Antivirus: October 2005 Archives

Symantec responded to my virus submission, reporting that they are calling it spybot.worm. And the virus defs are in the latest rapid release defs. The response took long enough that I think it wasn't an autoreply. If it's the autoreply, I know it's not something new. I tried the rapid release defs on my own computer and then set xdbdown to download rapid release defs.

I also downloaded the file (img0099.com) and ran it on a vmware machine. Of course good viruses know when they are in a virtual environment and don't do everything. I also didn't set up a fake network connection, so I don't know what network downloads it may have tried. I'm tempted to try that, but I don't want to hose my real computer.

It did a lot of registry lookups. The main thing is that it created c:\winnt\system32\express.exe and started it with HKCU run and HKLM run/runservice. That file is also detected by the rapid release defs. The file is set as a hidden and system file, so you may need to go into DOS and run attrib -h -s express.exe (in the system32 directory).

The rapid release virus definitions I am using from Symantec are 10/26/2005 rev25.
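As an added example (not part of the original post), a PowerShell check for the persistence points and the hidden/system dropped file described above. It assumes the system directory is whatever $env:SystemRoot points at (C:\WINNT on the machine in the post) and only clears the attributes when run with -Remediate.

```powershell
param([switch]$Remediate)

# Assumption: the dropped file lives under the current system root's system32.
$dropped = Join-Path $env:SystemRoot 'system32\express.exe'

# The Run keys the post says the worm used for persistence (HKCU Run, HKLM Run/RunServices).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... members PowerShell adds to the object.
        if ($prop.Name -like 'PS*') { continue }
        if ("$($prop.Value)" -match 'express\.exe') {
            Write-Output "Persistence hit: $key -> $($prop.Name) = $($prop.Value)"
        }
    }
}

# -Force is required; Get-Item otherwise ignores hidden and system files.
$file = Get-Item -Path $dropped -Force -ErrorAction SilentlyContinue
if (-not $file) {
    Write-Output "No $dropped present."
    return
}

Write-Output "Found $dropped with attributes: $($file.Attributes)"
$hiddenOrSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
if (($file.Attributes -band $hiddenOrSystem) -and $Remediate) {
    # Equivalent of 'attrib -h -s express.exe' so the file can be handled normally.
    $file.Attributes = $file.Attributes -band (-bnot $hiddenOrSystem)
    Write-Output "Cleared hidden/system attributes on $dropped"
}
```

Run it without -Remediate first to see what it reports; the rapid release defs should still be what actually removes the file.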

I had some users passing around an IM virus today. I'm still trying to get a handle on what virus it was to make cleaning it easier.

The users sent "YAY!! http;//home.earthlink.net/~lzingelmann/IMG0099.com" to each other. I downloaded img0099.com and submitted it to Symantec (haven't heard back yet) as well as VirusTotal. Virustotal.com saw a few heuristic detections and one detection as a kelvir.

I see over at Harry's blog that there is a new IM virus out today called virkel. That's really not good. It does more than attempt to spread. It tries to download other updates and act as a bot. I tried to be the nice guy and let the user take the laptop home with them instead of taking it from them (with the caution that they not log into AIM). What a bad choice that was.

I'm still waiting on a useful IM security writeup. I may have to run this in a VM environment just to see what it does if the antivirus industry doesn't get off their collective butts.

The funny part about this is some of the people who got infected were part of my Facetime evaluation. The version of Facetime that I am running did nothing to help this other than create a log trail for later cleanup. :(

F-Secure posted in their blog on Saturday about a new mass-mailer, doombot.a and doombot.b. I'm seeing a little bit of doombot.b this morning in inbound email.

I was just on the phone with an IM Security vendor support number. I asked how to set up the antivirus scanning. For my trouble, I got a lecture on the dangers of allowing file transfer via IM. No kidding, that's why I want the IM Security software. If I merely wanted to disable all the features of the IM product, I wouldn't need your software!