PowWeb Forums - The Perfect Community for the Perfect Host  

Old 10-1-02, 09:38 PM   #1
MarkHutch
 
Join Date: Feb 2002
Location: Waco, Tx Usa
Posts: 581
Reputation: 5
New Virus - Nasty Like Klez

Here's a new virus that's just been upgraded via Norton. We got a few copies of this one today. Scanner stopped them, but it might be a good time to upgrade your definitions.

New Virus
Old 10-2-02, 09:14 AM   #2
teamantivir
Living at command prompt
 
Join Date: Feb 2002
Posts: 157
Reputation: 5
Mark,

There are two really nasty ones going around: W32/Bugbear and w32/OPASOFT.A. In both cases, all the major and most minor vendors have detection out as of yesterday. Key is to keep your Anti-Virus software up-to-date and follow some simple safe hex procedures, and you will be safe.
__________________
Kenneth L, Bechtel, II
Team Anti-Virus
PGP Footprint: 969E 2A27 3042 EE52 AEFB 6FF0 2711 9467 D38C 5C0F
Old 10-2-02, 09:54 AM   #3
paulselhi
Cockney Red
 
Join Date: Feb 2002
Location: London UK
Posts: 2,875
Reputation: 15
stealth

if a virus gets in before you have updated your defs can it do its nasties then clean itself out and leave nasties behind, so that when you update and scan it is not seen?

if so how would you go about detecting this, would you see the damage from a scan showing a file has changed?

and what if the nasty leaves a bat file or exe file that are not viruses as such but do naughty things, these won't usually show up as a virus will they?
__________________
Paul Selhi
Colorize Your Black and White Images
www.black-and-white-to-color.com
Old 10-2-02, 02:34 PM   #4
MarkHutch
 
Join Date: Feb 2002
Location: Waco, Tx Usa
Posts: 581
Reputation: 5
Usually the anti-virus software companies know which files are created and left behind on any virus. It's best to keep your definitions up to date and not get one in the first place, but if you do, new definitions should detect the virus and get rid of it.

Also, Norton has a feature called Bloodhound. If enabled, it checks computer code looking for viruses that may not yet be in the definitions. Most viruses have similar type of activity and this feature looks for that activity and warns you if a program seems to be up to no good. I have this feature set as high as it goes.
Old 10-2-02, 06:27 PM   #5
teamantivir
Living at command prompt
 
Join Date: Feb 2002
Posts: 157
Reputation: 5
Re: stealth

Quote:
Originally posted by paulselhi
if a virus gets in before you have updated your defs can it do its nasties then clean itself out and leave nasties behind, so that when you update and scan it is not seen?

if so how would you go about detecting this, would you see the damage from a scan showing a file has changed?

and what if the nasty leaves a bat file or exe file that are not viruses as such but do naughty things, these won't usually show up as a virus will they?

The best thing to do after an infection is to boot off a known clean boot disk (CD or Diskette) then run a full virus scan on every file on the machine, and then, once cleaned, scan all files on any network drives. Of course the best is a full restore from a known clean backup, but realism is that most people don't have backups.
__________________
Kenneth L, Bechtel, II
Team Anti-Virus
PGP Footprint: 969E 2A27 3042 EE52 AEFB 6FF0 2711 9467 D38C 5C0F
Old 10-2-02, 06:42 PM   #6
paulselhi
Cockney Red
 
Join Date: Feb 2002
Location: London UK
Posts: 2,875
Reputation: 15
backups

of course i have backups

there they are on top of the fireplace, under the magnets next to the window in the sun lounge
__________________
Paul Selhi
Colorize Your Black and White Images
www.black-and-white-to-color.com
Old 10-2-02, 10:47 PM   #7
(jj)
 
Join Date: Feb 2002
Location: n/a
Posts: 7,279
Reputation: 202
? teamantivir ?

Teamantivir,

Whatever happened to the old way of having a clean boot disk that could also have a small AV program to clean the boot sector of a hard drive?

I may be too far back in time with my thinking, but I think that there could still be such a program that did not require a CD or massive space to help remove viri from an infected system.

I know that virus definitions have grown so large that a complete set would be too much for a single floppy, but would you need a complete definition database of ALL viri?

Just random thoughts and wonderments
__________________
If silence is golden, then I must be worth million$

(jj)
Jack
(jj)'s Playground
Old 10-3-02, 08:05 AM   #8
paulselhi
Cockney Red
 
Join Date: Feb 2002
Location: London UK
Posts: 2,875
Reputation: 15
yet again the yanks save us at the last moment

thanks guys, just updated my defs last night and caught the bugbear this morning. I have it in a bottle and am about to drop a couple of really mean spiders in
__________________
Paul Selhi
Colorize Your Black and White Images
www.black-and-white-to-color.com

Last edited by paulselhi : 10-3-02 at 08:08 AM.
Old 10-3-02, 08:54 AM   #9
teamantivir
Living at command prompt
 
Join Date: Feb 2002
Posts: 157
Reputation: 5
Re: ? teamantivir ?

Quote:
Originally posted by (jj)

Whatever happened to the old way of having a clean boot disk that could also have a small AV program to clean the boot sector of a hard drive?

I may be too far back in time with my thinking, but I think that there could still be such a program that did not require a CD or massive space to help remove viri from an infected system.

I know that virus definitions have grown so large that a complete set would be too much for a single floppy, but would you need a complete definition database of ALL viri?

Just random thoughts and wonderments

As you pointed out, the virus databases have grown so large that it's impossible to put them on diskette. However, there are several companies (NAI and F-Prot come to mind) that have either a scaled-down set of signatures or a manner to scale them down so they can fit on a single floppy. In this case both scan only the critical system areas and files; they do not look for Macro and some script files. Another company, Command Software, has a Linux CD with a Linux Scanner that can do most Windows machines. This may be the path of the future.

This was one of the discussions we had in New Orleans last week. One researcher predicted that some signature databases would be 10M by the end of 2003, which strengthens my position that the current vendors HAVE to do something to improve performance.
__________________
Kenneth L, Bechtel, II
Team Anti-Virus
PGP Footprint: 969E 2A27 3042 EE52 AEFB 6FF0 2711 9467 D38C 5C0F
Old 10-3-02, 08:56 AM   #10
teamantivir
Living at command prompt
 
Join Date: Feb 2002
Posts: 157
Reputation: 5
Re: yet again the yanks save us at the last moment

Quote:
Originally posted by paulselhi
thanks guys, just updated my defs last night and caught the bugbear this morning. I have it in a bottle and am about to drop a couple of really mean spiders in

If you haven't gotten rid of it, I know we're all still trying to get a handle on it, we're looking to see if it mutates or not, have you sent it to any of the AV vendors? Virus_research@nai.com, support@sophos.com, or even mine vsample@teamanti-virus.org will make sure the sample gets to all the industry researchers. This could be a big help. Thanks.
__________________
Kenneth L, Bechtel, II
Team Anti-Virus
PGP Footprint: 969E 2A27 3042 EE52 AEFB 6FF0 2711 9467 D38C 5C0F
Old 10-3-02, 09:03 AM   #11
paulselhi
Cockney Red
 
Join Date: Feb 2002
Location: London UK
Posts: 2,875
Reputation: 15
Sorry

I killed it; if I get another I'll quarantine it and let you know

nav 4.04 spotted it
__________________
Paul Selhi
Colorize Your Black and White Images
www.black-and-white-to-color.com
All times are GMT -4.