their computer for a file meeting these characteristics. It may
be inside an archive (as this one was), or in some place you
would expect an installation file to be. Securely quarantine or
delete it. DO NOT CLICK ON IT OR OPEN IT EVEN IF YOU ARE NOT
CONNECTED TO THE INTERNET!
This is not a hoax.
http://mysite.verizon.net/vzewuo9u/brianlaffertysuscfelectionblog/index.html
Please put this information on that site. From what I saw, it will be the only useful information there. Put it next to the
section apologizing to the victims of this crime.
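The hunt the post asks for (search the machine for a setup.exe of 106496 bytes, compare its CRC32 with 6267E35E, look inside archives, and never run the file), written out as an added example that is not part of the original post or the poster's own tooling. It assumes only the Python 3 standard library; the directory tree it scans is constructed inline from zero-filled placeholders, not a real sample. The posted indicators are the defaults; the placeholder's own CRC is passed in a second pass only to show what an exact hit looks like.

```python
"""Hunt for the indicator posted above: a file named setup.exe, 106496 bytes,
CRC32 6267E35E, loose on disk or inside a ZIP archive. Added example, not the
original poster's code. Standard library only; nothing found is ever executed.
"""
import os
import tempfile
import zipfile
import zlib

# Indicators quoted from the post.
IOC_NAME = "setup.exe"
IOC_SIZE = 106496
IOC_CRC32 = 0x6267E35E


def crc32_of_file(path, chunk=1 << 20):
    """Streamed CRC32 of a file (zlib.crc32 uses the same polynomial as ZIP)."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def classify(name, size, crc, ioc_crc=IOC_CRC32):
    """Verdict for one candidate: 'exact' (name, size and CRC32 all match),
    'size' (right name, at least 106496 bytes, different CRC: possibly a
    wrapped or repacked copy, as the post allows), or None.
    CRC32 is a checksum, not a cryptographic hash: 'exact' means 'very
    probably the same bytes', and a mismatch proves nothing about a variant.
    """
    if os.path.basename(name).lower() != IOC_NAME:
        return None
    if size == IOC_SIZE and crc == ioc_crc:
        return "exact"
    if size >= IOC_SIZE:
        return "size"
    return None


def scan_zip(path, ioc_crc=IOC_CRC32):
    """Check archive members without extracting them to disk. The CRC32 in
    the ZIP directory (the 'CRC32 column' the post mentions) is cheap triage,
    but it is attacker-written metadata, so candidates are re-hashed from the
    member bytes before being reported."""
    hits = []
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if classify(info.filename, info.file_size, info.CRC, ioc_crc) is None:
                    continue
                real_crc = zlib.crc32(zf.read(info)) & 0xFFFFFFFF
                verdict = classify(info.filename, info.file_size, real_crc, ioc_crc)
                if verdict:
                    hits.append((f"{path}!{info.filename}", verdict))
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # encrypted, corrupt or unreadable archive: skip, do not crash
    return hits


def scan_tree(root, ioc_crc=IOC_CRC32):
    """Walk root; return [(location, verdict)] for loose files and ZIP members."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                if fn.lower() == IOC_NAME and size >= IOC_SIZE:
                    verdict = classify(fn, size, crc32_of_file(path), ioc_crc)
                    if verdict:
                        hits.append((path, verdict))
                if zipfile.is_zipfile(path):
                    hits.extend(scan_zip(path, ioc_crc))
            except OSError:
                continue
    return hits


def build_sample_tree(root):
    """Constructed test data, not malware: zero-filled placeholders of the
    posted size, one loose, one inside an archive, plus an undersized decoy."""
    body = bytes(IOC_SIZE)
    os.makedirs(os.path.join(root, "Downloads", "old"))
    with open(os.path.join(root, "Downloads", "setup.exe"), "wb") as fh:
        fh.write(body)
    with open(os.path.join(root, "Downloads", "old", "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + bytes(998))          # right name, far too small
    with zipfile.ZipFile(os.path.join(root, "chess_tools.zip"), "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ChessTools/setup.exe", body)
        zf.writestr("ChessTools/readme.txt", b"nothing to see")
    return zlib.crc32(body) & 0xFFFFFFFF


def demo():
    """Scan the constructed tree twice: against the posted CRC (size-only hits,
    since the placeholders are not the real sample) and against the
    placeholder's own CRC (exact hits, loose and in-archive)."""
    with tempfile.TemporaryDirectory() as root:
        sample_crc = build_sample_tree(root)
        against_post = sorted(v for _, v in scan_tree(root))
        against_sample = sorted(v for _, v in scan_tree(root, sample_crc))
    return against_post, against_sample


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g. a drive root or home directory
        for loc, verdict in scan_tree(sys.argv[1]):
            print(verdict, loc)
    else:
        print(demo())
```

Run it with a directory argument to hunt for real; with no argument it runs the constructed demo. A 'size' hit only says the name and size line up, so treat it as a lead for a proper AV scan rather than proof, and remember that the post itself warns the size and CRC change once the file is wrapped.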