This virus replaces nearly ALL of the exe files on a machine with
virus-infected files. Most AV products do not detect it:
AntiVir 6.31.0.9 07.14.2005 W32/Stanit
AVG 718 07.14.2005 Win32/Gaelicum.A
Avira 6.31.0.9 07.14.2005 W32/Stanit
BitDefender 7.0 07.14.2005 no virus found
CAT-QuickHeal 7.03 07.14.2005 no virus found
ClamAV devel-20050501 07.14.2005 no virus found
DrWeb 4.32b 07.14.2005 Win32.Gael.3666
eTrust-Iris 7.1.194.0 07.13.2005 no virus found
eTrust-Vet 11.9.1.0 07.14.2005 no virus found
Fortinet 2.36.0.0 07.14.2005 suspicious
F-Prot 3.16c 07.14.2005 could be infected with an unknown virus
Ikarus 2.32 07.14.2005 no virus found
Kaspersky 4.0.2.24 07.14.2005 Virus.Win32.Tenga.a
McAfee 4535 07.14.2005 W32/Gael
NOD32v2 1.1168 07.14.2005 probably unknown WIN32 virus
Norman 5.70.10 07.14.2005 no virus found
Panda 8.02.00 07.14.2005 no virus found
Sybari 7.5.1314 07.14.2005 W32/Gael
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.14.2005 no virus found
Since there is no universal naming convention for virus names, it may not be called this by avast, so it is difficult to check by name alone. It is too new to have been included in Virus Bulletin’s VGREP resource (shows aliases for other AVs).
Since there is no listing on this for avast in your post, I assume that you didn’t use Jotti (it has avast as one of its scanners). If you still have the source file, you could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
This will have the dual benefit of confirming your question and, if not detected by avast, the sample should be sent to avast.
You could also send it to avast: you can zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).
Give a brief outline of the problem and the fact that you believe it to be a new virus, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Well, the current risk assessment for many AV companies is low, for corporate and home users alike. A good firewall should curtail some of its activity by blocking outbound connections and by blocking NETBIOS traffic.
CHARACTERISTIC
When it is executed tries to infect feasible in shared resources of networks.
It also tries to infect archives via NetBIOS, and IP addresses at random, through TCP port 139.
It uses the vulnerability in the Remote Procedure Call (RPC) component, which allows the exchange of information between equipment in Windows NT 4.0, 2000 and XP.
This vulnerability was corrected by Microsoft in security bulletin MS03-026 and later:
Vulnerability RPC/DCOM: MS03-026
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
The virus tries to download and execute a file from a remote server; this is detected as Win32/Small.GL.
It can also receive command lines from a remote attacker, from a predefined server.
Finally, it also tries to deactivate the file protections of Windows.
Note that it is taking advantage of a vulnerability patched by Windows in 2003, so ensure that your OS is up to date.
The true concern is that it infects the exe files in a few minutes and that it is not possible to repair them.
Windows ended up frozen.
Therefore, formatting and reinstallation.
One of my friends has or had this virus. I took his hard drive out, put it in another PC as a secondary drive, scanned it, cleaned it, scanned with 4 scanners and it was clean. I gave him back his PC, it was clean for 24 hours, then bam, infected again! Now I have avast free running on his PC, and he still ended up with it again? It now tests clean after a few scans. I have turned on the firewall now and I assume this will stop future infections? But how did the second infection get through avast?
A firewall is necessary, but you need to keep your Windows updated, avast! updated and running, some antispyware application…
Well, safe surfing won’t make that bad for the computer.
In fact, the infection (if any) is inside of your computer and just ‘comes back’, is activated…
Do a full avast! scan, including archives, clean your temporary files, disable system restore, boot and enable it again…
All of these will protect you against reinfection 8)