Backdoor.Hackarmy.gen not detected by many

Discussion in 'other anti-virus software' started by Mack Jones, Jul 25, 2004.

Thread Status:
Not open for further replies.
  1. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    o_O

    Gents,
    I've heard about a new virus called Backdoor.Hackarmy.gen by KAV online scanner, which is not detected by DrWeb online, NOD32 [EDIT: NOW DETECTED BY NOD] ...but by McAfee and by Norman heuristically using its sandbox.
    Take care, it's a 12 KB archive named "ArnoldSchwarzenegger.zip".
     
    Last edited: Jul 26, 2004
  2. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    The latest variant seems to have been added in today's update.

    25.07.2004 Twenty-sixth add-on for Dr.Web® 4.31
    Twenty-sixth add-on increases number of Dr.Web® virus records on 224:
    BackDoor.Hackamy(15)

    http://www.sald.com/news1.html
     
  3. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Hell !
    something's wrong...
    here is what I get:

    Virus records: 52557
    ArnoldSchwarzenegger.zip - archive ZIP
    >>ArnoldSchwarzenegger.zip/Arnold Schwarzenegger.scr - Ok
    ArnoldSchwarzenegger.zip - Ok

    online scanner test at 10:57 PM (GMT)
     
  4. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    This is detected by NOD32 as of this writing.

    EDIT: The version detected is a variant. At this end, as of now, the above file isn't detected by NOD32--at least not on my box.
     
    Last edited: Jul 25, 2004
  5. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    thank you for your help JimIT ! :)
     
  6. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Maybe it is not the same as the sample you have o_O
    Might be time for submission perhaps?... http://www.dials.ru/english/support/
     
  7. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    DrWeb detects it now :)

    Virus records: 52571
    ArnoldSchwarzenegger.zip - archive ZIP
    >>ArnoldSchwarzenegger.zip/Arnold Schwarzenegger.scr infected BackDoor.Hackamy

    What about NOD32 ? (my licence expired)
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Backdoor.Hackarmy.gen = a GENERIC detection of kav engine. this means that it's a large signature to detect many different variants of the same backdoor.
     
  9. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Thank you Illukka for this remark :)
    That proves that KAV is a step ahead in terms of sig. detection

    I just hope Eset will include it as soon as possible.
     
  10. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Brežice
    Norman Virus Control is a real great thing! Strange that it isn't so well-known as KAV or F-prot.
     
  11. alien8

    alien8 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    15
    Hi,

    As a side note to this, you could submit the file here:

    http://virusscan.jotti.dhs.org/

    OsamaFoundDead.zip has been submitted 11 times already but it's a good
    site to use when you have a new virus that doesn't seem to be picked up,
    as it scans with various AV vendors.

    Don't abuse the service as Jotti is doing all this for free!

    ClamAV (and other AV vendors on the site) also get to see the "missed"/"new" viruses that people submit using the service, so we can all benefit :)

    Cheers,

    Steve
     
  12. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Well, I would say due to its flaws when it comes to finding ITW viruses.
    Norman shows to be -Excellent- in heuristic, only good for ITW.

    And I think I'll choose NVC instead of renewing my NOD32 licence ;)
    but it's worth 60 bucks... :doubt:
     
  13. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Yes, it's detected now.
    ;)
     
  14. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    eTrust detects it since yesterday (I think :rolleyes: :doubt: )

    Info.
     
  15. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Brežice

    What is an ITW ?
     
  16. Stephan123

    Stephan123 Registered Member

    Joined:
    May 15, 2004
    Posts:
    135
    Location:
    The netherlands
    Avast can't detect this one :-(
     
  17. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
  18. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    how is that? It's added on July 23 :rolleyes:
    VPS history
     
  19. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Maybe a variant...
    I got one but I'll not post it here, and you know why :rolleyes:
    This file comes with an archive called ArnoldSchwarzenegger.zip

    Edit:
    Now this topic could be closed, this trojan is now detected by most vendors.

    AntiVir BDS/Hackarmy.D (1.23 seconds taken)
    BitDefender Backdoor.SDBot.Gen (probable variant) (3.11 seconds taken)
    ClamAV Trojan.SdBot.Gen-94 (5.13 seconds taken)
    Dr.Web BackDoor.Hackamy (6.31 seconds taken)
    F-Prot Antivirus security risk or a "backdoor" program (0.37 seconds taken)
    F-Secure Anti-Virus Backdoor.Hackarmy.gen (4.02 seconds taken)
    Kaspersky Anti-Virus Backdoor.Hackarmy.gen (3.92 seconds taken)
    McAfee VirusScan BackDoor-AZV (3.02 seconds taken)
    Norman Sandbox: W32/Backdoor

    ;)
     
    Last edited: Jul 26, 2004
  20. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
  21. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    i'd say it proves just that KAV has received more samples of this backdoor than other vendors. you really need a lot of samples/variants to make a generic detection that is worth something.. a LOT that is
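
The two points illukka makes in this thread (a generic detection is one signature covering many variants, and building a useful one takes many samples) can be shown with a toy model. This is an added example, not part of the thread and not any vendor's method; the sample layout, `CORE` bytes and all names are constructed assumptions.

```python
# Constructed byte strings stand in for samples; nothing here comes from a real file.
CORE = b"\x90" * 4 + b"FAMILY-CORE-ROUTINE"   # part every variant shares (assumed)
MIN_SIG_LEN = 8                                # shorter runs would match clean files


def make_variant(server: bytes, pad: int) -> bytes:
    """Hypothetical variant layout: header, padding, per-build config, shared core."""
    return b"MZ" + b"\x00" * pad + b"CFG[" + server + b"]" + CORE


def longest_common_run(samples: list[bytes]) -> bytes:
    """Longest byte run present in every sample (brute force; fine for tiny inputs)."""
    base = min(samples, key=len)
    for length in range(len(base), 0, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""


def detect(signature: bytes, data: bytes) -> bool:
    """Match only with a signature long enough to be meaningful."""
    return len(signature) >= MIN_SIG_LEN and signature in data


A = make_variant(b"irc.example.test", 8)
B = make_variant(b"irc.example.test", 16)    # same config, different padding
C = make_variant(b"10.0.0.1", 4)             # different config
NEW = make_variant(b"new.example.test", 32)  # variant no vendor has received yet
CLEAN = b"MZ" + b"\x00" * 8 + b"CFG[local]ordinary program"


def report() -> dict[str, tuple[bool, bool]]:
    """For signatures built from 1, 2 and 3 samples: (detects NEW, flags CLEAN)."""
    out = {}
    for name, known in (("1 sample", [A]), ("2 samples", [A, B]), ("3 samples", [A, B, C])):
        sig = longest_common_run(known)
        out[name] = (detect(sig, NEW), detect(sig, CLEAN))
    return out


if __name__ == "__main__":
    for name, (hits_new, hits_clean) in report().items():
        print(f"{name}: detects new variant={hits_new}, false positive={hits_clean}")
```

With one or two samples the derived signature still contains build-specific bytes and misses the unseen variant; only the third, differently configured sample narrows it to the shared core.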
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hackarmy is a (slightly) stripped down variant of SDBot ;)
     
  23. Stephan123

    Stephan123 Registered Member

    Joined:
    May 15, 2004
    Posts:
    135
    Location:
    The netherlands
    No. Avast can't detect it now. It only detects Osamafoundead and not the Arnold file
     
  24. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Sorry not to see Panda mentioned, as Titanium caught this bugger right away.

    Panda is doing a great job for me for a long time already and it surprises me not to read much about it!
    Great scanner, light, fast, simple, great updates, malware detection, mail scan! It's not highly configurable, but it does the job perfectly as far as I'm concerned.

    ;)

    Putin
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK