Author Topic: Urgent moaphie worm/trojan spreading like hell  (Read 3985 times)

bitlover

  • Guest
Urgent moaphie worm/trojan spreading like hell
« on: November 29, 2006, 11:24:52 AM »
Hi everybody,

There is a new worm/trojan out since October 2006 (mainly Asia region) called moaphie (W32/VB.AL!worm.im, W32/Foamer.A Worm, IM.Win32.Agent.h) and Avast does not detect it. It spreads through email attachments with the subject "victim". After a system has been compromised you will not be able to open Task Manager, cmd.exe and registry tools. It also disables the context menu in Explorer. It creates the following entries in the Run section:

"shell" = "%System%\explorer.exe"
"winnt" = "%Windir%\winnt.exe"
"svchost" = "%Windir%\svchost.exe"

It will copy itself to mapped shared folders and removable drives and creates a moaphie.exe and an autorun.inf which calls moaphie.exe. It also overwrites all executables on removable drives with the contents of moaphie.exe. All files are the same, are 16Kb in size and contain the name of Britney Spears in the version description  :-\. I did submit the file two weeks ago to virus@avast.com, but still AVAST does not detect it. In the meantime there are more and more people getting this virus here in Asia (also tourists, who will bring it home to Europe). My question is how long it takes AVAST to implement a new virus in the database?

regards rachanee
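
The indicators listed in the post above (three Run values and an autorun.inf that launches moaphie.exe) can be checked offline against an exported Run key and a copy of a drive's autorun.inf. This is an added example, not part of the original post and not Avast code; the function names, the `C:\Windows` location and the sample inputs are assumptions. It also goes slightly beyond the post by flagging any Run entry that uses the name explorer.exe or svchost.exe from a folder other than the one the genuine Windows binary lives in.

```python
import ntpath

WINDIR = r"c:\windows"            # assumed value of %Windir% on the host
SYSTEM = WINDIR + r"\system32"    # assumed value of %System%
# Run values listed in the post: value name -> expanded, lower-cased path.
REPORTED_RUN = {
    "shell": SYSTEM + r"\explorer.exe",
    "winnt": WINDIR + r"\winnt.exe",
    "svchost": WINDIR + r"\svchost.exe",
}
# Folders where the genuine Windows binaries with these names live.
GENUINE = {"explorer.exe": WINDIR, "svchost.exe": SYSTEM}

def exe_path(cmd):
    """Executable path from a command line: lower-cased, quotes and arguments dropped."""
    cmd = cmd.strip().lstrip('"').lower()
    end = cmd.find(".exe")
    return cmd[:end + 4] if end >= 0 else cmd

def check_run_entries(entries):
    """entries: {value name: command line} exported from a Run key."""
    findings = []
    for name, cmd in entries.items():
        path = exe_path(cmd)
        folder, exe = ntpath.split(path)
        if REPORTED_RUN.get(name.lower()) == path:
            findings.append((name, "entry reported in the post"))
        elif exe in GENUINE and folder != GENUINE[exe]:
            findings.append((name, "system binary name in unusual folder"))
    return findings

def autorun_targets(text):
    """Programs an autorun.inf launches via open, shellexecute or shell verbs."""
    targets, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(ntpath.basename(exe_path(value)))
    return targets

# Constructed sample inputs, not taken from a real infected machine.
SAMPLE_RUN = {"shell": r"C:\WINDOWS\system32\explorer.exe",
              "svchost": r'"C:\WINDOWS\svchost.exe"',
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
              "updater": r"C:\WINDOWS\svchost.exe -k"}
SAMPLE_AUTORUN = "[AutoRun]\nopen=moaphie.exe\nshell\\open\\command=moaphie.exe\n"
```
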

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Urgent moaphie worm/trojan spreading like hell
« Reply #1 on: November 29, 2006, 03:40:04 PM »
My question is how long it takes AVAST to implement a new virus in the database?
It depends... from some hours to a few days...
Depends on how the virus is spreading, the possibility to get a signature of it, etc.
I hope in your case they could give some priority  ;)
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Urgent moaphie worm/trojan spreading like hell
« Reply #2 on: November 29, 2006, 07:45:33 PM »
Hi bitlover,

Here are the removal instructions for Foamer alias moaphie:
http://www.2-spyware.com/remove-foamer.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bitlover

  • Guest
Re: Urgent moaphie worm/trojan spreading like hell
« Reply #3 on: November 30, 2006, 06:43:32 AM »
Thanks Polonus & Tech for the quick reply,

Polonus: I do know how to remove it, but the point is that the virus should actually never get that far, that it enters the system.

Tech: Is it enough to send the file to virus@avast.com, so they can get the signature for that virus or do they need something else? Sorry, I am from Thailand and my experience with such things is limited. So please enlighten me  ;D

greetings rachanee

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Urgent moaphie worm/trojan spreading like hell
« Reply #4 on: November 30, 2006, 12:29:00 PM »
Tech: Is it enough to send the file to virus@avast.com, so they can get the signature for that virus or do they need something else? Sorry, I am from Thailand and my experience with such things is limited. So please enlighten me  ;D
It should be enough... you can write, in the email body, a link to this thread and then they can know what you're talking about.
I hope they add this signature quickly  ;)
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89186
  • No support PMs thanks
Re: Urgent moaphie worm/trojan spreading like hell
« Reply #5 on: November 30, 2006, 02:31:37 PM »
Too right it shouldn't get that far; with pre-emptive action you can help limit the damage of first/zero day attacks until AVs catch up.

You might also consider proactive protection; in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security