New virus (price.cpl - Bagle variant) and current Virus-Total results

Virus Guy

This came in via e-mail today. Got past Symantec Corporate AV running
on our server.

I ran this through Virus Total earlier today (about 8-10 hours ago)
and I think only 6 AV programs identified it. Many more are doing so
now.

The file (price2.zip) was attached to an e-mail with no subject. The
file unzips to price.cpl (a control panel extension) with a time-stamp
of Tuesday Sept 13 12:24:24 am. size = 14340 bytes.

The only interesting bit of readable text inside it is "open
\gfgdgfddfgdfgwe.exe".

Anyways, here are the virus total results. I'll check again in a week
and see how the various vendors are doing with this one.

---------------

Scanned Sept 12 / 10pm EST:

BitDefender 7.0 09.02.2005 no virus found
CAT-QuickHeal 8.00 09.12.2005 no virus found
eTrust-Iris 7.1.194.0 09.13.2005 no virus found
eTrust-Vet 11.9.1.0 09.12.2005 no virus found
Ikarus 0.2.59.0 09.12.2005 no virus found
McAfee 4579 09.12.2005 no virus found
VBA32 3.10.4 09.12.2005 no virus found
The Cleaner v3843 09.12.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 suspicious


ClamAV devel-20050725 09.13.2005 Worm.Bagle.BB-gen
DrWeb 4.32b 09.12.2005 Win32.HLLM.Beagle.12288
AntiVir 6.31.1.0 09.12.2005 DR/Bagle.P
Avast 4.6.695.0 09.12.2005 Win32:Mitglieder-BK
AVG 718 09.12.2005 I-Worm/Bagle.EQ
Avira 6.31.1.0 09.12.2005 DR/Bagle.P
F-Prot 3.16c 09.13.2005 security risk named W32/Mitglieder.FB
Kaspersky 4.0.2.24 09.13.2005 Email-Worm.Win32.Bagle.cs
NOD32v2 1.1214 09.12.2005 Win32/Bagle.BI
Norman 5.70.10 09.12.2005 W32/Bagle.CS
Panda 8.02.00 09.12.2005 W32/Bagle.EK.worm
Sophos 3.97.0 09.13.2005 Troj/Dropper-BC
Symantec 8.0 09.13.2005 Trojan.Tooso.N
TheHacker 5.8.2.105 09.12.2005 W32/Bagle.cs
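Added example, not code from the post: a small Python parser for result lines in the format pasted above ("engine version MM.DD.YYYY result"), tallying named detections, heuristic flags and misses, and listing engines whose signature date is older than the scan day (the reason a 10-day-old definition set could not have caught a sample first seen that day). The embedded rows are copied from the post; the bucket names and the `stale` notion are my own.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Rows taken from the scan pasted in the post above (a subset, chosen to
# cover engine names with spaces, multi-word results, and each verdict type).
SAMPLE_RESULTS = """\
BitDefender 7.0 09.02.2005 no virus found
McAfee 4579 09.12.2005 no virus found
The Cleaner v3843 09.12.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 suspicious
ClamAV devel-20050725 09.13.2005 Worm.Bagle.BB-gen
DrWeb 4.32b 09.12.2005 Win32.HLLM.Beagle.12288
F-Prot 3.16c 09.13.2005 security risk named W32/Mitglieder.FB
Kaspersky 4.0.2.24 09.13.2005 Email-Worm.Win32.Bagle.cs
Symantec 8.0 09.13.2005 Trojan.Tooso.N
"""

# Engine name may contain spaces, so it is matched non-greedily and the
# single-token version plus the dotted date anchor the split.
LINE_RE = re.compile(
    r"^(?P<engine>.+?) (?P<version>\S+) (?P<sigdate>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$"
)


@dataclass
class ScanResult:
    engine: str
    version: str
    sigdate: date
    result: str

    @property
    def verdict(self) -> str:
        # Three buckets: a miss, a heuristic-only flag, or a named detection.
        if self.result == "no virus found":
            return "missed"
        if self.result == "suspicious":
            return "suspicious"
        return "detected"


def parse_results(text: str) -> list[ScanResult]:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than guess
        rows.append(ScanResult(
            engine=m["engine"],
            version=m["version"],
            sigdate=datetime.strptime(m["sigdate"], "%m.%d.%Y").date(),
            result=m["result"],
        ))
    return rows


def summarize(rows: list[ScanResult], scan_date: date) -> dict:
    counts = {"detected": 0, "suspicious": 0, "missed": 0}
    for r in rows:
        counts[r.verdict] += 1
    # Engines whose definition set predates the scan day: a miss from them
    # says nothing about what their current signatures would do.
    stale = [r.engine for r in rows if r.sigdate < scan_date]
    return {**counts, "total": len(rows), "stale": stale}
```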
 
What's in a Name?

Hey Virus Guy - I would like to test one of my systems with a live
specimen. Have AVG/eTrust/Anti-Vir/BitDefender/ClamWin installed. Can
you send me a copy? maxpro4u@neoDOTrrDotcom (remove the DOTs).
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
http://home.neo.rr.com/manna4u/keepingclean.html
http://home.neo.rr.com/manna4u/virusprevention.html
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
Virus Guy

What's in a Name? said:
Hey Virus Guy - I would like to test one of my systems with a live
specimen. Have AVG/eTrust/Anti-Vir/BitDefender/ClamWin installed.
Can you send me a copy? maxpro4u@neoDOTrrDotcom (remove the DOTs).
-max

Look for it.
 
kurt wismer

What's in a Name? wrote:
[snip]
Hey Virus Guy - I would like to test one of my systems with a live
specimen. Have AVG/eTrust/Anti-Vir/BitDefender/ClamWin installed. Can
you send me a copy? maxpro4u@neoDOTrrDotcom (remove the DOTs).

in other words, you want him to send samples to people he doesn't know
he can trust and potentially contribute to the virus problem rather than
the solution...

go troll for viruses elsewhere, please...
 
What's in a Name?

What's in a Name? wrote:
[snip]
Hey Virus Guy - I would like to test one of my systems with a live
specimen. Have AVG/eTrust/Anti-Vir/BitDefender/ClamWin installed.
Can you send me a copy? maxpro4u@neoDOTrrDotcom (remove the DOTs).

in other words, you want him to send samples to people he doesn't
know he can trust and potentially contribute to the virus problem
rather than the solution...

go troll for viruses elsewhere, please...

I guess he trusts me. By the way, all the AVs caught it and AVG was
the first one to go "off".
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
http://home.neo.rr.com/manna4u/keepingclean.html
http://home.neo.rr.com/manna4u/virusprevention.html
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
What's in a Name?

Look for it.

Thanks - On this system (win2000) with AVG/eTrust/AntiVir/Avast all
running as resident, AVG was the first to pop up with warnings.
I am going to resend it to myself because I forgot I had set AVG to
move any password-protected files to the vault.
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
http://home.neo.rr.com/manna4u/keepingclean.html
http://home.neo.rr.com/manna4u/virusprevention.html
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
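Added example, not code from anyone in the thread, illustrating the defender-side check the posts above point at: the attachment was a zip whose only member was a .cpl (a Windows control panel extension, executed on double-click), and a password-protected zip is one a scanner cannot look inside at all. A mail gateway can decide both cases from the zip central directory alone, without extracting anything. The extension list is an assumed policy, and `build_sample` is a constructed test fixture (Python's zipfile cannot write encrypted members, so the encryption flag bit is set in the headers by hand to mimic a password-protected archive's metadata).

```python
import io
import zipfile

# Extensions Windows runs on double-click; .cpl is the one the attachment in
# the post used. Assumed policy list for this example, not from the thread.
EXECUTABLE_EXTS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in both zip header types


def inspect_attachment(data: bytes) -> dict:
    """Classify a zip attachment from its central directory only; no member
    is extracted or executed."""
    report = {"members": [], "executable": [], "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["members"].append(name)
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                report["executable"].append(name)
            if info.flag_bits & ENCRYPTED_FLAG:
                # A content scanner cannot open this member: treat as unscannable.
                report["encrypted"].append(name)
    # Quarantine on either an executable member or one the gateway cannot inspect.
    report["quarantine"] = bool(report["executable"] or report["encrypted"])
    return report


def build_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed fixture: a one-member stored zip. When encrypted=True the
    encryption flag is set in the local and central headers so infolist()
    reports it the way a real password-protected member would appear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED_FLAG            # local file header: flags at offset 6
        cd = data.find(b"PK\x01\x02")        # central directory header signature
        data[cd + 8] |= ENCRYPTED_FLAG       # central directory: flags at offset 8
    return bytes(data)
```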
 
David H. Lipman

From: "kurt wismer" <[email protected]>


|
| in other words, you want him to send samples to people he doesn't know
| he can trust and potentially contribute to the virus problem rather than
| the solution...
|
| go troll for viruses elsewhere, please...
|

Max has been around for a "long time" and can be trusted. He is not trolling to add to a
collection.
 
Roger Wilco

I guess he trusts me. By the way, all the AVs caught it and AVG was
the first one to go "off".

In what order did you install them? I would expect the last installed to
be the first in line to scan on access and be the first to alert unless
some feature such as e-mail scanning was enabled. Being the first to 'go
off' really means very little when multiple AVs are enabled for on-access
scanning and the feature set and configuration varies so much between
programs.
 
kurt wismer

David said:
From: "kurt wismer" <[email protected]>
| in other words, you want him to send samples to people he doesn't know
| he can trust and potentially contribute to the virus problem rather than
| the solution...
|
| go troll for viruses elsewhere, please...

Max has been around for a "long time" and can be trusted. He is not trolling to add to a
collection.

that doesn't mean he can be trusted... raid was around for a long time,
would you trust him?

if there was a pre-existing relationship of trust between max and virus
guy then he could have made that request in private... arguably he
should have made the request in private so as to not lend credence to
the idea that this is a place where people share viruses...

and frankly, if the only issue was whether or not he was going to add it
to a collection then it would be a non-issue - i don't care what people
collect or how big their collections are... the issue is trust - in
motives and in competency... can virus guy be adequately certain that
max doesn't have nefarious motives and/or that max is competent to
handle live samples safely? i seriously suspect the answer is no (i also
suspect that virus guy could care less, but that's another matter
entirely)...
 
Virus Guy

kurt said:
can virus guy be adequately certain that max doesn't have
nefarious motives and/or that max is competent to handle
live samples safely? i seriously suspect the answer is no

I had a quick look at his posting history (sorted my display by
Sender) and became reasonably sure that "What's in a name" wasn't a
fly-by lurker or someone with little or no posting history. Someone
with nefarious motives would probably be too busy writing mal-ware or
chatting with buddies on Sekret Forumz or controlling his/her army of
zombies rather than reading these ng's (that would be lame).
(i also suspect that virus guy could care less

I did think about it (for maybe 30 seconds) but I rationalize it like
this:

1) the people that author the mal-ware I'm sure would like it if we
were too afraid to handle (and share) their crap and experiment with
it (from a detection or protection point of view). Real-life labs
send samples of real viruses to each other all the time for the same
reasons.

2) anyone that _can_ reverse-engineer or modify a mal-file such that
->they<- can benefit or take advantage of its functionality for their
own ends probably doesn't need to have samples sent to them. Anyone
who simply takes a mal-file and passes it (un-modified) to someone
else will have gained nothing because presumably only the original
author knows and has programmed it for specific functionality that
he/she will benefit from in a covert way.

3) Anyone asking for a mal-file, and reading these ng's (and the
specific thread) probably knows how to handle them so that they don't
infect themselves (granted, this is the weakest of the 3 suppositions,
but it doesn't involve bad intentions on the part of the requester).

4) how do we really know that Virus Total isn't a front for nefarious
interests?
 
What's in a Name?

that doesn't mean he can be trusted... raid was around for a long
time, would you trust him?

if there was a pre-existing relationship of trust between max and
virus guy then he could have made that request in private...
arguably he should have made the request in private so as to not
lend credence to the idea that this is a place where people share
viruses...

and frankly, if the only issue was whether or not he was going to
add it to a collection then it would be a non-issue - i don't care
what people collect or how big their collections are... the issue
is trust - in motives and in competency... can virus guy be
adequately certain that max doesn't have nefarious motives and/or
that max is competent to handle live samples safely? i seriously
suspect the answer is no (i also suspect that virus guy could care
less, but that's another matter entirely)...

As I said I just wanted to test my setup with a live subject because
I only tested with a test file. By the way, I don't collect malware,
only coins ;)
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
http://home.neo.rr.com/manna4u/keepingclean.html
http://home.neo.rr.com/manna4u/virusprevention.html
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
David H. Lipman

From: "What's in a Name?" <[email protected]>


| As I said I just wanted to test my setup with a live subject because
| I only tested with a test file. By the way, I don't collect malware,
| only coins ;)
| -max

I bet you would like a 1909 VDB -- wouldn't 'ya ! ;-)
 
What's in a Name?

From: "What's in a Name?" <[email protected]>


| As I said I just wanted to test my setup with a live subject because
| I only tested with a test file. By the way, I don't collect malware,
| only coins ;)
| -max
I bet you would like a 1909 VDB -- wouldn't 'ya ! ;-)

Did you know that 10 or so 1909's are put into circulation every
year?
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
http://home.neo.rr.com/manna4u/keepingclean.html
http://home.neo.rr.com/manna4u/virusprevention.html
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
Art

4) how do we really know that Virus Total isn't a front for nefarious
interests?

Reminds me of a old Maxwell Smart program where Max busts up a spy
ring associated with a Chinese laundry. At the end he says, "Yes
chief, it turned out that the spy ring was just a front. The real
money was in the laundry business".

Art

http://home.epix.net/~artnpeg
 
David H. Lipman

From: "What's in a Name?" <[email protected]>


| Did you know that 10 or so 1909's are put into circulation every
| year?
| -max

But does it have the initials of Victor David Brenner ?
How about it being minted in San Francisco and not in Philly ?
 
kurt wismer

Virus said:
I had a quick look at his posting history (sorted my display by
Sender) and became reasonably sure that "What's in a name" wasn't a
fly-by lurker or someone with little or no posting history.

congratulations on your superficial analysis...
Someone
with nefarious motives would probably be too busy writing mal-ware or
chatting with buddies on Sekret Forumz or controlling his/her army of
zombies rather than reading these ng's (that would be lame).

as a point of fact, alt.comp.virus started out its life as a virus
trading newsgroup... it *was* one of those "sekret forumz"... there have
been many high profile vx members participating here over the years and
it would be foolish to assume they were the only ones on that side of
the line who did and/or that there aren't still some around...
I did think about it (for maybe 30 seconds) but I rationalize it like
this:

1) the people that author the mal-ware I'm sure would like it if we
were too afraid to handle (and share) their crap and experiment with
it (from a detection or protection point of view).

no, actually they encourage everyone to do so... they are not interested
in limiting the spread of those materials because they wouldn't be able
to justify their own irresponsible sharing if they did...
Real-life labs
send samples of real viruses to each other all the time for the same
reasons.

real-life labs send samples through channels where there are established
trust relationships... it's not a case of mcafee labs sharing samples
with symantec labs, it's a case of someone at mcafee and someone at
symantec knowing and trusting each other (or better still, both
belonging to CARO)...
2) anyone that _can_ reverse-engineer or modify a mal-file such that
->they<- can benefit or take advantage of its functionality for their
own ends probably doesn't need to have samples sent to them.

right, because having skill but no connections just isn't possible...
Anyone
who simply takes a mal-file and passes it (un-modified) to someone
else will have gained nothing because presumably only the original
author knows and has programmed it for specific functionality that
he/she will benefit from in a covert way.

and still they do it anyways...
3) Anyone asking for a mal-file, and reading these ng's (and the
specific thread) probably knows how to handle them so that they don't
infect themselves (granted, this is the weakest of the 3 suppositions,
but it doesn't involve bad intentions on the part of the requester).

spoken like someone who hasn't been here very long...
4) how do we really know that Virus Total isn't a front for nefarious
interests?

who said they aren't? not me... however they're a little too high
profile to escape the scrutiny of the various anti-virus companies - the
fact that they aren't leveling accusations of that type against virus
total suggests that (at least for now) there's no evidence of nefarious
interests there...
 
kurt wismer

What's in a Name? wrote:
[snip]
As I said I just wanted to test my setup with a live subject because
I only tested with a test file.

which (after 'educational purposes') is one of the more popular reasons
given...
 
Virus Guy

I'm only doing this because you bothered to irritate me with your last
post.

-------------------

Search keywords:

virus samples archive download library

http://groups.google.ca/groups?q=virus samples archive download library&hl=en&lr=&sa=N&tab=wg

Last result on page 1:

http://vx.netlux.org/
.... updated collection of magazines, virus samples, virus sources,
polymorphic engines, virus generators, virus writing tutorials ...
articles, books, news archives etc ... fido7.su.cm - Mar 1 2004,
6:31 am by Igor Dikshev - 4 messages - 4 authors

---------

http://vx.netlux.org/

"Welcome to VX Heavens! This site is dedicated to providing
information about computer viruses (or virii, as some would prefer) to
anyone who is interested in this topic.

This site contains a massive, continuously updated collection of
magazines, virus samples, virus sources, polymorphic engines, virus
generators, virus writing tutorials, articles, books, news archives
etc.

Some of you might reasonably say that it is illegal to offer such
content on the net. Or that this information can be misused by
"malicious people". I only want to ask that person: "Is ignorance a
defence?"

----------

Nuf said.

When I become the last source on the internet for virus samples, come
back and bark at me some more.
 
kurt wismer

Virus Guy wrote:
[snip]
When I become the last source on the internet for virus samples, come
back and bark at me some more.

providing virus samples carelessly is like littering - every little bit
counts...
 
