Has anyone run across this virus?
Reset
08-12-2009, 08:07 PM
I had a service call today, and when on-site to fix a virus problem, it was called Skynet, which is a rootkit; then it was attached to Gamevance spyware/trojan, which wasn't a problem, I just removed it with my portable version of ESET and some other programs. Then it hit: a message came up saying "You can't catch me," and it then started doing all kinds of crap; it inverted the desktop, disabled all access to the system, etc. So then I pulled the drive, copied the client's information over and nuked the drive. I'm just wanting to know, has anyone else seen this type of virus? I have it on a thumb drive that I'm going to use to infect my workbench system to see if I can get rid of it. Please let me know if you have seen it or know how to get rid of it, because it starts at boot; it might be a variant of a boot sector virus, but I didn't have time to waste fighting it.
mike_tech
08-13-2009, 12:21 AM
I dunno if it's the same one, but I have seen a variant of this little bugger.
Skynet aka the terminator, clever name.
This one is a memory-resident virus and infects .exe files, and displays messages on screen. Very hard to find with most rootkit software, but UnHackMe takes it down like Arnie would. GMER is good too.
To clear the rest of the damage I used a Kaspersky boot disk and Dr.Web CureIt to disinfect the modified .exe files. You can also run Malwarebytes just to make sure.
This virus is very similar to the "Virut" virus, as it hides in the very low levels of the system and infects/modifies .exe files.
TheBiff
08-13-2009, 12:24 AM
I have run across it before. I ran ComboFix once and it came up. Then it was an uphill battle. I have seen many systems with Gamevance, some easy, some not so easy. After ComboFix, Malwarebytes, and booting to UBCD4WIN and running AntiVir it was... all clean.
PcTek
08-13-2009, 02:12 PM
If you are planning to infect something, you really should do it on a virtual machine. These days running a virtual sandbox is as easy as downloading the software. One of the languages I am best at is Microsoft assembly for Intel processors. I can tell you from my personal analysis of computer viruses that "they" are getting more and more sophisticated. With the introduction of rootkits, we are starting to see a new breed of smart viruses.
I had one that was so bad on a client's system, I had to directly hex edit the rootkit by hand; because of the bizarre things happening, I had to directly access the hard drive while Windows Server 2003 was running and remove this. No small feat.
Anyway, I highly recommend that you download a copy of Sun's free virtual machine. Then just click new machine, stick a Windows XP or 98 CD-ROM in the PC's CD-ROM drive, and very quickly install a "test" operating system. Sun's VirtualBox will let you direct-feed it files from USB, or CD, or on disk. This way, if your experiments with the virus get out of hand, you can simply dissipate that virtual machine and restart it.
Just the other day I was running OS/2 Warp 3 on a VM, and a new OS called ReactOS (I'm friends with the developers), and I wanted to see how 'safe' ReactOS would be against malware. Anyway, either have a spare box, or install a VM. If you like, I have John McAfee's virus analysis tools, which allow you to disassemble and see virus code in real time to learn what makes it tick.
iisjman07
08-13-2009, 03:12 PM
I have John McAfee's virus analysis tools, which allow you to disassemble and see virus code in real time to learn what makes it tick.
Is there somewhere I can download these or would you be willing to upload them?
iladelf
08-14-2009, 10:16 PM
My biggest question on the virtual machines is this: since the worst infections seem to be rootkit-based, and either write to the MBR or BIOS, how can I be sure that stuff won't "hop" from the virtual machine and eat up the MBR or BIOS? Just wonderin'.
The rootkits are what I need the practice on mostly. UnHackMe has worked wonders, though.
mike_tech
08-15-2009, 12:41 AM
Learning on a virtual machine is great; I use Sun's VirtualBox just for this purpose.
But I would use an old computer with a virtual machine on it. I'm not saying that using a virtual machine isn't safe, but if you're doing it on a personal/work computer, then there's a chance that your computer could get infected or damaged.
Never happened to me yet, but you never know.
Besides, lol, I can't do it on my lappy, as even though I try to infect a virtual machine, Kaspersky on my host machine finds it straight away and kills it. That said, if Kaspersky can get into my virtual machine, there's got to be a chance that the viruses could get out.
MrUnknown
08-15-2009, 01:48 AM
I wouldn't worry about infecting your computer while running a virtual machine. Unless you allow the VM direct access to a HDD, I cannot imagine it having any way to actually get off of there. VM software intercepts all communication with the host hardware. If a virus were to write to the MBR, it would be written to the MBR section of the VM's disk file. BIOS calls are also re-routed.
Mike, I am curious to actually see this happening. I can only imagine that when the virtual computer's hard drive is being written, Kaspersky scans the entire file looking for signatures, but in that case it would mark the virtual hard disk as a virus. Maybe it is intercepting the write requests and looking at the data it is writing. If you are saying that it is able to find the individual files in the VM and delete them, either I don't believe you or Kaspersky has support for VM disk images.
TechProsSD
08-17-2009, 09:40 PM
Using VMs to learn about viruses is good advice, and no, it won't "hop" to the host box.
And... yes, I'm seeing this SKYNET virus showing up too; saw it twice last week and again just this morning.
Did NOT give me the trouble it gave you, though! Wow...
I had to resort to a modified "one-two punch": boxes with Skynet will not boot into safe mode (blue screens or just bounces to the "Windows didn't start correctly last time - choose how you want to boot..." screen).
Since we charge a lot and time is money, I'll roll straight into removing the affected computer's drive, hooking it up to my laptop via IDE/USB cable, and running a FULL SCAN in Malwarebytes.
That will clear out most of it, to the point that it will now run in the original computer.
Once on the new computer, I sock it with ComboFix and that clears it the rest of the way.
To finish up, I'll install AntiVir (free), configure it for them, teach them how to use it and roll.
Unfortunately, in the computer I had this morning, Skynet tampered with the registry in such a way that EXE files were not associated with any particular program.
Grrr!
So, I couldn't access "My Computer" or change the Windows Firewall or even run ComboFix (because it's an EXE). I tried "sfc /scannow" but... THAT'S an EXE as well!
Grrr!
The box would go online, though, so I found a tool called exefix_xp.com (http://windowsxp.mvps.org/exefile.htm) and that was all she wrote!
(Might want to keep that little tidbit in your hip pocket...)
Anyway... interesting morning!
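An added example, not from this thread and not part of exefix_xp.com or any other tool named above: a PowerShell check for the kind of tampering TechProsSD describes, where the .exe file association in the registry is broken so nothing can launch. It compares the two registry values that define the association against what are assumed here to be the stock Windows defaults (HKCR\.exe = "exefile" and HKCR\exefile\shell\open\command = "%1" %*), reports any drift, and, from an elevated prompt, can put the defaults back.

```powershell
# Added example: audit and restore the .exe file association.
# Assumed stock Windows defaults (not taken from the thread):
#   HKCR\.exe                         (Default) = exefile
#   HKCR\exefile\shell\open\command   (Default) = "%1" %*
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    # Returns one object per registry value that does not match the default.
    $drift = @()
    foreach ($key in $expected.Keys) {
        $item   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.'(default)' } else { $null }
        if ($actual -ne $expected[$key]) {
            $drift += [pscustomobject]@{
                Key      = $key
                Expected = $expected[$key]
                Actual   = $actual
            }
        }
    }
    return $drift
}

function Restore-ExeAssociation {
    # Must run elevated. Writes only the two default values above, nothing else.
    foreach ($key in $expected.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$key]
    }
}

$drift = Test-ExeAssociation
if ($drift.Count -eq 0) {
    Write-Output 'EXE association matches the stock defaults.'
} else {
    Write-Output 'EXE association has been altered:'
    $drift | Format-Table -AutoSize
    Write-Output 'Run Restore-ExeAssociation from an elevated prompt to put the defaults back.'
}
```

This has to run on the affected Windows install itself (HKCR is built from that machine's live SOFTWARE hive); when the drive is slaved to another PC as in the post above, the same keys sit under Classes in the offline Windows\System32\config\SOFTWARE hive, which would need to be mounted with reg load first. The check only reads; the restore is a separate call so a tech can look at the reported Actual value (which is worth recording as an indicator of what the malware changed) before overwriting it.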