Category: Geeks r Us
Hello everyone. For whatever reason I reboot my laptop 2 days ago and I get no speech. No jaws, no window eyes, no nvda, no narrator. You heard me right, nothing worked. I didn't feel like dealing witht the issue, so I just formatted. Since I have all my data backed up anyway I don't really care, however I don't understand how I got it, but a format worked just fine. I really hope someone finds out what the hell this thing is, because I know for a fact none of my files I have are infected, and the files I do get from people are trustable. I figured UI'd put this out there because I was not even touched when this thing originally came out.
Perhaps it was just your sound card?
I don't think so. He called me on skype, and he said that he heard the windows sounds, and everything else, but he had no speech whatsoever.
i haven't heard of anyone else getting it yet, so i'm not sure
Thanks for the heads-up re: the SAPI infection. Beware, all.
Has anyone using a mac gotten it? This is probably a stupid question, but I just thought I'd be the idiot who asked it.
NO this is not going to effect the mac. The mac does not use sapi voices so that is good. However, I am just dumbfounded how I got this thing. I realy would make a backup though, But since I just got this new mac I will be coming on here more.
Hi,
Well unless there's a new variant of it, just add an 'a' folder to the windows folder. (Windows/A) It won't run anymore. Ah, well for those who don't know, I'm a computer security freak. I coded the useless script that prevents running on this thing. Just add that folder. It won't execute on a Mac. I reported the virus to uh..Sophos Anti-Virus, they put it in the database, and a blog post on it. This thing is not a worm, it's a trojan horse. I've seen it hidden in JAWS cracks, however submissions detail that they do not run cracked JAWS. So just add the folder and move on... I'm also 12 years old.
Ryan, I have done this and tht doesn't even work. I have done c:windows/a and windows/A and neighter of those work. I didn't want to screw with it like I said so I jsut formatted. So i am just warning those of you someone might be getting this again.
Good to know that its not on the macs. I got nothing to worry about, well, until I give this mac back. :(
Your'e safe; SAPI is a Windows thing.
To post 8, is Sophos the only Antivirus prog that has this trojan in its database?
This thing obviously is morfing of some kind and it not letting it's victims loose. In any events, ryan, you may have to find a way to fix this issue, and if you don't mind, how did you code this script? If you fixed the issue, then you know what the issue was, and if if you knew what the issue is, then how can we all prevent it from happening again?
so, what are they calling this thing? and if we know the name of the files, cant we just do a computer search and find the shit and delete the damn things?
This is the JSAPI virus, I think. It affects Windows machines that use SAPI (Speech Application Programming Interface).
Hi,
Well between me and Tyler Spivey, which some of you know as a former black hat hacker, helped me with finding out how this thing works. It has been changed. I coded the script in autoit, it simply creates a directory of a in the windows folder. To post 14, it is "hooked" into files, meaning windows the pest say "oh no! don't delete that, I need that!". It becomes part of a system file. To my knowledge, McAfee and Sophos are the only 2 that have it in there database. Here's the analysis for the one the a folder prevents:
roj/KillJWS-A is a Trojan for the Windows platform.
When Troj/KillJWS-A is installed the following files are created:
<Windows>configsvchost.exe
<Windows>mci32.exe
<System>securityService.dll
The following registry entries are created to run code exported by securityService.dll on startup:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifysecurityService
DllName
securityService.dll
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifysecurityService
impersonate
0
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifysecurityService
Startup
startup
After 26 December 2007 Troj/KillJWS-A will terminate the following processes related to speech synthesis and speech recognition software:
jfw.exe
hal.exe
narrator.exe
wineyes
speech32
gwm32
kurzweil
[End]
Since you said SAPI, I don't think this is the virus. None the less, SAPI is used by the sighted briefly, so this isn't targeted towards us. I'll keep a look out on the anti-vir sights for detection notices.
Sorry to clutter the boards up, but here's a link to Sophos's blog entry describing the details of it: http://www.sophos.com/security/blog/2008/01/998.html
Well, actually it crashes Microsoft Narrator, so I'm not entirely sure if it crashes SAPI. I thought it did.
To post 16, thanks a million for all the information with regards to the fix on this. What I'm unsure of is who made this thing. If this is a trojan I wonder just hat its intetion really is. Anyways I also am unsure why this thing keeps changing of each machine this is on. Again, thanks.