Hey Hey,

I was just about to head off to work when I did one last check of my email… and what do I see but an email with the subject ‘Mail Server Report’… The address doesn’t look familiar, but I’ve received a few of these lately from various mailing list submissions. This was the content of the email I opened:

—-

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service
—-

I’m rather impressed…. these bastards are getting slicker and slicker…. or maybe this has been around for a while and I just don’t pay much attention… Attached to the email was the file Update-KB8375-x86.zip.


I submitted the file to VirusTotal and here’s what I got back:

Complete scanning result of “Update-KB8375-x86.exe”, received in VirusTotal at 09.25.2006, 15:50:55 (CET).
Antivirus Version Update Result AntiVir 7.2.0.18 09.25.2006 Worm/Stration.C
Authentium 4.93.8 09.25.2006 no virus found
Avast 4.7.844.0 09.25.2006 no virus found
AVG 386 09.22.2006 no virus found
BitDefender 7.2 09.25.2006 DeepScan:Generic.Stration.F614E1C9
CAT-QuickHeal 8.00 09.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 09.25.2006 no virus found
eTrust-InoculateIT 23.73.4 09.24.2006 Win32/Stration.Variant!Worm
eTrust-Vet 30.3.3098 09.25.2006 no virus found
DrWeb 4.33 09.22.2006 no virus found
Ewido 4.0 09.25.2006 no virus found
Fortinet 2.82.0.0 09.25.2006 suspicious
F-Prot 3.16f 09.25.2006 no virus found
F-Prot4 4.2.1.29 09.25.2006 no virus found
Ikarus 0.2.65.0 09.25.2006 no virus found
Kaspersky 4.0.2.24 09.25.2006 no virus found
McAfee 4858 09.22.2006 New Malware.n
Microsoft 1.1560 09.24.2006 no virus found
NOD32v2 1.1774 09.25.2006 a variant of Win32/Stration
Norman 5.80.02 09.25.2006 no virus found
Panda 9.0.0.4 09.25.2006 Suspicious file
Sophos 4.09.0 09.25.2006 W32/Stratio-AN
Symantec 8.0 09.25.2006 no virus found
TheHacker 6.0.1.079 09.25.2006 no virus found
UNA 1.83 09.22.2006 no virus found
VBA32 3.11.1 09.25.2006 no virus found
VirusBuster 4.3.7:9 09.25.2006 Trojan.Opnis.Gen!Pac2
Aditional Information File size: 116144 bytes
MD5: 633f4b2991ebdfd9e1611f4ec841a687
SHA1: bb77b78d54c8319caba19302f25ea72135797e18


It’s great to know that Symantec (one of the more favoured corporate AVs) and AVG (a very popular Free scanner) knew nothing of this virus yet…. If anyone is interested in the file for research or just to play with, let me know

Peace,
HT

PS, a nicely formatted version of this is available @ http://www.computerdefense.org/?p=111

Symantec does know about it HT:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-092111-0525-99&tabid=2

Cheers:

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276650#post913230) by DjM
Symantec does know about it HT:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-092111-0525-99&tabid=2

Cheers:

Odd.. perhaps this is a different variant? According to VirusTotal the definitions are newer than the ones Symantec.com lists..

First saw some of these on the 11th and it WAS NOT detected by Symantec or McAfee...

While investigating what it was , after an AV update on either the 12th or the 13th, Symantec all of a sudden detected it as W32.Stration.A@mm...

Just letting you guys know what I saw...of course there are always mutations and variations as each asshat adds their own variations, but all basically the same...

Saw .scr attachments and saw attachments of .exe (masquarding as a MS KB article related patch), but the text of the ones I saw all indicated something to the effect of 'mail server logs'.

Hey Hey,

I've done some sniffing while executing the virus and posted a "network walkthrough" @ http://www.computerdefense.org/?p=113

Peace,
HT

I may be asking a dumb question, but I am curious. Generally, when I run a new program, my firewall will alert me saying it is trying to broadcast on the internet. I know you are probably running a firewall, so when you ran this program, did it still not catch it? If not, I wonder how many programs do get past our firewalls? Any clue?

I'm running Sygate.

-Cowbaal

HT,

Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.

I use Symantec daily releases which is one step below rapid release.

FWIW,

--TH13

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276650#post913322) by thehorse13
HT,

Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.

I use Symantec daily releases which is one step below rapid release.

FWIW,

--TH13

I ran these on the 25th... which was the date on the AV signatures so they were the daily release. ;)

Isn't it possible to prevent this by disabling the windows scripting host?