New Virus - vt100.exe

Discussion in 'NOD32 version 2 Forum' started by auriell, May 6, 2006.

Thread Status:
Not open for further replies.
  1. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I heard of a new virus with rootkit capabilities. So far NOD does not detect it:

    The virus consists of 2 parts:

    1) vt100.exe ( 50 kB EXE ) - hidden process
    2) code of about 8 kB which is used to infect EXE files.
    3) it also tries to connect to some IP.

    I asked my friend to send a sample to ESET (but not sure he will), so I hope it will be detected soon.
     
  2. ASpace

    ASpace Guest

    Please submit this file to
    support(at)eset.com
    samples(at)eset.com

    (at) means @

    Write "possible new virus" as the subject.

    Include the VirusTotal image and explain to them why you think it is suspicious.

    Nice day!
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    At the first sight, the file appears to be very similar to the English version of cmd.exe (apart from the Polish text). We'll see what the guys in the lab say.
     
  4. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I do not have the sample, so I asked my friend to send it. I will try to monitor whether he does it.

    Edit: Oh, now I see Marcos wrote somebody already sent the sample.
     
    Last edited: May 6, 2006
  5. ASpace

    ASpace Guest


    This "somebody" is called VirusTotal. When you submit a file to VirusTotal, by default a sample is given to the AV vendors which participate in this service. ESET is one of these vendors, so when you or your friend submitted the file, VirusTotal sent a sample to ESET labs.

    I just told you to manually submit the file just in case, to be more sure all NOD32 customers are well-protected :)
     
  6. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    Thx, but I am aware of sending samples and I always do it if I can :)

    So as not to open a new thread, I will write about a NOD unpacking problem I discovered yesterday. It happened after I downloaded a CCleaner installer:

    http://img413.imageshack.us/img413/7306/nod3rr.jpg

    The text marked with red color means: "error - unknown compression method"

    I know NOD would detect it if it was something dangerous while extracting.
     
    Last edited: May 6, 2006
  7. ASpace

    ASpace Guest

    I don't think it is a problem. Also, I would never use CCleaner, though :D
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have used CCleaner for a very long time and never had an issue, nor have the hundreds of clients on whose PCs I have installed CCleaner.

    Cheers :D
     
  9. ASpace

    ASpace Guest

    great
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Same here....one of my tools on my USB thumb drive...have used it hundreds 'n hundreds of times...excellent program.
     
  11. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Gotta love CCleaner.....one of the best.
     
  12. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hello.

    I just sent cmd_vt100.exe and vt100.exe to samples(at)eset.com.

    cmd_vt100.exe is an infected Windows cmd.exe file.
    vt100.exe is the virus-rootkit itself.

    Here is the log from my program:
    Code:
    GMER 1.0.10.9819 - http://www.gmer.net
    Rootkit 2006-05-04 18:30:25
    Windows 5.1.2600 Dodatek Service Pack 2
    
    
    ---- Processes - GMER 1.0.10 ----
    
    Process  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) 3004 <-- ROOTKIT !!!
    Library  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT100.EXE [3004] 0x00400000 <-- ROOTKIT !!!
    
    ---- Registry - GMER 1.0.10 ----
    
    Reg      \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT100.EXE
    
    ---- Files - GMER 1.0.10 ----
    
    File     C:\WINDOWS\system32\VT100.EXE
    
    ---- EOF - GMER 1.0.10 ----
    
    As you can see, the virus-rootkit hides its process, file, and registry key.
    After starting, vt100.exe infects almost all files on all possible disks.
    The virus also sends some data over the network to a host located in the *.pl domain.

    Here is another report, but in Polish:
    http://www.gmer.net/vt100.exe.php

    Regards
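As an added example (not code from gmer or from this thread), the following Python parser reads the GMER 1.0.10 log layout quoted above and correlates the Run-key entry with the process GMER reported as hidden, which is the combination an analyst would want flagged. The log it runs on is a constructed copy of the entries in the post, not the original file.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed input in the GMER 1.0.10 log layout quoted in the post above (not the original file).
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.10 ----
Process  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) 3004 <-- ROOTKIT !!!
Library  C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT100.EXE [3004] 0x00400000 <-- ROOTKIT !!!
---- Registry - GMER 1.0.10 ----
Reg      \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT100.EXE
---- Files - GMER 1.0.10 ----
File     C:\WINDOWS\system32\VT100.EXE
"""

@dataclass
class Finding:
    kind: str                        # Process / Library / Reg / File
    path: str                        # file path, or the registry key for Reg entries
    hidden: bool                     # GMER printed its "(*** hidden *** )" marker
    pid: Optional[int] = None
    reg_data: Optional[str] = None   # "<value name> <data>" for Reg entries

ENTRY_RE = re.compile(r"^(Process|Library|Reg|File)\s+(.*?)(?:\s+<-- ROOTKIT !!!)?$")
HIDDEN_MARK = "(*** hidden *** )"

def parse_gmer_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():           # section headers and blank lines are skipped
        m = ENTRY_RE.match(line.strip())
        if not m: continue
        kind, rest = m.groups()
        hidden = HIDDEN_MARK in rest
        rest = rest.replace(HIDDEN_MARK, "").strip()
        if kind == "Process":                 # "<path> <pid>"
            path, pid = rest.rsplit(" ", 1)
            findings.append(Finding(kind, path.strip(), hidden, int(pid)))
        elif kind == "Library":               # "<module> @ <process> [<pid>] <base>"
            lm = re.match(r"^(.*?)\s+@\s+.*\[(\d+)\]", rest)
            findings.append(Finding(kind, lm.group(1), hidden, int(lm.group(2))))
        elif kind == "Reg":                   # "<key>@<value name> <data>"
            key, data = rest.split("@", 1)
            findings.append(Finding(kind, key, hidden, reg_data=data))
        else:                                 # File: "<path>"
            findings.append(Finding(kind, rest, hidden))
    return findings

def hidden_autostarts(findings: list[Finding]) -> list[tuple[str, str]]:
    # Registry entries whose data names a binary GMER reported as a hidden process or module.
    hidden = {f.path.lower() for f in findings if f.hidden and f.kind in ("Process", "Library")}
    return [(f.path, p) for f in findings if f.kind == "Reg" and f.reg_data
            for p in sorted(hidden) if p in f.reg_data.lower()]
```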
     