New Virus today? Lots of people getting Zip files

#1 Lateralus, 08-09-04, 01:22 PM

Anybody have problems with a virus today? I have had several people get a "price.zip" file in their email today. When you open the zip file it contains an HTML file and an EXE file; naturally, when you open the HTML file it calls the EXE file.

I tried scanning it with the latest Symantec and it did not pick up anything; however, when I scanned it with InoculateIT it did pick up a "JScript /IE. VM Exploit".

Anybody?

#2 Lateralus, 08-09-04, 01:43 PM
I think it is a new version of this little snuggle bug:

http://www3.ca.com/securityadvisor/v....aspx?id=39724

When executed, Win32.Glieder copies itself to the %System% directory as WINdirect.exe.

It also drops another component to %System%\_dll.exe (this file is 11,776 bytes in size). The DLL is injected into explorer.exe process space, so as to run under the guise of Explorer.

#3 matome, 08-09-04, 02:19 PM
Just got one too. McAfee detected it.

#4 Lateralus, 08-09-04, 02:24 PM
8/09/04 UPDATE: New Virus Detected

ISSUE: price.exe is a hidden file.

BRIEF DESCRIPTION: The price.exe (encased in the zip) is a hidden file. By default, Windows does not display hidden files and folders. This means some could receive the attachment, open it, see only an HTML file and be lulled into a false sense of security.

To change the default settings - which is highly recommended - do the following:

In Windows 95/98/NT, open Windows Explorer and select Tools | Folder Options. Click the View tab, select "Show all files" and deselect (uncheck) "Hide file extensions for known file types".

In Windows 2000/XP, open Windows Explorer and select Tools | Folder Options. Click the View tab, select "Show hidden files and folders" and deselect (uncheck) "Hide file extensions for known file types".

This will also prevent being duped by the standard double-extension ruse employed by so many email and file-sharing worms.

NEXT UPDATE: Updates anticipated.

Thank you.


08/09/04 VIRUS ALERT: New Virus Detected

ISSUE DETECTED: New virus detected.

BRIEF DESCRIPTION OF ISSUE: Email carrying the following attachment names is being seen in high numbers:

New_price.zip
Price_08.zip
Price2.zip
Newprice.zip
08_price.zip
Price.zip
New__price.zip
Price_new.zip

The zip includes two files, price.html and price.exe. When price.html is opened, it contains code to automatically launch the price.exe file.

McAfee has indicated that this may be Bagle.AQ.

From a packaging standpoint, it very closely resembles the Mimail worm.

At this time, neither an exact virus name nor a patch is available from any virus vendor.

Blocking can be done via MD5:
2A736876EB916A9D12B810DBBC32D0EC

or by blocking any of the aforementioned attachment names. File size is constant, 5.79 KB.

Note: when creating filename blocks in the content filter, please do not use wildcards. Wildcards are not supported by this feature and will not have the desired effect.

Additional information will be posted here on the news page as it becomes available.

NEXT UPDATE: Updates anticipated.

Thank you.

#5 X, 08-09-04, 02:26 PM
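The advisory above describes three things a mail gateway or desk-side responder can check without running anything: an exact (no-wildcard) attachment-name blocklist, the published MD5, and the zip's contents, where the executable carries the DOS hidden attribute so that a user who extracts it sees only the HTML file. The script below is an added example, not code from the advisory or from anyone in this thread. The attachment names and the MD5 are taken from the advisory; the zip it inspects is a constructed look-alike with dummy bytes (so its MD5 will not match the real one), and the extra executable extensions and function names are my own choices.

```python
"""Offline triage of a mail attachment against the indicators in the advisory (added example)."""
import hashlib
import io
import os
import zipfile

# Attachment names from the advisory. Matched exactly after case-folding; no wildcards,
# mirroring the content-filter note in the post.
BLOCKED_NAMES = {
    "new_price.zip", "price_08.zip", "price2.zip", "newprice.zip",
    "08_price.zip", "price.zip", "new__price.zip", "price_new.zip",
}
# MD5 published in the advisory, lower-cased for comparison.
BLOCKED_MD5 = {"2a736876eb916a9d12b810dbbc32d0ec"}
# .exe is the extension in the thread; the others are common additions (my assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}
# Hidden bit in the DOS attribute byte of a zip entry's external_attr field.
DOS_HIDDEN = 0x02


def triage_attachment(filename, data):
    """Return (should_block, reasons) for one attachment given its name and raw bytes."""
    reasons = []
    if filename.lower() in BLOCKED_NAMES:
        reasons.append("attachment name on blocklist")
    if hashlib.md5(data).hexdigest() in BLOCKED_MD5:
        reasons.append("MD5 on blocklist")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            exts = set()
            for info in zf.infolist():
                ext = os.path.splitext(info.filename)[1].lower()
                exts.add(ext)
                if ext in EXECUTABLE_EXTS:
                    # The advisory's point: the .exe is flagged hidden, so Explorer
                    # with default settings shows the user only the HTML file.
                    hidden = bool(info.external_attr & DOS_HIDDEN)
                    reasons.append(
                        "executable inside zip: " + info.filename
                        + (" (DOS hidden attribute set)" if hidden else "")
                    )
            if exts & {".html", ".htm"} and exts & EXECUTABLE_EXTS:
                reasons.append("HTML file paired with an executable (launcher pattern)")
    return bool(reasons), reasons


def build_sample_zip():
    """Constructed look-alike of the described attachment: price.html plus a hidden
    price.exe. The payload bytes are dummies, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", "<html><body>price list</body></html>")
        exe = zipfile.ZipInfo("price.exe")
        exe.external_attr = DOS_HIDDEN  # mark the entry hidden, as the advisory describes
        zf.writestr(exe, b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_benign_zip():
    """Constructed control case: a zip with only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("Price.zip", build_sample_zip()), ("report.zip", build_benign_zip())):
        block, why = triage_attachment(name, blob)
        print(name, "BLOCK" if block else "allow", why)
```

The name check is deliberately an exact set lookup rather than a pattern, which is what the advisory's "no wildcards" note asks of the content filter; the zip inspection catches renamed copies that the name and hash lists miss.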
Who opens attached zip files that they're not expecting?

#6 Lateralus, 08-09-04, 02:29 PM
Originally posted by X
Who opens attached zip files that they're not expecting?
Hopefully not very many people; even IE will block the ActiveX from running if somebody is dumb enough to double-click on it.

It's just amazing to me that it got so far: we have a company that scans our email before it hits our servers, and it blew right past Sophos, Trend Micro, Symantec, and right past our Symantec mail protection.

#7 Goblincat, 08-09-04, 02:58 PM
Originally posted by X
Who opens attached zip files that they're not expecting?
One guy from Product Repair and one guy from Marketing. It snuck right by Trend Micro ScanMail and Symantec Corporate AV. I'm dealing with the effects at this moment. This sucks.

#8 garolo, 08-09-04, 04:00 PM
Originally posted by X
Who opens attached zip files that they're not expecting?
It apparently looks innocent enough and appears to come from within one's intranet. We've had a few hits today but no one opened the attachment luckily.

#9 X, 08-09-04, 04:04 PM
Originally posted by Goblincat
One guy from Product Repair and one Guy from Marketing.
It's always Marketing or Sales, isn't it?

#10 Lateralus, 08-09-04, 05:29 PM
In a spoofing case like this, does it even spoof the Exchange server? When I go into my message tracking center in Exchange it says the email was from somebody on the intranet, but when I scanned her PC and looked for the virus I found nothing.

#11 Deftones, 08-09-04, 05:32 PM
Originally posted by X
Who opens attached zip files that they're not expecting?
An idiot at my work did too. I just got the email that they are working to fix it.

#12 dancinns, 08-09-04, 05:52 PM
I haven't had any calls about this... yet.

#13 mikehunt, 08-09-04, 07:43 PM
I just got the new price zip file
supposedly from [email protected]
no subject and no message text

#14 Lateralus, 08-09-04, 07:45 PM
Originally posted by mikehunt
I just got the new price zip file
supposedly from [email protected]
no subject and no message text
Delete the damn thing!


Symantec finally has the updates out now.

#15 Goblincat, 08-09-04, 08:03 PM
Originally posted by X
It's always Marketing or Sales, isn't it?
It just happened to be that the Marketing guy was expecting a price report from the guy the virus spoofed as the sender of the email. Once he executed it, his computer started sending mail all over the company. Another guy executed his, and both of their computers started bombing everyone on the network. We use Lotus Notes, so our address books are usually immune to these things, but not in this case.

To stop it all, I put a block on .zip attachments in email, read the headers on the bad emails to see who was sending them, pulled their Ethernet cables, sent out a company-wide warning, and did the manual fix from the McAfee site on the two offenders' computers.

Then I had to explain to the President of the company how Symantec and Trend Micro both failed us (rare occurrence).

#16 mikehunt, 08-09-04, 09:55 PM
I did, and would have regardless of this thread; just thought I'd share that I received it too.
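Two posts in this thread point at the same triage step: Goblincat reads the headers of the bad mails to find the machines that are actually sending, and Lateralus (#10) sees Exchange attribute a message to an intranet user whose PC turns out to be clean. The From line is whatever the worm chose to put there; the host that really handed the message to the mail server is recorded in the bottom-most Received header, which your own server wrote. The script below is an added example, not code from either poster, that walks the Received chain of a constructed message (hostnames, addresses and IPs are made up) and reports that originating host alongside the claimed sender.

```python
"""Find the real originating host of a mail with a spoofed From line (added example)."""
import email
import email.utils
import re

# Constructed sample: two internal hops, the From line naming a user who did not send it.
# Continuation lines of each Received header are indented, as in a real message.
SAMPLE_MESSAGE = """\
Received: from mailhub.example.internal (mailhub.example.internal [10.0.0.5])
    by mail.example.internal with ESMTP id abc123; Mon, 09 Aug 2004 14:02:11 -0400
Received: from workstation-17.example.internal (workstation-17.example.internal [10.0.3.17])
    by mailhub.example.internal with SMTP id def456; Mon, 09 Aug 2004 14:02:09 -0400
From: Jane Doe <jane.doe@example.internal>
To: everyone@example.internal

"""

# "from <host> (<comment>)": the comment normally holds the reverse-DNS name and [IP]
FROM_CLAUSE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(received_values):
    """Turn the list of Received header values (topmost first, as stored in the message)
    into a list of hops ordered earliest first, each a dict with host and ip."""
    hops = []
    for value in reversed(received_values):
        flat = " ".join(value.split())  # unfold continuation lines
        m = FROM_CLAUSE.search(flat)
        if not m:
            continue
        comment = m.group(2) or ""
        ip_match = BRACKETED_IP.search(comment)
        hops.append({"host": m.group(1), "ip": ip_match.group(1) if ip_match else None})
    return hops


def find_origin(raw_message):
    """Return the claimed From address, the earliest hop (the host to go and unplug),
    and the full hop list for one raw message."""
    msg = email.message_from_string(raw_message)
    claimed_from = email.utils.parseaddr(msg.get("From", ""))[1]
    hops = parse_hops(msg.get_all("Received") or [])
    return {
        "claimed_from": claimed_from,
        "origin": hops[0] if hops else None,
        "hops": hops,
    }


if __name__ == "__main__":
    result = find_origin(SAMPLE_MESSAGE)
    print("From line claims:", result["claimed_from"])
    print("Message entered the mail system from:", result["origin"])
```

Read the origin hop, not the From address, when deciding whose cable to pull: in the sample, the message claims to come from jane.doe but was injected by workstation-17 at 10.0.3.17. Received headers added by servers outside your control can be forged too, so the trustworthy part of the chain is the hops written by servers you administer.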

Originally posted by Lateralus
Delete the damn thing!


Symantec finally has the updates out now.

#17 Seeker, 08-09-04, 10:02 PM
Yep, I got one. It even made me wonder, as it spoofed the From as being from my spouse!

#18 Michael Corvin, 08-09-04, 10:04 PM
Hmm. Nothing on my G5.

#19 Seeker, 08-09-04, 10:07 PM
Originally posted by Michael Corvin
Hmm. Nothing on my G5.

Strange that. You'd think Macs would be first to get this, since they are so far ahead of everyone else.

#20 mikehunt, 08-09-04, 10:28 PM
Macs could still receive this; it just wouldn't run in most cases.

#21 Deftones, 08-09-04, 10:36 PM
I never get any cool viruses. Cox deletes them before they even get to my inbox.

#22 TheKobra, 08-09-04, 10:59 PM
Originally posted by X
Who opens attached zip files that they're not expecting?
There are a bunch of dumb people out there!

#23 ChiTownAbs, Inc, 08-10-04, 06:40 AM
I've been getting different zip files from people at cisco.com. (the address is spoofed of course)

Anybody else?

#24 AGuyNamedMike, 08-10-04, 07:26 AM
Originally posted by Michael Corvin
Hmm. Nothing on my G5.

It's all about market share. Teh h4xor5 are even writing attacks against linux. I guess the less than 4% of computer users that comprise the Apple community are just too few for them to bother with.

#25 kneijst1, 08-10-04, 09:09 AM
Dammit. At least one of our salesmen ran it, and the company next door I also support opened it up. Looks like I'll be playing cleanup today.