Full Disclosure mailing list archives

Re: Possible New Malware


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 15 Sep 2004 11:52:41 +1200

Perrymon, Josh L. wrote:

> Anyone Heard of BackDoor-CIW?

Not until now, but I can tell you immediately that it is an NAI/McAfee 
name...

> This is a piece of malware with the .exe of winstr32.exe that is causing 99%
> CPU on a couple of machines at a remote location. I found that one infected
> machine does not have MS04-11 patched. So that could be an attack vector.

> I get no luck googling for the .exe or BackDoor-CIW (this is what
> Postini identifies the file as).

Makes sense -- Postini uses NAI/McAfee (and maybe others?) for their 
virus scanning.  There is no entry in NAI's VIL (Virus Information 
Library) for this name either and other information available to me 
suggests it will be a new backdoor isolated within the last few days 
(unlikely more than a week ago).

> I'm trying to get a copy to put in my VMWare Lab.

Please make sure you do not have bridged networking set up between your 
VM and a live Internet connection.  Such irresponsibility is 
apparently OK at SANS, but not anywhere in professional anti-malware 
research.

Also, please send a sample to the AV developers you trust to handle it 
properly.  Here is a list of the suspect-file submission addresses for 
the better-known AV developers, which may save you having to look up the 
necessary address(es):

   Authentium (Command Antivirus)  <virus () authentium com>
   Computer Associates (US)        <virus () ca com>
   Computer Associates (Vet/EZ)    <support () vet com au>
   DialogueScience (Dr. Web)       <Antivir () dials ru>
   Eset (NOD32)                    <sample () nod32 com>
   F-Secure Corp.                  <samples () f-secure com>
   Frisk Software (F-PROT)         <viruslab () f-prot com>
   Grisoft (AVG)                   <virus () grisoft cz>
   H+BEDV (AntiVir, Vexira engine) <virus () antivir de>
   Kaspersky Labs                  <newvirus () kaspersky com>
   Network Associates (McAfee)     <virus_research () nai com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis () norman no>
   Panda Software                  <labs () pandasoftware com>
   Sophos Plc.                     <support () sophos com>
   Symantec (Norton)               <avsubmit () symantec com>
   Trend Micro (PC-cillin)         <virus_doctor () trendmicro com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
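The bridged-networking warning above is easy to check mechanically before a sample is ever run. The following is an added example, not code from the original post or from either correspondent: it parses the `key = "value"` lines of a VMware `.vmx` file, reports every present virtual NIC whose `connectionType` is `bridged` (or `custom`, which can also be attached to a physical interface), and rewrites those adapters to VMware's isolated `hostonly` network. The sample `.vmx` text is constructed for illustration; the key names (`ethernetN.present`, `ethernetN.connectionType`) are the ones VMware products write, but the file layout of any real lab VM should be checked against its own `.vmx`.

```python
"""Flag and fix bridged NICs in a VMware .vmx before detonating a sample.

Added example (not from the original post).  The .vmx text below is a
constructed sample with two active NICs, one of them bridged.
"""
import re
from typing import Dict, List

# Constructed sample .vmx: ethernet0 is bridged to a physical interface,
# ethernet1 is host-only, ethernet2 is bridged but not present (disabled).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "FALSE"
ethernet2.connectionType = "bridged"
'''

# One .vmx line: key = "value" (values are always double-quoted).
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Connection types that can put the guest on a real network segment.
UNSAFE_TYPES = {"bridged", "custom"}


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the .vmx key/value pairs with keys lower-cased for comparison."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def bridged_adapters(text: str) -> List[str]:
    """List present NICs (e.g. 'ethernet0') whose connection type is unsafe."""
    conf = parse_vmx(text)
    bad = []
    for key, value in conf.items():
        nic, _, field = key.partition(".")
        if field != "connectiontype" or not nic.startswith("ethernet"):
            continue
        # VMware treats a missing ethernetN.present as TRUE, so default to it.
        present = conf.get(f"{nic}.present", "TRUE").upper() == "TRUE"
        if present and value.lower() in UNSAFE_TYPES:
            bad.append(nic)
    return sorted(bad)


def harden(text: str) -> str:
    """Rewrite every unsafe, present NIC to the isolated 'hostonly' network."""
    bad = set(bridged_adapters(text))
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            key = m.group(1).lower()
            nic = key.partition(".")[0]
            if nic in bad and key.endswith(".connectiontype"):
                out.append(f'{m.group(1)} = "hostonly"')
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("bridged adapters:", bridged_adapters(SAMPLE_VMX))
    print(harden(SAMPLE_VMX))
```

Run it against a real file with `bridged_adapters(open("lab.vmx").read())` while the VM is powered off, since VMware rewrites the `.vmx` on shutdown. Note that `hostonly` only removes the guest from the physical segment: the host still sits on the same virtual network, so the host should not be forwarding or NATing for it, and the lab's snapshot should be reverted after each run.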

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html