Date: Mon Aug 8 19:48:42 2005
From: michael.hale at gmail.com (Michael Hale)
Subject: What is this
Antivirus doesn't detect it because it's packed with ASProtect 1.2.x
(using StudPE). You can see the difference when it's dumped out of RAM
into its uncompressed/decrypted form (see VirusTotal results below).
My interest is where you came across this URL. Can you provide that
information?
Scan results
File: DUMPED.php
Date: 08/08/2005 20:39:56 (CET)
----
AntiVir 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
Avast 4.6.695.0/20050808 found nothing
AVG 718/20050807 found nothing
Avira 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
BitDefender 7.0/20050808 found nothing
CAT-QuickHeal 7.03/20050808 found [(Suspicious) - DNAScan]
ClamAV devel-20050725/20050808 found [Trojan.Mybot-312]
DrWeb 4.32b/20050808 found [BackDoor.IRC.Sdbot.118]
eTrust-Iris 7.1.194.0/20050806 found nothing
eTrust-Vet 11.9.1.0/20050808 found [Win32.Slinbot]
Fortinet 2.36.0.0/20050808 found [suspicious]
F-Prot 3.16c/20050808 found nothing
Ikarus 0.2.59.0/20050808 found nothing
Kaspersky 4.0.2.24/20050808 found nothing
McAfee 4552/20050808 found [New Malware.b]
NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
Norman 5.70.10/20050805 found nothing
Panda 8.02.00/20050808 found nothing
Sophos 3.96.0/20050808 found nothing
Sybari 7.5.1314/20050808 found [Win32.Slinbot]
Symantec 8.0/20050808 found [W32.Randex]
TheHacker 5.8.2.082/20050808 found nothing
VBA32 3.10.4/20050808 found [suspected of Backdoor.RxBot.2]
On 8/8/05, trains@...torunix.com <trains@...torunix.com> wrote:
> Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior@...ps.com.br>:
>
> > Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
> > AntiVirus and SpyBot don't detect it!!!
> >
> > Armando Guimarães Jr
>
> It is an MS-EXE executable program. Antivirus doesn't find it because
> it is not a virus. Spybot for the same reason. To block these you
> need an SMTP policy that does not allow executable attachments in
> incoming emails.
>
> "What it does" could be anything from typing "hello world" in a dialog
> box (unlikely) to creating a new Administrator account on your
> corporate AD server and posting the entire contents thereof to an IRC
> channel (somewhat more likely). But at first glance it looks like it
> is going to open a backdoor shell on the recipient's PC.
>
> tc
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
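The detection gap described in the thread (a packed executable that signature scanners miss until it is dumped from memory and unpacked) is something a triage script can flag before a sample is submitted anywhere. The following is an added example, not code from the thread or from StudPE or VirusTotal: it walks a PE's section table by hand, computes the Shannon entropy of each section's raw bytes, and reports the file as probably packed when a section carries a well-known packer name or has near-random content. The packer name list is a deliberately small, partial assumption, the 7.0 bits/byte threshold is a common working value rather than a standard, and the two PE images are constructed inline (mostly-zero headers, not runnable binaries) so the script runs offline. It generalizes beyond the ASProtect case in the thread: the heuristic applies to any packer that leaves compressed or encrypted sections on disk.

```python
import hashlib
import math
import struct

# Well-known packer section names (a deliberately small, partial list; an
# assumption for this example, not an exhaustive signature database).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1"}

# Compressed or encrypted data looks close to uniformly random; 7.0 bits/byte is a
# common working threshold for "probably packed" on sections of meaningful size.
ENTROPY_THRESHOLD = 7.0
MIN_SECTION_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Walk the DOS header, PE signature, file header and section table by hand and
    yield (section_name, raw_bytes) for every section in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    for i in range(num_sections):
        hdr = section_table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr_raw:ptr_raw + size_raw]


def assess_packing(pe: bytes) -> dict:
    """Return per-section entropy plus a packed/not-packed verdict with its reasons."""
    sections, reasons = [], []
    for name, raw in pe_sections(pe):
        ent = shannon_entropy(raw)
        sections.append((name, len(raw), round(ent, 2)))
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        if len(raw) >= MIN_SECTION_SIZE and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {ent:.2f} bits/byte")
    return {"sections": sections, "packed": bool(reasons), "reasons": reasons}


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE32 layout around the given (name, raw_bytes) sections.
    Constructed test data for this example: headers are mostly zero and it does not run."""
    opt_hdr_size = 224  # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x0102)
    first_raw = 64 + 4 + 20 + opt_hdr_size + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        entry = name.encode("ascii").ljust(8, b"\0")
        entry += struct.pack("<IIII", len(raw), 0x1000, len(raw), first_raw + len(body))
        table += entry.ljust(40, b"\0")  # relocation/line-number fields and flags left zero
        body += raw
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr_size) + bytes(table) + bytes(body)


# Constructed inputs: a low-entropy "code" section, and a high-entropy blob
# (deterministic SHA-256 output standing in for a compressed/encrypted payload).
CLEAN_PE = build_sample_pe([(".text", b"push ebp; mov ebp, esp; ret\n" * 200)])
PACKED_PE = build_sample_pe([
    ("UPX0", b""),
    ("UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, assess_packing(image))
```

A "packed" verdict is the cue to do what the thread describes: run the sample in an isolated environment, dump the process image once the unpacking stub has finished, and scan the dump rather than the on-disk file. Entropy alone is a heuristic; legitimately compressed resources or embedded certificates can push a section past the threshold, so treat the reasons list as triage input, not proof.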