Do we have a Boinc virus?

Message boards : Number crunching : Do we have a Boinc virus?

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240169 - Posted: 31 Jan 2006, 6:01:01 UTC
Last modified: 31 Jan 2006, 6:06:14 UTC

Something interesting came up on Team Starfire. A non-SETI member had a problem with "setiathome_4.18_windows_intelx86.exe" running in the background and couldn't get rid of it. After doing a lot of searching we found that it was hidden in his system32 folder and the exe was renamed to "wupdmgr1.exe". Someone went to a lot of trouble to hide everything. We found out the user that is getting the credits, and his stats are very interesting. http://setiathome.berkeley.edu/team_display.php?teamid=122736 A one-user team and ranked 10th in the world. What do you think?

edit: had the wrong url posted.

>Fred
____________

http://www.teamstarfire.org/
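The post above describes two things a defender can check for on a Windows box: an executable sitting in System32 that was not put there by Microsoft, and a file whose name on disk has been changed to look like a Windows Update component. The script below is an added example, not code from the thread or from the BOINC project, and it assumes a modern Windows PowerShell (3.0 or later) run from an elevated prompt. It flags System32 executables that are not validly signed by Microsoft, and any executable whose embedded OriginalFilename (the version resource most builds carry) disagrees with its name on disk, which is what a renamed "wupdmgr1.exe" would typically show. It then lists which of those flagged files are actually running.

```powershell
# Added example (not from the thread or from BOINC): look for executables in
# System32 that are not Microsoft-signed, or whose embedded OriginalFilename
# does not match the name on disk (a sign the file was renamed after build).
# Assumes PowerShell 3.0+ and an elevated prompt so every file can be read.

$sys32 = Join-Path $env:SystemRoot 'System32'

$findings = Get-ChildItem -Path $sys32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file   = $_
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $vi     = $file.VersionInfo
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # A valid signature from Microsoft is what we expect in System32; anything
        # else (unsigned, third-party signer, broken signature) is worth a look.
        $microsoftSigned = ($sig.Status -eq 'Valid') -and
                           ($signer -like '*O=Microsoft Corporation*')

        # Renaming a binary does not change its version resource, so a file named
        # wupdmgr1.exe whose OriginalFilename says something else was renamed.
        $origName = $vi.OriginalFilename
        $renamed  = (-not [string]::IsNullOrWhiteSpace($origName)) -and
                    ($origName.Trim() -ne $file.Name)

        [pscustomobject]@{
            Name             = $file.Name
            SignatureStatus  = $sig.Status
            Signer           = $signer
            CompanyName      = $vi.CompanyName
            ProductName      = $vi.ProductName
            OriginalFilename = $origName
            Renamed          = $renamed
            NotMicrosoft     = -not $microsoftSigned
        }
    } |
    Where-Object { $_.NotMicrosoft -or $_.Renamed }

"Executables in $sys32 that need a second look:"
$findings | Sort-Object Name | Format-Table Name, SignatureStatus, CompanyName, ProductName, OriginalFilename, Renamed -AutoSize

# Cross-reference with what is running from System32 right now: a flagged file
# that also has a live process (and is eating CPU) is the one to investigate first.
"Flagged files with a running process:"
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase) } |
    Where-Object { $findings.Name -contains (Split-Path $_.Path -Leaf) } |
    Select-Object Id, ProcessName, Path, CPU |
    Format-Table -AutoSize
```

Two caveats when reading the output: on current Windows releases most System32 binaries are catalog-signed and Get-AuthenticodeSignature reports them as Valid, but a handful of legitimate files can still show NotSigned, so treat the CompanyName and ProductName columns as the tiebreaker rather than alarming on signature status alone; and a mismatching OriginalFilename is a strong hint, not proof, since some installers legitimately rename files. A BOINC science application's version resource would name BOINC or the project, and that file normally lives in the BOINC data directory, not in System32, so either column pointing at it from that location is the thing to act on.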

Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 146,467
RAC: 0
Australia
Message 240170 - Posted: 31 Jan 2006, 6:05:33 UTC

Ummm can't see
This user has chosen not to show information about their computers.
:(

____________
G'day from.....

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240171 - Posted: 31 Jan 2006, 6:07:06 UTC - in response to Message 240170.

Ummm can't see
This user has chosen not to show information about their computers.
:(

Try it now. I had the wrong URL posted.
____________

http://www.teamstarfire.org/

Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 146,467
RAC: 0
Australia
Message 240174 - Posted: 31 Jan 2006, 6:16:57 UTC

Yup, see it now, thanks, but he/she has compys hidden,
so who knows how many they have. It would be an idea if
someone could find this out.
Something doesn't add up to me. I did read the Team Starfire thread;
very interesting.

____________
G'day from.....

Prognatus
Joined: 6 Jul 99
Posts: 1600
Credit: 391,546
RAC: 0
Norway
Message 240175 - Posted: 31 Jan 2006, 6:17:39 UTC

Did he download BOINC from download.com or directly from Berkeley?

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240176 - Posted: 31 Jan 2006, 6:20:35 UTC - in response to Message 240175.

Did he download BOINC from download.com or directly from Berkeley?

He didn't even know what Boinc or Seti was. He just noticed the files were using his CPU time.

____________

http://www.teamstarfire.org/

Kinguni
Volunteer tester
Joined: 15 Feb 00
Posts: 239
Credit: 9,043,007
RAC: 0
Canada
Message 240177 - Posted: 31 Jan 2006, 6:21:32 UTC - in response to Message 240175.

Did he download BOINC from download.com or directly from Berkeley?


He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service.
____________
Join Team Starfire
BOINC Chat

Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 146,467
RAC: 0
Australia
Message 240180 - Posted: 31 Jan 2006, 6:25:30 UTC

Reading the Starfire thread, has he actually asked his brother
if he installed it and didn't want him knowing about it?
Just a thought........
____________
G'day from.....

Misfit
Volunteer tester
Joined: 21 Jun 01
Posts: 21790
Credit: 2,510,901
RAC: 0
United States
Message 240184 - Posted: 31 Jan 2006, 6:28:53 UTC
Last modified: 31 Jan 2006, 6:38:20 UTC

Interesting process name - wupdmgr.exe

According to Boinc Stats he has 13 hosts, and more info.

Here are his computers on CPDN.

Prognatus
Joined: 6 Jul 99
Posts: 1600
Credit: 391,546
RAC: 0
Norway
Message 240185 - Posted: 31 Jan 2006, 6:30:32 UTC - in response to Message 240177.
Last modified: 31 Jan 2006, 6:40:40 UTC

He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service.
Did he get an email from "Microsoft" with a link to "Windows Update"?
If so, he probably got a virus. Microsoft doesn't send out emails like that. A friend of mine followed such a link and had to reformat his entire drive to get rid of the virus.

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240186 - Posted: 31 Jan 2006, 6:30:54 UTC - in response to Message 240180.

Reading the Starfire thread, has he actually asked his brother
if he installed it and didn't want him knowing about it?
Just a thought........

I think he would have recognized the name if it was his brother. He is from Canada and the account is in Germany.
____________

http://www.teamstarfire.org/

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240187 - Posted: 31 Jan 2006, 6:31:55 UTC - in response to Message 240184.
Last modified: 31 Jan 2006, 6:38:20 UTC

Interesting process name - wupdmgr.exe

I see what you mean!
____________

http://www.teamstarfire.org/

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240203 - Posted: 31 Jan 2006, 6:58:13 UTC - in response to Message 240184.

Interesting process name - wupdmgr.exe

According to Boinc Stats he has 13 hosts, and more info.

Here are his computers on CPDN.


Nice work Misfit! For 13 hosts that's a nice RAC, 121,566, and today was a bad day.
____________

http://www.teamstarfire.org/

Paul D. Buck
Volunteer tester
Joined: 19 Jul 00
Posts: 3898
Credit: 1,158,042
RAC: 0
United States
Message 240218 - Posted: 31 Jan 2006, 8:27:04 UTC

Very interesting ... quite an exploit ... :(

I wonder if this would be a good candidate for: Total Credit => 0 ...
____________

MikeSW17
Volunteer tester
Joined: 3 Apr 99
Posts: 1603
Credit: 2,700,523
RAC: 0
United Kingdom
Message 240223 - Posted: 31 Jan 2006, 8:52:15 UTC

The subject of viruses always elicits a very emotional and often panicked reaction.

Before taking this discussion further, it is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.
____________

Paul D. Buck
Volunteer tester
Joined: 19 Jul 00
Posts: 3898
Credit: 1,158,042
RAC: 0
United States
Message 240224 - Posted: 31 Jan 2006, 9:00:45 UTC - in response to Message 240223.

The subject of viruses always elicits a very emotional and often panicked reaction.

Before taking this discussion further, it is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.

Oh, sure... no argument there ...
____________

Kinguni
Volunteer tester
Joined: 15 Feb 00
Posts: 239
Credit: 9,043,007
RAC: 0
Canada
Message 240227 - Posted: 31 Jan 2006, 9:11:49 UTC - in response to Message 240223.

It is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.
Of course. This was done by more than one user with classic SETI as well.
____________
Join Team Starfire
BOINC Chat

Mr.Pernod
Volunteer tester
Joined: 8 Feb 04
Posts: 350
Credit: 1,015,988
RAC: 0
Netherlands
Message 240235 - Posted: 31 Jan 2006, 10:17:58 UTC

Seen the same thing happening with FaH.
Some people find it useful to make programs like FaH or SETI part of self-extracting/installing archives distributed via p2p networks.
So it is most likely it was just a simple p2p download (which the 'victim' most likely will not admit to) that installed SETI.

Crunch3r
Volunteer tester
Joined: 15 Apr 99
Posts: 1540
Credit: 3,314,460
RAC: 0
Germany
Message 240237 - Posted: 31 Jan 2006, 10:37:11 UTC - in response to Message 240218.

Very interesting ... quite an exploit ... :(

I wonder if this would be a good candidate for: Total Credit => 0 ...


I agree with you Paul.
Furthermore I would consider deleting the account as an option.
____________

Join BOINC United now!
Auto eVB | Autoversicherung

Jack Gulley
Joined: 4 Mar 03
Posts: 423
Credit: 526,566
RAC: 0
United States
Message 240241 - Posted: 31 Jan 2006, 11:15:19 UTC

If the Berkeley staff are not already all over this one, they should be, before the press is. Computer IDs in that account might allow them to find the IP addresses being used, and maybe track back to some of the system owners. And at least tell us how many different systems are being used and are "infected" this way. It would take at least 100 and maybe 300 systems or more to generate that kind of average credit.

The team was set up January 1, 2006, but he had over 5 million credits then. Based on his credit history he has been at this for four months or longer, holds second place in BOINC/SETI rank, and has not been detected?

Copyright © 2014 University of California