New outbreaks

Discussion in 'NOD32 version 2 Forum' started by Marcos, Nov 1, 2005.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    ThreatSense strikes against new outbreaks; detection by signatures has been added in update 1.1270:

    Detections of a Win32/Bagle worm variant on 2005-11-01, by hour:
    2005-11-01 22 : 4137
    2005-11-01 21 : 1959
    2005-11-01 20 : 3434
    2005-11-01 19 : 2354
    2005-11-01 18 : 1438
    2005-11-01 17 : 407
    2005-11-01 16 : 0

    Detections of a Win32/Mytob worm variant on 2005-11-01, by hour:
    2005-11-01 22 : 50
    2005-11-01 21 : 23
    2005-11-01 20 : 7
    2005-11-01 19 : 2
    2005-11-01 18 : 0
     

    Attached Files:

    Last edited: Nov 2, 2005
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I'm just getting more and more satisfied with my purchase of NOD32.
    Its heuristics kick ass, support is priceless and the program itself is working like a charm ;)

    It's all good. Thanks for the info Marcos.
     
  3. rawr

    rawr Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    128
    Location:
    Illinois, U.S.A
    Posts like this make me happy I'm using Nod. :D
     
  4. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    At 7am NOD32 was updated (NOD32 - 1.1270 (20051101)), and it contains the following updates: "Win32/Bagle.DC, Win32/Bagle.DD, Win32/Maslan.D"

    At 10am I received an email: "sms_text.zm9 > ZIP > t_535475.exe - Win32/Bagle.DC worm"

    Yeah I am a lucky bastard :D
    (not really, but thanks to NOD32)
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Another one imminent, but this downloader shouldn't work on most systems.
    Detections of "probably unknown NewHeur_PE virus" on 2005-11-02, by hour:
    2005-11-02 14 : 989
    2005-11-02 13 : 995
    2005-11-02 12 : 0
     
  6. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    File: Health_and_knowledge.vzip
    MD5 ce72c528291a863b037161e70b9c162b
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found Worm.Beagle.CZ6
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Downloader.Bagle.H
    ClamAV Found Worm.Bagle.CA-1
    Dr.Web Found Win32.HLLM.Beagle.38912
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.eb
    NOD32 Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

    * File length: 9675 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\hloader_exe.exe.
    * Creates file C:\WINDOWS\SYSTEM\hleader_dll.dll.

    [ Changes to registry ]
    * Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Enumerates running processes.
    * Modifies other process memory.
    * Creates a remote thread.
    UNA Found nothing
    VBA32 Found Email-Worm.Bagle.22 (paranoid heuristics) (probable variant)
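As an added example (not from the post above and not any vendor's tooling): a Python parser that turns a behaviour report in the Norman sandbox layout quoted in the scan results into a list of IOCs and behaviour flags. The embedded sample is the report text from the post, reformatted as a constructed string; the section names it matches on, the regular expressions, the list of autostart keys and the flag labels are this example's own assumptions, not a vendor taxonomy.

```python
"""Turn a Norman-SandBox-style behaviour report into IOCs and technique flags."""
import re

# Constructed sample: the sandbox section of the multi-scanner result quoted in the thread.
SAMPLE_REPORT = r"""
[ General information ]
* File length: 9675 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\hloader_exe.exe.
* Creates file C:\WINDOWS\SYSTEM\hleader_dll.dll.

[ Changes to registry ]
* Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Enumerates running processes.
* Modifies other process memory.
* Creates a remote thread.
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
FILE_RE = re.compile(r"^\* Creates file (?P<path>.+?)\.?$")
REG_RE = re.compile(r'^\* Creates value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"\.?$')
LEN_RE = re.compile(r"^\* File length: (?P<n>\d+) bytes")

# Registry keys whose values run at logon (assumption: only the two common Run keys).
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")


def parse_report(text):
    """Group the '* ...' bullet lines under their '[ section ]' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.startswith("*"):
            sections[current].append(line)
    return sections


def extract_iocs(sections):
    """Pull dropped-file paths and created registry values out of the parsed report."""
    iocs = {"file_length": None, "files": [], "registry": []}
    for line in sections.get("General information", []):
        m = LEN_RE.match(line)
        if m:
            iocs["file_length"] = int(m.group("n"))
    for line in sections.get("Changes to filesystem", []):
        m = FILE_RE.match(line)
        if m:
            iocs["files"].append(m.group("path"))
    for line in sections.get("Changes to registry", []):
        m = REG_RE.match(line)
        if m:
            iocs["registry"].append((m.group("key"), m.group("name"), m.group("data")))
    return iocs


def flag_techniques(sections, iocs):
    """Derive behaviour flags; the labels are this example's own, not a vendor taxonomy."""
    flags = set()
    dropped = {p.lower() for p in iocs["files"]}
    for key, _name, data in iocs["registry"]:
        if key.rstrip("\\").lower().endswith(AUTOSTART_SUFFIXES):
            flags.add("persistence:registry-run-key")
            if data.lower() in dropped:          # Run value executes a file the sample dropped
                flags.add("persistence:run-key-points-at-dropped-file")
    proc = " ".join(sections.get("Process/window information", [])).lower()
    if "enumerates running processes" in proc:
        flags.add("discovery:process-enumeration")
    if "modifies other process memory" in proc and "creates a remote thread" in proc:
        flags.add("injection:remote-thread")     # classic WriteProcessMemory + CreateRemoteThread pattern
    return sorted(flags)


def analyse(text):
    """Parse a report and return (iocs, flags)."""
    sections = parse_report(text)
    iocs = extract_iocs(sections)
    return iocs, flag_techniques(sections, iocs)


if __name__ == "__main__":
    iocs, flags = analyse(SAMPLE_REPORT)
    print("files:", *iocs["files"], sep="\n  ")
    for key, name, data in iocs["registry"]:
        print(f"registry: {key}\\{name} = {data}")
    print("flags:", ", ".join(flags))
```

The correlation between the Run value's data and the dropped-file list is the useful bit: a Run key on its own is noisy, but a Run key that launches a file the same sample just wrote is a persistence mechanism you can hunt for directly (the value name and the path are the IOCs to query on hosts).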
     
  7. Happy Bytes

    Happy Bytes Guest

    Yep, there are a lot of new Bagle versions today.
    So far all of them have been nailed by heuristics, both the dropper (executable) and the downloader (DLL) components of all the new Bagle versions :D

    We've just updated to proper names. Bagle.DG is the latest so far - but expect more today.
     
  8. Happy Bytes

    Happy Bytes Guest

    By the way - "good" news: the latest Bagle downloader will most likely not work :D :D :D The malware author uses a PUSH/RET trick to avoid a so-called "Get Delta" function.

    Well, since the DLL image base might change depending on the host system, this trick actually only works with PE executables and not with dynamic link libraries :D

    The DLL code is always reloaded at runtime (on the attach-to-DLL request) at different memory addresses; therefore this virtual push address would be incorrect and the file might not initialize during the DLL loading process. :D

    This downloader DLL will most likely "kill" every explorer process after code injection because of this "bug".
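As an added example (this is not from the post and not Bagle's code): a small Python model of the two stubs contrasted above. It simplifies x86 to one address unit per instruction and assumes a preferred image base of 0x10000000 and a relocated base of 0x00C30000 (both made-up values). It shows that PUSH imm32 / RET carries a link-time absolute address that is only valid when the image lands at its preferred base, while CALL / POP reads the runtime return address the CPU pushed and so yields the correct delta wherever the image is loaded.

```python
"""Model of the 'get delta' problem: PUSH/RET vs CALL/POP under image relocation.

Every instruction occupies one address unit; addresses embedded in operands are the
link-time absolute addresses an assembler would emit for the preferred image base.
"""

PREFERRED_BASE = 0x10000000   # assumed link-time base of the downloader DLL
RELOCATED_BASE = 0x00C30000   # assumed base the loader actually picks in a host process


class Fault(Exception):
    """Control transfer to an address outside the loaded image (access violation)."""


def execute(code, load_base, max_steps=50):
    """Run `code` loaded at `load_base`; return the register file at HALT."""
    regs = {"eax": 0, "ebx": 0}
    stack = []
    pc = load_base
    for _ in range(max_steps):
        offset = pc - load_base
        if not 0 <= offset < len(code):
            raise Fault(f"fetch from unmapped address {pc:#010x}")
        op, arg = code[offset]
        pc += 1                      # fall-through address of the next instruction
        if op == "push":             # push imm32: an absolute, link-time constant
            stack.append(arg)
        elif op == "call":           # call rel: the CPU pushes the *runtime* return address
            stack.append(pc)
            pc += arg
        elif op == "pop":
            regs[arg] = stack.pop()
        elif op == "ret":            # ret: jump to whatever is on top of the stack
            pc = stack.pop()
        elif op == "sub":
            reg, imm = arg
            regs[reg] -= imm         # Python ints; on x86 this wraps mod 2**32, same net effect
        elif op == "mov":
            reg, imm = arg
            regs[reg] = imm
        elif op == "halt":
            return regs
        else:
            raise ValueError(op)
    raise Fault("runaway execution")


def link_addr(index):
    """Link-time address of instruction `index`, as written into the image bytes."""
    return PREFERRED_BASE + index


# Stub A: PUSH <absolute address of label>; RET. The pushed address is a link-time
# constant, so it is only right when the image lands at PREFERRED_BASE.
STUB_PUSH_RET = [
    ("push", link_addr(2)),   # 0: push offset label
    ("ret", None),            # 1: ret  -> jumps to label only if not relocated
    ("mov", ("eax", 1)),      # 2: label: mov eax, 1
    ("halt", None),           # 3
]

# Stub B: CALL next; next: POP EBX; SUB EBX, offset next. The CPU pushes the real
# runtime address, so EBX ends up holding load_base - PREFERRED_BASE (the "delta").
STUB_CALL_POP = [
    ("call", 0),                       # 0: call next (rel 0 falls into next)
    ("pop", "ebx"),                    # 1: next: pop ebx
    ("sub", ("ebx", link_addr(1))),    # 2: sub ebx, offset next
    ("halt", None),                    # 3
]


def run_push_ret(load_base):
    """'ok' if the stub reached its label, otherwise the fault description."""
    try:
        regs = execute(STUB_PUSH_RET, load_base)
    except Fault as exc:
        return f"fault: {exc}"
    return "ok" if regs["eax"] == 1 else "wrong path"


def run_call_pop(load_base):
    """Delta the stub computes; add it to any link-time address to relocate it."""
    return execute(STUB_CALL_POP, load_base)["ebx"]


if __name__ == "__main__":
    for base in (PREFERRED_BASE, RELOCATED_BASE):
        print(f"base {base:#010x}: push/ret -> {run_push_ret(base)}; "
              f"call/pop delta -> {run_call_pop(base):#x}")
```

At the preferred base both stubs behave; at the relocated base the PUSH/RET stub returns into an unmapped address, which in a DLL injected into explorer.exe means the host process dies, while CALL/POP still produces the right delta. A normally linked DLL would get its PUSH imm32 patched through the .reloc section; hand-written code without a relocation entry for that immediate does not, which is the failure mode described in the post.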
     
  9. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    And more fun for you - this is what the typical spreading of a worm looks like. Those two peaks are very typical. If you can give the correct answer why every epidemic looks like this, you win a free beer (first correct answer only). Times are in GMT+1 to help you a bit... Happy Bytes is excluded from participation...
     

    Attached Files:

  10. Happy Bytes

    Happy Bytes Guest

    :mad: :mad: :mad: By the way, I'm still angry with you because you tricked me into this stupid electro-shock tank game - my right hand is still in shock :eek: :eek: :eek:
     
  11. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    OK, I'll give it a guess :

    1st peak - U.S. users as they get home from work and check their email
    1st dip after peak - Saturation as fewer machines are found to be infectable
    2nd peak - Asia/Pacific Rim users get online
    Sharp drop at end - Defs are deployed by AV vendors or patches are applied

    Jack
     
  12. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    No no no, GMT+1 is mentioned, which means it is European time....
    Knowing that company networks are better protected than home computers, the first peak is Europeans coming home from work and booting their computers. The first drop is when they shut down for the night. In the meantime US users start returning home from work and booting up their computers... The second drop is the result of US computers shutting down together with the release of AV updates.

    Just my guess.

    Ciao
    Itsme
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    1st peak is eastern europe, 2nd is USA, final peak is Asia.

    My guess, and I don't drink beer, so it will have to be a tub of KAHLUA Mudslide; coffee liqueur blended through lusciously creamy ice cream, swirled with a mudslide of thick chocolate fudge.

    Cheers :D
     
  14. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    OK, since people have already used the "coming home from work" explanation, I will try another one. I still want to be eligible for the prize. ;)

    The first peak is an initial round of infection. Some of these people stop the worm in time, but other people don't. The people who do not stop this worm spread it around some more. This accounts for the bigger second peak. Eventually, antivirus programs are updated and step in, stopping the virus after the second peak.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Who says it's an email spreading worm that will propagate to others when run ? :)
     
  16. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Is it because the virus "author" has released one strain as a test; signatures are updated and the first drop in infection rate occurs; next the author modifies the strain for a better infection method, using the knowledge from the first round - ergo they infect more; and the big die-off occurs when AV providers have a generic signature to catch the "class" of threat...?
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Thanks for the heads up on this Marcos. Good to know that NOD has us all protected. :D
     
  18. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Well, at least you were not shot at while standing in the door, as you did to me. And your tank was bigger than mine too..
     

    Attached Files:

    • tank.jpg (37.1 KB)
  19. Happy Bytes

    Happy Bytes Guest

    But my tank doesn't give electro shocks to people :rolleyes:
    It's only protecting our office room here from people who are trying to trick other people into electro-shock tank games :rolleyes:

    Just come into my office again - we have many bullets to spare! I can also launch the ground-to-ground missiles; it smells a bit in the office then, but who cares? :D
     

    Attached Files:

  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    lol, guys.... I can bring mine too? :p I have a real one :D
     
  21. Happy Bytes

    Happy Bytes Guest

    Picture? :D
     
  22. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    btw, do you have any picture of your "very, very small tank column" ("eine sehr aber sehr kleine Panzerkolonne") consisting of 1 tank? ROTFL
     
  23. Happy Bytes

    Happy Bytes Guest

    Do you mean when we drove to the disco in this real Leopard? :D
     
  24. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Hummm,

    What is missing in this battle?
    Maybe a Playmobil or a Falcon? :D
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Another new one:
    Detections of "probably unknown NewHeur_PE virus" on 2005-11-03, by hour:
    2005-11-03 13 : 1785
    2005-11-03 12 : 1888
    2005-11-03 11 : 0
     