New virus (price.cpl - Bagle variant) and current Virus-Total results

Discussion in 'Anti-Virus' started by Virus Guy, Sep 13, 2005.

  1. Virus Guy

    Virus Guy Guest

    This came in via e-mail today. Got past Symantec Corporate AV running
    on our server.

    I ran this through Virus Total earlier today (about 8-10 hours ago)
    and I think only 6 AV programs identified it. Many more are doing so
    now.

    The file (price2.zip) was attached to an e-mail with no subject. The
    file unzips to price.cpl (a control panel extension) with a time-stamp
    of Tuesday Sept 13 12:24:24 am. size = 14340 bytes.

    The only interesting bit of readable text inside it is "open
    \gfgdgfddfgdfgwe.exe".

    Anyways, here are the virus total results. I'll check again in a week
    and see how the various vendors are doing with this one.

    ---------------

    Scanned Sept 12 / 10pm EST:

    BitDefender 7.0 09.02.2005 no virus found
    CAT-QuickHeal 8.00 09.12.2005 no virus found
    eTrust-Iris 7.1.194.0 09.13.2005 no virus found
    eTrust-Vet 11.9.1.0 09.12.2005 no virus found
    Ikarus 0.2.59.0 09.12.2005 no virus found
    McAfee 4579 09.12.2005 no virus found
    VBA32 3.10.4 09.12.2005 no virus found
    The Cleaner v3843 09.12.2005 no virus found
    Fortinet 2.41.0.0 09.07.2005 suspicious


    ClamAV devel-20050725 09.13.2005 Worm.Bagle.BB-gen
    DrWeb 4.32b 09.12.2005 Win32.HLLM.Beagle.12288
    AntiVir 6.31.1.0 09.12.2005 DR/Bagle.P
    Avast 4.6.695.0 09.12.2005 Win32:Mitglieder-BK
    AVG 718 09.12.2005 I-Worm/Bagle.EQ
    Avira 6.31.1.0 09.12.2005 DR/Bagle.P
    F-Prot 3.16c 09.13.2005 security risk named W32/Mitglieder.FB
    Kaspersky 4.0.2.24 09.13.2005 Email-Worm.Win32.Bagle.cs
    NOD32v2 1.1214 09.12.2005 Win32/Bagle.BI
    Norman 5.70.10 09.12.2005 W32/Bagle.CS
    Panda 8.02.00 09.12.2005 W32/Bagle.EK.worm
    Sophos 3.97.0 09.13.2005 Troj/Dropper-BC
    Symantec 8.0 09.13.2005 Trojan.Tooso.N
    TheHacker 5.8.2.105 09.12.2005 W32/Bagle.cs
     
    Virus Guy, Sep 13, 2005
    #1
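As an added example (not code from the thread or from any of its posters), the script below parses a results listing in the layout shown above and reports how many engines flagged the file, which family name the detections converge on, and which misses came from engines whose signature sets predate the scan. The embedded sample is a constructed subset of the lines above, and the 'Vendor version MM.DD.YYYY verdict' layout is an assumption read off that listing.

```python
# Added example (not from the thread): parse a VirusTotal-style listing and
# report detection ratio, family-name consensus, and stale-signature misses.
import re
from collections import Counter
from datetime import date

# Constructed sample: eight of the 23 result lines quoted in the first post;
# the layout 'Vendor version MM.DD.YYYY verdict' is assumed from that listing.
SAMPLE = """\
BitDefender 7.0 09.02.2005 no virus found
The Cleaner v3843 09.12.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 suspicious
ClamAV devel-20050725 09.13.2005 Worm.Bagle.BB-gen
DrWeb 4.32b 09.12.2005 Win32.HLLM.Beagle.12288
Kaspersky 4.0.2.24 09.13.2005 Email-Worm.Win32.Bagle.cs
Sophos 3.97.0 09.13.2005 Troj/Dropper-BC
Symantec 8.0 09.13.2005 Trojan.Tooso.N
"""
SCAN_DATE = date(2005, 9, 12)  # the post says "Scanned Sept 12 / 10pm EST"
NO_DETECT = ("no virus found", "suspicious")
DATE_RE = re.compile(r"\b(\d{2})\.(\d{2})\.(\d{4})\b")
# Vendors spell the same family differently; fold the spellings seen here.
FAMILY_ALIASES = {"beagle": "bagle", "bagle": "bagle", "tooso": "tooso"}

def parse(text):
    """One dict per result line; the date token anchors the split because vendor names may contain spaces."""
    rows = []
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if not m:
            continue  # headings and blank lines
        vendor, version = line[:m.start()].rsplit(None, 1)
        mm, dd, yyyy = map(int, m.groups())
        rows.append({"vendor": vendor, "version": version,
                     "sigdate": date(yyyy, mm, dd),
                     "verdict": line[m.end():].strip()})
    return rows

def family(verdict):
    """Normalized family for a vendor's detection name, or None if unknown."""
    low = verdict.lower()
    return next((fam for k, fam in FAMILY_ALIASES.items() if k in low), None)

def summarize(rows, scan_date=SCAN_DATE, max_age_days=3):
    hits = [r for r in rows if r["verdict"] not in NO_DETECT]
    return {"detected": len(hits), "total": len(rows),
            "families": Counter(family(r["verdict"]) or "other" for r in hits),
            # misses by engines whose signatures were older than max_age_days
            "stale_misses": [r["vendor"] for r in rows
                             if r["verdict"] == "no virus found"
                             and (scan_date - r["sigdate"]).days > max_age_days]}
```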

  2. On that special day, Virus Guy, () said...
    Already identified as Bagle-Downloader. See

    Gabriele Neukam

     
    Gabriele Neukam, Sep 13, 2005
    #2

  3. Hey Virus Guy - I would like to test one of my systems with a live
    specimen. Have AVG/eTrust/Anti-Vir/BitDefender/ClamWin installed. Can
    you send me a copy? maxpro4u@neoDOTrrDotcom (remove the DOTs).
    -max
    --
    Playing Nice on Usenet:
    http://oakroadsystems.com/genl/unice.htm#xpost
    My Pages: http://home.neo.rr.com/manna4u/
    http://home.neo.rr.com/manna4u/keepingclean.html
    http://home.neo.rr.com/manna4u/virusprevention.html
    http://home.neo.rr.com/manna4u/tools.html
    Change nomail.afraid.org to yahoo.com to reply.
    Registered Linux User #393236
     
    What's in a Name?, Sep 13, 2005
    #3
  4. Virus Guy

    Virus Guy Guest

    Look for it.
     
    Virus Guy, Sep 14, 2005
    #4
  5. kurt wismer

    kurt wismer Guest

    What's in a Name? wrote:
    [snip]
    in other words, you want him to send samples to people he doesn't know
    he can trust and potentially contribute to the virus problem rather than
    the solution...

    go troll for viruses elsewhere, please...
     
    kurt wismer, Sep 14, 2005
    #5
  6. I guess he trusts me. By the way, all the AVs caught it and AVG was
    the first one to go "off".
    -max
     
    What's in a Name?, Sep 14, 2005
    #6
  7. Thanks. On this system (Win2000) with AVG/eTrust/AntiVir/Avast all
    running as resident, AVG was the first to pop up with warnings.
    I am going to resend it to myself because I forgot I had set AVG to
    move any password protected files to vault.
    -max
     
    What's in a Name?, Sep 14, 2005
    #7
  8. From: "kurt wismer" <>


    |
    | in other words, you want him to send samples to people he doesn't know
    | he can trust and potentially contribute to the virus problem rather than
    | the solution...
    |
    | go troll for viruses elsewhere, please...
    |
    | --
    | "they threw a rope around yer neck to watch you dance the jig of death
    | then left ya for the starvin' crows, hoverin' like hungry whores
    | one flew down plucked out yer eye, the other he had in his sights
    | ya snarled at him, said leave me be - i need the bugger so i can see"

    Max has been around for a "long time" and can be trusted. He is not trolling to add to a
    collection.
     
    David H. Lipman, Sep 14, 2005
    #8
  9. kurt wismer

    kurt wismer Guest

    that doesn't mean he can be trusted... raid was around for a long time,
    would you trust him?

    if there was a pre-existing relationship of trust between max and virus
    guy then he could have made that request in private... arguably he
    should have made the request in private so as to not lend credence to
    the idea that this is a place where people share viruses...

    and frankly, if the only issue was whether or not he was going to add it
    to a collection then it would be a non-issue - i don't care what people
    collect or how big their collections are... the issue is trust - in
    motives and in competency... can virus guy be adequately certain that
    max doesn't have nefarious motives and/or that max is competent to
    handle live samples safely? i seriously suspect the answer is no (i also
    suspect that virus guy could care less, but that's another matter
    entirely)...
     
    kurt wismer, Sep 15, 2005
    #9
  10. Virus Guy

    Virus Guy Guest

    I had a quick look at his posting history (sorted my display by
    Sender) and became reasonably sure that "What's in a name" wasn't a
    fly-by lurker or someone with little or no posting history. Someone
    with nefarious motives would probably be too busy writing mal-ware or
    chatting with buddies on Sekret Forumz or controlling his/her army of
    zombies rather than reading these ng's (that would be lame).
    I did think about it (for maybe 30 seconds) but I rationalize it like
    this:

    1) the people that author the mal-ware I'm sure would like it if we
    were too afraid to handle (and share) their crap and experiment with
    it (from a detection or protection point of view). Real-life labs
    send samples of real viruses to each other all the time for the same
    reasons.

    2) anyone that _can_ reverse-engineer or modify a mal-file such that
    ->they<- can benefit or take advantage of its functionality for their
    own ends probably doesn't need to have samples sent to them. Anyone
    who simply takes a mal-file and passes it (un-modified) to someone
    else will have gained nothing because presumably only the original
    author knows and has programmed it for specific functionality that
    he/she will benefit from in a covert way.

    3) Anyone asking for a mal-file, and reading these ng's (and the
    specific thread) probably knows how to handle them so that they don't
    infect themselves (granted, this is the weakest of the 3 suppositions,
    but it doesn't involve bad intentions on the part of the requester).

    4) how do we really know that Virus Total isn't a front for nefarious
    interests?
     
    Virus Guy, Sep 15, 2005
    #10
  11. As I said I just wanted to test my setup with a live subject because
    I only tested with a test file. By the way, I don't collect malware,
    only coins ;)
    -max
     
    What's in a Name?, Sep 15, 2005
    #11
  12. From: "What's in a Name?" <>


    | As I said I just wanted to test my setup with a live subject because
    | I only tested with a test file. By the way, I don't collect malware,
    | only coins ;)
    | -max

    I bet you would like a 1909 VDB -- wouldn't 'ya ! ;-)
     
    David H. Lipman, Sep 15, 2005
    #12
  13. Did you know that 10 or so 1909's are put into circulation every
    year?
    -max
     
    What's in a Name?, Sep 15, 2005
    #13
  14. Art

    Art Guest

    Reminds me of an old Maxwell Smart program where Max busts up a spy
    ring associated with a Chinese laundry. At the end he says, "Yes
    chief, it turned out that the spy ring was just a front. The real
    money was in the laundry business".

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 15, 2005
    #14
  15. From: "What's in a Name?" <>


    | Did you know that 10 or so 1909's are put into circulation every
    | year?
    | -max

    But does it have the initials of Victor David Brenner?
    How about it being minted in San Francisco and not in Philly?
     
    David H. Lipman, Sep 15, 2005
    #15
  16. kurt wismer

    kurt wismer Guest

    congratulations on your superficial analysis...
    as a point of fact, alt.comp.virus started out its life as a virus
    trading newsgroup... it *was* one of those "sekret forumz"... there have
    been many high profile vx members participating here over the years and
    it would be foolish to assume they were the only ones on that side of
    the line who did and/or that there aren't still some around...
    no, actually they encourage everyone to do so... they are not interested
    in limiting the spread of those materials because they wouldn't be able
    to justify their own irresponsible sharing if they did...
    real-life labs send samples through channels where there are established
    trust relationships... it's not a case of mcafee labs sharing samples
    with symantec labs, it's a case of someone at mcafee and someone at
    symantec knowing and trusting each other (or better still, both
    belonging to CARO)...
    right, because having skill but no connections just isn't possible...
    and still they do it anyways...
    spoken like someone who hasn't been here very long...
    who said they aren't? not me... however they're a little too high
    profile to escape the scrutiny of the various anti-virus companies - the
    fact that they aren't leveling accusations of that type against virus
    total suggests that (at least for now) there's no evidence of nefarious
    interests there...
     
    kurt wismer, Sep 16, 2005
    #16
  17. kurt wismer

    kurt wismer Guest

    What's in a Name? wrote:
    [snip]
    which (after 'educational purposes') is one of the more popular reasons
    given...
     
    kurt wismer, Sep 16, 2005
    #17
  18. Virus Guy

    Virus Guy Guest

    I'm only doing this because you bothered to irritate me with your last
    post.

    -------------------

    Search keywords:

    virus samples archive download library

    http://groups.google.ca/groups?q=virus%20samples%20archive%20download%20library&hl=en&lr=&sa=N&tab=wg

    Last result on page 1:

    http://vx.netlux.org/
    .... updated collection of magazines, virus samples, virus sources,
    polymorphic engines, virus generators, virus writing tutorials ...
    articles, books, news archives etc ... fido7.su.cm - Mar 1 2004,
    6:31 am by Igor Dikshev - 4 messages - 4 authors

    ---------

    http://vx.netlux.org/

    "Welcome to VX Heavens! This site is dedicated to providing
    information about computer viruses (or virii, as some would prefer) to
    anyone who is interested in this topic.

    This site contains a massive, continuously updated collection of
    magazines, virus samples, virus sources, polymorphic engines, virus
    generators, virus writing tutorials, articles, books, news archives
    etc.

    Some of you might reasonably say that it is illegal to offer such
    content on the net. Or that this information can be misused by
    "malicious people". I only want to ask that person: "Is ignorance a
    defence?"

    ----------

    Nuf said.

    When I become the last source on the internet for virus samples, come
    back and bark at me some more.
     
    Virus Guy, Sep 16, 2005
    #18
  19. kurt wismer

    kurt wismer Guest

    Virus Guy wrote:
    [snip]
    providing virus samples carelessly is like littering - every little bit
    counts...
     
    kurt wismer, Sep 17, 2005
    #19
  20. From: "kurt wismer" <>

    | Virus Guy wrote:
    | [snip]
    | providing virus samples carelessly is like littering - every little bit
    | counts...

    Kurt the wiseman.

    The problem with you Kurt is that you are correct all too often ! :)
     
    David H. Lipman, Sep 17, 2005
    #20