3 Replies Latest reply on Jul 26, 2010 2:53 PM by paullotion

    Virus detections escalating

      Last week Thursday we logged a call when we started detecting viruses on the network. Only on Friday night did we receive an Extra.DAT after re-submitting the sample to https://www.webimmune.net. Over the weekend we submitted new samples and were given a variant name. This morning the exercise continues.

      From our point of view, this is the same virus. The files being created in the shares are all 107 KB. The actions are the same.

       

      The virus does the following:

      1. Adds the H (hidden) and S (system) attributes to directories.
      2. Creates a shortcut with the same name as the directory.
      3. Creates "Windows-type" folder shortcuts (e.g. My Documents, My Music).
      4. Creates an SCR and an EXE with a random name that all of the above shortcuts point to.

       

      The latest from https://www.webimmune.net:

      Analysis ID: 6111640

      Name            Findings           Detection        Type    Extra
      buasaa.exe      new detection      generic.dx!tfj   Trojan  yes
      buasaa.scr      new detection      generic.dx!tfj   Trojan  yes
      buateey.exe     inconclusive                                no
      buateey.scr     inconclusive                                no
      heuihu.exe      new detection      generic.dx!tfn   Trojan  yes
      heuihu.scr      new detection      generic.dx!tfn   Trojan  yes
      jeuiju.exe      new detection      generic.dx!tfk   Trojan  yes
      jeuiju.scr      new detection      generic.dx!tfk   Trojan  yes
      joeufe.exe      new detection      generic.dx!tfn   Trojan  yes
      joeufe.scr      new detection      generic.dx!tfn   Trojan  yes
      jousop.exe      new detection      generic.dx!tfk   Trojan  yes
      jousop.scr      current detection  generic.dx!tfi   Trojan  no
      jwliep (2).exe  inconclusive                                no
      jwliep.exe      new detection      generic.dx!tfj   Trojan  yes
      jwliep.scr      current detection  generic.dx!tfi   Trojan  no
      kuidi.exe       new detection      generic.dx!tfk   Trojan  yes
      kuidi.scr       new detection      generic.dx!tfk   Trojan  yes
      leioquz.exe     new detection      generic.dx!tfm   Trojan  yes
      leioquz.scr     new detection      generic.dx!tfm   Trojan  yes
      qeiobi.exe      current detection  generic.dx!tfi   Trojan  no
      qeiobi.scr      current detection  generic.dx!tfi   Trojan  no
      toeuv.exe       new detection      generic.dx!tfj   Trojan  yes
      toeuv.scr       new detection      generic.dx!tfj   Trojan  yes
      youbu.exe       new detection      generic.dx!tfk   Trojan  yes
      youbu.scr       new detection      generic.dx!tfk   Trojan  yes
      zeiozub.exe     new detection      generic.dx!tfk   Trojan  yes
      zeiozub.scr     new detection      generic.dx!tfk   Trojan  yes
      zenil.exe       new detection      generic.dx!tfk   Trojan  yes
      zenil.scr       new detection      generic.dx!tfk   Trojan  yes

       

      I have attached the viruses in the zip file. The password is "infected".

       

       

      Message was edited by: tonyb99. Removed zip file; please don't attach malware samples to forum posts. Also moved this to the malware forum. On 26/07/10 10:29:56 IST
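      The four-step behaviour listed in the post (Hidden+System directories, same-named .lnk files, fake "My Documents"-style folder shortcuts, and a random-named .exe/.scr that the shortcuts point to) is easy to hunt for on a share with a script. The following is an added triage example written for this thread; it is not code from the original poster, McAfee or WebImmune. It assumes a share root you pass in, resolves shortcut targets through the WScript.Shell COM object, and treats a 104-112 KB target as a match for the "all 107 KB" observation; those are assumptions, not facts from the thread. It only reports unless you pass -Remediate.

```powershell
<#
  Added triage script for the infection pattern described in the post above.
  Not code from the original poster, McAfee or WebImmune.
  Assumptions (not from the thread): the share root path, WScript.Shell as the
  .lnk resolver, and a 104-112 KB window standing in for "all 107 KB".
  Written against PowerShell 2.0 (PSIsContainer, New-Object PSObject), which
  matches the thread's vintage.
#>
param(
    [Parameter(Mandatory = $true)][string]$Root,   # e.g. \\fileserver\share (assumed path)
    [switch]$Remediate                              # dry run unless set
)

function Test-Attr([IO.FileAttributes]$Attrs, [IO.FileAttributes]$Flag) {
    # True when every bit in $Flag is set in $Attrs.
    return (($Attrs -band $Flag) -eq $Flag)
}

$Root     = (Resolve-Path -LiteralPath $Root).ProviderPath
$HS       = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$shell    = New-Object -ComObject WScript.Shell
$findings = @()

Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
  Where-Object { -not $_.PSIsContainer } |
  ForEach-Object {
    $lnk    = $_
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath   # reads the .lnk, does not run it
    if (-not $target) { return }
    $ext = [IO.Path]::GetExtension($target).ToLowerInvariant()
    if ($ext -ne '.exe' -and $ext -ne '.scr') { return }         # ordinary shortcut, ignore

    # Step 4 in the post: the shortcut points at a dropped .exe/.scr of about 107 KB.
    $size = -1
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        $size = (Get-Item -LiteralPath $target -Force).Length
    }
    $sizeHit = ($size -ge 104KB) -and ($size -le 112KB)

    # Steps 1-2: a directory with the shortcut's own name sits beside it and has been made H+S.
    $dir    = Join-Path $lnk.DirectoryName $lnk.BaseName
    $dirHit = $false
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $dirHit = Test-Attr (Get-Item -LiteralPath $dir -Force).Attributes $HS
    }

    # Step 3 ("My Documents"-style shortcuts) has no matching directory, so it is caught by $sizeHit alone.
    if ($sizeHit -or $dirHit) {
        $findings += New-Object PSObject -Property @{
            Shortcut  = $lnk.FullName
            Target    = $target
            TargetKB  = [int]($size / 1KB)
            HiddenDir = $(if ($dirHit) { $dir } else { '' })
        }
    }
  }

$findings | Format-Table Shortcut, HiddenDir, Target, TargetKB -AutoSize
$droppers = @($findings | ForEach-Object { $_.Target.ToLowerInvariant() } | Sort-Object -Unique)
"Distinct droppers referenced ($($droppers.Count)): " + ($droppers -join ', ')

if ($Remediate) {
    foreach ($f in $findings) {
        if ($f.HiddenDir) {
            $d = Get-Item -LiteralPath $f.HiddenDir -Force
            $d.Attributes = $d.Attributes -band (-bnot $HS)    # clear H and S, keep other bits
        }
        Remove-Item -LiteralPath $f.Shortcut -Force
        # Delete the dropper only when it lives inside the share; anything outside is AV's call.
        if ($f.Target.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)) {
            Remove-Item -LiteralPath $f.Target -Force -ErrorAction SilentlyContinue
        }
    }
}
```

      Run it first without -Remediate, copy the distinct droppers it lists into a password-protected archive for WebImmune, and only then re-run with -Remediate. Two caveats: the script asks the Windows shell to parse every .lnk it finds, so run it from a fully patched, non-production host rather than an infected workstation; and a shortcut whose target is written with a mapped drive letter will not match a UNC -Root in the StartsWith check, so such droppers are reported but left for manual removal.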
        • 1. Re: Virus detections escalating

          Analysis ID: 6111699

          Name            Findings           Detection        Type    Extra
          buasaa.exe      new detection      generic.dx!tfj   Trojan  yes
          buasaa.scr      new detection      generic.dx!tfj   Trojan  yes
          buateey.exe     inconclusive                                no
          buateey.scr     inconclusive                                no
          heuihu.exe      new detection      generic.dx!tfn   Trojan  yes
          heuihu.scr      new detection      generic.dx!tfn   Trojan  yes
          jeuiju.exe      new detection      generic.dx!tfk   Trojan  yes
          jeuiju.scr      new detection      generic.dx!tfk   Trojan  yes
          joeufe.exe      new detection      generic.dx!tfn   Trojan  yes
          joeufe.scr      new detection      generic.dx!tfn   Trojan  yes
          jwliep.exe      inconclusive                                no
          leioquz.exe     new detection      generic.dx!tfm   Trojan  yes
          leioquz.scr     new detection      generic.dx!tfm   Trojan  yes
          ndmok.exe       inconclusive                                no
          ndmok.scr       inconclusive                                no
          pieore.exe      inconclusive                                no
          pieore.scr      inconclusive                                no
          tiusor.exe      inconclusive                                no
          tiusor.scr      inconclusive                                no
          toeuv.exe       inconclusive                                no
          toeuv.scr       inconclusive                                no
          vouguu.exe      inconclusive                                no
          vouguu.scr      inconclusive                                no
          zaiom.exe       inconclusive                                no
          zaiom.scr       inconclusive                                no
          zeiozub.exe     new detection      generic.dx!tfk   Trojan  yes
          zeiozub.scr     new detection      generic.dx!tfk   Trojan  yes
          zenil.exe       new detection      generic.dx!tfk   Trojan  yes
          zenil.scr       new detection      generic.dx!tfk   Trojan  yes

           

           

          Message was edited by: tonyb99. Removed zip file; please don't attach malware samples to forum posts. On 26/07/10 14:06:15 IST
          • 2. Re: Virus detections escalating

            All previous detections are now being detected as Downloader-cjx.gen.f.

             

            Analysis ID: 6112607

            Name      Findings        Detection              Type    Extra
            tfj.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            tfk.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            tfm.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            tfn.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            tfp.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            tfq.exe   new detection   downloader-cjx.gen.f   Trojan  yes
            • 3. Re: Virus detections escalating

              Hello,

               

              Could you PM (private message) me those samples if possible? Thanks.

               

               

              on 26/07/10 20:53:40 IST