Computer virus uses European storms to spread quickly.

Discussion in 'malware problems & news' started by nadirah, Jan 20, 2007.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Another social engineering case:
    Story
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    More updates here:

    http://isc.sans.org/diary.html?storyid=2071

    This is a good opportunity to contact your ISP about getting executable attachments stripped,
    if not done already. I asked my ISP and he said that the filter is part of the AV server mailer program, MDaemon:

    http://www.urs2.net/rsj/computing/imgs/agent-storm.gif
    __________________________________________________________


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, I´ve received: "Full Clip.exe" and "Read More.exe" attachments. I´ve submited them to AV companies.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    And in turn, the reward is AV signature/definition updates. :D:eek::D
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    Part of the article:

    The virus was detected in Asia on Friday, where it was likely to have been created...

    Sounds as if they are talking bio warfare and not simple 0-1 code. Bloody fear-mongering. Rush to buy your innoculation. TBX and Atropine straight to the CPU.

    It's computer code! Not plague coming to savage 35% of European population ...

    Mrk
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    True, but from the sans.org diary:

    Complain to your ISP!


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    My ISP have AV scanning (I wonder which is the engine :rolleyes:), but they do not filter attachments. They don´t care.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    A few my ISP caught using Postini and an antivirus. Looks like I had a couple of these in there.
     

    Attached Files:

  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I just looked up Postini. With solutions like this for all ISPs, much of the problem would disappear.

    Complain!!! and send them this link:

    http://www.postini.com/

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  10. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I don't know enough about what my ISP does to comment but www.netaddress.com removes most of the spam I receive and occasionally advises that an attachment has been cleaned or deleted. I hope they are doing a good job as I'm signed up until June 2010
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Their support is rubbish. They have problems with almost everything (DNS servers, latency, quality of connection, etc)
    Here, almost all ISP behave very similar.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As with most malware today, the aim is to install a trojan. Symantec has identified this one as Trojan.Peacomm

    In this excellent writeup you can analyze step-by-step how the trojan sets up to be part of a botnet and understand how these things work.

    From another article:

    However, other security in place could stop it from carrying out the payload, effectively localizing the damage.
    From Symantec:

    A properly configured firewall would catch this. I tested last year with Netsky:

    http://www.urs2.net/rsj/computing/imgs/outbound.gif

    A program like Process Guard would alert to this:

    http://diamondcs.com.au/processguard/index.php?page=attacks

    Recently, TNT posted an example of a trojan that aborted if it detected the existence of PG.

    The problem is, that most people having this type of security in place already know not to open unknown attachments, so we are back to square one: the social engineering thing, and how to educate users.

    from the MSNBC article:
    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  13. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
  14. ASpace

    ASpace Guest

    I have Windows Media Player and can't watch this video (sounds interesting) . WMP got an error downloading appropriate codec so is there another way to see it ?
     
  15. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi :)

    Assuming we're talking about the same thing - did you see the link to YouTube ?
     
  16. herbalist

    herbalist Guest

    I received several of these as well in a well spammed Yahoo mailbox. Their built in Norton AV has only recognized one of the attachments as infected. The Dr.Web browser extension shows them all clean, which suprised me as Dr Web did show the files infected when I uploaded them to VirusTotal. The number of "clean" scans there isn't encouraging. I'm not sure if the extension doesn't work on a Yahoo mailbox or if it doesn't work at all.
    I can accept an AV missing a new virus, but these aren't new anymore. The ones I have came early Friday. If anything, they show just how unreliable AVs are anymore. It apprears I have some social un-engineering to do before some of my clients open that stuff.
    Rick
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I received some also. NOD32 catched all except for the last one. Hope they'll add it fast.
     
  18. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    i originally posted this question in the NOD32 forum but that thread got closed and referred to this one, so....

    the Virus Radar reports it was first captured on the 20th Jan, yet the virus was making the news on the morning of the 19th Jan (in the UK anyway: http://news.bbc.co.uk/1/hi/technology/6278079.stm.

    IF it is the same virus, then can anyone tell me if it was detected heuristically before a signature was created?

    thanks
     
    Last edited by a moderator: Jan 21, 2007
  19. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    It uses the Xvid codec, you can get it here:

    http://www.xvidmovies.com/codec/
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From Symantec analysis January 19:

    note: You need to edit your BBC hyperlink to remove the )


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Last edited: Jan 21, 2007
  21. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    thanks rmus. well if Symantec detected it heuristically then i'd hope NOD32 could. thought it was more a NOD32 support question really, but hey ho
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It is not actually a virus but a trojan dropper.

    The trojan when executed drops a malware rootkit(wincom32.sys) which equates to a hidden backdoor onto the then compromised PC if not blocked.

    The engineered email campaign *the storms* was not the trojans first appearance.It has been turning up in CWS infections for me since last Tuesday.Note the date of the following upload>>>
    http://www.castlecops.com/t177349-MD5_36b807caf4b20f3dc4e180c2555ebd46_wincom32_sys.html

    Todate 6/8 CWS harvesting runs: have imported the trojan dropper and subsequent rootkit for me...
    http://www.dslreports.com/forum/remark,17682020
     
  23. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    potato / potato....hmm, doesnt work very well typed out....malware then, just wondering whether my AV detected it initially via heuristics.
     
  24. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    I got a couple of them "Fuclip" the other day, which of course my NOD32 instantly took care of. But I always enjoy reading the posts by the above quoted gentleman, since he has a way of putting things in a different perspective. A computer/security noob like me find this calming. Makes one think, doesn't it?
     
  25. lano1

    lano1 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    1
    now.. anybody know how to remove it..?:rolleyes:
     
Loading...
Thread Status:
Not open for further replies.