Theres a nasty out there at the moment identified as Worm.Zhelatin.Gen, Worm.Zhelatin.Gen, Win32.Email-Worm.Zhelatin.uv4 and other names by other AVS, however not currently by Avast!.

I have emailed a sample to the lab so hopefully it’ll get sorted soon.

It seems to be a dropper and exists in the %windir%system32 directory as file name n2ewma1xxsv234.exe or n2ewma1xxsv2234.exe.

Registy entry is in HKLM/Software/Microsoft/Windows/Current Version/Run

I’ve got one PC infected so far, it’s been isolated and manually cleaned, but it seems to have done something a bit more critical to it as it crashes when a malware scan is run.

Jotti online scan shows thusly. Still no resolution from the labs. They must be snowed under.

A-Squared Found nothing
AntiVir Found WORM/Zhelatin.Gen
ArcaVir Found Trojan.Packed.Tibs.Ia
Avast Found nothing
AVG Antivirus Found SHeur.ASDG
BitDefender Found Trojan.Peed.IWT
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Packed.Win32.Tibs.ia
Fortinet Found nothing
Ikarus Found Virus.Packed.Win32.Tibs.ia
Kaspersky Anti-Virus Found Packed.Win32.Tibs.ia
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/TibsPak
VirusBuster Found Trojan.Tibs.Gen!Pac.E
VBA32 Found nothing

It appears that the Tibs.IA virus (which I think this is) has been around since late December last year (2007).

Isn’t that a bit long for Avast! to come up with a signature file?

zhelatin needs an update of its generic detection… it will be done, but i don’t know when exactly (very soon, hopefully)…

I had to wipe the PC in the end, just couldn’t shift it.

Do you mean reformat and clean install?
What a pity…