Monthly Archive for March, 2005

Removal of Serflog/Sumom worm

Serflog/SumoM
My little niece had been trying for a while now to send me, through MSN Messenger, a picture called “How a Blonde Eats a Banana”. My reaction was, as anyone’s should be: I don’t know what she’s sending, nor why; there’s no prior conversation, no context, nothing. I did not accept it. But I did not think further about it. A couple of days later I found that a) the girl’s computer had a virus, b) the virus eagerly tried to infect other PCs via Messenger, and c) it had successfully accomplished that task in several cases. One of the victims handed over his PC to me (being the family geek and all). Since it was a nasty worm, and it took me some time to disable it, here is the procedure to follow:

  • The virus is a worm called W32.Serflog.A, Win32.Bropia.U, Worm.Win32.Sumom.a, W32/Crog.worm or WORM_FATSO.A, depending on which anti-virus vendor’s site you visit. I used the information on the Symantec (Norton Antivirus) site to see how it hooks itself into the PC.
  • The worm does several things:
    • It tries to infect other PCs through Messenger (and eMule, but not too aggressively).
    • It does not prevent users from ‘working’ (surfing, email, …), so I can see some people doing nothing about it while the program keeps trying to multiply.
    • And, most importantly, the worm makes it very hard for even an experienced user to deactivate or remove it.
  • The worm starts itself up when Windows starts. Alas, you cannot use Task Manager to see and terminate this process: the invader immediately kills any window starting up that has “Task” in its title. You cannot visit the site of an antivirus vendor, because they have all been made inaccessible. You cannot delete its entries from the Registry, because it kills Regedit or Regedt32 the moment they start. You cannot start a DOS prompt, because … you get the picture.
  • So what you do is the following: create a command prompt with a different name. Go to the C:\WINNT\system32 (Win2K) or C:\Windows\System32 (WinXP) folder and copy the cmd.exe file to e.g. whatever.exe. Now double-click that file, and you should get a command prompt (DOS box). The worm will not detect this.
  • The worm works through 3 hidden .exe files: %System%\formatsys.exe, %System%\serbw.exe and %Windir%\msmbw.exe. We will deactivate them by making them visible (removing the hidden attribute) and renaming them, from the folder that holds each file:
    attrib -h serbw.exe
    ren serbw.exe die_sucker.dead
    (and the same for the other 2)
    I first tried to delete the files, but that did not work. Renaming did work, though.
  • Restart your computer. The worm will try to start up via one of the three .exe files; since they are now gone, it will not run. Now start regedit and delete the hooks the worm had placed in the Registry (see the Symantec page for details).
  • Go to the hosts file (most likely in %SYSTEM%\drivers\etc\hosts) and delete the lines that made the antivirus vendors unavailable (see the Symantec page for details).
  • Switch off the computer, hit yourself on the head and go and buy an antivirus program. What were you thinking? The virus would have been detected and cleaned by: F-Secure - Norton - Sophos - McAfee - TrendMicro - …
    If you have been infected by it, you know you are too gullible to surf the Internet without protection.
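A way to spot and strip the kind of hosts-file entries the procedure above tells you to remove, as an added Python example that is not part of the original post: it parses the hosts file, flags every name that is mapped to a loopback or unspecified address but is not one of the usual local names, and writes out a cleaned copy. The sample hosts content and the `.example` vendor names are constructed for the demo; the actual names the worm blocks are listed on the Symantec page, not here.

```python
import ipaddress

# Names that legitimately point at loopback in a stock Windows or Unix hosts file.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file (not copied from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.antivirus-vendor.example       # sinkholed by malware
127.0.0.1       liveupdate.av-vendor.example securityresponse.av-vendor.example
192.168.1.10    fileserver                         # legitimate LAN entry
"""

def parse_hosts(text):
    """Return (address, [hostnames]) for each non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries

def is_sinkhole(address):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_line(raw):
    """True if this raw hosts line sends a non-local name to a sinkhole address."""
    parts = raw.split("#", 1)[0].split()
    return (len(parts) >= 2 and is_sinkhole(parts[0])
            and any(n.lower() not in EXPECTED_LOCAL for n in parts[1:]))

def find_blocked_hosts(text):
    """Hostnames that the file silently redirects to loopback/null."""
    blocked = []
    for addr, names in parse_hosts(text):
        if is_sinkhole(addr):
            blocked.extend(n for n in names if n.lower() not in EXPECTED_LOCAL)
    return blocked

def clean_hosts(text):
    """Copy of the file with the suspicious lines removed; everything else kept verbatim."""
    kept = [raw for raw in text.splitlines() if not suspicious_line(raw)]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for name in find_blocked_hosts(SAMPLE_HOSTS):
        print("sinkholed:", name)
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine you would read the file at the path given in the post (it may carry the hidden or read-only attribute, so clear those first, as with the worm’s executables), review the flagged names before writing the cleaned copy back, and keep in mind that a legitimate ad-blocking hosts list produces the same pattern.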

These instructions should work on any Windows installation. You might use Symantec’s removal tool, but I had no Internet connection when I was struggling with the intruder. It took me about thirty minutes to figure out a way to circumvent the vicious sucker.

Is this a really nasty piece of software? Yes. Do I admire the person who wrote it? Not at all. It’s not clever engineering, just malevolent.

iTunes and ID3 tags

I have a Sony MP-40 car radio that reads CDs with MP3 files. However, since I started using iTunes to create my MP3 CDs, I sometimes seem to lose the ID3 tags (Title/ Artist/ Album). I now know why: iTunes writes ID3v2 tags, and the Sony only handles ID3v1 (MP40 PDF).
Main differences:

  • ID3v1 tags are written in a 128 byte fixed-length field at the end of the audio file.
    Song title 30 characters
    Artist     30 characters
    Album      30 characters
    Year        4 characters
    Comment    30 characters
    Genre       1 byte
  • ID3v2 can accommodate variable-length tags, and allows storing them at the beginning and/or the end of the file.
    +-----------------------------+
    |      Header (10 bytes)      |
    +-----------------------------+
    |       Extended Header       |
    | (variable length, OPTIONAL) |
    +-----------------------------+
    |   Frames (variable length)  |
    +-----------------------------+
    |           Padding           |
    | (variable length, OPTIONAL) |
    +-----------------------------+
    | Footer (10 bytes, OPTIONAL) |
    +-----------------------------+

There are advantages for both systems:

  • prepending the ID3 info (add it in the beginning of the file) is essential for non-random access (e.g. streaming) and low bandwidth situations. You want to display the information as fast as possible, before the music starts playing.
  • appending the ID3 data (add it at the end of the file) makes it easier to edit. If you have a 50MB music podcast and you change the Album/Artist info (which is necessary in a lot of cases, since the authors don’t always pay attention to good tagging - thank god Doppler can do this automatically), then with a prepended tag the whole file has to be rewritten in a lot of cases, and this takes several seconds.

iTunes actually does the most sensible thing: it prepends ID3v2 tags and uses the ‘padding’ to reserve about 1,6 KB of space. So if new ID3 info has to be added, it can take some of the space reserved by the padding, and iTunes only needs to change the first 1,6 KB of the file and leave the rest untouched. This combines the advantages of appending and prepending.

The default location of an ID3v2 tag is prepended to the audio so that players can benefit from the information when the data is streamed. It is however possible to append the tag, or make a prepend/append combination.
(from id3.org)
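To make the two layouts above concrete, here is an added Python example (my own code, not from the post, iTunes or the Sony manual) that builds a small prepended ID3v2.3 tag with padding in front of a fake audio payload, reads the 10-byte header and its text frames back, and derives the 128-byte ID3v1 trailer that a v1-only player such as the car stereo needs. The frame ids (TIT2, TPE1, TALB, TYER) and the byte layouts follow the id3.org specifications; the song data and the 1600-byte padding are constructed for the demo, and the v2.4 branches (syncsafe frame sizes, TDRC) are included so the reader sees where the two revisions differ.

```python
import struct

def syncsafe_to_int(b):
    """Decode 4 'syncsafe' bytes (7 bits each, high bit clear) used for ID3v2 sizes."""
    n = 0
    for x in b:
        if x & 0x80:
            raise ValueError("not a syncsafe integer")
        n = (n << 7) | x
    return n

def int_to_syncsafe(n):
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))

def build_id3v2_tag(text_frames, padding=0):
    """Build an ID3v2.3 tag: 10-byte header, 'T' text frames (ISO-8859-1), then padding."""
    body = b""
    for fid, text in text_frames.items():
        payload = b"\x00" + text.encode("latin-1")      # encoding byte 0 = ISO-8859-1
        body += fid.encode("ascii") + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    body += b"\x00" * padding                            # room for later edits in place
    return b"ID3" + bytes([3, 0, 0]) + int_to_syncsafe(len(body)) + body

def parse_id3v2_header(data):
    """Return the header fields of a prepended ID3v2 tag, or None if there is none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    major, revision, flags = data[3], data[4], data[5]
    size = syncsafe_to_int(data[6:10])                   # excludes header and footer
    return {"version": (major, revision), "extended_header": bool(flags & 0x40),
            "footer": bool(flags & 0x10), "tag_size": size,
            "audio_offset": 10 + size + (10 if flags & 0x10 else 0)}

def parse_id3v2_text_frames(data):
    """Return {frame_id: text} for the text frames of a prepended ID3v2.3/2.4 tag."""
    hdr = parse_id3v2_header(data)
    if hdr is None:
        return {}
    major = hdr["version"][0]
    pos, end = 10, 10 + hdr["tag_size"]
    if hdr["extended_header"]:
        if major == 4:                                   # v2.4: syncsafe size, includes itself
            pos += syncsafe_to_int(data[10:14])
        else:                                            # v2.3: size excludes the 4 size bytes
            pos += 4 + struct.unpack(">I", data[10:14])[0]
    frames = {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":                   # reached the padding
            break
        raw = data[pos + 4:pos + 8]
        fsize = syncsafe_to_int(raw) if major == 4 else struct.unpack(">I", raw)[0]
        body = data[pos + 10:pos + 10 + fsize]
        if fid.startswith(b"T") and body:
            enc, text = body[0], body[1:]
            codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(enc, "latin-1")
            frames[fid.decode("ascii")] = text.decode(codec, "replace").rstrip("\x00")
        pos += 10 + fsize
    return frames

def parse_id3v1(data):
    """Return the fields of a trailing 128-byte ID3v1 tag, or None."""
    tail = data[-128:]
    if len(tail) < 128 or tail[:3] != b"TAG":
        return None
    def field(a, b):
        return tail[a:b].split(b"\x00", 1)[0].decode("latin-1").rstrip()
    return {"title": field(3, 33), "artist": field(33, 63), "album": field(63, 93),
            "year": field(93, 97), "comment": field(97, 127), "genre": tail[127]}

def build_id3v1(title, artist, album, year, comment="", genre=255):
    """Fixed 128-byte layout: 'TAG' + 30/30/30/4/30-byte text fields + 1 genre byte."""
    def fit(s, n):                                       # truncate or NUL-pad to exactly n bytes
        return s.encode("latin-1", "replace")[:n].ljust(n, b"\x00")
    return (b"TAG" + fit(title, 30) + fit(artist, 30) + fit(album, 30)
            + fit(year, 4) + fit(comment, 30) + bytes([genre]))

def add_id3v1_from_v2(data):
    """Append an ID3v1 trailer derived from the v2 text frames unless one is already present."""
    if parse_id3v1(data) is not None:
        return data
    f = parse_id3v2_text_frames(data)
    year = f.get("TYER") or f.get("TDRC", "")[:4]         # v2.3 uses TYER, v2.4 uses TDRC
    return data + build_id3v1(f.get("TIT2", ""), f.get("TPE1", ""), f.get("TALB", ""), year)

# Constructed sample: a v2.3 tag with 1600 bytes of padding, then fake audio bytes.
SAMPLE_TAGS = {"TIT2": "One Thing", "TPE1": "Amerie", "TALB": "Hitch soundtrack", "TYER": "2005"}
SAMPLE_MP3 = build_id3v2_tag(SAMPLE_TAGS, padding=1600) + b"\xff\xfb" + bytes(200)

if __name__ == "__main__":
    print(parse_id3v2_header(SAMPLE_MP3))
    print(parse_id3v2_text_frames(SAMPLE_MP3))
    print(parse_id3v1(add_id3v1_from_v2(SAMPLE_MP3)))
```

The last function is the conversion the ‘Convert ID3 tags’ menu item performs in spirit: the v2 tag stays in front for streaming players, and a v1 trailer is appended for the car radio, at the cost of the 30-byte truncation the fixed-length fields impose.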

Until I change my car stereo, my only option is to change the ID3 format of my files before I burn them to an MP3 CD. iTunes can do this (the ‘Advanced’ / ‘Convert ID3 tags’ option), but it’s still a drag.

Just one thing from Amerie

It first jumped into my ear via Pentdego’s MixOfTheWeek mixes podcast: the irresistible first number on the DJ Fiskars January mix (originally featured on MOTW Forum).

In the mix it is preceded by 10 seconds of “Are You My Woman” (The Chi-Lites), the famous sample used in “Crazy In Love” by Beyoncé. They do sound alike: the minimal instrumentation, the prominent drums, the chord chop on the first beat of every 4 bars. No big surprise there, as I found out later: both songs were created by the same guy, Rich Harrison.

Studio Brussel is pushing the song this week: “One Thing” by Amerie. There’s a video clip on her MTV page. As nice as her legs might be, it’s a pity she’s blocking the view of the drummer, who lays down a nice Clyde Stubblefield-ish groove. The song is featured on the soundtrack of “Hitch”, and that movie is just being released here in chilly Brussels.

If you like this kind of music, check out the “DJ Fiskars’ Powercuts” mix on MOTW.

Hybrid CD: making it run on Mac and PC

“Just write it on a CD” can mean a lot of things. There’s the plain audio CD (also ‘IEC 908’ or ‘Red Book’ standard - 74 minutes of audio), the CD-ROM (or ‘Yellow Book’ - 700MB of data), the CD-R (‘Orange Book’) and I’m not even gonna go into stuff like SVCD (Super Video CD - up to 60 minutes of video).

While these colorful standards define the lowest level of formatting, for a CD-R/CD-ROM you still have the issue of which filesystem to use on it. Apple chose to use its Hierarchical File System (HFS) - the weird one with the resource forks - on CD media too, while PCs use the ISO 9660 standard (in its basic version: 8.3 filenames). PC-style CDs are readable on a Mac most of the time, while Mac disks are only accessible on a PC with special software. And it’s possible to create a CD with both a Mac and a PC partition, each of them invisible to the other platform: the hybrid disc.

Gentleman that’s going around, turning the joint upside-down

What started as a test case for ‘quoting’ music without breaking the law (making use of Belgium’s citing right) and made for some amusing exchanges of condescending legalese, has become awkward since the author has voluntarily turned into a stool pigeon.

Some background: on Feb 13 the Skynetblogger Librarian had put a link on his blog that pointed to a RealAudio recording of “One-Trick Pony” by Nelly Furtado. When the IFPI, represented by its lawyer Olivier Maeterlinck, asked him on Feb 21 to remove this link (a classic ‘cease and desist’, of which Mr Maeterlinck probably sends dozens every week), the blogger reacted by putting up a link to an excerpt of the song (1:29 of the total 4:47) that he hosted on his own website. He then put forward that because of the right to cite (“citaatrecht” in Dutch) he should be allowed to do this. The right to cite an original work without explicit permission of the author is regularly used in written communication, but is restricted to the following purposes: criticism, polemic, education or scientific work (“kritiek, polemiek of onderwijs, of in het kader van wetenschappelijke werkzaamheden”). It made for an interesting test case, which was noticed by other bloggers like LVB. IFPI did not seem to object to the excerpt (but started questioning the right to link to the song’s lyrics). The conversation took the form of an exchange of legal statements with long, slightly abusive sentences, lots of unnecessary adjectives and the occasional disclaimer. The stuff they teach lawyers at university, in other words.

But then on Feb 26, Librarian published a post with a completely different story: he had removed all links to other bloggers from his site because they might contain ‘illegal’ (i.e. copyrighted) images or other content. Had he stopped at that, it would be nothing but overly cautious. But he also asked bloggers who wanted their link restored to contact him and assure him that all content on their blog was OK. Moreover, he said that whoever did not reply within 7 days was automatically suspected of providing illegal content, and if the blog was hosted by skynetblogs.be (probably the largest Belgian blog provider) he would report it to Skynet as an inadmissible blog (ongeoorloofde blog). This is not only pretentious (as if every blogger would read Librarian’s blog and react), but also equivalent to social suicide.

I have no idea what his motivation is. It could be fear (of getting sued as a test case) or irony (‘see, this is what this legislation would lead to’). It is really rather silly. If you want to know the limits of what you can do on a blog with copyrighted material, check with SABAM. It is responsible for protecting the rights of the authors and has published its prices: the price for putting music on-line is 13,07 euro per month for 15 minutes of audio, to be paid by the party responsible for hosting the actual files. SABAM has no prices for “linking to other people’s audio”.

I wonder, in the days of pirate radio stations, was it illegal to refer to their names and frequencies?