W32.SpyBot.Worm

Discussion in 'NOD32 version 2 Forum' started by codpet, Jul 10, 2007.

Thread Status:
Not open for further replies.
  1. codpet

    codpet Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    28
    I have submitted several files that a *new* variant of the W32.SpyBot.Worm file generates to samples@nod32.com and sample@nod32.com. I have not heard a response, yet the virus continues to crush our corporate network. Symantec and NOD32 stand by and do nothing to stop it.

    What do I have to do for attention on this matter? It's hard to convince my Director to switch to NOD32 entirely if your product fails to protect.

    The worm spreads fast, and generates the following files:
    C:\exec.exe
    C:\Windows\sys32.exe
    C:\Windows\sys33.exe
    C:\Windows\iexplorer.exe

    It's identified only in part by NOD32 as a rootkit worm. NOD32 and Symantec both can't stop the worm, or clean it.
     
  2. ASpace

    ASpace Guest

    Hello !

    It is an Eset policy and you won't hear from the Virus Lab at all. They just receive the samples but do not answer people. In such an emergency, please submit the files to Eset Technical Support, email support[at]eset[dot]com

    Attach the suspected files and as much information as you may think of. Depending on the situation they will provide you with a solution appropriate to kill the parasite :thumb:
     
    Last edited by a moderator: Jul 10, 2007
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please email support[at]eset.com and enclose the subject and time/date you sent that email on.
     
  4. codpet

    codpet Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    28
    They wrote back and had me test the files against virustotal.com. Several virus scanners picked the files up; NOD32 was not one of them. After a few hours on the phone with Symantec, it's now one of the several that detects the new variant.

    I sent the SHA1/MD5 information to ESET. I haven't heard anything back.
     
  5. codpet

    codpet Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    28
    File sys32.exe received on 07.11.2007 15:09:39 (CET)
    Antivirus Version Last Update Result

    AhnLab-V3 2007.7.11.1 20070711 no virus found
    AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
    Authentium 4.93.8 20070710 no virus found
    Avast 4.7.997.0 20070711 no virus found
    AVG 7.5.0.476 20070710 no virus found
    BitDefender 7.2 20070711 Trojan.Dropper.RHE
    CAT-QuickHeal 9.00 20070711 no virus found
    ClamAV devel-20070416 20070711 Trojan.SdBot-6507
    DrWeb 4.33 20070711 Trojan.MulDrop.7389
    eSafe 7.0.15.0 20070710 no virus found
    eTrust-Vet 30.8.3779 20070711 Win32/Injeven
    Ewido 4.0 20070711 no virus found
    FileAdvisor 1 20070711 no virus found
    Fortinet 2.91.0.0 20070711 no virus found
    F-Prot 4.3.2.48 20070710 no virus found
    Ikarus T3.1.1.8 20070711 Trojan.MulDrop.7389
    Kaspersky 4.0.2.24 20070711 no virus found
    McAfee 5071 20070710 no virus found
    Microsoft 1.2704 20070711 no virus found
    NOD32v2 2392 20070711 no virus found
    Norman 5.80.02 20070711 no virus found
    Panda 9.0.0.4 20070711 Trj/ADSdropper.A
    Sophos 4.19.0 20070706 no virus found
    Sunbelt 2.2.907.0 20070711 no virus found
    Symantec 10 20070711 W32.Spybot.Worm
    TheHacker 6.1.6.144 20070709 no virus found
    VBA32 3.12.0.2 20070710 Trojan.MulDrop.7389
    VirusBuster 4.3.23:9 20070710 no virus found
    Webwasher-Gateway 6.0.1 20070711 Trojan.Drop.RHE.4

    Additional information
    File size: 125526 bytes
    MD5: 5997298a35ef417a240551e94a3338e9
    SHA1: 44e1dab608547c63e277c3156534778133e2a6c8
     
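Added example, not part of codpet's posts or of any ESET tool: a small Python sweep that turns the indicators given in this thread (the four dropped filenames from the first post and the MD5/SHA1 of sys32.exe from the VirusTotal report above) into a check you can run over a disk or an admin share while waiting for a signature. A hash match is strong evidence that the exact posted sample is present; a filename-only match is weaker, since a legitimate file could carry the same name, so the two verdicts are kept separate. The directory tree it scans in `demo()` is constructed placeholder data, not the real dropper.

```python
import hashlib
import os
import tempfile

# Indicators from the thread: the filenames codpet reports the worm dropping
# and the MD5/SHA1 he posted for sys32.exe. Only sys32.exe has a hash on the
# page, so the other names can only be matched by filename, which is weaker
# evidence (a legitimate file could carry the same name).
KNOWN_HASHES = {
    "md5": "5997298a35ef417a240551e94a3338e9",
    "sha1": "44e1dab608547c63e277c3156534778133e2a6c8",
}
DROPPED_NAMES = {"exec.exe", "sys32.exe", "sys33.exe", "iexplorer.exe"}


def hash_file(path, chunk_size=1 << 16):
    """Compute MD5 and SHA1 of a file in one streaming pass (large files are fine)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def classify(path, known_hashes=KNOWN_HASHES):
    """Return 'hash-match' (both digests equal the posted sample),
    'name-match' (one of the dropped filenames, contents unknown) or None."""
    digests = hash_file(path)
    if digests["md5"] == known_hashes["md5"] and digests["sha1"] == known_hashes["sha1"]:
        return "hash-match"
    if os.path.basename(path).lower() in DROPPED_NAMES:
        return "name-match"
    return None


def sweep(roots):
    """Walk each root directory and return {path: verdict} for every hit.
    Files that cannot be read (locked, permission denied) are skipped rather
    than aborting the sweep. On a live infected host the rootkit component
    may hide or lock its files, so prefer sweeping a mounted offline disk."""
    hits = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    verdict = classify(path)
                except OSError:
                    continue
                if verdict is not None:
                    hits[path] = verdict
    return hits


def demo():
    """Build a constructed sample tree and sweep it. The placeholder contents
    are made up for this example; none of them are the real dropper, so only
    name matches are expected. Returns (hits keyed by basename, root dir)."""
    root = tempfile.mkdtemp(prefix="spybot-sweep-")
    samples = {
        "sys32.exe": b"constructed placeholder, not the real sample",
        "iexplorer.exe": b"another constructed placeholder",
        "readme.txt": b"benign file that should not be reported",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    hits = sweep([root])
    return {os.path.basename(p): v for p, v in hits.items()}, root


if __name__ == "__main__":
    found, where = demo()
    for name, verdict in sorted(found.items()):
        print(f"{verdict:11} {os.path.join(where, name)}")
```

On a Windows machine you would call `sweep([r"C:\"])` (or just `C:\` and `C:\Windows`, where the thread says the files land) from a clean system with the suspect disk mounted; the posted hashes only identify the 125526-byte sys32.exe sample, so a re-packed variant will show up as a name match at best and still needs to be submitted for a signature.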
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Yes... you're not in their priorities, or maybe they thought you're a VX collector. :rolleyes:
     
  7. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    It may be a good idea to send samples from a new/different email address. In my experience, after I'd emailed a few samples over the course of several weeks, very few samples I submitted were added; it's possible submitting multiple samples using the same email puts your email on their "VX collector list", meaning your submissions will have lowest priority.

    Londonbeat
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Don't stir up a hornet's nest; Codpet is not a virus collector. He has asked us to assist him in removing an infiltration from his network, and all the functional samples he has submitted are actually detected:

    AhnLab-V3 2007.7.11.1 20070711 no virus found
    AntiVir 7.4.0.39 20070711 TR/Drop.RHE.4
    Authentium 4.93.8 20070711 no virus found
    Avast 4.7.997.0 20070711 no virus found
    AVG 7.5.0.476 20070711 no virus found
    BitDefender 7.2 20070711 Trojan.Dropper.RHE
    CAT-QuickHeal 9.00 20070711 no virus found
    ClamAV devel-20070416 20070711 Trojan.SdBot-6507
    DrWeb 4.33 20070711 Trojan.MulDrop.7389
    eSafe 7.0.15.0 20070710 no virus found
    eTrust-Vet 30.8.3780 20070711 Win32/Injeven
    Ewido 4.0 20070711 no virus found
    FileAdvisor 1 20070711 no virus found
    Fortinet 2.91.0.0 20070711 no virus found
    F-Prot 4.3.2.48 20070711 no virus found
    Ikarus T3.1.1.8 20070711 Trojan.MulDrop.7389
    Kaspersky 4.0.2.24 20070711 no virus found
    McAfee 5072 20070711 no virus found
    Microsoft 1.2704 20070711 no virus found
    NOD32v2 2394 20070711 Win32/Rbot
    Norman 5.80.02 20070711 no virus found
    Panda 9.0.0.4 20070711 Trj/ADSdropper.A
    Sophos 4.19.0 20070706 no virus found
    Sunbelt 2.2.907.0 20070711 no virus found
    Symantec 10 20070711 W32.Spybot.Worm
    TheHacker 6.1.6.144 20070709 no virus found
    VBA32 3.12.0.2 20070710 Trojan.MulDrop.7389
    VirusBuster 4.3.23:9 20070711 no virus found
    Webwasher-Gateway 6.0.1 20070711 Trojan.Drop.RHE.4

    Additional information
    File size: 125526 bytes
    MD5: 5997298a35ef417a240551e94a3338e9
    SHA1: 44e1dab608547c63e277c3156534778133e2a6c8


    Since the problem has been resolved, I'll draw this case to a close.
     