Discussion in 'other anti-virus software' started by IBK, Jun 21, 2006.
Inspector Clouseau saves the day once again!
Of course, otherwise you all get killed
Seriously, EVERYONE here got this SMS this morning. And this backdoor is quite nasty; it contains specially coded/manipulated things for its domain logging. Lots of people here got scared that they were getting charged $2 every day on their mobile phone bill and downloaded this critter. The result was an expanding botnet which steals money and spams people. I called him and he claimed not to know what a webserver is (he didn't know that I was aware that he works in software development). At that point I was pretty sure the guy already knew he had done something wrong. But this is not a joke anymore; lots of teenagers and especially women fall for this trick, since they are scared of having a $2 charge every day, especially for an online dating service!
Excellent job, and congratulations!!
What do I say to this:
Of course, the old adage: NEVER EVER SCREW WITH MAD MIKE WHILE HE'S ON A BENDER.
rofl... love it...
Good Job, Mike. Still waiting for that beer BTW. lol
Good job, still laughing
good work, IC!
You're a true Inspector.
Keep the good work.
I hope the Authorities will do something with your info...
roflmao. Stroke of genius.
Is it safe to say now FProt > NOD? Anyone?
I'm buying a license of each (renewing in the case of NOD32) out of respect for the people who work for both companies. NOD32 has been phenomenal for me, and with what I've seen of F-Prot since the Inspector joined the ranks I'm quickly becoming impressed there too.
Now to convince the wife that I *need* to buy two different AVs!
Just say that NOD32 is a required addon for F-Prot to function properly.
If she's not exactly computer savvy she shouldn't suspect anything
Just say that F-Prot+NOD32 is the "Pro" version of the product with full protection.
F-Prot NOD edition
Good job Mike.
Give me your phone number and I'll wake you up at 5 a.m. inviting you to drink some beers.
Our Press Release for those critters
There's also a big article at
how my wife shouted at me because she thought that I had subscribed her to this
Here's a (bad) Google online translation of it:
Here is the result for the antivirus scan for the backdoor, as of today..
Just a few AVs (Kaspersky, F-Prot, AVG, E-Trust, Fortinet) could detect it. Nod32 Heuristics could not see it...
Complete scanning result of "unregister.exe", received in VirusTotal at 06.24.2006, 15:17:05 (CET).
Antivirus Version Update Result
AntiVir 188.8.131.52 06.24.2006 no virus found
Authentium 4.93.8 06.23.2006 is a security risk or a "backdoor" program
Avast 4.7.844.0 06.23.2006 no virus found
AVG 386 06.23.2006 Downloader.Generic2.DJF
BitDefender 7.2 06.24.2006 no virus found
CAT-QuickHeal 8.00 06.24.2006 no virus found
ClamAV devel-20060426 06.23.2006 no virus found
DrWeb 4.33 06.24.2006 BackDoor.Dumaru.32
eTrust-InoculateIT 23.72.48 06.24.2006 Win32/Bambo.CF!Trojan
eTrust-Vet 12.6.2272 06.23.2006 Win32/Bambo.CF
Ewido 3.5 06.24.2006 Backdoor.Dumador.fa
Fortinet 184.108.40.206 06.24.2006 W32/DROPPER.BFE!tr
F-Prot 3.16f 06.23.2006 security risk or a "backdoor" program
Ikarus 0.2.65.0 06.23.2006 no virus found
Kaspersky 220.127.116.11 06.24.2006 Trojan-Downloader.Win32.Small.dcg
McAfee 4792 06.23.2006 no virus found
Microsoft 1.1481 06.24.2006 no virus found
NOD32v2 1.1620 06.24.2006 no virus found
Norman 5.90.21 06.23.2006 no virus found
Panda 18.104.22.168 06.24.2006 no virus found
Sophos 4.07.0 06.24.2006 no virus found
Symantec 8.0 06.24.2006 no virus found
TheHacker 22.214.171.124 06.23.2006 no virus found
UNA 1.83 06.23.2006 no virus found
VBA32 3.11.0 06.23.2006 BackDoor.Dumaru.32
VirusBuster 4.3.7:9 06.23.2006 no virus found
File size: 94720 bytes
Just a little side note... ewido detected it with a signature for that type of backdoor which is dated back to 12/07/2005
Yep, the Backdoor (irreal.exe, dropped) is old - it's a Dumaru Backdoor adjusted to upload to and log to the irrealhost webserver. The Backdoor drops several things including the keylogger DLL, which gets injected into explorer via the CreateRemoteProcess API.
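One way to check a machine for the kind of injection described above (a DLL loaded into explorer.exe from another process) is to list every module explorer.exe currently has mapped and flag the ones that do not live under the Windows directory or do not carry a valid Authenticode signature. The PowerShell below is an added example by the editor, not code from this thread or from any of the vendors mentioned; it assumes a current Windows host with PowerShell, run elevated and with the same bitness as explorer.exe so that the module list can be read.

```powershell
# Added example: triage the modules loaded into explorer.exe.
# Flags anything outside %SystemRoot% or without a valid Authenticode signature.
# Assumes an elevated PowerShell of the same bitness as explorer.exe.
$systemRoot = $env:SystemRoot

$suspects = foreach ($proc in Get-Process -Name explorer -ErrorAction Stop) {
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning ("Cannot read modules of PID {0}: {1}" -f $proc.Id, $_.Exception.Message)
        continue
    }
    foreach ($mod in $modules) {
        $path = $mod.FileName
        $inSystemRoot = $path.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unknown' }
        # Only report modules that fail at least one of the two checks.
        if (-not $inSystemRoot -or $status -ne 'Valid') {
            [pscustomobject]@{
                Pid       = $proc.Id
                Module    = $mod.ModuleName
                Path      = $path
                Signature = $status
                Company   = $mod.FileVersionInfo.CompanyName
            }
        }
    }
}

$suspects | Sort-Object Path | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: legitimate third-party shell extensions installed under Program Files will show up too, but a DLL sitting in a user-writable directory (a temp folder, the profile, the Windows root itself) with no signature and no company name is exactly what a dropped keylogger like the one described here would look like, and is worth pulling for a scan.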
Here is the result from Jotti..
I cannot see how respected AVs could not detect a variant of a known code.. Scary..
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: -
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic2.DJF
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Dumaru.32
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.dcg
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found BackDoor.Dumaru.32
Don't play too much into it. Nothing detects everything. I find things daily that some av's miss, others don't, and the brands vary accordingly. I think this is where heuristics and proactive defenses come into play as being pretty important - for any product.
Unpack the SFX shell first. Results will be a lot different then...
Unpacked the package, scanned the "irreal.exe", results are the *same*.. By the way, McAfee detects the package with new signatures as "New Poly Win32".
I am not playing into it. This is an "In-The-Wild" Trojan. The link to it was sent to 150,000 people's cell phones last week via SMS in Europe. This is not a Zoo variant. All AVs should have protected their users within a few days at the latest.
When Advanced Heuristics fail, they could at least release signatures before the month ends!!
Both Ewido and BOClean detect it.
Surprised NOD32 didn't detect it, so I submitted it to them.
I hope to see NOD32 detect it soon...