Message-ID: <404DEBCF.6060203@umn.edu>
From: eckman at umn.edu (Brian Eckman)
Subject: Re: New Virus?

Nick FitzGerald wrote:
...
> Here is a list of the suspicious file 
> submission addresses of several well-known AV developers -- send the 
> .HTA and the .EXEs to those you consider trustworthy:
> 
>    Command Software             <virus@...mandcom.com>
>    Computer Associates (US)     <virus@...com>
>    Computer Associates (Vet/EZ) <ipevirus@....com.au>
>    DialogueScience (Dr. Web)    <Antivir@...ls.ru>
>    Eset (NOD32)                 <sample@...32.com>
>    F-Secure Corp.               <samples@...ecure.com>
>    Frisk Software (F-PROT)      <viruslab@...rot.com>
>    Grisoft (AVG)                <virus@...soft.cz>
>    H+BEDV (AntiVir):            <virus@...ivir.de>
>    Kaspersky Labs               <newvirus@...persky.com>
>    Network Associates (McAfee)  <virus_research@....com>
>    Norman (NVC)                 <analysis@...man.no>
>    Sophos Plc.                  <support@...hos.com>
>    Symantec (Norton)            <avsubmit@...antec.com>
>    Trend Micro (PC-cillin)      <virus_doctor@...ndmicro.com>
>      (Trend may only accept files from users of its products)
...

First off, Nick, thanks a bunch for sharing that info with the list.

FYI, I sent in a sample to NAI using the above address. I got an 
autoreply that it was received, then another autoreply that it was not a 
known threat and that it was being forwarded to an AVERT researcher. So, 
I deleted the backdoor trojan, as I had already submitted it to the 
company we have a site license with. (I sent it into NAI as the computer 
that was infected with it had McAfee on it.)

Later, I got an E-mail that they had a virus gateway strip the sample 
out of my message as "potentially unsafe", and gave me further 
instructions. They suggested using http://www.webimmune.net and/or 
zipping it and password protecting it, using the password "infected".

I imagine I'm not the only one amused by the fact that they want you to 
send malware to them in a password-protected Zip file (in light of 
recent Bagle variants :). I also find it oddly amusing (being that I am 
not a paying customer of theirs, and that only a few hundred or so 
people on my campus likely are) that they would filter potentially 
harmful attachments that were sent to a virus submission E-mail address.

I'll have to tell the user to use our site-licensed AV software instead 
if they want to detect this threat in the future. (Actually, it is 
probably still in my sent items, so I probably can comply with their 
request.) I'm just a bit perturbed that they acknowledged receipt of it, 
then they deleted it. (Paying customers might want to take note that 
they had their hands on something that a competitor identified as a 
backdoor trojan, but NAI still cannot detect it because they filtered 
E-mail sent via a virus submission address.)

Just thought I'd share my experience. Perhaps it will save someone else 
the frustration that I had.

Brian
-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."

