New p2p-virus?

Discussion in 'NOD32 version 2 Forum' started by ALEX(XX), Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. ALEX(XX)

    ALEX(XX) Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    19
  2. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That's, a long time after ZMist, one of the "best" viruses I've seen.
    It's indeed highly complex - the encryption algo is medium difficult and the virus uses a lot of tricks. I have here some samples with nice anti-emulation tricks, such as code performance speed tests (meaning the virus will know when it runs in a virtual environment) and registry dummy-writing tricks, such as trying to write a random value to the registry and trying to read it later and compare it. If not equal or if it doesn't exist, the virus exits. The virus is able to act as a space filler; the same technique was used by the Chernobyl virus already (CIH). The virus is able to use EPO functionality: it looks for common API calls after the entry point and hooks/redirects them. This means the virus does not execute its own code/decrypter at a fixed position after the entry point.

    Cleaning becomes tricky, as Dr. Web already stated correctly; however, a cleaner will be available soon via my weblog sometime this week when I have some time.
     
  3. RejZoR

    RejZoR Polymorphic Sheep

    Joined:
    May 31, 2004
    Posts:
    6,230
    Location:
    Europe/Slovenia
    Interesting, a must have piece of malware for a collector like myself then... :D
    Now where did I put that Tenga.A hm...;)
     
  4. ALEX(XX)

    ALEX(XX) Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    19
    The description was specified: ~Win32.Polipos~ - added link and quote tags - dog

     
    Last edited by a moderator: Apr 20, 2006
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well.... no other names from other vendors on the DrWeb web site. :( Does NOD32 detect it?
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I submitted samples this morning.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thx Inspector. :) Hope your samples are analysed faster than mine. :D Otherwise...... :p
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,332
    Surely faster than the old dos executables and joke programs.
     
  9. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Does NOD32 detect this virus?
     
  10. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    It doesn't detect the samples I have anyways - I guess they are waiting to figure out how to clean it rather than add 'detection' before this for fear of breaking many infected machines.

    AntiVir 6.34.0.24 04.20.2006 no virus found
    Avast 4.6.695.0 04.21.2006 no virus found
    AVG 386 04.21.2006 no virus found
    Avira 6.34.0.56 04.22.2006 no virus found
    BitDefender 7.2 04.22.2006 Win32.Polipos.A
    CAT-QuickHeal 8.00 04.21.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.22.2006 no virus found
    DrWeb 4.33 04.22.2006 Win32.Polipos
    eTrust-InoculateIT 23.71.136 04.22.2006 Win32/Polipos!Worm
    eTrust-Vet 12.4.2171 04.21.2006 no virus found
    Ewido 3.5 04.22.2006 no virus found
    Fortinet 2.71.0.0 04.22.2006 W32/Polipos.V12
    F-Prot 3.16c 04.21.2006 no virus found
    Ikarus 0.2.59.0 04.21.2006 no virus found
    Kaspersky 4.0.2.24 04.22.2006 P2P-Worm.Win32.Polipos.a
    McAfee 4746 04.21.2006 no virus found
    NOD32v2 1.1502 04.22.2006 no virus found
    Norman 5.90.16 04.21.2006 no virus found
    Panda 9.0.0.4 04.22.2006 no virus found
    Sophos 4.04.0 04.21.2006 W32/Polipos-A
    Symantec 8.0 04.22.2006 no virus found
    TheHacker 5.9.7.133 04.22.2006 no virus found
    UNA 1.83 04.21.2006 no virus found
    VBA32 3.11.0 04.22.2006 Virus.Win32.Polipos.A
     
  11. mackattack

    mackattack Registered Member

    Joined:
    Apr 22, 2006
    Posts:
    3
    Location:
    Dublin Ireland
    Hi,

    Anyone know of a way to clean this virus? It seems a site we have in Athlone, Ireland, is infected and it has wiped the machines they use. I have just got them to shut down everything until I can find info on it.

    A full site rebuild is not what I want to advise at this stage.
    Any help would be great.

    Regards
     
  12. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,545
    Location:
    Canada
    If you read at the end of the article from Dr. Web, they can remove it.

    http://info.drweb.com/show/2815/en



    At present, Virus monitoring service of Doctor Web, Ltd. designed the curing procedure for files infected with Win32.Polipos. It was done for users whose anti-virus programs still do not detect this virus and whose computers, though protected by other anti-virus programs, are infected with the virus and let it infect other computers. The curing technique is rather difficult, as it requires processing of a complicated crypt algorithm XTEA, and the decoding of the virus code can take much time. You should not download any additional curing utilities to cure the infected files, just use Dr.Web Anti-virus and update the virus bases on time.
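    The Dr. Web note above says disinfection is slow because every infected file has to be run back through the virus body's XTEA cipher. As an added illustration (not code from Dr. Web, from Polipos, or from anyone in this thread), here is a plain XTEA implementation: the standard 32-round, 64-bit-block, 128-bit-key algorithm, plus an ECB wrapper over byte buffers. The big-endian word order, the sample key and the sample plaintext are assumptions of this example and are not taken from the virus; they only show why a per-file decryption pass is more work than a signature match.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF  # keep every intermediate in uint32, as the reference C code does


def xtea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block given as two uint32 words; key is four uint32 words."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0, v1, key, rounds=32):
    """Invert xtea_encrypt_block by walking the round-key schedule backwards."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def _key_words(key16):
    # Big-endian word order is an assumption of this example; XTEA itself only
    # defines the cipher over 32-bit words, not how bytes map onto them.
    if len(key16) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return struct.unpack(">4I", key16)


def xtea_ecb_encrypt(data, key16):
    """ECB-encrypt a buffer whose length is a multiple of 8 bytes."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8")
    key = _key_words(key16)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[off:off + 8])
        out += struct.pack(">2I", *xtea_encrypt_block(v0, v1, key))
    return bytes(out)


def xtea_ecb_decrypt(data, key16):
    """ECB-decrypt a buffer produced by xtea_ecb_encrypt with the same key."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8")
    key = _key_words(key16)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[off:off + 8])
        out += struct.pack(">2I", *xtea_decrypt_block(v0, v1, key))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample key and plaintext; nothing here comes from the virus.
    key = bytes(range(16))
    plaintext = b"ABCDEFGHIJKLMNOP"
    ct = xtea_ecb_encrypt(plaintext, key)
    assert xtea_ecb_decrypt(ct, key) == plaintext
    print(ct.hex())
```

    A cleaner has to recover the key the virus used for each file and then run this decryption over the encrypted body before it can restore the host, which is the "decoding of the virus code can take much time" the note refers to; a scanner that only needs to recognise the infection can stop long before that.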
     
  13. mackattack

    mackattack Registered Member

    Joined:
    Apr 22, 2006
    Posts:
    3
    Location:
    Dublin Ireland
    Hey,

    Thanks for the quick reply. I have one of the users trying to find a machine that's not infected on the LAN to download it, as the infected machines cannot do very much.

    Mac
     
  14. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    AFAIK, vendors should have a disinfection routine :thumb: added over the coming days. Dr Web's CureIT! tool can clean it, Mike (Inspector Clouseau) is developing his own disinfection tool also.

    P.S. Greetings from Cork :)
     
  15. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,545
    Location:
    Canada

    You're most welcome and I hope you can get back in business ASAP.;)
     
  16. mackattack

    mackattack Registered Member

    Joined:
    Apr 22, 2006
    Posts:
    3
    Location:
    Dublin Ireland
    Hello Cork, if I was closer a pint might have to be bought.

    Do you know what the virus does to the machine after a few days? The users onsite are telling me the machine is wiped; from what I can gather, all the documents are gone from mapped drives.

    Thanks for the help.
     
  17. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    If Polipos is as bad as everyone is making out, then it would be nice to have at least detection for it, even if the cleaning comes later.
     
  18. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    agreed.
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, Marcos thank you for the answer ...now I know you're not paying attention to these not-dangerous threats like jokes, DOS and phishing e-mails.

    You concentrate on highly-dangerous threats like this p2p worm....which is still not detected by NOD32. :rolleyes: :rolleyes: :(
     
  20. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Reply by member i_kenefick, removed. TOS violation.



    snowbound
     
  21. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    pykko - at least we know the thread is being watched. You should get an answer soon... and maybe detection later :ninja:
     
  22. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Someone in the 'polipos' thread in the 'other AV' section of the forum claims that Dr Web didn't clean up this virus.

    http://www.wilderssecurity.com/showpost.php?p=734457&postcount=37
     
  23. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    I noticed Win32/Polip in the latest NOD32 update v.1.1505.
     
  24. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Detection was added for win32/Polip virus in 1.1505 (20060425)

     
    Last edited: Apr 25, 2006
  25. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Good to see! I wonder if this will catch all variants and whether it cleans too?
     