
View Full Version : W32.SpyBot.Worm


codpet
July 10th, 2007, 01:41 AM
I have submitted several files that a *new* variant of the W32.SpyBot.Worm file generates to samples@nod32.com and sample@nod32.com. I have not heard a response, yet the virus continues to crush our corporate network. Symantec and NOD32 stand by and do nothing to stop it.

What do I have to do for attention on this matter? It's hard to convince my Director to switch to NOD32 entirely if your product fails to protect.

The worm spreads fast, and generates the following files:
C:\exec.exe
C:\Windows\sys32.exe
C:\Windows\sys33.exe
C:\Windows\iexplorer.exe

It's identified only in part by NOD32 as a rootkit worm. NOD32, and Symantec both can't stop the worm, or clean it.

ASpace
July 10th, 2007, 02:13 AM
Hello !

It is an Eset policy and you won't hear from the Virus Lab at all. They just receive the samples but do not answer people. In such an emergency, please submit the files to Eset Technical Support, email support[at]eset[dot]com

Attach the suspected files and as much information as you may think of. Depending on the situation they will provide you with a solution appropriate to kill the parasite :thumb:

Marcos
July 10th, 2007, 03:15 AM
Please email support[at]eset.com and enclose the subject and time/date you sent that email on.

codpet
July 11th, 2007, 06:16 AM
They wrote back and had me test the files against virustotal.com. Several virus scanners picked the files up; NOD32 was not one of them. After a few hours on the phone with Symantec, it's now one of the several that detects the new variant.

I sent the SHA1/MD5 information to ESET. I haven't heard anything back.

codpet
July 11th, 2007, 09:19 AM
File sys32.exe received on 07.11.2007 15:09:39 (CET)
Antivirus Version Last Update Result

AhnLab-V3 2007.7.11.1 20070711 no virus found
AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
Authentium 4.93.8 20070710 no virus found
Avast 4.7.997.0 20070711 no virus found
AVG 7.5.0.476 20070710 no virus found
BitDefender 7.2 20070711 Trojan.Dropper.RHE
CAT-QuickHeal 9.00 20070711 no virus found
ClamAV devel-20070416 20070711 Trojan.SdBot-6507
DrWeb 4.33 20070711 Trojan.MulDrop.7389
eSafe 7.0.15.0 20070710 no virus found
eTrust-Vet 30.8.3779 20070711 Win32/Injeven
Ewido 4.0 20070711 no virus found
FileAdvisor 1 20070711 no virus found
Fortinet 2.91.0.0 20070711 no virus found
F-Prot 4.3.2.48 20070710 no virus found
Ikarus T3.1.1.8 20070711 Trojan.MulDrop.7389
Kaspersky 4.0.2.24 20070711 no virus found
McAfee 5071 20070710 no virus found
Microsoft 1.2704 20070711 no virus found
NOD32v2 2392 20070711 no virus found
Norman 5.80.02 20070711 no virus found
Panda 9.0.0.4 20070711 Trj/ADSdropper.A
Sophos 4.19.0 20070706 no virus found
Sunbelt 2.2.907.0 20070711 no virus found
Symantec 10 20070711 W32.Spybot.Worm
TheHacker 6.1.6.144 20070709 no virus found
VBA32 3.12.0.2 20070710 Trojan.MulDrop.7389
VirusBuster 4.3.23:9 20070710 no virus found
Webwasher-Gateway 6.0.1 20070711 Trojan.Drop.RHE.4

Additional information
File size: 125526 bytes
MD5: 5997298a35ef417a240551e94a3338e9
SHA1: 44e1dab608547c63e277c3156534778133e2a6c8

pykko
July 11th, 2007, 04:17 PM
-{ Quote: "They wrote back and had me test the files against virustotal.com. Several virus scanners picked the files up; NOD32 was not one of them. After a few hours on the phone with Symantec, it's now one of the several that detects the new variant.

I sent the SHA1/MD5 information to ESET. I haven't heard anything back." }-
Yes... you're not in their priorities, or maybe they thought you're a VX collector. ::)

Londonbeat
July 11th, 2007, 04:29 PM
-{ Quote: "maybe they thought you're a VX collector." }-

It may be a good idea to send samples from a new/different email address. In my experience, after I'd emailed a few samples over the course of several weeks, very few samples I submit are added; it's possible that submitting multiple samples using the same email puts your email on their "VX collector list", meaning your submissions will have the lowest priority.

Londonbeat

Marcos
July 11th, 2007, 04:44 PM
-{ Quote: "Yes... you're not in their priorities, or maybe they thought you're a VX collector. ::)" }-

Don't stir up a hornet's nest; Codpet is not a virus collector. He has asked us to assist him in removing an infiltration from his network, and all the functional samples he has submitted are actually detected:

AhnLab-V3 2007.7.11.1 20070711 no virus found
AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
Authentium 4.93.8 20070711 no virus found
Avast 4.7.997.0 20070711 no virus found
AVG 7.5.0.476 20070711 no virus found
BitDefender 7.2 20070711 Trojan.Dropper.RHE
CAT-QuickHeal 9.00 20070711 no virus found
ClamAV devel-20070416 20070711 Trojan.SdBot-6507
DrWeb 4.33 20070711 Trojan.MulDrop.7389
eSafe 7.0.15.0 20070710 no virus found
eTrust-Vet 30.8.3780 20070711 Win32/Injeven
Ewido 4.0 20070711 no virus found
FileAdvisor 1 20070711 no virus found
Fortinet 2.91.0.0 20070711 no virus found
F-Prot 4.3.2.48 20070711 no virus found
Ikarus T3.1.1.8 20070711 Trojan.MulDrop.7389
Kaspersky 4.0.2.24 20070711 no virus found
McAfee 5072 20070711 no virus found
Microsoft 1.2704 20070711 no virus found
NOD32v2 2394 20070711 Win32/Rbot
Norman 5.80.02 20070711 no virus found
Panda 9.0.0.4 20070711 Trj/ADSdropper.A
Sophos 4.19.0 20070706 no virus found
Sunbelt 2.2.907.0 20070711 no virus found
Symantec 10 20070711 W32.Spybot.Worm
TheHacker 6.1.6.144 20070709 no virus found
VBA32 3.12.0.2 20070710 Trojan.MulDrop.7389
VirusBuster 4.3.23:9 20070711 no virus found
Webwasher-Gateway 6.0.1 20070711 Trojan.Drop.RHE.4

Additional information
File size: 125526 bytes
MD5: 5997298a35ef417a240551e94a3338e9
SHA1: 44e1dab608547c63e277c3156534778133e2a6c8


Since the problem has been resolved, I'll draw this case to a close.
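The two listings quoted in this thread are scans of the same sample (identical MD5 and SHA1, same 125526-byte size) taken a few hours apart, and the only verdict that changes is NOD32's once its signature version moves from 2392 to 2394. The script below is an added example, not code from the original thread, from VirusTotal or from ESET: it parses result listings in that 2007 plain-text layout ("engine version YYYYMMDD result") and diffs two of them, reporting which engines changed their verdict and which merely shipped newer signatures without changing theirs. The embedded excerpts are copied from the two reports above, trimmed to eight engines each to keep the block short; the regex and helper names are this example's own. Run over the full 29-engine listings, the counts come out at 10 of 29 and 11 of 29 detections.

```python
"""Parse VirusTotal result listings in the 2007 plain-text layout quoted in
this thread and diff two scans of the same sample (same MD5/SHA1) to see
which engines changed their verdict between signature versions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Engine lines look like: "<Engine> <Version> <YYYYMMDD> <Result...>"
# Header and trailer lines ("Antivirus Version ...", "MD5: ...") do not match.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{8})\s+(.+?)\s*$")
CLEAN = "no virus found"

# Excerpts copied from the two reports for sys32.exe quoted in the thread
# (NOD32 at signature version 2392, then 2394); eight engines kept.
REPORT_BEFORE = """
AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
Avast 4.7.997.0 20070711 no virus found
BitDefender 7.2 20070711 Trojan.Dropper.RHE
ClamAV devel-20070416 20070711 Trojan.SdBot-6507
Kaspersky 4.0.2.24 20070711 no virus found
McAfee 5071 20070710 no virus found
NOD32v2 2392 20070711 no virus found
Symantec 10 20070711 W32.Spybot.Worm
"""

REPORT_AFTER = """
AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
Avast 4.7.997.0 20070711 no virus found
BitDefender 7.2 20070711 Trojan.Dropper.RHE
ClamAV devel-20070416 20070711 Trojan.SdBot-6507
Kaspersky 4.0.2.24 20070711 no virus found
McAfee 5072 20070711 no virus found
NOD32v2 2394 20070711 Win32/Rbot
Symantec 10 20070711 W32.Spybot.Worm
"""


@dataclass(frozen=True)
class Verdict:
    engine: str
    version: str
    updated: str  # signature date, YYYYMMDD
    result: str

    @property
    def detected(self) -> bool:
        return self.result.lower() != CLEAN


def parse_report(text: str) -> dict[str, Verdict]:
    """Map engine name -> Verdict; lines that are not engine rows are skipped."""
    verdicts: dict[str, Verdict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            engine, version, updated, result = m.groups()
            verdicts[engine] = Verdict(engine, version, updated, result)
    return verdicts


def detection_ratio(report: dict[str, Verdict]) -> tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(v.detected for v in report.values()), len(report)


def changed_verdicts(before: dict[str, Verdict],
                     after: dict[str, Verdict]) -> dict[str, tuple[str, str]]:
    """Engines present in both scans whose result string changed."""
    return {
        name: (before[name].result, after[name].result)
        for name in sorted(before.keys() & after.keys())
        if before[name].result != after[name].result
    }


def signature_updates(before: dict[str, Verdict],
                      after: dict[str, Verdict]) -> list[str]:
    """Engines that moved to a newer signature version or date between scans,
    whether or not that changed their verdict."""
    return sorted(
        name for name in before.keys() & after.keys()
        if (before[name].version, before[name].updated)
        != (after[name].version, after[name].updated)
    )


if __name__ == "__main__":
    before = parse_report(REPORT_BEFORE)
    after = parse_report(REPORT_AFTER)
    print("detections: %d/%d -> %d/%d"
          % (*detection_ratio(before), *detection_ratio(after)))
    for name, (old, new) in changed_verdicts(before, after).items():
        print(f"{name}: {old!r} -> {new!r}")
    print("signature updates:", ", ".join(signature_updates(before, after)))
```

Keying the diff on the engine name rather than the position in the listing matters because engines are added to and dropped from the scanner set over time; pairing on the MD5/SHA1 printed in the trailer (not on the file name, which this worm varies between sys32.exe, sys33.exe and iexplorer.exe) is what makes two listings comparable at all. McAfee shows up under signature_updates but not under changed_verdicts: newer definitions that still miss the sample are the case worth chasing with the vendor.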