WORM DESOS.A

Discussion in 'Trojan Defence Suite' started by Q Section, May 26, 2003.

Thread Status:
Not open for further replies.
  1. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Just scanned and found WORM DESOS.A. Suggestions on how to get rid of it?
    Info found here: http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99458
     
  2. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Here's a link to some info on it:

    http://securityresponse.symantec.com/avcenter/venc/data/w95.stoogy.worm@mm.html

    But I would wait for a response from someone in the know-how first.

    Regards, Jade.

    BTW, just noticed the link only works if you cut & paste it.


    *tried to repair URL -Jooske*
     
  3. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello Bowserman
    We must have posted at about the same time (as our edit). :)
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    The information at that Symantec link is pretty good. You can use it to determine whether or not you are actually infected with that worm (check to see if you do in fact have the registry keys noted, for instance), or if you simply have a single infected file that has not yet been executed.

    I'm assuming TDS told you about this infection since you posted here in the TDS forum. What file did it say this infection was in?
     
  5. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello Low Water Mark

    Scan Control Dumped @ 17:59:15 26-05-03
    Positive identification: Worm.Desos.a
    File: c:\windows\asd.exe

    We will now check the registry and report back. :)
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    By the way, you should save a copy of that file before you do attempt a cleanup. Maybe throw it into a .ZIP file for safe keeping. I'm sure someone (maybe multiple people) will ask for a copy of the file to check it out for you.
     
  7. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Registry shows no extra files there. We are having a problem with our zip program (Freezip) so we may just get another program in a few minutes before we can send the file to DCS.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No problems, this is NOT a worm. My apologies.

    Now that I have seen this, I think the worm writer actually hacked a legitimate EXE file to create his worm; there are too many similarities (huge chunks of identical code).

    The fixed RADIUS database will be released early today, in about an hour or 2 :)
     
  9. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Wonderful - Thank you very much Gavin for your work and quick service. We had not yet done anything until we heard from you. Keep up the good work. BTW - WormGuard did not notice this.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    New update is out.. :)

    Wormguard shouldn't :)

    Hmm, all that black on that pic.. painful almost :) Do you mind editing it? Or even remove the image :)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might like to look for the "crop" function in an image editor, like Irfanview www.irfanview.com (one of the most wonderful image/sound thingies I know, and FREE!)
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Agreed Jooske, Irfanview is a great tool. I also like its ability to load a plugin that does away with Real Player ;)

    Gavin, Will the introduction of incremental backups in TDS4 improve the false positive situation? Or is it purely the complicated business of decoding and verifying these nasties?
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It'll mean a smaller download and a quicker fix :)

    This case was rare though. I was surprised to see the asd.exe and the worm sample have a lot of perfect code matches all through the file. Only some changes and a little extra code. So I did presume it is a hacked version of the system file tweaked to do the worm writer's needs :rolleyes:
     
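The false positive Gavin describes above comes from a byte-pattern signature that was lifted from a region the worm shares with the legitimate asd.exe. The following is an added example, not code from this thread or from DiamondCS/TDS, using constructed byte strings in place of real files: it shows the signature hitting both files, and the two checks a defender can run to confirm a suspected false positive (hash against a known-good copy, then measure how much code the flagged file shares with it).

```python
"""Why a shared-code signature hits a legitimate file, and how to triage it.
All binaries here are constructed stand-ins, not real executables."""
import hashlib
import random

# Constructed "legitimate" executable body: deterministic pseudo-random bytes.
_rng = random.Random(1234)
LEGIT = bytes(_rng.getrandbits(8) for _ in range(2048))

# Constructed "worm": the legitimate body with a few bytes patched and a small
# extra routine appended, mirroring "only some changes and a little extra code".
_worm = bytearray(LEGIT)
_worm[100:104] = b"\xde\xad\xbe\xef"
_worm += b"\x90" * 32 + b"EXTRA-PAYLOAD-ROUTINE"
WORM = bytes(_worm)

# A naive signature: 16 bytes taken from the worm inside the region it still
# shares with the legitimate file. That choice is the scanner's mistake.
SIGNATURE = WORM[512:528]


def signature_hits(data: bytes, sig: bytes) -> bool:
    """Plain substring match, the way a simple byte-pattern scanner works."""
    return sig in data


def sha256(data: bytes) -> str:
    """Whole-file hash; the first thing to compare against a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def chunk_overlap(a: bytes, b: bytes, size: int = 16) -> float:
    """Fraction of aligned `size`-byte chunks of `a` found verbatim in `b`."""
    chunks_b = {b[i:i + size] for i in range(0, len(b) - size + 1, size)}
    chunks_a = [a[i:i + size] for i in range(0, len(a) - size + 1, size)]
    return sum(c in chunks_b for c in chunks_a) / len(chunks_a)


def triage(suspect: bytes, known_good: bytes, sig: bytes) -> dict:
    """Compare a flagged file with a trusted copy of the file it claims to be."""
    return {
        "signature_hits_suspect": signature_hits(suspect, sig),
        "signature_hits_known_good": signature_hits(known_good, sig),
        "identical_to_known_good": sha256(suspect) == sha256(known_good),
        "overlap_with_known_good": chunk_overlap(suspect, known_good),
    }
```

If the flagged file hashes identical to a trusted copy, the hit is a false positive; a high overlap with a different hash is the pattern of a legitimate file tweaked into something else.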
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I grabbed the image, cropped it out and made it 75% of the original, but as it is a copy it became twice as many KB! From 15 to 31!
    Thought that only happened with jpg, so I just deleted them from my system.


    Good that you found out about the "enhanced" system file. Refining your database all the time, over 25,xxx refs now already!
     