VBS_SLUG.worm?
Kubie
12-03-2002, 10:25 AM
Anybody seen this one? I can't find it in any databases.
Carl
morriswindgate
12-03-2002, 10:37 AM
It is so new that Symantec lists it but there is no additional info.
Did you get it?
Statica
12-03-2002, 10:38 AM
Where did you find it?
Kubie
12-03-2002, 10:43 AM
I ran PC-Cillin yesterday and it was clear. This morning, there was an update from PCC. After I loaded the files, I ran a scan and that's what came up. It was found in C:\Program Files and was quarantined.
Also, there was a file Eudora.Align listed and quarantined.
Carl
Kubie
12-03-2002, 08:41 PM
Correction:
The name quarantined is VBS_SLUG.B
So far nothing at Trend, but I'm gonna keep a close eye out.
Carl
kittyfire
12-04-2002, 06:59 PM
:: perks:: Let's take it apart and see how it works
Kubie
12-04-2002, 08:00 PM
kittyfire,
My thoughts would be that since you have all the software experience, I could send it to you and you could dissect it and let us know. :eek:
Carl
kittyfire
12-04-2002, 08:52 PM
::searching for her old copy of bubblechamber::
Send it over... ::laughs:: kittyfire@bellsouth.net
Black Ice
12-04-2002, 10:03 PM
kittyfire, where did you get bubblechamber at? I have a lot of tools but have never heard of that one. Does it make it a non exe so you can open it?
kittyfire
12-04-2002, 10:14 PM
Decompiler. ::nodnodnods:: And I got it by skittering along under someone's feet as they were taking classes on it. ::grins:: I got this thing for protecting people. My best success story ever was catching someone while they were hacking someone else. Had some little girl scared because he said if she IMed anyone or didn't keep typing he'd erase her hard drive and crash her computer. Her mother was busy calling for help. Imagine his surprise when I popped up on his screen with "You're real good at scaring little girls, let's see what you can do with a woman." lol@me. I got righteous indignation down to an art.
Kubie
12-04-2002, 10:28 PM
kittyfire,
I submitted the virus name to Trend's submission site and received an email stating that this one would take some research.
I had told them that their anti-virus had caught it.
Carl
Black Ice
12-04-2002, 10:39 PM
That's what I like to hear. At least you're on the good side of things. Me, I just like to know how they work so I can have a better understanding of how to protect myself and teach my kids what not to do and what to look out for and also how to deal with it. But I still have a lot to learn myself.
kittyfire
12-05-2002, 01:47 PM
I'm no hacker by any stretch of the imagination. This guy was just arrogant enough to be stupid and leave a trail a mile wide that even I could follow... and so I did. :: beams:: There's hackers and then there's hacker vigilantes and I know what side of the fence I'm on. And you're right... the only way to beat it is to understand it.
LoveJones
12-07-2002, 02:29 AM
Decompiler for which languages?
You will have zero luck for any C-based language, or Java if they have used an obfuscator.
Interesting things though =)
Blakhart
12-09-2002, 01:05 AM
Kittyfire, you rock.
ZYFER
12-09-2002, 03:10 AM
Go Kitty!! W00t!!
Kubie
12-09-2002, 08:21 AM
Here is the answer from Trend-Micro:
Thank you for contacting TrendLabs HQ.
We have checked the file you have sent
20021203.upg 21 bytes
Based on our tests, the file contains nothing more than the string 20021203,0623,2,1. This string is not executable and probably provides the date after a certain action has been performed.
With regards to your query about VBS_SLUG.B, we already posted our virus report for this virus.
VBS_SLUG.B is an encrypted malware written in Visual Basic Script that infects HTM, HTML, HTT, and VBS files. It has a destructive payload that deletes all files in the Windows directory, formats the hard drive, and crashes the system. It drops an unencrypted copy of itself that we can detect as VBS_SLUG.A. Both malwares have the capability to spread through mIRC channels.
The information regarding both variants can be viewed at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_SLUG.A and http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_SLUG.B
The said sites also contain removal instructions for these malwares.
Our latest Control Patch (408 version 26) can also detect both variants. This Control Patch can be downloaded at http://www.antivirus.com/download/pattern_cpr.asp
Carl