Re: New Virus?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2005-06-27 Hamish Stanaway wrote:
> I recieved a mysterious email this morning at 1728 GMT which had headers as 
> follows:
[...]
> As you can guess, I'm hamish1 () webhosting net nz.
> This email contained no text, only an attachment called legs.zip,
> which Norton (fully updated to its' latest version and data files) did
> not detect any viruses in.
> Within the legs.zip file there is a file called ds-rwe.exe - this
> again was not detected as a virus.
> My girlfriend thought she would be smart and ran ds-rwe.exe, which
> gave me a memory overflow message for explorer.exe immidiately.
> Does anyone have any idea of what this might be, and also if it is a
> virus that has already been identified? If not, I am willing to pass
> it through to someone to take a look at in its' zip format.

The file names and headers don't mean much. I would suggest you test the
(original) file on [1]. If that doesn't give any insight: send it to the
AV vendor of your choice. Most of them provide an e-mail address for
this pupose (Nick FitzGerald posts a list of them from time to time,
e.g. [2]).

HTH

> Otherwise if the effects cannot be reversed, I am afraid I will have
> to reformat this machine *sigh* NOT AGAIN :(

Well, reinstalling is always your best (read as "safest") bet when
dealing with compromised hosts. Sorry.

focus-virus would have been a more appropriate list for this kind of
request, BTW.

[1] http://www.virustotal.com/
[2] http://www.securityfocus.com/archive/100/366231

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq