Author Topic: Is avast! able to detect a dangerous polymorphic virus named Win32.Polipos?  (Read 16834 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Hi Dichromaru,

The running processes that are infected upon infection are:
  csrss
  ctfmon
  drwatson
  drwtsn32
  dumprep
  dwwin
  kernel32.dll
  savedump
  smss
  spoolsv
  temp

Every time an executable or .scr file is opened, the malware code is injected there.

polonus
« Last Edit: April 28, 2006, 12:13:46 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11860
    • AVAST Software
I believe it's processes that are not infected (avoided) ;)

killerost

  • Guest
This virus really spreads like wildfire. When I did the boot-up scan avast filled up the chest storage area way before I was virus-free. So I have two questions:

it would be nice to be able to adjust the chest size while you did a boot-up scan.. since neither repair nor move worked I was "forced" to delete a lot of files. In my case the files were not that important, but they COULD have been  ;)

And all the files in chest, will a later upgrade of the virus library make avast able to repair these files?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
100% repair for all files is impossible.
Visit my webpage Angry Sheep Blog

killerost

  • Guest
bitdefender is able to repair many of them.. at least it reports so :)

TAP

  • Guest
Does the avast! VRDB help much in case of Win32:Polip virus? I think VRDB could help for a better repairing, at least with infected system files.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11860
    • AVAST Software
Not in this case, I'm afraid. This virus uses a "tricky" method to redirect the control from the original code to itself and may change virtually any part of the file. So, VRDB would have to store nearly the whole original files to be able to recover the infection (which is probably not what you want, because it would take a lot of disk space).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Hi Igor,

You are right about the processes avoided, but the description was changed later:
2006-04-24 11:44   Description was changed.

New:
"W32.Polip is a polymorphic virus that infects
.exe and .scr files when they are opened or
executed on the compromised computer."

Old:
"W32.Polip is a polymorphic virus that infects
.exe and .scr files when they are opened or
executed on the compromised computer. It
hides its presence on the compromised
computer by injecting its code into running
processes. "

But if avast has that detection rate with this polymorphic virus, it means the Avast GD must be very strong and clever, that you could isolate it to stand out. Congrats to the virus analyzer(s)!
Great job performed.

polonus


CharleyO

  • Guest
***

Yes, thanks for a great job!    :)


***

Dichromaru

  • Guest
:::Big Reply:::

I just got done doing a complete scan of my computer, and I have a list compiled of all the files that were accordingly infected. I'm leaving out some of the files, due to the fact that not EVERYONE has the exact same files as me, but the skipped files will be explained below. Some files will be kept on the list due to their popularity amongst the many folks about the net.


:::Program Files:::

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Alwil Software\Avast4\DATA\moved\TMPBSInstall5.2.1.2.exe.vir
C:\Program Files\Bearshare MP3\Downloads\bearshare_mp3_61.exe
C:\Program Files\Bethesda Softworks\Oblivion\Oblivion.exe
C:\Program Files\Bethesda Softworks\Oblivion\OblivionLauncher.exe
C:\Program Files\Dell\Media Experience\Plugins\WildTangent\wtsetup.exe
C:\Program Files\Dell Support\DSBrws.exe
C:\Program Files\Discreet\3ds max 7 English\3ds max 7 Plug-In\finalRender Stage-1 SP2d R7 Update setup.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\ICQLite\ICQLiteDBConverter.exe
C:\Program Files\ICQLite\ICQLiteUninstall.exe
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_05\bin\helper.exe
C:\Program Files\Java\jre1.5.0_06\bin\javaws.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMFWLaunch.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjblaunch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\wab.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\Program Files\WordPerfect Office 12\Programs\CdrConv.exe
C:\Program Files\WordPerfect Office 12\Programs\ConvUtil.exe
C:\Program Files\WordPerfect Office 12\Programs\QPW.exe
C:\Program Files\WordPerfect Office 12\Programs\WPLDES12.exe
C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
C:\Program Files\World of Warcraft\Launcher.exe
C:\Program Files\World of Warcraft\WowError.exe
C:\Program Files\World of Warcraft\Repair.exe
C:\Program Files\Yahoo!\Messenger\YServer.exe

::: C: Drive (Main Hard Drive>files without directories) :::
Clean (Nothing found to be infected)

::: i386 :::
C:\i386\accwiz.exe
C:\i386\agentsvr.exe
C:\i386\ahui.exe
C:\i386\Prounstl.exe
C:\i386\pxhpinst.exe
C:\i386\wuauclt.exe
C:\i386\wuauclt1.exe

::: inf :::
C:\WINDOWS\inf\unregmp2.exe

::: Microsoft.NET :::
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe

::: System 32 :::
C:\WINDOWS\system32\accwiz.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\clipbrd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dmadmin.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\fsquirt.exe
C:\WINDOWS\system32\fsutil.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\fxsclnt.exe
C:\WINDOWS\system32\fxscover.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\system32\mshearts.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\tourstart.exe
C:\WINDOWS\system32\verifier.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wiaacmgr.exe
C:\WINDOWS\system32\wscript.exe

::: Temp :::
C:\WINDOWS\Temp\_avast4_\unp207121985.tmp
C:\WINDOWS\Temp\_avast4_\unp218037734.tmp

::: wt :::
C:\WINDOWS\wt\webdriver\wthost.exe

::: Windows :::
C:\WINDOWS\DIIUnin.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
C:\WINDOWS\setpwrcg.exe
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\UninstallFirefox.exe
C:\WINDOWS\unvise32.exe


That's everything. Some stuff was readily deleted on the spot, like the .tmp files, etc.
Files that were not included on the list were:
Any installer for Messengers, Program Updaters, Video Codec Installers, etc
File expansions, i.e. programs used to add stuff to an existing program, like adding new models to Poser, or 3dsMAX, etc.

This thing appears to attack the most commonly used files, according to their popularity online. Some files, however, I didn't even know I had.

I will be keeping things up to date as I continue onwards with this worm here. Now it's time to see if this is capable of spreading to my spare hard drive.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Hi Dichromaru,

If you have the files backed up and cleansed, establish the SHA-1 hashes of these files, using XCSC from http://www.irnis.net, for later reference.

polonus
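One way to do what polonus suggests without XCSC: record the SHA-1 of every cleaned .exe/.scr/.dll once, then compare the tree against that record after a later scan to see which files changed, vanished or appeared. This is an added example, not code from the thread or from XCSC; the directory layout, file names and file contents in `demo()` are constructed stand-ins.

```python
import hashlib
import json
import tempfile
from pathlib import Path

EXT = {".exe", ".scr", ".dll"}  # the file types this thread is about

def sha1_of_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-1 so large binaries are not loaded at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each executable under root (POSIX-style relative path) to its SHA-1."""
    return {p.relative_to(root).as_posix(): sha1_of_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXT}

def compare_baseline(baseline: dict, root: Path) -> dict:
    """Report files whose hash differs, files gone, and files not in the baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }

def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def demo() -> tuple:
    """Constructed walkthrough: baseline a cleaned tree, then detect later changes."""
    root = Path(tempfile.mkdtemp())
    (root / "system32").mkdir()
    (root / "system32" / "calc.exe").write_bytes(b"hello")   # stand-in for a binary
    (root / "system32" / "logon.scr").write_bytes(b"abc")
    (root / "readme.txt").write_bytes(b"not an executable, ignored")
    save_baseline(build_baseline(root), root / "baseline.json")
    (root / "system32" / "calc.exe").write_bytes(b"hello!")  # modified again
    (root / "system32" / "logon.scr").unlink()               # removed
    (root / "new.exe").write_bytes(b"x")                     # not in the baseline
    base = load_baseline(root / "baseline.json")
    return base, compare_baseline(base, root)
```

Keep the saved baseline.json somewhere the infected machine cannot write to, otherwise a later infection can rewrite the reference along with the files.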