New p2p-virus....Win32.Polipos ?

Discussion in 'other anti-virus software' started by izi, Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. kalpik

    kalpik Registered Member

    @IBK: So that means NOD32 detects all samples?
     
  2. RejZoR

    RejZoR Lurker

    Most apps will fail because of their internal CRC/hash checks anyway.
     
  3. IBK

    IBK AV Expert

    no, it just means it detects all samples I have here. I think there will maybe be a much larger test with this virus done by Marx ;).
     
  4. TiX

    TiX Registered Member

    Now I received a message from Denis Nazavor from KL. He said that KL finished making the detection algorithm and now KAV must detect 100%.

    Can somebody confirm?!
     
  5. IBK

    IBK AV Expert

    No, still not.

    On my small (!) collection of Polip it looks like the following:
    100% AntiVir, Avast, BitDefender, Dr.Web, eSafe, Ikarus, McAfee, NOD32, Panda, Sophos, Symantec, VBA32, VirusBuster
    ??% (does not detect all) eTrust-INO, eTrust-VET, F-Secure, Fortinet, Kaspersky
    0% AVG, ClamAV, Command, ewido, F-Prot, Microsoft, Norman, TrendMicro, QuickHeal
     
    Last edited: Apr 25, 2006
  6. Joliet Jake

    Joliet Jake Registered Member

    If someone has a back up image of their system is that safe from this virus?
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    That's strange that Kaspersky Labs should have problems with this poly. It isn't difficult to detect at all, the virus author made too many (typical) mistakes.
     
  8. IBK

    IBK AV Expert

    Now it detects all samples I have.

    P.S.: I will not publish more results about Polip. Marx will publish his detailed results about this worm in some magazines, most probably very soon. :)
     
    Last edited: Apr 25, 2006
  9. Durad

    Durad Registered Member

    Let us know what magazine it would be.
     
  10. Inspector Clouseau

    Inspector Clouseau AV Expert

    Of course it's not difficult to detect! There's a virus bulletin article in one of the next issues about it :rolleyes:
     
  11. FRug

    FRug Registered Member

    vinny: As much as it pains me, I have to agree with stefan and IC. There will be no magic wand for you to recover your network. Have you determined how many systems are actually affected?
    Leaving the infected systems running endangers all systems on your net that are still clean, and might also break infected systems that are still running. You also have a high risk of infecting customers or business partners! Also anyone connecting to your net and people all over the globe. What's more your infected systems data might be shared on P2P networks causing inside information to leak out to the whole world!
     
  12. mportela

    mportela Registered Member

    Greetings,

    Due to several reasons I had to drop using Norton and started using NOD32, as I was told it was a very able program that would secure "me". :cautious:

    Anyway, I ended up discovering today that all of a sudden I have this nasty Win32.Polip jumping around endlessly... unlike vinny I only have a domestic network with 3 computers and only one is infected.

    My question and humble request for your expertise is:
    Without losing my valuable hard disk content (so as to avoid a format), what steps could I take to eradicate this nasty jumper? I thought about having NOD32 delete them all (and many are Windows related and important for the system running) and trying to repair the Windows installation. Would this work?

    If not, what could I do? I don't mind losing all other programs, it's the content of the hard drive I'm worried about!
     
  13. dan_maran

    dan_maran Registered Member

    This is the writeup from SoftWin, so I assume if your files are not executed they are more than likely OK.
    I would download/create a bootCD based on WinPE or Linux, on a clean machine, backup your contents and do a fresh install. This is just me, rather safe than sorry. :)

    http://www.bitdefender.com/VIRUS-1000066-en--Win32.Polipos.A.html

    Code:
    FILE INFECTION METHOD:
    
    Using different entry-point obscuring techniques, Polipos makes itself a hard-to-detect virus:
    
        * It chooses a random imported function from the victim, and hooks all calls or jumps to that function.
    
        * It searches for functions that have the same stack-frame-restore code, and patches all instances of that code, with a call to its own body.
    
    
    If it finds unused space in the victim's code sections, it inserts code into them, as much as it can, without increasing those sections' sizes.
    It increases the VirtualSize of the data sections of the victim, and will use that space for its junk code.
    If a resource section is found in the victim, sometimes it shifts that section, and inserts a new section after the last data section, and before the resources (other times it appends its section after the resources), and repairs the resource section (otherwise it would damage the victim).
    
    When infecting a file, it searches for the following files in same directory as the file that is going to be infected:
    
        * drwebase.vdb
        * avg.avi
        * vs.vsn
        * anti-vir.dat
        * avp.crc
        * chklist.ms
        * ivb.ntz
        * ivp.ntz
        * chklist.cps
        * smartchk.ms
        * smartchk.cps
        * aguard.dat
        * avgqt.dat
        * lguard.vps
    
    It will delete these files if they are found.
    
    Once the control of an infected file is passed to the virus body, it cleans the memory copy of the file (restores the original code at the patched locations), to make sure it is run only once from a certain file.
    
    When the virus is executed from a file with an overlay, it makes a copy of that in the %TEMP% folder, disinfects it, and runs it from that location. This is useful in the case of installers or SFX archives that use integrity checks.
    
    The virus will not infect the files matching the following names:
    
        * vtf tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn
        * pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup
        * temp norton mcafee anti tmp secure upx forti scan "zone labs"
        * alarm symantec retina eeye virus firewall spider backdoor
        * drweb viri debug panda shield kaspersky doctor "trend micro"
        * sonique cillin barracuda sygate rescue pebundle ida spf
        * assemble pklite aspack disasm gladiator ort expl process
        * eliashim tds3 starforce sec avx root burn aladdin
        * esafe olly grisoft avg armor numega mirc softice norman
        * neolite tiny ositis proxy webroot hack spy iss pkware
        * blackice lavasoft aware pecompact clean hunter common kerio
        * route trojan spyware heal alwil qualys tenable avast a2
        * etrust spy steganos security principal agnitum outpost avp
        * personal softwin defender intermute guard inoculate sophos
        * frisk alwil protect eset nod32 f-prot avwin ahead nero
        * blindwrite clonecd elaborate slysoft hijack roxio imapi
        * newtech infosystems adaptec "swift sound" copystar astonsoft
        * "gear software" sateira dfrgntfs
    
    The decrypted virus body contains the following text:
    
        * Win32.Polipos v1.2 by Joseph.
    
    
    
    PROCESS INFECTION METHOD:
    
    The virus will infect all running processes except those matching the following names: savedump, dumprep, dwwin, drwatson, drwtsn32, smss, csrss, spoolsv, ctfmon, temp.
    
    For the processes it infects, it hooks the following APIs, by patching directly the kernel copy from each process address space:
    
        * CreateFileW
        * CreateFileA
        * SearchPathW
        * SearchPathA
        * CreateProcessW
        * CreateProcessA
        * LoadLibraryExW
        * LoadLibraryExA
        * ExitProcess
    
    These hooks will allow the virus to infect all files that an infected process accesses through the APIs mentioned above.
    
    
    SPREADING METHOD:
    
    The virus is able to connect to Gnutella P2P network, acting as a client. It uses a predefined list of Gnutella webcache servers, in order to obtain lists of available nodes (connected clients). Using the P2P network, it has a strong ability to spread itself like a worm.
    REMOVAL INSTRUCTIONS:
    Disinfection for this virus is a difficult process, due to its encryption methods, and the fact that it injects code into running processes. The memory cleaning method and file disinfection are in the works, and will be available as soon as possible.
    ANALYZED BY:
    Raul Tosa and Dan Lutas, BitDefender virus researchers.
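The writeup above says the virus leaves visible traces in the PE section table even though its body is encrypted and entry-point obscured: it grows the VirtualSize of data sections for junk code and inserts its own section after the last data section, before or after .rsrc. The following is an added example written for this thread, not BitDefender's detection logic and not code from the original post: a header-only section-layout triage script for sorting a file share, with the 4 KiB slack, the "code after data" rule and the constructed test images all being my own assumptions. It is a triage aid, not a detector.

```python
"""Header-only PE section-layout triage (added example, hypothetical heuristics).
Checks only the side effects the writeup lists: a code section placed after
the data sections (before or after .rsrc) and data sections whose VirtualSize
was grown. It does not look at the encrypted virus body at all."""
import struct
import sys

SCN_CNT_CODE = 0x00000020
SCN_CNT_INIT_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return the IMAGE_SECTION_HEADER table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return sections


def is_code(s):
    return bool(s["chars"] & (SCN_CNT_CODE | SCN_MEM_EXECUTE))


def is_data(s):
    return bool(s["chars"] & SCN_CNT_INIT_DATA) and not is_code(s)


def suspicious_section_layout(data):
    """Return human-readable findings; an empty list means the layout looks normal."""
    sections = parse_sections(data)
    findings = []
    first_data = next((i for i, s in enumerate(sections) if is_data(s)), None)
    rsrc = next((i for i, s in enumerate(sections) if s["name"] == ".rsrc"), None)
    for i, s in enumerate(sections):
        # Linkers emit code before data; a code section that follows the data sections
        # matches the "new section after the last data section" behaviour in the writeup.
        if is_code(s) and first_data is not None and i > first_data:
            where = "after .rsrc" if rsrc is not None and i > rsrc else "after the data sections"
            findings.append(f"executable section {s['name']!r} at index {i} {where}")
        # A section that is both writable and executable is unusual in linker output.
        if is_code(s) and s["chars"] & SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
        # The writeup says the virus grows VirtualSize of data sections for its junk code.
        # Linkers also do this for merged .bss, so the 4 KiB slack keeps it a weak signal.
        if is_data(s) and s["vsize"] > s["rawsize"] + 0x1000:
            findings.append(f"data section {s['name']!r} VirtualSize exceeds raw size "
                            f"by {s['vsize'] - s['rawsize']:#x}")
    return findings


def build_minimal_pe(layout):
    """Build a header-only PE32 image from (name, VirtualSize, SizeOfRawData, flags)
    tuples. Constructed test input only; no section bodies are included."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    va, headers = 0x1000, b""
    for name, vsize, rawsize, chars in layout:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize,
                               0, 0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


RX = SCN_MEM_READ | SCN_MEM_EXECUTE | SCN_CNT_CODE
R = SCN_MEM_READ | SCN_CNT_INIT_DATA
RW = R | SCN_MEM_WRITE
# Constructed samples: a normal MSVC-style layout, and one with an RWX code section
# wedged between .data and .rsrc plus an inflated .data VirtualSize.
CLEAN = build_minimal_pe([(b".text", 0x5000, 0x5000, RX), (b".rdata", 0x2000, 0x2000, R),
                          (b".data", 0x1800, 0x1000, RW), (b".rsrc", 0x800, 0x800, R)])
ODD = build_minimal_pe([(b".text", 0x5000, 0x5000, RX), (b".rdata", 0x2000, 0x2000, R),
                        (b".data", 0x4000, 0x1000, RW),
                        (b".xtra", 0x3000, 0x3000, RX | SCN_MEM_WRITE),
                        (b".rsrc", 0x800, 0x800, R)])

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("ODD", ODD)]
    for label, blob in targets:
        for line in suspicious_section_layout(blob):
            print(f"{label}: {line}")
```

Run it with a list of .exe/.dll paths to get a shortlist for closer inspection with a real scanner; a hit only means the section table is unusual, and packed or self-modifying programs (and anything mentioned in the virus's own exclusion list, like UPX or ASPack output) will trip it too.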
     
  14. pykko

    pykko Registered Member

    but what about F-Prot? Do they really have no detection...? :'(
     
  15. TAP

    TAP Registered Member


    Ummm, and what about AVG, ClamAV, Command, Microsoft and Norman? I think this virus is dangerous; even if its spreading is considered low, it's dangerous.

    :rolleyes:
     
    Last edited: Apr 26, 2006
  16. pykko

    pykko Registered Member

    well, F-Prot was quite a nice AV..... AVG and all the others are not so reliable.
    The av-comparatives.org and VB tests show this.
     
  17. RejZoR

    RejZoR Lurker

    Good to see avast! up there with the rest of 100%.

    Don't expect much from ClamAV. It's free and works relatively well against non polymorphic non infectable stuff but Polip might be a too big chunk...
     
  18. IBK

    IBK AV Expert

  19. dan_maran

    dan_maran Registered Member

    Thanks for the news IBK, do you know if he will release his usual XLS report?
    Also I tried Babelfish and Freetranslation and none can seem to get it right,
    any suggestions?
     
  20. cisco_vinny

    cisco_vinny Registered Member

    If some of the necessary systems are formatted or cleaned and the latest Symantec antivirus definitions are installed, and after that they are hooked back into a network which still has some infected systems, what can assure that the new/formatted/cleaned systems won't get infected from the already infected systems in the network? As Symantec is detecting Polip now, can it prevent Polip from spreading to these machines? Or should we consider some other software, hardware, etc.? Please suggest.
     
  21. IBK

    IBK AV Expert

  22. rothko

    rothko Registered Member

    interesting to see that 2 free AVs - Avast! and AntiVir - have 100% detection here, beating some of the paid for AVs.
     
  23. Antarctica

    Antarctica Registered Member

    Only one solution, you have to learn German. :D:D :p (Translation: you have to learn German.)
     
  24. TAP

    TAP Registered Member

    Good to see avast! gets 100% detection, at least for samples in this test.

    I don't know if an AVs such as avast!, AntiVir, BitDefender, McAfee, Kaspersky, Symantec that have 100% detection of this virus in this test will be able to detect all infected files of this virus in the real world.
     
    Last edited: Apr 28, 2006
  25. izi

    izi Registered Member

    Why Nod32 doesn't detect all variants? :blink: :blink: :'(
     