Wilders Security Forums  

#1
July 30th, 2002, 05:06 AM
fatpizzaman
Regular Poster
Join Date: Feb 2002
Posts: 52
Subject: unknown virus with F-Secure

I am using F-Secure 5.40 with the latest updates. I want to know about this: it detected a 'suspicious win32pe, perhaps a new virus!'

Do I take this as a false positive, as F-Secure didn't detect this program as a virus yesterday when I was using the program? What should I do?

I cannot disinfect, but I might be able to delete it. Is it a false warning or what?
#2
July 30th, 2002, 05:53 AM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Subject: Re: unknown virus with F-Secure

Hi FPM,

Quote:
it detected a 'suspicious win32pe,perhaps a new virus!'!

Suspicious is the essence here - provoked by the use of heuristics; might well be a false positive.

Quote:
What should i do?

Send a copy to the AV vendor for examination. In the meanwhile, use both the free KAV/AVP and DrWeb file scanners to double check (somewhere on our "free service" page: www.wilders.org/free_services.htm ).

regards.

paul



__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#3
July 30th, 2002, 07:46 AM
Technodrome
Global Moderator
Join Date: Feb 2002
Location: New York
Posts: 2,140
Subject: Re: unknown virus with F-Secure

Could be a false positive.

Follow Paul's suggestion and scan with another virus scanner!


Technodrome
__________________
Classic Trance Hit: PPK - Resurrection
#4
July 30th, 2002, 08:43 AM
MyNethingyman
Posts: n/a
Subject: Re: unknown virus with F-Secure

It could be a false positive... but these two are out there big time. The one you have called Win32 PE: is it an .exe? What is the path? Can you tell us anything more about it?

Follow Paul's suggestions.


_______________________________________________

Win32.Klez.H
Klez.H also drops and activates a polymorphic virus - Win32/Wqk.C.

The encrypted text inside the worm code reads:

“ & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing”


Klez also acts as a companion virus. It locates a Win32 PE program, copies it under a different name (using a random extension) and overwrites the original with the worm code (e.g., it copies MSACCESS.EXE to MSACCESS.UYI and overwrites the original MSACCESS.EXE).


http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1705
_______________________________________________
I-Worm.Melting
http://www.europe.f-secure.com/v-descs/melting.shtml


This is a worm virus spreading via Internet. The worm itself is a Win32 PE EXE file about 18Kb of length. It is written in VisualBasic. It is transferred via the net in email messages using an infected attachment with the name "MeltingScreen.exe".
When an infected message is received and the attached EXE file is executed, the worm gets control and starts its spreading routine. This routine connects to MS Outlook, enters address book, gets Internet addresses from there and sends messages by using these addresses.

A new worm named I-Worm.Melting is currently causing mischief in Eastern Europe, particularly in Russia. However, it cannot be ruled out that this worm could also appear in Germany. It was discovered by the Russian software house Kaspersky Lab (AVP - Anti Viral Toolkit Pro).
The worm is sent by e-mail as an attachment named "Win32PE.exe" (size 18 KB). The system is infected via the file "MeltingScreen.exe".


The e-mail contains the text:
"Hello my friend ! Attached is my newest and funniest Screensaver, I named it MeltingScreen. Test it and tell me what you think. Have a nice day my friend. p.s.: Please install the Runtime Library for VB 5.0, before you run the ScreenSaver."



After the user opens the attachment, all EXE files in the Windows directory are renamed to ".bin files". In addition, the worm is sent to all addresses in the Outlook mail program. Afterwards the user's screen "melts", as can be seen in the corresponding screenshot.

Furthermore, under certain circumstances the entire system may be crashed.

Note: In the past there have been numerous screensavers that really do make the screen "melt". These screensavers, which are usually quite old, have nothing to do with this new worm!
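Added example, not code from this thread or from any vendor: a defender-side check for the two file-system artefacts described in the post above, a Klez-style companion (a PE image saved beside the original under a random extension such as MSACCESS.UYI) and a Melting-style rename of programs to .bin. It looks only at file headers, never runs anything, and the sample files it scans are constructed stand-ins (header bytes only, not real programs).

```python
import os, struct, tempfile
from pathlib import Path

E_LFANEW = 0x3C  # offset of the PE-header pointer inside the DOS header
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv"}

def is_pe_file(path):
    """True if the file has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(struct.unpack_from("<I", head, E_LFANEW)[0])
            return f.read(4) == b"PE\0\0"
    except OSError:  # unreadable, or a directory: not a PE file
        return False

def find_companion_artifacts(directory):
    """Flag PE images behind non-executable extensions (Klez companion, Melting .bin rename)."""
    names = os.listdir(directory)
    exe_stems = {os.path.splitext(n)[0].lower() for n in names if n.lower().endswith(".exe")}
    findings = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXEC_EXTS or not is_pe_file(os.path.join(directory, name)):
            continue
        if stem.lower() in exe_stems:
            findings.append((name, "companion: PE body beside same-name .EXE"))
        elif ext.lower() == ".bin":
            findings.append((name, "renamed: PE body with .bin extension"))
        else:
            findings.append((name, "PE body with non-executable extension"))
    return sorted(findings)

def minimal_pe_bytes():
    """Constructed header only (not a runnable program): MZ stub plus PE signature."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, E_LFANEW, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

def demo():
    """Write a constructed sample directory, scan it and return the findings."""
    sample = {"MSACCESS.EXE": minimal_pe_bytes(), "MSACCESS.UYI": minimal_pe_bytes(),
              "NOTEPAD.bin": minimal_pe_bytes(), "readme.txt": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            Path(root, name).write_bytes(body)
        return find_companion_artifacts(root)
```

A hit is a reason to submit the file to the vendor, as Paul advises above, not a verdict by itself: some legitimate installers also keep PE payloads under odd extensions.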
#5
July 30th, 2002, 11:40 AM
Technodrome
Global Moderator
Join Date: Feb 2002
Location: New York
Posts: 2,140
Subject: Re: unknown virus with F-Secure

Keep us informed fatpizzaman!


Technodrome
__________________
Classic Trance Hit: PPK - Resurrection