New virus worm alert ....



Raiye
07-09-2005, 11:48 PM
New virus doing the rounds - we contracted it here via Hotmail, so it got
through Trend's virus guard used by Hotmail, got through AVG with no probs,
and delivered its payload.

subjects of emails have been

party invite
attachment returned
you suck!

Contains a zip file 0.33 MB in size

disables the following ...

cmd, regedit and taskman

Even safe boot with command prompt will freeze

Files delivered are party.scr and invite.pif, but the pif is hidden, and
will not allow the file to be renamed to .txt - it puts the .pif back on the
end of it. AVG will then flag suspicious activity but it doesn't know what.

Anybody know how to recover the disabled files without having to
re-install? They are all still there - but are being trapped somehow.

TpwUK
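
The attachment described in the post above (a zip carrying party.scr and an invite.pif whose extension Explorer hides) is exactly what a mail-gateway attachment policy can catch independently of signature scanning. Below is an added example, not code from anyone in this thread, of such a check in Python: it lists the members of a zip and blocks any whose extension Windows will execute, including ones disguised with a decoy document extension. The zip it inspects is constructed inline with inert placeholder text under the same member names; the extension lists are assumptions of this example, not something the thread specifies. Windows Explorer never displays the .pif extension (the piffile type is registered with NeverShowExt), which is why "invite.pif" shows up as plain "invite" and why renaming it to .txt yields invite.txt.pif.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions Windows runs on double-click. The thread names .scr and .pif;
# the rest of this list is an assumption of this example, not from the thread.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk"}
# Document-looking extensions used as a decoy in front of the real one.
DECOY_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}
# Archives inside the archive cannot be inspected by this simple check.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".cab", ".7z"}


def classify_member(filename: str) -> Optional[str]:
    """Return a block reason for one archive member name, or None if acceptable."""
    name = filename.rsplit("/", 1)[-1].lower()   # strip any directory prefix
    parts = name.split(".")
    if len(parts) < 2:
        return None                              # no extension at all
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        # "invite.txt.pif": Explorer hides .pif, so the user sees invite.txt
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
            return f"executable {ext} disguised as .{parts[-2]}"
        return f"executable extension {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        return f"nested archive {ext} (not inspected)"
    return None


def risky_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that should be blocked.

    Only the central directory is read; member contents are never extracted,
    so an encrypted or malformed member still gets its name checked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def attachment_verdict(zip_bytes: bytes) -> str:
    """Gateway decision for the whole attachment."""
    return "block" if risky_members(zip_bytes) else "allow"


def build_zip(members: Dict[str, str]) -> bytes:
    """Build an in-memory zip from {member name: text body} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample shaped like the attachment in the thread: same member
# names, inert placeholder text instead of the worm's code.
SAMPLE_ZIP = build_zip({
    "party.scr": "placeholder text, not a screensaver",
    "invite.pif": "placeholder text, not a program",
    "readme.txt": "harmless text member",
})

if __name__ == "__main__":
    for member, reason in risky_members(SAMPLE_ZIP):
        print(f"{member}: {reason}")
    print("verdict:", attachment_verdict(SAMPLE_ZIP))
```

The check is deliberately name-based: it needs no signature update to block the sample, which is the point when several engines still return "no virus found" for it. A nested archive is reported rather than silently allowed, since the same two members could be wrapped one level deeper.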

David H. Lipman
07-09-2005, 11:48 PM
From: "Raiye" <raiye.beresford@remove.this.ntlworld.com>

| New virus doing the rounds - we contracted it here via Hotmail, so it got
| through Trend's virus guard used by Hotmail, got through AVG with no probs,
| and delivered its payload.
|
| subjects of emails have been
|
| party invite
| attachment returned
| you suck!
|
| Contains a zip file 0.33 MB in size
|
| disables the following ...
|
| cmd, regedit and taskman
|
| Even safe boot with command prompt will freeze
|
| Files delivered are party.scr and invite.pif, but the pif is hidden, and
| will not allow the file to be renamed to .txt - it puts the .pif back on the
| end of it. AVG will then flag suspicious activity but it doesn't know what.
|
| Anybody know how to recover the disabled files without having to
| re-install? They are all still there - but are being trapped somehow.
|
| TpwUK
|

Please submit the ZIP file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Raiye
07-09-2005, 11:48 PM
<snip>

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee
the harmlessness of a file. Currently, there is not any solution that offers
a 100% effectiveness rate for detecting viruses and malware.

>
> Please submit the ZIP file to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against 18 different AV vendors'
> scanners.
>
> Another way to submit is to send the suspect file to the following email
> address
> scan<at>virustotal.com
> { replace <at> with @ } with only the word SCAN as the subject.
>
> Please post back the EXACT results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
This is a report processed by VirusTotal on 05/27/2005 at 13:58:11 (CET)
after scanning the file "File.zip".

Antivirus   Version         Update      Result
AntiVir     6.30.0.15       05.27.2005  no virus found
AVG         718             05.27.2005  no virus found
Avira       6.30.0.15       05.27.2005  no virus found
BitDefender 7.0             05.27.2005  Win32.Dod.A@mm
ClamAV      devel-20050501  05.27.2005  no virus found
DrWeb       4.32b           05.27.2005  no virus found
eTrust-Iris 7.1.194.0       05.26.2005  Win32/Mugly.M!Worm
eTrust-Vet  11.9.1.0        05.27.2005  Win32.Mugly.L!ZIP
Fortinet    2.27.0.0        05.27.2005  W32/Mugly.M-mm
Ikarus      2.32            05.27.2005  no virus found
Kaspersky   4.0.2.24        05.27.2005  Email-Worm.Win32.Wurmark.l
McAfee      4500            05.26.2005  W32/Mugly.m@MM
NOD32v2     1.1110          05.27.2005  Win32/Wurmark.L
Norman      5.70.10         05.23.2005  no virus found
Panda       8.02.00         05.27.2005  W32/Mugly.M.worm
Sybari      7.5.1314        05.27.2005  no virus found
Symantec    8.0             05.27.2005  W32.Picrate.C@mm
VBA32       3.10.3          05.27.2005  Email-Worm.Win32.Wurmark.l
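
A reader of a report like the one above wants three things from it: how many engines fired, whether the engines that fired agree on a family, and whether the misses might be explained by stale signatures. Below is an added example, not code from the thread or from VirusTotal, that parses the report text exactly as posted into those three answers in Python. The family-name normalisation is a heuristic of this example (vendors name the same sample differently, as the Mugly/Wurmark/Picrate split shows), not anything the service provides; the two-day staleness threshold is likewise an assumption.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# The report as posted in the thread (engine, version, signature date, result).
REPORT = """\
Antivirus Version Update Result
AntiVir 6.30.0.15 05.27.2005 no virus found
AVG 718 05.27.2005 no virus found
Avira 6.30.0.15 05.27.2005 no virus found
BitDefender 7.0 05.27.2005 Win32.Dod.A@mm
ClamAV devel-20050501 05.27.2005 no virus found
DrWeb 4.32b 05.27.2005 no virus found
eTrust-Iris 7.1.194.0 05.26.2005 Win32/Mugly.M!Worm
eTrust-Vet 11.9.1.0 05.27.2005 Win32.Mugly.L!ZIP
Fortinet 2.27.0.0 05.27.2005 W32/Mugly.M-mm
Ikarus 2.32 05.27.2005 no virus found
Kaspersky 4.0.2.24 05.27.2005 Email-Worm.Win32.Wurmark.l
McAfee 4500 05.26.2005 W32/Mugly.m@MM
NOD32v2 1.1110 05.27.2005 Win32/Wurmark.L
Norman 5.70.10 05.23.2005 no virus found
Panda 8.02.00 05.27.2005 W32/Mugly.M.worm
Sybari 7.5.1314 05.27.2005 no virus found
Symantec 8.0 05.27.2005 W32.Picrate.C@mm
VBA32 3.10.3 05.27.2005 Email-Worm.Win32.Wurmark.l
"""

LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)

# Tokens that name a platform or malware type rather than a family
# (an assumption of this example, tuned to the vendor names in the report).
GENERIC_TOKENS = {"win32", "w32", "email", "worm", "mm", "zip", "trojan", "generic"}


def parse_report(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse report lines into dicts; 'result' is None when the engine found nothing."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("antivirus"):
            continue                                  # blank or column-header line
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable report line: {line!r}")
        result = m.group("result").strip()
        rows.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "update": m.group("update"),
            "result": None if result.lower() == "no virus found" else result,
        })
    return rows


def detection_summary(rows) -> Dict[str, object]:
    """Count hits and list the engines that missed, in report order."""
    detected = [r["engine"] for r in rows if r["result"]]
    missed = [r["engine"] for r in rows if not r["result"]]
    return {"engines": len(rows), "detected": len(detected), "missed": missed}


def family_token(result: str) -> str:
    """Reduce a vendor detection name to a bare family token.

    Heuristic: split on vendor punctuation, drop platform/type words, keep the
    first remaining word ('Email-Worm.Win32.Wurmark.l' -> 'wurmark')."""
    for tok in re.split(r"[./\\!@\-_:]", result):
        t = tok.lower()
        if t and t not in GENERIC_TOKENS:
            return t
    return result.lower()


def family_votes(rows) -> Counter:
    """How many engines vote for each normalised family name."""
    return Counter(family_token(r["result"]) for r in rows if r["result"])


def stale_engines(rows, scan_date: str, max_age_days: int = 2) -> List[str]:
    """Engines whose signature files were older than max_age_days at scan time."""
    scanned = datetime.strptime(scan_date, "%m/%d/%Y")
    stale = []
    for r in rows:
        updated = datetime.strptime(r["update"], "%m.%d.%Y")
        if (scanned - updated).days > max_age_days:
            stale.append(r["engine"])
    return stale


if __name__ == "__main__":
    rows = parse_report(REPORT)
    summary = detection_summary(rows)
    print(f"{summary['detected']} of {summary['engines']} engines detected")
    print("family votes:", family_votes(rows).most_common())
    print("stale signatures:", stale_engines(rows, "05/27/2005"))
```

Run against the posted report it gives 10 of 18 engines detecting, "mugly" with 5 votes ahead of "wurmark" with 3, and Norman as the one engine whose signatures were more than two days old at scan time; the other seven misses had current signatures, which is the detail worth weighing before trusting any single product's "no virus found".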

David H. Lipman
07-09-2005, 11:48 PM
From: "Raiye" <raiye.beresford@remove.this.ntlworld.com>


| This is a report processed by VirusTotal on 05/27/2005 at 13:58:11 (CET)
| after scanning the file "File.zip".
|
| Antivirus   Version         Update      Result
| AntiVir     6.30.0.15       05.27.2005  no virus found
| AVG         718             05.27.2005  no virus found
| Avira       6.30.0.15       05.27.2005  no virus found
| BitDefender 7.0             05.27.2005  Win32.Dod.A@mm
| ClamAV      devel-20050501  05.27.2005  no virus found
| DrWeb       4.32b           05.27.2005  no virus found
| eTrust-Iris 7.1.194.0       05.26.2005  Win32/Mugly.M!Worm
| eTrust-Vet  11.9.1.0        05.27.2005  Win32.Mugly.L!ZIP
| Fortinet    2.27.0.0        05.27.2005  W32/Mugly.M-mm
| Ikarus      2.32            05.27.2005  no virus found
| Kaspersky   4.0.2.24        05.27.2005  Email-Worm.Win32.Wurmark.l
| McAfee      4500            05.26.2005  W32/Mugly.m@MM
| NOD32v2     1.1110          05.27.2005  Win32/Wurmark.L
| Norman      5.70.10         05.23.2005  no virus found
| Panda       8.02.00         05.27.2005  W32/Mugly.M.worm
| Sybari      7.5.1314        05.27.2005  no virus found
| Symantec    8.0             05.27.2005  W32.Picrate.C@mm
| VBA32       3.10.3          05.27.2005  Email-Worm.Win32.Wurmark.l
|

Well there 'ya go. It is the W32/Mugly worm .M variant.
http://vil.nai.com/vil/content/v_130470.htm
http://vil.nai.com/vil/content/v_131359.htm

The worm is not new, the .M variant may be.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
07-09-2005, 11:48 PM
From: "Raiye" <raiye.beresford@remove.this.ntlworld.com>


| This is a report processed by VirusTotal on 05/27/2005 at 13:58:11 (CET)
| after scanning the file "File.zip".
|
| Antivirus   Version         Update      Result
| AntiVir     6.30.0.15       05.27.2005  no virus found
| AVG         718             05.27.2005  no virus found
| Avira       6.30.0.15       05.27.2005  no virus found
| BitDefender 7.0             05.27.2005  Win32.Dod.A@mm
| ClamAV      devel-20050501  05.27.2005  no virus found
| DrWeb       4.32b           05.27.2005  no virus found
| eTrust-Iris 7.1.194.0       05.26.2005  Win32/Mugly.M!Worm
| eTrust-Vet  11.9.1.0        05.27.2005  Win32.Mugly.L!ZIP
| Fortinet    2.27.0.0        05.27.2005  W32/Mugly.M-mm
| Ikarus      2.32            05.27.2005  no virus found
| Kaspersky   4.0.2.24        05.27.2005  Email-Worm.Win32.Wurmark.l
| McAfee      4500            05.26.2005  W32/Mugly.m@MM
| NOD32v2     1.1110          05.27.2005  Win32/Wurmark.L
| Norman      5.70.10         05.23.2005  no virus found
| Panda       8.02.00         05.27.2005  W32/Mugly.M.worm
| Sybari      7.5.1314        05.27.2005  no virus found
| Symantec    8.0             05.27.2005  W32.Picrate.C@mm
| VBA32       3.10.3          05.27.2005  Email-Worm.Win32.Wurmark.l
|

I received your email indicating that the McAfee Command Line Scanner removed the
W32/Mugly.m@MM as well as the W32/sdbot.worm.gen.t

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Raiye
07-09-2005, 11:48 PM
<snip>

Many thanks for the private mails - saves clogging the thread, excellent
tips, and new lessons learnt

TpwUK

>
> I received your email indicating that the McAfee Command Line Scanner
> removed the
> W32/Mugly.m@MM as well as the W32/sdbot.worm.gen.t
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Crouchie1998
07-09-2005, 11:48 PM
Any virus seems to get through Hotmail. Just before Hotmail started to use
Trend they used McAfee online virus scanner & I proved to both Hotmail & to
McAfee that a virus was getting through the system on these 4 separate
occasions. Not long after, Hotmail changed its online scanner.

Crouchie1998
BA (HONS) MCP MCSE

Crouchie1998
07-09-2005, 11:48 PM
Hoaxes start like this. If you think you have a new virus then submit it to
SARC or McAfee...

Crouchie1998
BA (HONS) MCP MCSE

David H. Lipman
07-09-2005, 11:48 PM
From: "Crouchie1998" <crouchie1998@spamcop.net>

| Hoaxes start like this. If you think you have a new virus then submit it to
| SARC or McAfee...
|
| Crouchie1998
| BA (HONS) MCP MCSE
|

Actually it should be submitted to Virus Total. The suspect will be tested against 18
different AV vendors' scanners and the suspect is distributed to all member vendors as well.
This includes Symantec and McAfee.

http://www.virustotal.com/flash/index_en.html

Based upon the resultant report, the submitter will know if it is truly new, if it is an
infector and what AV vendor's software recognizes the submission.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
