lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Possible New Malware

Perrymon, Josh L. wrote:

> Anyone Heard of BackDoor-CIW?

Not until now, but I can tell you immediately that is an NAI/McAfee 
name...

> This is a piece of malware with the .exe of winstr32.exe that is causing 99%
> CPU on a couple machine at a remote location. I found that one infected
> machine does not have MS04-11 patched. So that could be an attack vector.
> 
> I get no luck googling for the .exe or BackDoor-CIW   <----  This is what
> Postini identifies the file as.

Makes sense -- Postini uses NAI/McAfee (and maybe others?) for their 
virus scanning.  There is no entry in NAI's VIL (Virus Information 
Library) for this name either and other information available to me 
suggests it will be a new backdoor isolated within the last few days 
(unlikely more than a week ago).

> I'm trying to get a copy to put in my VMWare Lab.

Please make sure you do not have bridged networking setup between your 
VM and a live Internet connection.  Succh irresponsibility is 
apparently OK at SANS, but not anywhere in professional anti-malware 
research.

Also, please send a sample to the AV developers you trust to handle it 
properly.  Here is a list of the suspect file submission addresses for 
the better-known AV developers which may save you having to look up the 
necessary address(es):

   Authentium (Command Antivirus)  <virus@...hentium.com>
   Computer Associates (US)        <virus@...com>
   Computer Associates (Vet/EZ)    <support@....com.au>
   DialogueScience (Dr. Web)       <Antivir@...ls.ru>
   Eset (NOD32)                    <sample@...32.com>
   F-Secure Corp.                  <samples@...ecure.com>
   Frisk Software (F-PROT)         <viruslab@...rot.com>
   Grisoft (AVG)                   <virus@...soft.cz>
   H+BEDV (AntiVir, Vexira engine) <virus@...ivir.de>
   Kaspersky Labs                  <newvirus@...persky.com>
   Network Associates (McAfee)     <virus_research@....com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis@...man.no>
   Panda Software                  <labs@...dasoftware.com>
   Sophos Plc.                     <support@...hos.com>
   Symantec (Norton)               <avsubmit@...antec.com>
   Trend Micro (PC-cillin)         <virus_doctor@...ndmicro.com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ