wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Fri Oct 07, 2005 6:11 am Post subject: Wyrmrider finds his first virus
----- Original Message -----
From: "AntiVir PersonalEdition Support-Team" <virus_malware @ antivir-pe.de>
To: <wyrmrider
Sent: Friday, October 07, 2005 3:28 AM
Subject: Re: Upload of a suspicious file (Call #561016)
Dear Sirs,
Thank you for your recent inquiry.
We found a new virus in the attachment you have sent us.
The signature will be integrated in one of our next updates.
We thank you for your assistance.
--
Sincerely
p.p. Mr. K. Müller
Customer Support
AntiVir PersonalProducts GmbH
Address: Lina-Ammon-Str. 19a
D-90471 Nürnberg | Germany
http://www.antivir-pe.de
http://www.free-av.de
______________________________________________________________________________________
nobody else caught it, and I almost deleted it from quarantine but I was suspicious even though it was caught by heuristics set on high
This is a report processed by VirusTotal on 10/04/2005 at 17:00:44 (CET)
after scanning the file "275372BB.034" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        10.04.2005  Heuristic/Virus.Win32 antivir heuristics set on high flagged it
Avast          4.6.695.0       09.30.2005  no virus found
AVG            718             09.29.2005  no virus found
Avira          6.32.0.6        10.04.2005  Heuristic/Virus.Win32
BitDefender    7.2             10.04.2005  no virus found
CAT-QuickHeal  8.00            10.04.2005  (Suspicious) - DNAScan
ClamAV         devel-20050917  10.04.2005  no virus found
DrWeb          4.32b           10.02.2005  no virus found
eTrust-Iris    7.1.194.0       10.03.2005  no virus found
eTrust-Vet     11.9.1.0        10.04.2005  no virus found
Fortinet       2.48.0.0        10.04.2005  no virus found
F-Prot         3.16c           10.04.2005  no virus found
Ikarus         0.2.59.0        10.04.2005  no virus found
Kaspersky      4.0.2.24        10.04.2005  no virus found
McAfee         4595            10.03.2005  no virus found
NOD32v2        1.1240          10.03.2005  no virus found
Norman         5.70.10         10.04.2005  no virus found
Panda          8.02.00         10.04.2005  no virus found
Sophos         3.98.0          10.04.2005  no virus found
Symantec       8.0             10.03.2005  no virus found
TheHacker      5.8.2.117       10.03.2005  no virus found
VBA32          3.10.4          10.02.2005  no virus found
paperghost Site Admin
Joined: 28 Aug 2004 Last Visit: 20 Feb 2012 Posts: 2048 Location: On a ROFLcopter
Posted: Fri Oct 07, 2005 6:32 am Post subject:
Heheh well done!
Question is, are they gonna name it after you
MadameX Site Admin
Joined: 12 Jul 2004 Last Visit: 27 Apr 2008 Posts: 1438
Posted: Fri Oct 07, 2005 10:02 am Post subject:
way to go, wyrmrider!
_________________
CARMA
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Sat Oct 08, 2005 7:21 pm Post subject: Thanks for the support- and a surprise
a little update
I rescanned with Virustotal today and still no others pick up whatever virus we found
I then online scanned with Bit Defender with Heuristics On
and found--- I posted a FYI in the Sunbelt forum
[Scan Results]
Line00000000 = "C:\WINDOWS\Downloaded Installations\{96CE8F39-1668-4FE3-B005-A7B1BC316B61}\Sunbelt CounterSpy.msi=>(Embedded CAB)=>sunasinstallhelper.exe Suspected of: BehavesLike:Win32.AV-Killer"
Heuristics were on
I discovered a new virus which Antivir Heuristics detected. After a virustotal scan showed no other AVs detecting I was scanning with several other engines with settings set on high
lucky I turn off auto fixing on the first pass with these heuristic programs
any other AVs have a reputation as being good with heuristics?
I'll try them against the Wyrmrider virus
Gary R Moderator
Joined: 03 May 2005 Last Visit: 19 May 2013 Posts: 9697 Location: Yorkshire
Posted: Sat Oct 08, 2005 11:42 pm Post subject:
Pity it wasn't a worm. Wyrm's Worm has a nice ring to it.
Well done Wyrmrider, nice catch.
_________________
Gary R Administrator at Malware Removal University
If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations
Nick Site Admin

Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Sun Oct 09, 2005 9:44 am Post subject: Jotti's malware scan 2.99-TRANSITION_TO_3.00
I'll try nod32 thanks Nick - one of the few I've never tried
Wyrms' Worm- I love it
AntiVir                Found Heuristic/Virus.Win32 (probable variant)
ArcaVir                Found nothing
Avast                  Found nothing
AVG Antivirus          Found nothing
BitDefender            Found nothing
ClamAV                 Found nothing
Dr.Web                 Found nothing
F-Prot Antivirus       Found nothing
Fortinet               Found nothing
Kaspersky Anti-Virus   Found nothing
NOD32                  Found nothing
Norman Virus Control   Found nothing
UNA                    Found nothing
VBA32                  Found nothing
leave no turn unstoned
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Sun Oct 09, 2005 10:24 am Post subject: NOD 32 results- Bit Defender Results
Disabled antivir guard
I had bit-defender on machine so updated and ran "online scan"
no hits
then
installed NOD-W98 version
Updated to latest NOD definitions
advanced heuristics were enabled
Scanned the infected file only
no detection
will do a complete system scan later today
I have to get some work done in the next two hours then will start scan with all the options cranked up
as they say- should do this every so often
found memory usage high after exiting NOD32 W98 version
cacheman brought it down
EDIT Sunday 6PM California time
Complete Scan with NOD32 everything turned on
only found Steve Gibson's DCOMbob.exe as a Win32/Exploit.DcomRpc.A Trojan
File: DCOMbob.exe
Status: INFECTED/MALWARE
MD5 7554c5e1b98b0e7f21016f957fbf6e84
Packers detected: UPX
Scanner results
AntiVir                Found nothing
ArcaVir                Found nothing
Avast                  Found nothing
AVG Antivirus          Found nothing
BitDefender            Found Trojan.Exploit.Dcomrpc.A
ClamAV                 Found nothing
Dr.Web                 Found Exploit.DCom.32
F-Prot Antivirus       Found nothing
Fortinet               Found W32/DcomScan.A-tr
Kaspersky Anti-Virus   Found nothing
NOD32                  Found Win32/Exploit.DComRpc.A
Norman Virus Control   Found nothing
UNA                    Found nothing
VBA32                  Found Exploit.Win32.DComRpc.A
I'll have to check this out. Really doubt that Gibson's software has a trojan
Wilders has a FP thread from 2002 about a FP, but MD5 is different than mine
I posted to NOD forum at Wilders
I think this is a good example of the need to run on-demand scans as well as your regular installed AV. Over the years I've found several this way. No luck getting Kaspersky to be reliable on THIS machine
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Mon Oct 10, 2005 6:17 am Post subject: TR Bravis
We found a new virus in the attachment you have sent us (TR.Bravis).
The signature will be integrated in one of our next updates
E-Mail today from Antivir
wyrmrider Warrior Addict
Joined: 25 Jun 2004 Last Visit: 17 Jan 2009 Posts: 730
Posted: Sun Oct 16, 2005 8:25 pm Post subject: file which ANTIVIR thinks has a virus
275372BB.034 = C:\PROGRAM FILES\FBM SOFTWARE\INSTALLERS\ZEROSPYWARE_SETUP3.02.0036.0004PART1.TMP
Bitdefender and NOD32 think file is truncated
possible as this is a tmp file
still under investigation
will submit to FBM for analysis