Inspector Clouseau found another bad guy :)

http://www.av-experts.org/weblog/?p=32

 

Inspector Clouseau saves the day once again!

 

Of course, otherwise you all get killed

Seriously, EVERYONE here got this morning this SMS. And this backdoor is quite nasty, contains special coded/manipulated things for his domain logging. Lots of people here got scared that they are getting charged every day $2 to their mobile phone bill and downloaded this critter. The result was a extending botnet which steals money and spams people. I called him and he claimed not to know what a webserver is ( he didn't know that i was aware that he works in software development ) At this time i was pretty sure the guy knows already he did something wrong. But this is not a joke anymore, lots of teenagers and especially womans fall for this trick since they are scared to have every day a $2 charge especially for a online dating service!

 

Excellent job, and congratulations!!

 

What do I say to this:

SIMPLY BRILLIANT

Of course, the old adage: NEVER EVER SCREW WITH MAD MIKE WHILE HE'S ON A BENDER.

rofl... love it...

 

Good Job, Mike. Still waiting for that beer BTW. lol

 

Good job, still laughting

 

good work, IC!
You're a true Inspector.
Keep the good work.

 

Nice work!

I hope the Authorities will do something with your info...

 

roflmao. Stroke of genius.

Is it safe to say now FProt > NOD? Anyone?

 

I'm buying a license of each (renewing in the case of NOD32) out of respect for the people who work for both companies. NOD32 has been phenomenal for me, and with what I've seen of F-Prot since the Inspector joined the ranks I'm quickly becoming impressed there too.

Now to convince the wife that I *need* to buy two different AVs!

 

Just say that NOD32 is a required addon for F-Prot to function properly.
If she's not exactly computer sawy she shoudn't suspect anything

 

Just say that F-Prot+NOD32 is the "Pro" version of the product will full protection.

F-Prot NOD edition

 

LOL.

Good job Mike.
Give me your phone number and I'll wake you up at 5.am. inviting you to drink some beers.

 

http://www.f-prot.com/news/vir_alert/060622_sms_irreal_dating.html

Our Press Release for those critters

 

There's also a big article at
http://www.onlinekosten.de/news/artikel/21669
how my wife shouted at me because she thought that i subscribed her to this

here's a (bad) google online translation of it:
http://translate.google.com/transla...&hl=en&ie=UTF-8&oe=UTF-8&prev=/language_tools

 

Here is the result for the antivirus scan for the backdoor, as of today..

Just a few AVs (Kaspersky, F-Prot, AVG, E-Trust, Fortinet) could detect it. Nod32 Heuristics could not see it...



STATUS: FINISHED

Complete scanning result of "unregister.exe", received in VirusTotal at 06.24.2006, 15:17:05 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.16 06.24.2006 no virus found
Authentium 4.93.8 06.23.2006 is a security risk or a "backdoor" program
Avast 4.7.844.0 06.23.2006 no virus found
AVG 386 06.23.2006 Downloader.Generic2.DJF
BitDefender 7.2 06.24.2006 no virus found
CAT-QuickHeal 8.00 06.24.2006 no virus found
ClamAV devel-20060426 06.23.2006 no virus found
DrWeb 4.33 06.24.2006 BackDoor.Dumaru.32
eTrust-InoculateIT 23.72.48 06.24.2006 Win32/Bambo.CF!Trojan
eTrust-Vet 12.6.2272 06.23.2006 Win32/Bambo.CF
Ewido 3.5 06.24.2006 Backdoor.Dumador.fa
Fortinet 2.77.0.0 06.24.2006 W32/DROPPER.BFE!tr
F-Prot 3.16f 06.23.2006 security risk or a "backdoor" program
Ikarus 0.2.65.0 06.23.2006 no virus found
Kaspersky 4.0.2.24 06.24.2006 Trojan-Downloader.Win32.Small.dcg
McAfee 4792 06.23.2006 no virus found
Microsoft 1.1481 06.24.2006 no virus found
NOD32v2 1.1620 06.24.2006 no virus found
Norman 5.90.21 06.23.2006 no virus found
Panda 9.0.0.4 06.24.2006 no virus found
Sophos 4.07.0 06.24.2006 no virus found
Symantec 8.0 06.24.2006 no virus found
TheHacker 5.9.8.164 06.23.2006 no virus found
UNA 1.83 06.23.2006 no virus found
VBA32 3.11.0 06.23.2006 BackDoor.Dumaru.32
VirusBuster 4.3.7:9 06.23.2006 no virus found


Aditional Information
File size: 94720 bytes
MD5: 7d2cab34fdb70fdad5ba05045d7adf96
SHA1: 0e0ccb8a1a0c556a5fd6c96d36f19e3016712e88

 

Just a little side note... ewido detected it with a signature for that type of backdoor which is dated back to 12/07/2005

 

Yep, the Backdoor (irreal.exe, dropped) is old - it's a Dumaru Backdoor adjusted to upload and to log to irrealhost webserver. The Backdoor drops several things including the keylogger dll which gets injected via CreateRemoteProcess API into explorer.

 

Here is the result from Jotti..

I cannot see how respected AVs could not detect a variant of a known code.. Scary..



File: unregister.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 7d2cab34fdb70fdad5ba05045d7adf96

Packers detected: -

Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic2.DJF
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Dumaru.32
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.dcg
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found BackDoor.Dumaru.32

 

Don't play too much into it. Nothing detects everything. I find things daily that some av's miss, others don't, and the brands vary accordingly. I think this is where heuristics and proactive defenses come into play as being pretty important - for any product.

 

@kurdadam
Unpack the SFX shell first. Results will be a lot different then...

 

Unpacked the package, scanned the "irreal.exe", results are the *same*.. By the way, McAfee detects the package with new signatures as "New Poly Win32".

I am not playing into it. This is an "In-The-Wild" Trojan. The link to it was sent to 150.000 people's cell phone last week via SMS in Europe. This is not a Zoo variant. All AVs should have protected their users in a few days time at the latest.

When Advanced Heuristics fail, they could at least release signatures before the month ends!!

 

Both Ewido and BOClean detect it.

 

Surprised NOD32 didn't detect it, so I submitted it to them.

I hope to see NOD32 detect it soon...

http://img54.imageshack.us/img54/5246/virustotal2ea.th.png