Wilders Security Forums  

Go Back   Wilders Security Forums > Archived Forums > Closed Sub-Forums > Archived ESET Support Forums > NOD32 version 1 Forum
  #1  
Old June 3rd, 2004, 08:54 PM
benr
 
Posts: n/a
WORM.BIZEX Virus not detected?

Hi,

We have Nod32 on all our client workstations. We recently found that a large number of them were infected with something that looks like a variant of the WORM.BIZEX virus. This virus appears to have been picked up by various AV companies in Feb 2004.

The behaviour was that it created dlla32.exe, dllw32.exe, & dllx32.exe files in the System32 folder and users' startup menus, and added a "Load32" registry key to the "Run" section of the registry. The virus was visible in the process list, and each time you kill it, another copy spawns itself.

Booting in safe mode with a command prompt, deleting all copies of the above files from the windows folders, and users profiles, and removing all registry keys referencing the above files seems to have done the trick cleaning it.

The worrying thing was that Nod32 did not detect or clean this virus. We are currently in the process of cleaning all the infected machines manually, as above, but have no reliable way to prevent re-infection.

Does anybody know if ESET already have this virus/worm covered (ie. our installation was wrong), or if they are planning to add it to their virus definitions in the near future?

Here are the build details of Nod32. It's updated overnight; one of versions 1.77, 1.78, or 1.79 (I did not write down the version number when we found the problem yesterday) failed to detect it last night.

Current NOD32 system information
Version: 1.780 (20040603)
Installed on: 06/04/2004
Virus database build: 3810
Environment version: 1.047
Last Update attempt: 06/04/04 09:39:15

Diagnostics information
Base module build: 3776

Cheers,
Ben.
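The post above lists the indicators an administrator could look for on a workstation: the three dropped executables in System32 and in users' Startup folders, and a "Load32" value under the Run key. The following script is an added example, not code from the original thread or from ESET: it matches those indicators against a file listing and a dump of Run-key values. The file paths and registry values are constructed sample data, and the `collect_live_run_entries` helper (which reads the real Run keys through `winreg`) is an assumption that only works on Windows and is not exercised by the sample run.

```python
"""Indicator check for the dll?32.exe / Load32 persistence described in the post."""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the post: three dropped executables and a "Load32" value
# under the Run key. These are illustrative matching rules, not ESET signatures.
DROPPED_FILES = {"dlla32.exe", "dllw32.exe", "dllx32.exe"}
RUN_VALUE_NAME = "load32"  # compared case-insensitively

# Constructed sample: a file listing gathered from an affected workstation.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\dlla32.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\dllw32.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\Office Startup.lnk",
]

# Constructed sample: Run-key contents, keyed by hive\path, then value name -> data.
SAMPLE_RUN = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Load32": r"C:\WINDOWS\system32\dllx32.exe",
    },
}


def match_files(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name is one of the dropped executables."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


def match_run_entries(run_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for Run values named Load32 or pointing at a dropped file."""
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            lowered = data.lower()
            if name.lower() == RUN_VALUE_NAME or any(f in lowered for f in DROPPED_FILES):
                hits.append((key, name, data))
    return hits


def assess(paths: Iterable[str], run_values: Dict[str, Dict[str, str]]) -> dict:
    """Combine both checks into a small report; 'infected' is True on any hit."""
    files = match_files(paths)
    runs = match_run_entries(run_values)
    return {"files": files, "run_entries": runs, "infected": bool(files or runs)}


def collect_live_run_entries() -> Dict[str, Dict[str, str]]:
    """Windows only (assumed helper): read HKLM and HKCU Run keys via winreg."""
    import winreg  # only available on Windows
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    result: Dict[str, Dict[str, str]] = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    values[name] = str(data)
        except OSError:
            pass  # key absent or access denied; report it as empty
        result[f"{label}\\{sub}"] = values
    return result


if __name__ == "__main__":
    report = assess(SAMPLE_PATHS, SAMPLE_RUN)
    for path in report["files"]:
        print("dropped file:", path)
    for key, name, data in report["run_entries"]:
        print(f"persistence: {key}\\{name} = {data}")
    print("infected:", report["infected"])
```

On a real host the `paths` argument would come from walking System32 and each profile's Startup folder (for example with `os.walk`), and `run_values` from `collect_live_run_entries()`; the two indicators are checked separately so that a machine where only the Run value survived a partial cleanup is still flagged.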
  #2  
Old June 4th, 2004, 03:14 AM
sig
Frequent Poster
 
Join Date: Feb 2002
Posts: 716
Re: WORM.BIZEX Virus not detected?

Just for others' information, the critter you mention it might be a variant of has been described here:

http://www.computerweekly.com/Article128637.htm
http://www.trendmicro.com/vinfo/viru...e=WORM_BIZEX.A
http://secunia.com/virus_information/504/bizex.a/

I searched for Bizex in the NOD virus definitions web site pages but found nothing under that name, FWIW.
  #3  
Old June 6th, 2004, 03:22 AM
kjempen
Frequent Poster
 
Join Date: May 2004
Posts: 379
Re: WORM.BIZEX Virus not detected?

Quote:
Originally Posted by benr@qpl.com.au
... one of versions 1.77, 1.78, or 1.79 (I did not write down the version number when we found the problem yesterday) failed to detect it last night...

You are correct, it's not listed in NOD32's update information. Since most of the AV vendors (Trend Micro, Sophos, Symantec, Kaspersky, McAfee) use the same name ("Bizex") to describe this worm, I doubt NOD32 would use a different name. Therefore I guess it's possible that NOD32 doesn't have it in its definitions base.

Anyway, if you would like NOD32 to protect you (and other users) from getting this worm in the future, you could send a zipped sample of the "infected" files to samples@eset.sk (or samples@nod32.com).
  #4  
Old June 7th, 2004, 04:59 AM
benr
 
Posts: n/a
Re: WORM.BIZEX Virus not detected?

Hi all,

Thanks for your replies. I sent a copy of the original posting to the 'samples@eset.sk' address shortly after posting here, but without any attached files.

I have now tried to send a copy of the virus to both the addresses: 'samples@eset.sk'; 'samples@nod32.com'.

It's a bit tricky because we have an upstream mail provider who filters out viruses for us. If I cannot get it through from here, I will try again using another ISP.

Cheers,
Ben.
  #5  
Old June 7th, 2004, 06:23 AM
kjempen
Frequent Poster
 
Join Date: May 2004
Posts: 379
Re: WORM.BIZEX Virus not detected?

Thanks for your effort, Ben, as it's also helping us other NOD32 users be protected from this worm. Just a little tip: if you have problems submitting virus samples, try protecting the zipped archive with a password (sending the samples to both of the addresses was also a good idea). Just remember to mention the password in the e-mail to ESET. If you have problems with catching the "infected" files, you could try a free antivirus scanner called AntiVir Personal Edition. After looking through its definitions base, it seems to detect 4 different variants of the Bizex worm. It's a good "back-up" scanner, in case one needs a second opinion.
  #6  
Old June 17th, 2004, 09:14 PM
benr
 
Posts: n/a
Re: WORM.BIZEX Virus not detected?

Hi,

Just to let you all know: ESET have included this in their definitions now. It can be detected by versions 1 & 2. It gets detected as "Win32/Spy.Dumarin.C Trojan".

Cheers,
Ben.
  #7  
Old June 18th, 2004, 07:43 AM
Blackspear
Global Moderator
 
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: WORM.BIZEX Virus not detected?

Just a question: why are you still on version 1 of Nod32, when there is a FREE update to version 2?

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers
  #8  
Old June 19th, 2004, 11:53 PM
benr
 
Posts: n/a
Re: WORM.BIZEX Virus not detected?

It's a good question.

I did not see the cost benefit of moving to version 2 until I had to (especially since it was embedded in our SOE); version 1 has worked fine so far. Even in this case, the use of version 1 was immaterial to the issue (I did some testing and found that I would probably have had the same issue with V2 as I did with V1).

Now, however, ESET and the local distributor have both suggested that I must move to version 2 anyway, due to its improved heuristic scanning and other features. I will be doing so soon.