ThreatSense strikes against new outbreaks, detection by signatures has been added to update 1.1270:

Number of a variant of Win32/Bagle worm in 2005-11-01:
2005-11-01 22 : 4137
2005-11-01 21 : 1959
2005-11-01 20 : 3434
2005-11-01 19 : 2354
2005-11-01 18 : 1438
2005-11-01 17 : 407
2005-11-01 16 : 0

Number of a variant of Win32/Mytob worm in 2005-11-01:
2005-11-01 22 : 50
2005-11-01 21 : 23
2005-11-01 20 : 7
2005-11-01 19 : 2
2005-11-01 18 : 0
I'm just getting more and more satisfied with my purchase of NOD32. Its heuristics kick ass, support is priceless and the program itself is working like a charm. It's all good. Thanks for the info Marcos.
At 7am NOD32 was updated (NOD32 - 1.1270 (20051101)), and it contains the following updates: "Win32/Bagle.DC, Win32/Bagle.DD, Win32/Maslan.D". At 10am I receive email "sms_text.zm9 > ZIP > t_535475.exe - Win32/Bagle.DC worm". Yeah, I am a lucky bastard (not really, but thanks to NOD32).
Another one imminent, but this downloader shouldn't work on most systems.

Number of probably unknown NewHeur_PE virus in 2005-11-02:
2005-11-02 14 : 989
2005-11-02 13 : 995
2005-11-02 12 : 0
File: Health_and_knowledge.vzip
MD5: ce72c528291a863b037161e70b9c162b
Packers detected: -

Scanner results:
AntiVir: Found nothing
ArcaVir: Found Worm.Beagle.CZ6
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Downloader.Bagle.H
ClamAV: Found Worm.Bagle.CA-1
Dr.Web: Found Win32.HLLM.Beagle.38912
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Email-Worm.Win32.Bagle.eb
NOD32: Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control: Found Sandbox: W32/Malware;
  [ General information ]
  * File length: 9675 bytes.
  [ Changes to filesystem ]
  * Creates file C:\WINDOWS\SYSTEM\hloader_exe.exe.
  * Creates file C:\WINDOWS\SYSTEM\hleader_dll.dll.
  [ Changes to registry ]
  * Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
  * Creates value "auto__hloader__key"="C:\WINDOWS\SYSTEM\hloader_exe.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
  [ Process/window information ]
  * Will automatically restart after boot (I'll be back...).
  * Enumerates running processes.
  * Modifies other process memory.
  * Creates a remote thread.
UNA: Found nothing
VBA32: Found Email-Worm.Bagle.22 (paranoid heuristics) (probable variant)
Yep, there're a lot of new Bagle versions today. So far all nailed by heuristics, both the dropper (executable) and the downloader (DLL) components from all new Bagle versions. We've just updated to proper names right now. Bagle.DG is the latest so far - but more to expect today.
By the way - "good" news: the latest Bagle downloader will most likely not work. The malware author uses a PUSH/RET trick to avoid a so-called "Get Delta" function. Well, since the DLL image base might change depending on the host system, this trick does actually only work with PE executables and not with dynamic link libraries. The DLL code is always reloaded during runtime (attach-to-DLL request) into different memory addresses – therefore this virtual push address would be incorrect and the file might not initialize during the DLL loading process. This downloader DLL will most likely "kill" every explorer process after code injection because of this "bug".
And more fun for you - how the typical spreading of a worm looks. Those two peaks are very typical. If you are able to give the correct answer why every epidemic looks like this, you just won a free beer (first correct answer only may apply). Times are in GMT+1 to help you a bit... Happy Byte is excluded from participation...
By the way, I'm still angry with you because you tricked me into this stupid electro-shock tank game - my right hand is still under shock.
OK, I'll give it a guess:
1st peak - U.S. users as they get home from work and check their email
1st dip after peak - Saturation as fewer machines are found to be infectable
2nd peak - Asia/Pacific Rim users get online
Sharp drop at end - Defs are deployed by AV vendors or patches are applied
Jack
No no no, GMT+1 is mentioned, which means it is European time.... Knowing that company networks are better protected than home computers, the first peak is Europeans coming home from work and booting their computers. The first drop is when they shut down for the night. In the meantime US users started to return home from work, booting up their computers... The second drop is the result of shutting down US computers together with the release of AV updates. Just my guess. Ciao, Itsme
1st peak is Eastern Europe, 2nd is USA, final peak is Asia. My guess, and I don't drink beer, so it will have to be a tub of KAHLUA Mudslide; coffee liqueur blended through lusciously creamy ice cream, swirled with a mudslide of thick chocolate fudge. Cheers
OK, since people have already used the "coming home from work" explanation, I will try another one. I still want to be eligible for the prize. The first peak is an initial round of infection. Some of these people stop the worm in time, but other people don't. The people who do not stop this worm spread it around some more. This accounts for the bigger second peak. Eventually, antivirus programs are updated and step in, stopping the virus after the second peak.
Is it because the virus "author" has released one strain as a test, signatures are updated and the first drop in infection rate occurs - next the author modifies the strain for a better infection means using the knowledge from the first round - ergo, they infect more, and the big die-off occurs when AV providers have a generic signature to catch the "class" of threat...?
Well, at least you were not shot at while standing in the door as you did to me. And your tank was bigger than mine too..
But my tank doesn't give electro shocks to people. It's only protecting our office room here from people who are trying to trick other people into electro-shock tank games. Just come again into my office - we've many bullets to spare! I can also launch the ground-to-ground missiles, it smells then a bit in the office, but who cares?
BTW, do you have any picture of your "eine sehr aber sehr kleine Panzerkollone" consisting of 1 tank? ROTFL
Another new one:

Number of probably unknown NewHeur_PE virus in 2005-11-03:
2005-11-03 13 : 1785
2005-11-03 12 : 1888
2005-11-03 11 : 0