New virus - VERY DANGEROUS!

Nod32 does not know what it is, but sees it as a "Unknown win32 virus" and it still stops it. This virus replaces nearly ALL of the exe files on a machine with virus inefected files. Most AV products do not detect it; McAfee discovered it yesterday.


This ended up on three machines yesterday at a client of mine; I had not
been out in quite a while (he is incredibly cheap) so all his stuff was
out of date or broken. His Norton AV would not have caught it anyway.



FYI:

AntiVir 6.31.0.9 07.14.2005 W32/Stanit
AVG 718 07.14.2005 Win32/Gaelicum.A
Avira 6.31.0.9 07.14.2005 W32/Stanit
BitDefender 7.0 07.14.2005 no virus found
CAT-QuickHeal 7.03 07.14.2005 no virus found
ClamAV devel-20050501 07.14.2005 no virus found
DrWeb 4.32b 07.14.2005 Win32.Gael.3666
eTrust-Iris 7.1.194.0 07.13.2005 no virus found
eTrust-Vet 11.9.1.0 07.14.2005 no virus found
Fortinet 2.36.0.0 07.14.2005 suspicious
F-Prot 3.16c 07.14.2005 could be infected with an unknown virus
Ikarus 2.32 07.14.2005 no virus found
Kaspersky 4.0.2.24 07.14.2005 Virus.Win32.Tenga.a
McAfee 4535 07.14.2005 W32/Gael
NOD32v2 1.1168 07.14.2005 probably unknown WIN32 virus
Norman 5.70.10 07.14.2005 no virus found
Panda 8.02.00 07.14.2005 no virus found
Sybari 7.5.1314 07.14.2005 W32/Gael
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.14.2005 no virus found

 

Well atleast NOD's heuristics stops it untill they add it to the signature db
If you can, send it to Eset for analysis.

 

Good to have that zero-hour protection.

 

I believe SARC is on this and have ID'd it as win32.licum.

At any rate, it appears they have a def:

Here

 

Does NOD detect Kirvo.B ?

Cannot nowhere find anything about that. Was this Version knwon by ESET ?

 

Here... Read this

 

Ok, thanks.

And you this http://www.zdnet.de/news/security/0,39023046,39135132,00.htm

btw. It's called NEWS from the Yellows

 

Ich verstehe kein Wort was Du mir versuchst in Englisch zu erzaehlen
Also nochmal - was ist los?

 

Very detailed description indeed

 

Says who?

 

There's always some background information and "educational" stuff in my virus descriptions. So basicly you can read them even if you are not infected

Example here - a trojan downloader description spammed 2 days ago:
http://www.eset.com/msgs/vidloq.htm

 

Says me. I didn't understand a word of it, so it must be detailed j/k

 

The title of that page is "Win32/Mytob.DQ"
It is the same for Win32.Mydoom.BI, Win95/Tenrobot.B and Win32/Tenga.A