throw away your antivirus programs

Discussion in 'other anti-virus software' started by Mr.Blaze, Aug 24, 2002.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    yup that's right, they're completely useless now. i did an updated virus check with norton and nothing happened, but when i ran a scan with tds: Positive variant identification: YAB 2.00 yuck

    further investigation shows that no av has it in their databases. turns out hackers or script kiddies and some pirates have been coating files and applications with this and have been able to go completely under any av program. the only thing that detected it was TDS
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    this came from a script kiddie site, and look what they say:
    Using YAB v2.00 Binder , you can easily get the files to slip through anti-virus detection, and hence you can install trojans and backdoors without them realising.

    and it's true, cause i just got done deleting the little bugger. the only thing that found it was tds
     
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    If no av vendor has info on this malware how did you find out this information on it?

    May I also suggest that you submit it to a few vendors for their examination, that's presuming it isn't a false positive.

    edit, I see, posted reply a tad too late. I still suggest you submit it to the vendors, if you still have it. Mind you, all this is still supposing someone is idiot enough to run an executable or similar from unsolicited sources; hopefully the combination of heuristics plus firewall should put paid to any antics at worst case.
     
  4. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    i just wanted it off my dang os, i wasn't purposely playing with it. i don't think it was a false positive, i'm pretty sure it's the real deal, especially when the only guys with information on it were the bad guys.

    thank god we have galvin, he's always up to date.

    as for submitting it, i won't even dream of downloading that again on purpose,

    but if a vendor wants it i'll give him the link to download it, so long as my name is kept private and confidential so as not to incriminate me type thing lol=)

    still it's getting pretty scary out there, people are manipulating variants of sub 7 and zombie with yab, not to mention some dangerous mutations.

    if it was a false positive then it's still strange that the bad guys are bragging about it. coincidence?
     
  5. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Re: throw away your antivirus programs

    I will not be removing my AV as of yet. I had never received a Klez worm via email prior to 3 days ago, and in the last three days I have received nothing short of 5 per day.

    Ifn' I hadn't a had my NOD32 I would be purchasing a new hard drive three times over.

    Edit- I just read me email for the first time today and had another 7 Klez emails. When it rains it pours.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sir Blaze,

    Well, IMHO it's not a nastie that a specific anti-virus needs to detect - rather an anti-trojan issue.

    Quite common these days - reason the more to have a good and updated anti-trojan installed and running ;)

    regards.

    paul
     

    Attached Files:

    • YAB2.gif (19.9 KB)
  7. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Maybe I'm lucky but I've never had a Klez infected mail yet.
    *Tinribs touches everything made of wood in sight*
     
  8. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Just in case, I have downloaded a copy, password protected it and sent it to 6 different av vendors. I feel, although they may be aware, I have done the right thing.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's the spirit! ;) Nevertheless: please be careful when visiting sites like these. In general I wouldn't recommend anyone visiting these and downloading stuff. :rolleyes:

    regards.

    paul
     
  10. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Don't worry Paul, I'm well aware of what I'm doing, it's how I've built up my test collections (as well as dissection and decompiling). But thanks for your concern, and a valid point it is too.
    ;)
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Fingers crossed! ;)

    regards.

    paul
     
  12. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    I must be a lucky man, in all my years of pc use I have only ever had 4 virus alerts, all stopped and none infected. I'm very careful, always practice Safe Hex http://www.claymania.com/safe-hex.html and so far so good, I must be doing something right! ;)
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Yep, Clay does run a very nice site indeed!

    I'm sure you are. Nevertheless, from our 250+ MB databases there are several that could cause severe trouble :rolleyes:

    regards.

    paul
     
  14. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Then you keep them locked up tight Paul ;) :D
     
  15. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    no, yab is a binder, i think mainly to coat a trojan etc i believe.

    correct me if i'm wrong but aren't binders in evil doers' hands meant to coat such nasties so they're undetected=/

    still when you've got guys like galvin and people at wilders for help it's pretty much a great relief=)
     
  16. controler

    controler Guest

    A binder does NOT a trojan make LOL

    All a binder does is bind one program to another; it could be a trojan or not. The binding program itself is not a problem.
    There are other binders out there, many of them.
    Generically find any binder, then give a popup warning of its existence, then you either delete or not, your choice...
     
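A generic check in the spirit of controler's "generically find any binder" remark, as an added example that is not part of the thread: many binders append the bound payload past the end of the last PE section (an "overlay"), and a scanner can flag that region regardless of what the payload is. The tiny PE builder and its bytes are constructed for the demo, and nothing here asserts how YAB itself works.

```python
import struct

# Added example (not code from the thread): a generic heuristic for spotting
# one common binder technique, appending the bound payload after the last
# PE section as an "overlay". It makes no claim about how YAB in particular
# works; sample data below is constructed for the demo.

def pe_overlay(data: bytes):
    """Return (offset, size) of data past the last section, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF header follows "PE\0\0"
    if data[e_lfanew:coff] != b"PE\0\0" or coff + 20 > len(data):
        return None
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsect):
        hdr = sect + 40 * i
        if hdr + 40 > len(data):
            return None                       # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or end >= len(data):
        return None
    return end, len(data) - end

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed, non-runnable PE layout: one 0x200-byte section at
    file offset 0x200, optionally followed by `overlay` bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                         # zeroed optional header
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # then 16 bytes of relocation/line-number fields
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect + bytes(16)
    return headers.ljust(0x200, b"\0") + bytes(0x200) + overlay

if __name__ == "__main__":
    print(pe_overlay(build_sample_pe()))                     # None
    print(pe_overlay(build_sample_pe(b"BOUND-PAYLOAD" * 5))) # (1024, 65)
```

An overlay is not proof of a binder (installers and signed files legitimately carry trailing data), so treat a hit as a reason to inspect, not to delete.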
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    True in essence. And there are lots of binders around.

    That said, bound executables are known to cause problems for AVs.

    regards.

    paul
     
  18. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Is this the same YAB ?

    12.08.2002
    14th addon for DrWeb 4.28
    Added 102 viruses to the DrWeb database. BAT.Generic.56,BackDoor.AnFTP.1(3),BackDoor.AntiLame.14(1-3), BackDoor.Fear.15, BackDoor.Glitch.10(1,2),BackDoor.BSSpy.109, BackDoor.Generic.69,70,71,72,73,74, BackDoor.Assassin.11 (1-4), BackDoor.Hunter.12(1-4), Trojan.PWS.AntiLame.10(3), BackDoor.Pigeon.3, BackDoor.Y3krat.1(1-3), HLLP.Birys.6773, Trojan.Aicore(1,2), Trojan.Aphex, Trojan.Gunsan.786, Trojan.Jason.10(1-3), Trojan.MulDrop.93,94,95, Trojan.KnetStat.32768, Trojan.Kcom(1-3),Trojan.KillProc.1536,W97M.WisMine(1,2), Trojan.Lameweb.1(1,2), Trojan.Mardam,Trojan.PWS.Platan(16),Win32.Radix.4100(2), Trojan.PWS.Zimenok.3(3-6),Trojan.Phrostic.102(1,2), :eek:******Trojan.YAB.201****** :eek:,W97M.Bobo(3), VBS.Generic.71,72,73,74,75,76,77,78,VBS.Redlof(2),W97M.Doctor,W97M.Minimal(25), W97M.Soob(1,2),W97M.Stamp,Win2K.Team.4096(2),Win32.HLLM.Bihup,Win32.HLLM.Higuy, Win32.HLLM.Buxtehude (1,2), Win32.HLLM.Frethem.17, Win32.HLLM.Generic.68, 69, Win32.HLLM.Glitch.62464, Win32.HLLM.Gunsan.1, 2, Win32.HLLO.Fixing.16384 (2), Win32.HLLM.Kitro.3,4, Win32.HLLM.Mi2(6), Win32.HLLW.Spreader, XM.Laroux(16-20).
     
  19. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    I've tested with DrWeb, fully updated, medium and deep heuristics, and it fails to see it, at least the copy I have.
     
  20. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    ekkkkkkkkkkkk so the binder does work on avs. thank god i got tds
     