WORM DESOS.A

Just scanned and found WORM DESOS.A. Suggestions on how to get rid of it?
Info found here: http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99458

 

Here's a link to some info on it:

http://securityresponse.symantec.com/avcenter/venc/data/w95.stoogy.worm@mm.html

But I would wait for a response from someone in the know-how first.

Regards, Jade.

BTW, just noticed the link only works if you cut & paste it.


*tried to repair URL -Jooske*

 

Hello Bowserman
We must have posted at about the same time (as our edit).

 

Hello Low Water Mark

Scan Control Dumped @ 17:59:15 26-05-03
Positive identification: Worm.Desos.a
File: c:\windows\asd.exe

We will now check the registry and report back.

 

Registry shows no extra files there. We are having a problem with our zip program (Freezip) so we may just get another program in a few minutes before we can send the file to DCS.

 

No problems this is NOT a worm. My apologies.

Now I have seen this, I think the worm writer actually hacked a legitimate EXE file to create his worm, there are too many similarities (huge chunks of identical code)

The fixed RADIUS database will be released early today, in about an hour or 2

 

Wonderful - Thank you very much Gavin for your work and quick service. We had not yet done anything until we heard from you. Keep up the good work. BTW - WormGuard did not notice this.

 

New update is out..

Wormguard shouldn't

Hmm all that black on that pic.. painful almost Do you mind editing it ? Or even remove the image

 

You might like to look for the "crop" function in an image editor, like Irfanview www.irfanview.com (one of the most wonderful image/sound thingies i know, and FREE!)

 

Agreed Jooske Infranview is a great tool, I also like it's ability to load a plugin that does away with real player

Gavin, Will the introduction of incremental backups in TDS4 improve the false positive situation? Or is it purely the complicated business of decoding and verifying these nasties?

 

It'll mean a smaller download and a quicker fix

This case was rare though, I was surprised to see the asd.exe and the worm sample have a lot of perfect code matches all through the file. Only some changes and a little extra code. So i did presume it is a hacked version of the system file tweaked to do the worm writers needs

 

I grabbed the image, cropped it out and made it 75% of the original, but as it is a copy it became twice as many Kb! from 15 to 31!
Thought that only happened with jpg so i just deleted them from my system.


Good that you found out about the "enhanced" system file. Refining your database all the time, over 25,xxx refs now already!