unknown virus with F-Secure

Discussion in 'other anti-virus software' started by fatpizzaman, Jul 30, 2002.

Thread Status:
Not open for further replies.
  1. fatpizzaman

    fatpizzaman Registered Member

    Joined:
    Feb 27, 2002
    Posts:
    52
    I am using F-Secure 5.40 with the latest updates. I want to know about this: it detected a 'suspicious win32pe, perhaps a new virus!'

    Do I take this as a false positive, as F-Secure didn't detect this program as a virus yesterday, when I was using the program? What should I do?

    I cannot disinfect, but I might be able to delete it.. is it a false warning or what?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi FPM,

    "suspicious" is the essence here - provoked by the use of heuristics; might well be a false positive.

    Send a copy to the AV vendor for examination. In the meantime, use both the free KAV/AVP and DrWeb file scanners to double check (somewhere on our "free service" page: www.wilders.org/free_services.htm )

    regards.

    paul
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Could be a false positive.

    Follow Paul's suggestion and scan with another virus scanner!


    Technodrome
     
  4. It could be a false positive... but these two are out there big time. The one you have called Win32 PE: is it an .exe? What is the path? Can you tell us anything more about it?

    Follow Paul's suggestions.


    _______________________________________________

    Win32.Klez.H
    Klez.H also drops and activates a polymorphic virus - Win32/Wqk.C.

    The encrypted text inside the worm code reads:

    “ & Win32 Foroux V1.0
    Copyright 2002,made in Asia
    About Klez V2.01:
    1,Main mission is to release the new baby PE virus,Win32 Foroux
    2,No significant change.No bug fixed.No any payload.
    About Win32 Foroux (plz keep the name,thanx)
    1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
    2,With very interesting feature.Check it!
    3,No any payload.No any optimization
    4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing”


    Klez also acts as a companion virus. It locates a Win32 PE program, copies it under a different name (using a random extension) and overwrites the original with the worm code (e.g. - it copies MSACCESS.EXE to MSACCESS.UYI and overwrites the original MSACCESS.EXE).


    http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1705
    _______________________________________________
    I-Worm.Melting
    http://www.europe.f-secure.com/v-descs/melting.shtml


    This is a worm virus spreading via the Internet. The worm itself is a Win32 PE EXE file about 18 KB in length. It is written in Visual Basic. It is transferred via the net in email messages using an infected attachment with the name "MeltingScreen.exe".
    When an infected message is received and the attached EXE file is executed, the worm gets control and starts its spreading routine. This routine connects to MS Outlook, enters the address book, gets Internet addresses from there and sends messages to these addresses.

    A new worm named I-Worm.Melting is currently causing trouble in Eastern Europe, particularly in Russia. However, it cannot be ruled out that this worm could also surface in Germany. It was discovered by the Russian software house Kaspersky Lab (AVP - Anti Viral Toolkit Pro).
    The worm is sent by e-mail as an attachment under the name "Win32PE.exe" (size 18 KB). The infection of the system takes place via the file "MeltingScreen.exe".

    The e-mail contains the text:
    "Hello my friend ! Attached is my newest and funniest Screensaver, I named it MeltingScreen. Test it and tell me what you think. Have a nice day my friend. p.s.: Please install the Runtime Library for VB 5.0, before you run the ScreenSaver."

    After the attachment is opened by the user, all EXE files in the Windows directory are renamed to ".bin files". In addition, the worm is sent to all addresses in the Outlook mail program. Afterwards the user's screen "melts", as can be seen in the corresponding screenshot.

    Furthermore, under some circumstances the entire system may be brought to a crash.

    Note: In the past there have been numerous screensavers that actually make the screen "melt". These screensavers, which are generally quite old, have nothing to do with this new worm!
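    The two write-ups quoted above describe a companion-virus pattern (the real MSACCESS.EXE copied to MSACCESS.UYI, the original overwritten) and a plain rename of EXE files to .bin. The following is an added example, not code from the thread or from any AV vendor, showing how a defender can sweep a directory for exactly those leftovers: files that carry a PE "MZ" header but sit under an extension a PE normally would not use, with a same-stem .exe sibling flagged as the companion case. The sample directory, file names and contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Extensions under which an MZ/PE header is expected; anything else with
# an MZ header is worth a second look.
NORMAL_PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}

def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' magic every Win32 PE image carries."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def find_companion_artifacts(directory) -> list:
    """Return [(name, sibling_exe_or_None)] for PE files under unusual extensions.

    A same-stem .exe next to the file is the companion pattern from the Klez
    write-up (MSACCESS.UYI beside the overwritten MSACCESS.EXE); no sibling
    matches a plain rename, like the .bin files Melting leaves behind.
    """
    directory = Path(directory)
    entries = [p for p in directory.iterdir() if p.is_file()]
    exes = {p.stem.lower(): p.name for p in entries if p.suffix.lower() == ".exe"}
    findings = []
    for path in sorted(entries):
        if path.suffix.lower() in NORMAL_PE_EXTS or not is_pe_file(path):
            continue
        findings.append((path.name, exes.get(path.stem.lower())))
    return findings

def build_sample_dir() -> Path:
    """Constructed sample directory mimicking both patterns (not real malware)."""
    d = Path(tempfile.mkdtemp())
    stub = b"MZ" + b"\x00" * 62  # minimal DOS-header prefix, enough for the check
    (d / "MSACCESS.EXE").write_bytes(stub + b"worm body")   # original overwritten by worm
    (d / "MSACCESS.UYI").write_bytes(stub + b"real app")    # companion copy, random extension
    (d / "NOTEPAD.BIN").write_bytes(stub + b"renamed app")  # Melting-style .bin rename
    (d / "SETUP.EXE").write_bytes(stub)                     # ordinary executable, ignored
    (d / "README.TXT").write_bytes(b"plain text, not a PE")  # non-PE, ignored
    return d

if __name__ == "__main__":
    for name, sibling in find_companion_artifacts(build_sample_dir()):
        tag = f", companion of {sibling}" if sibling else ", no matching .exe (renamed?)"
        print(f"{name}: PE header under unusual extension{tag}")
```

    Point it at a real Windows directory instead of the constructed one to get a list of candidates to submit to the vendor alongside the file F-Secure flagged.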
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Keep us informed fatpizzaman!


    Technodrome
     