Watch Out for New Virus
"price"
rogerd

Msg#: 6288 posted 5:36 pm on Aug 9, 2004 (gmt 0)

We've seen a rapid spread of a new virus that Symantec/Norton isn't stopping (yet). It may have "price" in the message body and an attachment called "price.exe". It looks like a Bagle variant, but I'm no expert.

The sender address is spoofed, so users should be cautioned to open NO attachments they aren't expecting, even from people they trust.

 

Leosghost

Msg#: 6288 posted 5:42 pm on Aug 9, 2004 (gmt 0)

While we are on the subject ... apparently from some of the more recent call outs I have had to deal with CD trays going wiggy and "possessed" ... NetBus (client side control) has been discovered by a new generation of kiddies ... Think BO did this as well? ...

What is the target (apart from Doze in general of Price ... rogerd?)

rogerd

Msg#: 6288 posted 5:47 pm on Aug 9, 2004 (gmt 0)

Target? I don't know, Leosghost, but I can forward one for you to open & find out... ;)

I'm guessing it's similar to the Bagle: [software.silicon.com...]

txbakers

Msg#: 6288 posted 6:20 pm on Aug 9, 2004 (gmt 0)

I received it in a "zip" file something like "newprice.zip" which I immediately deleted.

Nasty stuff.

bakedjake

Msg#: 6288 posted 6:39 pm on Aug 9, 2004 (gmt 0)

[isc.sans.org...]

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

Nice catch Roger.
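
The indicators reported in the post above (no subject, a body of just 'price' or 'new price', and the listed attachment names) turned into a mail-gateway heuristic. This is an added example, not part of the thread; the regex generalizing the names, the two-signal threshold and all function names are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Names seen in this thread: price.exe, price.zip, price2.zip, newprice.zip,
# new__price.zip, 08_price.zip. The pattern generalizing them is an assumption.
ATTACH_RE = re.compile(r"^[a-z0-9_]{0,6}price[0-9_]{0,3}\.(zip|exe)$", re.I)
BODY_RE = re.compile(r"^\s*(new\s+)?price\s*$", re.I)

def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    reasons = []
    # The sender is spoofed, so From: is deliberately not used as a signal.
    if not (msg.get("Subject") or "").strip():
        reasons.append("empty subject")
    body_seen = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if ATTACH_RE.match(name.strip()):
                reasons.append("attachment name " + name)
        elif part.get_content_type() == "text/plain" and not body_seen:
            body_seen = True
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_RE.match(text):
                reasons.append("body is only 'price' / 'new price'")
    return len(reasons), reasons

def should_quarantine(raw, threshold=2):
    """Hypothetical policy: hold the message when two or more signals agree."""
    return score_message(raw)[0] >= threshold

def build_sample(subject, body, filename=None):
    """Construct a test message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(score_message(build_sample("", "price", "08_price.zip")))
    print(score_message(build_sample("Q3 list", "See attached.", "pricelist_2004.zip")))
```

Requiring two signals keeps an ordinary mail with a blank subject, or a legitimate attachment such as pricelist_2004.zip, out of quarantine.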

bakedjake

Msg#: 6288 posted 7:31 pm on Aug 9, 2004 (gmt 0)

More info from SANS:

The virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

rogerd

Msg#: 6288 posted 8:18 pm on Aug 9, 2004 (gmt 0)

Still not much out there, but eWeek is reporting that some users are being inundated by the worm: [eweek.com...]

McAfee now calls it a medium threat, but it doesn't seem to be on the radar at Symantec yet.

BReflection

Msg#: 6288 posted 8:49 pm on Aug 9, 2004 (gmt 0)

My McAfee updated itself about 5 minutes ago with a definition of it.

AmericanBulldog

Msg#: 6288 posted 8:55 pm on Aug 9, 2004 (gmt 0)

Received several dozen this afternoon, it's certainly taking off.

christopher w

Msg#: 6288 posted 8:58 pm on Aug 9, 2004 (gmt 0)

Yeah this one is going fast - received about 50 in the last few hours. This one's going for a real minimalist look to it...

bcolflesh

Msg#: 6288 posted 9:02 pm on Aug 9, 2004 (gmt 0)

According to Full Disclosure, this is another Bagle variant, so expect updated defs from all vendors in a few hours.

<edit>
In fact, defs are out:

[sophos.com...]
</edit>

StupidScript

Msg#: 6288 posted 9:04 pm on Aug 9, 2004 (gmt 0)

Edited because we just said the same thing! (Beat me to it...)
:)

nosense

Msg#: 6288 posted 9:28 pm on Aug 9, 2004 (gmt 0)

Our EMail Virus Scanner has blocked every instance, “We are quite safe from their pathetic insignificant virus rebellion.”

GaryK

Msg#: 6288 posted 9:49 pm on Aug 9, 2004 (gmt 0)

AVG has a critical update for it too. Thanks for the heads-up.

amythepoet

Msg#: 6288 posted 10:12 pm on Aug 9, 2004 (gmt 0)

I've received it all day, with the attachment price.zip

jecasc

Msg#: 6288 posted 10:14 pm on Aug 9, 2004 (gmt 0)

Youp. Had several of them in my mail today, now in my paperbasket.

Oh, these viruses nowadays suck. I remember the first virus I ever had on my PC; it seems like decades ago. It was called the Stoned Virus. And every time the PC started it said something like: "Your PC is now stoned. Legalize Marijuana!"

At least it had some message... Ah the good old times...

jecasc

Msg#: 6288 posted 10:31 pm on Aug 9, 2004 (gmt 0)

Ha! Just found it on Symantec. (Stoned Virus)

[securityresponse.symantec.com...]

They still have it there. 1987... Oh god, I'm getting old.

(Sorry for getting a little off topic...)

EliteWeb

Msg#: 6288 posted 10:34 pm on Aug 9, 2004 (gmt 0)

Lol, our clients are loving this one.

adfree

Msg#: 6288 posted 10:48 pm on Aug 9, 2004 (gmt 0)

Had one too, when are the big AVs catching up? Hope tonight.

vkaryl

Msg#: 6288 posted 11:19 pm on Aug 9, 2004 (gmt 0)

Haven't received it either at home or at work - at work is a real surprise considering....

hannamyluv

Msg#: 6288 posted 11:36 pm on Aug 9, 2004 (gmt 0)

So, is it just me, or do you think that this could be targeted at affiliates?

The reason I ask is because my affiliate email address that I use to communicate with merchants is getting hammered by this, some looking like it came from the merchant, and, hmmm.. price.exe or variation would be something that an affiliate might want to open. Then again, it could be just strange luck that only the affiliate address has been hit.

rogerd

Msg#: 6288 posted 12:01 am on Aug 10, 2004 (gmt 0)

I don't think there's any affiliate spin on this, hannamyluv. The earliest copies I saw came via a political organization, and then I began seeing them from other random sources. Kind of the luck o' the address book.

incall

Msg#: 6288 posted 12:19 am on Aug 10, 2004 (gmt 0)

I got this email and opened the folder... but I didn't touch the exe file... hopefully that didn't do anything to my computer.

Robert Charlton

Msg#: 6288 posted 6:53 am on Aug 10, 2004 (gmt 0)

Norton has a new LiveUpdate virus definitions file dated today. It's getting to be a pretty large file.
