Old 22-11-2007, 04:27 PM   #15
Sam Hobbs
Re: A new self-replicating Malware (Virus and Worm) attacks!!!

Do you provide the source code? For tools such as that, the source code is a
reasonable requirement.

Whether you provide the source code or not, you need to document the details
of what the program does, and provide as many references to recognized sites
as possible that explain what needs to be done in such a manner that
justifies what your program does.


"hanisimo" <hanisimo@gmail.com> wrote in message
news:1195041429.119517.103540@50g2000hsm.googlegroups.com...
> Dear Sir or Madam,
>
> A new computer worm is attacking computers around the world. The
> serious problem is that most of the antivirus programs cannot detect & clean
> it... also, a removal tool was not available on the Internet... another
> serious problem arises when some current antivirus programs detect this
> virus as another kind of virus (Worm 32 family) ... and usually these
> antivirus programs delete the whole infected file (exe & autorun.inf ... etc.)...
>
> This virus infects computer, for instance by:
>
> - Infecting the local hard disk drivers & executable applications
>
> - Carrying himself on a removable medium such as a floppy disk, CD, or
> USB drive.
>
> - Sending himself over a local network or the Internet. This virus can
> spread to other computers by infecting files on a network file system
> or a file system that is accessed by another computer.
>
> - Adding keys into Windows registry
>
> This virus is a mixture of worm, virus and maybe Trojan; he is a
> self-replicating computer program that attaches itself to existing
> programs in the infected PC (modifies files on a targeted computer). It
> is confused with computer worms. He can spread itself to other computers
> without needing to be transferred as part of a host. And usually this
> mixture of a computer worm and virus may be a Trojan horse too...
>
> This virus is blurring the line between viruses and worms (maybe Trojan
> too); actually it is self-replicating Malware.
>
> Description:
> Nobody sure yet about the name of this new virus... Saturday, November
> 03, 2007 I submitted the virus exe file to "Virustotal" (Virustotal is
> a service that analyzes suspicious files and facilitates the quick
> detection of viruses, worms, Trojans, and all kinds of Malware
> detected by antivirus engines) and I got these results:
>
> Antivirus       Result
> --------------  --------------------------
> AVG             Worm/Generic.DKD
> BitDefender     Win32.Worm.P2P.VBT
> CAT-QuickHeal   Worm.AutoRun.tk
> F-Secure        Virus.Win32.AutoRun.tk
> Ikarus          Win32.Worm.P2P.VBT
> Kaspersky       Virus.Win32.AutoRun.tk
> Panda           Suspicious file
> Sophos          W32/Dawin-A
> VBA32           Virus.Win32.AutoRun.tk
>
> The manger antivirus engines give different name for this virus
> (Malware); I think that means two things:
>
> 1- There is no specific name of this virus
>
> 2- Each antivirus engine handles this virus in a different way. And
> does not detect the latest version of him (detects him as other kind
> of virus - Worm 32 family)
>
> Technical Details:
>
> When executed, the virus drops file / component (a copy of itself)
> "KB915865.exe" in all physical drives. That includes too all removable
> drives, such as flash disks. It creates the folder
> "\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\" in drives it affects, and
> drops a copy of itself as "KB915865.exe". This folder is set to Hidden
> and System.
>
> \MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
>
> Also it drops an AUTORUN.INF file to automatically execute dropped
> copies when the drives are accessed. The said file contains the
> following strings:
>
> [AutoRun]
> open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
> shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
> shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
> shell=Open
> open=.
>
> This virus creates registry entries to enable its automatic execution
> at every system startup.
>
> Platform:
>
> This worm affects systems running on Windows 98, ME, NT, 2000, XP, and
> Server 2003.
>
> Solution:
> I wrote a specific removal tool for this virus (e-nil! Virus Cleaner),
> it is free and available on my blog:
>
> http://www.e-nil.com/blogs/?page_id=32
>
>
> For more information or details please do not hesitate to contact me
>
> Best regards and have a nice day,
> Hani Simo
>
>
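
A defensive check for the AUTORUN.INF described in the quoted message, as an added example that is not part of either post and is not the removal tool it mentions: it parses an AUTORUN.INF and flags launch entries that start an executable, marking those that match the dropped path given in the post. The function names, the extension list and the "first token is the program" parsing rule are assumptions made for this example.

```python
import ntpath
import re

# Constructed sample: the AUTORUN.INF strings quoted in the post, unwrapped.
SAMPLE = r"""[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell=Open
open=.
"""

# Keys that make Windows start a program from the drive root.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)", re.I)
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}  # assumed list
# Indicator from the post: dropped copy inside the hidden MSOCache folder.
IOC = r"msocache\90000804-6000-11d3-8cfe-0150048383c9\kb915865.exe"


def launch_targets(text):
    """Yield (key, program) for each launch entry in the [AutoRun] section."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            # Program is the quoted string if quoted, else the first token.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            if LAUNCH_KEY.fullmatch(key) and m:
                yield key.lower(), m.group(1) or m.group(2)


def assess(text):
    """Return (key, program, tag); tag is 'ioc' for the post's path, else 'executable'."""
    findings = []
    for key, program in launch_targets(text):
        # Normalise separators, case and the leading ".\" before comparing.
        norm = re.sub(r"^(\.\\)+", "", program.replace("/", "\\").lower())
        if ntpath.splitext(norm)[1] not in EXEC_EXT:
            continue  # e.g. "open=." names no executable
        tag = "ioc" if ("\\" + norm).endswith("\\" + IOC) else "executable"
        findings.append((key, program, tag))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```
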



