New p2p-virus?

Discussion in 'NOD32 version 2 Forum' started by ALEX(XX), Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. ALEX(XX)

    ALEX(XX) Registered Member

  2. Inspector Clouseau

    Inspector Clouseau AV Expert

    That's after a long time after ZMist one of the "best" viruses i've seen.
    It's indeed highly complex - the encryption algo is medium difficult and the virus uses a lot of tricks. I've here some samples with nice antiemulation tricks, such as code performance speed tests (meaning the virus will know when it runs in a virtual environment) and registry dummy - writing tricks, such as trying to write a random value to the registry and trying to read it later and compare it. If not equ or if it doesn't exist the virus exits. The virus is able to act as space filler, same technic was used by the tschernobyl virus already (CIH). The virus is able to use EPO functionallity, it looks for common API calls after the entry point and hooks/redirects them. Means the virus does not execute its own code/decrypter at a fixed position after the entry point.

    Cleaning becomes tricky as Dr. Web already stated correct, however, cleaner will be available soon via my weblog somehow during this week when i have some time.
  3. RejZoR

    RejZoR Polymorphic Sheep

    Interesting, a must have piece of malware for a collector like myself then... :D
    Now where did i put that Tenga.A hm...;)
  4. ALEX(XX)

    ALEX(XX) Registered Member

    The description was specified: ~Win32.Polipos~ - added link and quote tags - dog

    Last edited by a moderator: Apr 20, 2006
  5. pykko

    pykko Registered Member

    well.... no other names from other vendros on DrWeb web site. :( Does NOD32 detects it?
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    i submitted samples this morning.
  7. pykko

    pykko Registered Member

    Thx Inspector. :) Hope your samples are analysed faster than mine. :D Otherwise...... :p
  8. Marcos

    Marcos Eset Staff Account

    Surely faster than the old dos executables and joke programs.
  9. izi

    izi Registered Member

    Does NOD32 detect this virus?
  10. i_kenefick

    i_kenefick Registered Member

    It doesn't detect the samples I have anyways - I guess they are waiting to figure out how to clean it rather than add 'detection' before this for fear of breaking many infected machines.

    AntiVir 04.20.2006 no virus found
    Avast 4.6.695.0 04.21.2006 no virus found
    AVG 386 04.21.2006 no virus found
    Avira 04.22.2006 no virus found
    BitDefender 7.2 04.22.2006 Win32.Polipos.A
    CAT-QuickHeal 8.00 04.21.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.22.2006 no virus found
    DrWeb 4.33 04.22.2006 Win32.Polipos
    eTrust-InoculateIT 23.71.136 04.22.2006 Win32/Polipos!Worm
    eTrust-Vet 12.4.2171 04.21.2006 no virus found
    Ewido 3.5 04.22.2006 no virus found
    Fortinet 04.22.2006 W32/Polipos.V12
    F-Prot 3.16c 04.21.2006 no virus found
    Ikarus 04.21.2006 no virus found
    Kaspersky 04.22.2006 P2P-Worm.Win32.Polipos.a
    McAfee 4746 04.21.2006 no virus found
    NOD32v2 1.1502 04.22.2006 no virus found
    Norman 5.90.16 04.21.2006 no virus found
    Panda 04.22.2006 no virus found
    Sophos 4.04.0 04.21.2006 W32/Polipos-A
    Symantec 8.0 04.22.2006 no virus found
    TheHacker 04.22.2006 no virus found
    UNA 1.83 04.21.2006 no virus found
    VBA32 3.11.0 04.22.2006 Virus.Win32.Polipos.A
  11. mackattack

    mackattack Registered Member


    Anyone know of a way to clean this virus it seems a site we have in Athlone, Ireland is infected and has wiped the machines they use. I have just got them to shut down everything untill I can find info on it.

    A full site rebuild is not what I want to advise at this stage.
    Any help would be great.

  12. Antarctica

    Antarctica Registered Member

    If you read at the end of the article from Dr. Web, they can remove it.

    At present, Virus monitoring service of Doctor Web, Ltd. designed the curing procedure for files infected with Win32.Polipos. It was done for users whose anti-virus programs still do not detect this virus and whose computers, though protected by other anti-virus programs, are infected with the virus and let it infect other computers. The curing technique is rather difficult, as it requires processing of a complicated crypt algorithm XTEA, and the decoding of the virus code can take much time. You should not download any additional curing utilities to cure the infected files, just use Dr.Web Anti-virus and update the virus bases on time.
  13. mackattack

    mackattack Registered Member


    Thanks for the quick reply, I have one of the users trying to find a machine thats not inected on the LAN to download as the infected machines can not do very much.

  14. i_kenefick

    i_kenefick Registered Member

    AFAIK, vendors should have a disinfection routine :thumb: added over the coming days. Dr Web's CureIT! tool can clean it, Mike (Inspector Clouseau) is developing his own disinfection tool also.

    P.S. Greetings from Cork :)
  15. Antarctica

    Antarctica Registered Member

    You're most welcome and I hope you can get back in business ASAP.;)
  16. mackattack

    mackattack Registered Member

    Hello Cork, if I was closer a pint might have to be bought.

    Do you know what the virus does to the machine after a few days. The users onsite are telling me the machine is wiped, from what I can gather all the documents are gone from mapped drives.

    Thanks for the help.
  17. rothko

    rothko Registered Member

    if Polipos is as bad as everyone is making out then it would be nice to have at least detection for it even if the cleaning comes later
  18. i_kenefick

    i_kenefick Registered Member

  19. pykko

    pykko Registered Member

    Well, Marcos thank you for the answer I know you're not paying attention to these not-dangerous threats like jokes, DOS and phishing e-mails.

    You concentrate on highly-dangerous threats like this p2p worm....which is still not detected by NOD32. :rolleyes: :rolleyes: :(
  20. snowbound

    snowbound Retired Moderator

    Reply by member i_kenefick, removed. TOS violation.

  21. i_kenefick

    i_kenefick Registered Member

    Pyko - at least we know the thread is being watched. You should get an answer soon... and maybe detection later :ninja:
  22. Joliet Jake

    Joliet Jake Registered Member

    Someone in the 'polipos' thread in the 'other AV' section of the forum claims that Dr Web didn't clean up this virus.
  23. ctrlaltdelete

    ctrlaltdelete Registered Member

    I noticed Win32/Polip in the latest NOD32 update v.1.1505.
  24. i_kenefick

    i_kenefick Registered Member

    Detection was added for win32/Polip virus in 1.1505 (20060425)

    Last edited: Apr 25, 2006
  25. rothko

    rothko Registered Member

    good to see! wonder is this will catch all variants and whether it cleans too?
Thread Status:
Not open for further replies.