Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
- From: "Suresh Ponnusami" <surya@xxxxxxxxxxx>
- Date: Wed, 3 Mar 2004 16:45:35 +0530
Another variant against the Netsky virus. It is packed with
UPX. It spreads as a password-protected zip file, which
bypasses almost all the AV scanners with the latest
signature updates because no AV can decrypt it
without the password (though the password is in the message
content); we humans tend to open it after reading the message.
OK, the analysis of the virus:
* Known as Beagle.H and another variant is Beagle.I
* McAfee identifies it as W32/Bagle.gen@MM
* Packed with UPX
* Contains in-built smtp server
* Creates authentic-looking smart messages which might
_trick_ most people into executing the content.
(But when will users get the knowledge about security??)
:((
* Random zip password generation (all the passwords are
5-6 digits)
* Contains "'Hey, NetSky, f**k off you b*t*h, don''t ruine our
bussiness, wanna start a war?'
* Connects and downloads the password protected zip from
http://postertog.de/scr.php or http://www.gfotxt.net/scr.php
or from http://www.maiklibis.de/scr.php or from http://151.201.0.39/
All the hosts were down at the time of this mail.
* Does not contain any dangerous payload and performs other
common virus thingies.
* Auto starts via SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
Update your AV to the latest signatures. Do not open anything
that does not make sense to you, even if it is from a known
person, especially when the zip contains files with .pif, .scr, .exe
or .com extensions or any other executable attachments.
-
Suresh Ponnusami,
Information Security Consultant,
nSecure Software (P) Ltd.
INDIA
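The point of the analysis above is that a scanner cannot decrypt the attachment, but a mail gateway still has two things to work with: a zip entry's name is stored in clear even when its contents are encrypted, and this worm puts its 5-6 digit password in the message body next to the attachment. The following is an added example, not code from the original post or from any AV vendor. It hand-assembles a small ZipCrypto-encrypted archive purely as an offline fixture (the hypothetical names build_encrypted_zip, triage_zip, candidate_passwords and recover_password, the sample message text and the password 48213 are all constructed for this illustration), then flags encrypted entries with executable names without any decryption, and finally tries the numbers found in the body as the password the way a gateway could.

```python
"""Gateway-side triage for the password-protected zip trick described above.

Added example, not code from the original post. Two facts drive it: a zip
entry's NAME is stored in clear even when its contents are encrypted, and
this worm puts a 5-6 digit password in the message body next to the
attachment. build_encrypted_zip() exists only to fabricate an offline
fixture; the ZipCrypto (traditional PKWARE) cipher it implements is what
the stdlib zipfile module can read back with pwd=.
"""
import io
import re
import struct
import zipfile
import zlib

# --- constructed fixture: a stored, ZipCrypto-encrypted archive ---

def _crc32_byte(ch, crc):
    # One table step of CRC-32; zlib's pre/post XOR is undone so this is the
    # raw primitive the ZipCrypto key schedule uses.
    return zlib.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, plaintext):
    """ZipCrypto stream cipher; mirrors zipfile's decrypter byte for byte."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(c):
        nonlocal k0, k1, k2
        k0 = _crc32_byte(c, k0)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc32_byte(k1 >> 24, k2)
    for c in password:
        update(c)
    out = bytearray()
    for p in plaintext:
        t = k2 | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)                       # schedule advances on the plaintext byte
    return bytes(out)

def build_encrypted_zip(entries, password):
    """Hand-assemble a zip (method 0 = stored) with flag bit 0 (encrypted) set."""
    dosdate = ((2004 - 1980) << 9) | (3 << 5) | 3   # 2004-03-03
    local, central = b"", b""
    for name, data in entries.items():
        crc = zlib.crc32(data)
        # 12-byte encryption header; byte 12 is the CRC high byte, the only
        # cheap password check a reader can do before decrypting everything.
        header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
        enc = zipcrypto_encrypt(password, header + data)
        fname, offset = name.encode("ascii"), len(local)
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0,
                             dosdate, crc, len(enc), len(data), len(fname), 0)
        local += fname + enc
        central += struct.pack("<4sBBBBHHHHIIIHHHHHII", b"PK\x01\x02", 20, 0,
                               20, 0, 1, 0, 0, dosdate, crc, len(enc),
                               len(data), len(fname), 0, 0, 0, 0, 0, offset)
        central += fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd

# --- the actual gateway checks ---

EXEC_EXT = (".pif", ".scr", ".exe", ".com")   # extensions the post warns about

def triage_zip(zip_bytes):
    """[(name, encrypted, executable_name)] read from the central directory,
    i.e. with no password and no decryption at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1),
                 zi.filename.lower().endswith(EXEC_EXT))
                for zi in zf.infolist()]

def candidate_passwords(body):
    """Every standalone 5-6 digit token in the message text."""
    return re.findall(r"\b\d{5,6}\b", body)

def recover_password(zip_bytes, body):
    """Try the body's candidates on the first encrypted entry; None if no fit.
    A wrong password usually fails the header check byte (RuntimeError) and
    otherwise fails the CRC after decryption (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        target = next((zi for zi in zf.infolist() if zi.flag_bits & 0x1), None)
        if target is None:
            return None
        for pwd in candidate_passwords(body):
            try:
                zf.read(target.filename, pwd=pwd.encode())
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None

# Constructed sample message and attachment (hypothetical, not a real one).
SAMPLE_BODY = "Your document is attached.\nPassword: 48213\nRef 2004-03-03 id 7"
SAMPLE_ZIP = build_encrypted_zip({"document.pif": b"MZ not really a PE"}, b"48213")

def demo():
    flagged = [n for n, enc, exe in triage_zip(SAMPLE_ZIP) if enc and exe]
    return flagged, recover_password(SAMPLE_ZIP, SAMPLE_BODY)

if __name__ == "__main__":
    print(demo())
```

Even without the password step, the triage_zip check alone is enough to quarantine the message: an encrypted archive whose only entry is a .pif is not something a legitimate sender produces. The password step only matters if the gateway wants to extract the payload for signature scanning, and note that ZipCrypto's one-byte check lets roughly 1 in 256 wrong candidates through to the CRC check, which is why both exceptions are caught.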
----- Original Message -----
From: "Kristian Hermansen" <khermansen@xxxxxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Wednesday, 03 March, 2004 04:04 AM
Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
> Attached backdoor not recognized by Kaspersky or Norton 2004? I received
> this file recently, but Kaspersky did not detect malicious code.
> Wondering
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html