{"id":21105,"date":"2009-12-17T11:29:56","date_gmt":"2009-12-17T15:29:56","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/security\/protect\/bestpractice\/identifying-and-reporting-new-viruses\/"},"modified":"2015-02-03T09:24:15","modified_gmt":"2015-02-03T14:24:15","slug":"new-virus","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/about\/security-resources\/bestpractice\/new-virus\/","title":{"rendered":"Identifying and Reporting New Viruses"},"content":{"rendered":"<p><strong>How to Submit new virus\/worm\/Trojan samples<\/strong><\/p>\n<p>Use a program such as <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897437.aspx\">TCPview<\/a> to uncover where the suspect executable(s) are running from (see example below).<\/p>\n<div id=\"attachment27346\" style=\"width: 646px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment27346\" loading=\"lazy\" alt=\"Example of TCPView\" src=\"\/tech\/files\/2010\/01\/tcpview-636x498.png\" class=\"size-medium wp-image-27346\" height=\"498\" width=\"636\" srcset=\"https:\/\/www.bu.edu\/tech\/files\/2010\/01\/tcpview-636x498.png 636w, https:\/\/www.bu.edu\/tech\/files\/2010\/01\/tcpview.png 816w\" sizes=\"(max-width: 636px) 100vw, 636px\" \/><p id=\"caption-attachment27346\" class=\"wp-caption-text\">Example of TCPView<\/p><\/div>\n<p>From TCPView:<\/p>\n<ul>\n<li><strong>Right click<\/strong> the suspect process to review the <strong>Process Properties<\/strong><\/li>\n<li>Navigate to the folder containing the suspect executable(s)<\/li>\n<li><strong>Right click<\/strong> on the executable (.exe)<\/li>\n<li>Select <strong>Properties<\/strong><\/li>\n<li>Note the creation date and time.<\/li>\n<li>Use the creation date and time to perform a full search of <strong>all local drives<\/strong> to discover more files that may have been installed with the new virus\/worm\/Trojan<\/li>\n<li>Create a password-protected (password <strong>infected<\/strong>) zip file that contains a 
copy of all suspect files you have uncovered<\/li>\n<\/ul>\n<p><strong>Submitting A Sample Electronically<\/strong><br \/>\nAttach the password protected .ZIP you have created above to an email to <a href=\"mailto:virus_research@avertlabs.com\">virus_research@avertlabs.com<\/a> with the following information<\/p>\n<ul>\n<li>What symptoms cause you to suspect that your machine is infected?\n<ul>\n<li>Example: IRT detected virus\/worm related IRC sessions.<\/li>\n<\/ul>\n<\/li>\n<li>Whether any products find a virus (version number, company, results)\n<ul>\n<li>Example: No viruses were found using McAfee 7.1.<\/li>\n<\/ul>\n<\/li>\n<li>Your Virus Scan information\n<ul>\n<li>Version number and DAT set number<\/li>\n<li>We are using McAfee ______________________________<\/li>\n<\/ul>\n<\/li>\n<li>Details that may be relevant about your system\n<ul>\n<li>The system is running Windows ______ with Service Pack _______<\/li>\n<\/ul>\n<\/li>\n<li>Your name, company name, phone number and email address if possible<\/li>\n<li>A list of all items contained in the package\/message you are composing\n<ul>\n<li>We used Sysinternal&#8217;s TCPView Utility to discover the following rogue services were running on TCP ports ______________________ and UDP ports______________________<\/li>\n<li>We used the creation date of the rogue services to discover all the files installed by the new worm\/variant. The zip contains a copy of these files.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How to Submit new virus\/worm\/Trojan samples Use a program such as TCPview to uncover where the suspect executable(s) are running from (see example below). 
From TCPView: Right click the suspect process to review the Process Properties Navigate to the folder containing the suspect executable(s) Right click on the executable (.exe) Select Properties Note the creation date&#8230;<\/p>\n","protected":false},"author":2620,"featured_media":0,"parent":6549,"menu_order":11,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/21105"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/2620"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=21105"}],"version-history":[{"count":11,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/21105\/revisions"}],"predecessor-version":[{"id":89489,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/21105\/revisions\/89489"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6549"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=21105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}