Home page logo
/

basics logo Security Basics mailing list archives

Re: New Virus?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 29 Jun 2005 01:52:19 +0200

On 2005-06-27 Hamish Stanaway wrote:
I recieved a mysterious email this morning at 1728 GMT which had headers as 
follows:
[...]
As you can guess, I'm hamish1 () webhosting net nz 
This email contained no text, only an attachment called legs.zip,
which Norton (fully updated to its' latest version and data files) did
not detect any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this
again was not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which
gave me a memory overflow message for explorer.exe immidiately.
Does anyone have any idea of what this might be, and also if it is a
virus that has already been identified? If not, I am willing to pass
it through to someone to take a look at in its' zip format.

The file names and headers don't mean much. I would suggest you test the
(original) file on [1]. If that doesn't give any insight: send it to the
AV vendor of your choice. Most of them provide an e-mail address for
this pupose (Nick FitzGerald posts a list of them from time to time,
e.g. [2]).

HTH

Otherwise if the effects cannot be reversed, I am afraid I will have
to reformat this machine *sigh* NOT AGAIN :(

Well, reinstalling is always your best (read as "safest") bet when
dealing with compromised hosts. Sorry.

focus-virus would have been a more appropriate list for this kind of
request, BTW.

[1] http://www.virustotal.com/
[2] http://www.securityfocus.com/archive/100/366231

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]