Unknown Virus

Its not detected by norton, sophos, nod32 nor avast. It keeps on writing itself to RUN registry. It affects NT/2000 which floods services.exe which causes the server to restart which was a symptom of sasser but it wasn’t. On XP machines, it disconnects it from the network, you cannot connect unless you restart the box. I have reported and sent this sample to nod32 and symantec, but haven’t received any news from them.

I hope you could shed some light for it was pestering us for almost a week.

http://rapidshare.com/files/31429313/winpatch.zip
No password

If you haven’t already done so, send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or

you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

Complete scanning result of “winpatch.exe”, received in VirusTotal at 05.15.2007, 14:52:06 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.15.1 05.15.2007 Win32/IRCBot.worm.282112
AntiVir 7.4.0.15 05.15.2007 BDS/Vanbot.X.8
Authentium 4.93.8 05.14.2007 no virus found
Avast 4.7.997.0 05.15.2007 no virus found
AVG 7.5.0.467 05.15.2007 Win32/CryptExe
BitDefender 7.2 05.15.2007 Backdoor.Vanbot.X
CAT-QuickHeal 9.00 05.14.2007 no virus found
ClamAV devel-20070416 05.15.2007 no virus found
DrWeb 4.33 05.15.2007 BackDoor.IRC.Sdbot.1360
eSafe 7.0.15.0 05.15.2007 no virus found
eTrust-Vet 30.7.3634 05.15.2007 no virus found
Ewido 4.0 05.15.2007 no virus found
FileAdvisor 1 05.15.2007 No threat detected
Fortinet 2.85.0.0 05.15.2007 W32/VanBot.BX!worm
F-Prot 4.3.2.48 05.14.2007 no virus found
F-Secure 6.70.13030.0 05.15.2007 Backdoor.Win32.SdBot.bif
Ikarus T3.1.1.7 05.15.2007 Backdoor.Win32.SdBot.bif
Kaspersky 4.0.2.24 05.15.2007 Backdoor.Win32.SdBot.bif
McAfee 5030 05.14.2007 W32/Nirbot.worm.gen
Microsoft 1.2503 05.15.2007 no virus found
NOD32v2 2267 05.15.2007 no virus found
Norman 5.80.02 05.15.2007 no virus found
Panda 9.0.0.4 05.15.2007 Suspicious file
Prevx1 V2 05.15.2007 Covert.Sys.Exec
Sophos 4.17.0 05.11.2007 W32/ExDns-Fam
Sunbelt 2.2.907.0 05.12.2007 no virus found
Symantec 10 05.15.2007 W32.Rinbot.BC
TheHacker 6.1.6.115 05.15.2007 no virus found
VBA32 3.12.0 05.14.2007 no virus found
VirusBuster 4.3.7:9 05.14.2007 no virus found
Webwasher-Gateway 6.0.1 05.15.2007 Trojan.Vanbot.X.8

Installing multi antivirus programs will mess your computer…
Some of them - specially Norton - isn’t fully uninstalled only by Control Panel > Add/Remove programs applet. Take care.

Please, don’t post live links to malware!!!

@ Frank
Your submission must have been in the queue before mine (just finished), VT is very busy at the moment.

I have also sent the sample to avast.

@DavidR - any updates?

You don’t normally get any feed back from avast unless they require more information.

I have just scanned the sample I put in the User Files section of the chest, but it still isn’t detected in today’s VPS update, I would have been surprised if I had.

This should answer my questions, http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
but it still doesn’t solve my problem.

Please read because it is a critical update. The virus/worm still lurks in our network. I’ve also sent the sample for analysis, haven’t heard from them.

@Tech - antivirus were not installed in one unit.

This critical update is for windows server OS versions. So I can’t see how it would solve your problem unless your network server if effected and hasn’t had the patch applied. It may be that the network shares are infected but I know very little about networks and systems using the share are getting infected.

Non-Affected Software: • Microsoft Windows 2000 Professional Service Pack 4 • Microsoft Windows XP Service Pack 2 • Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2 • Windows Vista • Windows Vista x64 Edition

It answered my question but didn’t solved my problem.

This is now detected.

Virus has been detected! File Name: winpatch.exe FileID: 20 Virus Description: Win32:Sdbot-4459 [Trj]

How long does it take since submition?

You only have to look at the date and time of the post and it will be close to the submission, I sent one in on “« Reply #4 on: May 15, 2007, 02:38:55 PM »” and Frank reported it detected on « Reply #10 on: May 18, 2007, 06:55:16 PM » which will be after that previous VPS update (18.5.2007 - 0741-1). So roughly that makes it probably a little under three days, not great but better than some that we have see of as many weeks.

Thanks David.

thanks for the help :slight_smile:

No problem, glad we could help.

A belated welcome to the forums.

hello, eventhough avast deletes it, it keeps coming back. attacks stopped for a week and now its on the rampage again.

Well there could either by another element downloading the malware again (you have to find that) or you keep visiting the same site that infected the system to start with. Or it could be being re-infected via your network, other systems not clean.

What is your firewall ?

You might also consider proactive protection (if this is possible on your network), in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

If you haven’t already got this software (freeware) to try and find any other elements of this infection, download, install, update and run it, preferably in safe mode.

  1. AVG anti-spyware (formerly Ewido) If using winXP. or a-Squared free if using win98/ME.

I’ve noticed that it’s attacking servers with SQL server installed. It copies itself from temporary internet files of another user account and writes itself to drive C:\ with x.exe.

I don’t know enough about networks to be of much help, but you are battling to keep systems clean when the server needs to protected with it’s own AV solution.

Is x.exe being detected by avast ?
If not send the sample to avast and upload it to VirusToial or Jotti.

Are you saying that the winpatch.exe is coming back (as that seems a little removed from x.exe?) if so what location is it going to ?
You never mentioned what the location was in your original post.

Sorry I’m calling it a late nigh now, 3:25 am here.