Urgent! Please add this detection

Discussion in 'NOD32 version 2 Forum' started by uc-icq, May 28, 2007.

Thread Status:
Not open for further replies.
  1. uc-icq, Registered Member (joined Oct 28, 2006; 129 posts)
    I, together with a big number of Chinese customers, have reported and submitted a sample of this virus to ESET. The earliest report dates back to February. At this moment NOD32 is still unable to detect/remove this virus, and protect users from its infection.

    Below is a letter sent 38 hours ago to samples@eset.com. No reply was made and no detection added so far. The letter ran as follows:

    'Dear sir,

    I'm writing to report a widespread and very destructive virus to you. The information regarding this virus runs hereunder:

    Virus Name: Trojan-Spy.Win32.Delf.uy (by KAV)

    The virus consists of a .dll file and keeps its process invisible to users. It injects itself into a system process to enable autorun with rundll32.exe.

    The virus activates itself by means of the autorun.inf file. Once activated, it repeatedly generates a file named sysinfo.dll in the system32 folder. It injects itself into the explorer.exe and winlogon.exe processes, generates sysinfo2.dll (same binary as sysinfo.dll) and autorun.inf files on each disk partition, and propagates via the system's built-in autorun feature.

    Registry changes: The virus repeatedly attempts to write the HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377} key and subkeys, and the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377} key and subkeys, to hijack the browser. It also attempts to modify the value ShowSuperHidden to 4 under HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to disable viewing of hidden files.

    Please find attached a sample of this virus in .RAR format.

    I have reason to believe that this virus has been submitted multiple times by various users. At this hour it still can't be detected or successfully repelled/removed by NOD32 with the latest signatures. I cannot stress enough how catastrophic, widespread and devastating it is to our computing lives. I'm from China, where folks refer to it as the 'USB Disk Virus', since it often migrates to and infects other computers through USB disks. It's such a common virus that nearly one third of local computers have been infected. Unable to cope with this threat, NOD32 is seeing a fast decrease in the size of its user community.

    NOD32 is a great antivirus product that has always had my thumbs up. With regard to this major ITW threat, I'm pleading for your immediate attention and for the signatures to be updated accordingly.

    I look forward to hearing from you.'

    Again, this is no zoo virus. This is an active, malignant, widespread ITW threat that brings down to its feet nearly 1/3 of computers running NOD32 throughout China! Throughout China, how does that compare?

    Please add this detection, now. Do your customers a favor and get them protected against this ~Snip~ threat. We don't want to reinstall Windows again!:mad: :mad:

    Thread Title adjusted ~ Blackspear
     
    Last edited by a moderator: May 29, 2007
  2. Marcos, Eset Staff Account (joined Nov 22, 2002; 14,374 posts)
    Hello,
    we have tracked down all the emails we have received at samples, to no avail. Nevertheless, there was one dll received from Virus Total that was detected under that name by Kaspersky. We will analyse it and add detection for it if it turns out to be alright (not corrupted). However, we will also need the dropper (exe file). Please zip it, protect the archive with the password "infected" and submit it to samples[at]eset.com with this thread's url in its subject.
     
  3. uc-icq, Registered Member
    Thank you for your attention, Marcos. This virus does not contain an .exe file; it's just a plain .dll which injects into system processes and enables autorun with rundll32.exe with the help of an autorun.inf file. Please double check, thanks again.
     
  4. uc-icq, Registered Member
    Security experts and IT professionals may visit the following link to retrieve a live sample of this virus in compressed RAR format.

    Warning: Virus Sample
     
  5. Marcos, Eset Staff Account
    Please send autorun.inf to support[at]eset.com with this thread's url in the subject. There must be another exe file that drops the dll and registers it to the system unless it runs regsvr32 directly.
     
  6. uc-icq, Registered Member
    I've sent the email as per your instructions. The email reads:

    Dear Sir,

    I attach this virus as per Marcos' instructions in the following thread:

    https://www.wilderssecurity.com/showthread.php?p=1014125#post1014125

    This is a scanning report from Virus Total.

    AntiVir Found TR/Crypt.FKM.Gen
    ArcaVir Found Trojan.Spy.Delf.Uy
    Avast Found nothing
    AVG Antivirus Found PSW.Generic4.HOS
    BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
    ClamAV Found nothing
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Spy.Win32.Delf.uy
    Fortinet Found Spy/Delf
    Kaspersky Anti-Virus Found Trojan-Spy.Win32.Delf.uy
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found Trojan.Spy.Delf.cfa
    VirusBuster Found nothing
    VBA32 Found Trojan-Spy.Win32.Delf.uy

    This is an analysis report from Norman Sandbox.

    sysinfo2.dll : INFECTED with W32/Malware (Signature: W32/Delf.AGJM)

    [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: W32/Delf.AGJM

    [ General information ]
    * File might be compressed.
    * Decompressing ASPack.
    * Drops files in %WINSYS% folder.
    * File length: 197632 bytes.
    * MD5 hash: 074926bb5145549a9a34ba04c172c735.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\SysInfo.dll.

    [ Changes to registry ]
    * Creates key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
    * Sets value ""="C:\WINDOWS\SYSTEM32\SysInfo.dll" in key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
    * Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}\InprocServer32".
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}".
    * Sets value ""="MyBHO_0.1" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}".
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder".
    * Sets value "ShowSuperHidden"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced".

    [ Process/window information ]
    * Creates an event called .
    * Enumerates running processes.

    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\SysInfo.dll (197632 bytes) : no signature detection.

    Let me know how you go. Thanks.

    Alan
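The indicators quoted in post 1 and in the Norman Sandbox report above (the BHO CLSID, the InprocServer32 entry, the sysinfo.dll / sysinfo2.dll files, the autorun.inf on each drive root, the ShowSuperHidden change and the reported MD5) can be checked on a suspect host without any vendor tooling. The following script is an added example written for this page; it is not code from the thread, from ESET or from any sandbox. It only reads and reports, it does not clean anything. Assumptions: Windows PowerShell 5.1 or later, run elevated so that HKEY_USERS\.DEFAULT and every drive root are readable; the file names, CLSID and MD5 are the ones quoted in the thread.

```powershell
# Added example (not from the thread or from ESET): read-only triage for the
# host indicators described in this thread. Assumes an elevated PowerShell 5.1+.

$Clsid    = '{989D2FEB-5411-4565-8988-1DD2C5263377}'   # BHO CLSID quoted in post 1
$KnownMd5 = '074926BB5145549A9A34BA04C172C735'         # MD5 from the sandbox report
$Findings = New-Object System.Collections.Generic.List[string]

function Add-Finding { param([string]$Message) $Findings.Add($Message) }

# 1. COM class and Browser Helper Object registration that makes Explorer/IE load the DLL
$ClassKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$BhoKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
if (Test-Path -LiteralPath $ClassKey) { Add-Finding "COM class registered: $ClassKey" }
if (Test-Path -LiteralPath $BhoKey)   { Add-Finding "BHO registered: $BhoKey" }

# The InprocServer32 default value names the DLL on disk (SysInfo.dll in the report)
$InprocKey = "$ClassKey\InprocServer32"
if (Test-Path -LiteralPath $InprocKey) {
    $DllPath = (Get-ItemProperty -LiteralPath $InprocKey).'(default)'
    Add-Finding "InprocServer32 points at: $DllPath"
}

# 2. ShowSuperHidden tampering; a value of 1 means protected OS files are shown.
#    Post 1 reports HKU\.DEFAULT, the sandbox reports HKCU, so both are checked.
$AdvancedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
)
foreach ($Key in $AdvancedKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Value = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($null -ne $Value -and $Value -ne 1) {
        Add-Finding "ShowSuperHidden is '$Value' under $Key (expected 1)"
    }
}

# 3. Dropped DLL in System32, plus the per-drive copy and autorun.inf on every drive root
$Candidates = @( (Join-Path $env:SystemRoot 'System32\sysinfo.dll') )
foreach ($Drive in Get-PSDrive -PSProvider FileSystem) {
    $Candidates += Join-Path $Drive.Root 'sysinfo2.dll'
    $Autorun = Join-Path $Drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $Autorun) {
        # -Force reads the file even when it carries the hidden and system attributes
        $Lines = Get-Content -LiteralPath $Autorun -Force -ErrorAction SilentlyContinue
        Add-Finding "autorun.inf on $($Drive.Root):`n$($Lines -join "`n")"
    }
}
foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $Note = if ($Hash -eq $KnownMd5) { 'matches the sandbox MD5' } else { 'MD5 differs, possible variant' }
    Add-Finding "file present: $Path (MD5 $Hash; $Note)"
}

# 4. Report. Nothing is deleted or changed; cleanup is left to the AV product or to
#    a deliberate manual step once the findings have been reviewed.
if ($Findings.Count -eq 0) {
    'No indicators from this thread were found on this host.'
} else {
    "$($Findings.Count) indicator(s) found:"
    $Findings | ForEach-Object { " - $_" }
}
```

Dumping the autorun.inf content is what explains the symptom described later in the thread (double-clicking a drive fails and the context menu's default action changes): the file's shell entries are what Explorer executes, so seeing them tells you which DLL or command the drive has been pointed at. A matching MD5 confirms the same binary the sandbox analysed; a different hash with the same file names and keys suggests a variant that still deserves a fresh sample submission.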
     
  7. Marcos, Eset Staff Account
    It's still the dll only. Please send us autorun.inf as well, as I asked you in my previous post.
     
  8. uc-icq, Registered Member
    Not on my box but I'll get one for you. Thanks.

    Edit: I sent another email containing the said 'autorun.inf' file.
     
    Last edited: May 29, 2007
  9. uc-icq, Registered Member
    Marcos, please keep me updated. Thanks a bunch.
     
  10. Firecat, Registered Member (joined Jan 2, 2005; 7,927 posts; location: The land of no identity :D)
    Nice to see the sample was finally added, but with the kind of pleading one has to do to get a sample added by Eset, I'm still wondering whether it is worth the effort....:doubt:
     
  11. Blackspear, Global Moderator (joined Dec 2, 2002; 15,115 posts; location: Gold Coast, Queensland, Australia)
    I don't see any of that, the email was not located, a 2nd email was requested, sent and received.

    Blackspear.
     
  12. Marcos, Eset Staff Account
    The last files you've sent are all clean even though one is flagged by some AVs at Virus Total.

    Edit: I just noticed that you've sent another bunch of files out of which some are already detected. We'll check the rest.
     
    Last edited: May 29, 2007
  13. uc-icq, Registered Member
    Clean?! Every day there's a NOD32 user reporting being hit by this virus. And once hit, they can no longer double-click an HD partition to open it. If they do so, an error message pops up saying Windows can't locate the file. One can still open a drive by right-clicking and selecting the 'open' option from the context menu. The default 'open' option has been replaced by a 'play' command, though there are no media file types to play. One can no longer view hidden files by going to file options, since the virus has disabled the feature in the registry.

    This is not benign. Please check again. The .dll I sent first is undoubtedly a virus that has been known to most AV vendors for 3 months, a virus that NOD32 is still unable to detect at the moment.

    Thanks for your time and effort but please, please care a bit more for your customers and look into this.
     
  14. Marcos, Eset Staff Account
    Please note the sentence commencing with "Edit". As for the dll, detection was added to the update released 2 hours after you submitted it:

    29. 5. 2007 16:13:21 AMON file D:\TEMP\Rar$DI00.093\sysinfo2.dll Win32/Spy.Delf.UY trojan
     
  15. uc-icq, Registered Member
    Great! You saved my day! I'm happy that NOD32 can now detect it, so that customers don't have to suffer it any more. Thanks Marcos, well done! :thumb:
     
  16. pykko, Registered Member (joined Apr 27, 2005; 2,236 posts; location: Romania...and walking to heaven)
    ....thanking them for adding something old from February. :rolleyes: You really seem to have problems with e-mails received from users.
     
  17. Marcos, Eset Staff Account
    Uc-icq is not a virus collector; he found the sample on an actually infected PC, and as such it has been dealt with instantly, with much higher priority.
     
  18. pykko, Registered Member
    I also found many samples on infected PCs which you didn't add (I didn't mention the source of every file of course), but anyway it's up to you to decide.
     
  19. gjmveloso, Registered Member (joined Feb 12, 2007; 26 posts)
    ESET's analysis system must be improved. :thumbd:

    I did a test last week.

    I caught a sample detected heuristically by AntiVir and NOD32 only. I sent the same file to both companies at the same time.

    After 2 days, Avira contacted me, and after 3 more days a new virus signature was available.

    ESET didn't contact anyone. And after 11 days (today) have passed, no virus signature is available.

    Other example:

    Other malware undetected by NOD32 was sent to the lab last week, and no virus signature was added and the ThreatSense engine was not improved.

    And another question: are the VirusTotal reports that ESET has access to not complete? Why doesn't ESET use the reports to improve the malware database? o_O
     
  20. The Hammer, Registered Member (joined May 12, 2005; 5,619 posts; location: Toronto Canada)
    Maybe ESET should have a special "collectors" edition as some seem disappointed.:rolleyes:
     
  21. tsilo, Registered Member (joined Apr 29, 2006; 376 posts)

    It's a very old and well-known problem; there are lots of posts like that.
    If you want to receive an answer and detection in a few days, don't lose your time with ESET!
    Simply switch to an AV that, as you said, detected the submitted threat in 3 days.
    If someone from ESET doesn't want to see this kind of advice here, please work hard and improve the virus response.
     