Inspector Clouseau found another bad guy :)

Discussion in 'other anti-virus software' started by IBK, Jun 21, 2006.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Inspector Clouseau saves the day once again! :D
     
  3. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Of course, otherwise you all get killed :D

    Seriously, EVERYONE here got this morning this SMS. And this backdoor is quite nasty, contains special coded/manipulated things for his domain logging. Lots of people here got scared that they are getting charged every day $2 to their mobile phone bill and downloaded this critter. The result was a extending botnet which steals money and spams people. I called him and he claimed not to know what a webserver is ( he didn't know that i was aware that he works in software development :D ) At this time i was pretty sure the guy knows already he did something wrong. But this is not a joke anymore, lots of teenagers and especially womans fall for this trick since they are scared to have every day a $2 charge especially for a online dating service!
     
  4. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Excellent job, and congratulations!! :eek:

    :D
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    What do I say to this:

    SIMPLY BRILLIANT

    Of course, the old adage: NEVER EVER SCREW WITH MAD MIKE WHILE HE'S ON A BENDER.

    rofl... love it...
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Good Job, Mike. Still waiting for that beer BTW. lol
     
  7. ElPapyo

    ElPapyo Registered Member

    Joined:
    Sep 24, 2003
    Posts:
    8
    Good job, still laughting :)
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    good work, IC!
    You're a true Inspector. :p
    Keep the good work. :thumb:
     
  9. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Nice work! :D

    I hope the Authorities will do something with your info...
     
  10. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    roflmao. Stroke of genius.

    Is it safe to say now FProt > NOD? Anyone? *puppy*
     
  11. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN

    I'm buying a license of each (renewing in the case of NOD32) out of respect for the people who work for both companies. NOD32 has been phenomenal for me, and with what I've seen of F-Prot since the Inspector joined the ranks I'm quickly becoming impressed there too.

    Now to convince the wife that I *need* to buy two different AVs! :-*
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Just say that NOD32 is a required addon for F-Prot to function properly.
    If she's not exactly computer sawy she shoudn't suspect anything ;)
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Just say that F-Prot+NOD32 is the "Pro" version of the product will full protection.

    F-Prot NOD edition :D
     
  14. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    S?o Paulo, Brazil
    LOL.

    Good job Mike.
    Give me your phone number and I'll wake you up at 5.am. inviting you to drink some beers.:D
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
  17. kurdadam

    kurdadam Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    26
    Here is the result for the antivirus scan for the backdoor, as of today..

    Just a few AVs (Kaspersky, F-Prot, AVG, E-Trust, Fortinet) could detect it. Nod32 Heuristics could not see it...



    STATUS: FINISHED

    Complete scanning result of "unregister.exe", received in VirusTotal at 06.24.2006, 15:17:05 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.16 06.24.2006 no virus found
    Authentium 4.93.8 06.23.2006 is a security risk or a "backdoor" program
    Avast 4.7.844.0 06.23.2006 no virus found
    AVG 386 06.23.2006 Downloader.Generic2.DJF
    BitDefender 7.2 06.24.2006 no virus found
    CAT-QuickHeal 8.00 06.24.2006 no virus found
    ClamAV devel-20060426 06.23.2006 no virus found
    DrWeb 4.33 06.24.2006 BackDoor.Dumaru.32
    eTrust-InoculateIT 23.72.48 06.24.2006 Win32/Bambo.CF!Trojan
    eTrust-Vet 12.6.2272 06.23.2006 Win32/Bambo.CF
    Ewido 3.5 06.24.2006 Backdoor.Dumador.fa
    Fortinet 2.77.0.0 06.24.2006 W32/DROPPER.BFE!tr
    F-Prot 3.16f 06.23.2006 security risk or a "backdoor" program
    Ikarus 0.2.65.0 06.23.2006 no virus found
    Kaspersky 4.0.2.24 06.24.2006 Trojan-Downloader.Win32.Small.dcg
    McAfee 4792 06.23.2006 no virus found
    Microsoft 1.1481 06.24.2006 no virus found
    NOD32v2 1.1620 06.24.2006 no virus found
    Norman 5.90.21 06.23.2006 no virus found
    Panda 9.0.0.4 06.24.2006 no virus found
    Sophos 4.07.0 06.24.2006 no virus found
    Symantec 8.0 06.24.2006 no virus found
    TheHacker 5.9.8.164 06.23.2006 no virus found
    UNA 1.83 06.23.2006 no virus found
    VBA32 3.11.0 06.23.2006 BackDoor.Dumaru.32
    VirusBuster 4.3.7:9 06.23.2006 no virus found


    Aditional Information
    File size: 94720 bytes
    MD5: 7d2cab34fdb70fdad5ba05045d7adf96
    SHA1: 0e0ccb8a1a0c556a5fd6c96d36f19e3016712e88
     
  18. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Just a little side note... ewido detected it with a signature for that type of backdoor which is dated back to 12/07/2005 :)
     
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yep, the Backdoor (irreal.exe, dropped) is old - it's a Dumaru Backdoor adjusted to upload and to log to irrealhost webserver. The Backdoor drops several things including the keylogger dll which gets injected via CreateRemoteProcess API into explorer.
     
  20. kurdadam

    kurdadam Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    26
    Here is the result from Jotti..

    I cannot see how respected AVs could not detect a variant of a known code.. Scary..



    File: unregister.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 7d2cab34fdb70fdad5ba05045d7adf96

    Packers detected: -

    Scanner results

    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found Downloader.Generic2.DJF
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found BackDoor.Dumaru.32
    F-Prot Antivirus Found security risk or a "backdoor" program
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.dcg
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found BackDoor.Dumaru.32
     
  21. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Don't play too much into it. Nothing detects everything. I find things daily that some av's miss, others don't, and the brands vary accordingly. I think this is where heuristics and proactive defenses come into play as being pretty important - for any product.
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    @kurdadam
    Unpack the SFX shell first. Results will be a lot different then...
     
  23. kurdadam

    kurdadam Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    26
    Unpacked the package, scanned the "irreal.exe", results are the *same*.. By the way, McAfee detects the package with new signatures as "New Poly Win32".

    I am not playing into it. This is an "In-The-Wild" Trojan. The link to it was sent to 150.000 people's cell phone last week via SMS in Europe. This is not a Zoo variant. All AVs should have protected their users in a few days time at the latest.

    When Advanced Heuristics fail, they could at least release signatures before the month ends!!
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Both Ewido and BOClean detect it.
     
  25. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
Loading...
Thread Status:
Not open for further replies.