Security Incidents mailing list archives
RE: New Virus? The AV Vendors respond (long post)
From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 16 Aug 2005 15:04:04 -0400
It would appear that the e-mail I described did in fact hold an infected attachment. Several list members have pointed out that I could have done some analysis prior to submitting my post. While this is true, it isn't as easy as some would have us all believe. I'm not a malware guy, or even a programmer, but an IDS guy. I don't tell folks to analyse their own logs before they ask me to look at something, since they may believe I might know more than they do, but I digress. IMHO, there are people on this list with far more expertise in analyzing malware than I, which is why I made my post without any attempt on my part to figure it out...

Anyway, I've received some responses from some AV vendors and thought I'd share. The unfortunate thing is that, while they all agree it's malicious, they don't agree as to what exactly it is. Here is the list of direct responses I received:

- Sophos - W32/MyDoom-Gen
- CA - Win32.Qweasy.A (analyst comment says it may be a MS05-039 worm...)
- McAfee - BackDoor-CEB (extra.dat provided with their response)

Here's the output from virustotal.com:

Results of a file scan
This is a report processed by VirusTotal on 08/15/2005 at 22:48:03 (CET) after scanning the "email-doc.zip" file.
Antivirus       Version          Update       Result
AntiVir         6.31.1.0         08.15.2005   no virus found
Avast           4.6.695.0        08.15.2005   no virus found
AVG             718              08.15.2005   no virus found
Avira           6.31.1.0         08.15.2005   no virus found
BitDefender     7.0              08.15.2005   BehavesLike:Win32.SiteHijack
CAT-QuickHeal   7.03             08.15.2005   no virus found
ClamAV          devel-20050725   08.15.2005   Worm.Mydoom.AT
DrWeb           4.32b            08.15.2005   no virus found
eTrust-Iris     7.1.194.0        08.15.2005   no virus found
eTrust-Vet      11.9.1.0         08.15.2005   no virus found
Fortinet        2.36.0.0         08.15.2005   suspicious
F-Prot          3.16c            08.15.2005   no virus found
Ikarus          0.2.59.0         08.12.2005   no virus found
Kaspersky       4.0.2.24         08.15.2005   Backdoor.Win32.Surila.x
McAfee          4558             08.15.2005   Generic Malware.a!zip
NOD32v2         1.1194           08.15.2005   probably unknown NewHeur_PE virus
Norman          5.70.10          08.15.2005   no virus found
Panda           8.02.00          08.15.2005   no virus found
Sophos          3.96.0           08.15.2005   W32/MyDoom-Gen
Sybari          7.5.1314         08.15.2005   W32/MyDoom-Gen
Symantec        8.0              08.15.2005   no virus found
TheHacker       5.8.2.088        08.15.2005   W32/Generic!zip-dobleextension
VBA32           3.10.4           08.15.2005   no virus found

As you can see, nothing concrete using the virus definitions available as of yesterday.

A number of folks asked me to send them a copy. I only forwarded to one person though, since I knew who they were. All other such requests, I must apologize, will not be answered. Sorry.

I hope this information proves useful. If any of you out there has a more concrete answer as to what this is, please share.

Alex Arndt
CISSP, GCIA, GCIH
"Within all order is the potential for chaos..."
Current thread:
- New Virus? Alex Arndt (Aug 15)
- Re: New Virus? Eduardo Vela (Aug 16)
- RE: New Virus? The AV Vendors respond (long post) Alex Arndt (Aug 16)
- RE: New Virus? James C Slora Jr (Aug 16)
- Re: New Virus? James Polley (Aug 18)
- RE: New Virus? James C Slora Jr (Aug 18)
- Re: New Virus? Eduardo Vela (Aug 19)
- Re: New Virus? James Polley (Aug 18)
- <Possible follow-ups>
- Re: New Virus? dave_mikesch (Aug 15)
- RE: New Virus? Ragnar Harper (Aug 15)
- RE: New Virus? Harlan Carvey (Aug 15)