
Thread: Virus Circulating Via Email

  1. #1 Senior Member

    Virus Circulating Via Email

    Hey Hey,

    I was just about to head off to work when I did one last check of my email… and what do I see but an email with the subject ‘Mail Server Report’… The address doesn’t look familiar, but I’ve received a few of these lately from various mailing list submissions. This was the content of the email I opened:

    ----

    Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service
    ----

    I’m rather impressed…. these bastards are getting slicker and slicker…. or maybe this has been around for a while and I just don’t pay much attention… Attached to the email was the file Update-KB8375-x86.zip.
    I submitted the file to VirusTotal and here’s what I got back:
    Complete scanning result of “Update-KB8375-x86.exe”, received in VirusTotal at 09.25.2006, 15:50:55 (CET).

    Antivirus            Version          Update       Result
    AntiVir              7.2.0.18         09.25.2006   Worm/Stration.C
    Authentium           4.93.8           09.25.2006   no virus found
    Avast                4.7.844.0        09.25.2006   no virus found
    AVG                  386              09.22.2006   no virus found
    BitDefender          7.2              09.25.2006   DeepScan:Generic.Stration.F614E1C9
    CAT-QuickHeal        8.00             09.25.2006   (Suspicious) - DNAScan
    ClamAV               devel-20060426   09.25.2006   no virus found
    eTrust-InoculateIT   23.73.4          09.24.2006   Win32/Stration.Variant!Worm
    eTrust-Vet           30.3.3098        09.25.2006   no virus found
    DrWeb                4.33             09.22.2006   no virus found
    Ewido                4.0              09.25.2006   no virus found
    Fortinet             2.82.0.0         09.25.2006   suspicious
    F-Prot               3.16f            09.25.2006   no virus found
    F-Prot4              4.2.1.29         09.25.2006   no virus found
    Ikarus               0.2.65.0         09.25.2006   no virus found
    Kaspersky            4.0.2.24         09.25.2006   no virus found
    McAfee               4858             09.22.2006   New Malware.n
    Microsoft            1.1560           09.24.2006   no virus found
    NOD32v2              1.1774           09.25.2006   a variant of Win32/Stration
    Norman               5.80.02          09.25.2006   no virus found
    Panda                9.0.0.4          09.25.2006   Suspicious file
    Sophos               4.09.0           09.25.2006   W32/Stratio-AN
    Symantec             8.0              09.25.2006   no virus found
    TheHacker            6.0.1.079        09.25.2006   no virus found
    UNA                  1.83             09.22.2006   no virus found
    VBA32                3.11.1           09.25.2006   no virus found
    VirusBuster          4.3.7:9          09.25.2006   Trojan.Opnis.Gen!Pac2

    Aditional Information
    File size: 116144 bytes
    MD5: 633f4b2991ebdfd9e1611f4ec841a687
    SHA1: bb77b78d54c8319caba19302f25ea72135797e18

    It’s great to know that Symantec (one of the more favoured corporate AVs) and AVG (a very popular Free scanner) knew nothing of this virus yet…. If anyone is interested in the file for research or just to play with, let me know

    Peace,
    HT

    PS, a nicely formatted version of this is available @ http://www.computerdefense.org/?p=111
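    As an added example (not code from the thread or its author), a small Python triage routine for the kind of message described in this post: it looks for the lure phrases, opens a zip attachment, and hashes any executable inside against the MD5/SHA1 VirusTotal reported above. The message it builds is constructed for the demo, the sender addresses are placeholders, and the "exe" inside the zip is a harmless dummy, not the sample.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 / SHA1 of the sample as reported by VirusTotal in the post above.
KNOWN_BAD = {"633f4b2991ebdfd9e1611f4ec841a687", "bb77b78d54c8319caba19302f25ea72135797e18"}
LURE_PHRASES = ("mail server report", "worm copies", "install updates")
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.I)

def triage_message(raw: bytes) -> list:
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    findings = []
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append(f"lure text: {hits}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            # Look inside the archive: the sample in the thread was a .zip wrapping an .exe
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if EXEC_EXT.search(info.filename):
                        data = zf.read(info)
                        md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
                        tag = "KNOWN BAD" if {md5, sha1} & KNOWN_BAD else "unknown"
                        findings.append(f"executable {info.filename} inside {name} ({tag}, md5={md5})")
        elif EXEC_EXT.search(name):
            findings.append(f"bare executable attachment {name}")
    return findings

def build_sample() -> bytes:
    """Constructed message mimicking the lure in #1; the 'exe' is a harmless dummy, not malware."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Update-KB8375-x86.exe", b"MZ dummy placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Mail Server Report"
    msg["From"] = "support@example.invalid"  # placeholder addresses
    msg["To"] = "user@example.invalid"
    msg.set_content("Our firewall determined the e-mails containing worm copies are being sent from your computer.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="Update-KB8375-x86.zip")
    return msg.as_bytes()
```

    Run `triage_message(build_sample())` to see the two findings; a plain message with no lure text and no attachment returns an empty list.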

  2. #2 DjM (I'd rather be fishing)
    Symantec does know about it HT:

    http://www.symantec.com/security_res...525-99&tabid=2

    Cheers:
    DjM

  3. #3 Senior Member
    Originally posted here by DjM
    Symantec does know about it HT:

    http://www.symantec.com/security_res...525-99&tabid=2

    Cheers:
    Odd.. perhaps this is a different variant? According to VirusTotal the definitions are newer than the ones Symantec.com lists..

  4. #4 nebulus200 (Jaded Network Admin)
    First saw some of these on the 11th and it WAS NOT detected by Symantec or McAfee...

    While investigating what it was, after an AV update on either the 12th or the 13th, Symantec all of a sudden detected it as W32.Stration.A@mm...

    Just letting you guys know what I saw...of course there are always mutations and variations as each asshat adds their own variations, but all basically the same...

    Saw .scr attachments and saw attachments of .exe (masquerading as an MS KB article related patch), but the text of the ones I saw all indicated something to the effect of 'mail server logs'.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5 Senior Member
    Hey Hey,

    I've done some sniffing while executing the virus and posted a "network walkthrough" @ http://www.computerdefense.org/?p=113

    Peace,
    HT

  6. #6 Junior Member
    I may be asking a dumb question, but I am curious. Generally, when I run a new program, my firewall will alert me saying it is trying to broadcast on the internet. I know you are probably running a firewall, so when you ran this program, did it still not catch it? If not, I wonder how many programs do get past our firewalls? Any clue?

    I'm running Sygate.

    -Cowbaal

  7. #7 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    HT,

    Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.

    I use Symantec daily releases which is one step below rapid release.

    FWIW,

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8 Senior Member
    Originally posted here by thehorse13
    HT,

    Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.

    I use Symantec daily releases which is one step below rapid release.

    FWIW,

    --TH13
    I ran these on the 25th... which was the date on the AV signatures so they were the daily release.
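    The disagreement in #7 and #8 comes down to reading the Update column against the scan date. As an added example (not from the thread or its author), this Python snippet parses a constructed excerpt of the VirusTotal table from #1 and separates detections from "no virus found" verdicts that came from signatures more than a day older than the scan, which say nothing about current definitions.

```python
from datetime import date

SCAN_DATE = "09.25.2006"  # date on the VirusTotal report in #1
# Constructed excerpt of the table in #1: engine, version, signature update, result (tab separated).
VT_ROWS = [
    "AntiVir \t7.2.0.18 \t09.25.2006 \tWorm/Stration.C",
    "AVG \t386 \t09.22.2006 \tno virus found",
    "McAfee \t4858 \t09.22.2006 \tNew Malware.n",
    "Microsoft \t1.1560 \t09.24.2006 \tno virus found",
    "Symantec \t8.0 \t09.25.2006 \tno virus found",
    "Sophos \t4.09.0 \t09.25.2006 \tW32/Stratio-AN",
]

def parse_date(s: str) -> date:
    """VirusTotal's MM.DD.YYYY format, as printed in the report."""
    m, d, y = (int(x) for x in s.split("."))
    return date(y, m, d)

def parse_rows(lines) -> list:
    """Turn the tab separated report lines into dicts with a real date for the Update field."""
    rows = []
    for line in lines:
        engine, version, update, result = (f.strip() for f in line.split("\t"))
        rows.append({"engine": engine, "version": version,
                     "update": parse_date(update), "result": result})
    return rows

def summarize(rows, scan_date: str, max_lag_days: int = 1) -> dict:
    """Split detections from misses, and flag misses whose signature date lags the scan
    date by more than max_lag_days: a stale 'no virus found' is not evidence either way."""
    scan = parse_date(scan_date)
    detected, stale_misses, current_misses = [], [], []
    for r in rows:
        if r["result"].lower() != "no virus found":
            detected.append(r["engine"])
        elif (scan - r["update"]).days > max_lag_days:
            stale_misses.append(r["engine"])
        else:
            current_misses.append(r["engine"])
    return {"detected": detected, "stale_misses": stale_misses,
            "current_misses": current_misses, "rate": f"{len(detected)}/{len(rows)}"}
```

    On this excerpt AVG's miss is three days stale, while Symantec's miss is on same-day signatures, which is the point made in #8.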

  9. #9
    Isn't it possible to prevent this by disabling the windows scripting host?
