A new self-replicating Malware (Virus and Worm) attacks!!!

hanisimo

Dear Sir or Madam,

A new computer worm is attacking computers around the world. The
serious problem is that most antiviruses cannot detect & clean
it... also, a removal tool was not available on the Internet... another
serious problem presents itself when some current antiviruses detect this
virus as another kind of virus (Worm 32 family)... and usually these
antiviruses delete the whole infected file (exe & autorun.inf ... etc.)...

This virus infects computers, for instance by:

- Infecting the local hard disk drives & executable applications

- Carrying itself on a removable medium such as a floppy disk, CD, or
USB drive.

- Sending itself over a local network or the Internet. This virus can
spread to other computers by infecting files on a network file system
or a file system that is accessed by another computer.

- Adding keys into the Windows registry

This virus is a mixture between worm, virus and maybe Trojan; it is a
self-replicating computer program that attaches itself to existing
programs in the infected PC (modifies files on a targeted computer). It
is confused with computer worms. It can spread itself to other computers
without needing to be transferred as part of a host. And usually this
mixture of a computer worm and virus may be a Trojan horse too...

This virus blurs the line between viruses and worms (maybe Trojan
too); actually it is self-replicating Malware.

Description:
Nobody is sure yet about the name of this new virus... On Saturday, November
03, 2007 I submitted the virus exe file to "VirusTotal" (VirusTotal is
a service that analyzes suspicious files and facilitates the quick
detection of viruses, worms, Trojans, and all kinds of Malware
detected by antivirus engines) and I got these results:

Antivirus       Result
AVG             Worm/Generic.DKD
BitDefender     Win32.Worm.P2P.VBT
CAT-QuickHeal   Worm.AutoRun.tk
F-Secure        Virus.Win32.AutoRun.tk
Ikarus          Win32.Worm.P2P.VBT
Kaspersky       Virus.Win32.AutoRun.tk
Panda           Suspicious file
Sophos          W32/Dawin-A
VBA32           Virus.Win32.AutoRun.tk

The major antivirus engines give different names for this virus
(Malware); I think that means two things:

1- There is no specific name for this virus

2- Each antivirus engine handles this virus in a different way, and
does not detect the latest version of it (detects it as another kind
of virus - Worm 32 family)

Technical Details:

When executed, the virus drops a file / component (a copy of itself),
"KB915865.exe", on all physical drives. That includes all removable
drives too, such as flash disks. It creates the folder
"\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\" on the drives it affects, and
drops a copy of itself there as "KB915865.exe". This folder is set to Hidden
and System.

\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

Also it drops an AUTORUN.INF file to automatically execute the dropped
copies when the drives are accessed. The said file contains the
following strings:

[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell=Open
open=.

This virus creates registry entries to enable its automatic execution
at every system startup.

Platform:

This worm affects systems running on Windows 98, ME, NT, 2000, XP, and
Server 2003.

Solution:
I wrote a specific removal tool for this virus (e-nil! Virus Cleaner);
it is free and available on my blog:

http://www.e-nil.com/blogs/?page_id=32


For more information or details please do not hesitate to contact me.

Best regards and have a nice day,
Hani Simo
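The AUTORUN.INF and dropper-path indicators in the post above, turned into a small checker. This is an added example; it is not code from the original post and has nothing to do with the e-nil! tool. The sample autorun.inf text is constructed from the strings quoted in the post, and the folder and file names are the ones the post gives. The Hidden+System check relies on `st_file_attributes`, which Python only exposes on Windows; elsewhere it reports None.

```python
# Added example (not from the original post): checker for the AUTORUN.INF /
# KB915865.exe dropper pattern described above. Runs on any OS; only the
# Hidden+System attribute check is Windows-specific.
import os
import re
import shutil
import stat
import sys
import tempfile
from pathlib import Path

# Indicators quoted from the post above.
DROPPER_DIR = "MSOCache\\90000804-6000-11D3-8CFE-0150048383C9"
DROPPER_EXE = "KB915865.exe"

# [AutoRun] keys that make Explorer launch something when the drive is opened.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.*?)\s*$", re.I)

# Constructed sample, same content as the strings quoted in the post.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe .
shell=Open
open=.
"""


def parse_autorun(text):
    """Return (key, value) pairs of launch keys in the [AutoRun] section."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        m = _LAUNCH_KEY.match(line) if in_section else None
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def suspicious_targets(text):
    """Launch keys whose target is the dropper path named in the post."""
    hits = []
    for key, value in parse_autorun(text):
        parts = value.split()          # drop the trailing " ." argument
        exe = parts[0] if parts else ""
        # Normalise separators and case, strip a leading ".\" or "\".
        norm = exe.replace("/", "\\").lower().lstrip(".\\")
        if norm.endswith(DROPPER_EXE.lower()) and DROPPER_DIR.lower() in norm:
            hits.append((key, exe))
    return hits


def is_hidden_system(path):
    """True if path carries Hidden and System attributes; None off Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) and bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)


def scan_drive_root(root):
    """Look for the dropper file and a matching AUTORUN.INF under one drive root."""
    root, findings = Path(root), {}
    exe = root.joinpath(*DROPPER_DIR.split("\\")) / DROPPER_EXE
    if exe.is_file():
        findings["dropper_exe"] = str(exe)
        findings["hidden_system"] = is_hidden_system(exe.parent)
    try:                               # case-insensitive so it works on Linux mounts too
        children = list(root.iterdir())
    except OSError:
        children = []
    for child in children:
        if child.name.lower() == "autorun.inf" and child.is_file():
            hits = suspicious_targets(child.read_text(errors="replace"))
            if hits:
                findings["autorun_inf"] = str(child)
                findings["launch_targets"] = hits
            break
    return findings


def demo_in_tempdir():
    """Build a throw-away drive root carrying the indicators and scan it."""
    tmp = Path(tempfile.mkdtemp(prefix="autorun-demo-"))
    try:
        dropper_dir = tmp.joinpath(*DROPPER_DIR.split("\\"))
        dropper_dir.mkdir(parents=True)
        (dropper_dir / DROPPER_EXE).write_bytes(b"MZ placeholder, not a real binary")
        (tmp / "AUTORUN.INF").write_text(SAMPLE_AUTORUN_INF)
        return scan_drive_root(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    roots = sys.argv[1:] or [os.path.abspath(os.sep)]
    for r in roots:
        found = scan_drive_root(r)
        print(r, "->", found if found else "no indicators")
    print("self-test:", demo_in_tempdir())
```

Pass the drive roots you want checked as arguments (on Windows, for example `E:\ F:\`); with no arguments it checks the current drive root and then runs the self-test against a temporary copy of the indicators. Note that `shell=Open` and `open=.` on their own are not flagged: only the keys whose target resolves to the dropper path count, which keeps ordinary installer-CD autorun files out of the report.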
 
Malke

hanisimo said:
Dear Sir or Madam,

A new computer worm is attacking computers around the world. The
serious problem is that most antiviruses cannot detect & clean
it... also, a removal tool was not available on the Internet... another
serious problem presents itself when some current antiviruses detect this
virus as another kind of virus (Worm 32 family)... and usually these
antiviruses delete the whole infected file (exe & autorun.inf ... etc.)...

(snippage)

There's nothing new about this and there are tried and true ways of
removing the infection. Your tool might be 100% legitimate and excellent
but I wouldn't suggest that Windows users run an executable from an
unknown person. Please do not take this as an insult to your honor or
mad skilz; it is not meant that way at all.

You might want to post in one of the known specialty forums for fighting
malware to introduce yourself and your removal tool.

http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html


Malke
 
David B.

For all we know this cleaning app may contain more viri or malware.

--

----
Crosspost, do not multipost http://www.blakjak.demon.co.uk/mul_crss.htm
How to ask a question http://support.microsoft.com/kb/555375
_________________________________________________________________________________


Xandros said:
Thank you.

--

Xandros


hanisimo said:
Dear Sir or Madam,

A new computer worm is attacking the computers around the world, [snip]
Solution:
I wrote a specific removal tool for this virus (e-nil! Virus Cleaner),
it is free and available on my blog:

Best regards and have a nice day,
Hani Simo
 
Xandros

Well I just ran it and it does a lot of false reporting which makes it
malware to be certain!!!!!
--

Xandros


David B. said:
For all we know this cleaning app may contain more viri or malware.
[snip]
 
Xandros

Hey hanisimo. I take back me Thank you. I just ran your app and it is giving
off a ton of false reports! tsk, tsk, tsk
 
Poprivet

Xandros said:
Hey hanisimo. I take back me Thank you. I just ran your app and it is
giving off a ton of false reports! tsk, tsk, tsk

I hope you're not really surprised. I also hope it didn't drop a bunch of
other malware on your machine in the process; that's typical of these kinds
of spams.

NEVER, EVER, respond to, or click any link in any unsolicited e-mails, in
newsgroups or in your Inbox. It's a sure way to become infected eventually,
and to propagate personal information to anyone from a spammer to an
identification theft outfit. Spammers even know now how to handle common
address obfuscations such as *REMOVE* and pull an address out of it.
You'd be much better off switching to an impossible address such as
invalid.invalid.invalid or one of the many others offered by various web
sites for the purpose. Check my Headers for one of those if you're curious;
I don't want to spam it here.

The ONLY responses acceptable to spam are to delete it unread, or to submit
complaints about it to the relevant ISPs that originated it, but you have to
know how to parse for forged Headers to do that.

Pop`
 
Xandros

Poprivet said:
I hope you're not really surprised. I also hope it didn't drop a bunch of
other malware on your machine in the process; that's typical of these
kinds of spams.

NEVER, EVER, respond to, or click any link in any unsolicited e-mails, in
newsgroups or in your Inbox. It's a sure way to become infected
eventually, and to propagate personal information to anyone from a spammer
to an identification theft outfit. Spammers even know now how to handle
common address obfuscations such as *REMOVE* and pull an address out of
it.
You'd be much better off switching to an impossible address such as
invalid.invalid.invalid or one of the many others offered by various web
sites for the purpose. Check my Headers for one of those if you're
curious; I don't want to spam it here.

The ONLY responses acceptable to spam are to delete it unread, or to submit
complaints about it to the relevant ISPs that originated it, but you have
to know how to parse for forged Headers to do that.

Pop`


My arron.neus account is quite safe (erroneus) But thanks anyway.
 
hanisimo

Dear all,

Thanks Malke, Next time I will post in one of the known specialty
forums for fighting malware to introduce myself and my removal tool.
The URLs that you provided are very useful.

My removal tool does not contain viruses or malware; please feel free
to scan (check) it using any antivirus, and please use the original file
(http://www.e-nil.com/download/)

Dear Xandros, what do you mean by "false reporting"? Did you run it in
safe mode?

I am not a SPAMMER, I wanted to share my tool to stop the Malware that
infected my PC.

Sorry for the repetition ("multipost"), but when I created this removal
tool I was very excited & I wanted to share it ASAP.

I know I am an "unknown person", but that doesn't mean I cannot help
others!

Anyway Thanks all and have a nice day
Hani
 
Guest

When no one could tell me how to get rid of these fake trojans/malware, I
figured it out on my own, using a restore point. After that I do a manual
restore point now and then. When I get one of these things I just do a
restore and it's gone. Simple and an easy fix. Hey, it works.
 
David B.

Exactly, never trust any tools or utilities that appear out of the blue,
there are plenty of reviewed and known safe free tools out there to get the
job done, blindly trusting an app you've found on the web is a sure fire way
of making your problem worse.
 
Sam Hobbs

Do you provide the source code? For tools such as that, the source code is a
reasonable requirement.

Whether you provide the source code or not, you need to document the details
of what the program does, and provide as many references to recognized sites
as possible that explain what needs to be done in such a manner that
justifies what your program does.


hanisimo said:
Dear Sir or Madam,

A new computer worm is attacking the computers around the world, [snip]
Solution:
I wrote a specific removal tool for this virus (e-nil! Virus Cleaner),
it is free and available on my blog:

Best regards and have a nice day,
Hani Simo
 
