Think I just discovered a new virus

Red Squirrel

No Lifer
May 24, 2003
69,668
13,312
126
www.betteroff.ca
Someone who never talks to me on msn sent me a link that went to this site:

www.kurci.info

It had my msn email in the link, probably as an ID to see if I clicked it.

I found it kinda odd as it was not even a picture or anything. It had .com as an extension but it was the end of my email, but that's still an executable file.

So I downloaded it and put it in a vm and ran it. It gives a picture viewer error, which is odd, as I'm not actually opening it with any picture viewer as it's an exe, so that error is clearly coded right into it.

Using filemon and regmon and briefly looking through it, it looks like it does some weird stuff to the system, but nothing really noticeable.

Has anyone heard of this one before, or is this a new one? Avira does not detect it as a virus. With some Google research I found logs saying it is malware, but not more than that, no official report or anything.

If it's not well known guess I can dig deeper and code a repair util for it and put it on my site.



Thread moved from Software For Windows to Security.

AnandTech Moderator
mechBgon
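The first post turns on one detail: a link ending in what looks like an e-mail address, where the ".com" top-level domain is also a DOS/Windows executable extension, so the download runs as a program while posing as a picture. As an added example (not code from this thread or from any of the posters), here is a small defender-side triage script that flags such names and, independently of the name, checks whether the bytes carry an MZ/PE header. The extension lists, the sample header bytes and the example.invalid links are all constructed for illustration.

```python
import re
import struct
from urllib.parse import urlsplit, unquote

# Extensions Windows runs as programs when double-clicked (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Extensions a recipient would expect to be harmless media or documents (constructed).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".txt"}

# "local@domain.tld": an e-mail address whose TLD doubles as a file extension.
EMAIL_LIKE = re.compile(r"^[^@\s/\\]+@[^@\s/\\]+\.[a-z]{2,}$")


def file_name_from_link(link):
    """Last path segment of a URL or bare file name, percent-decoded and lower-cased."""
    path = urlsplit(link).path or link
    return unquote(path.rsplit("/", 1)[-1]).lower()


def suspicious_extension(link):
    """Explain why a link or file name would run as a program while looking like something else.

    Returns None when the name carries no executable extension.
    """
    name = file_name_from_link(link)
    if "." not in name:
        return None
    stem, dot, tail = name.rpartition(".")
    ext = dot + tail
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if EMAIL_LIKE.match(name):
        # e.g. someone@hotmail.com: the ".com" TLD is also an executable extension
        return "executable extension disguised as e-mail address"
    if "." in stem and "." + stem.rpartition(".")[2] in DECOY_EXTENSIONS:
        # e.g. holiday.jpg.exe: Explorer hides the real extension by default
        return "double extension hiding executable"
    return "bare executable extension"


def looks_like_pe(data):
    """True if the bytes carry the MZ/PE headers of a Windows executable, whatever the name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


# Constructed sample bytes: a minimal MZ/PE header and a JPEG magic number.
SAMPLE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 100


def triage(link, data):
    """Combine the name check and the content check into one verdict string."""
    reasons = []
    name_reason = suspicious_extension(link)
    if name_reason:
        reasons.append(name_reason)
    if looks_like_pe(data):
        reasons.append("content is a Windows PE executable")
    return "; ".join(reasons) if reasons else "no executable indicators"


if __name__ == "__main__":
    # Constructed links modelled on the thread's description; the domain is a placeholder.
    for link, data in [
        ("http://example.invalid/someone@hotmail.com", SAMPLE_PE),
        ("http://example.invalid/holiday.jpg.exe", SAMPLE_PE),
        ("http://example.invalid/holiday.jpg", SAMPLE_JPEG),
    ]:
        print(link, "->", triage(link, data))
```

The content check matters because the name check alone is easy to evade: a mail filter or download proxy that looks at both the trailing extension and the first bytes catches the case the thread describes, an executable that is not an image at all but relies on the recipient reading ".com" as part of an address.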
 

Red Squirrel

Yeah may do that, just don't want to waste time if it's actually a known one. I still have it in my recycle bin. Don't want to leave it out on my desktop in case I accidentally open it. :p
 

Red Squirrel

Submitted to avira, nothing yet. Should I be submitting this to all companies, or do they talk to each other, then again, they compete, so would they keep this stuff secret from each other?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: RedSquirrel
Submitted to avira, nothing yet. Should I be submitting this to all companies, or do they talk to each other, then again, they compete, so would they keep this stuff secret from each other?

Most of the malware we see now only targets a handful of systems before it's morphed. It's likely just a relative of a known attack that's morphed enough that signatures aren't catching it.

 

Sam25

Golden Member
Mar 29, 2008
1,721
29
91
Originally posted by: RedSquirrel
Submitted to avira, nothing yet. Should I be submitting this to all companies, or do they talk to each other, then again, they compete, so would they keep this stuff secret from each other?

Any news yet?
 

Red Squirrel

Ha nice, it gets detected now. Not sure if it's because I submitted it, or if they were already working on a def file.

Out of curiosity I wonder if other AVs detect it too now.

If anyone wants to try go nuts:

http://www.iceteks.com/misc/virus.zip

Just extract (password q1w2e3r4). Most AVs will catch it before it even finishes extracting but if not obviously don't open it, but perform scan on it.
 

balloonshark

Diamond Member
Jun 5, 2008
6,882
3,354
136
Originally posted by: RedSquirrel
Out of curiosity I wonder if other AVs detect it too now.

If anyone wants to try go nuts:

http://www.iceteks.com/misc/virus.zip

Just extract (password q1w2e3r4). Most AVs will catch it before it even finishes extracting but if not obviously don't open it, but perform scan on it.
It's detected by many of the vendors.
http://www.virustotal.com/anal...caceed5e50707b8268fd06

It looks to be a trojan of some sort. MBAM also detects it as backdoor.bot.
 

Sam25

Originally posted by: RedSquirrel
Ha nice, it gets detected now. Not sure if it's because I submitted it, or if they were already working on a def file.

Out of curiosity I wonder if other AVs detect it too now.

If anyone wants to try go nuts:

http://www.iceteks.com/misc/virus.zip

Just extract (password q1w2e3r4). Most AVs will catch it before it even finishes extracting but if not obviously don't open it, but perform scan on it.

After extracting it, I scanned with Kaspersky Internet Security 2009 and it reported it as:
'Backdoor.Win32.IRCBot.grs'

Superantispyware (fully updated) did not detect anything harmful on it though.