new (?) worm 

10nico · 2006-09-23T09:28:14.000Z

Hi all, a week ago I sent a sample (using virus chest) of a virus/worm/trojan that avast didn’t detect at all.
At that time it was already detected by several other AVs (I checked using virustotal webpage) and had already infected a friend’s pc (using avast too).
It was detected with the following names:

AntiVir 7.2.0.18 09.22.2006 TR/Bagle.DP
Authentium 4.93.8 09.23.2006 W32/Downloader.AGKP
Avast 4.7.844.0 09.22.2006 no virus found
AVG 386 09.22.2006 Proxy.FSC
BitDefender 7.2 09.23.2006 no virus found
CAT-QuickHeal 8.00 09.22.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 09.23.2006 no virus found
eTrust-InoculateIT 23.73.3 09.23.2006 Win32/Glieder.DX!Trojan
eTrust-Vet 30.3.3093 09.22.2006 Win32/Glieder.DX
DrWeb 4.33 09.22.2006 Trojan.BeagleProxy
Ewido 4.0 09.23.2006 Proxy.Mitglieder.ei
Fortinet 2.82.0.0 09.23.2006 W32/Mitglieder.EI!tr
F-Prot 3.16f 09.22.2006 security risk named W32/Downloader.AGKP
F-Prot4 4.2.1.29 09.23.2006 W32/Downloader.AGKP
Ikarus 0.2.65.0 09.23.2006 Backdoor.Win32.Rbot.awg
Kaspersky 4.0.2.24 09.23.2006 Trojan-Proxy.Win32.Mitglieder.ei
McAfee 4858 09.22.2006 no virus found
Microsoft 1.1560 09.23.2006 no virus found
NOD32v2 1.1768 09.22.2006 Win32/Bagle.GX
Norman 5.80.02 09.22.2006 W32/Mitglied.ZV
Panda 9.0.0.4 09.23.2006 Trj/Mitglieder.KZ
Sophos 4.09.0 09.23.2006 no virus found
Symantec 8.0 09.23.2006 no virus found
TheHacker 6.0.1.077 09.22.2006 no virus found
UNA 1.83 09.22.2006 TrojanProxy.Win32.Mitglieder.6300
VBA32 3.11.1 09.23.2006 Trojan-Proxy.Win32.Mitglieder.ei
VirusBuster 4.3.7:9 09.22.2006 Trojan.DL.Bagle.KO

Now a week and two avast updates have gone by and the virus is still not detected…what should I do?
Resend it through virus@avast.com?
Pray a lot?

I can also add that it is a very nasty virus, I had to scan the infected pc with 3 other AVs from another fresh install of XP in another partition to get rid of it, and then again I had to replace several windows system files using SFC /SCANNOW.

Please do something!

Thank you

DavidR · 2006-09-23T12:49:50.000Z

It won’t hurt to send it again from the chest.

Where was the original file found, e.g. (C:\windows\system32\infected-file-name.xxx) ?

If it was in a system folder and it is effectively able to infect other system files, it needs permissions to do that and it gets that by inheriting the permission of the user account, if you log on and have administrative privileges so does the worm.

Prevention is obviously better than cure. Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc. So if it can’t get established it can’t inherit permission to infect system files.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

10nico · 2006-09-23T13:48:13.000Z

The virus was in a file downloaded thru P2P.
Since it was an .exe it was scanned with avast and since avast didn’t detect anything my friend executed it…and got infected.
The real symptoms began after a reboot, when he reconnected to internet: a lot of IE popups began to open all by themselves.
His user is member Administrators group (he’s the only user anyway) so the virus got all the rights.

I’m resending it now.

Thank you

Lisandro · 2006-09-23T14:01:28.000Z

Alwil team, please, if possible/needed, improve detection of this

DavidR · 2006-09-23T14:10:22.000Z

Thanks for the feed back, since many of the virus names from VirusTotal mention downloader this could also be downloading more of the same or worse.
What firewall are they using (I suspect just XP) ?

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

10nico · 2006-09-23T14:28:47.000Z

Needless to say, the pc had only windows firewall…
And , I’m sure of it, it was enabled before the infection, so the virus, or some of his “self invited friends”, must have disabled it. (and kept disabling it at every reboot!!! :o

I’ll have him install ZA free (I didn’t know there was one free from them!).

Thanks again to all!

10nico · 2006-09-26T13:21:32.000Z

Just an update

Even after the cleaning from another xp install on another partition the pc still kept reinfecting itself, so I was forced to format (ARGH!) and reinstall…
And in the meantime the VPS updates keep passing by but the virus isn’t detected :-\ :-\ :-
As of today there remain only 4 AVs that don’t detect the virus:

Avast , Sophos , Mcafee and Norton…

I’ve sent the sample several times but still no good news…so…
PLEASE DO SOMETHING ABOUT THIS!
We have more than 300 clients and 30 servers (that’s not only my friend’s problem anymore) and this means we are VULNERABLE!

Thanks again and excuse my rant…but it feels bad to be exposed.

Live long and prosper,

Michele

system · 2006-09-26T15:43:45.000Z

Hi Michele :

  Your friend's use of P2P is high risk behavior, especially
  when he only had the Windows "half" firewall . Hopefully
  you have "ranted" at him !? Are there antiSPYWARE
  and/or antiTROJAN program(s) on his computer ?
  These should be his 1st line of Defense against the
  "trojan downloader" that is being reported by the other
   AV's .

10nico · 2006-09-26T16:49:47.000Z

You’re perfectly right, but he’s one of those “download freaks” (one of those people that since have a faaast line to internet they MUST download every possible think they can)…
Actually I always managed to “save” him (and this adds to his false sense of security, I know :-[ ), not this time.

By the way he had AdAware , Spybot and Avast and all MS patches.

Now he has a clean formatted (already patched) pc and yes, I menaced to bite him in his back if he does it again!!! (plus a good verbal “rant”)

Luckyly here at work we don’t have a direct connection to internet (IE: the client’s default gateway doesn’t allow to establish a direct tcp/ip connection with the internet, we use a dansguardian+squid proxy to access the web.
And we don’t use Outlook express for the mail etc etc…
We also have a WSUS server.

But the possibility of an infection still exists and this keeps me from sleeping well!

We changed antivirus because the old one (mc**ee) didn’t catch some viruses and now it feels we’re back to square one…

Goodbye

system · 2006-09-26T21:34:52.000Z

i got the same Trojan the name is Win32:VB-MT [Wrm] and i cant remove it i need help for this

DavidR · 2006-09-26T22:06:35.000Z

How do you know it is the same trojan as the originator of this thread, avast didn’t detect his ?
Why can’t you remove it ?

And we need information to help you.
What Operating System are you using ? is it up to date ?
What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!) ?
What was the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
What actions have you taken to try and resolve the problem ?

10nico · 2006-09-28T12:36:10.000Z

Just a little update:

With today’s VPS (0639-3) the virus is properly detected as:
Win32:Mitglieder-CV [Trj]

AT LAST!

Many thanks to all Avast! crew and to all the forum users who answered

Michele

DavidR · 2006-09-28T13:12:18.000Z

Your welcome, thanks for the update.

Announcements