We may have a new outbreak...

2 such emails in the last 10 minutes:

email Attachments001.BHX - Win32/VB.NEI worm - deleted
Attachments001.BHX > MIME > Atta[001],zip .SCR - Win32/VB.NEI worm

Cheers

 

A bit late to the punch, though it is just starting to reach my mail box.

Cheers

 

Oh Don, just loves me, he so wants to share his photo album with me

From: don [don at xyz.com]
Sent: Thursday, 19 January 2006 10:39 PM
To: my email at @ xyz.com
Subject: Fwd: Photo

photo

photo2

photo3

__________ NOD32 EMON 1.1371 (2006011 Warning __________

Warning, NOD32 antivirus system found the following in the message: ... Video_part.mim - Win32/VB.NEI worm - deleted Video_part.mim > MIME > New Video,zip .sCr - Win32/VB.NEI worm

http://www.eset.com

Lots of them coming through, just gotta love Nod32

Cheers

 

Is this thread going anywhere?
What is the point in posting this in NOD32 forum, if it is detected? (except if image of NOD would need some vamp-up, which isn't the case, is it?)

Maybe this kind of thing would be more useful in 'Other AV' forum, then maybe somebody affected could buy NOD32?

 

Oh come now, I very rarely receive infected emails except during outbreaks, and thought this was such a case, in fact the virus radar shows it as number 3 on the list at this moment, and I continue to receive a number of emails infected only with this particular detection.

Cheers

 

Isn't that a bit like saying 'C'mon Blackspear, quit having fun and enjoying yourself !!'

Go for it Blackspear, I was just having a laugh to myself at your fun

 

Could U send file to Jotti in capure screen from Jotti's.

izi

 

And as I am armed to teeth and 100% prepared I very rarely get anything infected. I wonder what people are doing when they get infections? I must admit that I do download and try things from "hus-hus" sites but very rarely there is something nasty with them.

 

HEHE!

Nice of Don, isn't it?

 

This is a report processed by VirusTotal on 01/19/2006 at 19:12:15 (CET) after scanning the file "Attachments001.BHX" file.

Antivirus Version Update Result
AntiVir 6.33.0.77 01.19.2006 Worm/KillAV.GR
Avast 4.6.695.0 01.18.2006 no virus found
AVG 718 01.19.2006 Worm/VB.6.AN
Avira 6.33.0.77 01.19.2006 no virus found
BitDefender 7.2 01.19.2006 Win32.Worm.VB.TB
CAT-QuickHeal 8.00 01.18.2006 W32.Vb.Mi
ClamAV devel-20051123 01.18.2006 no virus found
DrWeb 4.33 01.19.2006 Win32.HLLM.Generic.391
eTrust-InoculateIT 23.71.54 01.19.2006 Win32/Blackmal.F!Worm
eTrust-Vet 12.4.2050 01.19.2006 Win32/Blackmal.F
Ewido 3.5 01.19.2006 no virus found
Fortinet 2.54.0.0 01.19.2006 W32/Grew.A!wm
F-Prot 3.16c 01.19.2006 W32/Kapser.A@mm
Ikarus 0.2.59.0 01.18.2006 Email-Worm.Win32.VB.BI
Kaspersky 4.0.2.24 01.19.2006 Email-Worm.Win32.Nyxem.e
McAfee 4678 01.19.2006 W32/MyWife.d@MM
NOD32v2 1.1371 01.18.2006 Win32/VB.NEI
Norman 5.70.10 01.19.2006 Small.KI@mm
Panda 9.0.0.4 01.19.2006 W32/Tearec.A.worm
Sophos 4.01.0 01.19.2006 W32/Nyxem-D
Symantec 8.0 01.19.2006 no virus found
TheHacker 5.9.2.076 01.18.2006 W32/Mywife.mime
UNA 1.83 01.19.2006 no virus found
VBA32 3.10.5 01.19.2006 Email-Worm.Win32.VB.bi

 

Congratulations for the big Symantec. ))) Perhaps in 3 or 4 years will ad a signature for it also. (I'm too evil, sorry.)

 

Yeah, I'm on his fan-mail now, receieved a few more from him this morning

 

...and just for the records, symantec detects this worm from the first minit on, even if virus total doesn't list it as infected! So don't judge based on amateurish online-scans! Bookmark this post for later reviews. It's always like this. Go to www.sarc.com ---> extend the virus threats. Search for the threat were they list "MyWife.d" as McAfee Alias - that's Symantec's Name. Take a look at the date when the description was written (that's usally later than the detection was added) and build up your own mind before you bash some AV program. Same applies for NOD32 if something isn't detected on such online scanner sites! You cannot judge the detection based on such online scanner results! And please someone send a link to this post to firefighter as well

 

http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html


That's the link

 

And one more: The malware author is from Uk, i'm just tracking him down. He's known there as "mysoulmustfly". A typically VB programmer who used several public forums to collect information how to program network spreading code and how to include exploiting code. The malware authors becoming more and more dumb with each day. I'm just waiting for the moment when the next guy includes his phone number and residency.

 

Re: We may have a new outbreak... OT

Don't tell me you're feeling dull

Let me guess the future: AV R creating viruses so that you guys challenge each everyone of you

 

Don't ever trust Hotmail scan results, this is just the latest of many that it has missed

Cheers

 

That's an excellent advise Blackspear.
I remember when some people discovered that Hotmail didn't updated McAfee too much. I think this may apply now for TrendMicro.
Well... Patience...

 

I apologize for my post, but I was enlightened here that every thread must go somewhere. The one I started, I was told, wasn't going anywhere so I am now just studying, where each thread is going, and, as I cannot easily understand that, I have to ask questions.

To remind, I have a piece of small software, intended to protect remotely controlled security systems. It filters all the network traffic and blocks any unauthorized traffic, checks the running processes with authorization list and terminates any unauthorized processes. In addition, authorization lists and their signatures are hidden from Windows API, so there are some rootkit technologies involved too. NOD32 is not running on the computers with this software installed. And, of course, there are some strict internal regulations for use of such software - it is not, and cannot be installed(due to protection) on normal computer. And also, submitted to anybody for analysis, too.

The problem is, that NOD32 detects it as probable virus (and detects properly - there is no false positive - if this code would appear on any normal computer, it should be immediately deactivated, like NOD32 does).
But it is also not possible to copy it on CD with NOD32 running, as NOD does not have an option to manually choose action for AMON, which would not involve *prohibit access. In that way NOD32 is interfering with my work, which it is not supposed to do.

And yes, if NOD32 detects and indicates *probable virus and does not give an option to manually override clean action, it is stupid!
And, if technical support repeatedly, like a parrot, asks to submit the file, it is stupid too, and it forces me to post something in NOD32 forum.
Of course, those are small things that could be easily corrected if somebody would spend 5 minutes to understand the subject, not analyze if the thread is going anywhere or not, or, noticing the word *stupid, consider it bashing.
It also seems impossible for Eset to understand that I might be talking about principle, not solution for my particular case.

After all we are not talking here about Christmas presents, which you are supposed to like, or, if you don't, are expected to act as if you did.

 

Sorry guys for my post. I was just a little bit tired. No more bashing here.

Perhaps u're right. This online scanners are not always so accurate.

 

No Problem, you're OK; but for the record, Happy Bytes is absolutely correct, Symantec was detecting this worm early on. Gavin Coe posted about it three days ago over at TrojanHunter Forum in the following thread: NASTY new email worm -- at which point I noted that a friend had sent me samples and I can verify that they were detected.

I would also like to add, regarding online scanners: VirusTotal uses 8.0 engine of Symantec which is OLD engine {not much unpackers, no detection of expanded threats or spyware, etc.}; illukka and others have sent me quite a few samples that VirusTotal said were missed by Bymantec but were detected by my copy of the latest verion of the program.

Now, as Paul admonishes me/us, this is NOD32 subject and forum, so I didn't want to comment other than to corroborate Happy Bytes' statement, as I have tested early on and verified detection; thanks!

 

Does any one have any idea what this Win32/VB.NEI worm does? Some how it's got past NOD32 although it found it the next morning on it's daily scan and deleted it.

Thanks

Dave

 

NOD32 would have found it before, after you'd have extracted the archive. This worm also spreads in BinHex archives (used on Mac systems), hence these were not initally scanned by NOD32 as archives.

 

Thanks for your quick reply Marcos. I did a in depth scan again afterwards and it came up clean so I presume my machine is clear of it?