IRC Bot not flagged by NOD32

dvk01 · May 21, 2005

full details here
https://www.wilderssecurity.com/showthread.php?t=80066

we had the fix posted ( May 14th, 2005, 10:51 AM ) a few days before Norton "Discovered" it May 17, 2005

Primrose · May 21, 2005

dvk01 said:

the picrate can be detected as there is code there even though it's corrupt

the alcan worm aka W32.Alcra.A

http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

the 2 byte files only contain 2 letters MZ

no av can detect a 2 byte file reliably as the MZ is the start of most executable files and it's no good going by name as the names can be legit
Click to expand...

And when that one is clean off by Norton..is the PC then crippled..or are they just left..I am trying to figure out the need to detect them if the exploit is stopped.

Primrose · May 21, 2005

dvk01 said:

full details here
https://www.wilderssecurity.com/showthread.php?t=80066

we had the fix posted ( May 14th, 2005, 10:51 AM ) a few days before Norton "Discovered" it May 17, 2005
Click to expand...

Yes I know

dvk01 · May 21, 2005

if they are not removed then the usual way of running the legitimate process by start/run and just typing the name won't work

so CMD
netstat
ping
regedit
tasklist
taskkill
tracert

won't work

the authors of the worm obviously thought that by disabling the ability to remove it easily & it's reg keys etc it would continue to do it's deeds

You know that it's almost impossible to delete a running file and if taskkill is disabled to stop it running and regedit is disabled to stop the start up keys being fixed then it's harder to kill off

Primrose · May 21, 2005

Thanks..yup seen many do the hijackthis having to deal with that problem left since not many type in cmd.exe etc etc..but I did not think that if Norton cleaned the PC of the p2p thingie..that it would then leave a PC still crippled.

But doing it all manually does create a problem..and have seen people who had parts of it cleaned..find out later they could not do a regedit..ping or cmd...unles the typed in the full regedit.exe.

http://www.wiscnet.net/cl-ping

BTW · May 21, 2005

Primrose said:

You missed one since there are three.
Click to expand...

Maybe, after seeing one, I thought it was a netsky variant and did not pay much more attention

Primrose said:

I guess you do not then even have NOD ..but best I guess to give "your customer" the benefit of the doubt his NOD was updated and set up correctly.
Click to expand...

Yes I do : it's my resident for years and KAV on demand. At least it's well set on my machine. It was not detected by NOD32 on demand with advanced heuristic till added to the DB

Primrose said:

Thanks again for submitting it..best to you in your own bizness.

It is strange that your customer would not know where he/she got picture_14.exe.

I suspect it was from Messenger..hope you warned them to be careful.

I don't think anyone else will ever be hit with picture_14.exe.

What do you think ?
Click to expand...

Lot of lambda users click like lucky Luke and don't remember after five minutes what they have done and why
When you tell them, they never listen and if by any chance they listen , they never learn, alas ;(
I think this little bot like many others is just a poor SK job unpacking and repacking a stupid trojan written with the feeds. No chance for wide spreading for this one :-D

Cheers,

Log in or Sign up

IRC Bot not flagged by NOD32

dvk01 Global Moderator

Primrose Registered Member

Primrose Registered Member

dvk01 Global Moderator

Primrose Registered Member

BTW Guest

Log in or Sign up

IRC Bot not flagged by NOD32

dvk01 Global Moderator

Primrose Registered Member

Primrose Registered Member

dvk01 Global Moderator

Primrose Registered Member

BTW Guest

Useful Searches