FF4m3

@bhn.net

Can YOU Crack The Gauss Uber-Virus Encryption?

From The Register:

Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus.

“The purpose and functions of the encrypted payload currently remain a mystery,” explained Aleks Gostev, chief security expert at Kaspersky Lab. “The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile. The size of the payload is also a concern. It’s big enough to contain coding that could be used for cyber-sabotage, similar to Stuxnet’s SCADA [industrial machine controller] code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Antivirus experts at the Russian security outfit launched an appeal today for anyone with an interest in cryptography, reverse engineering or mathematics to help find the decryption keys and unlock the hidden payload. More details and a technical description of the problem are available in a blog post here.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Some AV Vendor have Gauss detection in place



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:22

ESET seems to be the only one listed. Do you happen to know if others have caught up and added Gauss to their repertoire and what they might be?



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to siljaline

said by siljaline:

Some AV Vendor have Gauss detection in place

Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm. But what are gsava.exe, gssm32.exe and abcd.exe? pic.twitter.com/b9aL8rEQ

»Gauss: Nation-state cyber-surveillance meets banking Trojan


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

I don't know what your graph represents but I can say with some certainty that ESET does protect from Gauss

There are stand-alone removal tools floating around that I know of but this malware requires a full-bore AV to detect and fully remove.



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

1 edit

That is not a graph, it is the names of AVs and their .exe files..when Gauss sees them installed on a PC...it backs off and will not infect your PC or system just because they are present...and it is built into Gauss to do that..now do you understand ?

That is why I also posted...Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm.

Your other comment is wrong.



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to FF4m3

Mikko Hypponen, chief research officer of Finnish security firm F-Secure, noted that "Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm" on a system, according to an array of filenames that the malware checks for.

»www.securitynewsdaily.com/2159-g···ion.html


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to FF4m3

To detect Gauss on your system just go to these sites in the first link below...it is easy to detect....and the sites will let you know immediately since...

"Both CrySys and Kaspersky sniff out Gauss by looking for a custom-built font, dubbed "Palida Narrow," that the malware adds to infected machines.

CrySys first posted a detection tool that relied on the Palida Narrow strategy; Kaspersky took the same approach, but simplified it by inserting an IFRAME element into a Web page. The IFRAME uses JavaScript to check for the presence of the font."

http://www.computerworld.com/s/article/9230170/Security_experts_push_free_Gauss_detection_tools

And for removal..Bit Defender has a good tool and there are others out there...

http://www.bitdefender.com/news/gauss-removal-tool-powered-by-bitdefender-2556.html
--
Gladiator Security Forum
http://www.gladiator-antivirus.com/


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

reply to Name Game
My other comment that there are stand-alone tools to remove Gauss ? I've yet to see one that works.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to FF4m3
Researchers Seek Help Cracking Gauss Mystery Payload

The Mystery of the Encrypted Gauss Payload

Gauss malware - What you need to know

Kaspersky Lab Needs Help Decrypting Gauss

Researchers seek help decoding "encrypted warhead"



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

3 edits

reply to siljaline

Trojan.Gauss.Spy.Gen Removal Tool 2.2.0.6

said by siljaline:

My other comment that there are stand-alone tools to remove Gauss ? I've yet to see one that works.

which ones have you tried ?

Also..

Kaspersky updated its free Virus Removal Tool 2011 to deal with Gauss.
»support.kaspersky.com/viruses/av···?level=2

They call it "setup_11.0.0.1245.x01_2012_08_13_13_37.exe" and updated it on Aug 13, 2012

windaz

join:2010-09-23

reply to jaykaykay
Symantec products detect it »www.symantec.com/connect/blogs/c···w32gauss



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to Name Game
Nope, ain't gonna be running anything non ESET.

I've used ESET's ESET Rogue Application Remover with some success.

As cited elsewhere, ESET detects Gauss, anyway.



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

said by siljaline:

Nope, ain't gonna be running anything non ESET.

I've used ESET's ESET Rogue Application Remover with some success.

As cited elsewhere, ESET detects Gauss, anyway.

guess you don't have a copy of the badboy to test then...oh well..it just reminded me of some years ago here at dslr when I started praising the Panda removal tools and many of the self styled security gurus and even wildcatboy took me to task on their standalones. I told them they were good tools..I had even tested them..and besides they cleaned in the "MSDOS" mode and did a very clean job...no reboot needed.

In the end many people then used the tools from panda..and for years we even had a direct link at the top of this forum to download them.

Glad you like your ESET tool..did it clean all the Gauss for you ? Glad ESET cleans this one ..since Gauss won't back off and not install if you are running it.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


norwegian
Premium
join:2005-02-15
Outback
Reviews:
·WestNet Broadband

You should know by now siljaline is pro ESET. Any time there is a new big nasty, it is all ESET. We get called fanboyz for being one-eyed and narrow minded; it doesn't help the users out there looking for info......you will have to just get used to the new ESET clan, better late than never, as it was a lot better program once; but then we say that about a lot of A/V's over time.



owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

reply to FF4m3
From Norton:

Discovered: August 9, 2012
Updated: August 15, 2012 2:40:23 AM
Also Known As: TSPY_GAUSS.A [Trend]
Type: Worm
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Gauss is a worm that opens a back door and collects confidential information from the compromised computer.

Antivirus Protection Dates

Initial Rapid Release version August 9, 2012 revision 016
Latest Rapid Release version August 9, 2012 revision 039
Initial Daily Certified version August 9, 2012 revision 018
Latest Daily Certified version August 10, 2012 revision 001
Initial Weekly Certified release date August 15, 2012

Threat Assessment
Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Medium
Payload: Opens a back door.
Releases Confidential Info: Steals system information, browser history, passwords, and cookies.

Distribution

Distribution Level: Low
Shared Drives: Spreads through removable drives.

When the worm is executed, it creates the following files:

%System%\wbem\wmihlp32.dll
%System%\wbem\wmiqry32.dll
%System%\dskapi.ocx
%System%\winshell.ocx
%System%\devwiz.ocx
%System%\lanhlp32.ocx
%System%\mcdmn.ocx
%System%\smdk.ocx
%System%\windig.ocx
%UserProfile%\Local Settings\Temp\~shw.tmp
%UserProfile%\Local Settings\Temp\~gdl.tmp
%UserProfile%\Local Settings\Temp\~mdk.tmp
%Temp%\s61cs3.dat
%Temp%\~ZM6AD3.tmp
%System%\fonts\pldnrfn.ttf
%Temp%\ws1bin.dat

The worm creates the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wbemsvc.dll"
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wmihlp32.dll"

The worm is modular and has the following functionalities and components:

Loads other components and contains connection functionality (%System%\wbem\wmiqry32.ocx, %system32%\wbem\wmihlp32.ocx)
Collects hardware information about the CMOS and the BIOS (%System%\devwiz.ocx)
Spreads through removable drives and collects removable drive information (%System%\dskapi.ocx, contains 32 and 64-bit components)
Collects network related information (%System%\lanhlp32.ocx)
Collects information about the user domain (%System%\mcdmn.ocx)
Collects information on computer drives (%System%\smdk.ocx)
Installs a custom Palida Narrow font (%System%\windig.ocx)
Collects browser and cookie information from Firefox and Internet Explorer (%System%\winshell.ocx)

The worm steals the following from Internet Explorer:

Browsing history
Passwords
Text in data fields from loaded pages

The worm installs its own Firefox plugin that performs the following actions:

Extracts browsing history
Extracts passwords
Extracts cookies

The worm (%System%\winshell.ocx) searches for cookies from the following list:

maktoob
ebay
hotmail
gmail
facebook
amazon
creditlibanais
yahoo
fransabank
citibank
byblosbank
blombank
eblf
bankofbeirut
americanexpress
aisa
eurocard
mastercard
paypal

Note: Collected cookies are encrypted and saved to:
%Temp%\ws1bin.dat

The worm is associated with the following command-and-control servers:

gowin7.com
secuurity.net
datajunction.org
bestcomputeradvisor.com
dotnetadvisor.info
guest-access.net
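Name Game's post earlier in the thread describes the Palida Narrow font check that CrySys and Kaspersky use, and the Symantec writeup quoted above lists the dropped files, the CLSID registry value and the command-and-control domains. The script below is an added example, not a tool from Symantec, Kaspersky, CrySys, BitDefender or any poster in this thread. It turns those indicators into a host sweep a responder could run on a live machine or a mounted disk image: it checks for the listed files (the pldnrfn.ttf font file is the host-side counterpart of the browser-side Palida Narrow check), reads the InProcServer32 default value through a caller-supplied reader, and matches DNS query logs against the C2 domains. The indicator values are copied from the writeup; the roots dictionary, the registry-reader callback, the DNS log line format and the sample log lines are assumptions made for this example.

```python
"""Sweep a host (or a mounted image) for the Gauss artifacts quoted in this thread.

Added example. The indicators are copied from the Symantec writeup; the roots
dict, the registry reader callback, the DNS log format and the sample data are
assumptions made for the example, not facts from the writeup."""
import os
import tempfile
from pathlib import Path

# Dropped files, with the environment placeholders kept exactly as the writeup spells them.
GAUSS_FILES = [
    r"%System%\wbem\wmihlp32.dll",
    r"%System%\wbem\wmiqry32.dll",
    r"%System%\dskapi.ocx",
    r"%System%\winshell.ocx",
    r"%System%\devwiz.ocx",
    r"%System%\lanhlp32.ocx",
    r"%System%\mcdmn.ocx",
    r"%System%\smdk.ocx",
    r"%System%\windig.ocx",
    r"%UserProfile%\Local Settings\Temp\~shw.tmp",
    r"%UserProfile%\Local Settings\Temp\~gdl.tmp",
    r"%UserProfile%\Local Settings\Temp\~mdk.tmp",
    r"%Temp%\s61cs3.dat",
    r"%Temp%\~ZM6AD3.tmp",
    r"%System%\fonts\pldnrfn.ttf",
    r"%Temp%\ws1bin.dat",
]
# The custom font file: its presence on disk is the host-side counterpart of the
# browser-side "Palida Narrow" check described earlier in the thread.
PALIDA_FONT_FILE = r"%System%\fonts\pldnrfn.ttf"

GAUSS_CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32"
# The writeup lists both values. Only wmihlp32.dll also appears in its dropped-file
# list, so it is treated as the high-confidence hit; wbemsvc.dll is reported for review.
GAUSS_CLSID_VALUES = {"wmihlp32.dll": "high", "wbemsvc.dll": "review"}

GAUSS_C2_DOMAINS = [
    "gowin7.com", "secuurity.net", "datajunction.org",
    "bestcomputeradvisor.com", "dotnetadvisor.info", "guest-access.net",
]

# Constructed sample DNS query log, not real traffic. Assumed format:
# "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = [
    "2012-08-13T10:01:02 10.0.0.5 www.example.com.",
    "2012-08-13T10:01:07 10.0.0.5 gowin7.com.",
    "2012-08-13T10:01:09 10.0.0.9 update.secuurity.net.",
    "2012-08-13T10:01:11 10.0.0.9 notsecuurity.net.",
]


def expand(path, roots):
    """Replace %System%/%UserProfile%/%Temp% with caller-supplied roots and return a Path.

    Taking the roots explicitly (instead of reading os.environ) lets the same code
    scan a mounted image or a test directory, not only the running host."""
    for name, root in roots.items():
        path = path.replace(f"%{name}%", str(root))
    return Path(path.replace("\\", os.sep))


def scan_files(roots):
    """Return the listed artifacts that exist under the given roots, in list order."""
    return [p for p in GAUSS_FILES if expand(p, roots).is_file()]


def palida_font_present(roots):
    """True when the custom font file has been dropped into the fonts directory."""
    return expand(PALIDA_FONT_FILE, roots).is_file()


def check_clsid(read_default_value):
    """Classify the InProcServer32 default value of the CLSID named in the writeup.

    read_default_value(key_path) -> str or None is supplied by the caller: on a live
    Windows host it would wrap winreg; in tests it can be a plain lambda.
    Returns 'high', 'review' or None."""
    value = read_default_value(GAUSS_CLSID_KEY)
    if value is None:
        return None
    return GAUSS_CLSID_VALUES.get(value.strip().lower())


def match_dns_log(lines):
    """Return (client, name) pairs whose queried name is a listed C2 domain or a subdomain of one."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash mid-sweep
        name = parts[2].rstrip(".").lower()
        for c2 in GAUSS_C2_DOMAINS:
            if name == c2 or name.endswith("." + c2):
                hits.append((parts[1], name))
                break
    return hits


def make_sample_host():
    """Constructed fixture: a temp dir standing in for the three roots, with two
    of the listed artifacts planted as harmless placeholder files."""
    base = Path(tempfile.mkdtemp(prefix="gauss-sweep-"))
    roots = {"System": base / "System32", "UserProfile": base / "User", "Temp": base / "Temp"}
    for rel in (r"wbem\wmihlp32.dll", r"fonts\pldnrfn.ttf"):
        target = roots["System"] / rel.replace("\\", os.sep)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder, not malware")
    return roots


if __name__ == "__main__":
    roots = make_sample_host()
    print("files found:", scan_files(roots))
    print("font present:", palida_font_present(roots))
    print("registry:", check_clsid(lambda key: "wmihlp32.dll"))  # stand-in reader
    print("dns hits:", match_dns_log(SAMPLE_DNS_LOG))
```

On a real Windows host the roots would be built from the environment (for example `Path(os.environ["SystemRoot"]) / "System32"` for `%System%`, `os.environ["USERPROFILE"]` and `os.environ["TEMP"]` for the other two) and the registry callback would wrap `winreg.OpenKey` and `winreg.QueryValueEx`; both are assumptions about how the script would be wired up, and a file-list hit should be confirmed with a full AV scan as the posters above recommend.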


dwomack

join:2012-07-03
San Diego, CA

reply to FF4m3
It looks like a majority of AV vendors already detect it:

»www.virustotal.com/file/5198c225···nalysis/

So far it seems to only be directed at the Middle East but why wait for it to hit elsewhere before creating tools and/or methods to clean it?



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:22

1 edit

reply to windaz
Kind of a shame that so few have figured out how to do and include it.

Guess many more cover it than I knew.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to norwegian
I am an ESET user and do ESET support at Wilders as many know, norwegian. That's not to say ESET is the end-all of A/V's.
Simply because ESET detects Gauss while others don't or I am not aware of does not qualify me as an ESET fanboy



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

exactly..you like what you got and are happy with it. But many others detected and cleaned Gauss even before it was a glint in ESET's eye..that is a fact.

over 13.5 years online © 1999-2013 dslreports.com.