lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs:  
| i think i found a new virus
my freind sent me a exe file he said scan this with my antivirus and then no virus so i open this file and two reg line came added this %sytemroot%\mgs.exe %sytemroot%\expolorer.exe to the start up and here the link to this file h**p://myweb.cableone.net/jaross15/untitled%5B1%5D.jpg.exe
tt in the ** for protestion
i need help plz
srry for my bad english
and btw i use mcafee |
|
Faram
Premium
join:2002-03-27
Sweden
clubs: | Submit suspected malware
It is only on the top of the forum. |
|
habya
Premium
join:2003-05-29
Huntsville, AL
clubs:
edit:
May 16th, @05:54PM
| reply to lol2004
Best to submit it to the AV vendors.
»Security »I think my computer is infected or hijacked. What should I do?
Edit: just saw the above post I was a little late in typing. |
|
SpannerITWks
Premium
join:2005-04-22
| reply to lol2004
Virus-1 |
One of the interesting things is that my AVG picked it up Straightaway ! I'm well pleased with them.
Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| NAV detects it:
»securityresponse.symantec.com/av···m.a.html
W32.Allim.A is a worm that spreads a variant of the W32.Spybot.Worm through America Online Instant Messenger (AIM).
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs: | reply to lol2004
i send it them all 30 antivirus maker thx you, you guys are the best |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs: | reply to lol2004
but mcafee doesnt detest this is diffent from all of viruses andf it added a mgs.exe to the %systemroot% |
|
Quex
Premium
join:2005-02-21
Wayne, PA | reply to lol2004
F-Prot nailed it, despite its failure to detect anything in the jotti screenshot. |
|
KyeU
join:2003-12-31
Canada
edit:
May 16th, @06:37PM
| reply to lol2004
F-Prot |
EDIT: Quex posted before me  |
|
amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
 ·RoadRunner Cable
edit:
May 16th, @06:46PM
| reply to lol2004
said by lol2004  :but mcafee doesnt detest this is diffent from all of viruses andf it added a mgs.exe to the %systemroot% This tool is useful if Virustotal or Jotti didn't find anything, but you are still suspicious about a file. You pick a file to upload and the tool watches it run on a test (sandbox) system. Then the tool sends a report on what it saw.
»sandbox.norman.no/live_4.html (Norman AV's SandBox analysis tool)
Interpreting the report requires some expertise, so post the sandbox results in this thread.
If the sandbox analysis does find something the other tools missed, it will be something very new.
 |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs: | reply to lol2004
im waiting for a new sandbox email...................... |
|
QS
join:2001-12-02
North Vancouver, BC | reply to lol2004
ya mcafee enterprise 8 with latest dat's doesn't detect it as a badee. Not like mcafee to be so slow |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| reply to Quex
said by Quex :F-Prot nailed it, despite its failure to detect anything in the jotti screenshot. F-prot is detecting this worm heuristically; perhaps Jotti has heuristics turned off on F-prot.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs:
| reply to lol2004
what do i do with that stupid .dat |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs: | reply to lol2004
i did it mcafee send me this file it worked dat installed it scanning for that stupid virus |
|
RedXII1234
Premium,Mod
join:2001-02-26
localhost
edit:
May 16th, @08:21PM
| Does McAfee have a writeup of the virus? And the name too. |
|
lol2004
i have a screen shot of Leopard
join:2004-04-22
Fargo, ND
clubs: | reply to lol2004
w32/sdbot.worm.gen.bh
it doesnt have write out yet i think |
|
RedXII1234
Premium,Mod
join:2001-02-26
localhost
Host:
/dev/null
Broadband Tweaks
ISDN
Fiber Optic
AOL Broadband
| I tracked the virus using RegMon. It does a major traverse of the registry. I only found the following to be edited by the file (keep in mind this log was done under a limited account):
687 4.64690685 untitled.jpg.ex:1960 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS BD 44 69 7E 34 27 02 7E ...
I have no clue what that does, however.
Also, it created up to 3000 or more new files in the Windows directory. I am unable to find where exactly in the Windows folders these files are stored. If I find out then I will post. These files were not created when I ran it under a limited account.
--
Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Windows Security Blog |
|
HA Nut
Premium
join:2004-05-13
USA | reply to lol2004
As of 8am CDT in the US, NOD32, PC-cillin and Vet still do not detect this virus. (These are the AV's we use at work.) Hopefully soon... |
|
mboy
Premium
join:2001-04-13
Little Falls, NJ
edit:
May 17th, @04:20PM
| reply to lol2004
Kav nail'd it as did Panda. |
|
