Dialogues with AVs

Changeling


[When I had finished writing Win32.ZerNeboGus I sent it in an infected file to several AVs to be analysed. I was very curious about how they worked and what they would say about my little baby. Bob gave me the most interesting stuff and he also lied to me! Hey Bob, your scan string is really:

"Dedicated to all those who, yet, don't understand the PE format.
Win32.ZerNeboGus (c) 1999 by the Changeling"

Btw, what kind of scan-string is that?! And here's the extra.dat file he sent me (all hex now!):

2020353720313738203132392031373720203239202035312031393720323535
2020363520313033203136332031333520203631202031302031383720203232
0A20203239203231392031313420203730203136382031343820203430202032
3220313638203134362020343020203235203136382031303520323135202032
320A203136382020373120203935203138322020313320203939203230372020
3736202020322020363220203135203138322020313320203939203230372020
37360A2020203220203339202033302031383220313632202033352031343120
31373920313831202035320A353530302032353620202031303036372020484C
4C542E343039360A0A

I didn't manage to understand how this stuff really works, but maybe you will. Hint: Take a close look at 2020 and 2031 (maybe also 2032) and 0A... And yes, some AVs haven't reported back etc. and some of it is duplicated... I've just pasted it all together somehow... :( Anyway, have fun!

				the Changeling, Oct.99
				[email protected]]
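Decoding the extra.dat dump above, as an added example that is not part of the original post: the hex turns out to be ASCII text, and that text is rows of decimal byte values followed by a trailer line carrying the detection name; the byte-row/trailer split, the function names and the meaning of the three trailer numbers are my assumptions, not something the post states.

```python
# Added example, not from the original post: two-stage decode of extra.dat.
# Stage 1: the dump is hex of ASCII text (0x20 = space, 0x0A = newline,
# 0x31/0x32 = the digits '1'/'2' the hint points at).
# Stage 2: that text is rows of decimal byte values plus one trailer line.
# Treating number-only lines as byte rows is my reading of the format.

# The dump exactly as pasted in the post, rows joined without whitespace.
EXTRA_DAT_HEX = (
    "2020353720313738203132392031373720203239202035312031393720323535"
    "2020363520313033203136332031333520203631202031302031383720203232"
    "0A20203239203231392031313420203730203136382031343820203430202032"
    "3220313638203134362020343020203235203136382031303520323135202032"
    "320A203136382020373120203935203138322020313320203939203230372020"
    "3736202020322020363220203135203138322020313320203939203230372020"
    "37360A2020203220203339202033302031383220313632202033352031343120"
    "31373920313831202035320A353530302032353620202031303036372020484C"
    "4C542E343039360A0A"
)


def hex_to_text(hex_dump: str) -> str:
    """Stage 1: undo the hex encoding; whitespace between rows is ignored."""
    return bytes.fromhex("".join(hex_dump.split())).decode("ascii")


def parse_extra_dat(text: str):
    """Stage 2: a line made only of decimal values below 256 is a byte row;
    anything else (here '5500 256 10067 HLLT.4096') is kept as the trailer."""
    byte_rows, trailer = [], None
    for line in text.split("\n"):
        fields = line.split()
        if not fields:
            continue
        if all(f.isdigit() and int(f) < 256 for f in fields):
            byte_rows.append(bytes(int(f) for f in fields))
        else:
            trailer = fields
    return byte_rows, trailer


def decode_extra_dat(hex_dump: str = EXTRA_DAT_HEX):
    """Both stages; returns (signature bytes joined, trailer fields)."""
    rows, trailer = parse_extra_dat(hex_to_text(hex_dump))
    return b"".join(rows), trailer


if __name__ == "__main__":
    sig, trailer = decode_extra_dat()
    print(len(sig), "signature bytes; trailer:", " ".join(trailer))
```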
Date: Tue, 1 Jan 1980 02:25:32 +0100 (GMT+01:00)
Subject: A new virus?
From: [email protected]
To: [email protected]

Hi!

A few days ago I noticed how some files in my windows directory started 
to change size. But I'm not sure if this is a virus; may Windows do this?
Anyway, I'm sending you a file that has recently changed its size. Although 
I haven't noticed any 'strange' occurrences besides the file increases I 
fear this all may be the work of a virus.
The password of the zip file is "virus" (not the parenthesis). 
Will it be removable?

Thanks for your help

Anja Bache

============================
This message has 1 attachment(s)
============================

Date: Tue, 1 Jan 1980 02:14:40 +0100 (GMT+01:00)
Subject: New virus?
From: [email protected]
To: [email protected]

Hi!

Some days ago I discovered strange filesize increases in my windows directory. 
I'm not sure if this is a virus; may Windows do this?
Anyway, I'm sending you this file which has changed in size. I haven't noticed 
any other strange behaviours.

Thanks in advance for the help

Julie Summers

============================
This message has 1 attachment(s)
============================

Date: Tue, 1 Jan 1980 02:39:08 +0100 (GMT+01:00)
Subject: VIRUS RESEARCH NEEDS...
From: [email protected]
To: [email protected]

Hi!

Some days ago I watched in horror as more and more files in my windows directory 
started to change their size. I fear it's the work of a virus; Windows shouldn't 
do this, or? I haven't noticed any other 'strange' behaviours on my computer. 
My computer is really new, is it then possible that I got the virus from 
DELL (that's where I bought the computer)?
Anyway, I'm sending you an 'infected' file with the password INFECTED.

Thanks for your help

Natasha Winther

============================
This message has 1 attachment(s)
============================

Date: Mon, 27 Sep 1999 19:03:22 +0100 (GMT+02:00)
Subject: More W32/Bogus viruses?!
From: [email protected]
To: "Eirik Amundsen" <[email protected]>

Hi Eirik!

I've only found one other file in the windows directory that also has increased 
in size. It's the only directory I've looked in, so maybe the virus has spread 
to other parts of my computer?
The password of the zip file is "virus" (not the parenthesis).
Can the virus be removed? Is it dangerous?

Thanks for your help

Anja Bache


============================
This message has 1 attachment(s)
============================

Date: Fri, 24 Sep 1999 05:06:54 -0700
Subject: ** AVERT - attachment received AUTOREPLY **
From: Virus Research <[email protected]>
To: [email protected]

Thank you for sending your sample(s) to AVERT for analysis. While you are
waiting for a reply, you may want to check out our website for information,
which may provide the answer to your question, or information about your
problem. 
 
You can go to http://www.nai.com/asp_set/anti_virus/introduction/default.asp
<http://www.nai.com/asp_set/anti_virus/introduction/default.asp>  and visit
our web site. At this site you will find the latest DATS, and other helpful
information as well.
 
Warm regards,

AVERT
A Division of NAI Labs

Date: Fri, 24 Sep 1999 05:21:49 -0700
Subject: SARC Automation: Tracking #48558
From: [email protected]
To: [email protected]

This message is an automatically generated reply.  This system is designed 
to analyze and process virus submissions into the Symantec AntiVirus
Research Center (SARC) and cannot accept correspondence or inquiries. 
Please contact your Technical Support representative if more detailed 
information about your submission is required.  Do not reply to this
message.

Below is a status update on your virus submission:

Date: Fri Sep 24 05:21:49 PDT 1999
Tore Pinnaas
Dear Tore Pinnaas
Your submission has been received and is being processed.  Your tracking
number is in the subject line of this message.  You should refer to this
tracking number if you need to contact technical support.

Should you have any questions about your submission, please contact 
technical support at the appropriate number listed below and give them 
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by SARC automation.


Symantec worldwide technical support numbers
--------------------------------------------
USA           (+1)   541 465 8420
UK            (+44)  0171 616 5813
FRANCE        (+33)  1 64 53 80 63
GERMANY       (+49)  069 6641 0353
HOLLAND       (+31)  071 408 3952
SOUTH AFRICA  (+27)  11784 9856
SWEDEN        (+46)  8 735 5024
ITALY         (+39)  0 542 28062
SWITZERLAND   (+41)  12 12 1847
BELGIUM       (+32)  27 131 701
NORWAY        (+47)  23 05 33 30
DENMARK       (+45)  35 44 57 20
SPAIN         (+34)  9 1662 5255
AUSTRIA       (+43)  150 137 5023
AUSTRALIA     (+61)  2 9850 1050
HONG KONG     (+852) 2528 6206
KOREA         (+82)  2 3420 8650
MALAYSIA      (+60)  3 704 9273
NEW ZEALAND          0800 442 795
SINGAPORE     (+65)  239 2099
TAIWAN        (+886) 2 2739 6068


NOTE: This message contains decoded data which may not be readable with some
versions of HushMail.  The most current version of HushMail is accessible at
"http://www.hushmail.com/attachments".

Date: Fri, 24 Sep 1999 05:23:04 -0700
Subject: SARC Automation: Tracking #48558
From: [email protected]
To: [email protected]

This message is an automatically generated reply.  This system is designed 
to analyze and process virus submissions into the Symantec AntiVirus
Research Center (SARC) and cannot accept correspondence or inquiries. 
Please contact your Technical Support representative if more detailed 
information about your submission is required.  Do not reply to this
message.

Below is a status update on your virus submission:

Date: Fri Sep 24 05:23:04 PDT 1999
Tore Pinnaas
Dear Tore Pinnaas
We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:

filename: F:\Mlink32.exe
machine: TEST
result: This file is clean 

We have determined that no virus exists on the samples provided.

Developer notes:
F:\Mlink32.exe does not appear to be infected.


Should you have any questions about your submission, please contact 
technical support at the appropriate number listed below and give them 
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by SARC automation.



Date: Mon, 27 Sep 1999 09:23:23 +0100
Subject: Re: A new virus?
From: "Eirik Amundsen" <[email protected]>
To: [email protected]

Hi,

YES. This is an entirely new and unheard of Win32 infector, W32/Bogus. Can you
please send us more infected files?

Best,
Eirik Amundsen
Norman ASA


Get HushMail. The world's first free, fully encrypted, web-based email system.
Speak freely with HushMail.... http://www.hushmail.com


============================
This message has 1 attachment(s)
============================

Date: Mon, 27 Sep 1999 19:05:59 +0100
Subject: Re: More W32/Bogus viruses?!
From: "Eirik Amundsen" <[email protected]>
To: [email protected]

Hi,

The file is sent to Analysis. You will get feedback as soon as the analysis is
finished.

Eirik

Date: Mon, 27 Sep 1999 10:15:46 -0700
Subject: RE: A9924019 - VIRUS RESEARCH NEEDS...
From: Virus Research <[email protected]>
Reply-to: Virus Research <[email protected]>
To: "'[email protected]'" <[email protected]>

Dear Natasha,

Thank you for sending in your suspicious file, issue number A9924019 

I am forwarding the file to a Senior Virus Research Engineer for further
review.  We will get back to you once the researcher has completed the
evaluation.   

If you need additional assistance with your Network Associates product
please contact technical support at either 408-988-3832 or
[email protected]

Allysa Myers
Virus Research Analyst
AVERT - A division of NAI Labs
Network Associates, Inc.


Date: Tue, 28 Sep 1999 16:43:47 -0700
Subject: RE: A9924019 - VIRUS RESEARCH NEEDS...
From: "Krampetz, Bob" <[email protected]>
To: "'[email protected]'" <[email protected]>

Natasha:

      The program you sent us, NOTEPAD.EXE,  when run created another
      program by using the NOTEPAD.EXE that was on the test system (not
      the one you sent) and gave it the name of "ZerNeboGus.exe"

      Nothing else on the test system was altered.

      This is very unusual activity.   But it is not a virus,  nor harmful.

      The program you sent also has suspicious text inside it that though not
      displayed leads me to believe this is a trojan or a virus that can only run
      in a specific environment.   I've run this on W95 and W98 but cannot get
      any virus results other than the strange action described above.

      You do have a problem,  but what I find does not match what you
      describe.    If you can package several additional executables that
      you believe are infected,  and describe what release of windows you
      are running and anything additional 'strangeness'.    If you can recall
      any 'new programs' you downloaded and run before this started,  that
      may be the 'master virus' that we need to examine.

Bob Krampetz
Senior Anti-Virus Research Engineer
AVERT  -   Network Associates, inc.


Date: Thu, 30 Sep 1999 11:58:13 -0700
Subject: RE: A9924019 - VIRUS RESEARCH NEEDS...
From: "Krampetz, Bob" <[email protected]>
To: "'[email protected]'" <[email protected]>

Natasha:
 
After discussing and retesting the programs you sent,  two of us did manage
to get the virus to come out of its hiding.     It is a 'slow' infector that only
infects one file at a time (on our test system).   We managed to produce enough to
confirm that we understand enough to detect the virus mechanism.

The test string inside the file is:
 "to all those who, yet, don't understand the PE format.    1999 by the
Changeling" 

It is a very sloppy and buggy virus that will infect the first *.EXE program
found in the directory.  When that program was 'removed'  and the NOTEPAD run
again, the next *.EXE was infected.   We continued this until enough changes were
collected to create an analysis and detection.    But during this process,
most of the 'infected' programs were corrupted by the virus and the only
reasonable recovery is to replace the detected programs with their backup.

The virus moves 4096 bytes of the beginning of the infected .EXE to the end
of the file,  it then prepends itself to the beginning of the file.    It sometimes
prepends all hex zeros instead of itself,  it was also found to 'forget' to append
the original beginning of the infected program.    All in all a slow destructive and
amateurish attempt at virus writing.

Place the attached EXTRA.DAT in the same subdirectory that you keep your
other V4 DAT files and it will detect the virus as HLLT.4096.

Bob Krampetz
Senior Anti-Virus Research Engineer
AVERT  -   Network Associates, inc.

-----Original Message-----

Hi Bob!

> If you can package several additional executables
I've only seen one additional file that has increased in size, I'm including

it in the zipfile with the password INFECTED

> describe what release of windows
I'm using Windows 98.

> anything additional 'strangeness'
There doesn't seem to be anything strange going on. I've not run into
problems 
or something similar.

>recall any 'new programs' you downloaded and run before this started
I'm not on the Internet at all (I'm using a friend's computer to send you 
this e-mail) and I haven't gotten  any 'new programs' except those that 
were on the CDs when I bought the computer.

Is it easy to remove this 'virus'? Or should I re-install everything from 
CD?

Thanks for your help Bob

Natasha Winther
   
Get HushMail. The world's first free, fully encrypted, web-based email
system.
Speak freely with HushMail.... http://www.hushmail.com


============================
This message has 1 attachment(s)
============================
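A triage check for the file layout Bob describes above (the original's first 4096 bytes moved to the tail, something prepended in front), as an added example that is not part of the thread and not AVERT's code; it only inspects bytes and does not attempt repair, which matches his advice to restore from backup. The function names, the 64-byte zero-prefix check and the constructed stand-in header are my assumptions.

```python
# Added example, not from the thread and not AVERT's code: triage a file
# against the layout described in the analysis. Read-only; no repair.
import struct

MOVED = 4096  # size of the displaced original beginning, per Bob's analysis


def looks_like_pe_header(block: bytes) -> bool:
    """MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0' inside block."""
    if len(block) < 0x40 or block[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", block, 0x3C)[0]
    return e_lfanew + 4 <= len(block) and block[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes) -> dict:
    """Observations a responder wants before deciding to restore from backup."""
    head, tail = data[:MOVED], data[-MOVED:]
    return {
        # a healthy PE has its header where the loader expects it
        "header_at_start": looks_like_pe_header(head),
        # the displaced original beginning sits in the last 4096 bytes
        "displaced_header_at_tail": len(data) > MOVED and looks_like_pe_header(tail),
        # 'prepends all hex zeros instead of itself': zeroed where MZ should be
        # (64 bytes is an assumed window, not a figure from the analysis)
        "zero_prefix": len(head) >= 0x40 and not any(head[:0x40]),
    }


def verdict(data: bytes) -> str:
    t = triage(data)
    if t["displaced_header_at_tail"]:
        return "displaced-header"  # layout matches; original beginning is in the tail
    if not t["header_at_start"]:
        return "corrupted"         # no usable header anywhere (the 'forgot to append' case)
    return "clean-looking"


def make_fake_pe_header() -> bytes:
    """Constructed 4096-byte stand-in for a PE header, for the self-test below."""
    e_lfanew = 0x80
    hdr = bytearray(MOVED)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    # constructed sample: fake header plus 1000 bytes of filler 'code'
    original = make_fake_pe_header() + b"\x90" * 1000
    print(verdict(original))
```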

[email protected] on 27/09/99 08:03:22 PM

To:   Eirik Amundsen/[email protected]_No
cc:

Subject:  More W32/Bogus viruses?!

sent to analysis 270999


============================
This message has 1 attachment(s)
============================