Urgent! Please add this detection

I, together with a big number of Chinese customers, have reported and submitted a sample of this virus to ESET. The earliest report dates back to February. At this moment NOD32 is still unable to detect/remove this virus, and protect users from its infection.

Below is a letter sent 38 hours ago to samples@eset.com. No reply was made and no detection added so far. The letter ran as follows:

'Dear sir,

I'm writing to report a widespread and very destructive virus to you. The information regarding this virus runs hereunder:

Virus Name: Trojan-Spy.Win32.Delf.uy (by KAV)

The virus contains a .dll file and has its process invisible to users. It injects itself into system process to enable autorun with rundll32.exe.

The virus activates itself by means of the autorun.inf file. Once activated, it repeatedly generates a file named sysinfo.dll in system32 folder. It injects itself into explorer.exe and winlogon.exe processes, generates sysinfo2.dll (same binary as sysinfo.dll) and autorun.inf files on each disk partition, and propagates via system built-in autorun feature.

Registry changes: The virus repeatedly attempts to write HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377} key and subkeys, and HKLM \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377} key and subkeys to hijack browser. It also attempts to modify the value ShowSuperHidden to 4 under HKU\. DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to disable viewing of hidden files.

Please find attached a sample of this virus in .RAR format.

I have reason to believe that this virus has been submitted multiple times by various users. At this hour it still can't be detected or successfully repelled/removed by NOD32 with the lastest signatures. I cannot stress enough how catastrophic, wide-spread and devastating it is to our computing lives. I'm from China, where folks refer it to 'USB Disk Virus', since it often migrates to and infects other computers through USB disk. It's such a common virus that nearly one third of local computers have been infected. Unable to cope with this threat, NOD32 is seeing a fast decrease in the number of user community.

NOD32 is a great antivirus product that has always my thumbs up. With regard to this major ITW threat, I'm pleading for your immediate attention and updating signatures accordingly.

I look forward to hearing from you.'

Again, this is no zoo virus. This is an active, malignant, widespread ITW threat that brings down to its feet nearly 1/3 of computers running NOD32 throughout China! Throughout China, how does that compare?

Please add this detection, now. Do your customers a favor and get them protected against this ~Snip~ threat. We don't want to reinstall Windows again!

Thread Title adjusted ~ Blackspear

 

Hello,
we have tracked down all email we have received at samples to no avail. Nevertheless, there was one dll received from Virus Total that was detected under that name by Kaspersky. We will analyse and add detection for it if it turns out to be alright (not corrupted). However, we will also need the dropper (exe file). Please zip it, protect the archive with the password "infected" and submit it to samples[at]eset.com with this thread's url in its subject.

 

Thank you for your attention, Marcos. This virus does not contain an .exe file, it's just a plain .dll which injects into system processes and enables autorun with rundll32.exe with help of autorun.inf file. Please double check, thanks again.

 

Security experts and IT professionals may visit the following link to retrieve a live sample of this virus in compressed RAR format.

Warning: Virus Sample

 

Please send autorun.inf to support[at]eset.com with this thread's url in the subject. There must be another exe file that drops the dll and registers it to the system unless it runs regsvr32 directly.

 

I've sent the email as per your instructions. The email reads,

Dear Sir,

I attach this virus as per Marcos instructions in the following thread:

https://www.wilderssecurity.com/showthread.php?p=1014125#post1014125

This is a scanning report from Virus Total.

AntiVir Found TR/Crypt.FKM.Gen
ArcaVir Found Trojan.Spy.Delf.Uy
Avast Found nothing
AVG Antivirus Found PSW.Generic4.HOS
BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV Found nothing
Dr.Web Found BACKDOOR.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Spy.Win32.Delf.uy
Fortinet Found Spy/Delf
Kaspersky Anti-Virus Found Trojan-Spy.Win32.Delf.uy
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found Trojan.Spy.Delf.cfa
VirusBuster Found nothing
VBA32 Found Trojan-Spy.Win32.Delf.uy

This is an analysis report from Norman Sandbox.

sysinfo2.dll : INFECTED with W32/Malware (Signature: W32/Delf.AGJM)

[ DetectionInfo ]
* Sandbox name: W32/Malware
* Signature name: W32/Delf.AGJM

[ General information ]
* File might be compressed.
* Decompressing ASPack.
* Drops files in %WINSYS% folder.
* File length: 197632 bytes.
* MD5 hash: 074926bb5145549a9a34ba04c172c735.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\SysInfo.dll.

[ Changes to registry ]
* Creates key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
* Sets value ""="C:\WINDOWS\SYSTEM32\SysInfo.dll" in key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
* Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}".
* Sets value ""="MyBHO_0.1" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder".
* Sets value "ShowSuperHidden"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced".

[ Process/window information ]
* Creates an event called .
* Enumerates running processes.

[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\SysInfo.dll (197632 bytes) : no signature detection.

Let me know how you go. Thanks.

Alan

 

It's still the dll only. Please send us autoruns.inf as well as I asked you in my previous post.

 

Not on my box but I'll get one for you. Thanks.

Edit: I sent another email containing the said 'autorun.inf' file.

 

Marcos, please keep me updated. Thanks a bunch.

 

Nice to see the sample was finally added, but with the kind of pleading one has to do to get a sample added by Eset, I'm still wondering whether it is worth the effort....

 

I don't see any of that, the email was not located, a 2nd email was requested, sent and received.

Blackspear.

 

The last files you've sent are all clean even though one is flagged by some AVs at Virus Total.

Edit: I just noticed that you've sent another bunch of files out of which some are already detected. We'll check the rest.

 

Clean?! Everyday there's NOD32 user reporting to be hit by this virus. And once hit, they can no longer double click an HD partition to open it. If they do so an error message pops up saying Windows can't locate the file. One can still open a drive by right click and selecting 'open' option from the context menu. The default 'open' option has been replaced by 'play' command though there're no media file types to play. One can no longer view hidden files by going to file options since the virus has disabled the feature in the registry.

This is not benign. Please check again. The .dll I sent first is undoubtedly a virus that is known to most AV vendors 3 months before, a virus that NOD32 is still unable to detect at the moment.

Thanks for your time and effort but please, please care a bit more for your customers and look into this.

 

Please note the sentence commencing with "Edit". As for the dll, detection was added to the update released 2 hours after you submitted it:

29. 5. 2007 16:13:21 AMON file D:\TEMP\Rar$DI00.093\sysinfo2.dll Win32/Spy.Delf.UY trojan

 

Great! You saved my day! I'm happy that NOD32 can now detect it so that customers don't have to suffer it any more. Thanks Marcos, well done!.

 

....thanking them for adding something old from February. You really seem to have problems with e-mails received from users.

 

Uc-icq is not a virus collector, he found the sample on an actually infected PC and as such it has been dealt with instantly with much higher priority.

 

I also found many samples on infected PCs which you didn't add (I didn't mention the source of every file of course), but anyway it's up to you to decide.

 

ESET analysis system must be improved.

I did a test in the last week.

I caught a sample detected heuristically by AntiVir and NOD32 only. I sent the same file to the companies at the same time.

After 2 days, Avira contact me and after more 3 days a new virus signature was avaliable.

ESET didn`t contact anyone. And after 11 days (today) passed no virus signature was avaliable.



Other example:

Other malwares undetected by NOD32 was sent to the lab in last week and no virus signature or ThreatSense engine was improved.


And another question: The VirusTotal reports that ESET have access are not complete? Why ESET don`t use the reports to improve the malware database?

 

Maybe ESET should have a special "collectors" edition as some seem disappointed.

 

It's very old and known problem, there is lot of posts like that.
If you want that you receive answer and detection in few days don't loose your time with ESET!
Samply switch in AV as you sad detected submitted threat in 3 days.
If someone from ESET don't want see there such kind of advises, please work hard and improve virus response.