Watch Out for New Virus

"price"

5:36 pm on Aug 9, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


We've seen a rapid spread of a new virus that Symantec/Norton isn't stopping (yet). It may have "price" in the message body and an attachment called "price.exe". It looks like a Bagle variant, but I'm no expert.

The sender address is spoofed, so users should be cautioned to open NO attachments they aren't expecting, even from people they trust.

5:42 pm on Aug 9, 2004 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


While we are on the subject... apparently, from some of the more recent call-outs I have had to deal with (CD trays going wiggy and "possessed"), NetBus (client-side control) has been discovered by a new generation of kiddies... I think BO did this as well?

What is the target (apart from Doze in general) of Price, rogerd?

5:47 pm on Aug 9, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


Target? I don't know, Leosghost, but I can forward one for you to open & find out... ;)

I'm guessing it's similar to the Bagle: [software.silicon.com...]

6:20 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member txbakers is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Sept 1, 2001
posts:4392
votes: 0


I received it in a "zip" file, something like "newprice.zip", which I immediately deleted.

Nasty stuff.

6:39 pm on Aug 9, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


[isc.sans.org...]

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

Nice catch Roger.
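The indicators quoted from SANS in the post above (no Subject, body text of just "price" or "new price", an attachment named price2.zip, new__price.zip or 08_price.zip with the executable inside) are enough to write a mail-gateway triage check. The Python below is an added example and is not code from the thread or from SANS: the messages it builds are constructed test data, the "price.exe" inside the zip is a dummy byte string rather than the worm, and the "any name containing price ending in .zip" pattern and the three-indicator threshold are assumptions, not something SANS or the thread states.

```python
"""Triage mail for the 'price' worm indicators quoted from SANS above.

Added example, not from the thread or SANS. Indicators used:
  - empty/missing Subject
  - body text exactly 'price' or 'new price'
  - attachment named like price2.zip / new__price.zip / 08_price.zip
  - that zip containing an .exe
Sample messages are constructed here; the 'exe' inside is dummy bytes.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: any name containing 'price' and ending in .zip is worth a look.
ATTACH_RE = re.compile(r"price[^/\\]*\.zip$", re.IGNORECASE)
BODY_TEXTS = {"price", "new price"}
SUSPICIOUS_AT = 3  # assumption: three independent indicators -> quarantine


def analyze(raw: bytes) -> dict:
    """Return the matched indicators and a quarantine verdict for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODY_TEXTS:
        hits.append("body-price")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACH_RE.search(name):
            continue
        hits.append(f"attachment-name:{name}")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                exes = [n for n in zf.namelist() if n.lower().endswith(".exe")]
        except zipfile.BadZipFile:
            exes = []  # not a zip at all; the name hit is still recorded above
        if exes:
            hits.append("zip-contains-exe:" + ",".join(exes))
    return {"hits": hits, "suspicious": len(hits) >= SUSPICIOUS_AT}


def build_sample(subject, body_text, attach_name, inner_name) -> bytes:
    """Construct a test message; the From: address is made up (spoofed in the wild)."""
    msg = EmailMessage()
    msg["From"] = "merchant@example.com"
    msg["To"] = "affiliate@example.net"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body_text)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ dummy bytes - constructed, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm = build_sample(None, "new price", "new__price.zip", "price.exe")
    benign = build_sample("Q3 price list", "Updated price list attached.",
                          "pricelist_2004.zip", "pricelist.csv")
    for label, raw in (("worm", worm), ("benign", benign)):
        print(label, analyze(raw))
```

The benign sample trips only the attachment-name indicator (a real price list can legitimately be called pricelist.zip), which is why the verdict needs several independent hits rather than the filename alone; the zip is opened in memory and only its directory listing is read, so the check never executes anything.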

7:31 pm on Aug 9, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


More info from SANS:

The virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

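
The two host indicators in this post (the file C:\WINDOWS\System32\WINdirect.exe and a Run entry named win_upd2.exe under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) can be checked on a suspect machine the same way. The Python below is an added example, not code from the thread or from SANS. It reads the Run key with the standard-library winreg module when run on Windows and otherwise takes exported entries, so the matching logic can be exercised anywhere. It assumes win_upd2.exe is the Run value name and that the value's command line points at WINdirect.exe (the post does not say which is which, so both are matched), and the entries at the bottom are constructed.

```python
r"""Check a Windows host for the 'price' worm indicators SANS gave above.

Added example, not from the thread or SANS. Indicators:
  - file C:\WINDOWS\System32\WINdirect.exe
  - a value named win_upd2.exe under
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Assumption: win_upd2.exe is the Run value *name* and its data is the
command line that launches WINdirect.exe; both are matched so either
reading of the SANS note is caught. Sample entries below are constructed.
"""
import ntpath
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "win_upd2.exe"
IOC_FILE = r"C:\WINDOWS\System32\WINdirect.exe"
IOC_BINARY = "windirect.exe"


def collect_run_entries() -> dict:
    """Read the HKLM Run key as {value name: command line}; {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            entries[name] = str(data)
            index += 1
    return entries


def _exe_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run value: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def match_iocs(run_entries: dict, file_exists=os.path.exists) -> list:
    """Return the indicators present; an empty list means nothing matched."""
    findings = []
    for name, cmd in run_entries.items():
        if name.lower() == IOC_RUN_VALUE:
            findings.append(f"run-value-name:{name}")
        exe = _exe_from_command(cmd)
        # ntpath so Windows-style paths split correctly on any platform
        if ntpath.basename(exe).lower() == IOC_BINARY:
            findings.append(f"run-value-target:{name}={exe}")
    if file_exists(IOC_FILE):
        findings.append(f"file:{IOC_FILE}")
    return findings


if __name__ == "__main__":
    # Live host on Windows, constructed entries anywhere else.
    entries = collect_run_entries() or {
        "win_upd2.exe": r'"C:\WINDOWS\System32\WINdirect.exe"',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    }
    for finding in match_iocs(entries):
        print("IOC hit:", finding)
```

Matching on both the value name and the basename of the launched binary means a renamed Run value still gets caught as long as it starts WINdirect.exe; a Run value that is present but whose target file has already been removed is also reported, which is the usual state after a partial clean-up.
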
8:18 pm on Aug 9, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


Still not much out there, but eWeek is reporting that some users are being inundated by the worm: [eweek.com...]

McAfee now calls it a medium threat, but it doesn't seem to be on the radar at Symantec yet.

8:49 pm on Aug 9, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 1, 2004
posts:190
votes: 0


My McAfee updated itself about 5 minutes ago with a definition of it.

8:55 pm on Aug 9, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 22, 2002
posts:403
votes: 0


Received several dozen this afternoon, it's certainly taking off.

8:58 pm on Aug 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Mar 7, 2004
posts:285
votes: 0


Yeah, this one is going fast - received about 50 in the last few hours. This one's going for a real minimalist look to it...

9:02 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2003
posts:2355
votes: 0


According to Full Disclosure, this is another Bagle variant, so expect updated defs from all vendors in a few hours.

<edit>
In fact, defs are out:

[sophos.com...]
</edit>

9:04 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 20, 2004
posts:1475
votes: 0


Edited because we just said the same thing! (Beat me to it...)
:)

9:28 pm on Aug 9, 2004 (gmt 0)

New User

10+ Year Member

joined:June 24, 2004
posts:30
votes: 0


Our e-mail virus scanner has blocked every instance. "We are quite safe from their pathetic insignificant virus rebellion."

9:49 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 17, 2002
posts:2251
votes: 0


AVG has a critical update for it too. Thanks for the heads-up.

10:12 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 25, 2003
posts:896
votes: 1


I've received it all day, with the attachment price.zip

10:14 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 8, 2003
posts:1141
votes: 0


Yup. Had several of them in my mail today, now in my paper basket.

Oh, these viruses nowadays suck. I remember the first virus I ever had on my PC; it seems like decades ago. It was called the Stoned Virus. And every time the PC started it said something like: "Your PC is now stoned. Legalize Marijuana!"

At least it had some message... Ah the good old times...

10:31 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 8, 2003
posts:1141
votes: 0


Ha! just found it on Symantec. (Stoned Virus)

[securityresponse.symantec.com...]

They still have it there. 1987... Oh god, I'm getting old.

(Sorry for getting a little off topic...)

10:34 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 5, 2001
posts:2723
votes: 0


lol, our clients are loving this one.

10:48 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 30, 2003
posts:1067
votes: 0


Had one too. When are the big AVs catching up? Hope tonight.

11:19 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 19, 2003
posts:1747
votes: 0


Haven't received it either at home or at work - at work is a real surprise considering....

11:36 pm on Aug 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 18, 2002
posts:2283
votes: 3


So, is it just me, or do you think that this could be targeted at affiliates?

The reason I ask is because my affiliate email address that I use to communicate with merchants is getting hammered by this, some looking like it came from the merchant, and, hmmm.. price.exe or variation would be something that an affiliate might want to open. Then again, it could be just strange luck that only the affiliate address has been hit.

12:01 am on Aug 10, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


I don't think there's any affiliate spin on this, hannymyluv. The earliest copies I saw came via a political organization, and then I began seeing them from other random sources. Kind of the luck o' the address book.

incall

12:19 am on Aug 10, 2004 (gmt 0)

Inactive Member
Account Expired



I got this email and opened the folder... but I didn't touch the exe file... hopefully that didn't do anything to my computer.

6:53 am on Aug 10, 2004 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11317
votes: 167


Norton has a new LiveUpdate virus definitions file dated today. It's getting to be a pretty large file.