mailing list archives
Re: New Virus?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 29 Jun 2005 01:52:19 +0200
On 2005-06-27 Hamish Stanaway wrote:
I recieved a mysterious email this morning at 1728 GMT which had headers as
As you can guess, I'm hamish1 () webhosting net nz
This email contained no text, only an attachment called legs.zip,
which Norton (fully updated to its' latest version and data files) did
not detect any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this
again was not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which
gave me a memory overflow message for explorer.exe immidiately.
Does anyone have any idea of what this might be, and also if it is a
virus that has already been identified? If not, I am willing to pass
it through to someone to take a look at in its' zip format.
The file names and headers don't mean much. I would suggest you test the
(original) file on . If that doesn't give any insight: send it to the
AV vendor of your choice. Most of them provide an e-mail address for
this pupose (Nick FitzGerald posts a list of them from time to time,
Otherwise if the effects cannot be reversed, I am afraid I will have
to reformat this machine *sigh* NOT AGAIN :(
Well, reinstalling is always your best (read as "safest") bet when
dealing with compromised hosts. Sorry.
focus-virus would have been a more appropriate list for this kind of
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq