New virus with price in body

  • Thread starter: C.News
C.News said:
Anybody? we just had an outbreak and we have symantec corp 8 def dated aug 4
2004

Same thing here, few systems internally have it (those that aren't 100%
"good" at recognition yet :). No news yet, but both SAV Corp 9, and
Frisk on our mail server missed it.

Our defs are the same as yours, rev 34, and they're ineffective against
whatever this is - all that's known is that it's a mass-mailer.
 
C.News said:
Anybody? we just had an outbreak and we have symantec corp 8 def dated aug 4
2004

Subject: VIRUS (Trojan.JS.RunMe, Trojan.JS.RunMe, Trojan.RunMe) FROM
<?@[xxx.xxx.xxx.xxx]>

3 viruses were found.

A banned name (price_new.zip) was found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <?@[xxx.xxx.xxx.xxx]>

According to the 'Received:' trace, the message originated at:
1JC1741.com (avignon-ext.ilog.com [xxx.xxx.xxx.xxx] (may be forged)

Notification to sender will not be mailed.

The message WAS NOT delivered to:
<[email protected]>:
250 2.7.1 Ok, discarded, id=30490-53 - VIRUS: Trojan.JS.RunMe,
Trojan.JS.RunMe, Trojan.RunMe

Virus scanner output:
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00000:
Trojan.JS.RunMe FOUND
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00003:
Trojan.JS.RunMe FOUND
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00004:
Trojan.RunMe FOUND

The message has been quarantined as:
/var/amavis/virusmails
 
Just received this message today with new_price.zip file attached. I assumed
it was a virus, but it was not caught by anti-virus. Using a proxy server with
antivirus from Sophos, McAfee, and Panda. Last update 8/4

Gary
 
Anybody? we just had an outbreak and we have symantec corp 8 def dated aug 4
2004

Yes, I've received two zipped email attachments today with names
price.zip and price1.zip. McAfee alerts as JS/IllWill on a JS portion
of the HTML file. F-Prot alerted with a "suspicion" message on the
EXE. KAV didn't alert and I've sent them a sample. So they will
probably have detection very shortly. Here's McAfee's description:

http://vil.nai.com/vil/content/v_99242.htm

and here with more details:

http://vil.nai.com/vil/content/v_127423.htm

McAfee is now treating this as a Bagle variant.


Art
http://www.epix.net/~artnpeg
 
Anybody? we just had an outbreak and we have symantec corp 8 def dated aug 4
2004

Here's an update on what a few scanners are naming the malware along
with a Norman Sandbox report useful for manual removal info:

Dr.Web Win32.HLLM.Price.14848
f-prot dropper for W32/Mitglieder.W
KAV Exploit.CodeBaseExec, I-Worm.Bagle.al

Norman Virus Control Sandbox: W32/Malware
* Attemps to open C:\WINDOWS\SYSTEM\WINdirect.exe NULL
* Locates window "NULL [class Shell_TrayWnd]" on desktop
* Creating several executable files on hard-drive
* File length: 14848 bytes

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\WINdirect.exe
* Creates file C:\WINDOWS\SYSTEM\_dll.exe
[ Changes to registry ]
* Creates value "win_upd2.exe"="C:\WINDOWS\SYSTEM\WINdirect.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
* Creates value "win_upd2.exe"="C:\WINDOWS\SYSTEM\WINdirect.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
[ Process/window information ]
* Modifies other process memory
* Creates a remote thread.


Art
http://www.epix.net/~artnpeg
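The sandbox lines Art quotes above are the kind of indicators an admin would turn into a host check. The following is an added example, not code from the thread or from Norman: it parses the quoted "Creates file" / "Creates value" lines into indicators and compares them against a host snapshot (a file listing and an export of both Run keys) supplied by the caller, so it runs offline on any platform. The SANDBOX_REPORT text is a constructed excerpt re-joined onto single lines.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the sandbox lines quoted in the thread (not the
# full Norman report); wrapped lines have been re-joined.
SANDBOX_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\WINdirect.exe
* Creates file C:\WINDOWS\SYSTEM\_dll.exe
[ Changes to registry ]
* Creates value "win_upd2.exe"="C:\WINDOWS\SYSTEM\WINdirect.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
* Creates value "win_upd2.exe"="C:\WINDOWS\SYSTEM\WINdirect.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
"""

FILE_RE = re.compile(r'^\* Creates file (?P<path>\S.*)$')
VALUE_RE = re.compile(
    r'^\* Creates value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"$')

RunKey = Tuple[str, str]  # (registry key, value name), lower-cased


def parse_report(text: str) -> Tuple[Set[str], Dict[RunKey, str]]:
    """Extract dropped-file paths and Run-key values from sandbox output."""
    files: Set[str] = set()
    run_values: Dict[RunKey, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.add(m["path"].lower())      # Windows paths: compare case-insensitively
            continue
        m = VALUE_RE.match(line)
        if m:
            run_values[(m["key"].lower(), m["name"].lower())] = m["data"].lower()
    return files, run_values


def check_host(files: Set[str], run_values: Dict[RunKey, str],
               host_files: Set[str], host_registry: Dict[RunKey, str]) -> List[tuple]:
    """Return the indicators present in a host snapshot gathered separately."""
    hits: List[tuple] = []
    present_files = {p.lower() for p in host_files}
    present_reg = {(k.lower(), n.lower()): d.lower() for (k, n), d in host_registry.items()}
    for path in sorted(files):
        if path in present_files:
            hits.append(("file", path))
    for key, data in run_values.items():
        # a hit needs both the value name and the data pointing at the dropped file
        if present_reg.get(key) == data:
            hits.append(("registry", key[0], key[1]))
    return hits
```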
 
Trendmicro A/V now reports the virus TROJ_BAGLE.AC in price\price.exe

The latest A/V signature file was dated 1:04 this afternoon.

Gary
 
You are in good company. We are moving from Command Antivirus to SAV
CE but the 8/4 ver 34 def files aren't picking up the price_new.zip
and 08_price.zip attachments.

Okay Symantec Def builders, time to get to work!

Duane Lambe said:
C.News said:
Anybody? we just had an outbreak and we have symantec corp 8 def dated aug 4
2004

Subject: VIRUS (Trojan.JS.RunMe, Trojan.JS.RunMe, Trojan.RunMe) FROM
<?@[xxx.xxx.xxx.xxx]>

3 viruses were found.

A banned name (price_new.zip) was found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <?@[xxx.xxx.xxx.xxx]>

According to the 'Received:' trace, the message originated at:
1JC1741.com (avignon-ext.ilog.com [xxx.xxx.xxx.xxx] (may be forged)

Notification to sender will not be mailed.

The message WAS NOT delivered to:
<[email protected]>:
250 2.7.1 Ok, discarded, id=30490-53 - VIRUS: Trojan.JS.RunMe,
Trojan.JS.RunMe, Trojan.RunMe

Virus scanner output:
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00000:
Trojan.JS.RunMe FOUND
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00003:
Trojan.JS.RunMe FOUND
/opt/amavis/work/amavis-20040809T164804-30490/parts/part-00004:
Trojan.RunMe FOUND

The message has been quarantined as:
/var/amavis/virusmails
 
I just used 'Intelligent Updater' and now Symantec picks it up.
I had just tried the regular Update button, but it didn't download the
latest def dated 9Aug04.
C'mon Symantec.
 
Gary said:
Trendmicro A/V now reports the virus TROJ_BAGLE.AC in price\price.exe

The latest A/v Signature file was dated 1:04 this afternoon.

Gary

Symantec identifies it as W32Beagle.AO@mm
 
I just used 'Intelligent Updater' and now Symantec picks it up.
I had just tried the regular Update button, but it didn't download the
latest def dated 9Aug04.
C'mon Symantec.

You can say that again! Symantec was really asleep at the wheel today.
After all their competitors already had defs out for this one, Symantec
finally got it together. Here's my experience:

1. email arrives this morning with "new_price.zip" attachment and not
much else...Norton blissfully ignores it on the way in, so I carefully
save the Zip file to my Desktop and try a scan....nothing...so I extract
the "price.exe" to the Desktop (I like living dangerously) and scan
it...nothing. (see below for interesting aside about the source of this
first copy...especially if you're a Bank One - J.P. Morgan Chase & Co.
customer...)

2. I check sarc.com, and no mention of a new worm...I then scanned
Google and "Google groups" and nothing...I try a LiveUpdate and it still
thinks that my 8/4 defs are just fine.

3. Another infected message arrives, so this time, I go to sarc.com and
do a full "Intelligent Update" (8/9/2004 rev. 19) and scan the
files....nothing.

4. By now, McAfee has identified this as a new Bagle variant....another
infected message arrives, so I go to another computer on my network and
this time, I can do a Live Update and actually get something dated
today, so I go back to my own PC and try Live Update...nothing...but I
see that the Intelligent Update rev. number has changed so I grab that.
Now all I had to do was touch the live files on my Desktop with my
cursor and NAV deleted them with a dire warning....about time!

Here's the scoop on the Bank One connection....the first copy of this
new Bagle worm that I received came from a computer at Sigma Marketing
in NY, and it was sent to an address that I have only given to Bank One
for online access to their site, so I went to the sigmamarketing.com
site and look at their clients list, and there's Bank One. That means
that some idiot at Sigma clicked on the darn ZIP file and executed the
EXE, and then their computer proceeded to spew worms "From" one Bank One
customer's email address "To" another customer address. I called them
and got them to confess, and then I reported it to Bank One's Corporate
Security folks...I don't think they're having a very good Monday...

I had a similar thing happen with the address that I only gave to the
Bank of America for their "portal" -- back in May, I received a worm at
that address and so I did some digging and found that the worm
originated in India, on the computer of an employee of "Yodlee," a
company that does "aggregation" of financial info for many banks. They
were all in denial for a long time about that one, but I had
incontrovertible proof about the origin of the infection.

I guess the security procedures for both of those big banks need a
little overhaul.

DT in AZ
 
WOW.
D. T. said:
You can say that again! Symantec was really asleep at the wheel today.
After all their competitors already had defs out for this one, Symantec
finally got it together. Here's my experience:

1. email arrives this morning with "new_price.zip" attachment and not
much else...Norton blissfully ignores it on the way in, so I carefully
save the Zip file to my Desktop and try a scan....nothing...so I extract
the "price.exe" to the Desktop (I like living dangerously) and scan
it...nothing. (see below for interesting aside about the source of this
first copy...especially if you're a Bank One - J.P. Morgan Chase & Co.
customer...)

I like living a little on the 'unknown' side also.
I usually don't open attachments from anyone I don't know. I many
times even call them (the ones I know and trust) to see if they
actually sent me something with an attachment).
Yeah, I checked to see who sent this one, and it was not normal.
I saved it (Zone Alarm's Mail Safe already renamed the extension so I
couldn't open it without several warnings) (DUH) and used Norton to
check the zip file and it found nothing. I then unzipped it and had
Norton scan it again. Still nothing. I then used the Norton
'live-update' feature and there was no update.
So, I figured, wrongly of course, that I would try to open the .html
file and also the .exe file.
Well, nothing seemed to have happened, so (stupidly) I did it again
(ha ha LOL).
Now I look at my Inbox again and I have another email (actually both
arrived about the same time) from myself. It also has a zip file. I
check it and it is the same file,
Damn, now I know I made a MISTAKE. 'Curses'
At least I didn't unzip and run the .exe or the .html file on this
one. (now I'm embarrassed :) )
I then edited the 'worm' and was going to post the results in this NG
when I noticed that it was already mentioned.
I deleted the two files mentioned by Art and then did a Registry
restore (Win98SE) and it 'seems' to be fine, even after several scans.
I will check on the files that this 'worm' disables to see if I have
more things to 'fix'. (I will have to keep my Ghost Image updated more
often)
2. I check sarc.com, and no mention of a new worm...I then scanned
Google and "Google groups" and nothing...I try a LiveUpdate and it still
thinks that my 8/4 defs are just fine.

3. Another infected message arrives, so this time, I go to sarc.com and
do a full "Intelligent Update" (8/9/2004 rev. 19) and scan the
files....nothing.

When I tried the Intelligent Updater, it promptly found the 'virus'.
4. By now, McAfee has identified this as a new Bagle variant....another
infected message arrives, so I go to another computer on my network and
this time, I can do a Live Update and actually get something dated
today, so I go back to my own PC and try Live Update...nothing...but I
see that the Intelligent Update rev. number has changed so I grab that.
Now all I had to do was touch the live files on my Desktop with my
cursor and NAV deleted them with a dire warning....about time!

Here's the scoop on the Bank One connection....the first copy of this
new Bagle worm that I received came from a computer at Sigma Marketing
in NY, and it was sent to an address that I have only given to Bank One
for online access to their site, so I went to the sigmamarketing.com
site and look at their clients list, and there's Bank One. That means
that some idiot

You mean like you or me? hee hee.( I know you mean 'business' and not
a home machine)
at Sigma clicked on the darn ZIP file and executed the
EXE, and then their computer proceeded to spew worms "From" one Bank One
customer's email address "To" another customer address. I called them
and got them to confess, and then I reported it to Bank One's Corporate
Security folks...I don't think they're having a very good Monday...

Amazing that you mention Bank One.
I just started an account with them about one month ago.
I rarely receive any SPAM. The first instance of an increase was after
I signed up with Bank One (coincidence?) .
Probably is.
I had a similar thing happen with the address that I only gave to the
Bank of America for their "portal" -- back in May, I received a worm at
that address and so I did some digging and found that the worm
originated in India, on the computer of an employee of "Yodlee," a
company that does "aggregation" of financial info for many banks. They
were all in denial for a long time about that one, but I had
incontrovertible proof about the origin of the infection.

I guess the security procedures for both of those big banks need a
little overhaul.

DT in AZ

Live and learn.
I'm still adventurous and always 'breaking' and fixing my home PC, so
it's no big deal to me.
However, it is the first 'virus' that has ever gotten on my machine.
It probably won't be the last. :)
Buffalo
PS: Thanks for your post.
 
Yes, I've received two zipped email attachments today with names
price.zip and price1.zip.

What were the files inside the zip files?

McAfee alerts as JS/IllWill on a JS portion
 
I am running Symantec Antivirus CE. I have the latest virus
definitions from Symantec 8/9/2004 rev 37 (60809ak), but when I detach
the newprice.zip and new__price.zip files to my desktop, and run virus
scan, there are no viruses found. Does anyone have an explanation to
this?

I have also scanned my computer in SAFE MODE, and no viruses were
found.

Two other employees in my company have received these files by e-mail,
before the latest virus definitions were released by Symantec, and the
sender was another guy working in my company.

After running LiveUpdate and made sure that the virus definition file
was the latest one, I have scanned these computers as well, but no
virus found.

Isn't it a bit strange that the virus is not detected, even if the
files are on our computers?
 
Duane Lambe said:
Same thing here, few systems internally have it (those that aren't 100%
"good" at recognition yet :). No news yet, but both SAV Corp 9, and
Frisk on our mail server missed it.

Our defs are the same as yours, rev 34, and they're ineffective against
whatever this is - all that's known is that's it's a mass-mailer.

I've also got these files in different mails today, as well as other
users in my company. But the files that I am receiving are empty. I
have scanned them with the latest virus definitions from Symantec
(8/9/2004 v37 aka 60809ak) installed, and no viruses are found. There
are no files in the zip file.

In our Symantec Gateway, the policy is set to delete every attachments
of the .exe and .html types, are these kind of files deleted within
the zip files as well? Is that why we don't get any files in the
newprice.zip and similar files from this virus?

Is there a chance that we are infected?
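The post above asks whether a gateway that deletes .exe and .html attachments also acts on such files inside a zip, and notes that the received archives were empty. As an added example (not code from the thread and not a description of how Symantec Gateway behaves), the block below shows what an inline archive check at a mail filter looks like: it lists the members of a zip in memory without extracting to disk, flags members with the blocked extensions even when they sit in a sub-folder (the thread mentions price\price.exe), and reports an empty or malformed archive separately. The archives it builds are constructed placeholders with harmless content.

```python
import io
import os
import zipfile
from typing import Dict

# Attachment types the gateway policy in the post above deletes; the same
# extensions are treated as blocked when they appear inside an archive.
BLOCKED_EXTENSIONS = {".exe", ".html"}


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed test archive in memory (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(data: bytes) -> dict:
    """Classify a zip attachment from its central directory; nothing is extracted."""
    report = {"valid_zip": True, "empty": False, "members": [], "blocked": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        report["valid_zip"] = False
        return report
    report["members"] = names
    report["empty"] = not names
    for name in names:
        # judge the member's own extension, whatever folder it is stored under
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            report["blocked"].append(name)
    return report


def gateway_verdict(data: bytes) -> str:
    """Reduce the report to the action a mail filter would take."""
    r = inspect_attachment(data)
    if not r["valid_zip"]:
        return "reject: not a zip archive"
    if r["empty"]:
        return "flag: empty archive"
    if r["blocked"]:
        return "quarantine: " + ", ".join(r["blocked"])
    return "pass"
```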
 
Use the Intelligent Updater on the Symantec site for the very latest
definitions and then run it again.
It sounds as if Symantec had two definitions released on the 9th, the
first one (which you most likely had) didn't detect it but the later
one did.
 