ok it would seem that many of my poser user friends have been infected with this virus, including myself................here is the mcafee description: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139296

but, could someone tell me in laymans terms what it is actually doing in my puter??

is it deleting files?
is it sending personal info somewhere?
ect......?

thanks

netta

Attached Link: http://www.drweb.com/

(This is as I understand it - I'm not an expert..)

What it's actually doing is lowering your security levels, thus making your PC more vulnerable to other attacks. And it does it by slowly infecting your .exe and/or .scr files.
It also attacks your AV proggies, trying to blind-side them, so they either can't see it or can't get rid of it.

It is very tiresome to get rid of. Some of the major AVs can't (yet) touch it.

However, I'm told that Dr. Web's "cureit" can get rid of it. There's a free version available at (or near) the above link. (I think you get to the free one via the downloads page..)

The free version doesn't do automatic updates - you have to get the paid-for version for that, but apparantly it CAN get rid of this pest without you having to do a re-format.

Best do it quickly though. From what I've read it spreads itself onto the .exe files on your PC and if it gets into the main operating system it can start causing it to crash...
Hope that helps,

Cheers,
Diolma

thank you for the reply.

netta

It is getting into files and inserting itself in the parts of them that are 'hidden / unused'. Windows organizes data on your computer in 'blocks' that are often larger than what it fills them with. I think this is where it is hiding - so that it looks like it is not actually there. It then copies itself into all the 'exe' files on your hard drive, and then uses anything on your computer it can to send itself to any contacts you might have - mostly peer to peer such as instant messaging and wareze downloaders, but I suspect a few other means as well. Many legitimate programs also have things in them that send data across the net, not always with your permission. You can probably get / recieve this thing through those. One of the problems this virus causes is to get itself into the 'wrong' parts of memory of a program, causing it to crash. It can also mess up saving of files - and it will insert itself into any 'exe' you save off the net - such as a daz download... Another problem is that this virus turns your PC into a host for peer-to-peer networks, and uses up your bandwidth for that... I suspect this is behind all the router resets and slower connections I have been suffering in the past month... I suggest getting the tool here: http://download.drweb.com/drweb+cureit/ And running that to cure your PC. If you can, download that tool on a computer you -KNOW- is not infected. Like a mactintosh, or an OLD PC that you no longer plug into the internet... Burn it to a CD with a closed session, and run it from the CD with your PC in safe-mode -AFTER- you have also turned off system restore and deleted all your old restore points. I also put these on my CD: http://www.bitdefender.com/VIRUS-1000066-en--Win32.Polipos.A.html http://www.avast.com/eng/free_virus_protectio.html After I cured my PC, I installed 'avast' from the CD, and ran it again to see what else it could find. Likewise everytime I ran drweb I also ran bitdefender - to get the opinion of two competing companies rather than just one. One final note. Before you boot up in safe mode to clean your PC, unplug it, if there is an off switch to the power supply on the back, turn that off. If you know how to safely remove RAM chips, pull them out. Then let it sit for 5-30 minutes, until it gets cold ( :p This is overdoing it a little - 2-5 minutes usually works, but best to be safe than sorry). Then plug it in and do the cureit. The purpose of that is to clean out all the 'preserved memory' that windows keeps around between reboots - in which this thing hides.

What no one seems to have mentioned yet though is that is a P2P worm.

Risk Assessment     - Home Users: Low -  Corporate Users: Low  - Date Discovered: 4/25/2006 - Date Added: 4/25/2006 - Origin: N/A Length: N/A - Type: Virus SubType: P2P Worm DAT Required: 4748

Uses Gnutella protocol to spread through p2p clients like BearShare that implements this protocol.

From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus.

That is NOT TRUE!!!! I got the virus by a known vendor here sending me an update.  Took me 4 days to clean......I should add...COmcast said it was clean.......I don't open stuff till they say OK.

1st off, thank god I had a backup...It killed poser/shade/psp8/Carrara/Hexagon .exes...no biggie I got those fixed in now time(only 3 re-install). That said when I hooked up my external the Virus jumped over to that & Killed Poser/Shade/PSP by this time PC -CIllian had a decent stop procedure in place...so only had  to re-install 3 programs.

That said PC-CIllian alerted me but their stop procedure was flawed when it hit...& it got into my sys32 area & infected notepad & various other apps(which I have now fixed) & it also changed my bootup(which I have not been able to fix)

So PLEASE STOP perpetuating the myth that those who got infected are using P2P...as I am not.

Seeing this accusation is getting old & fast.

Be very careful removing your RAM!!! Static electricity kills RAM. It only takes 30 volts to fry your chips and you can easily generate 3000 volts just brushing your hair. Ensure you have the correct equipment and follow the correct practices.

Between Dr.web Cureit./Pc-Cillan & bitefinder...I'm clean now. No need for removing RAM sticks/reformatting etc etc

This is what I get now from props that  loaded OK before. [see attached].

Any ideas if this is related or a P6 specific problem, I tried deleting and redoing preferences and that didn't work.

Does anyone know the name of the utility for checking and fixing poser file paths, might as well ask while I'm here!

Just in case!

What file was it you were trying to install?...specific item.

Quote - From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus.

MAYBE the first person who got this virus had to. But then... MSN Instant Messenger, Windows Messenger, AOL Chat, BitTorrent - these are all forms of P2P as well. Further. Once it is on a machine, if you take an exe off that machine you get it too. For example, let us say 'person X' has the virus and makes a new item for Poser that they sell or give away through a website. they package that item as an exe. Everybody who gets that item gets the virus. Person Y has never done anything with their brand new PC save for turn it on, go on the net, and buy that item for Poser. Person Y gets the virus. Think of it this way: The first person who ever got AIDS more than likely got it by being too frisky with a monkey. But today, it is everywhere and you don't need any monkeys to transmit it nor recieve it (Apologies for seeming humor in something totally not humorous - I couldn't think of a better way to illustrate this).

XLT explanation Arcady! Thumbs up :)

Quote - Be very careful removing your RAM!!!

That's why I said "if you know how to do it". But, frankly, it is an overstep. If you simply unplug the machine for a few minutes you achieve the same result. What some are suggesting is to remove the battery that keeps your CPU clock up to date. That too is probably an over-reaction, but there are viruses out there that can hide in the ram used by that clock... For me, I don't need to worry there as my clock battery has been dead for years. I got a bad one when I bought the MB... if I unplug my PC, it decides its 1/1/2002 and even forgets what speed my CPU is set to...

"One final note. Before you boot up in safe mode to clean your PC, unplug it, if there is an off switch to the power supply on the back, turn that off. If you know how to safely remove RAM chips,"

erm. please do not do this.. it is totally not needed!!!

you do NOT ever need to to that. RAM is Voltile Storage. no Current, no Storage.

To much caffiene I think..........................:)

Quote - "One final note. Before you boot up in safe mode to clean your PC, unplug it, if there is an off switch to the power supply on the back, turn that off."

erm. please do not do this.. it is totally not needed!!!

you do NOT ever need to to that. RAM is Voltile Storage. no Current, no Storage.

As long as there is power, a certain amount of ram is preserved. Further, as every electrician knows; capacitors take time to discharge. If you do not unplug much of memory can be preserved. Many viruses are known to take advantage of this.

Quote - What some are suggesting is to remove the battery that keeps your CPU clock up to date. That too is probably an over-reaction, but there are viruses out there that can hide in the ram used by that clock...

I did say we were being paranoid :laugh:
and yes, that's why, I've known of a few that like to hang out  in the unused memory located just behind the RTC in it's allocated window.

I would never suggest pulling the system RAM unless it was absolutly nesecary. it's just too dangerous for people who've never done it before. pulling the battery is IMO a bit over the top as well as I can't remember any infectious software that has used that particular trick in ages.

what really irks me about polipos is that it looks, from what I've read, that it's able to perform thread injection into other processes.

Quote - > Quote - "One final note. Before you boot up in safe mode to clean your PC, unplug it, if there is an off switch to the power supply on the back, turn that off."

erm. please do not do this.. it is totally not needed!!!

you do NOT ever need to to that. RAM is Voltile Storage. no Current, no Storage.

As long as there is power, a certain amount of ram is preserved. Further, as every electrician knows; capacitors take time to discharge. If you do not unplug much of memory can be preserved. Many viruses are known to take advantage of this.

sorry that is nonsense.
if you want I can parade a few dozen computer techs through here to agree. when the power to ram is interrupted - by the RESET SWITCH or by shut off thats it. it's wiped.

this is Computer Basics 101.
as to "many viruses are known..." no. since as stated when the power is off... so they cannot and do not exist.

please. do some research and don't spread around information that can potentially make a situation worse!

oh and name 1 virus that can sit in ram and survive a reset, verified by Symtec, Mcaffee, Grisoft, etc.
(links acceptable)

yes, you don't need to pull the RAM. cycle the system's power once and it's all gone. I've had many occasions where the only thing that stopped me from picking up scads of inexpensive RAM was some cockamami policy handed down from the CIO that all storage media had to be destroyed before the computer was surplussed.

in my other post I know I said "might not need to", that should have read "you don't need to". I forget that smileys don't quite communicate what they used to :mellow:

my steps would be:

• archive
• 4, 11, 12, 14, 17, 18.
• restore

Paranoid? No. Unless you remove power from memory, nothing is going to force it to empty out other than the software of the OS - which can be easily targetted and told to do otherwise. Merely using restart or shutdown doesn't necessarily remove power.

again no.
but since you are determined to hang onto this wrong information, I leave you to it.
but please. don't offer tech support. I've had enough fixing of things that ppl thought that they can fix in my life already.

Quote - Paranoid? No.Unless you remove power from memory, nothing is going to force it to empty out other than the software of the OS - which can be easily targetted and told to do otherwise. Merely using restart or shutdown doesn't necessarily remove power.

paranoid? yes.

we're not using bloody spintronics to make RAM yet. and when we do, you'll have to use a very powerful EM field - think MRI machine - to wipe the stuff. power down and it gets wiped. even then, when the system comes back up it will test it to make sure it's good. if that doesn't replace it's contnents then the OS loading up will. polipos NEEDS windows to run, it's not OS independant and doesn't show signs of infecting the boot sector yet. even if it could survive in RAM between boots, when Windows comes up it's memory mapping tables are compleatly empty, even the stuff for swap. It would be over written as the memory was filled up.

:-|

restart? maybe. my systems will still perform most of POST when they reboot. and the OS will come up with empty memory tables.
shutdown? yes. this terminated power to all but the "important" system components:

• WoL NIC (for remote management)
• WoR Modem (for FAX servers)
• CMOS (for power on at a specified time)

sometimes paranoia is usefull, this isn't one of those times, and I'm kicking myself for helping to stoke the fire.

want to avoid most computer security problems? get a Mac they have a low user volume. otherwise get a really obscure system like a Sun, SGI, or HP (IA64, HP-PA, or Alpha). to really avoid these problems get rid of the little blighter. :laugh:

I'd second that good advice for the paranoid and those who are sick of virus and internet problems. More and more people are getting a cheap Mac mini or second hand OSX computer for all their downloading, internet and email needs. You can then check everything for virus. before moving the files to the PC. They network with Windows computers so just plug it into the router and turn on Windows sharing. This gives you a "relatively" safe internet experience. I've been saved from 18 discovered email infections alone. Not having to reinstall my software and Runtimes or tearing my hair out has paid for it.

Quote - > Quote - From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus.

MAYBE the first person who got this virus had to. But then... MSN Instant Messenger, Windows Messenger, AOL Chat, BitTorrent - these are all forms of P2P as well. Further. Once it is on a machine, if you take an exe off that machine you get it too. For example, let us say 'person X' has the virus and makes a new item for Poser that they sell or give away through a website. they package that item as an exe. Everybody who gets that item gets the virus. Person Y has never done anything with their brand new PC save for turn it on, go on the net, and buy that item for Poser. Person Y gets the virus. Think of it this way: The first person who ever got AIDS more than likely got it by being too frisky with a monkey. But today, it is everywhere and you don't need any monkeys to transmit it nor recieve it (Apologies for seeming humor in something totally not humorous - I couldn't think of a better way to illustrate this).

Thanks I was not aware that you could get the virus this way - I will be a lot more careful as I have been downloading freebies etc.

BTW I was not accusing anyone - just quoting from the link the original poster provided.

This one is getting everywhere at the moment, I caught it by downloading (from a legit source) something for a game I bought, my virus checker at the time didn't report any infection.

Quote - For example, let us say 'person X' has the virus and makes a new item for Poser that they sell or give away through a website. they package that item as an exe.

The only problem with this scenario is that merchants don't package their own exe's for Daz, and Poser Pro's & Rendo sell zips.

so this is not a virus you get from visiting a website  but you have to open an infected exe or scr file to get it?

"Risk Assessment     - Home Users: Low -  Corporate Users: Low  - Date Discovered: 4/25/2006 - Date Added: 4/25/2006 - Origin: N/A Length: N/A - Type: Virus SubType: P2P Worm DAT Required: 4748

**uses Gnutella protocol to spread through p2p clients like BearShare that implements this protocol."
**

**Very curious!!!, something strange is going on???
There's no way to a virus spread by P2P using Gnutella, eMule, BitTorrent!!!
You cannot send a virus or any file to a computer using P2Ps, the computer's user must request the file for downloading, it's not like emails that can be sent and received without your knowledge.
The only files that you download are those that you wanted,  this file can be infected, but never is downloaded if you haven't requested it.
Even if you download it and is infected, nothing happens, the file is stored only in the folders that you decided to share in the network,  but  nothing happens, downloading an infected file is not enough, you must execute it (run, open) to have your computer infected.
**

"From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus."
Another myth!, P2Ps are as a knife, with a knife you can kill someone or use it to eat, you decide how you use it.
There exist  a lot of  legal materials that you can use P2Ps, if you are the author and if want to do it, you can share your work with people usintg these networks and you needn't to have a site for this, your computer is just enough!

Quote - "Risk Assessment     - Home Users: Low -  Corporate Users: Low  - Date Discovered: 4/25/2006 - Date Added: 4/25/2006 - Origin: N/A Length: N/A - Type: Virus SubType: P2P Worm DAT Required: 4748

**uses Gnutella protocol to spread through p2p clients like BearShare that implements this protocol."
**

**Very curious!!!, something strange is going on???
There's no way to a virus spread by P2P using Gnutella, eMule, BitTorrent!!!
You cannot send a virus or any file to a computer using P2Ps, the computer's user must request the file for downloading, it's not like emails that can be sent and received without your knowledge.
The only files that you download are those that you wanted,  this file can be infected, but never is downloaded if you haven't requested it.
Even if you download it and is infected, nothing happens, the file is stored only in the folders that you decided to share in the network,  but  nothing happens, downloading an infected file is not enough, you must execute it (run, open) to have your computer infected.
**

"From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus."
Another myth!, P2Ps are as a knife, with a knife you can kill someone or use it to eat, you decide how you use it.
There exist  a lot of  legal materials that you can use P2Ps, if you are the author and if want to do it, you can share your work with people usintg these networks and you needn't to have a site for this, your computer is just enough!

As I said above, and will say again, - I am not accusing anyone of anything  - just quoting from the link that original poster provided. It is obvious that using a P2P one has to request the file in order to download it - it is also obvious that without  opening that file you are not going to get "infected" - so it must then be equally obvious that requesting the file from a P2P means that you are eventually going to open the file - otherwise why bother?. And they sure ain't gonna tell you which files are infected.  I am equally sure that as you said, there are legal materials available - just as there are 99% more of the "pirated" variety.

Symantec says the following:

When W32.Polip is installed, it performs the following actions:

1. Infects .scr and .exe files when they are opened or executed on the compromised computer.
2. Hides its presence on the compromised computer by injecting its code into running processes.
3. Attempts to spread by sharing infected files on the Gnutella file sharing network, even if the Gnutella software isn't installed on the compromised computer.
4. Tries to lower security settings by deleting certain files relating to antivirus software.

Quote - uses Gnutella protocol to spread through p2p clients like BearShare that implements this protocol."

yes, this is the primary worm-style transportation method. this would mean that it has its own ability to either automatically add itself to the share queue if you have a Gnutella-like P2P application running, or it has it's own P2P engine.

Quote - "From what I have been told I believe you have to be using a P2P programe and downloading pirated stuff in order to get this particular virus."

at first? yes. this is its preferred method of propegation. but once it's in the system it can propegate so long as an infected file moves between hosts. to borrow from arcady's example there's was an accepted primary transmission method, but there were ancilliary methods. this is no different.

Quote - so this is not a virus you get from visiting a website  but you have to open an infected exe or scr file to get it?

now? yes, it's possible if you download and execute. DAZ* was catching much flack over the weekend as people who were already infected from another source were getting hits from the EXEs they were downloading as polipos was infecting them as they arrived.

*DAZ has since made sure that they did not have infected installers in their distribution chain.

It is obvious that using a P2P one has to request the file in order to download it - it is also obvious that without  opening that file you are not going to get "infected" - so it must then be equally obvious that requesting the file from a P2P means that you are eventually going to open the file - otherwise why bother?.

Is not so simple, warez users are very much expert than normal users, you have to be very stupid to just download a file and open it. Warez sites and P2Ps are full of virus, porn dialers and any kind of crap, so they know very well the risk that have and the preventive measures to be taken.
There is also Darwin's natural selection at work, who is stupid enough must learn his lesson formating the disk so, or he never more download any warez or next time he is more careful downloading something.

And they sure ain't gonna tell you which files are infected. 
They do it, P2P if full of text files informing which file has a virus or is fake
Virus is not a big problem with P2P, worst is with mp3s that have wrong tittles or movies.
Imagine downloading 700M of a movie and then discover that is other movie, a porn movie or the movie itself  in Chinese language with Russian subtitles,  c'est la vie,  throw in in the trash can and try one more time.

1. Attempts to spread by sharing infected files on the Gnutella file sharing network, even if the Gnutella software isn't installed on the compromised computer

In theory a virus can install a P2P server in your computer, but what files will go to share???
All your exe files???, and who will request exes files?, who wants to download taskman.exe ???
Normaly you have no instalation programs in your computer, you have installed programs that by itself are useless. People download full programs, most of them in zip or rar format or some CD image, so nobody will download nothing from your infected computer with exception of your mp3 or avi files, but there's no way to put a virus in a mp3 file.
The only exception to the rule are Daz products that by itself are a full product, but the question is, do you have your original Daz product in your disk? or you have only the installed product that is not more an exe file and the original exe product is only in your CD backup?
And who will want to download aiko3.exe????, only Poser users!  what importance has Poser in the whole world?, almost none!, beside the 3ds communities almost nobody knows what is Poser or even 3d..
Do you think that Symantec knows  that Daz3d exist or what it is?

The whole story, or is a lie in an temptative to attack P2P networks and users, or the maker of the virus was an idiot just because the virus will spread nothing using P2Ps protocols.
This virus only spreads by conventional channels as email, messenger and all the Windows security faults.

kawaecki - nothing strange at all is going on.

The virus resides in .exe/scr files.

Some content providers package their content in .exe files.

The only way to get the content from the providers is to download and run the .exe file to install the content.

If the content provider is already infected (for whatever reason), then as soon as the .exe file is run on the recipient's PC the virus springs into life....

Not strange, just bloody annoying!

Cheers,
Diolma

Oops - multiple x-post.
Ignore my feeble attempt at an explanation..

Quote - In theory a virus can install a P2P server in your computer, but what files will go to share???

probably more along the lines of 'in practice the virus is a P2P server that shares itself and any other file it's had a chance to infect'. given a 55-75KB file size to the viral load, I can see a very simple P2P engine being strapped into the payload.

I am wondering if you can get this virus from Windows updates or from your virus updates too.

Thanks in advance,

Nancy

I would say that yes, it's possible. but, only if the updates themselves are already infected.

Ok thank you very much.