Message-ID: <200403031118.i23BIKP04053@netsys.com>
From: surya at nsecure.net (Suresh Ponnusami)
Subject: Backdoor not recognized by Kaspersky

Another variant against the Netsky virus. It is packed with
UPX. It spreads with a password protected zip file, which
gets bypassed through almost all the AV scanners with
latest signature updates because no AV can decrypt it
without the password (though the password is in the message
content); we humans tend to open it after reading the message.

Ok! The analysis of the virus:
* Known as Beagle.H and another variant is Beagle.I
* McAfee identifies it as W32/Bagle.gen@MM

* Packed with UPX
* Contains an in-built SMTP server
* Creates Authentic Looking Smart Messages which might
  _trick_ most people to execute the content.
(But when will users get the knowledge about security??)
:((
* Random zip password generation (all the passwords are
  5-6 digits)
* Contains "'Hey, NetSky, f**k off you b*t*h, don''t ruine our
  bussiness, wanna start a war?'
* Connects and downloads the password protected zip from
  http://postertog.de/scr.php or http://www.gfotxt.net/scr.php
  or from http://www.maiklibis.de/scr.php or from http://151.201.0.39/
  All the hosts were down at the time of this mail.
* Does not contain any dangerous payload and performs other
  common virus thingies.
* Auto starts via SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  open

Update your AV to the latest signatures. Do not open anything
that does not make any sense to you, even if it is from a known
person, especially when the zip contains files with .pif, .scr, .exe
or .com extensions or any other executable attachments.
-
Suresh Ponnusami,
Information Security Consultant,
nSecure Software (P) Ltd.
INDIA
----- Original Message -----
From: "Kristian Hermansen" <khermansen@...technology.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, 03 March, 2004 04:04 AM
Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky


> Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
> this file recently, but Kaspersky did not detect malicious code.
> Wondering
>
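The post's central point is that a password-protected zip defeats signature scanning because the scanner cannot decrypt the payload, while the ZIP headers themselves are still in the clear: the general-purpose flag bit 0 says "encrypted", and the entry names (with their .pif/.scr/.exe/.com extensions) are not encrypted. A mail gateway can therefore triage such attachments without ever knowing the password. The following is an added example, not code from the post or from any AV vendor; it builds two small sample archives by hand (the "encrypted" one only has the flag bit set, its payload is constructed filler bytes, since the inspector never extracts anything) and applies a header-only triage rule. The verdict names and the `build_zip` helper are assumptions made for the illustration.

```python
import io
import os
import struct
import zipfile
import zlib

# Attachment extensions the post singles out as executable content.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com"}

# Bit 0 of the ZIP general-purpose flag marks a password-protected entry.
FLAG_ENCRYPTED = 0x0001


def build_zip(entries, encrypted=False):
    """Write a minimal ZIP archive (stored, no compression) from {name: bytes}.

    Constructed test data (hypothetical helper): with encrypted=True the
    encryption flag bit is set in every header, but the payload stays plain
    filler, which is enough to exercise a header-only inspector.
    """
    local_parts, central_parts = [], []
    offset = 0
    flags = FLAG_ENCRYPTED if encrypted else 0
    for name, payload in entries.items():
        raw = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        size = len(payload)
        # Local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, size, size, len(raw), 0) + raw + payload
        # Central directory entry mirrors the local header and records
        # the local header's offset.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                              0, 0, 0, crc, size, size, len(raw), 0, 0, 0, 0,
                              0, offset) + raw
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central_blob = b"".join(central_parts)
    # End of central directory record.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central_blob), offset, 0)
    return b"".join(local_parts) + central_blob + eocd


def inspect_attachment(data):
    """Header-only look at a ZIP attachment; nothing is decrypted or extracted.

    Returns one finding per entry: its name, whether it is password-protected
    and whether its extension is one of the executable types above.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & FLAG_ENCRYPTED),
                "executable": ext in EXECUTABLE_EXTS,
            })
    return findings


def verdict(data):
    """Triage rule (an assumption for this example): a password-protected
    archive that carries an executable is quarantined; either property on
    its own is sent for review; anything else is allowed through."""
    findings = inspect_attachment(data)
    if any(f["encrypted"] and f["executable"] for f in findings):
        return "quarantine"
    if any(f["encrypted"] or f["executable"] for f in findings):
        return "review"
    return "allow"


# Constructed samples: the "malicious" one mimics the shape the post
# describes (encrypted zip, .scr inside); the payload bytes are filler.
SAMPLE_MALICIOUS = build_zip({"document.scr": b"MZ\x90\x00 filler"}, encrypted=True)
SAMPLE_BENIGN = build_zip({"report.txt": b"quarterly figures"})

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, verdict(blob), inspect_attachment(blob))
```

Because only the central directory is read, the check costs nothing per attachment and works regardless of how strong the zip password is; it also catches the double-extension trick (`photo.jpg.scr`) since `splitext` keeps only the final suffix.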