One slipped by NOD32 Today.

Discussion in 'NOD32 version 2 Forum' started by Habiru, May 26, 2004.

Thread Status:
Not open for further replies.
  1. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Hi,

    Did anyone else get a similar zipped message with the subject line:

    re: Thanks,

    Zipped file (Loves Money), 127 bytes, and has a password of 24442. There are a number of worms/viruses that meet this requirement.

    If you know what it is, please let me know. I'm not infected but may have some to clean up since NOD didn't catch it. :-(
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    I'm 99.9% sure that it's a worm, probably a variant of Netsky or Bagle. NOD32 can't scan inside password-protected archives, so don't blame NOD32 now. But you can do one thing if you wish to: just decompress this zipped file with that password to a folder. Now AMON might pick up the bug during the decompression. If not, then scan that folder using the /AH switch. Trust me, Habiru, in this scenario you won't be infected by just decompressing the zipped file. Just remember not to RUN or EXECUTE the resultant file. If NOD32 is silent, then remember to send it for virus analysis to ESET. However, you can check it with DrWeb and Kaspersky. You'll just have to upload that decompressed file. Here are the links:

    http://www.dials.ru/english
    http://www.kaspersky.com/scanforvirus.html
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    It's not true.
    NOD can't scan inside compressed files if you manually protect them; however, password-protected worms can be scanned by NOD.

     
  4. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I forgot: NOD can scan worms that spread using password-protected files. Indeed, NOD was the first, with KAV, to analyze password-protected worms.

     
  5. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Hi AMRX,

    Well, it's nailed p/w archives before, or I was not paying attention. The reason for posting this is I got one last week that was NOT p/w protected and it was not recognized either. You are most probably correct on the p/w on the file though, and I need my butt kicked for not giving it more thought. grrrrrr. It was a long day, but not an excuse. :rolleyes:

    I don't as a rule get many worm or virus attempts, but this last month has been the exception. I sent the file off to a number of organizations believing, as you do, that it's a variant of the above two that you listed. What I couldn't find was the -LOVES MONEY-. Perhaps I didn't search hard enough on that either.

    Thanks and take care,
     
  6. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Hi,

    Finally found information that meets the requirement. Sorry guys.


    Beagle.X (not listed on the site, so it makes sense it didn't catch it)

    The Beagle.X (W32/Bagle.aa@MM or Worm.Bagle.z) worm is yet another variant in what is now a long line of Beagle family worms that target Windows systems (Windows 9X, Me, NT, W2K, XP, and WS2003). This worm arrives in messages from spoofed addresses that it collects from address book files and other files it finds in systems it has infected, with subjects such as “changes,” “FAX Message Received,” “Incoming Message,” “Protected message,” “RE: Document,” and “Re: Yahoo!” The body of each message is also variable. If the attachment is a .zip file, message bodies include “Attached file is protected with the password for security reasons,” “Archive password,” “For security purposes the attached file is password protected. Password --,” and “In order to read the attachment you have to use the following password:”. If the attachment is not a .zip file, there is no message body. Attachment names are also variable; examples include “Counter_strike,” “Details,” “Document,” “Half_Live,” “Information,” “Loves money,” “text_document,” and “Your money.”

    (Don't like the comment below about the properly updated a/v.)

    When a user of a system that does not have properly updated anti-virus software opens an attachment in a message generated by this worm, Beagle.X infects the system by copying itself to the system folder as drvddll.exe. It displays a message box containing the following text:

    Can't find a viewer associated with the file.

    and then creates seven mutexes to keep other copies of Beagle as well as certain variants of the Netsky worm from running. It also creates numerous other files in the infected computer’s system folder:
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Habiru, let me quote you: "Zipped file,(Loves Money) 127 bytes and has a password of 24442". According to your statement, it seems the attachment didn't contain any data, so IMON could not pick it up.
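Three points in this thread fit together: Arin's note that a scanner cannot look inside a password-protected archive, the Bagle lure in post 6 where the archive password is quoted in the message body, and Marcos's observation that a 127-byte attachment held no data. The following mail-gateway triage routine is an added example (my own code, not ESET's and not from anyone in this thread): it reads only the zip headers and never extracts anything, and the message body, archives, and the helper names `make_zip`, `inspect_zip` and `triage` are all constructed for illustration.

```python
import io
import re
import struct
import zipfile

# Constructed e-mail body modelled on the Bagle lure phrases quoted in the
# thread ("Archive password", "Password --"); not a real captured message.
SAMPLE_BODY = "For security purposes the attached file is password protected. Password -- 24442"
PASSWORD_RE = re.compile(r"password\s*(?:--|:|is)?\s*(\d{4,8})", re.I)


def password_from_body(body):
    """Return a numeric password quoted in the message body, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def make_zip(name, payload, encrypted=False):
    """Build a constructed zip in memory. With encrypted=True, set bit 0 of the
    general-purpose flag in the local and central headers, which is how a
    password-protected entry is marked (the stored bytes are left as-is)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            struct.pack_into("<H", data, i + off,
                             struct.unpack_from("<H", data, i + off)[0] | 1)
    return bytes(data)


def inspect_zip(data):
    """Summarise an attachment from its headers alone; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
    return {"entries": len(infos),
            "encrypted": any(i.flag_bits & 1 for i in infos),
            "empty": all(i.file_size == 0 for i in infos)}


def triage(body, attachment):
    """Flag the thread's cases: encrypted zip with its password in the body,
    encrypted zip a scanner cannot open, or an archive holding no data."""
    info = inspect_zip(attachment)
    pwd = password_from_body(body)
    if info["encrypted"] and pwd:
        return "suspicious: encrypted zip, password %s in body" % pwd
    if info["encrypted"]:
        return "encrypted zip: contents cannot be scanned"
    if info["empty"]:
        return "empty archive: nothing for a scanner to inspect"
    return "plain zip: scannable"
```

Because the archive is never opened with the password, the routine is safe to run on a gateway; an encrypted zip whose password travels in the same message is the signal to quarantine the message for analysis rather than pass it to a scanner that cannot see inside it.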
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas

    Makes sense to me!! :D
     
  9. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Hi Marcos,

    Thanks for the info, and indeed there was nothing in the zip file, although it was listed as 127 bytes. Yes, I finally did extract it. Now, the reason for the post. You can correct any assumptions or mistakes. In my defense, I was not crying wolf, as I had been for the first time infected by a virus by checking out a payload, as I saw it.

    Last file, received 30/4/2004, was not detected by NOD32. I sent a sample and no answer was forthcoming. I transferred the file to my test machine and extracted it, then deleted it, seeing that there was a payload. Shut the machine down. Continued updating the machine being built and on the same network. As I use these machines for testing they are constantly being formatted and new O/S's installed for various tasks.

    Finish updating the machine with all win updates, install AV and AT and shut it down. Next day, crank it up and install the firewall. JAMMER2ND.EXE is noted as trying to connect to the internet by the firewall. Deny access and check out this file. Find out it's Netsky Z through the net. Crank up the machine it was extracted on to find out the firewall is also indicating JAMMER2ND.EXE is trying to connect to the internet. The firewall that had been previously installed had been removed and another installed on the test machine. I know, should have waited.

    I had assumed that by extracting the file only, it had infected both these clients that had been newly installed. The server which originally d/l the file was not infected, since it is completely locked down. So, I had to assume that by extracting the file, it had infected my network on both new machines. Since I did not know how this happened, I was somewhat reluctant to do it again.

    After reading many of the posts here, I also had to believe that NOD had missed a new one. Don't get me wrong, I support this product 100%, and perhaps my faith in its performance was diluted due to the Netsky Z infection and the other posts on trojans. So don't read this as a malicious post; regard it as being more safe than sorry. I still have clients to look after, and it is in their best interest that I posted it. I hope you feel the same.
     