probably unknown NewHeur_PE virus on Virus Radar

Discussion in 'NOD32 version 2 Forum' started by NOD32 user, Jun 15, 2006.

Thread Status:
Not open for further replies.
  1. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Anybody else seen this "probably unknown NewHeur_PE virus" on Virus Radar, or know what it is?
    It's apparently been spreading for about 7 hours only at the moment.
    Any info?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, but it is quick :eek:
     
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Wait till morning when all those without NOD32 check their emails....then it will really spike!!! ...maybe :)
     
    Last edited: Jun 16, 2006
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Seems it is a new Bagle.GK
    Good work ESET - another potentially bad situation averted thanks to Advanced Heuristics :)
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    good work ESET :thumb:
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Re: a variant of Win32/Bagle worm on Virus Radar

    And another *big bump* in the radar that is no doubt related
    - a heuristic detection of a Bagle variant...!!!

    :)
     

    Attached Files: Bump.jpg
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    From Eset blog: http://www.eset.com/threat-center/blog/index.php

    Excel Zero Day Exploit Reported…Have a bagle with it too

    June 16th, 2006

    It’s been a busy day in anti-virus land. There is a reported zero-day vulnerability in Microsoft Excel. Currently the exploit of the vulnerability comes in email as an attached Excel spreadsheet. When a user opens the spreadsheet the vulnerability is exploited and malicious software is downloaded. So far the malicious downloads have been proactively detected by the signatures and/or advanced heuristic capabilities of NOD32, so if you use NOD32 you are protected. Just for added security, and not to tempt fate, we recommend that you never open unsolicited attachments from anyone. If your best friend, your mom, or anyone you know sends you an attachment in email it is always good to verify that they meant to send it to you -BEFORE- you open it.
    We have also been seeing a lot of Bagle activity. Take a look at www.virusradar.com. You will see that at the time of this writing the number one threat is Bagle.gk, and number two is “a variant of Win32/Bagle worm”. Why does one have a name and the other is just a variant? That’s heuristics at work for you. We have had a sample of the GK variant long enough to develop signatures for it and give it a name. The one titled “a variant of Win32/Bagle worm” is brand new. We didn’t have a signature for the specific worm, but the heuristics were smart enough to know that it was bad and that it was very similar to the other bagle worms. You may not have a signature for the exact bagle, but NOD32 is protecting you anyway. That is the point of heuristics. It is far better to block malicious software now and name it later than to wait until you have a name and clean it up later.
    Currently in the number 5 position is “probably unknown NewHeur_PE virus”. This one isn’t like any bagle we’ve seen before, but we know it is nothing you want running on your PC. We’ll take a look at it later and give it a name, but for now we’ll just make sure it does not cause you any harm.
    Have a happy, safe computing, weekend!
    Randy Abrams
    Director of Technical Education
     
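    The blog post quoted above describes three tiers of verdict: an exact signature that yields a full name (Bagle.GK), a family-level heuristic that yields "a variant of Win32/Bagle worm", and a generic PE heuristic that yields "probably unknown NewHeur_PE virus", with all three blocked regardless of whether a name exists yet. The following is an added toy example written for this thread, not ESET's engine or any real NOD32 logic; the hash database, the family marker strings, the suspicious-import list and the sample byte strings are all constructed here to show how such a tiered decision cascade can be structured, and why the block decision does not depend on naming.

```python
"""Toy tiered classifier: exact signature -> family heuristic -> generic PE heuristic.

Added illustration for the forum thread above. Nothing here is ESET code;
every marker string, threshold and sample is constructed for the example.
"""
import hashlib

# Constructed "samples". A real PE starts with the 'MZ' magic; the rest is filler.
SAMPLE_BAGLE_GK = b"MZ" + b"\x90" * 16 + b"BAGLE_MARKER smtp-spread build=GK"
SAMPLE_BAGLE_NEW = b"MZ" + b"\x90" * 16 + b"BAGLE_MARKER smtp-spread build=XX"
SAMPLE_UNKNOWN_PE = (
    b"MZ" + b"\x90" * 16 + b"VirtualAllocEx WriteProcessMemory CreateRemoteThread"
)
SAMPLE_BENIGN_PE = b"MZ" + b"\x90" * 16 + b"hello world"
SAMPLE_NOT_PE = b"just a text document"

# Tier 1: exact signatures. Constructed: only the GK build has been analysed and named.
KNOWN_HASHES = {
    hashlib.sha256(SAMPLE_BAGLE_GK).hexdigest(): "Win32/Bagle.GK",
}

# Tier 2: family heuristics. Constructed marker strings; a sample carrying at least
# FAMILY_MIN_HITS of a family's markers is reported as a variant of that family.
FAMILY_MARKERS = {
    "Win32/Bagle": [b"BAGLE_MARKER", b"smtp-spread"],
}
FAMILY_MIN_HITS = 2

# Tier 3: generic PE heuristics. Constructed list of API names whose combined
# presence is treated as suspicious in this toy; the threshold is arbitrary.
GENERIC_SUSPICIOUS = [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"]
GENERIC_MIN_HITS = 2


def classify(sample: bytes) -> str:
    """Return a detection name in the same style as the Virus Radar entries."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in KNOWN_HASHES:            # tier 1: we have seen this exact file
        return KNOWN_HASHES[digest]
    if not sample.startswith(b"MZ"):      # PE heuristics only apply to PE files
        return "clean"
    for family, markers in FAMILY_MARKERS.items():   # tier 2: looks like a known family
        hits = sum(1 for m in markers if m in sample)
        if hits >= FAMILY_MIN_HITS:
            return f"a variant of {family} worm"
    generic_hits = sum(1 for api in GENERIC_SUSPICIOUS if api in sample)
    if generic_hits >= GENERIC_MIN_HITS:  # tier 3: unlike any family, still bad
        return "probably unknown NewHeur_PE virus"
    return "clean"


def should_block(sample: bytes) -> bool:
    """The point of the blog post: blocking does not wait for a name."""
    return classify(sample) != "clean"


if __name__ == "__main__":
    for label, s in [
        ("GK build", SAMPLE_BAGLE_GK),
        ("new build", SAMPLE_BAGLE_NEW),
        ("unknown PE", SAMPLE_UNKNOWN_PE),
        ("benign PE", SAMPLE_BENIGN_PE),
        ("not PE", SAMPLE_NOT_PE),
    ]:
        print(f"{label:10s} -> {classify(s)!r:45s} block={should_block(s)}")
```

    Running the block prints one line per constructed sample. The two Bagle builds differ by a few bytes, so only the analysed one matches a hash and gets a full name, while the other falls through to the family tier and is still blocked; the third sample matches no family at all and is caught by the generic tier, which is exactly the "name it later" case the post describes.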
  8. Zaniemac

    Zaniemac Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    3
    Hi Sir_Carew, now in 2007 how many are infected? And do you know what to do if you just installed nod32 and find that you have the NewHeur_PE virus and your virus protection never noticed it? It is in a Locals temp cryptfg.exe file and I can't even find it to send it to eset samples and support! It is messing up my internet and e-mails and if I delete it I have trouble too. If you do, thanks...if you don't I'll keep looking. Anyway,
    You too have a happy and safe computing weekend.
    Suzie Kelly
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should be able to delete it using the on-demand scanner at least, or you might want to try the new ESS beta, which has an option for automatic cleaning (www.eset.com/beta).
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Answering your previous thread: I did a Google search for cryptfg.exe and it seems that you'll need to post a HijackThis log in a specialized forum (do not post it here, it's not allowed).
    In the meantime, you could try Castlecops' Malware Removal suggestions. I recommend SUPERAntiSpyware and AVG Anti-Spyware.

    After you clean your computer, join Wilders and learn how to avoid such annoying headaches ;)
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, I agree with Marcos, and also: restart Windows in safe mode, do a full scan of your hard drive, and delete all infected and suspicious files using NOD32.
    Cheers

     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Which reminds me, I gotta install NOD after a fresh XP install :p
     