
| Subject: | RE: New Virus? |
|---|---|
| Date: | Mon, 15 Aug 2005 23:35:44 +0200 |
I find http://sandbox.norman.no/live.html very useful for determining unknown files. It gives you quite nice information about it. Here is an example of output you will get with this:

Report created: 15.08.2005 23:38:35
Automatic Sandbox analysis of unknown malware (W32/Downloader)

[ General information ]
 * Creating several executable files on hard-drive.
 * File length: 38982 bytes.

[ Changes to filesystem ]
 * Deletes file autorun.inf.
 * Creates file C:\WINDOWS\System\CSRSS.EXE.
 * Creates file C:\TEMP\upd_0001.exe.

[ Changes to registry ]
 * Creates value ".svchost"="C:\WINDOWS\System\CSRSS.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
 * Opens URL: http://medabop.com/u/upd_0001.exe.

[ Security issues ]
 * Starting downloaded file - potential security problem.

[ Process/window information ]
 * Creates a mutex 3676C64A-W454-122E-BFC6-083C2BF4S551.
 * Will automatically restart after boot (I'll be back...).

Best regards,
Ragnar Harper

-----Original Message-----
From: Alex Arndt [mailto:aarndt@rogers.com]
Sent: 15. august 2005 21:50
To: incidents@security-focus.com; focus-virus@security-focus.com
Subject: New Virus?

Good day,

I just received an e-mail (subject: test) with a ZIP archive attachment that claims to be from "MAILER-DAEMON@rogers.com", but it is in reality from IP 66.31.78.168 (c-66-31-78-168.hsd1.nh.comcast.net). The ZIP attachment, when opened, contains an .EXE file that is attempting to look like a .DOC file by using a number of spaces in it. The filename in the e-mail I received is "aarndt@rogers.com.doc .exe". This is likely a Trojan or other backdoor program.

The interesting thing is that my AV software (which is the free CA anti-virus provided by Rogers Yahoo) is not picking it up, nor is the Symantec-based AV scanning that Rogers uses on inbound e-mail. I will be forwarding the e-mail to AV vendors as a sample. Just figured I'd give everyone a heads-up just in case...

FYI, a quick Google search of the .EXE filename came up with nothing. In fact, I got this error message when I tried to search for "rogers.com.doc .exe":

<SAMPLE WEB PAGE>
403 Forbidden
We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected. We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software. We apologize for the inconvenience, and hope we'll see you again on Google.
</SAMPLE WEB PAGE>

I hope this information proves useful,

Alex Arndt
CISSP, GCIA, GCIH
"Within all order is the potential for chaos..."
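Two triage checks for the case discussed in this thread, as an added example in Python (not part of the original messages and not Norman's tooling): a parser that turns the quoted SandBox report into structured indicators (dropped and deleted files, Run-key persistence, the download URL, the mutex) and a filename check for the "doc, run of spaces, .exe" trick Alex describes. The report text below is a constructed copy of the one Ragnar quoted; the "[ Section ]" header / "* item" layout, the trailing period on each item, and the exact "Creates file", "Creates value", "Opens URL" and "Creates a mutex" phrasings are assumed from that quote only and may not hold for other reports. The padded attachment name is constructed too, since the archive collapsed the original spaces.

```python
import re

# Constructed copy of the Norman SandBox report quoted in the thread (whitespace
# normalised). The "[ Section ]" / "* item" layout is assumed from that quote.
SAMPLE_REPORT = r"""Report created: 15.08.2005 23:38:35
Automatic Sandbox analysis of unknown malware (W32/Downloader)
[ General information ]
 * Creating several executable files on hard-drive.
 * File length: 38982 bytes.
[ Changes to filesystem ]
 * Deletes file autorun.inf.
 * Creates file C:\WINDOWS\System\CSRSS.EXE.
 * Creates file C:\TEMP\upd_0001.exe.
[ Changes to registry ]
 * Creates value ".svchost"="C:\WINDOWS\System\CSRSS.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
 * Opens URL: http://medabop.com/u/upd_0001.exe.
[ Security issues ]
 * Starting downloaded file - potential security problem.
[ Process/window information ]
 * Creates a mutex 3676C64A-W454-122E-BFC6-083C2BF4S551.
 * Will automatically restart after boot (I'll be back...).
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ITEM_RE = re.compile(r"^\*\s*(.*?)\.?$")            # drops the report's trailing period
RUN_KEYS = ("\\run", "\\runonce", "\\runservices")   # autostart keys, matched case-insensitively

EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"doc", "xls", "ppt", "pdf", "txt", "jpg", "gif", "zip"}


def parse_report(text):
    """Group the report's '* item' lines under their '[ Section ]' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.startswith("*"):
            sections[current].append(ITEM_RE.match(line).group(1))
    return sections


def extract_iocs(text):
    """Pull out the indicators a responder would block, hunt for, or send to AV vendors."""
    sections = parse_report(text)
    iocs = {"family": None, "dropped_files": [], "deleted_files": [],
            "registry": [], "persistence": [], "urls": [], "mutexes": []}
    fam = re.search(r"analysis of unknown malware \((.+?)\)", text)
    if fam:
        iocs["family"] = fam.group(1)
    for item in sections.get("Changes to filesystem", []):
        m = re.match(r"Creates file (\S+)$", item)
        if m:
            iocs["dropped_files"].append(m.group(1))
            continue
        m = re.match(r"Deletes file (\S+)$", item)
        if m:
            iocs["deleted_files"].append(m.group(1))
    for item in sections.get("Changes to registry", []):
        m = re.match(r'Creates value "(.*?)"="(.*?)" in key "(.*?)"$', item)
        if not m:
            continue
        entry = {"name": m.group(1), "data": m.group(2), "key": m.group(3)}
        iocs["registry"].append(entry)
        if m.group(3).lower().endswith(RUN_KEYS):
            # A Run value whose data is a file the sample itself dropped is the
            # "will automatically restart after boot" persistence the report flags.
            entry["points_to_dropped_file"] = m.group(2) in iocs["dropped_files"]
            iocs["persistence"].append(entry)
    for item in sections.get("Network services", []):
        m = re.match(r"Opens URL: (\S+)$", item)
        if m:
            iocs["urls"].append(m.group(1))
    for item in sections.get("Process/window information", []):
        m = re.match(r"Creates a mutex (\S+)$", item)
        if m:
            iocs["mutexes"].append(m.group(1))
    return iocs


def suspicious_attachment_name(name):
    """Reasons an attachment name looks like the 'name.doc<spaces>.exe' disguise.

    Only the final extension decides what Windows runs; padding and an inner
    document-style extension only exist to fool the reader (and a truncated column).
    """
    reasons = []
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXEC_EXTS:
        return reasons                      # not executable by extension: nothing to flag
    reasons.append("executable extension ." + ext.lower())
    if stem != stem.rstrip():
        reasons.append("whitespace padding hides the real extension")
    inner = stem.rstrip().rpartition(".")[2].lower()
    if inner in DECOY_EXTS:
        reasons.append("decoy document extension ." + inner)
    return reasons


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_REPORT).items():
        print(key, value)
    # Constructed stand-in for the padded name in the thread (spaces collapsed by the archive).
    print(suspicious_attachment_name("aarndt@rogers.com.doc" + " " * 12 + ".exe"))
```

Run on the quoted report this yields the two dropped files, the Run value ".svchost" pointing at the dropped CSRSS.EXE (note it is in C:\WINDOWS\System, not System32 where the genuine csrss.exe lives), the download URL and the mutex, which is the set you would block at the proxy, hunt for on other hosts, or attach to the vendor submission. The filename check looks at the name only and says nothing about the file's contents, so treat a hit as a reason to sandbox the sample, not as a verdict, and treat a miss the same way: a plain .exe with no decoy extension passes it.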