
Webmaster General Forum

    
Watch Out for New Virus
"price"
rogerd




msg:340891
 5:36 pm on Aug 9, 2004 (gmt 0)

We've seen a rapid spread of a new virus that Symantec/Norton isn't stopping (yet). It may have "price" in the message body and an attachment called "price.exe". It looks like a Bagle variant, but I'm no expert.

The sender address is spoofed, so users should be cautioned to open NO attachments they aren't expecting, even from people they trust.

 

Leosghost




msg:340892
 5:42 pm on Aug 9, 2004 (gmt 0)

while we are on the subject ..apparently from some of the more recent call outs I have had to deal with CD trays going wiggy and "possessed" ..net bus ( client side control ) has been discovered by a new generation of kiddies ...Think BO did this as well? ...

what is the target ( apart from Doze in general of Price ..rogerd? )

rogerd




msg:340893
 5:47 pm on Aug 9, 2004 (gmt 0)

Target? I don't know, Leosghost, but I can forward one for you to open & find out... ;)

I'm guessing it's similar to the Bagle: [software.silicon.com...]

txbakers




msg:340894
 6:20 pm on Aug 9, 2004 (gmt 0)

I received it in a "zip" file something like "newprice.zip" which I immediately deleted.

Nasty stuff.

bakedjake




msg:340895
 6:39 pm on Aug 9, 2004 (gmt 0)

[isc.sans.org...]

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

Nice catch Roger.
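A mail-gateway style check built from the indicators reported in this thread so far (no subject, a body of 'price' or 'new price', attachment names such as price.exe, price2.zip, new__price.zip and 08_price.zip). This is an added example, not part of any post here; the regular expressions, function names and sample message builder are constructed assumptions, and the name pattern is kept broad because other attachment names are likely.

```python
import re
from email.message import EmailMessage

# Names reported in the thread: price.exe, newprice.zip, price2.zip,
# new__price.zip, 08_price.zip. The pattern is an assumption that
# generalises them: anything ending in "...price<suffix>.zip/.exe".
ATTACH_RE = re.compile(r"^[\w-]*price\w*\.(zip|exe)$", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*(new\s+)?price\s*$", re.IGNORECASE)

def score_message(msg):
    """Return the thread's indicators that this message matches, in MIME order."""
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            # get_content() needs messages parsed with policy=email.policy.default
            if BODY_RE.match(part.get_content()):
                hits.append("body-text")
    return hits

def should_quarantine(msg):
    # The attachment name decides; the sender is ignored on purpose because
    # the From address on these mails is spoofed.
    return any(h.startswith("attachment:") for h in score_message(msg))

def build_sample(subject, body, filename=None):
    # Constructed sample message; the attachment bytes are harmless filler.
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"PK\x03\x04 filler", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m

if __name__ == "__main__":
    suspect = build_sample("", "price", "new__price.zip")
    print(score_message(suspect), should_quarantine(suspect))
```
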

bakedjake




msg:340896
 7:31 pm on Aug 9, 2004 (gmt 0)

More info from SANS:

the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

rogerd




msg:340897
 8:18 pm on Aug 9, 2004 (gmt 0)

Still not much out there, but eWeek is reporting that some users are being inundated by the worm: [eweek.com...]

McAfee now calls it a medium threat, but it doesn't seem to be on the radar at Symantec yet.

BReflection




msg:340898
 8:49 pm on Aug 9, 2004 (gmt 0)

My McAfee updated itself about 5 minutes ago with a definition of it.

AmericanBulldog




msg:340899
 8:55 pm on Aug 9, 2004 (gmt 0)

Received several dozen this afternoon, it's certainly taking off.

christopher w




msg:340900
 8:58 pm on Aug 9, 2004 (gmt 0)

Yeah this one is going fast - received about 50 in the last few hours. This one's going for a real minimalist look to it...

bcolflesh




msg:340901
 9:02 pm on Aug 9, 2004 (gmt 0)

According to Full Disclosure, this is another Bagle variant, so expect updated defs from all vendors in a few hours.

<edit>
In fact, defs are out:

[sophos.com...]
</edit>

StupidScript




msg:340902
 9:04 pm on Aug 9, 2004 (gmt 0)

Edited because we just said the same thing! (Beat me to it...)
:)

nosense




msg:340903
 9:28 pm on Aug 9, 2004 (gmt 0)

Our EMail Virus Scanner has blocked every instance, “We are quite safe from their pathetic insignificant virus rebellion.”

GaryK




msg:340904
 9:49 pm on Aug 9, 2004 (gmt 0)

AVG has a critical update for it too. Thanks for the heads-up.

amythepoet




msg:340905
 10:12 pm on Aug 9, 2004 (gmt 0)

I've received it all day, with the attachment price.zip

jecasc




msg:340906
 10:14 pm on Aug 9, 2004 (gmt 0)

Yup. Had several of them in my mail today, now in my paperbasket.

Oh, these viruses nowadays suck. I remember the first virus I ever had on my PC, it seems like decades ago. It was called the Stoned Virus. And every time the PC started it said something like: "Your PC is now stoned. Legalize Marijuana!"

At least it had some message... Ah the good old times...

jecasc




msg:340907
 10:31 pm on Aug 9, 2004 (gmt 0)

Ha! just found it on Symantec. (Stoned Virus)

[securityresponse.symantec.com...]

They still have it there. 1987... Oh god, I'm getting old.

(Sorry for getting a little off topic...)

EliteWeb




msg:340908
 10:34 pm on Aug 9, 2004 (gmt 0)

lol our clients are lovin' this one.

adfree




msg:340909
 10:48 pm on Aug 9, 2004 (gmt 0)

Had one too, when are the big AV's catching up? Hope tonight.

vkaryl




msg:340910
 11:19 pm on Aug 9, 2004 (gmt 0)

Haven't received it either at home or at work - at work is a real surprise considering....

hannamyluv




msg:340911
 11:36 pm on Aug 9, 2004 (gmt 0)

So, is it just me, or do you think that this could be targeted at affiliates?

The reason I ask is because my affiliate email address that I use to communicate with merchants is getting hammered by this, some looking like it came from the merchant, and, hmmm.. price.exe or variation would be something that an affiliate might want to open. Then again, it could be just strange luck that only the affiliate address has been hit.

rogerd




msg:340912
 12:01 am on Aug 10, 2004 (gmt 0)

I don't think there's any affiliate spin on this, hannamyluv. The earliest copies I saw came via a political organization, and then I began seeing them from other random sources. Kind of the luck o' the address book.

incall




msg:340913
 12:19 am on Aug 10, 2004 (gmt 0)

I got this email and opened the folder... but I didn't touch the exe file... hopefully that didn't do anything to my computer.

Robert Charlton




msg:340914
 6:53 am on Aug 10, 2004 (gmt 0)

Norton has a new LiveUpdate virus definitions file dated today. It's getting to be a pretty large file.
