Author Topic: new Virus/worm in MSN ?  (Read 14470 times)


webfaqtory

  • Guest
Re: new Virus/worm in MSN ?
« Reply #15 on: May 09, 2007, 04:30:07 PM »
This is not malware but a real honest to goodness virus W32/Culler-C that IS NOT detected by Avast ???




W32/Culler-C is a worm for the Windows platform that spreads via MSN Messenger.

W32/Culler-C includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Culler-C attempts to terminate and disable various security software applications and Windows processes such as Task Manager.

When first run, W32/Culler-C will display the following error message:

"Component "COMDLG32.OCX" or one of its dependencies no correctly registered a file is missing or invalid."

It then copies itself to:

<Windows>\Cfreer.exe
<Windows>\Nzil.exe
<System>\Juegs.exe
<System>\Negdo.exe

W32/Culler-C attempts to download and execute files from a remote location. At the time of writing, these files were unavailable for download.

The worm sets the following registry entries to run at system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
<Windows>\Cfreer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
<Windows>\Nzil.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
<System>\Juegs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
<System>\Negdo.exe

W32/Culler-C sets the following registry entry:

HKCU\Software\VB and VBA Program Settings\SysUpdate\sistema
Marcar
1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: new Virus/worm in MSN ?
« Reply #16 on: May 09, 2007, 05:44:38 PM »
> Virus W32/Culler-C that IS NOT detected by Avast ???
Can you send the samples to virus@avast.com ?
You can zip and password the files... Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
The best things in life are free.

webfaqtory

  • Guest
Re: new Virus/worm in MSN ?
« Reply #17 on: May 10, 2007, 11:22:29 AM »
Sent an example.

If anybody wants to play ;D it's available from http://www.webfaqtory.com/bush.zip Password=Culler. Unless you want to be _REAL_ popular with friends and family, close MSN Messenger first.

To get rid of this worm you will need to download Process Explorer from http://download.sysinternals.com/Files/ProcessExplorer.zip as the worm hooks into Task Manager and regedit and prevents them from running.

From Process Explorer look for Juegs.exe or Cfreer.exe or (less likely) Nzil.exe or Negdo.exe. Terminate this process. The worm is now disabled and you can run regedit to delete the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
<Windows>\Cfreer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
<Windows>\Nzil.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
<System>\Juegs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
<System>\Negdo.exe

Then delete the following files:

<Windows>\Cfreer.exe
<Windows>\Nzil.exe
<System>\Juegs.exe
<System>\Negdo.exe

Reboot and check that Task Manager and regedit start OK and none of the above files are running.

There will also be a copy of bush.exe in your cache, depending on your browser settings. It would be best to delete the cache to remove this copy.
« Last Edit: May 10, 2007, 11:25:19 AM by webfaqtory »
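
A report-only check for the artefacts named in the removal steps above, as an added example that is not part of the original posts. It assumes <Windows> is %windir% and <System> is System32 (or SysWOW64 when a 32-bit process is redirected on 64-bit Windows); the function names are hypothetical.

```powershell
# Report-only check for the W32/Culler-C artefacts listed in this thread.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$markerKey = 'HKCU:\Software\VB and VBA Program Settings\SysUpdate\sistema'
# Assumption: <Windows> is %windir%; <System> is System32, or SysWOW64 when a
# 32-bit process is redirected on 64-bit Windows.
$dirs = @{
    Windows = @($env:windir)
    System  = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))
}
# Run value name -> placeholder directory and file name, as given in the post.
$indicators = @(
    @{ Name = 'Windows';       Dir = 'Windows'; Leaf = 'Cfreer.exe' }
    @{ Name = 'WindowsUpdate'; Dir = 'Windows'; Leaf = 'Nzil.exe' }
    @{ Name = 'System';        Dir = 'System';  Leaf = 'Juegs.exe' }
    @{ Name = 'SystemUpdate';  Dir = 'System';  Leaf = 'Negdo.exe' }
)

function Get-CullerFindings {
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($i in $indicators) {
        $data  = if ($run) { $run.($i.Name) } else { $null }
        $files = @($dirs[$i.Dir] | ForEach-Object { Join-Path $_ $i.Leaf } |
                   Where-Object { Test-Path -LiteralPath $_ })
        $proc  = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($i.Leaf)) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RunValue   = $i.Name
            RunData    = $data
            # Only count the Run value when its data points at the listed file name;
            # a value merely named "System" or "Windows" is not evidence by itself.
            RunMatches = [bool]($data -and $data -like "*\$($i.Leaf)*")
            FilesFound = $files -join '; '
            Running    = [bool]$proc
        }
    }
}

function Test-CullerMarker {
    # The description lists value "Marcar" with data 1 under this key.
    $m = Get-ItemProperty -Path $markerKey -Name 'Marcar' -ErrorAction SilentlyContinue
    [bool]($m -and "$($m.Marcar)" -eq '1')
}

$findings = Get-CullerFindings
$findings | Format-Table -AutoSize
$hit = @($findings | Where-Object { $_.RunMatches -or $_.FilesFound -or $_.Running }).Count -gt 0
"Marker key present: $(Test-CullerMarker)"
"Any Culler-C artefact found: $hit"
```

Run it in the affected user's session, since both registry keys are under HKCU.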

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: new Virus/worm in MSN ?
« Reply #18 on: May 10, 2007, 11:37:26 AM »
Complete scanning result of "bush.exe", received in VirusTotal at 05.10.2007, 11:29:05 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.5.10.0   05.10.2007   no virus found
AntiVir   7.4.0.15   05.10.2007   Worm/VB.AU.62
Authentium   4.93.8   05.10.2007   no virus found
Avast   4.7.997.0   05.10.2007   no virus found
AVG   7.5.0.467   05.09.2007   Worm/VB.BDH
BitDefender   7.2   05.10.2007   Win32.Worm.IM.VB.I
CAT-QuickHeal   9.00   05.09.2007   I-Worm.VB.au
ClamAV   devel-20070416   05.10.2007   no virus found
DrWeb   4.33   05.09.2007   no virus found
eSafe   7.0.15.0   05.08.2007   Win32.Adclicker
eTrust-Vet   30.7.3624   05.10.2007   Win32/Subaso.J
Ewido   4.0   05.10.2007   Worm.VB.au
FileAdvisor   1   05.10.2007   no virus found
Fortinet   2.85.0.0   05.10.2007   W32/VB.AU!worm.im
F-Prot   4.3.2.48   05.10.2007   no virus found
F-Secure   6.70.13030.0   05.10.2007   IM-Worm.Win32.VB.au
Ikarus   T3.1.1.7   05.10.2007   IM-Worm.Win32.VB.au
Kaspersky   4.0.2.24   05.10.2007   IM-Worm.Win32.VB.au
McAfee   5027   05.09.2007   W32/Culler
Microsoft   1.2503   05.10.2007   no virus found
NOD32v2   2255   05.09.2007   Win32/VB.NKS
Norman   5.80.02   05.09.2007   no virus found
Panda   9.0.0.4   05.09.2007   W32/MSNDiablo.A.worm
Prevx1   V2   05.10.2007   Polynomial.Code.Exploit
Sophos   4.17.0   05.08.2007   W32/Culler-C
Sunbelt   2.2.907.0   05.05.2007   no virus found
Symantec   10   05.10.2007   Trojan.Adclicker
TheHacker   6.1.6.112   05.10.2007   no virus found
VBA32   3.12.0   05.09.2007   IM-Worm.Win32.VB.au
VirusBuster   4.3.7:9   05.09.2007   no virus found
Webwasher-Gateway   6.0.1   05.10.2007   Worm.VB.AU.62
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

ifihadonechance

  • Guest
Re: new Virus/worm in MSN ?
« Reply #19 on: May 14, 2007, 11:28:38 PM »
Yea, this problem with the link happened to me and my other friends as well, except it said "OMG Is that you?  :o" with a link (this happened a while ago, forgot link.)

When I clicked on it, all of a sudden the computer was in control and started to install crap (sorry for the language) like search bars, games, etc.

Unfortunately I didn't have avast then. I had Windows Defender and no AdAware.

That shows that Windows Defender isn't that strong.  :)

ifihadonechance

  • Guest
Re: new Virus/worm in MSN ?
« Reply #20 on: May 14, 2007, 11:32:03 PM »
Yea, this problem with the link happened to me and my other friends as well, except it said "OMG Is that you?  :o" with a link (this happened a while ago, forgot link.)

When I clicked on it, all of a sudden the computer was in control and started to install crap (sorry for the language) like search bars, games, etc.

Unfortunately I didn't have avast then. I had Windows Defender and no AdAware.

That shows that Windows Defender isn't that strong.  :)

Now it's gone, thanks to avast. Phew!  :)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: new Virus/worm in MSN ?
« Reply #21 on: May 15, 2007, 10:30:32 AM »
webfaqtory's sample is still undetected. I think the avast! team needs to add these samples submitted on the forum as a priority, as it gives a very bad impression when they remain undetected days or even weeks later.  >:(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: new Virus/worm in MSN ?
« Reply #22 on: May 15, 2007, 02:12:15 PM »
> As it gives a very bad impression when they remain undetected days or even weeks later.  >:(
Fully agree.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: new Virus/worm in MSN ?
« Reply #23 on: May 15, 2007, 02:39:31 PM »
> I think the avast! team needs to add these samples submitted on the forum as a priority, as it gives a very bad impression when they remain undetected days or even weeks later.  >:(

I couldn't agree more, and with any that I submit to avast I also include the forum topic's URL as what I consider a gentle nudge, in the vain hope it might get some priority over the thousands of other submissions to virus @ avast.com each and every day.

But, forum submissions aside, there really needs to be greater effort in the adding of new/undetected malware submissions across the board.

Yes, avast has brought on new staff to the labs and there are (or appear to be) a greatly increased number of VPS updates and signatures, but the submission response seems as a result to have slowed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security