Is this NEW VIRUS? cxmkuww.exe

Thread starter: Jerome Whelan

I just got what appears to be a faked "bounced
mail message" from somewhere in the Netherlands.
( Inet Delivery System , (e-mail address removed) )

There is an encoded binary attachment "cxmkuww.exe"
which is mis-identified as an application/wav file.

What worries me is that my Symantec Corporate
antivirus with definitions from yesterday does not
see anything wrong with this .exe, but when I look
at the content with a text editor it seems to
contain a copy of the fake email message which
delivered it to me.

I called Symantec but their 800# redirected me to
a 900#, so I guess they are not interested in an
early heads-up on this....
 
Have you scanned the file with other updated av ...McAfee, KAV,
etc.? Did you send a copy of the file to Symantec for analysis?


Art
http://www.epix.net/~artnpeg
 
Found it! I went to the Symantec site and
downloaded the "beta" definitions and then my SAV
CE found it. The official definitions are not new
enough, so this must be a pretty recent virus....
Here is what the SAV CE showed for a manual scan
on the file I thought was suspicious:

Scan type: Manual Scan
Event: Virus Found!
Virus name: Worm.Automat.AHB
File: C:\Documents and Settings\Administrator\My Documents\SUSPICIOUS\cxmkuww.exe
Location: Quarantine
Computer: P4
User: Administrator
Action taken: Clean failed : Quarantine succeeded :
Date found: Thu Sep 18 13:57:43 2003

 
After downloading the intelligent definition update when I got a fourth
e-mail with this worm it was caught. It's the same one you had. Oddly enough
there is no mention of this worm on the Symantec site.


Jim
 
Jim Satterfield said:
After downloading the intelligent definition update when I got a fourth
e-mail with this worm it was caught. It's the same one you had. Oddly enough
there is no mention of this worm on the Symantec site.

Not really that odd if you think about it, first and foremost
would be their developing a signature for this for their new
definitions database ~ and making it available to their clients.
Only after that would analysis and write-ups be a priority.
 
Jerome Whelan said:
Found it! I went to the Symantec site and
downloaded the "beta" definitions and then my SAV
CE found it. The official definitions are not new
enough, so this must be a pretty recent virus....
Here is what the SAV CE showed for a manual scan
on the file I thought was suspicious:

Scan type: Manual Scan
Event: Virus Found!
Virus name: Worm.Automat.AHB
File: C:\Documents and Settings\Administrator\My Documents\SUSPICIOUS\cxmkuww.exe
Location: Quarantine
Computer: P4
User: Administrator
Action taken: Clean failed : Quarantine succeeded :
Date found: Thu Sep 18 13:57:43 2003

I am getting a burst of emails mostly with phony security patches on
my Yahoo mail account. These are showing no virus when scanned with
the Norton virus scan built into Yahoo.
 
I went to Symantec's site as soon as I saw emails with attachments coming in
that weren't being picked up in scans. Rather obvious these days to anyone
who frequents these NG's that security patches don't come via email. In any
case they had already id'ed Swen and put it into beta defs. Fairly quick
response, will be interesting to see how long before the def is put into the
live update defs.

Anyhow it is still possible that the heuristics engine would catch it upon
viewing or installation. It may catch the use of the mime header exploit,
although having IE up to date prevents that anyhow. And there is still the
chance that the heuristic engine will catch certain malicious activity that
the installation or virus itself is doing. Unfortunately this particular
one tries to disable NAV so that may not be the case. In general it takes a
few days of posts in here and other NG's and forums from infected users to
see which heuristics engines truly worked during the initial outbreak. Hard
to tell sometimes since the users who tend to open these emails in the
first place often tend to have their software set up wrong or out of date in
the first place.

I suspect their support lines get extremely busy during an initial
outbreak. And they probably already had the virus working their honeypots
and in the lab being disassembled before most users had a clue that something
was astir.
 
According to that very same web site, it will be in next week's live update
release, on Sept. 24th. Live Update releases happen once a week, on Wednesdays.

Is the fact that this worm began to spread on a Thursday just a coincidence,
or was it deliberately planned to leave Live Update clients unprotected for
as long as possible? I doubt if we'll ever know.
 
Tom Adams said:
I am getting a burst of emails mostly with phony security patches on
my Yahoo mail account. These are showing no virus when scanned with
the Norton virus scan built into Yahoo.

I'm getting them too - the attachments are zero-length files, which is
why no virus is detected - something along the path must have already
deleted the virus file.
 
Seth Goodman said:
I'm getting them too - the attachments are zero-length files, which is
why no virus is detected - something along the path must have already
deleted the virus file.


Sorry to follow up to myself - but I just re-checked my Yahoo account
and I had 63 additional phony security patches, all safely shunted to
the Bulk folder - most of them with payload still attached. I also had a
warning from Yahoo that I was at 117% of my mailbox quota, and would I
like to buy more space! Not for trojans, thank you!

I simply emptied my "Bulk" folder, then and there.
 
Hello.
If it were me, and I were unsure what that file is, I would simply delete
it. Especially if you don't need it. GL.
 
gspelvin said:
Hello.
If it were me, and I were unsure what that file is, I would simply delete
it. Especially if you don't need it. GL.

if you're unsure what it is, how are you supposed to know if you need
it or not?
 