Getting this email on a regular basis?
“Please find attached a statement of fees as requested, this will be
posted today.
The accommodation is dealt with by another section and I have passed
your request on to them today.
Kind regards.
Hannah ”
Yes, it is a virus: the attached .doc.exe file seems to vary daily in its choice of virus.
So far it has been:
TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA
All 3 of which were not detected by the most up-to-date pattern from Trend, having instead to resort to their CPR release (Controlled Pattern Release) after emailing these samples to their labs (another unknown variant was received today and sent to Trend labs).
This brings into question the validity of “Honey pot” accounts to catch these viruses; the only reason I am able to attain these “samples” before they become a problem is that I have a “Honey pot” email account, with a generic, often-spammed address format, for this purpose.
This is making “Honey pots” more of a NEED now, instead of an “Über Techie’s” box of tricks the end user is afraid to go within 30 meters of.
If you run a Windows-based network, I suggest you do some research into how to set up a good honey pot (do NOT use an account on your Exchange server; that would be REALLY stupid). You can also post a comment or use the contact form for advice.
Once set up, make it part of your daily routine to test samples as they come in against your antivirus solution, making sure you know how to send samples to the provider’s labs for analysis.
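The daily routine above is easier to stick to with a small triage script. The following is an added example, not the blog’s own tooling or anything from Trend: it parses one message from the honeypot mailbox, flags attachments whose name ends in an executable double extension (the .doc.exe pattern described in the post), and records each sample’s SHA-256 so the hash can be quoted when the file is sent to the vendor lab. The extension lists, the `example.invalid` addresses and the message body are constructed for the demonstration; the “attachment” is an MZ header plus filler, not a real program. Only the Python standard library is used.

```python
"""Triage attachments in a honeypot mailbox: flag executable double extensions,
hash every sample for the vendor-lab submission, and list what still needs sending.
Added example; not the blog's own tooling. Standard library only."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute no matter what precedes them (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking extensions commonly placed in front of the real one (assumed list).
DECOY_EXTENSIONS = {".doc", ".xls", ".pdf", ".txt", ".jpg", ".zip"}

# Constructed stand-in for the attachment: an MZ header plus filler, not a real binary.
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real program"


def sha256_hex(data):
    """Hex SHA-256 of a sample; this is the value you quote to the vendor lab."""
    return hashlib.sha256(data).hexdigest()


def classify_name(filename):
    """Return 'double-extension', 'executable' or 'benign' for an attachment name."""
    pieces = filename.lower().split(".")
    if len(pieces) < 2:
        return "benign"                      # no extension at all
    if "." + pieces[-1] not in EXECUTABLE_EXTENSIONS:
        return "benign"                      # final extension is not executable
    if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTENSIONS:
        return "double-extension"            # e.g. statement.doc.exe
    return "executable"                      # plain .exe, .scr, ...


def triage_message(raw_bytes):
    """Parse one RFC 5322 message and describe every attachment it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""   # base64/QP already undone
        findings.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "verdict": classify_name(filename),
        })
    return findings


def samples_for_lab(findings):
    """Hashes of attachments worth sending to the vendor (anything executable)."""
    return [f["sha256"] for f in findings if f["verdict"] != "benign"]


def build_sample_message():
    """Constructed message mimicking the 'statement of fees' lure, for offline runs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed address
    msg["To"] = "honeypot@example.invalid"        # constructed honeypot address
    msg["Subject"] = "Statement of fees"
    msg.set_content("Please find attached a statement of fees as requested.")
    msg.add_attachment(SAMPLE_EXE_BYTES, maintype="application",
                       subtype="octet-stream", filename="statement_of_fees.doc.exe")
    msg.add_attachment("Nothing to see here.", subtype="plain", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    results = triage_message(build_sample_message())
    for item in results:
        print(f"{item['verdict']:17} {item['sha256'][:16]}...  {item['filename']}")
    print("send to lab:", samples_for_lab(results))
```

To use it on a real honeypot mailbox, feed `triage_message` the raw bytes of each saved `.eml` file; the verdict is only a name-based heuristic, so the hash, not the verdict, is what you compare against the vendor’s pattern once the lab replies.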
Tags:
Honey pot,
TROJ_AGENT.ANID,
TROJ_ZBOT.WB,
Virus,
WORM_SYSTEM.AA
Trend Micro Page
After all the problems I had with Cryp-TAP-2 (here), I’m going straight for the COMBOFIX option! I’ll update with how I get on.
UPDATE: Everything looks good so far. Booted into safe mode and ran ComboFix; the system is now rebooting normally, now waiting on the log report.
UPDATE2: ComboFix did the job YET again! Still getting a popup or two about the system restore volume. From the look of the report, this little bugger hooks itself into system processes (explorer.exe, svchost.exe).
Tags:
cryp_xed-3,
Virus
Posted by: Buzz in Windows
Nasty little bug, this one. It’s a mutator, and despite having booted the machine into safe mode, used Process Explorer to kill every process it hooked into, and finally having to use a command window to remove the offending .dll, once this thing got an active internet connection the fun and games started again!
The best thing you can do is go straight for the removal tool here.
There are also links on that page for more information on the virus.
I suggest you remove the infected machine from having any network connection, download the removal tool to a known “good” workstation, and load the .exe onto removable storage (usb), to be run on the infected machine.
UPDATE: Just using the tool, for me at least, isn’t working! I am now trying this in safe mode.
UPDATE2: OK! Wonderful, the Symantec removal tool is not working at all. I am trying another tool, VundoFix.
I’ll post another update once the scan has finished.
UPDATE3: Nope. Roll on tool #3, COMBOFIX.
UPDATE4: ComboFix did the job. This tool does advertise the fact that 1/100 machines die from running it, so if the Symantec tool doesn’t work, use ComboFix (at your own risk). NOTE: I ran this in safe mode; it then rebooted Windows normally and ran the log dump. The system may hang while it does this; mine recovered after about 5 mins. I also copied the program to C:\ prior to running.
Tags:
Cryp_Tap-2,
Virus