Author Topic: new (?) worm  (Read 9201 times)


Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
new (?) worm
« on: September 23, 2006, 11:28:14 AM »
Hi all, a week ago I sent a sample (using the virus chest) of a virus/worm/trojan that avast didn't detect at all.
At that time it was already detected by several other AVs (I checked using the VirusTotal webpage) and it had already infected a friend's PC (which uses avast too).
It was detected with the following names:

AntiVir   7.2.0.18   09.22.2006   TR/Bagle.DP
Authentium   4.93.8   09.23.2006   W32/Downloader.AGKP
Avast   4.7.844.0   09.22.2006   no virus found
AVG   386   09.22.2006   Proxy.FSC
BitDefender   7.2   09.23.2006   no virus found
CAT-QuickHeal   8.00   09.22.2006   (Suspicious) - DNAScan
ClamAV   devel-20060426   09.23.2006   no virus found
eTrust-InoculateIT   23.73.3   09.23.2006   Win32/Glieder.DX!Trojan
eTrust-Vet   30.3.3093   09.22.2006   Win32/Glieder.DX
DrWeb   4.33   09.22.2006   Trojan.BeagleProxy
Ewido   4.0   09.23.2006   Proxy.Mitglieder.ei
Fortinet   2.82.0.0   09.23.2006   W32/Mitglieder.EI!tr
F-Prot   3.16f   09.22.2006   security risk named W32/Downloader.AGKP
F-Prot4   4.2.1.29   09.23.2006   W32/Downloader.AGKP
Ikarus   0.2.65.0   09.23.2006   Backdoor.Win32.Rbot.awg
Kaspersky   4.0.2.24   09.23.2006   Trojan-Proxy.Win32.Mitglieder.ei
McAfee   4858   09.22.2006   no virus found
Microsoft   1.1560   09.23.2006   no virus found
NOD32v2   1.1768   09.22.2006   Win32/Bagle.GX
Norman   5.80.02   09.22.2006   W32/Mitglied.ZV
Panda   9.0.0.4   09.23.2006   Trj/Mitglieder.KZ
Sophos   4.09.0   09.23.2006   no virus found
Symantec   8.0   09.23.2006   no virus found
TheHacker   6.0.1.077   09.22.2006   no virus found
UNA   1.83   09.22.2006   TrojanProxy.Win32.Mitglieder.6300
VBA32   3.11.1   09.23.2006   Trojan-Proxy.Win32.Mitglieder.ei
VirusBuster   4.3.7:9   09.22.2006   Trojan.DL.Bagle.KO

Now a week and two avast updates have gone by and the virus is still not detected... what should I do?
Resend it through virus@avast.com?
Pray a lot? 8-)

I can also add that it is a very nasty virus: I had to scan the infected PC with 3 other AVs from another fresh install of XP in another partition to get rid of it, and then I also had to replace several Windows system files using SFC /SCANNOW.

Please do something!

Thank you
Live long and prosper
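
The VirusTotal listing in the post above is a flattened text table (engine, engine version, signature date, verdict). The added example below, written for this page and not part of the thread, parses that listing as pasted, reports which engines returned no detection and how many hits there are, and tallies the family keywords the detecting engines used. The `NO_DETECTION` strings and the `FAMILY_KEYWORDS` list are assumptions chosen to fit this listing; they are not a VirusTotal API.

```python
import re
from collections import Counter

# The VirusTotal engine listing quoted in the post above, pasted as the sample input.
# Columns: engine, engine version, signature date, result (fields separated by 3 spaces).
VT_LISTING = """\
AntiVir   7.2.0.18   09.22.2006   TR/Bagle.DP
Authentium   4.93.8   09.23.2006   W32/Downloader.AGKP
Avast   4.7.844.0   09.22.2006   no virus found
AVG   386   09.22.2006   Proxy.FSC
BitDefender   7.2   09.23.2006   no virus found
CAT-QuickHeal   8.00   09.22.2006   (Suspicious) - DNAScan
ClamAV   devel-20060426   09.23.2006   no virus found
eTrust-InoculateIT   23.73.3   09.23.2006   Win32/Glieder.DX!Trojan
eTrust-Vet   30.3.3093   09.22.2006   Win32/Glieder.DX
DrWeb   4.33   09.22.2006   Trojan.BeagleProxy
Ewido   4.0   09.23.2006   Proxy.Mitglieder.ei
Fortinet   2.82.0.0   09.23.2006   W32/Mitglieder.EI!tr
F-Prot   3.16f   09.22.2006   security risk named W32/Downloader.AGKP
F-Prot4   4.2.1.29   09.23.2006   W32/Downloader.AGKP
Ikarus   0.2.65.0   09.23.2006   Backdoor.Win32.Rbot.awg
Kaspersky   4.0.2.24   09.23.2006   Trojan-Proxy.Win32.Mitglieder.ei
McAfee   4858   09.22.2006   no virus found
Microsoft   1.1560   09.23.2006   no virus found
NOD32v2   1.1768   09.22.2006   Win32/Bagle.GX
Norman   5.80.02   09.22.2006   W32/Mitglied.ZV
Panda   9.0.0.4   09.23.2006   Trj/Mitglieder.KZ
Sophos   4.09.0   09.23.2006   no virus found
Symantec   8.0   09.23.2006   no virus found
TheHacker   6.0.1.077   09.22.2006   no virus found
UNA   1.83   09.22.2006   TrojanProxy.Win32.Mitglieder.6300
VBA32   3.11.1   09.23.2006   Trojan-Proxy.Win32.Mitglieder.ei
VirusBuster   4.3.7:9   09.22.2006   Trojan.DL.Bagle.KO
"""

# Verdict strings that mean "engine did not flag the file" (assumed set, compared case-insensitively).
NO_DETECTION = {"no virus found", "clean", "-"}

# Family keywords taken from the names in the listing (assumed). Order matters: "mitglied" is
# tested before "glieder" (a substring of it), and each engine counts under the first keyword hit.
FAMILY_KEYWORDS = ("mitglied", "bagle", "beagle", "glieder", "rbot", "downloader", "proxy")


def parse_listing(text):
    """Split each non-empty line on runs of 2+ spaces into (engine, version, date, result)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = re.split(r"\s{2,}", line, maxsplit=3)
        if len(fields) != 4:
            raise ValueError(f"unparseable line: {line!r}")
        engine, version, date, result = fields
        rows.append({"engine": engine, "version": version, "date": date, "result": result})
    return rows


def detection_summary(rows):
    """Count detections and list the engines that returned no detection, in listing order."""
    detected = [r for r in rows if r["result"].lower() not in NO_DETECTION]
    missing = [r["engine"] for r in rows if r["result"].lower() in NO_DETECTION]
    return {
        "engines": len(rows),
        "detected": len(detected),
        "missing": missing,
        "rate": round(len(detected) / len(rows), 3) if rows else 0.0,
    }


def family_tally(rows):
    """Tally which family keyword each detecting engine's name contains (one keyword per engine)."""
    tally = Counter()
    for r in rows:
        name = r["result"].lower()
        if name in NO_DETECTION:
            continue
        for kw in FAMILY_KEYWORDS:
            if kw in name:
                tally[kw] += 1
                break
    return tally


if __name__ == "__main__":
    rows = parse_listing(VT_LISTING)
    summary = detection_summary(rows)
    print(f"{summary['detected']}/{summary['engines']} engines detect it ({summary['rate']:.1%})")
    print("no detection from:", ", ".join(summary["missing"]))
    print("family keywords:", dict(family_tally(rows)))
```

Generic names such as "Downloader" or "Proxy" carry less information than a family name, so a tally like this is a quick way to see whether the engines that do detect a sample agree on what it is before escalating it to a vendor.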

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: new (?) worm
« Reply #1 on: September 23, 2006, 02:49:50 PM »
It won't hurt to send it again from the chest.

Where was the original file found, e.g. (C:\windows\system32\infected-file-name.xxx) ?

If it was in a system folder and it is effectively able to infect other system files, it needs permissions to do that, and it gets them by inheriting the permissions of the user account: if you log on with administrative privileges, so does the worm.

Prevention is obviously better than cure. Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc. So if it can't get established, it can't inherit permission to infect system files.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.



Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
Re: new (?) worm
« Reply #2 on: September 23, 2006, 03:48:13 PM »
The virus was in a file downloaded through P2P.
Since it was an .exe it was scanned with avast, and since avast didn't detect anything my friend executed it... and got infected.
The real symptoms began after a reboot, when he reconnected to the internet: a lot of IE popups began to open all by themselves.
His user is a member of the Administrators group (he's the only user anyway) so the virus got all the rights.

I'm resending it now.

Thank you

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: new (?) worm
« Reply #3 on: September 23, 2006, 04:01:28 PM »
Alwil team, please, if possible/needed, improve detection of this  ;)
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: new (?) worm
« Reply #4 on: September 23, 2006, 04:10:22 PM »
Thanks for the feedback; since many of the virus names from VirusTotal mention downloader, this could also be downloading more of the same or worse.
What firewall are they using (I suspect just XP)?

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third-party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
Re: new (?) worm
« Reply #5 on: September 23, 2006, 04:28:47 PM »
Needless to say, the PC had only the Windows firewall...
And, I'm sure of it, it was enabled before the infection, so the virus, or some of its "self-invited friends", must have disabled it (and kept disabling it at every reboot!!!)  :o

I'll have him install ZA free (I didn't know there was one free from them!).

Thanks again to all!
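
The symptom described in this post, the firewall being switched off again after every reboot, is a persistence pattern a defender can look for in the event log rather than by eye. The added example below is written for this page and is not from the thread; it runs over a constructed sample of event records in the shape of a CSV export (timestamp, log, event id, message). It assumes the Vista-and-later event ids 6005 (System, Event Log service started, used as the boot marker), 5025 (Security, Windows Firewall service stopped) and 4950 (Security, a Windows Firewall setting changed); the XP machine in the thread would not log these ids, but the check is the same: a firewall stop or setting change shortly after each boot, on more than one boot, is the signal.

```python
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,log,event_id,message". Not taken from any real machine.
SAMPLE_EVENTS = """\
2006-09-23 19:02:11,System,6005,The Event log service was started.
2006-09-23 19:02:40,Security,5025,The Windows Firewall Service has been stopped.
2006-09-23 19:03:05,Security,4950,A Windows Firewall setting has changed.
2006-09-23 20:15:00,Security,4950,A Windows Firewall setting has changed.
2006-09-24 08:10:02,System,6005,The Event log service was started.
2006-09-24 08:10:33,Security,5025,The Windows Firewall Service has been stopped.
2006-09-25 07:55:41,System,6005,The Event log service was started.
2006-09-25 12:00:00,Security,5025,The Windows Firewall Service has been stopped.
"""

BOOT_EVENT = 6005                   # assumed boot marker (Event Log service started)
FIREWALL_TAMPER_EVENTS = {5025, 4950}  # assumed: firewall service stopped / setting changed
WINDOW = timedelta(minutes=5)       # how soon after boot a change counts as "at boot"


def parse_events(text):
    """Parse CSV-style records into sorted (timestamp, log, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log, event_id, message = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), log, int(event_id), message))
    return sorted(events)


def boots_followed_by_tamper(events, window=WINDOW):
    """For each boot, collect firewall tamper events that occurred within `window` after it.

    Note that 4950 also fires when a user legitimately re-enables the firewall, as in the
    20:15 record above; it is the proximity to boot, not the event alone, that is suspicious.
    """
    boots = [e for e in events if e[2] == BOOT_EVENT]
    result = []
    for boot_ts, *_ in boots:
        hits = [e for e in events
                if e[2] in FIREWALL_TAMPER_EVENTS and boot_ts < e[0] <= boot_ts + window]
        result.append((boot_ts, hits))
    return result


def persistence_verdict(events, min_boots=2):
    """Flag likely persistence when tampering follows at least `min_boots` separate boots."""
    per_boot = boots_followed_by_tamper(events)
    flagged = [boot_ts for boot_ts, hits in per_boot if hits]
    return {
        "boots": len(per_boot),
        "boots_with_tamper": len(flagged),
        "suspect_persistence": len(flagged) >= min_boots,
        "flagged_boots": flagged,
    }


if __name__ == "__main__":
    verdict = persistence_verdict(parse_events(SAMPLE_EVENTS))
    print(f"{verdict['boots_with_tamper']} of {verdict['boots']} boots followed by firewall tampering")
    for boot_ts in verdict["flagged_boots"]:
        print("  boot at", boot_ts)
    print("suspect persistence:", verdict["suspect_persistence"])
```

In the sample, the third boot is followed by a firewall stop only four hours later, so it is not counted; the first two boots are, which is enough to raise the verdict. On a real host the same logic would be fed from an event-log export, and the boot window would be tuned to how long the machine takes to start its services.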

Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
Re: new (?) worm
« Reply #6 on: September 26, 2006, 03:21:32 PM »
Just an update

Even after the cleaning from another XP install on another partition the PC still kept reinfecting itself, so I was forced to format (ARGH!) and reinstall...
And in the meantime the VPS updates keep passing by but the virus isn't detected  :-\ :-\ :-\
As of today there remain only 4 AVs that don't detect the virus:

Avast, Sophos, McAfee and Norton....

I've sent the sample several times but still no good news...so...
PLEASE DO SOMETHING ABOUT THIS!
We have more than 300 clients and 30 servers (so this is not only my friend's problem anymore) and this means we are VULNERABLE!

Thanks again and excuse my rant...but it feels bad to be exposed.

Live long and prosper,

Michele

Spiritsongs

  • Guest
Re: new (?) worm
« Reply #7 on: September 26, 2006, 05:43:45 PM »
:)  Hi Michele:

Your friend's use of P2P is high-risk behavior, especially when he only had the Windows "half" firewall. Hopefully you have "ranted" at him!? Are there antiSPYWARE and/or antiTROJAN program(s) on his computer? These should be his 1st line of defense against the "trojan downloader" that is being reported by the other AVs.

Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
Re: new (?) worm
« Reply #8 on: September 26, 2006, 06:49:47 PM »
You're perfectly right, but he's one of those "download freaks" (one of those people who, since they have a faaast line to the internet, MUST download every possible thing they can)...
Actually I always managed to "save" him (and this adds to his false sense of security, I know  :-[ ), but not this time.

By the way, he had AdAware, Spybot and Avast and *all MS patches*.

Now he has a clean formatted (already patched) PC and yes, I threatened to bite him in the back if he does it again!!! (plus a good verbal "rant")

Luckily here at work we don't have a direct connection to the internet (i.e. the clients' default gateway doesn't allow establishing a direct TCP/IP connection with the internet; we use a DansGuardian + Squid proxy to access the web).
And we don't use Outlook Express for the mail, etc. etc...
We also have a WSUS server.

But the possibility of an infection still exists and this keeps me from sleeping well!

We changed antivirus because the old one (mc**ee) didn't catch some viruses and now it feels we're back to square one...

Goodbye

Belagio

  • Guest
Re: new (?) worm
« Reply #9 on: September 26, 2006, 11:34:52 PM »
I got the same Trojan; the name is Win32:VB-MT [Wrm] and I can't remove it. I need help with this.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: new (?) worm
« Reply #10 on: September 27, 2006, 12:06:35 AM »
How do you know it is the same trojan as the originator of this thread's? avast didn't detect his.
Why can't you remove it?

And we need information to help you.
What Operating System are you using? Is it up to date?
What avast! version and VPS file (virus database) number, e.g. 0630-2 (see About avast!)?
What was the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
What actions have you taken to try and resolve the problem?

Offline 10nico

  • Jr. Member
  • **
  • Posts: 54
  • I'm a gnu!
Re: new (?) worm
« Reply #11 on: September 28, 2006, 02:36:10 PM »
Just a little update:

With today's VPS (0639-3) the virus is properly detected as:
Win32:Mitglieder-CV [Trj]

AT LAST!

Many thanks to all Avast! crew and to all the forum users who answered :-)

Michele

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: new (?) worm
« Reply #12 on: September 28, 2006, 03:12:18 PM »
You're welcome, thanks for the update.