Re: New Virus?

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 06/29/05

  • Next message: Hayden Searle: "FW: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website"
    Date: Wed, 29 Jun 2005 01:52:19 +0200
    To: security-basics@securityfocus.com
    
    

    On 2005-06-27 Hamish Stanaway wrote:
    > I received a mysterious email this morning at 1728 GMT which had headers as
    > follows:
    [...]
    > As you can guess, I'm hamish1@webhosting.net.nz.
    > This email contained no text, only an attachment called legs.zip,
    > which Norton (fully updated to its latest version and data files) did
    > not detect any viruses in.
    > Within the legs.zip file there is a file called ds-rwe.exe - this
    > again was not detected as a virus.
    > My girlfriend thought she would be smart and ran ds-rwe.exe, which
    > gave me a memory overflow message for explorer.exe immediately.
    > Does anyone have any idea of what this might be, and also if it is a
    > virus that has already been identified? If not, I am willing to pass
    > it through to someone to take a look at in its zip format.

    The file names and headers don't mean much. I would suggest you test the
    (original) file on [1]. If that doesn't give any insight: send it to the
    AV vendor of your choice. Most of them provide an e-mail address for
    this purpose (Nick FitzGerald posts a list of them from time to time,
    e.g. [2]).

    HTH

    > Otherwise if the effects cannot be reversed, I am afraid I will have
    > to reformat this machine *sigh* NOT AGAIN :(

    Well, reinstalling is always your best (read as "safest") bet when
    dealing with compromised hosts. Sorry.

    focus-virus would have been a more appropriate list for this kind of
    request, BTW.

    [1] http://www.virustotal.com/
    [2] http://www.securityfocus.com/archive/100/366231

    Regards
    Ansgar Wiechers

    -- 
    "All vulnerabilities deserve a public fear period prior to patches
    becoming available."
    --Jason Coombs on Bugtraq
    
