Wilders Security Forums  

Go Back   Wilders Security Forums > Archived Forums > Closed Sub-Forums > Archived ESET Support Forums > NOD32 version 2 Forum
  #1  
Old April 20th, 2006, 05:36 AM
ALEX(XX) ALEX(XX) is offline
Infrequent Poster
 
Join Date: Mar 2006
Posts: 19
Default New p2p-virus?

What do you think of it? Do you have any information about Win32.Polipos? (Excuse my bad English.)

http://info.drweb.com/show/2815/en
  #2  
Old April 20th, 2006, 07:01 AM
Inspector Clouseau Inspector Clouseau is offline
AV Expert (VP Sunbelt Software)
 
Join Date: Apr 2006
Location: Maidenhead, UK
Posts: 1,329
Default Re: New p2p-virus?

That's, a long time after ZMist, one of the "best" viruses I've seen.
It's indeed highly complex: the encryption algorithm is medium-difficult and the virus uses a lot of tricks. I have some samples here with nice anti-emulation tricks, such as code performance speed tests (meaning the virus will know when it runs in a virtual environment) and registry dummy-writing tricks, such as trying to write a random value to the registry, trying to read it later and comparing it. If not equal, or if it doesn't exist, the virus exits. The virus is able to act as a space filler; the same technique was already used by the Chernobyl virus (CIH). The virus is able to use EPO functionality: it looks for common API calls after the entry point and hooks/redirects them. This means the virus does not execute its own code/decrypter at a fixed position after the entry point.

Cleaning becomes tricky, as Dr. Web already stated correctly; however, a cleaner will be available soon via my weblog sometime this week when I have some time.
__________________
My Pictures Meet me on facebook!
  #3  
Old April 20th, 2006, 07:15 AM
RejZoR RejZoR is offline
Polymorphic Sheep
 
Join Date: May 2004
Location: Europe/Slovenia/Ljubljana
Posts: 5,366
Default Re: New p2p-virus?

Interesting, a must-have piece of malware for a collector like myself then...
Now where did I put that Tenga.A, hm...
__________________
RejZoR's Little Secrets
  #4  
Old April 20th, 2006, 08:15 AM
ALEX(XX) ALEX(XX) is offline
Infrequent Poster
 
Join Date: Mar 2006
Posts: 19
Default Re: New p2p-virus?

The description was specified: ~Win32.Polipos~ - added link and quote tags - dog

Quote:
Originally Posted by Dr.Web
Win32.Polipos is a complicated polymorphic virus.

The virus affects Windows executable files, putting the polymorphic descriptor code into vacant areas of the code sections. The main code-protected body of the virus goes into a new section of the infected executable file.

When launched, the virus injects its code into all active processes, except processes with the following names:
savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll, smss, csrss, spoolsv, ctfmon, temp.

Self-decoded and extracted copies of the virus become resident in the memory of each active application. Each copy is responsible for a certain type of action: searching for files which are appropriate for infection, the process of infection itself, P2P network (based on Gnutella networks) function control and so on. Infected files become available to all the users of the network.

Win32.Polipos intercepts the following API functions:
ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW.

When the above-mentioned functions are executed, the infection of new files takes place. The virus puts the infected file with overlays (sfx-archives, distributors and so on) in control and creates a clean ptf*.tmp copy of the infected file in the temporary directory. Then it launches the clean copy of the infected executable file.

The virus removes the following antivirus program files:
drwebase.vdb, avg.avi, vs.vsn, antivir.dat, avp.crc, chklist.ms, ivb.ntz, ivp.ntz, chklist.cps, smartchk.ms, smartchk.cps, aguard.dat, avgqt.dat, lguard.vps.

Win32.Polipos does not infect files whose names contain the following combinations:
tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup temp norton mcafee anti tmp secure upx forti scan zone labs alarm symantec retina eeye virus firewall spider backdoor drweb viri debug panda shield kaspersky doctor trend micro sonique cillin barracuda sygate rescue pebundle ida spf assemble pklite aspack disasm gladiator ort expl process eliashim tds3 starforce safe'n'sec avx root burn aladdin esafe olly grisoft avg armor numega mirc softice norman neolite tiny ositis proxy webroot hack spy iss pkware blackice lavasoft aware pecompact clean hunter common kerio route trojan spyware heal alwil qualys tenable avast a2 etrust spy steganos security principal agnitum outpost avp personal softwin defender intermute guard inoculate sophos frisk alwil protect eset nod32 f-prot avwin ahead nero blindwrite clonecd elaborate slysoft hijack roxio imapi newtech infosystems adaptec swift sound copystar astonsoft gear software sateira dfrgntfs

The virus contains the string “Win32.Polipos v1.2 by Joseph”.

Last edited by dog : April 20th, 2006 at 08:41 AM. Reason: added the appropriate quote tags
  #5  
Old April 20th, 2006, 08:52 AM
pykko pykko is offline
Very Frequent Poster
 
Join Date: Apr 2005
Location: Romania...and walking to heaven
Posts: 2,231
Default Re: New p2p-virus?

Well... no other names from other vendors on the DrWeb web site. Does NOD32 detect it?
__________________

---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * Malwarebytes Anti-Malware * Firefox with Adblock and NoScript
  #6  
Old April 20th, 2006, 08:59 AM
Inspector Clouseau Inspector Clouseau is offline
AV Expert (VP Sunbelt Software)
 
Join Date: Apr 2006
Location: Maidenhead, UK
Posts: 1,329
Default Re: New p2p-virus?

I submitted samples this morning.
__________________
My Pictures Meet me on facebook!
  #7  
Old April 20th, 2006, 09:09 AM
pykko pykko is offline
Very Frequent Poster
 
Join Date: Apr 2005
Location: Romania...and walking to heaven
Posts: 2,231
Default Re: New p2p-virus?

Quote:
Originally Posted by Inspector Clouseau
I submitted samples this morning.

Thx Inspector. Hope your samples are analysed faster than mine. Otherwise......
__________________

---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * Malwarebytes Anti-Malware * Firefox with Adblock and NoScript
  #8  
Old April 20th, 2006, 10:42 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,193
Default Re: New p2p-virus?

Surely faster than the old DOS executables and joke programs.
  #9  
Old April 21st, 2006, 03:12 PM
izi izi is offline
Frequent Poster
 
Join Date: Jan 2004
Location: Slovenia
Posts: 354
Default Re: New p2p-virus?

Does NOD32 detect this virus?
  #10  
Old April 22nd, 2006, 10:32 AM
i_kenefick i_kenefick is offline
Regular Poster
 
Join Date: Nov 2005
Location: Cork, Ireland.
Posts: 135
Default Re: New p2p-virus?

Quote:
Originally Posted by izi
Does NOD32 detect this virus?

It doesn't detect the samples I have anyways - I guess they are waiting to figure out how to clean it rather than add 'detection' before this for fear of breaking many infected machines.

Engine              Version         Updated     Result
AntiVir             6.34.0.24       04.20.2006  no virus found
Avast               4.6.695.0       04.21.2006  no virus found
AVG                 386             04.21.2006  no virus found
Avira               6.34.0.56       04.22.2006  no virus found
BitDefender         7.2             04.22.2006  Win32.Polipos.A
CAT-QuickHeal       8.00            04.21.2006  (Suspicious) - DNAScan
ClamAV              devel-20060202  04.22.2006  no virus found
DrWeb               4.33            04.22.2006  Win32.Polipos
eTrust-InoculateIT  23.71.136       04.22.2006  Win32/Polipos!Worm
eTrust-Vet          12.4.2171       04.21.2006  no virus found
Ewido               3.5             04.22.2006  no virus found
Fortinet            2.71.0.0        04.22.2006  W32/Polipos.V12
F-Prot              3.16c           04.21.2006  no virus found
Ikarus              0.2.59.0        04.21.2006  no virus found
Kaspersky           4.0.2.24        04.22.2006  P2P-Worm.Win32.Polipos.a
McAfee              4746            04.21.2006  no virus found
NOD32v2             1.1502          04.22.2006  no virus found
Norman              5.90.16         04.21.2006  no virus found
Panda               9.0.0.4         04.22.2006  no virus found
Sophos              4.04.0          04.21.2006  W32/Polipos-A
Symantec            8.0             04.22.2006  no virus found
TheHacker           5.9.7.133       04.22.2006  no virus found
UNA                 1.83            04.21.2006  no virus found
VBA32               3.11.0          04.22.2006  Virus.Win32.Polipos.A
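A multi-engine report like the one above is what a responder uses to decide whether a sample is a real hit, a heuristic guess or an engine gap. The following script is an added example (not code from this thread, from VirusTotal or from any vendor) that parses that line format, separates named signature detections from generic "(Suspicious)" flags, and checks whether the engines that do detect it agree on one family despite their different naming conventions (Win32.Polipos.A, W32/Polipos-A, P2P-Worm.Win32.Polipos.a). The 24 report lines are copied from the post above; matching the family on the token "polip" is an assumption that also covers the shorter Win32/Polip name NOD32 later used.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 24 result lines posted in the thread (scan of 04.22.2006), verbatim.
REPORT = """\
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.21.2006 no virus found
AVG 386 04.21.2006 no virus found
Avira 6.34.0.56 04.22.2006 no virus found
BitDefender 7.2 04.22.2006 Win32.Polipos.A
CAT-QuickHeal 8.00 04.21.2006 (Suspicious) - DNAScan
ClamAV devel-20060202 04.22.2006 no virus found
DrWeb 4.33 04.22.2006 Win32.Polipos
eTrust-InoculateIT 23.71.136 04.22.2006 Win32/Polipos!Worm
eTrust-Vet 12.4.2171 04.21.2006 no virus found
Ewido 3.5 04.22.2006 no virus found
Fortinet 2.71.0.0 04.22.2006 W32/Polipos.V12
F-Prot 3.16c 04.21.2006 no virus found
Ikarus 0.2.59.0 04.21.2006 no virus found
Kaspersky 4.0.2.24 04.22.2006 P2P-Worm.Win32.Polipos.a
McAfee 4746 04.21.2006 no virus found
NOD32v2 1.1502 04.22.2006 no virus found
Norman 5.90.16 04.21.2006 no virus found
Panda 9.0.0.4 04.22.2006 no virus found
Sophos 4.04.0 04.21.2006 W32/Polipos-A
Symantec 8.0 04.22.2006 no virus found
TheHacker 5.9.7.133 04.22.2006 no virus found
UNA 1.83 04.21.2006 no virus found
VBA32 3.11.0 04.22.2006 Virus.Win32.Polipos.A
"""

# engine  version  mm.dd.yyyy  verdict   (only the verdict may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

# Family token shared by every vendor name in the thread, including the later
# NOD32 name "Win32/Polip". Assumption: case-insensitive substring is enough.
FAMILY_RE = re.compile(r"polip", re.IGNORECASE)


@dataclass
class ScanResult:
    engine: str
    version: str
    sig_date: str   # signature date exactly as printed (mm.dd.yyyy)
    verdict: str

    @property
    def detected(self) -> bool:
        return self.verdict.lower() != "no virus found"

    @property
    def heuristic_only(self) -> bool:
        # "(Suspicious)" means a generic heuristic fired, not a signature:
        # a useful hint, but it is not a named detection.
        return self.detected and "suspicious" in self.verdict.lower()


def parse_report(text: str) -> List[ScanResult]:
    """One ScanResult per non-empty line; a line that does not fit the shape raises."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        results.append(ScanResult(*m.groups()))
    return results


def summarize(results: List[ScanResult]) -> Dict[str, object]:
    """Detection ratio, engines that still miss the sample, and the agreed family."""
    named = [r for r in results if r.detected and not r.heuristic_only]
    all_same_family = bool(named) and all(FAMILY_RE.search(r.verdict) for r in named)
    agreed: Optional[str] = "Polipos" if all_same_family else None
    return {
        "engines": len(results),
        "detected": sum(r.detected for r in results),
        "named": len(named),
        "heuristic_only": sum(r.heuristic_only for r in results),
        "missing": [r.engine for r in results if not r.detected],
        "family": agreed,
    }


if __name__ == "__main__":
    s = summarize(parse_report(REPORT))
    print(f"{s['detected']}/{s['engines']} engines detect, "
          f"{s['named']} by name, {s['heuristic_only']} heuristic only; "
          f"family: {s['family']}")
    print("still missing:", ", ".join(s["missing"]))
```

Lines that do not fit the engine/version/date/verdict shape (a column header, a blank engine name) raise rather than being skipped silently, so a mangled paste cannot quietly lower the detection count. The family check is deliberately strict: one named verdict that does not mention the family flips `family` to `None`, which is the signal to look at that engine's name by hand before treating the sample as agreed.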
  #11  
Old April 22nd, 2006, 11:36 AM
mackattack mackattack is offline
Infrequent Poster
 
Join Date: Apr 2006
Location: Dublin Ireland
Posts: 3
Default Re: New p2p-virus?

Hi,

Anyone know of a way to clean this virus? It seems a site we have in Athlone, Ireland is infected and it has wiped the machines they use. I have just got them to shut down everything until I can find info on it.

A full site rebuild is not what I want to advise at this stage.
Any help would be great.

Regards
  #12  
Old April 22nd, 2006, 11:52 AM
Antarctica Antarctica is offline
Very Frequent Poster
 
Join Date: Feb 2003
Posts: 1,365
Default Re: New p2p-virus?

Quote:
Originally Posted by mackattack
Hi,

Anyone know of a way to clean this virus? It seems a site we have in Athlone, Ireland is infected and it has wiped the machines they use. I have just got them to shut down everything until I can find info on it.

A full site rebuild is not what I want to advise at this stage.
Any help would be great.

Regards

If you read at the end of the article from Dr. Web, they can remove it.

http://info.drweb.com/show/2815/en

At present, the virus monitoring service of Doctor Web, Ltd. has designed the curing procedure for files infected with Win32.Polipos. It was done for users whose anti-virus programs still do not detect this virus and whose computers, though protected by other anti-virus programs, are infected with the virus and let it infect other computers. The curing technique is rather difficult, as it requires processing of a complicated crypt algorithm, XTEA, and the decoding of the virus code can take much time. You should not download any additional curing utilities to cure the infected files; just use Dr.Web Anti-virus and update the virus bases on time.
__________________
One for all/All for one
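The Dr.Web text quoted above names XTEA as the cipher a cleaner has to work through before it can restore an infected file, which is why disinfection lagged detection. The block below is an added reference implementation of the public XTEA algorithm (64-bit block, 128-bit key, 32 rounds), written for this page; it is not Dr.Web's cleaning routine and not code from the virus. How Polipos derives its key, which byte order it uses and how many rounds it runs are not stated anywhere in the thread, so the little-endian word order, the ECB wrapper, and the sample key and data in the usage section are all assumptions.

```python
import struct
from typing import List, Tuple

DELTA = 0x9E3779B9   # XTEA round constant (derived from the golden ratio)
MASK = 0xFFFFFFFF    # every intermediate is reduced to a uint32, as in the C reference


def _words(key: bytes) -> List[int]:
    """Split a 16-byte key into four uint32 subkeys (little-endian: an assumption)."""
    if len(key) != 16:
        raise ValueError("XTEA needs a 128-bit key")
    return list(struct.unpack("<4I", key))


def xtea_encrypt_block(v0: int, v1: int, k: List[int], rounds: int = 32) -> Tuple[int, int]:
    """One block, Feistel rounds exactly as in the published XTEA reference."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, k: List[int], rounds: int = 32) -> Tuple[int, int]:
    """Inverse of xtea_encrypt_block: same subkey schedule, walked backwards."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def xtea_ecb(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Apply XTEA block by block in ECB mode; data length must be a multiple of 8."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of the 8-byte block")
    k = _words(key)
    fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *fn(v0, v1, k))
    return bytes(out)


if __name__ == "__main__":
    # Constructed stand-ins for a recovered key and an encrypted body; not values from Polipos.
    key = bytes(range(16))
    body = b"constructed body"
    enc = xtea_ecb(body, key)
    print("ciphertext:", enc.hex())
    print("round trip:", xtea_ecb(enc, key, decrypt=True))
```

The point of the `& MASK` on every step is that Python integers do not wrap; without it the shifts and additions drift away from the uint32 arithmetic the reference C code relies on, and decryption of a real body fails silently. The ECB wrapper is only there to show the block function on a buffer: which mode, key and word order a given sample actually uses has to come from analysis of that sample.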
  #13  
Old April 22nd, 2006, 11:58 AM
mackattack mackattack is offline
Infrequent Poster
 
Join Date: Apr 2006
Location: Dublin Ireland
Posts: 3
Default Re: New p2p-virus?

Hey,

Thanks for the quick reply. I have one of the users trying to find a machine that's not infected on the LAN to download it, as the infected machines can not do very much.

Mac
  #14  
Old April 22nd, 2006, 12:01 PM
i_kenefick i_kenefick is offline
Regular Poster
 
Join Date: Nov 2005
Location: Cork, Ireland.
Posts: 135
Default Re: New p2p-virus?

Quote:
Originally Posted by mackattack
Hi,

Anyone know of a way to clean this virus? It seems a site we have in Athlone, Ireland is infected and it has wiped the machines they use. I have just got them to shut down everything until I can find info on it.

A full site rebuild is not what I want to advise at this stage.
Any help would be great.

Regards

AFAIK, vendors should have a disinfection routine added over the coming days. Dr Web's CureIT! tool can clean it, Mike (Inspector Clouseau) is developing his own disinfection tool also.

P.S. Greetings from Cork :-)
  #15  
Old April 22nd, 2006, 12:19 PM
Antarctica Antarctica is offline
Very Frequent Poster
 
Join Date: Feb 2003
Posts: 1,365
Default Re: New p2p-virus?

Quote:
Originally Posted by mackattack
Hey,

Thanks for the quick reply. I have one of the users trying to find a machine that's not infected on the LAN to download it, as the infected machines can not do very much.

Mac


You're most welcome and I hope you can get back in business ASAP.
__________________
One for all/All for one
  #16  
Old April 22nd, 2006, 12:45 PM
mackattack mackattack is offline
Infrequent Poster
 
Join Date: Apr 2006
Location: Dublin Ireland
Posts: 3
Default Re: New p2p-virus?

Quote:
Originally Posted by i_kenefick
AFAIK, vendors should have a disinfection routine added over the coming days. Dr Web's CureIT! tool can clean it, Mike (Inspector Clouseau) is developing his own disinfection tool also.

P.S. Greetings from Cork :-)

Hello Cork, if I was closer a pint might have to be bought.

Do you know what the virus does to the machine after a few days? The users onsite are telling me the machine is wiped; from what I can gather all the documents are gone from mapped drives.

Thanks for the help.
  #17  
Old April 22nd, 2006, 01:33 PM
rothko rothko is offline
Frequent Poster
 
Join Date: Jan 2005
Location: UK
Posts: 579
Default Re: New p2p-virus?

Quote:
Originally Posted by i_kenefick
It doesn't detect the samples I have anyways - I guess they are waiting to figure out how to clean it rather than add 'detection' before this for fear of breaking many infected machines.

Engine              Version         Updated     Result
AntiVir             6.34.0.24       04.20.2006  no virus found
Avast               4.6.695.0       04.21.2006  no virus found
AVG                 386             04.21.2006  no virus found
Avira               6.34.0.56       04.22.2006  no virus found
BitDefender         7.2             04.22.2006  Win32.Polipos.A
CAT-QuickHeal       8.00            04.21.2006  (Suspicious) - DNAScan
ClamAV              devel-20060202  04.22.2006  no virus found
DrWeb               4.33            04.22.2006  Win32.Polipos
eTrust-InoculateIT  23.71.136       04.22.2006  Win32/Polipos!Worm
eTrust-Vet          12.4.2171       04.21.2006  no virus found
Ewido               3.5             04.22.2006  no virus found
Fortinet            2.71.0.0        04.22.2006  W32/Polipos.V12
F-Prot              3.16c           04.21.2006  no virus found
Ikarus              0.2.59.0        04.21.2006  no virus found
Kaspersky           4.0.2.24        04.22.2006  P2P-Worm.Win32.Polipos.a
McAfee              4746            04.21.2006  no virus found
NOD32v2             1.1502          04.22.2006  no virus found
Norman              5.90.16         04.21.2006  no virus found
Panda               9.0.0.4         04.22.2006  no virus found
Sophos              4.04.0          04.21.2006  W32/Polipos-A
Symantec            8.0             04.22.2006  no virus found
TheHacker           5.9.7.133       04.22.2006  no virus found
UNA                 1.83            04.21.2006  no virus found
VBA32               3.11.0          04.22.2006  Virus.Win32.Polipos.A

If Polipos is as bad as everyone is making out, then it would be nice to have at least detection for it, even if the cleaning comes later.
__________________
kiss my pig
  #18  
Old April 22nd, 2006, 02:23 PM
i_kenefick i_kenefick is offline
Regular Poster
 
Join Date: Nov 2005
Location: Cork, Ireland.
Posts: 135
Default Re: New p2p-virus?

Quote:
Originally Posted by rothko
If Polipos is as bad as everyone is making out, then it would be nice to have at least detection for it, even if the cleaning comes later.

agreed.
  #19  
Old April 24th, 2006, 05:00 AM
pykko pykko is offline
Very Frequent Poster
 
Join Date: Apr 2005
Location: Romania...and walking to heaven
Posts: 2,231
Default Re: New p2p-virus?

Quote:
Originally Posted by Marcos
Surely faster than the old dos executables and joke programs.

Well, Marcos, thank you for the answer... now I know you're not paying attention to these not-dangerous threats like jokes, DOS and phishing e-mails.

You concentrate on highly-dangerous threats like this p2p worm....which is still not detected by NOD32.
__________________

---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * Malwarebytes Anti-Malware * Firefox with Adblock and NoScript
  #20  
Old April 24th, 2006, 08:45 AM
snowbound snowbound is offline
Retired Moderator
 
Join Date: Feb 2003
Location: The Big Smoke
Posts: 8,727
Default Re: New p2p-virus?

Reply by member i_kenefick, removed. TOS violation.

snowbound
  #21  
Old April 24th, 2006, 12:01 PM
i_kenefick i_kenefick is offline
Regular Poster
 
Join Date: Nov 2005
Location: Cork, Ireland.
Posts: 135
Default Re: New p2p-virus?

Quote:
Originally Posted by snowbound
Reply by member i_kenefick, removed. TOS violation.
snowbound

pykko - at least we know the thread is being watched. You should get an answer soon... and maybe detection later.
__________________
Regards,
Ian Kenefick
http://www.iansblog.org
  #22  
Old April 25th, 2006, 02:42 AM
Joliet Jake Joliet Jake is offline
Frequent Poster
 
Join Date: Mar 2005
Location: Scotland
Posts: 911
Default Re: New p2p-virus?

Quote:
Originally Posted by i_kenefick
AFAIK, vendors should have a disinfection routine added over the coming days. Dr Web's CureIT! tool can clean it, Mike (Inspector Clouseau) is developing his own disinfection tool also.

P.S. Greetings from Cork :-)

Someone in the 'polipos' thread in the 'other AV' section of the forum claims that Dr Web didn't clean up this virus.

http://www.wilderssecurity.com/showp...7&postcount=37
__________________
Damn and blast
  #23  
Old April 25th, 2006, 02:50 AM
ctrlaltdelete ctrlaltdelete is offline
Frequent Poster
 
Join Date: Oct 2005
Location: Netherlands
Posts: 312
Default Re: New p2p-virus?

I noticed Win32/Polip in the latest NOD32 update v.1.1505.
  #24  
Old April 25th, 2006, 02:50 AM
i_kenefick i_kenefick is offline
Regular Poster
 
Join Date: Nov 2005
Location: Cork, Ireland.
Posts: 135
Default Re: New p2p-virus?

Detection was added for win32/Polip virus in 1.1505 (20060425)

[Attached screenshot: polip.png]
__________________
Regards,
Ian Kenefick
http://www.iansblog.org

Last edited by i_kenefick : April 25th, 2006 at 02:59 AM.
  #25  
Old April 25th, 2006, 03:18 AM
rothko rothko is offline
Frequent Poster
 
Join Date: Jan 2005
Location: UK
Posts: 579
Default Re: New p2p-virus?

Good to see! I wonder if this will catch all variants and whether it cleans too?
__________________
kiss my pig
 
