Author Topic: worse virus ever  (Read 10492 times)

Offline hungrylilboy

  • Jr. Member
  • **
  • Posts: 28
worse virus ever
« on: June 25, 2004, 12:29:01 AM »
I have just had to re-install Windows after a virus deleted every single .exe, .mp3, .avi, .mpeg I had on my computer in about an hour.

I sat there and watched as they simply disappeared, and avast! couldn't find a thing wrong. Neither did the online scan at Trend.

When I re-started my comp after seeing it first, nearly every running process crashed.

Some processes also started loading a C prompt before crashing.

None of my programs would load, including avast!

All of my restore points had been deleted.

Some programs were changed back to original factory settings, such as MSN (I had 6.2), which was suddenly 4.2.

I would love to know what this was, and what I can do to stop it happening again. I have never seen anything like this before.

Offline Kobra

  • Full Member
  • ***
  • Posts: 185
  • No Text
Re:worse virus ever
« Reply #1 on: June 25, 2004, 12:35:41 AM »
Hate to say it, but I've seen a few trojans like this.  In fact, I have many many samples of them. Most of which were sent to Avast a week ago and still aren't in the doggon database!  What up?

If you caught a name of it, let me know, I'll check it with my records to see if it's one of the hundreds I sent to Avast. Mighta prevented this maybe, ugh.

Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average Joe is more likely to run into in my experience.  Gotta shore up those databases from the old threats too and not ignore them!


Offline hungrylilboy

  • Jr. Member
  • **
  • Posts: 28
Re:worse virus ever
« Reply #2 on: June 25, 2004, 12:40:23 AM »
Quote
Hate to say it, but I've seen a few trojans like this.  In fact, I have many many samples of them. Most of which were sent to Avast a week ago and still aren't in the doggon database!  What up?

If you caught a name of it, let me know, I'll check it with my records to see if it's one of the hundreds I sent to Avast. Mighta prevented this maybe, ugh.

Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average Joe is more likely to run into in my experience.  Gotta shore up those databases from the old threats too and not ignore them!


Sorry, I didn't get a name as nothing was found before I formatted. Why aren't they in the database? What are we paying for then??

Offline lee20

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2326
  • The only true failure is when you give up
Re:worse virus ever
« Reply #3 on: June 25, 2004, 11:42:11 AM »
I'm sure they are in the process of adding them. BTW, I would just like to ask how you came about finding these hundreds of trojans?

"Anyone who has never made a mistake has never tried anything new."-Albert Einstein

Comodo Firewall, Avast 4.8, SpywareBlaster, Spybot + superantispyware, PeerGuardian and ALL software patched!

Offline Stephan123

  • Full Member
  • ***
  • Posts: 179
  • I am the virus reporter
Re:worse virus ever
« Reply #4 on: June 25, 2004, 11:51:01 AM »
The people working at Avast are quite busy at the moment. You can see here http://www.avast.com/eng/viruses/vps_history.html which viruses are in the database.

Offline hungrylilboy

  • Jr. Member
  • **
  • Posts: 28
Re:worse virus ever
« Reply #5 on: June 25, 2004, 12:41:22 PM »
Quote
The people working at Avast are quite busy at the moment. You can see here http://www.avast.com/eng/viruses/vps_history.html which viruses are in the database.

Not being rude, OK yes I am, but I couldn't care less whether they are busy or not. That's what we pay for, or supposedly.

I am now re-installing everything including Windows for the second time in 24 hours after it infected my backups too. I have lost years of work, photos and everything. Simply because they don't have old records added... what a joke, guys. How about a refund?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:worse virus ever
« Reply #6 on: June 25, 2004, 12:52:22 PM »
Quote
Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average Joe is more likely to run into in my experience.  Gotta shore up those databases from the old threats too and not ignore them!

That's simply not true. We don't really care about the age of the malware...

I doubt it was a Trojan either...

Quote
Not being rude, OK yes I am, but I couldn't care less whether they are busy or not. That's what we pay for, or supposedly.

Of course, I agree.

Now I'd recommend focusing on the main thing -- getting back the data.
Are you saying that your backups contain files that are already truncated/overwritten? What I'd need is some kind of trace from the beast. So that we could tell what it was. Is it still on the backups then?



« Last Edit: June 25, 2004, 12:52:34 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline hungrylilboy

  • Jr. Member
  • **
  • Posts: 28
Re:worse virus ever
« Reply #7 on: June 25, 2004, 03:39:58 PM »
Quote
Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average Joe is more likely to run into in my experience.  Gotta shore up those databases from the old threats too and not ignore them!

That's simply not true. We don't really care about the age of the malware...

I doubt it was a Trojan either...

Quote
Not being rude, OK yes I am, but I couldn't care less whether they are busy or not. That's what we pay for, or supposedly.

Of course, I agree.

Now I'd recommend focusing on the main thing -- getting back the data.
Are you saying that your backups contain files that are already truncated/overwritten? What I'd need is some kind of trace from the beast. So that we could tell what it was. Is it still on the backups then?


OK, sorry for the above. Have calmed down now. I went to a cyber cafe and transferred my data from one disc to another without touching any .exes.

They are running Norton Anti Virus and it picked it up straight away, labeling it as w32.axon.B

Is this in our viruses, and if so how come it didn't pick it up?

Edit: I do have the file still on my backups, but unless you want me to send a CD-R through the snail mail, I am afraid I am going nowhere near it.
« Last Edit: June 25, 2004, 03:40:46 PM by hungrylilboy »

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:worse virus ever
« Reply #8 on: June 25, 2004, 04:23:01 PM »

w32.axon.B


Seems like avast detects AXON(.A) as "Win32:Xenon", but not AXON.B
That's a pity..

I'm sorry about your files, hungrylilboy,
and avast SHOULD have detected it,
and you will neither like this, nor does it help you at present,
but as a hint for the future:

a) we don't live in a perfect world:
b) FACT: no AV-scanner offers 100% detection/protection
c) if I look at your past postings & at the description of AXON.B:
"This virus has been distributed on peer-to-peer file-sharing networks, using deceptive filenames such as "Keygen.exe."

-> you should exercise some more caution when using your PC & moving about the internet

P.S.: I hope your MP3 & AVI on (external ?) backup media are still intact ?



P.P.S: According to the date when Win32:XENON was included in avast's database, it could also be that this includes BOTH AXON/XENON-variants ?
Maybe VLK could comment..

HLB: Your resident shield & P2P-Provider was always on & configured correctly ?

 ;)
« Last Edit: June 25, 2004, 04:48:43 PM by whocares »

Staind

  • Guest
Re:worse virus ever
« Reply #9 on: June 25, 2004, 04:47:02 PM »
Is it possible that Avast! was infected and wasn't working right? I know this happens to my dad's norton quite often..

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:worse virus ever
« Reply #10 on: June 25, 2004, 05:45:14 PM »
Quote
Is it possible that Avast! was infected and wasn't working right? I know this happens to my dad's norton quite often..

I don't think so but it's recommended by any antivirus to scan just after the installation or even before, by a clean CD  :-\

hungrylilboy, is there anything more we can help you with?  :-\
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85964
  • No support PMs thanks
Re:worse virus ever
« Reply #11 on: June 25, 2004, 05:49:40 PM »
If you haven't already done so you should patch a vulnerability which this virus exploits.

Quote
Virus Prepends Itself to Files With .Exe Extensions

W32.Axon.B is a virus that prepends itself to the files with the .exe extension. It also deletes the files with .mp3 and .avi extensions.

Technical details are at this Symantec page.

Worm Exploits Microsoft Vulnerability

W32/Cycle.worm is a worm that spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].

The worm copies itself to the Windows system directory as SVCHOST.EXE, for example:

%SysDir%\SVCHOST.EXE

It installs itself as a service ("Host Service") on the victim machine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Host Service

The service bears the following characteristics:
Display name: Host Service
Image path: %SysDir%\SVCHOST.EXE
Startup: automatic

A text file containing a political message is dropped to %WinDir% as CYCLONE.TXT:

%WinDir%\CYCLONE.TXT (3,316 bytes)

A side-effect of the worm is for LSASS.EXE to crash, by default such a system will reboot after the crash occurs.

The following Microsoft update should be installed to be protected from the exploit used by this worm. See this Microsoft page.

This patch has been on the MS windows update site for some time. Everyone should ensure that their OS is fully updated.

David
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
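
A check for the W32/Cycle.worm service characteristics listed in the post above, as an added example that is not part of the original post or the quoted description: it parses `reg query ... /s` style text and reports any service key matching the display name, image file name and automatic startup together. The sample text and the function names are constructed for illustration.

```python
import re

# Indicators from the W32/Cycle.worm description quoted in the post above.
CYCLE_DISPLAY_NAME = "host service"
CYCLE_IMAGE_NAME = "svchost.exe"
START_AUTOMATIC = 2  # a service Start value of 2 means automatic startup
# One value line of `reg query` output: name, type, data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample (not from the thread): one matching key, one ordinary service.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Host Service
    DisplayName    REG_SZ    Host Service
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\System32\SVCHOST.EXE
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    DisplayName    REG_SZ    DHCP Client
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2
"""


def parse_reg_query(text):
    """Parse `reg query <key> /s` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name, kind, data = m.groups()
                current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return keys


def cycle_worm_services(services):
    """Return key paths that match all three characteristics listed in the post."""
    hits = []
    for path, values in services.items():
        image = str(values.get("ImagePath", "")).strip('"')
        # File name only; a trailing argument such as "-k netsvcs" will not match.
        image_name = image.rsplit("\\", 1)[-1].lower()
        if (str(values.get("DisplayName", "")).lower() == CYCLE_DISPLAY_NAME
                and image_name == CYCLE_IMAGE_NAME
                and values.get("Start") == START_AUTOMATIC):
            hits.append(path)
    return hits
```

On a live system the input would be the saved output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`. The dropped %WinDir%\CYCLONE.TXT file (3,316 bytes) is a second indicator from the description that this example does not check.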

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:worse virus ever
« Reply #12 on: June 25, 2004, 05:51:47 PM »
I was told by the virus guys that Axon is detected by avast as Win32.Xenon. I'm not sure about the .B variant, though... :-\
If at first you don't succeed, then skydiving's not for you.

Offline Kobra

  • Full Member
  • ***
  • Posts: 185
  • No Text
Re:worse virus ever
« Reply #13 on: June 25, 2004, 08:06:00 PM »
Looking over my data I see that I submitted Axon.b to Avast about a week ago.  

 :'(
« Last Edit: June 25, 2004, 08:06:12 PM by Kobra »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:worse virus ever
« Reply #14 on: June 25, 2004, 08:53:00 PM »
hungrylilboy, do you have any idea about how you got infected (email, P2P, web download, ...)? The Axon virus is not exactly common... :-\
If at first you don't succeed, then skydiving's not for you.