Author Topic: Alert - New virus on the loose  (Read 15841 times)


Offline Chmera

  • Posts: 419
    • View Profile
Alert - New virus on the loose
« on: July 07, 2006, 04:04:58 PM »
Our own Mr. Ksoft's been taken down by it, as well as Conway. The Z-Bomb virus is inverse - the better your antivirus software, the more damage it does. Sunrise (you may know the jerk) has been spreading it. I'm not going to tell you its URL, but watch out for any addresses containing 'z-bomb'. Especially from Sunrise's friends.

Apparently he made it and spread it simply because he was bored. I am alerting his nearest Sunshine Home for Psychopaths as we speak.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #1 on: July 07, 2006, 06:11:13 PM »
...

I've been taken down by it?  Really?  Hm.  My computer seems fine; in fact I have a virus scan running right now and it would notice something suspicious :P

I'm curious about this.  Google brings up nothing, so it seems to be new and unknown.  More details?

EDIT: Hm, Sunrise sent me an 'MP3' called "Massive Damage" but I never opened it.  Whaddya bet it's the virus? *delete*

EDIT AGAIN!!!!!: Before I deleted it, I opened it in a hex editor on a whim.  Here is a legible bit of text I found in the ANSI data:

Quote from: The so called MP3 file
Z-Bombed.txt You have received the Z-Bomb.  Have a nice day.

Thank GOD I didn't open that thing!!!!!!!!!!!

If you receive a suspicious MP3 file, GET A HEX EDITOR AND CHECK IT FIRST.  The one I got was called "Psycho Gun - Massive Damage.mp3" and it sure as hell wasn't one.

I am going to spread the word a bit, get the warning out before that asshole goes widespread with it.

EDIT3: I'm making a list of addresses that are suspicious/known to spread ZBomb.  Can someone help me out?  I need Sunrise's MSN/email so I can post it up to make people aware... or maybe spam him.  So basically, list of MSN's for Sunrise and all his friends.  Also, maybe a list of affected people?  I need to make sure people see this as a real threat.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #2 on: July 07, 2006, 09:56:47 PM »
It is about time for me to say... WTF! :huh2:

I'm interested to know how it works (and what it does), especially because of this:
Quote
The Z-Bomb virus is inverse - the better your antivirus software, the more damage it does

Could you PM it to me?

Also, how did you find out? (ATM I doubt it even exists, but I'm still curious :winktounge:)

Offline Chmera

  • Posts: 419
    • View Profile
Re: Alert - New virus on the loose
« Reply #3 on: July 07, 2006, 10:57:00 PM »
I asked the jerk himself, Sunrise. He told me everything but the code, pretty much. It doesn't delete anything, thankfully, but just makes the computer freeze and reboot. Annoying more than anything else, but still. Beware yon Jerkrise, for thou's compy may not return alive.

Offline Mindless

  • Posts: 719
  • Inactive - may respond to PM.
    • View Profile
Re: Alert - New virus on the loose
« Reply #4 on: July 08, 2006, 12:08:19 AM »
Gimme a copy too. :wink:

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #5 on: July 08, 2006, 12:08:49 AM »
You know, I tried executing that disguised MP3 Sunrise sent me via a virtual machine, and it refused to start.  Though that may be because the only OS I have is a crippled, slimmed down version of WinXP.  *needs to find Media Player and then try it*

And technically, with the "more damage" thing, it could basically just look for certain Anti-Virus programs and hack them out.  That's what it means.

I spread the word, now with this info Chmera has squeezed out of him.  They respond with "Lol script kiddie".

I guess if people want it I could send the MP3.  Dunno if it's an actual working copy.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #6 on: July 08, 2006, 02:42:13 AM »
Updateyness.  I've been talking with Sun himself.

Quotes from conversation:

Quote
sunriseh@maxnet.co.nz says (9:29 PM):
Crap antivirus = Crap Z-Bomb results
Good antivirus = Z-Bomb pwns you
It's an old trick really, I just amplified it in a few ways
(And hid a couple of secret messages in it)

Quote
sunriseh@maxnet.co.nz says (9:30 PM):
Haha, so your antivirus doesn't automatically scan new received files?
\\Mr. Ksoft - DEVIANTART http://ksoftman.deviantart.com/ // says (9:30 PM):
Not to my knowledge.
sunriseh@maxnet.co.nz says (9:30 PM):
That's why it didn't have any immediate effect
If it had've scanned it as soon as you had've received it, you'd've received instant pwnage
Quote
sunriseh@maxnet.co.nz says (9:31 PM):
Scan on startup would probably mean you'd get locked out of your computer until you manually deleted the file (or your antivirus)
Haha, I know EXACTLY how it works   It's a very simple trick
Quote
sunriseh@maxnet.co.nz says (9:35 PM):
Basically, upon scanning, you get pwned
It's one of the oldest tricks in the book... just improved and disguised better
\\Mr. Ksoft - DEVIANTART http://ksoftman.deviantart.com/ // says (9:35 PM):
Hm.  Was I pwned then if I manual-scanned it.
sunriseh@maxnet.co.nz says (9:36 PM):
Btw - if you actually can get into the tricks of how it works (not hard), there are a couple of secret messages hidden in it
Most likely.
\\Mr. Ksoft - DEVIANTART http://ksoftman.deviantart.com/ // says (9:36 PM):
Odd, computer is working fine.  In fact, it's working better.
OWNED
sunriseh@maxnet.co.nz says (9:36 PM):
Hm, maybe it's only on automatic scans then. I don't know exactly what the results will be. All I know is that 99.99% of the time it won't cause any irreversible damage
\\Mr. Ksoft - DEVIANTART http://ksoftman.deviantart.com/ // says (9:37 PM):
So it's not what I thought it was.  It's fixable then.  I had the feeling it zapped your disks, crippled Winblowz, etc.
sunriseh@maxnet.co.nz says (9:37 PM):
No
sunriseh@maxnet.co.nz says (9:38 PM):
It could in theory flood your hard drive until all the space is used up, but that's reversible by deleting
I also doubt that'd happen very often

k, show's over kids.   Nothing serious.  lol script kiddie.

EDIT:  More on the inner workings of this thing.  Sunrise has asked that I only post its capabilities and figures.

I'll just say that it has to do with 560GB, and depending on your virus scanner's scanning habits, that will make it nail you faster/slower.   Also it is reversible.

Sunrise also challenges you to find out how it works by getting it from http://z-bomb.cabspace.com/  .  Disable your virus scanner before downloading/messing with, just for safety.  Hint: HEADER!

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #7 on: July 08, 2006, 03:08:26 AM »
Hehe he's a n00b. :wink:

EDIT: What the hell... it doesn't do anything whatsoever.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #8 on: July 08, 2006, 03:15:21 AM »
Then obviously your antivirus sucks :P

Just don't scan it, that's all I'll say.  Try and figure out how it works.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #9 on: July 08, 2006, 03:17:25 AM »
Umm... I scanned it twice... my compy is fine...

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #10 on: July 08, 2006, 03:19:46 AM »
Whoa.  Interesting.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #11 on: July 08, 2006, 03:23:37 AM »
......................

It's just an unusually deep zip archive..... nothing more. According to my antivirus and my disassembler.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #12 on: July 08, 2006, 03:27:16 AM »
Yes.  Do you know how it cripples your computer when it gets scanned?

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #13 on: July 08, 2006, 04:37:17 AM »
It doesn't. At least not for my antivirus. It just takes a few minutes to scan, which has no effect on the rest of my comp.

EDIT: I suppose if your antivirus ran at a  high priority level it would freeze your comp for a bit, but that would still be fairly easy to fix.

EDIT2: Here are the messages:

Z-Bombed.txt - You have received the Z-Bomb. Have a nice day.

The Z-Bomb.txt - Welcome to the Z-Bomb. Can you find the three secret messages?

bomb.zip>>Z-Bombed.txt - You have received the Z-Bomb. Have a nice day.

Offline Mindless

  • Posts: 719
  • Inactive - may respond to PM.
    • View Profile
Re: Alert - New virus on the loose
« Reply #14 on: July 08, 2006, 04:53:40 AM »
Yeah... it's just nested archives of 7mB files of "z"s... hence the name z-bomb (if you completely expanded all the files your hard disk would be filled with worthless "z"s)

My anti-virus is very good... so good, in fact, that it does not detect this lame excuse for a "virus"... because it isn't one.  As of right now, it's still scanning deep into the reaches of the nested archives... not slowing my computer a bit.

Edit: a message (from bomb.zip->4.zip->l.zip->e.zip->x)
Quote
i love you alexa, why don't you love me?!

Edit: another message (from bomb.zip->8.zip->e.zip->o.zip->n)
Quote
destruction is imminent do not try to survive   --eon8

Edit: i'm fairly certain that he forgot to put in the third message... LAME!

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #15 on: July 08, 2006, 05:05:02 AM »
Heh, I think I'll search the depths. :winktounge:

EDIT: I checked the CRC of the files in the first level... the only different ones have different sizes

EDIT2: All unique messages have been found. :winktounge: maybe the third is "Z-Bombed.txt" which is randomly distributed all over it.... or he's just an idiot and forgot.

Offline Chmera

  • Posts: 419
    • View Profile
Re: Alert - New virus on the loose
« Reply #16 on: July 08, 2006, 12:56:06 PM »
Looks like this thing is just a flaming sack of crap. But hey, you never can tell, can you?  :tongue:

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #17 on: July 08, 2006, 07:46:49 PM »
Here's a challenge: Make a zip file less than 16k (16384 bytes) with as many nodes as possible. A node is any file within the starting zip file. extensions aren't necessary.

EDIT: Sunrise's (13693b) contains 170842, just to give you an idea.

Offline Mindless

  • Posts: 719
  • Inactive - may respond to PM.
    • View Profile
Re: Alert - New virus on the loose
« Reply #18 on: July 08, 2006, 08:15:42 PM »
without nesting, i can get 208 :/

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #19 on: July 08, 2006, 10:29:34 PM »
Sunrise managed a very impressive ratio for most of the files... 90-99% :huh2:

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #20 on: July 09, 2006, 12:28:18 AM »
...and most are blank probably.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #21 on: July 09, 2006, 05:11:45 AM »
Have you looked in it yet? The entire thing extracted would be several TB.

lomay

  • Guest
Re: Alert - New virus on the loose
« Reply #22 on: July 09, 2006, 11:38:10 AM »
YOU have a deviantart account!? O_o ...*adds you*

edit: wait...i can't. :sad: *makes a topic about it*
edit2: *added* and it took long :angry:

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #23 on: July 09, 2006, 12:28:30 PM »
Ahem. offtopic.

Tseug, not TB.  Sunrise said it's 560GB.  I don't have much drive space left so I haven't actually extracted and examined anything.

lomay

  • Guest
Re: Alert - New virus on the loose
« Reply #24 on: July 09, 2006, 12:30:21 PM »

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #25 on: July 09, 2006, 07:02:23 PM »
According to my calculations it's 1.225 TB, which is roughly twice what he said... :huh:
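
Added example, not part of the original thread: a defensive pre-scan check for the kind of nested archive Mindless and tseug describe above, counting nodes and declared expanded size without unpacking leaf files and stopping at fixed budgets. The function names, the budget values and the small sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

class BudgetExceeded(Exception):
    """Raised as soon as the archive crosses one of the scan limits."""

def audit_zip(data, max_depth=4, max_nodes=10_000, max_expanded=50 * 2**20):
    """Walk a possibly nested zip in memory without extracting leaf files.

    Leaf sizes are the declared sizes from each archive's directory; only
    nested archives are decompressed, and only within the size budget.
    """
    stats = {"nodes": 0, "expanded_bytes": 0, "max_depth": 0}

    def walk(blob, depth):
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise BudgetExceeded(f"nesting depth {depth} exceeds {max_depth}")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                stats["nodes"] += 1
                if stats["nodes"] > max_nodes:
                    raise BudgetExceeded(f"more than {max_nodes} nodes")
                if info.is_dir():
                    continue
                child = None
                with zf.open(info) as fh:
                    head = fh.read(4)  # identify by magic bytes, not by name
                    if head == b"PK\x03\x04":
                        if info.file_size > max_expanded:
                            raise BudgetExceeded("nested archive larger than budget")
                        child = head + fh.read()
                if child is not None:
                    walk(child, depth + 1)
                else:
                    stats["expanded_bytes"] += info.file_size
                    if stats["expanded_bytes"] > max_expanded:
                        raise BudgetExceeded(
                            f"expanded size exceeds {max_expanded} bytes")

    try:
        walk(data, 1)
        reason = None
    except (BudgetExceeded, zipfile.BadZipFile, RuntimeError) as exc:
        reason = str(exc)  # RuntimeError covers encrypted members
    ratio = stats["expanded_bytes"] / max(len(data), 1)
    return {"ok": reason is None, "reason": reason, "ratio": ratio, **stats}

def build_sample():
    """Constructed, deliberately small sample: 3 layers, 3 children per
    layer, innermost files are 64 KiB of b'z'."""
    def layer(level):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(3):
                if level == 3:
                    zf.writestr(str(i), b"z" * 65536)
                else:
                    zf.writestr(f"{i}.zip", layer(level + 1))
        return buf.getvalue()
    return layer(1)

if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), "bytes on disk ->", audit_zip(sample))
    print("depth limit 2 ->", audit_zip(sample, max_depth=2))
```

A scanner that enforces budgets like these gives up on the archive early instead of spending minutes descending through every layer.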

Offline chaos_defrost

  • Posts: 908
  • the artist formerly known as Insane Steve
    • View Profile
Re: Alert - New virus on the loose
« Reply #26 on: July 10, 2006, 01:22:37 AM »
Quote
i love you alexa, why don't you love me?!

A bit off topic, but I remember from when Sunrise/Steaver used to visit the forums regularly, he seems to have a LOT of problems with girls. That's like the fourth or fifth person he's "loved", if my memory serves me correctly, which it may not.

Still four or five more than me, though.  :angry:
"Why get so serious about a game like this?"

~"Beat" Takeshi Kitano

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #27 on: July 10, 2006, 03:47:32 AM »
Same here :P

I'm searching for the last message; nothing's come up yet.

Lemming

  • Guest
Re: Alert - New virus on the loose
« Reply #28 on: July 10, 2006, 12:37:41 PM »
Found it. Won't say where, unless you want me to.

Quote
all your base are belong to us

Pretty lame, huh?

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #29 on: July 10, 2006, 10:57:37 PM »
O_o I already gave up on finding it... but I didn't search the txt files.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #30 on: July 10, 2006, 11:49:27 PM »
I would think all the txts say "You have been Z-Bombed" etc.  But hey, it's over.

Good work Lemming.

EDIT:  Oh, and yesterday Sunrise said that he's making a new way to spread it to n00bs.  Apparently a way that makes it actually seem like a legit file or something.

Offline Chmera

  • Posts: 419
    • View Profile
Re: Alert - New virus on the loose
« Reply #31 on: July 11, 2006, 02:27:51 PM »
'All your base are belong to us'? It was definitely made by Jerkrise. I admire your patientness, Lemming. I'd have had a go but I just don't have the time. =P

Lemming

  • Guest
Re: Alert - New virus on the loose
« Reply #32 on: July 12, 2006, 03:16:53 PM »
Haha, for all you know it could be hidden in my sig. Of course, unless your antivirus scans all your viewed images AND it reacts to the Z-Bomb in a bad way, you'd never notice (as the file if downloaded only takes up 13KB on your hard drive unexpanded).

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #33 on: July 12, 2006, 03:26:34 PM »
Hello, Sunrise.  I'm safe, ha.  And it's not in your sig...

It's in your AVATAR!  *removal*  *permaban, because that is what I must do for an arse like thou*

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #34 on: July 12, 2006, 08:06:01 PM »
*claps* :laugh:

Wow he is such a n00b... there is absolutely no reason an antivirus would scan images. That would just waste time.

EDIT: Well I suppose it could end up in the cache... but his "virus" doesn't even work anyways. :winktounge:

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #35 on: July 12, 2006, 09:06:41 PM »
It does if you've got Norton cranked up to max security.

BTW, the Sunrise ordeal is not over yet.  I've received six emails today asking for me to reset my password because I forgot it.  I have good reason to believe he's trying to guess it.  What a fag.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #36 on: July 12, 2006, 09:26:41 PM »
Norton is pretty bad... probably the antivirus his archive is aimed at.

Could you give me all the IP's he's posted from? I might be able to do something with them. :winktounge:

EDIT: IMO he is a bitch, but fag works too...

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #37 on: July 12, 2006, 09:39:51 PM »
They won't be much help; while I tried to talk with him, he let it slip that he's got a proxy.

According to the ban list, here's all of Sunrise I've banned so far.

69.158.110.*
193.194.68.*
203.89.160.83
207.44.210.*

Not helpful.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #38 on: July 12, 2006, 09:46:57 PM »
Thought so. Try getting him to send something over msn. (probably still a proxy, but worth a try...)

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #39 on: July 12, 2006, 09:55:14 PM »
How would that help?  He'd probably just send me a trojan.

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #40 on: July 12, 2006, 09:58:46 PM »
If he's only using web based proxies, his real IP would show up as the sender. If he's using proxies for all communication over the internet (a little harder to set up), it wouldn't.

Offline Mr. K

  • Posts: 793
  • Former admin, always Lemmings fan
    • View Profile
    • Wafflenet
Re: Alert - New virus on the loose
« Reply #41 on: July 12, 2006, 10:13:00 PM »
Hm.  For the record, I've never seen an IP address show up when someone sends a file via MSN...

Offline Mindless

  • Posts: 719
  • Inactive - may respond to PM.
    • View Profile
Re: Alert - New virus on the loose
« Reply #42 on: July 13, 2006, 12:32:26 AM »
Assuming a file transfer is a TCP connection (it probably is) you can use TCPView to get the IP address.  I don't see how that will help unless you want to hack his computer...

tseug

  • Guest
Re: Alert - New virus on the loose
« Reply #43 on: July 13, 2006, 12:42:07 AM »
I was planning on using him as a test subject for a DoS attack. :devil:

Offline Chmera

  • Posts: 419
    • View Profile
Re: Alert - New virus on the loose
« Reply #44 on: July 14, 2006, 12:19:40 PM »
Go for it, dude! *cheers tseug on*

lomay

  • Guest
Re: Alert - New virus on the loose
« Reply #45 on: July 14, 2006, 08:07:42 PM »
Quote
If he's only using web based proxies, his real IP would show up as the sender. If he's using proxies for all communication over the internet (a little harder to set up), it wouldn't.

I can't believe he's still on my AIM list. D:
*blocks him*

Offline Liebatron

  • Posts: 542
    • View Profile
Re: Alert - New virus on the loose
« Reply #46 on: July 19, 2006, 06:34:50 PM »
I don't know what a web proxy is or what half of the things you guys just said are, and I don't have a hex editor, under those conditions, how can I tell if the thing's a virus or not?

BLAZE

  • Guest
Re: Alert - New virus on the loose
« Reply #47 on: July 22, 2006, 01:43:14 AM »
That thing? Rename it to .zip and open with WinZip.

Offline Timballisto

  • Posts: 941
    • View Profile
Re: Alert - New virus on the loose
« Reply #48 on: July 22, 2006, 11:40:00 PM »
Hey Ax don't listen to that.  I mean, having read the past posts you probably would have realized that but, whatever.

Wow...now did you really think he was going to fall for that?  He's smarter than that, even if he doesn't know the stuff.

Offline Liebatron

  • Posts: 542
    • View Profile
Re: Alert - New virus on the loose
« Reply #49 on: September 08, 2006, 08:50:20 PM »
Honestly, I didn't even read that post until after Timballisto posted his post. Also, I realised that it wouldn't matter anyways. I don't know how to check for email attachments, and don't know how to open them either.
This is a good color, I think.