New virus or just old stuff witha new face

[Fred Brown]

I just got an alert message saying there are 2 new low level viruses. Is it low level because the guy writing this stuff has not got it yet in his home pc? Well here they are: W32/Cayam.worm!p2p, and W32/sober.b@MM. These look alike but change some of the code and wammo, we got a NEW viruse. But really it's the same, just some new code to work around the patch or fix.

Marry CHRISTmas

Freddy

[LapKitten]

Thanks Mr. brown. I'll keep an eye out for them.

[|The|Specialist]

Define low level. You mean what it was made with something such as assembly? Or are you talking about the threat level. Also what the hell are you talking about "guy writing this stuff has not got it yet in his home pc?" ummm... yeah I suppose you could have a old box to play around with just to see if it makes startup or launches payloads correctly. Do you mean if the author would have corrected some mistakes it would have a different threat level?

Also these worms don't have much in common from the AV reports I've just read. Hell just look at them... from the info you've already given me I can just look at your post and tell that one is a p2p worm and the other is a mass mailer. From what I've read in the AV report one uses the average and lame outlook/file shareing spreading and the other has its own SMTP engine.

Gee what a worthless thread you started. Was all of this a question or a heads up?

[Tiger Shark]

The Spec: Nice response.... Got anything constructive to add??

Glad to see your "genius" is still _helping_ everyone here.... Wish I could make myself a "fearsome" avatar like yours..... But I spend more time looking at security issues than making pretty little pictures...... which is your MO.... pictures..... When you feel the need to "vent"... try IRC... They will be more receptive to your unadulterated bullstuff....

[nihil]

To prevent SMTP mass mailers I use "Mail Control" by Yariv Kaplan.

http://www.internals.com

It asks you to confirm sending outgoing e-mails via SMTP, so you are warned if you are infected, and it stops you automatically infecting other people, so I like the social responsibility aspect.

As general second line defences I like:

http://www.diamondcs.com.au RegistryProt

http://www.analogx.com Script Defender

http://www.mo-ware.com MoOutlookSecurity

http://keir.net/software.html Scrip Trap

http://www.bitdefender.com/ Protection for popular P2P apps

Hey, don't get me wrong, you need an up to date AV and firewall as well. This stuff runs along side them.

Good luck

[tsunami]

Both of these virus releases look like they have been tweaked by some script kiddie somewhere. The differences in coding between these releases and the originals are marginal, and near enough come down to keys being put in a slightly different place, files having different names, and variables being constructed in a new way.
Nothing new, and actually quite boring.

Interesting fact :

Around 1997-1998 when the biggest threat were macro viruses, some clever fellows started to release virus SDK's. The company i work for analysed one of these kits, and within one week we identified a possible 15,000 viruses from this one kit. We detect them all with 3 identity files.

The majority of viruses we see on a day to day basis are variants of viruses. These have normally been changed by kids. For example the kid that "created" Blaster-F. Bet he wished he hadnt changed the file name when the FED's came knocking at his door.

[|The|Specialist]

Tiger Shark, whats up bud? Hey man I wasn't "venting". I was just saying that the content of the thread seemed a little off & was drifting into a dozen different directions. How the heck am I supposed to know what he means by "low level". And how are other peaple supposed to know if nobody asks... esspecially with peaple like you jumping around looking for a excuse to moan and cry about how I scare peaple with my big gun everytime someone like me asks.

Tsunami, come on dude. Sure the MSblaster & VBSWG thing was a mess... but either way how many times can you make a program copy itself to p2p shares, drop mirc scripts, or mail itself without being accused of being a lame kiddie who likes to C&P code from various open source groups and VX groups. I could write a program that has nothing to do with malware... then the next day I could be sued by XYZ-company just because out of the 30 to 90 lines of source code about 2 or 5 lines of the code are share something similiar to someone else's stuff.

[nihil]

Hey |The|Specialist ,

I think I see what you are saying.................I remember about five years or so ago when "re-usable code" and O-O were all the rage

Prior to that, if you went to a reasonably slick development site, or a software house, you would find libraries full of "standard routines".........date handling and the like. If you use standard routines it makes it easier for someone else to maintain the code?

Guess that changed some with C++ and the "disposable code" school of thought.

I still believe that a lot of current malware is the work of plagiaristic skiddies, which is why each major incidence ends up with numerous "variants" in the AV vendors encyclopaedias? Or is it just that the AV people are not so discriminating these days?

Cheers

[tsunami]

when i said that viruses seem to be getting tweaked by kiddies more and more i was reffering to the ever incresing rate that variants of the same virus come out. Take mimail for example, we went from variant A to variant J in 2 weeks. Thats not us releasing signitures for things that could be changed, but actual samples that we have, where someone has changed small parts of the code to make it ever so slightly different.

I definately wasnt talking about code that could be seen as being viral. Its unlikely that a legitamate program that you write is going to hide itself, replace other exe files with its own, and then using its own SMTP engine mail its self to every one in the address book.
Of course it is possible for a file to be seen as viral when it isnt, and thats called a False/Positive, anything that shows up as this should be sent to an AV company so they can rectify their signiture so it doesnt detect that file as viral.

At present code cannot be copyrighted, the only way to copy right it is to patent the purpose for the code in a specific context. So if you copyed some elses code, but used it in a different context, then you are perfectly within the law to do so. Nice loop hole dont you think.