Attention new worm ! W32/Rizalof.B.worm


Markus Weissbecker

This is not a hoax !

Yesterday I got a program on eMule and it was a virus. It was not detected
by NAV 2005 and the last virus update of 02/03/2006. As the Symantec site
was a little blocked and NAV was disabled, I made an online scan with Panda
Antivirus, which didn't detect this virus (now it does ;-)
I submitted the virus, and they told me it was a W32/Rizalof.B.worm (that's what
they called it).
I'd better have bought Panda than Norton ... ;-)

Below is the original of the mail, so you can detect and eliminate it.
Spread the word not the program ;-)

I hope this free ad will mean one year of subscription for Panda Antivirus
;-)
---
Dear client,

After analysing the message you sent to PandaLabs, we inform you that a new
malware was detected in it.

A Panda ActiveScan update, shortly available, will successfully detect and
delete this threat from your computer.

The file D:\eMule\Studio Mediasuite 10 Crack Patch Serial Keygen.exe belongs
to the worm W32/Rizalof.B.worm. Due to the nature of the file, it can only
be deleted.

The following advice will help you to eliminate the W32/Rizalof.B.worm and
protect yourself against it in future.

Visit our web page with information about the malware:

http://www.pandasoftware.com/virus_info/enc/overview.aspx?idvirus=110603

Follow the instructions on how to eliminate the malware:

http://www.pandasoftware.com/virus_info/enc/solution.aspx?idvirus=110603

If your computer has Windows Millennium or Windows XP installed, you can
find information to permanently remove all trace of the virus in the
following URL:

Windows Millennium

http://www.pandasoftware.com/support/card.aspx?id=17&IdIdioma=2

Windows XP

http://www.pandasoftware.com/support/card.aspx?id=18&IdIdioma=2



At http://www.pandasoftware.com/virus_info there is extensive information on
all malware detected by our antivirus, as well as the steps to take to
remove them from your system.

If you want more information on how to update your antivirus and the action
to take when new viruses appear, visit our Support pages at:
http://www.pandasoftware.com/support/. You will also find full information
and FAQs about your product.

We hope this answer has been helpful and do not hesitate to contact us
should you need any suspicious file analyzed in future.

If you do not have an antivirus program or you would like to receive
up-to-date information about the characteristics of our new products and
which types of malware each of them detects, we offer you the Panda
antivirus solution that best meets your needs.

http://www.pandasoftware.com/products

Best regards,

PandaLabs

mailto:[email protected]

Panda Software

Buenos Aires 12

48001 BILBAO - SPAIN

http://www.pandasoftware.com

Panda Software, a world leader in virus and intrusion prevention, presents
its new family of solutions. The new range of IT security products boasts a
series of outstanding technological innovations and caters for all clients,
from the largest corporations to home users. More information at:
http://www.pandasoftware.com/products

Protect yourself now against viruses and intrusions! Try our products, FREE!
at http://www.pandasoftware.com/downloads/
 

Virus Guy

Markus said:
The file
D:\eMule\Studio Mediasuite 10 Crack Patch Serial Keygen.exe
belongs to the worm W32/Rizalof.B.worm

Where did you get the file?

Can you isolate that file and:

1) post the file properties (the file created or modified date)

2) go to www.virustotal.com and submit that file and report
which AV software picks it up (and which doesn't).

I'm unable to locate that file (or anything like it) on the net.

Why would a file with that name be part of eMule?

I assume the file is purporting to be a hack or crack for Pinnacle
Mediasuite 10.

This touches on what we were talking about in another thread - how
vigilant is AV software when it comes to malware detection within hack
and crack files.
 

Gabriele Neukam

On that special day, Markus Weissbecker, ([email protected]) said...
I submit the Virus, they told me it was a W32/Rizalof.B.worm (that's what
they called it)

FYI: McAfee writes about it
"The trojan attempts to update itself if a new version is available at
rizalof.com"

This domain has a history in
http://www.joewein.de/sw/bl-log-2005-03-09.htm
(look for rizalof)

Or, in other words, the worm fetches its updates from a notorious
spammer domain, which has been active for a year. Very interesting.


Gabriele Neukam

(e-mail address removed)
 

Markus Weissbecker

I didn't know that. Anyway, Norton didn't detect this worm and still doesn't
(I kept the file). I searched for the program which attempted to access the
Internet and didn't find anything either ...
 

Markus Weissbecker

Virus Guy said:
Where did you get the file?

eMule

Can you isolate that file and:

1) post the file properties (the file created or modified date)

57,5 KB (58 880 bytes); file created when I downloaded it: 4th March

2) go to www.virustotal.com and submit that file and report
which AV software picks it up (and which doesn't).

I uploaded it. The virus/worm/backdoor, whatever it is, has several names:
Worm/IRCBot.NW.80, BackDoor.Generic2.LNJ, BackDoor.IRC.Gym,
Backdoor.Win32.IRCBot.NW, Win32/Agent.TV, W32/Ircbot.ACB, and
W32/Rizalof.B.worm.

Programs that detected it:
AntiVir, AVG, Avira, Dr Web, Ewido, Ikarus, Kaspersky, NOD32v2, Norman,
Panda, VBA32

The others don't.

I'm unable to locate that file (or anything like it) on the net.

Why would a file with that name be part of eMule?

It isn't.

I assume the file is purporting to be a hack or crack for Pinnacle
Mediasuite 10.

Right

This touches on what we were talking about in another thread - how
vigilant is AV software when it comes to malware detection within hack
and crack files.

Interesting, I will have a look at this thread, thank you.

Markus
 
