New p2p-virus....Win32.Polipos ?

Discussion in 'other anti-virus software' started by izi, Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    AntiVir W32/Regenig
    BitDefender Win32.Polipos.A
    Dr Web Win32.Polipos
    eSafe Win32.Polipos.a
    eTrust-INO Win32/Polipos!Worm
    F-Secure P2P-Worm.Win32.Polipos.a
    Fortinet W32/Polipos.V12
    Kaspersky P2P-Worm.Win32.Polipos.a
    McAfee (BETA) W32/Polipos
    Panda (BETA) W32/Polipos.A
    Sophos W32/Polipos-A
    Symantec (BETA) W32.Polip
    VBA32 Virus.Win32.Polipos.A

    In red those that detect only some.
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
Makes me wonder why AntiVir detects it with a different name. It's not like they detected it first...
     
  3. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
W32/Regenig was added on the 5th of April.
     
  4. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
Well, Polipos is certainly beyond just G1/G2 networks (Gnutella 1 and 2), as I already found it on ED2K/KAD (eMule). This shift was probably caused by hybrid clients like Shareaza that connect to both ED2K and G1/G2, or by users that use Gnutella and eDonkey2000 clients with the same shared folder.
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    AntiVir W32/Polipos
    BitDefender Win32.Polipos.A
    Dr Web Win32.Polipos
    eSafe Win32.Polipos.a
    eTrust-INO Win32/Polipos!Worm
    F-Secure P2P-Worm.Win32.Polip.a
    Fortinet W32/Polipos.V12
    Ikarus P2P-Worm.Win32.Polipos.a
    Kaspersky P2P-Worm.Win32.Polip.a
    McAfee (BETA) W32/Polipos
    Panda (BETA) W32/Polipos.A
    Sophos W32/Polipos-A
    Symantec W32.Polip
    VBA32 Virus.Win32.Polipos.A
    VirusBuster Win32.EPO-Generic.A

    Red means: does not detect all.
     
  7. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    @IBK
    I see Trend Micro is not in your list, assuming you did not test their detection, right?
     
  8. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Trend Micro does not detect any of the samples used.
    Tried with patterns lpt382.zip and lpt381.zip.

    These AVs detect none or practically none: Avast!, AVG, ClamAV, Command, eTrust-VET, Ewido, F-Prot, Microsoft, Nod32, Norman, QuickHeal, Trend Micro.
     
  9. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    @IBK
That's pretty weird. I'm using the special engine and pattern here (8.0.1999 / 3.382.99). May I try any of the samples on this please? I'll e-mail my contact at Trend Micro right away.
     
  10. wawy

    wawy Registered Member

    Joined:
    Feb 17, 2006
    Posts:
    23
KAV decided to rename this worm from Polipos to Polip, and they hope that other antivirus vendors will follow suit. info
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Appears Symantec has changed its name now.

    And while we're at it, if there is a write-up it usually means that a detection has been added.
     
  12. cisco_vinny

    cisco_vinny Registered Member

    Joined:
    Apr 24, 2006
    Posts:
    4
    Location:
    India
Can anybody please guide how to get rid of this W32.Polipos? My network is badly affected and my team is in deep trouble. We have no option to bring down the entire network. Trend Micro and NAV were not a help. Dr. Web tried to cure some (or just acted), but the problem was there as it is. Any help in this regard is greatly appreciated.
    Thanks & Regards
    Vaneet
     
  13. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
vaneet: I am sorry to say this, but yes, you are in deep trouble. Since Polipos trashes some files you will not be able to fully recover your network, and even a repair might leave some applications in a non-working state (those with self checks). Viruses are often flawed, and this one is no exception.

    You might want to send the files that were not cleaned successfully to DrWeb, they might be able to improve the removal tool to recover some more of them. Personally I think though that in the end, you will have to take down your network either way... how many systems are we talking about here ?
     
  14. TiX

    TiX Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    3
IBK - try to test Kaspersky now, maybe they improved something, because yesterday I saw krnexe.avc updated.
     
  15. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
NOD32 has also added detection; it'll be interesting to see if they detect all the samples you (IBK) have there.

    thanks, lee
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hope they do.... regarding NOD32 :D
     
  17. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    AntiVir W32/Polipos
    BitDefender Win32.Polipos.A
    Dr Web Win32.Polipos
    eSafe Win32.Polipos.sus
    eTrust-INO Win32/Polipos!Worm
    eTrust-VET (BETA) Win32/Polip.A
    F-Secure P2P-Worm.Win32.Polip.a
    Fortinet W32/Polipos.V12
    Ikarus P2P-Worm.Win32.Polipos.a
    Kaspersky P2P-Worm.Win32.Polip.a
    McAfee W32/Polipos
    Nod32 Win32/Polip virus
    Panda (BETA) W32/Polipos.A
    Sophos W32/Polipos-A
    Symantec W32.Polip
    VBA32 Virus.Win32.Polipos.A
    VirusBuster Win32.EPO-Generic.A
     
  18. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Are you sure about Panda? Not sure if VT has the latest updates there...

    Avira 6.34.1.58 04.25.2006 W32/Polipos
    BitDefender 7.2 04.25.2006 Win32.Polipos.A
    CAT-QuickHeal 8.00 04.24.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.24.2006 no virus found
    DrWeb 4.33 04.25.2006 Win32.Polipos
    eTrust-InoculateIT 23.71.138 04.25.2006 Win32/Polipos!Worm
    eTrust-Vet 12.4.2175 04.24.2006 no virus found
    Ewido 3.5 04.25.2006 no virus found
    Fortinet 2.71.0.0 04.25.2006 W32/Polipos.V12
    F-Prot 3.16c 04.21.2006 no virus found
    Ikarus 0.2.59.0 04.24.2006 P2P-Worm.Win32.Polipos.a
    Kaspersky 4.0.2.24 04.25.2006 no virus found
    McAfee 4747 04.24.2006 W32/Polipos
    NOD32v2 1.1505 04.25.2006 Win32/Polip
    Norman 5.90.16 04.24.2006 no virus found
    Panda 9.0.0.4 04.24.2006 no virus found
    Sophos 4.05.0 04.25.2006 W32/Polipos-A
    Symantec 8.0 04.25.2006 W32.Polip
    TheHacker 5.9.7.134 04.24.2006 no virus found
    UNA 1.83 04.21.2006 no virus found
    VBA32 3.11.0 04.24.2006 Virus.Win32.Polipos.A
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    when 2 AV Experts are fighting only pykko can win. :D :D :p (joking of course)
     
  20. cisco_vinny

    cisco_vinny Registered Member

    Joined:
    Apr 24, 2006
    Posts:
    4
    Location:
    India
    Dear Frug
    Thanks for your concern. We have around 30 servers and more than 1000 systems. Well, for the time being we have decided to let it run as it is, as NAV is making EXE files unusable and it's directly affecting our production.
    Well, the next thing I would like to know is: what is the risk if we continue to run our network with POLIP/POLIPOS? It's true that it's spreading and infecting EXE files, but the question is, am I compromising my security with this decision and am I at risk of completely endangering my OS? Please revert back ASAP, as we are running the network completely with POLIP/POLIPOS in it.
    Thanks once again.
    Vaneet
     
  21. cisco_vinny

    cisco_vinny Registered Member

    Joined:
    Apr 24, 2006
    Posts:
    4
    Location:
    India
    Anybody aware of the harms of running a network with POLIP/POLIPOS? Please help, as we need honest advice from experts like you. The Trend Micro team surrendered yesterday and NAV is unable to find any patch, though they were informed 2 days back.
    Please help!

    Thanks & Regards
    Vaneet
     
  22. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
Sounds like you need to take it out section by section, then reconnect them all.
     
  23. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
There is no 100% repair guarantee if you have dead infected executables. You can only delete such files. All my computer stuff except this Apple laptop I'm writing from is on a ship right now, so I cannot help you right now with a cleaner, but if you leave infected machines in the network the risk is always there that you infect already cleaned machines again and again, especially if you have infected files on the server in public folders. You run into the so-called ping-pong effect.
     
  24. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
Basically, block ALL WRITE ACCESS to the server via restrictions. Then clean the server first. Disable all direct connections across the network, such as mapped drives on other network clients. Then start cleaning the clients and don't allow any access other than local access for the time of cleaning. Basically you have to set some priorities here, such as first the server, then you clean some important workstations (yes, I know everyone is important, but you have to do this step by step), then connect these cleaned workstations back to the net and ONLY ALLOW write access FOR THOSE WORKSTATIONS.
     
  25. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    As Frug and IC said, there is no reliable repair for Polip(os)-infected executables. The virus damages files and there is no way to recover the missing data. :(

    I would get a clean boot disk (Bart PE CD) and replace all infected files with clean copies from uninfected systems or installation CDs. Be careful to use the exact same version of the executables. A lot of work. :(
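A defender-side triage step for the replace-don't-repair approach described in the last three posts, added here as an example and not code from the thread or from any vendor: given an inventory of executables from a suspect host and a pool of known-clean copies (taken from uninfected systems or installation media), it keeps files that are byte-identical to a clean copy, marks files for replacement only when a clean copy of the exact same version exists, and marks the rest for deletion since repair is unreliable. Paths, version strings and file contents below are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExeRecord:
    path: str      # path relative to the system root, e.g. "Windows/notepad.exe"
    version: str   # file version string as read from the PE version resource
    sha256: str    # hex digest of the file contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_cleanup(suspect: list, clean_pool: list) -> dict:
    """Sort a suspect host's executables into keep / replace / delete."""
    # Index the clean pool by (path, version): any clean copy of that
    # exact version is an acceptable replacement source.
    clean_hashes = {}
    for rec in clean_pool:
        clean_hashes.setdefault((rec.path, rec.version), set()).add(rec.sha256)

    plan = {"keep": [], "replace": [], "delete": []}
    for rec in suspect:
        candidates = clean_hashes.get((rec.path, rec.version), set())
        if rec.sha256 in candidates:
            plan["keep"].append(rec.path)      # byte-identical to a clean copy
        elif candidates:
            plan["replace"].append(rec.path)   # same version available: overwrite
        else:
            plan["delete"].append(rec.path)    # no clean same-version copy: remove
    return plan


# Constructed sample contents standing in for real executables.
CLEAN_NOTEPAD = b"MZ clean notepad 5.1.2600.2180"
CLEAN_CALC = b"MZ clean calc 5.1.2600.0"
INFECTED_CALC = CLEAN_CALC + b" <modified by infector>"
ORPHAN_TOOL = b"MZ in-house tool 1.0.0.0, no clean copy on hand"

CLEAN_POOL = [
    ExeRecord("Windows/notepad.exe", "5.1.2600.2180", sha256_hex(CLEAN_NOTEPAD)),
    ExeRecord("Windows/system32/calc.exe", "5.1.2600.0", sha256_hex(CLEAN_CALC)),
]
SUSPECT_HOST = [
    ExeRecord("Windows/notepad.exe", "5.1.2600.2180", sha256_hex(CLEAN_NOTEPAD)),
    ExeRecord("Windows/system32/calc.exe", "5.1.2600.0", sha256_hex(INFECTED_CALC)),
    ExeRecord("Apps/tool.exe", "1.0.0.0", sha256_hex(ORPHAN_TOOL)),
]

if __name__ == "__main__":
    for action, paths in plan_cleanup(SUSPECT_HOST, CLEAN_POOL).items():
        print(f"{action:8s} {paths}")
```

Run the replacement pass from a clean boot environment so the infector is not active while files are being copied back.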
     