New Virus - vt100.exe

I heard of new virus with rootkit capabilities. So far NOD does not detect it:

The virus consist of 2 parts:

1) vt100.exe ( 50 kB EXE ) - hidden process
2) code of about 8 kB which is used to infect EXE files.
3) it also tries to connect to some IP.

I asked my friend to send a sample to ESET (but not sure he will), so I hope it will be detected soon.

 

Please , submit this file to
support(at)eset.com
samples(at)eset.com

(at) means @

Write as a subject possible new virus .

Include the VirusTotal image and explain them why you think it for suspicious.

Nice day!

 

At the first sight, the file appears to be very similar to the English version of cmd.exe (apart from the Polish text). We'll see what the guys in the lab say.

 

I do not have the sample, so I asked my frien to send it. I will try to monitor if he does it.

Edit: Oh, now I see Marcos wrote somebody already sent the sample.

 

This "somebody" is called VirusTotal . When you submit a file to VirusTotal , by default , a sample is given to these AV vendors which participate in this service . ESET is one these vendors so when you or your friend submitted the file , Virus Total sent a sample to ESET labs.

I just told you to manually submit the file just in case , to be more sure all NOD32 customers are well-protected

 

Thx, but I am aware of sending samples and I always do it if I can

To not open a new thread I will write about some NOD unpacking problem I have discovered yesterday. It happened afrer I downloaded a CCleaner installer:

http://img413.imageshack.us/img413/7306/nod3rr.jpg

The text marked with red color means: "error - unknown compression method"

I know NOD would detect it if it was something dangerous while extracting.

 

I don't think it is a problem . Also I would never use CCleaner , though

 

I have used CCleaner for a very long time and never had an issue, nor have the 100's of clients that I have installed CCleaner on their PC's.

Cheers

 

great

 

Same here....one of my tools on my USB thumb drive...have used it hundreds 'n hundreds of times...excellent program.

 

Gotta love CCleaner.....one of the best.

 

Hello.

I just send you cmd_vt100.exe and vt100.exe to samples(at)eset.com.

cmd_vt100.exe is infected windows cmd.exe file.
vt100.exe is proper virus-rootkit .

Here is log from my program:

Code:

GMER 1.0.10.9819 - http://www.gmer.net
Rootkit 2006-05-04 18:30:25
Windows 5.1.2600 Dodatek Service Pack 2


---- Processes - GMER 1.0.10 ----

Process  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) 3004 <-- ROOTKIT !!!
Library  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT100.EXE [3004] 0x00400000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg      \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT100.EXE

---- Files - GMER 1.0.10 ----

File     C:\WINDOWS\system32\VT100.EXE

---- EOF - GMER 1.0.10 ----

As you can see, virus-rootkit hides its process, file, and registry key.
After start, vt100.exe infects almost all files on all possible disks.
Virus also send some data over network to host located in *pl domain.

Here is another report but in polish:
http://www.gmer.net/vt100.exe.php

Regards