BrianEnigma
Entrenched
Joined: 05 Oct 2003 Posts: 1199 Location: Pacific Northwest
[ANSWER] Metacortechs.com Screensaver
For those worried that the Metacortechs.com screensaver houses a nasty evil virus or trojan horse, there is still a way to view the Flash file it wraps without running an EXE (or SCR, which is basically the same thing). Here's how:
1. Download the mc_setup.exe file to disk. Don't open or run it, simply download it.
2. This file is a self-extracting zip. If you like the command line, most tools will let you simply "unzip mc_setup.exe" to extract out the data portion of the archive. On Windows, you can open it in WinZip to view and extract the contents.
3. Extract the "screensaver.swf" file. This is the main part of the screensaver--the rest is overhead used to wrap a Flash file as a screensaver. Since the other stuff is executable, you want to steer clear of it.
4. Open the SWF in a web browser.
That's all. It's just a Flash file. If you don't want to go through the work, there's a copy here: http://netninja.com/scrapbook/Metacortex/metacortex/screensaver.swf
Posted: Tue Nov 04, 2003 6:18 pm
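An added example, not code from the original post or from Metacortechs: a Python script that does what the four steps above describe, without ever executing the stub. It opens the self-extracting archive with the standard-library zipfile module (which finds the central directory from the end of the file, so the EXE code in front of the zip data is simply skipped), keeps only members whose first bytes are a SWF signature, refuses anything that begins with an MZ header, and checks that the SWF header's declared length matches the data. The sample archive it builds (a fake MZ stub plus a dummy screensaver.swf, uninstall.exe and readme.txt) is constructed for the demo; the real mc_setup.exe is not part of it, and the SWF body bytes are a placeholder, not a real screensaver.

```python
"""Extract the Flash file from a self-extracting zip without executing the stub."""
import io
import struct
import zipfile
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed


def classify(data: bytes) -> str:
    """Judge a member by its first bytes, not by its file name."""
    if data[:2] == b"MZ":
        return "pe"  # Windows executable (EXE/SCR/DLL): never run it, never extract it
    if data[:3] in SWF_SIGNATURES:
        return "swf"
    return "other"


def swf_header(data: bytes) -> dict:
    """Parse the 8-byte SWF header and check the declared uncompressed length."""
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not a SWF")
    version = data[3]
    declared = struct.unpack_from("<I", data, 4)[0]  # length of the whole uncompressed file
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # everything after the header is one zlib stream
    else:
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    if len(body) + 8 != declared:
        raise ValueError(f"declared length {declared} != actual {len(body) + 8}")
    return {"signature": sig.decode(), "version": version, "length": declared}


def is_valid_swf(data: bytes) -> bool:
    try:
        swf_header(data)
        return True
    except (ValueError, zlib.error, IndexError, struct.error):
        return False


def member_kinds(sfx_blob: bytes) -> dict:
    """Inventory of the archive: {member name: 'pe' | 'swf' | 'other'}."""
    with zipfile.ZipFile(io.BytesIO(sfx_blob)) as zf:
        return {i.filename: classify(zf.read(i)) for i in zf.infolist() if not i.is_dir()}


def extract_swf_members(sfx_blob: bytes) -> dict:
    """Return {name: bytes} for members that are well-formed SWFs; PE members are skipped."""
    out = {}
    # zipfile locates the end-of-central-directory record from the end of the file,
    # so the self-extractor code in front of the zip data is never looked at, let alone run.
    with zipfile.ZipFile(io.BytesIO(sfx_blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if classify(data) == "swf" and is_valid_swf(data):
                out[info.filename] = data
    return out


def make_swf(compressed: bool, body: bytes = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00") -> bytes:
    """Constructed sample SWF: valid 8-byte header, placeholder body (not a real screensaver)."""
    header = (b"CWS" if compressed else b"FWS") + bytes([6]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


def build_sample_sfx() -> bytes:
    """Constructed stand-in for mc_setup.exe: a fake MZ stub followed by ordinary zip data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screensaver.swf", make_swf(compressed=True))
        zf.writestr("uninstall.exe", b"MZ" + b"\x90" * 62 + b"fake stub, not a real PE")
        zf.writestr("readme.txt", b"Metacortechs screensaver (constructed sample)\n")
    return b"MZ" + b"\0" * 510 + buf.getvalue()  # the self-extractor code would live in the prefix


if __name__ == "__main__":
    blob = build_sample_sfx()
    print(member_kinds(blob))
    for name, data in extract_swf_members(blob).items():
        print(name, swf_header(data))
```

The point of classifying by header bytes rather than by extension is that the archive author controls the names: a member called screensaver.swf that starts with MZ is an executable, and a member called readme.txt that starts with FWS is a Flash file. Checking the declared length also catches truncated or tampered SWFs before a browser is pointed at them. For a real archive, replace build_sample_sfx() with open("mc_setup.exe", "rb").read().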
ReMont
Boot
Joined: 01 Nov 2003 Posts: 15 Location: France
The swf file probably does not contain a virus, but when I unpacked the mc_setup.exe file, I found W32/CTX in the uninstall.exe file.
Quote:
Virus Characteristics:
This virus is a polymorphic PE file infector. It is the by-product of the W32/Cholera.worm and once dropped on a system, can spread as usual PE type infectors. Spreading can occur via shared applications on a network server or by the common forwarding of email joke programs through an infected user. The polymorphism of the W32/CTX virus is similar to the type within Win95/Marburg, Win95/HPS and W32/Parvo and is enhanced slightly. It also includes entry-point modification mechanism so the virus installs a jump on itself rather far from the original host's entry point.
Symptoms
Not noticeable; some infected files may be corrupted and no longer run. Infected files have a size divisible by 101.
Method Of Infection
Direct infector; receipt of an email message containing the W32/Cholera.worm in a file SETUP.EXE of 49,187 bytes and running it.
From Network Associates Inc.
Posted: Tue Nov 04, 2003 7:13 pm
Azathoth666
Unfettered
Joined: 09 Oct 2003 Posts: 321 Location: OZ-tralia
Good point, I'd forgotten about that. I'm not sure, but I believe that was in the initial screensaver uninstall.
Correct me if I'm wrong, but to my knowledge they've since fixed it and new downloads of the screensaver aren't carriers... This is hearsay, I haven't downloaded it and pulled it apart recently.
_________________We don't stop playing because we grow old.
We grow old because we stop playing.
Posted: Tue Nov 04, 2003 7:27 pm
ReMont
Boot
Joined: 01 Nov 2003 Posts: 15 Location: France
When I detected this virus I sent them an email, but the problem isn't fixed yet.
(I have just downloaded the file to verify)
I just hope it's not part of the mystery.
Posted: Tue Nov 04, 2003 7:43 pm
XtRaVa
Unfettered
Joined: 25 Oct 2003 Posts: 565 Location: Portsmouth, England
Do you like dragons?
Posted: Tue Nov 04, 2003 8:16 pm
ReMont
Boot
Joined: 01 Nov 2003 Posts: 15 Location: France
XtRaVa wrote:
Do you like dragons?
Yes, why?
Posted: Tue Nov 04, 2003 8:24 pm
XtRaVa
Unfettered
Joined: 25 Oct 2003 Posts: 565 Location: Portsmouth, England
ReMont wrote:
XtRaVa wrote:
Do you like dragons?
Yes, why?
Well, your avatar is of a dragon... ergo, I asked that question.
Posted: Tue Nov 04, 2003 8:27 pm
enaxor
I Have No Life
Joined: 25 Feb 2003 Posts: 2395
Quote:
Symptoms
Not noticeable; some infected files may be corrupted and no longer run. Infected files have a size divisible by 101.
There's that number again.
_________________10/05/2007, 04/23/2009, 07/02/2015
The world is a much dimmer place.
Posted: Tue Nov 04, 2003 8:42 pm
AnthraX101
Entrenched
Joined: 18 Mar 2003 Posts: 797
I'm just not seeing this file being infected by this virus. Both Norton and Trend Micro detect no virus in the file. The file size is not divisible by 101 (46080 bytes). There also only appear to be 3 calls to kernel32.dll, not the required 29. I can't see any large blocks of what looks to be encrypted data.
What virus scan are you using, McAfee? If so, what version and definition file?
AnthraX101
Posted: Tue Nov 04, 2003 8:46 pm
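An added example, not code from the original thread: the two static checks AnthraX101 describes above, file size modulo 101 and the number of functions imported from kernel32.dll, scripted in Python with a small PE import-table walker. So that it runs offline it builds its own minimal PE32 (one .idata section, imports by ordinal); that builder and the DLL names it is fed are constructed for the demo and are not the screensaver's uninstall.exe, and the 29-call and divisible-by-101 figures come from the posts, not from this code. To check a real file, feed triage() the bytes of the extracted uninstall.exe.

```python
"""Static triage: size mod 101 and per-DLL import counts from a PE import table."""
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32; data directories start 96 bytes into the optional header


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def pe_imports(data: bytes) -> dict:
    """Map lower-cased DLL name -> number of imported functions (thunk entries)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    nt = _u32(data, 0x3C)  # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = nt + 4
    nsec = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    dd_base = 96 if _u16(data, opt) == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 112  # PE32+ header is wider
    import_rva = _u32(data, opt + dd_base + 8)  # data directory entry 1 = import table
    sections = []
    for i in range(nsec):
        sh = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} outside every section")

    counts = {}
    if import_rva == 0:
        return counts
    desc = rva_to_off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the table
        name_off = rva_to_off(name_rva)
        dll = data[name_off:data.index(b"\0", name_off)].decode("ascii").lower()
        thunk = rva_to_off(oft or ft)  # OriginalFirstThunk may be zero with old linkers
        n = 0
        while _u32(data, thunk) != 0:  # by-ordinal and by-name entries both count as one import
            n += 1
            thunk += 4
        counts[dll] = n
        desc += 20
    return counts


def triage(data: bytes) -> dict:
    """The checks from the post: size mod 101 and how many kernel32.dll imports the file has."""
    is_pe = data[:2] == b"MZ"
    imports = pe_imports(data) if is_pe else {}
    return {
        "size": len(data),
        "size_mod_101": len(data) % 101,
        "is_pe": is_pe,
        "kernel32_imports": imports.get("kernel32.dll", 0),
        "imports": imports,
    }


def build_minimal_pe(imports: dict) -> bytes:
    """Constructed sample: a PE32 with one .idata section importing the given DLLs by ordinal."""
    sec = bytearray(20 * (len(imports) + 1))  # descriptor array incl. null terminator, filled in below
    descs = []
    for dll, count in imports.items():
        name_rva = 0x1000 + len(sec)
        sec += dll.encode("ascii") + b"\0"
        sec += b"\0" * (-len(sec) % 4)
        thunk_rva = 0x1000 + len(sec)
        for ordinal in range(1, count + 1):
            sec += struct.pack("<I", 0x80000000 | ordinal)  # high bit set = import by ordinal
        sec += b"\0" * 4  # thunk array terminator
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva))
    sec[: 20 * len(imports)] = b"".join(descs)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 64)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt header
    opt = bytearray(224)
    opt[0:2] = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    opt[92:96] = struct.pack("<I", 16)  # NumberOfRvaAndSizes
    opt[104:112] = struct.pack("<II", 0x1000, 20 * (len(imports) + 1))  # import directory RVA/size
    sh = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), 0x1000, len(sec), 0x200, 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sh
    return header + b"\0" * (0x200 - len(header)) + bytes(sec)


if __name__ == "__main__":
    sample = build_minimal_pe({"KERNEL32.dll": 3, "USER32.dll": 2})
    print(triage(sample))
```

Two caveats a practitioner would add. A file-size heuristic like "divisible by 101" is only a quick screen: a clean file has a one-in-101 chance of matching, and an infected file whose size was changed afterwards will not. And an import count from the headers is only meaningful for an unpacked binary; a packed or polymorphic sample resolves most of its APIs at run time, so a low static count by itself neither confirms nor rules out anything.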
Brotherhalo
Veteran
Joined: 17 Oct 2003 Posts: 78 Location: Dark Side of Endor
I just extracted and scanned everything using:
McAfee VirusScan v6.02.3000
Virus Definitions: 4.0.4299 created on 22 October 2003
Scan Engine: 4.2.60
Nary a detection in sight...
Posted: Tue Nov 04, 2003 8:51 pm
ReMont
Boot
Joined: 01 Nov 2003 Posts: 15 Location: France
Quote:
W32/CTX-A is a Win32 executable file virus. A polymorphic Windows virus, it uses several techniques designed to evade detection by anti-virus software products.
If the current day and hour are the same as those at the time of infection, and the current month is six months after the month of infection, then the virus will change the Desktop background colour.
From Sophos
Quote:
W32.CTX is written in assembly. The virus inserts polymorphic code, making the detection of the virus more complicated. CTX is a PE (Portable Executable) infector. The entry point of the infected files will not be changed during infection. Rather the virus modifies the code section of the host program and inserts a CALL to its polymorphic decryptor. The virus wants to avoid detection from first generation W32 heuristic engines this way.
From Symantec (Norton Editor)
My current virus scan is AntiVir(r)XP.
http://www.free-av.com/
Program Version: v6.22.01.01 - (23 October 2003)
Search Engine: v6.22.0.1 - (24 October 2003)
Virus Definition: v6.22.0.14 - (23 October 2003)
If someone wants to try it to verify...
Posted: Tue Nov 04, 2003 8:58 pm
Last edited by ReMont on Tue Nov 04, 2003 11:29 pm; edited 3 times in total
JamesBenjamin
Boot
Joined: 16 Oct 2003 Posts: 10
Hmmm, and on a side note, when you watch the swf file, after 'metacortechs' there's some text that flashes in the bottom right... it's too quick for me to see, anyone want to grab it out of there?
Posted: Tue Nov 04, 2003 9:56 pm
ReMont
Boot
Joined: 01 Nov 2003 Posts: 15 Location: France
Quote:
and on a side note, when you watch the swf file, after 'metacortechs' there's some text that flashes in the bottom right... it's too quick for me to see, anyone want to grab it out of there?
It says:
Code:
logging user info
b_moveBy(x,y){this.x=this.x+x;x,y)
...
identity
...
And after that I'm not able to read it.
Posted: Tue Nov 04, 2003 10:18 pm
heatha
Veteran
Joined: 04 Nov 2003 Posts: 74
Isn't that JavaScript?
If there is a virus or part of a virus being detected, that might well be part of the mystery. Agent Smith refers to humanity as being like a virus - moving in, consuming everything, growing beyond the environment's capacity....
Quote:
"I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species. I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment, but you humans do not. You move to an area, and you multiply, and multiply, until every natural resource is consumed. The only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. A virus. Human beings are a disease, a cancer of this planet, you are a plague, and we are the cure. "
Posted: Tue Nov 04, 2003 11:52 pm
AnthraX101
Entrenched
Joined: 18 Mar 2003 Posts: 797
That is not straight JavaScript. It looks similar, but is not valid code. The moveBy command is used to move the positioning of a window via JavaScript.
AnthraX101
Posted: Wed Nov 05, 2003 12:04 am