RE: New Virus? The AV Vendors respond (long post)

From: Alex Arndt (aarndtrogers.com)
Date: Tue Aug 16 2005 - 14:04:04 CDT


It would appear that the e-mail I described did in
fact hold an infected attachment.

Several list members have pointed out that I could
have done some analysis prior to submitting my post.
While this is true, it isn't as easy as some would
have us all believe. I'm not a malware guy, or even
a programmer, but an IDS guy. I don't tell folks to
analyse their own logs before they ask me to look
at something, since they may believe I might know
more than they do, but I digress. IMHO, there are
people on this list with far more expertise in
analyzing malware than I, which is why I made my
post without any attempt on my part to figure it
out...

Anyway, I've received some responses from some
AV vendors and thought I'd share. The unfortunate
thing is that, while they all agree it's malicious,
they don't agree as to what exactly it is. Here is
the list of direct responses I received:

Sophos - W32/MyDoom-Gen

CA - Win32.Qweasy.A (analyst comment says it may be
an MS05-039 worm...)

McAfee - BackDoor-CEB (extra.dat provided with their
response)

Here's the output from virustotal.com:

Results of a file scan
This is a report processed by VirusTotal on 08/15/2005
at 22:48:03 (CET) after scanning the "email-doc.zip"
file.

Antivirus      Version          Update      Result
AntiVir        6.31.1.0         08.15.2005  no virus found
Avast          4.6.695.0        08.15.2005  no virus found
AVG            718              08.15.2005  no virus found
Avira          6.31.1.0         08.15.2005  no virus found
BitDefender    7.0              08.15.2005  BehavesLike:Win32.SiteHijack
CAT-QuickHeal  7.03             08.15.2005  no virus found
ClamAV         devel-20050725   08.15.2005  Worm.Mydoom.AT
DrWeb          4.32b            08.15.2005  no virus found
eTrust-Iris    7.1.194.0        08.15.2005  no virus found
eTrust-Vet     11.9.1.0         08.15.2005  no virus found
Fortinet       2.36.0.0         08.15.2005  suspicious
F-Prot         3.16c            08.15.2005  no virus found
Ikarus         0.2.59.0         08.12.2005  no virus found
Kaspersky      4.0.2.24         08.15.2005  Backdoor.Win32.Surila.x
McAfee         4558             08.15.2005  Generic Malware.a!zip
NOD32v2        1.1194           08.15.2005  probably unknown NewHeur_PE virus
Norman         5.70.10          08.15.2005  no virus found
Panda          8.02.00          08.15.2005  no virus found
Sophos         3.96.0           08.15.2005  W32/MyDoom-Gen
Sybari         7.5.1314         08.15.2005  W32/MyDoom-Gen
Symantec       8.0              08.15.2005  no virus found
TheHacker      5.8.2.088        08.15.2005  W32/Generic!zip-dobleextension
VBA32          3.10.4           08.15.2005  no virus found

As you can see, nothing concrete using the virus
definitions available as of yesterday.

A number of folks asked me to send them a copy.
I only forwarded to one person though, since I
knew who they were. All other such requests, I
must apologize, will not be answered. Sorry.

I hope this information proves useful. If any
of you out there have a more concrete answer
as to what this is, please share.

Alex Arndt
CISSP, GCIA, GCIH

"Within all order is the potential for chaos..."
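One way to make sense of a multi-engine report like the one above is to stop reading vendor names as if they were a single answer and instead count what the engines actually agree on: how many flagged the file at all, how many of those verdicts are heuristic or generic (and so carry no family name), and which family names remain once platform and type prefixes are stripped. The script below does that over the VirusTotal table reproduced in the post. It is an added example and not code from the original post or from VirusTotal; the keyword lists used to recognise heuristic verdicts and to strip prefixes are assumptions made for illustration, not any vendor's naming convention.

```python
"""Summarise a multi-engine antivirus scan report.

Added example; not code from Alex Arndt's post or from VirusTotal.
REPORT is the scan table reproduced in the post. HEURISTIC_MARKERS and
PREFIXES are assumptions made for illustration, not vendor conventions.
"""
import re
from collections import Counter

# Scan table from the post: engine, engine version, signature date, result.
REPORT = """\
Antivirus Version Update Result
AntiVir 6.31.1.0 08.15.2005 no virus found
Avast 4.6.695.0 08.15.2005 no virus found
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.15.2005 no virus found
BitDefender 7.0 08.15.2005 BehavesLike:Win32.SiteHijack
CAT-QuickHeal 7.03 08.15.2005 no virus found
ClamAV devel-20050725 08.15.2005 Worm.Mydoom.AT
DrWeb 4.32b 08.15.2005 no virus found
eTrust-Iris 7.1.194.0 08.15.2005 no virus found
eTrust-Vet 11.9.1.0 08.15.2005 no virus found
Fortinet 2.36.0.0 08.15.2005 suspicious
F-Prot 3.16c 08.15.2005 no virus found
Ikarus 0.2.59.0 08.12.2005 no virus found
Kaspersky 4.0.2.24 08.15.2005 Backdoor.Win32.Surila.x
McAfee 4558 08.15.2005 Generic Malware.a!zip
NOD32v2 1.1194 08.15.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 08.15.2005 no virus found
Panda 8.02.00 08.15.2005 no virus found
Sophos 3.96.0 08.15.2005 W32/MyDoom-Gen
Sybari 7.5.1314 08.15.2005 W32/MyDoom-Gen
Symantec 8.0 08.15.2005 no virus found
TheHacker 5.8.2.088 08.15.2005 W32/Generic!zip-dobleextension
VBA32 3.10.4 08.15.2005 no virus found
"""

# engine, version, MM.DD.YYYY signature date, then the free-form result.
# The header line has no date in the third column, so it does not match.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

NO_DETECTION = {"no virus found"}

# Assumed substrings that mark a heuristic or generic verdict (no family name).
HEURISTIC_MARKERS = ("generic", "heur", "suspicious", "probably", "behaveslike")

# Assumed platform/type prefixes that precede the family name in vendor names.
PREFIXES = {"w32", "win32", "worm", "backdoor", "trojan", "virus"}


def parse_report(text):
    """Return (engine, version, update, result) tuples; non-matching lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify(result):
    """Map one vendor result to ('none' | 'heuristic' | 'family', family_or_None)."""
    r = result.strip().lower()
    if r in NO_DETECTION:
        return ("none", None)
    if any(marker in r for marker in HEURISTIC_MARKERS):
        return ("heuristic", None)
    # Split "W32/MyDoom-Gen" or "Worm.Mydoom.AT" into tokens and drop prefixes;
    # the first remaining token is taken as the family name.
    tokens = re.findall(r"[a-z0-9]+", r)
    family = next((t for t in tokens if t not in PREFIXES), None)
    return ("family", family) if family else ("heuristic", None)


def summarize(text):
    """Count detections per kind and tally normalised family names across engines."""
    rows = parse_report(text)
    kinds, families, missed = Counter(), Counter(), []
    for engine, _version, _update, result in rows:
        kind, family = classify(result)
        kinds[kind] += 1
        if kind == "family":
            families[family] += 1
        elif kind == "none":
            missed.append(engine)
    return {
        "engines": len(rows),
        "detected": len(rows) - kinds["none"],
        "heuristic": kinds["heuristic"],
        "named": kinds["family"],
        "families": dict(families),
        "consensus": families.most_common(1)[0] if families else None,
        "missed_by": missed,
    }


if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"{s['detected']}/{s['engines']} engines flagged the file "
          f"({s['heuristic']} heuristic/generic, {s['named']} named)")
    print("family votes:", s["families"])
    print("consensus:", s["consensus"])
    print("missed by:", ", ".join(s["missed_by"]))
```

Run against the table in the post, this reports 9 of 23 engines flagging the file, 5 of them with a heuristic or generic verdict and only 4 with a family name, of which three say Mydoom and one says Surila. That is the practical reading of the post's point: "malicious" is a well-supported conclusion here, but a specific family name is not, and any alias mapping used to merge vendor names should be treated as an analyst's assumption rather than ground truth.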