Proof-of-Concept submitted to Kaspersky Lab

Article from ZD Net Australia (Security News): possible new threat targeting Windows and Linux

http://www.zdnet.com.au/news/security/soa/Sample_virus_targets_Windows_and_Linux/0,2000061744,39251006,00.htm

Kaspersky has added detection for the malicious software to its antivirus databases
Has Alwil done the same for avast! users?

Also basically the same info on ZD Net US …

http://news.zdnet.com/2100-1009_22-6059140.html?tag=nl.e622


What’s important is whether or not we are protected.

;D Good question, Bob, that’s why I put it there.

Unfortunately we still don’t have an answer from Alwil… :‘( :’(

Since we still haven’t heard from Alwil, does that mean we aren’t protected against this attack?

Hi malware fighters,

It is only a proof of concept, Bob. It does not do anything yet. But as soon as the rabbit is out of the hat, the malware authors will follow with their bunch of “nasties”.
Cross-platform virus - the latest proof of concept

Kostya April 07, 2006 | 07:32 GMT

We’ve received a new sample: another cross-platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a / Virus.Win32.Bi.a

The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively.

To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.

Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.

The virus uses Kernel32.dll functions to infect systems running Win32. It injects its code into the final section, and gains control by again changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the PE TimeDateStamp header field.

Infected files contain the following text strings:

[CAPZLOQ TEKNIQ 1.0] (c) 2006 JPanic:

This is Sepultura signing off…

This is The Soul Manager saying goodbye…

Greetz to: Immortal Riot, #RuxCon!

The infector itself contains the following strings:

[CAPZLOQ TEKNIQ 1.0] VIRUS DROPPER (c) 2006 JPanic

[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!

The virus doesn’t have any practical application - it’s classic Proof of Concept code, written to show that it is possible to create a cross platform virus.
However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.

Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received. And Avast?

polonus
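The write-up above gives two concrete places where the infection marker lives: a 2-byte value 7DFBh at offset 0Bh of an ELF file (that is inside the e_ident padding, which is normally zero) and the same value inside the TimeDateStamp field of a PE file's COFF header. The following scanner is an added example written for this thread; it is not Kaspersky's or Alwil's code and it was not part of the original posts. It parses just enough of the ELF and PE headers to read those two fields and flags a match. Two details the write-up does not state are assumptions here and are marked as such in the code: that the marker is stored as a little-endian 16-bit word, and that in PE files it occupies the low 16 bits of the 4-byte TimeDateStamp. The sample headers at the bottom are constructed for the demonstration, not taken from infected files.

```python
"""Triage scanner for the 2-byte infection marker described in the write-up above.

Checks the two places the write-up names: offset 0x0B of an ELF file (inside the
e_ident padding) and the TimeDateStamp field of a PE file's COFF header.
"""
import os
import struct

MARKER = 0x7DFB            # marker value from the write-up
ELF_MARKER_OFFSET = 0x0B   # e_ident[0x0B], inside EI_PAD (bytes 9..15)
ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def elf_has_marker(data: bytes) -> bool:
    """True if data looks like an ELF file carrying the marker at e_ident[0x0B]."""
    if len(data) < 0x34 or data[:4] != ELF_MAGIC:   # 0x34 = smallest (ELF32) header
        return False
    # Assumption: the marker is stored as a little-endian 16-bit word.
    return struct.unpack_from("<H", data, ELF_MARKER_OFFSET)[0] == MARKER


def pe_has_marker(data: bytes) -> bool:
    """True if data looks like a PE file whose COFF TimeDateStamp carries the marker."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_NT_HEADERS: Signature(4) Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return False
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # Assumption: the marker occupies the low 16 bits of the 4-byte TimeDateStamp.
    return (timestamp & 0xFFFF) == MARKER


def classify(data: bytes):
    """Return (format, flagged): format is 'ELF', 'PE' or None for anything else."""
    if data[:4] == ELF_MAGIC:
        return "ELF", elf_has_marker(data)
    if data[:2] == MZ_MAGIC:
        return "PE", pe_has_marker(data)
    return None, False


def scan_directory(path: str = "."):
    """Scan the files of one directory (the virus only infects its current directory)."""
    hits = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            fmt, flagged = classify(fh.read(4096))   # both markers sit in the first 4 KiB
        if flagged:
            hits.append((full, fmt))
    return hits


# --- constructed sample headers (not real infected files) ---------------------

def make_elf_header(marked: bool) -> bytes:
    """Minimal 64-byte ELF64 header; marker written at e_ident[0x0B] if requested."""
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4:8] = bytes([2, 1, 1, 0])           # ELFCLASS64, little-endian, EV_CURRENT, SYSV
    if marked:
        struct.pack_into("<H", hdr, ELF_MARKER_OFFSET, MARKER)
    return bytes(hdr)


def make_pe_header(marked: bool) -> bytes:
    """Minimal DOS header + PE signature + COFF header with a chosen TimeDateStamp."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT headers start right after
    stamp = 0x00007DFB if marked else 0x44332211   # marked: low 16 bits == MARKER
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_MAGIC + coff


if __name__ == "__main__":
    for label, blob in (("elf-marked", make_elf_header(True)),
                        ("elf-clean", make_elf_header(False)),
                        ("pe-marked", make_pe_header(True)),
                        ("pe-clean", make_pe_header(False))):
        print(label, classify(blob))
    for path, fmt in scan_directory("."):
        print("marker found in", fmt, "file:", path)
```

A match is a triage flag, not a verdict: a legitimate PE has a 1-in-65536 chance of a build timestamp whose low word happens to be 7DFBh, and ELF padding bytes are normally zero but nothing forbids other values, so anything the script flags should be confirmed with a real scanner (or by checking that the entry point has been moved off the .text section, as the write-up describes). Because the infector only touches its current directory, running the script from the directory where a suspect file was executed covers the files it could have reached.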

Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received.
My point exactly. I'd like protection (since we know it's available by Kaspersky's example) before it comes out. Prevention is better than trying to clean up a mess after the fact.

I think that the virus was added to the VPS 0615-2 :wink: ;D

12.04.2006 - 0615-2

Agent [Trj], Win32/ELF:BI, Win32:Agent-MP [Trj], Win32:Bancos-RZ [Trj], Win32:Banker-AHG [Trj], Win32:Banker-AHH [Trj], Win32:Banker-AHI [Trj], Win32:Banker-AHJ [Trj], Win32:Banker-AHK [Trj], Win32:Banload-GH [Trj], Win32:Banload-GI [Trj], Win32:Beagle-KB2 [Wrm], Win32:Beagle-KK [Wrm], Win32:Beagle-KL [Wrm], Win32:Beagle-KM [Wrm], Win32:Beagle-KN [Wrm], Win32:Beagle-KO [Wrm], Win32:BotCrypt-gen [Trj], Win32:Delf-WT [Trj], Win32:Kelino-D [Wrm], Win32:Mytob-QE [Wrm], Win32:Nahata-E [Wrm], Win32:Rbot-BKT [Trj], Win32:Rbot-BKU [Trj], Win32:Rbot-BKV [Trj], Win32:Rbot-BKW [Trj], Win32:Rbot-BKX [Trj], Win32:Rbot-BKY [Trj], Win32:Rbot-BKZ [Trj], Win32:Rbot-BLA [Trj], Win32:Rbot-BLB [Trj], Win32:Rbot-BLC [Trj], Win32:Rbot-BLD [Trj], Win32:Rbot-BLE [Trj], Win32:Rbot-BLF [Trj], Win32:Rbot-BLG [Trj], Win32:Rbot-BLH [Trj], Win32:Rbot-BLI [Trj], Win32:Rbot-BLJ [Trj], Win32:Rbot-BLK [Trj], Win32:Rbot-BLL [Trj], Win32:Rbot-BLM [Trj], Win32:Rbot-BLN [Trj], Win32:Rbot-BLO [Trj], Win32:Rbot-BLP [Trj], Win32:Rbot-BLQ [Trj], Win32:Rbot-BLR [Trj], Win32:Sdbot-3342 [Trj], Win32:Sters-C [Trj], Win32:Swizzor-gen [Trj], Win32:Trojano-N [Trj], Win32:Trojano-O [Trj], Win32:Trojano-P [Trj]

Thanks XMAS but it wouldn’t have hurt for someone from Alwil to answer. :frowning:

Alwil added this virus on April 12 (12.04.2006 - 0615-2), while Antivir (Avira) and CA, for example, added it on April 11 :slight_smile:
http://www.avira.com/en/threats/index.html
http://www3.ca.com/securityadvisor/virusinfo/

Just got on the board. Well, I got the Win32:Trojan-P, Trojen-gen, Trojen.intell32, last evening. Avast alerted me, but couldn’t do anything to clean, repair, or delete the infected files. And believe me, these are running through my system, XP Pro, like water in a pipe. I need help badly. Ran Avast at startup, turned off System Restore, ran Avast and at least 4 spyware programs in Safe Mode, and it’s still back.
Any help out there?
Tony

Ok.

Which ones?

Oh, why don’t you start a new thread instead of hijacking this one? :wink:

Did you try running a boot scan? If you’re unsure how to:

Go to Start > Avast! Antivirus
(Depending on the skin you have) Settings > Schedule Boot Time Scan
Restart the computer

Hope this helps.

Tech, I will, sorry.
I am at the office, so just going by my memory… xspysoft, adware, spykiller, spybot

Oh, I did run the boot scan. Also, how do you start a new thread? Sorry, but I’m new to the board, though relatively competent with computers, so to speak.

I, particularly, don’t like those ones.

I use these.
But you need a trojan remover: www.ewido.net, and it’s better if you also use a2 (www.emsisoft.com/en/software/free/).

Thanks Tech. I will try them this evening when I get home, assuming my eyes aren’t still burned from jacking with this thing for about 6 hours last night and early this morning.


Welcome to the forums, tonykf. :slight_smile:

At the top of each forum category list is a New Topic button. Click this and fill in the form (subject, text, additional options, etc.) when it opens. It is much like the Reply button except you get to choose the subject. :wink:

Please come back often, learn more, and maybe help others. :slight_smile: