be on the lookout for a screenreader/sapi virus!!!

Category: Geeks r Us

Post 1 by chikorita (move over school!) on Friday, 28-Dec-2007 14:42:52

hi all! a worm has been found that stops your jaws, hal, narrator, window eyes, maybe even sapi! I recommend you get n v d a and a good firewall. also, someone else posted to this board about reformatting; this may have happened to them. for more, go to the audio games dot net forum, click off topic room, then jaws virus watch. n v d a can be downloaded from n v d a dash project dot org. nvda-project.org.

this thing doesn't even need an e x e file!

Post 2 by Toonhead71 (move over school!) on Friday, 28-Dec-2007 16:59:13

Someone on my lj friends list has been attacked by this thing, and I originally thought she was just being incredibly stupid and accepting a file from someone, but she didn't even have to touch the computer to make this happen. From the information I've been able to gather on the audiogames.net forums, what appears to be happening is that someone is actually hacking into individual people's computers and deleting the necessary files that make Sapi 5 synthesizers run. So when this happens, no more speech. I figure you've got 2 ways around this. One is really expensive and almost nobody ever uses these anymore, but if you can ever get one, obtain a hardware synthesizer. That way there aren't any files to delete and no chance of this happening, and if it does, you'll have the necessary tools to re-install Sapi 5 and JAWS if need be, or whatever screenreader you happen to use. The second way to combat this is to just plain have good antivirus and firewall programs, so that when this individual tries to get into your computer to do the necessary hacks, he won't be able to get in. The better you have your computer locked down, the better. I happen to use DECtalk Express for my hardware synth and DECtalk Access 32 for my software synthesizer, and the fact is that for whatever reason, unless you use Window-Eyes, almost nobody uses that anymore; everyone seems to be using Eloquence. To me it sounds like complete and utter crap, second only to eSpeak which sounds even worse, but the bottom line is to just keep your computer protected, and be careful who you hang out with. I don't think anyone is actually immune to this, but anyone who actually allows anyone else to hack into their computers needs to learn a few lessons about computer security. I know that may sound a bit harsh, but I mean that in the nicest possible way, I promise. If you know what might happen, you can find ways to make sure it doesn't happen.
Just in case anyone happens to be interested, Sapi 5 speech is downloadable from the net. Just google Sapi 5 speech and you should be able to locate it.

Post 3 by purple penguin (Don't you hate it when someone answers their own questions? I do.) on Friday, 28-Dec-2007 17:00:51

Wow, I think it's the same thing that uninstalled my sound card and my internet wireless card. I hope I don't get it again because a lot of people are.

Post 4 by purple penguin (Don't you hate it when someone answers their own questions? I do.) on Friday, 28-Dec-2007 17:02:41

And nobody I talk to would do something like that.

Post 5 by Squiggles (Account disabled) on Friday, 28-Dec-2007 18:11:11

Please refer to the screen reader catastrophe answer posting. All the information, the correct information, is in there. Thanks, happy new year.

Post 6 by Toonhead71 (move over school!) on Friday, 28-Dec-2007 19:54:34

The above poster fails to take into account that all instances of Sapi 5 are affected on these people's machines. There might've been a crack of JAWS 8.0 that did bad stuff to people's computers. But this story that I'm hearing keeps mentioning that other screenreaders like Window-Eyes and Hal are affected too, basically anything that uses a Sapi 5 voice. Seems to me that Sapi 5 was deleted or somehow corrupted. I'm not even gonna name names or point fingers 'cause that's not cool to do. All I'm gonna say is be very careful who you hang out with, don't install any kind of software without first running it through a virus checker, and keep those virus defs up-to-date. A good firewall will help too. It's like having a good alarm system for your house. If you have a good one, thieves can't get in and take everything, but if you leave your doors unlocked and hanging open, then hell yeah someone's gonna get in. Just educate yourself about keeping your computers secure and safe. I'm sorry this happened to a lot of folks, but this might have to be a hard lesson about life on the net. Not every piece of software is good.

Post 7 by chikorita (move over school!) on Friday, 28-Dec-2007 20:22:07

yeah, but it might not be an actual person; there are programs that can search your PC for IP addresses and stuff and use those. they get on one person's PC, look for addresses, tell the PC to run them, and bam.

Post 8 by 404 to the 508 (Generic Zoner) on Friday, 28-Dec-2007 20:28:29

instead of "i think", go out and get a firewall and look. get some kind of program that will log connections. Do netstat and see where connections are going. Lock down your network. If you still get this thing, then you can rule out one possibility. Experiment. I cannot stress enough the fact that you need to get out there and get your hands in this stuff. One format can save you from five more. Get VMware and experiment. I'm on Vista and no one has gotten this thing on Vista. Otherwise, I would have done the same.

Post 9 by b3n (I'm going for the prolific poster awards!) on Friday, 28-Dec-2007 20:37:42

Hi.

I'm going to address everything that i feel needs addressing in this and the other topic.
Someone on my lj friends list has been attacked by this thing, and I originally thought she was just being incredibly stupid and accepting a file from someone, but she didn't even have to touch the computer to make this happen.
This could be true, but it's strange how often nothing can turn into clicking a link.
The user would have to have had the cracked JFW though; running this would instigate some form of RAT.
From the information I've been able to gather on the audiogames.net forums, what appears to be happening is that someone is actually hacking into individual people's computers and deleting the necessary files that make Sapi 5 synthesizers run.
This again could be true, but unless the user is running Orpheus 3.08 (released about a month ago and only adopted by one person that I know of), the Orpheus synth was not SAPI compliant, thereby making it not be affected if the problem is to do with deleting some SAPI runtimes or whatever.
@6, could this have hypothetically made its way onto any private FTPs despite the runner not being a JFW person?
@7, contribute using well thought out answers and then perhaps I'll comment. Do you really think there's going to be any point in a bot being created that does IP scans? If the target is just for blind people, how many addresses in class C space, heck, even in class B are a: going to be alive and b: going to have the said crack installed on them or have an exploit present so that a RAT could be installed?

Post 10 by b3n (I'm going for the prolific poster awards!) on Friday, 28-Dec-2007 20:40:33

8 speaks words of wisdom.
I'd run this in a VM and look at what it does to the MBR but, not being a JFW user, I don't actually have the DLL in question.

Post 11 by TheAsianInvasion (The Zone's invader) on Friday, 28-Dec-2007 20:48:50

Would AVG be a good program against this thing? I've been hearing a lot about the screen readers being crashed, and if something gets deleted, that's going to be a bad sign for this computer...

Post 12 by b3n (I'm going for the prolific poster awards!) on Friday, 28-Dec-2007 20:51:24

Tbh, if someone that actually knew what they were doing was infected with this and could report back, one of us could write a fix.
I'm not sure if an AV will find this - all it's doing is changing some files. I mean, some will find generic type code; in fact, Avast doesn't like most of my batch, but I'm not sure about this.
Off the top of my head, sfc /scanboot - anyone thought of that?

Post 13 by louiano (I'm going for the prolific poster awards!) on Friday, 28-Dec-2007 21:26:42

While testing the software (or cause) as mentioned might sound reasonably competent, the fact that the source is not fully predictable at the moment makes this rather a sort of waste of time. I know this since I have reformatted, messed with the registry, logged and monitored system changes, and am behind a router. If this were people hacking on others' computers, as I would expect it to be as well, there is an issue which should be resolved. For a fact, we do not know if anyone who does not use any screen reader is not capable of running Narrator at the moment. One of my friends has a computer that does not have internet currently, and I recall that no screen readers were installed on his machine. I used Narrator not too long ago on it without any success. The fact is, when Narrator is started the window will flash briefly and then disappear. Sapi 5, however, works fine with the Non-Visual Desktop Access screen reader. On the other hand, if any of these drivers were "deleted" or "hacked into", the error should be reported by the application through some form of dialog box or log. Scanning the disk as mentioned above, while intuitive, will not work. This is due to the fact that I have reformatted my hard drive twice, first with the sucky Windows tools and secondly with low-level formatting (Google is your friend for that term), and nothing changed; the problem obviously still occurs. Lastly, one of my friends who seemed to have this virus (or, if possible, maybe even a boot virus) got a new hard drive and things have been alright again. He claims that he is, however, using the "cracked version" of JAWS successfully. I wish there was a bit more detail on this from more users; however, my findings are pretty much the same. Writing a fix for this would probably be a much more involved task than just getting a new hard drive or even flashing the BIOS and reinstalling it all.
If any information is obtained on formatting or erasing completely the boot sectors I would really appreciate it, as this would enable me to go a step further in my experimentation. I notice too that Vista users are not affected as of now; perhaps there is better control over boot modification than there is on previous Windows versions. I am afraid I have lost 2 hard drives at this time if nothing else can be done.

Post 14 by Toonhead71 (move over school!) on Friday, 28-Dec-2007 21:30:46

What I'm noticing is that it seems to only be around a certain concentrated group of people, only 17 out of, fuck, how many blind people are out there using JAWS or another screenreader that uses Sapi 5 voices? Lots more than that. It's not something that you hear about growing exponentially by the hour. I am on tons of blindness related e-mail lists, 2 of them JAWS related, and I've not heard one damn word about this situation. No warnings about losing speech or anything, nothing about this. And this is the kind of situation that makes blindness related e-mail lists and discussion groups go absolutely crazy. Also I look at several blindness related blogs, and I have friends who do technology radio shows and podcasts, and guess what? Not one word from them about this. You'd be seeing posts about it all over everywhere and guess what? Nothin! I'm not trying to diminish the efforts of anyone to get these folks back up and running and I'm sorry as hell that it happened, it's an awful thing, especially to those who didn't do a damn thing to deserve it. I guess all I'm trying to say is, if a true answer to this is found I hope that it can be found soon and this whole crazy situation will be over and people will learn about antivirus programs, firewalls and other safety measures they can take to protect themselves. It's a damn awful way to have to learn, but I know one individual who is running around without antivirus software on their computer and these days that's just asking for trouble. Looks like they found it. Man this sucks. I'll keep my ears out for any news.

Post 15 by chikorita (move over school!) on Friday, 28-Dec-2007 21:49:21

yeah, either get antivirus or get a BrailleNote! it's running Windows CE, and you get the power of the KeySoft layer: NO!!! 3rd party apps. yeah, I don't have antivirus on my PC, but my new PC ain't open yet and my old one's packed. that one was never connected anyway! so even if I wanted to and had the file, I couldn't test it.

Post 16 by b3n (I'm going for the prolific poster awards!) on Friday, 28-Dec-2007 21:55:30

lou, could you try going into an XP recovery console using the XP disk and typing
fixmbr
and seeing what that does?
You'll need sighted help for this - I'm not really going to spoon this to anyone until I know this works or until someone sends me the source.

Post 17 by louiano (I'm going for the prolific poster awards!) on Saturday, 29-Dec-2007 0:59:32

fixmbr? wasn't it fdisk slash mbr and then ask the console to repair the boot records?... and aren't there programs out there that do that "better" than the above mentioned solution? I'll see what happens and post results back on here.

Post 18 by louiano (I'm going for the prolific poster awards!) on Saturday, 29-Dec-2007 13:52:18

Overwriting the boot sectors somehow does have an impact on Narrator's functionality. I inserted the XP CD, waited a couple of minutes, then hit R; thereafter I hit the number one and then enter, and then typed fixmbr. There was a warning message stating that doing this would make partitions inaccessible and such; however, I just said yes (y, then enter) to it and the boot sector was overwritten. I rebooted this machine and Narrator ran just fine on it. That is, ran fine before I tried to run any of the screen readers again. So, Narrator works after you have created a new boot sector.

Post 19 by Ryan Smith (Veteran Zoner) on Sunday, 30-Dec-2007 9:59:40

Hi,
I am the person who started the topic on the AG-Forum, and would like to say that I am still clean.
I run:

Post 20 by Austin (the magic fan!) on Sunday, 30-Dec-2007 13:04:19

I hate to say it, but as much as I hate Vista, I have a laptop over here running it and it's real safe. I know people including myself hate Vista but it may be a good move. or better yet, get a Mac with Leopard and use VoiceOver. it's real good and it's built in to the OS. I'm going to Mac in a few years myself.

Post 21 by Ryan Smith (Veteran Zoner) on Sunday, 30-Dec-2007 17:34:49

Yeah, one reason I won't get a Mac is the price-range, about 700 dollars for a computer decent for me, or about two thousand, that doesn't have everything I need. I don't think I'll ever switch, I'll definitely miss Visual Basic.

Post 22 by battle star queen (I just keep on posting!) on Sunday, 30-Dec-2007 20:01:20

Will Windows Firewall be enough to protect this computer from this thing? Also, would locking the computer help?

Post 23 by The Lil Dark Piggy (This site is so "educational") on Monday, 31-Dec-2007 6:13:11

Get a good firewall, like ZoneAlarm or something. Get good antivirus software like AVG Free, or that AntiVir personal antivirus or whatever it is called. My PC is really secure.

Post 24 by DJ Tristan (The one and only !Zoner) on Monday, 31-Dec-2007 9:02:16

no it won't... And Ryan..., that's well a lot of firewall annoyance... lol

Post 25 by Unreleased Secrets (Zone BBS Addict) on Wednesday, 02-Jan-2008 12:56:38

Latest news..!

I was on MSN with spike (ID 1702 on the zone) earlier, and he told me that he got hit by a mutated version of the bomb. Mutated because all he had to do was scan with AVG, use his registry backup, and the problem was solved. This means that AVG actually detects something about the virus. He also told me about a file called mci32.exe, that I also have. Its file size is 24576 bytes. We want to ask the people who have been hit, or are currently being hit by the bomb, to please look in the windows folder for mci32.exe, and see if its size is the same. We think that the virus runs this program when the date reaches December 26th, 2007 so it can get in the MBR and block the readers from being used. I also would like to confirm that people who aren't being hit don't have this file, or the size is different.

Thank you all.

Post 26 by Ryan Smith (Veteran Zoner) on Wednesday, 02-Jan-2008 16:17:05

Hi,
That makes sense, although it must have been mutated, because many people use AVG and could not get rid of it. So it's worth a check. Could Spike post some HJ logs?

Post 27 by Ryan Smith (Veteran Zoner) on Wednesday, 02-Jan-2008 16:18:51

But how did that file get there? I suppose if we could confirm it, I could write an autoit script that boots up to block anything called mci32.exe from running? Please elaborate on the details.

Thanks.

Post 28 by ¤§¤spike¤§¤ (This site is so "educational") on Wednesday, 02-Jan-2008 17:36:41

I'm unsure how it got there, and I've had to deal with it twice. No, I don't have any logs; the only way I could get rid of it was to use a previously known good Ghost image.

What I can tell you for sure is that it binds itself to winlogon.exe. I no longer have it, but I'll post a HijackThis log if I get it again.

The only known way to get rid of it is to have a registry backup, use it, then use something like KillBox to erase it and its associated .dll, since I've confirmed that this is what kills speech, one or both; unsure if you may have both. Sorry if this didn't help much.

Post 29 by Chicken Scratch (Account disabled) on Wednesday, 02-Jan-2008 17:48:42

How long has this been around? I dunno if this is the same thing, but a couple years ago both of our family's desktop machines were hit by something like this: JAWS totally quit working, wouldn't restart for anything, and we couldn't figure out what was wrong (although it may have been something else, because not long after that our computers totally stopped working altogether...)
-Scratch

Post 30 by Ryan Smith (Veteran Zoner) on Wednesday, 02-Jan-2008 20:47:58

Hi,
It's possible, although this seems different, more skillfully designed. And Spike, that's Victim you are talking about. I am somewhat thinking that Tyler gave someone the Victim client source code, and a person may have modified it. Or it could be something different, although I do think our friend Tyler is somehow involved here, other than being infected. Tyler, please just tell us what you do; we can't get any more angry at you after Victim, so just tell us what you did with the source or anything. So, I guess people get a trial of Ghost or buy it and make an image, then restore it. Thanks. I'll make that our cure.

Post 31 by ¤§¤spike¤§¤ (This site is so "educational") on Thursday, 03-Jan-2008 0:48:58

I used Ghost 2003 since it does images when the machine is restarted.

What I'm unsure of is why some machines like Ghost, mine for example, and others don't.

You could also use an Ubuntu live CD, boot into it, and delete the files that way, since Ubuntu doesn't run on your hard drive.

Post 32 by blbobby (Ooo you're gona like this!) on Thursday, 03-Jan-2008 7:16:27

I have what I believe to be a clean machine and don't have a file called mci32.exe. I did a Google search on it and found a few things, mostly in foreign languages, with nothing pointing to malware sites that I know of.

If it were me, I'd rename the file and restart my computer and see what didn't work. Apparently it's not necessary for running a basic computer.

Just my thoughts.
Bob

Post 33 by Unreleased Secrets (Zone BBS Addict) on Thursday, 03-Jan-2008 8:46:33

Hmm, Victim is mci32.exe? I don't believe so. I've never had Victim on this box since I reformatted, and I still have that file, and I do believe it's the virus... and this virus is older than Victim, because it's been around since the crack for JAWS 7.10 came out.
Thus, I trust Tyler since he has helped me with stuff when I needed it. Here's my theory.
1. mci32.exe loads into memory using winlogon.exe and waits for December 26th.
2. When the system reaches that date, it creates the mci32.dll so it can block speech, and tells the MBR to run mci32.exe at boot.

I'm currently coding a program in autoit to automatically remove the mci32 file before winlogon can run it. It's not done yet, but when it is, I'll host it on my ftp so you guys can download it.

Post 34 by Ryan Smith (Veteran Zoner) on Thursday, 03-Jan-2008 16:21:33

Okay, there is no mci32 file with Victim, at least I don't think so. So can't you delete mci32.dll AND mci32.exe? Good idea blbobby, try renaming it, and Tristan, would you mind if we used Remote Assistance?

Post 35 by jrimer (Please visit my home page at http://personal.wbby.us.) on Thursday, 03-Jan-2008 23:39:54

This is from my virus girl I use for situations like this. Have a look.
Hi Jared,

That is indeed unfortunate. I don't, however, think this is necessarily a
case of the blind community being deliberately targeted. Over the holidays,
there were several exploits involving malware-delivering banner ads which
may have impacted sites that several of the impacted folks visited. In
addition details on new vulnerabilities in PHPbb, a popular forum software,
were also released. This raises the possibility that several forums may have
been compromised to foist malware onto visitors' computers.

Some of those commenting noted they had formatted and reinstalled multiple
times only to be 'reinfected' which furthers my belief there was a common
website or websites involved.

Additionally, the fact that multiple screenreader software was impacted
makes me believe the damage was incidental - perhaps the Trojan overwrote a
critical file or changed other settings that had impact on Jaws, etc.

The most critical step everyone should take is to ensure ALL of their
software is updated with the latest security patches. Not just Windows - but
all software. A great place to get a patch checkup is Secunia Software
Inspector at:
Software Inspector

I have no idea how accessible it is for blind users - if there are any
problems accessing it or using the service, let me know and I'll try to
reach out to someone there and at least report it. (I can't promise they
will take any action, just that I can try).

-- Mary

Post 36 by Toonhead71 (move over school!) on Friday, 04-Jan-2008 1:52:19

wow, that kind of changes things a bit. If these vulnerabilities were discovered on a lot more computers than were initially reported, then it is indeed something to be careful of, of course, but the problem is we really don't know where it came from, who did it, and how to stop it.

Post 37 by blbobby (Ooo you're gona like this!) on Friday, 04-Jan-2008 3:23:57

What Mary says in post 35 makes perfect sense to me. Thanks Jrimer. That doesn't mean it's the solution, just that it's possible.

If it were more than the blind community affected, then the big guys, Norton, AVG and the like, will fix it.

Bob

Post 38 by Unreleased Secrets (Zone BBS Addict) on Friday, 04-Jan-2008 6:03:21

I really really really don't think that this virus spreads through websites. One of the times my friend spike got this virus he was completely offline installing his applications. And AVG already detects it. It saved 2 of my friends.

Post 39 by ¤§¤spike¤§¤ (This site is so "educational") on Friday, 04-Jan-2008 10:42:26

Yes, I did get it, on Jan 8, 2008 at 9:44 AM, there's another file that's added into windows

file name: c:\windows\config\svchost.exe, 9 kb, 9216 bytes. The version I got mutated in such a way that I couldn't run NVDA; I could run JAWS just fine. What would happen is that NVDA would start, get to the loading subsystems screen, and then crash.

The way I got rid of it was to restore to my October ghost image, update that, tweak that, make sure that nothing was added, then ghost again, so for now, I'm safe.

Post 40 by purple penguin (Don't you hate it when someone answers their own questions? I do.) on Friday, 04-Jan-2008 12:03:18

January 8th?

Post 41 by ¤§¤spike¤§¤ (This site is so "educational") on Friday, 04-Jan-2008 13:49:33

sorry, my bad, meant January 2, 2008

Post 42 by purple penguin (Don't you hate it when someone answers their own questions? I do.) on Friday, 04-Jan-2008 14:57:13

Oh good! Well not good that you had it but good that something is not going to happen on jan 8th.

Post 43 by DJ Tristan (The one and only !Zoner) on Friday, 04-Jan-2008 16:29:00

hey.
ryan:
stop asking us to make HJ logs, when we don't even have HijackThis or whatever it is called. I don't even know how to get it, what it does, and why you're so obsessed with it.
to all crashees *smile*:
I have Victim source code.
I don't think it's Tyler. Victim doesn't just crawl into your computer at a random time and do this to our screen readers. It doesn't matter if it's modified or not.
Ryan;
Stop blaming Victim.

I don't think it's Tyler.

Thank you,
tristan

Post 44 by Ryan Smith (Veteran Zoner) on Friday, 04-Jan-2008 21:30:23

Tristan,
most people know what HijackThis is; I explained it several times, you could have easily checked Shaun's post. It just takes a log of everything running, etc. And I never blamed Tyler, just asked if he was involved, but I am sure he isn't now. I have a link to HijackThis; it is basic graphics, and should work. And to JRimer, the PHPBB worm, I believe known as Santy, although I'd have to check, is not active, since that vulnerability is fixed. But she said there were new ones, and it all is possible. Text ads aren't really a problem, although a common site, possibly the Zone, PHP has been known for exploits, but these are only primitive theories.

Post 45 by blbobby (Ooo you're gona like this!) on Saturday, 05-Jan-2008 5:03:08

Sorry, I have no patience for folks who won't do their own research.

Hijackthis is well known, easily googled, and a couple of links have been given here in this topic.

Enough said. Use it or not.

Bob

Post 46 by BrailleNote Nut (the Zone BBS remains forever my home page) on Saturday, 05-Jan-2008 23:04:16

Tristan.
Stop blaming and taunting people when you have no idea what you're talking about. Either get some kind of tutor to help you learn to read (BECAUSE IT'S RIGHT HERE!),
Or just google it. NVDA is bad, but it doesn't prevent you from reading, does it? I use it a lot now and it works just fine! on the zone.
;)

Also everyone. Tyler is not involved (well he is in the sense of stopping it), but that's it.

Tyler can you tell us how to uninstall it? I mean knowing what it does it highly cool man but if you know how to uninstall it that'd help so everyone who has been slammed can be unslammed...

Post 47 by Toonhead71 (move over school!) on Sunday, 06-Jan-2008 0:33:23

I very much agree with Bob here. If you really want the virus/trojan/worm/whatever the fuck it is to be off your computer, get off your fucking ass and do some work. Sorry to come off harsh but sometimes people need a verbal kick in the nuts.

Post 48 by Ryan Smith (Veteran Zoner) on Sunday, 20-Jan-2008 18:08:46

Hi,
Sophos has a blog entry on this, which explains a lot about it.

http://www.sophos.com/security/blog/2008/01/998.html

Post 49 by Big Pawed Bear (letting his paws be his guide.) on Sunday, 20-Jan-2008 18:32:16

the Sophos article mentioned the trojan came in a crack for an illegal version of JAWS, and the thing is set to run on Boxing Day last year, which leads me to believe that legal copies of JAWS and other readers which are running ok now might not be affected. please correct me if I'm wrong on this.

Post 50 by louiano (I'm going for the prolific poster awards!) on Sunday, 20-Jan-2008 19:45:57

the trojan is NOT, and I repeat, NOT in the JAWS crack. I posted a fix elsewhere and have it on my FTP. You just delete the mci32.exe and .dll files. I guess now that there is a "script" that won't remove it but halt it from working, everyone would just have it done the easy way and make the empty folders... but this removes it completely. I took a computer that hadn't had the script run and deleted the windows\config\svchost.exe and mci32.exe and .dll files, and JAWS works wonderfully now. The crack, however, contains a bug which makes JAWS expire, but it won't even affect Narrator or Window-Eyes. When you run JAWS (version 8.0.1.173 or whatever it is, cracked) it says "this version of JAWS has expired" and it gives you an OK button. That'd be it. Sophos in a way is not correct and I really wanna see what they have for a manual *removal*.
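
The manual check that posts 25, 33, 39 and 50 describe (look in the Windows folder for mci32.exe and mci32.dll and for an svchost.exe under windows\config, and compare the sizes posters reported) as a read-only script. This is an added example written for this page; it is not code from any poster, from the fix louiano hosted, or from Sophos or McAfee. The only indicators it knows are the file names and byte sizes quoted in the thread (24576 for mci32.exe, 9216 for config\svchost.exe; no size was given for mci32.dll), and the sample Windows folder it builds is constructed filler so the scan can be run offline. It deletes nothing: as blbobby and Unreleased Secrets point out, a file name alone proves little, so the output is meant to be compared against a known-clean machine before anything is removed.

```python
"""
Read-only indicator check for the screen-reader trojan discussed in this thread.
Added example, not the thread's or any vendor's tool. Indicators and sizes are
the ones posters quoted; the sample folder is constructed for demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators relative to %windir%, written with forward slashes here and
# joined with os.path.join at scan time. Value: byte size quoted in the
# thread, or None where no size was given.
INDICATORS: Dict[str, Optional[int]] = {
    "mci32.exe": 24576,          # post 25: 24576 bytes in the Windows folder
    "mci32.dll": None,           # posts 28/33: the .dll said to block speech
    "config/svchost.exe": 9216,  # post 39: 9 KB (9216 bytes) under windows\config
}

# Windows installs svchost.exe under system32 (plus servicing caches), never
# under %windir%\config, so that path is suspicious by location alone.
MISPLACED = {"config/svchost.exe"}


@dataclass
class Finding:
    relpath: str
    present: bool
    size: Optional[int] = None
    size_matches: Optional[bool] = None   # None: thread gave no size to compare
    sha256: Optional[str] = None

    @property
    def verdict(self) -> str:
        if not self.present:
            return "absent"
        if self.relpath in MISPLACED:
            return "present in a location Windows never uses: suspicious"
        if self.size_matches is True:
            return "present, size matches the thread's report"
        if self.size_matches is False:
            return "present, size differs: compare with a clean machine first"
        return "present, no size to compare: compare with a clean machine"


def sha256_of(path: str) -> str:
    """Hash the file so it can be checked against vendor write-ups (none quoted here)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_windir(windir: str) -> Dict[str, Finding]:
    """Check each indicator under the given Windows folder without modifying anything."""
    out: Dict[str, Finding] = {}
    for rel, expected in INDICATORS.items():
        full = os.path.join(windir, *rel.split("/"))
        if not os.path.isfile(full):
            out[rel] = Finding(rel, present=False)
            continue
        size = os.path.getsize(full)
        matches = None if expected is None else size == expected
        out[rel] = Finding(rel, True, size, matches, sha256_of(full))
    return out


def hits(findings: Dict[str, Finding]) -> List[str]:
    """Relative paths that are present and therefore need a clean-machine comparison."""
    return [rel for rel, f in findings.items() if f.present]


def build_sample_windir() -> str:
    """Constructed fixture: a fake Windows folder holding two of the three files,
    sized as the thread reports. Zero-filled filler, not real malware."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "mci32.exe"), "wb") as fh:
        fh.write(b"\0" * 24576)
    with open(os.path.join(root, "config", "svchost.exe"), "wb") as fh:
        fh.write(b"\0" * 9216)
    return root


if __name__ == "__main__":
    # On a suspect XP box: scan_windir(os.environ["WINDIR"]); from a live CD
    # (post 31): point it at the mounted disk's Windows folder instead.
    target = os.environ.get("WINDIR") or build_sample_windir()
    for rel, f in scan_windir(target).items():
        extra = f"  ({f.size} bytes)" if f.present else ""
        print(f"{rel:22} {f.verdict}{extra}")
```

Run on a machine that is not showing symptoms, an "absent" on all three lines is the baseline; on a machine that is, the hashes give something concrete to compare with a vendor's write-up instead of the size alone, which, as the thread shows, can be mutated.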

Post 51 by Ryan Smith (Veteran Zoner) on Sunday, 20-Jan-2008 20:19:56

Hi
Louiano, not "the" (there are many) JAWS crack; there are dozens of FTP sites with cracks, someone probably modified them, but there has to be another method of infection. The sample I sent them happened to be that crack, which people said might be infected, so I checked it out, and that's what happened. They are not 100 percent correct, but they aren't incorrect in any way either. They do not have a manual removal exactly, but gave us what files to delete. Sophos only has the sample to base it on; it is not their fault. McAfee also has it, http://vil.mcafeesecurity.com/vil/content/v_143978.htm.

Post 52 by Ryan Smith (Veteran Zoner) on Sunday, 20-Jan-2008 20:20:49

And I didn't use the crack, it was deleted, since we have legit versions of JAWS from the commission.

Post 53 by louiano (I'm going for the prolific poster awards!) on Monday, 21-Jan-2008 2:02:01

right. So, the crack I had tested needs two files to operate, a patched jfw.exe and jhook.dll. When you would install the demo version, then run it, it works fine as a demo. When you replace the original files, the expiration message pops up. Nothing else. The virus might have been from another source indeed, although it's unlikely that the crack creates those files. Furthermore, the crack that is believed to be the cause of infection is specifically the one for JAWS 8.0.2173, not 9. Some executable file that never popped up a window did it. What attracts my interest is that this is recreated when you reformat (if you haven't used the system account to delete the mci32.exe and mci32.dll, and %windir%\config).