Antivirus: January 2006 Archives

We've been seeing a number of w32/brepibot.gen in our inbound email since noon today.

McAfee has a writeup on this virus here. McAfee updated their definitions on January 30th noting:


There were several mass-spammings of new Brepibot variants recently. The 4685 DAT files contain updated detection to cover the new variants. One example of a spammed message is as follows:

The emails I've seen have the following characteristics:
Subjects:
Photo
Photo Approval Needed
Campus Life
Photo Approval Required
Campus Life Article
FWD:Photo
Photo Approval Deadline
photo approval needed
Photo Approval
Requesting Photo Approval

Attachment:
Photo and Article.exe

Source IPs:
62.49.4.123
86.135.27.88
83.38.83.48
213.132.238.109
68.186.147.67
157.253.66.7
82.38.170.158
86.128.48.255
84.92.83.135
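
As an added example (not part of the original post), here is a small matcher that checks inbound-mail records against the indicators listed above. The log format it parses is a constructed, simplified one-message-per-line key=value layout; a real MTA or gateway log would need its own parser in place of parse_line(). The subject, attachment and source-IP sets are copied from the lists above, and the verdict tiers (block on the attachment name or on two independent indicators, review on a lone subject or IP hit) are my own suggestion, since a subject like "Photo" on its own is too weak to block on.

```python
"""Match inbound-mail log records against the Brepibot indicators in the post.

Added example, not part of the original post. The log format is a constructed,
simplified one (key=value fields, quoted when they contain spaces); replace
parse_line() for a real MTA or gateway log.
"""
import re

# Indicators copied from the post; subjects are compared case-insensitively
# because the spam used both "Photo Approval Needed" and "photo approval needed".
SUBJECTS = {
    "photo", "photo approval needed", "campus life", "photo approval required",
    "campus life article", "fwd:photo", "photo approval deadline",
    "photo approval", "requesting photo approval",
}
ATTACHMENTS = {"photo and article.exe"}
SOURCE_IPS = {
    "62.49.4.123", "86.135.27.88", "83.38.83.48", "213.132.238.109",
    "68.186.147.67", "157.253.66.7", "82.38.170.158", "86.128.48.255",
    "84.92.83.135",
}

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn 'ts=... ip=... subject="..." attach="..."' into a dict of fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def match_indicators(msg):
    """Return the indicator types this message matches (empty list = clean)."""
    hits = []
    if msg.get("ip") in SOURCE_IPS:
        hits.append("source_ip")
    if msg.get("subject", "").strip().lower() in SUBJECTS:
        hits.append("subject")
    if msg.get("attach", "").strip().lower() in ATTACHMENTS:
        hits.append("attachment")
    return hits


def verdict(hits):
    """Suggested handling: the attachment name alone, or any two independent
    indicators, is enough to block; a lone subject or IP hit only warrants review."""
    if not hits:
        return "clean"
    if "attachment" in hits or len(hits) >= 2:
        return "block"
    return "review"


def scan_log(lines):
    """Return (line_number, fields, hits) for every record matching an indicator."""
    results = []
    for n, line in enumerate(lines, 1):
        msg = parse_line(line)
        hits = match_indicators(msg)
        if hits:
            results.append((n, msg, hits))
    return results


# Constructed sample records: 1 and 4 should be blocked, 3 reviewed, 2 is clean.
SAMPLE_LOG = [
    'ts=2006-01-30T12:04 ip=86.135.27.88 from=alice@example.net subject="Photo Approval Needed" attach="Photo and Article.exe"',
    'ts=2006-01-30T12:05 ip=192.0.2.10 from=bob@example.org subject="Lunch tomorrow?" attach=""',
    'ts=2006-01-30T12:07 ip=198.51.100.7 from=carol@example.com subject="Campus Life" attach=""',
    'ts=2006-01-30T12:09 ip=62.49.4.123 from=dave@example.net subject="Photo Approval" attach=""',
]

if __name__ == "__main__":
    for n, msg, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {msg['from']} -> {verdict(hits)} ({', '.join(hits)})")
```

Run it as-is for the dry run on the sample records, or feed it real lines once parse_line() matches your log format; the source IPs will age out of usefulness quickly, so the attachment name and subject list are the indicators worth keeping.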

In my email, I'm seeing messages detected as malware.ae. It looks like the messages are heavy on HTML content, but from the subject, source IP, and email addresses involved it does appear to be a false positive.

I've opened a support case with Message Labs and sent them a few samples to find out more.

Just saw a virus detected as nyxem.e in the inbound email. I believe nyxem is another name for the mywife family of viruses. Looks like this is a new variant.

http://www.f-secure.com/v-descs/nyxem_e.shtml posted today

One of the things I neglected to mention in the previous post is that by exploiting these sites, WMF exploits are served up by sites you may trust and go to every day. They may be your friend's site, or the site of a small business.

Getting infected via a WMF exploit isn't a matter of visiting hacker or porn sites; it's something that can happen very easily if you haven't patched.

One good thing about that call is that I had zero wait time. Either no one is calling support this week or Symantec has really improved the Gold level response time.

I called SAV support just now. You see, Symantec's security bulletin says that SAV 8 and 9 are not vulnerable to the RAR buffer overflow. http://www.symantec.com/avcenter/security/Content/2005.12.21b.html

However, my vulnerability scanner says I am vulnerable because my dec2rar.dll file is the wrong version.
%ProgramFiles%\Common Files\Symantec Shared\Decomposers\dec2rar.dll Version is 3.2.10.16

So basically I wanted to make sure that 9 is never vulnerable, that there is no way I could still be vulnerable by having an older version of this DLL. Basically, assure me that my vulnerability scan detection is a false positive.
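
The scanner's finding is a file-version comparison. As an added illustration (not the post's code, nor Symantec's or the scanner's), here is how such a check should compare dotted versions, component by component as integers, next to the naive string comparison that misorders 3.2.10.x below 3.2.9.x and is one way a version check produces a false positive. The post does not say which dec2rar.dll build Symantec considers fixed, so FIXED_PLACEHOLDER is a placeholder to replace with the vendor's value.

```python
"""Compare a dotted file version against a required minimum, the way a
vulnerability scanner's file-version check ought to.

Added example. FIXED_PLACEHOLDER is a PLACEHOLDER: the post does not state
which dec2rar.dll build is the patched one.
"""
import re


def parse_version(text):
    """'3.2.10.16' -> (3, 2, 10, 16); ignores trailing text such as ' (build 5)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pad(version, length):
    """Right-pad with zeros so '3.2.9' and '3.2.9.0' compare equal."""
    return version + (0,) * (length - len(version))


def is_vulnerable(installed, fixed):
    """True when installed < fixed, comparing each component as an integer."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return pad(a, n) < pad(b, n)


def naive_is_vulnerable(installed, fixed):
    """The string-comparison mistake: '1' < '9' as text, so 3.2.10.x looks older
    than 3.2.9.x and gets reported as unpatched."""
    return installed < fixed


INSTALLED = "3.2.10.16"        # the dec2rar.dll version quoted in the post
FIXED_PLACEHOLDER = "3.2.9.0"  # PLACEHOLDER: substitute the vendor's patched build

if __name__ == "__main__":
    print("numeric compare says vulnerable:", is_vulnerable(INSTALLED, FIXED_PLACEHOLDER))
    print("string compare says vulnerable: ", naive_is_vulnerable(INSTALLED, FIXED_PLACEHOLDER))
```

If the scanner's own report shows the version it expects, running the two functions with that value is a quick way to tell a genuine old build from a comparison artifact before spending an hour on hold with Gold support.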

It just blew his mind. Gold support just isn't prepared for a call that the knowledge base doesn't already answer. To his credit, he put me on hold to ask for some help. But I'm just not that confident in their final answer that 8 and 9 are not vulnerable to the RAR vulnerability no matter what.

IMLogic is reporting a new IM worm using the WMF vulnerability. This is currently rated as low.

If you've got IMLogic, you're cool. Otherwise you might want to watch access to 168.169.78.19 because the file is live. Oh, I hear the file is detected with the Symantec Bloodhound defs, but I didn't want to test that for myself.

I learned through Donna's Security Flash about some testing av-test.org has done to see which antivirus vendors can detect WMF files.

See the results from January 1st in a PCMag article. AVG didn't fare so well. Aren't they one of the free products that people always push instead of the more established vendors?

Well shit. Suddenly that decision to purchase IMLogic (the product, not the company) is not looking so good. Symantec has just purchased them.

When Symantec purchases something, it's almost as bad as when Computer Associates purchases something. First, I suspect all development will go in the crapper while Symantec figures out what they bought and what they want to do with it. Goodbye quarterly updates. Goodbye support for AIM Triton, Google Talk and AIM file transfers. I know you were on the roadmap, but the roadmap is now burned.

Next, support will suck. I suspect my support team will now be replaced slowly by the "Gold" level drones that Symantec hires.

Third, I wonder what will happen with the Sybari integration? Will it disappear now that two corporate giants own the two companies?

Will my product completely disappear the way L0phtcrack has since the @stake purchase? Will it reappear later as Symantec IM Manager?

I really expected Webroot to be picked off (as Pestpatrol was). I didn't think about the possibility of IMLogic being bought.

IMLogic is still a better product than Facetime or Akonix. We'll have to hope for the best.

I had been wondering if it is possible to run the third-party WMF patch in silent mode. When I downloaded the patch and ran it with /?, it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.

I'm still wondering how to uninstall the patch programmatically when the real patch is released. I'm assuming that since it is listed in Add/Remove Programs it should be possible to find the uninstall command line in the registry. I haven't looked through it.

Sybari (or is that Microsoft?) sent out a security bulletin relating to WMF viruses. They are calling it WMF/Exploit.b, Alias: Exploit-WMF trojan, Exploit.Win32.IMG-WMF.a, Troj/DownLdr-QB.

But most importantly, they warn:

****PLEASE NOTE****
For Windows platforms, users must set the "ScanAllAttachments" registry value to 1 for this filetype to be detected.

Domino Users:
For Domino, the following can be done:
1. Open the "notes.ini" file.
2. Add the ".JPG" and ".WMF" extension to the "AntigenAveExts" parameter.
3. Save the file.
4. Recycle services.
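
The four Domino steps above, as an added example that is not from the post or from Sybari: a script that makes the notes.ini edit so it can be re-run safely. It assumes notes.ini is a plain KEY=VALUE file with one setting per line, and that the AntigenAveExts value is a semicolon-separated list; the separator is an assumption, so check your own file and change SEP if it differs. The Windows-side "ScanAllAttachments" registry change the bulletin mentions is not covered here.

```python
"""Add extensions to the AntigenAveExts parameter of a Domino notes.ini.

Added example, not from the post or Sybari. Assumptions: notes.ini is a plain
KEY=VALUE file, one setting per line, and the AntigenAveExts value is a
SEP-delimited list (";" assumed; change SEP if your file uses another separator).
"""
import shutil
import sys

SEP = ";"                 # ASSUMPTION: separator used inside the AntigenAveExts value
KEY = "AntigenAveExts"
EXTS = [".JPG", ".WMF"]   # the two extensions the bulletin says to add


def normalize(ext):
    """'.jpg' / 'jpg' -> '.JPG' so comparisons and the written value are uniform."""
    ext = ext.strip().upper()
    return ext if ext.startswith(".") else "." + ext


def add_extensions(ini_text, extensions, key=KEY, sep=SEP):
    """Return the updated notes.ini text. Idempotent: extensions already present
    (in any case) are not duplicated, every other line is left untouched, and
    the key is appended if the file does not have it at all."""
    wanted = [normalize(e) for e in extensions]
    out, found = [], False
    for line in ini_text.splitlines():
        name, eq, value = line.partition("=")
        if eq and name.strip().lower() == key.lower():
            found = True
            current = [v.strip() for v in value.split(sep) if v.strip()]
            have = {v.upper() for v in current}
            for ext in wanted:
                if ext not in have:
                    current.append(ext)
                    have.add(ext)
            line = f"{name.strip()}={sep.join(current)}"
        out.append(line)
    if not found:
        out.append(f"{key}={sep.join(wanted)}")
    return "\n".join(out) + "\n"


def patch_file(path, extensions=EXTS):
    """Steps 1-3 from the bulletin: read notes.ini, add the extensions, write it
    back (keeping a .bak copy). Returns True if the file was changed. Step 4,
    recycling the services, is left to the administrator."""
    with open(path, encoding="latin-1") as f:
        original = f.read()
    updated = add_extensions(original, extensions)
    if updated != original:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as f:
            f.write(updated)
    return updated != original


# Constructed sample notes.ini fragment for a dry run.
SAMPLE_INI = """Directory=C:\\Lotus\\Domino\\data
AntigenAveExts=.DOC;.XLS;.EXE
ServerTasks=Replica,Router,Update
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed" if patch_file(sys.argv[1]) else "already up to date")
    else:
        print(add_extensions(SAMPLE_INI, EXTS), end="")
```

Run it with no arguments to see the result on the constructed sample, or with the path to a real notes.ini to patch it in place; because the edit is idempotent, a second run reports "already up to date" rather than appending the extensions again.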

I always thought it a little sketchy that by default Sybari scans specific file types only. Hopefully Exchange performance won't grind to a halt when this change is made.

Just wondering if you guys who rely on attachment blocking in email to protect you are now blocking all image files to protect against WMF exploits? Enjoy your plaintext email existence.

I'll continue to enjoy the protection provided by Message Labs. Good antivirus enables business.

SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994

The following quote is from the AVERT email. AFAIK this was sent to a public list and may be disseminated.

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: vil.nai.com/vil/content/v_125294.htm

I tried to post this at dinner, but my BlackBerry doesn't do JavaScript. Just remembered to post this now.

All day, spam directed to my company with the subject "Re: peeper cre" has had a file detected as Possible Malware PNG/Generic. I have no way of knowing if this is related to the WMF exploits or not.