IRC-Flooder ?

Discussion in 'NOD32 version 2 Forum' started by basti, Jul 28, 2006.

Thread Status:
Not open for further replies.
  1. basti

    basti Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    48
    At what Sign. Update are we protected against this kind of Backdoor etc.?

    Because these are the results of other AV companies dated 27.07.2006:

    AntiVir BDS/Zapchast.BT
    Avast! Win32:Hidewnd [Trj]
    AVG HideWindow (Trojan horse)
    BitDefender Spyware.Adspace.DLL
    ClamAV Trojan.IRC.Flood.AQ
    Command -/-
    Dr Web Trojan.Flood.22016
    eSafe Win32.Polipos.sus
    eTrust-INO Win32/IRCFLood.6ra!Dropper
    eTrust-VET -/-
    Ewido -/-
    F-Prot virus dropper
    F-Secure Backdoor.IRC.Zapchast
    Fortinet Misc/MIRC
    Ikarus -/-
    Kaspersky not-a-virus:RiskTool.Win32.HideWindows
    McAfee HideWindow (potentially unwanted program)
    Microsoft Tool:Win32/HideWindows
    Nod32 -/-
    Norman -/-
    Panda Trj/Multidropper.BLU
    QuickHeal -/-
    Sophos Troj/Zapchas-BT
    Symantec -/-
    Trend Micro -/-
    UNA -/-
    VBA32 BackDoor.IRC.based
    VirusBuster Trojan.DR.Flood.BM
    WebWasher Trojan.Zapchast.BT
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Backdoor? Why do you say that? Does the sample, when run, give outside users remote access to your PC? It doesn't look like a backdoor trojan according to most of the results in what you've listed (i.e. "not-a-virus...", "... potentially unwanted program", "Tool..." etc.)

    Where do you get your results from? NOD32 is usually good at detecting these "not-a-virus:RiskTool.Win32.HideWindows" samples if you have set it to also detect Potentially dangerous applications. NOD32 detects all 7 variants I have of this sample at least.
     
  3. basti

    basti Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    48
    @kjempen

    Sorry, you're right. I do not exactly know what it was, a trojan, backdoor or something like that. I just found an article in a German online magazine. I cannot post the link, because I think it is forbidden here to post an external link in a foreign language, or another language than English.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, it is ok, just don't post links to live malware.

    Cheers :D
     
  5. basti

    basti Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    48
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    mmm...Panda calls it multidropper and Kaspersky not-a-virus. Let's see what ESET has to say. Perhaps they'll add it.
     
  7. ASpace

    ASpace Guest

    According to the names which other companies give to it, it seems it is not such a dangerous PUP. I guess the files dropped later are detected.
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, you guess ...but are they really detected? :D
     
  9. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Be aware that the article speaks of an archive containing 13 files; five INI files, six EXE files, one DLL file, and one COM file. There may be multiple baddies in this archive, probably not as harmless as I wrote earlier (before seeing the article).
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, is it an archive or a packed EXE file? In the latter case perhaps NOD doesn't have support for those packers.
     
  11. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    From what I can understand, it says in the article that it's a self-extracting archive. So maybe that's why NOD32 doesn't report anything.
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Perhaps. ;) Generally NOD should scan inside SFX, but maybe this one is encrypted using a special method.
     