maybe FP

Discussion in 'ESET NOD32 Antivirus' started by apm, Jan 26, 2008.

Thread Status:
Not open for further replies.
  1. apm

    apm Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    162
    Last edited by a moderator: Jan 26, 2008
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    It does not like the OBJECT code contained in the beginning of the html file.

    AllapleWorm.gif
     
  3. apm

    apm Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    162
    "about[1].htm" from jotti's scan:

    ~Online scan results removed per Policy~

    When the file is named "about[1].txt", NOD32 detects nothing, but when it is renamed to "about[1].htm", NOD32 detects it as the Win32/Allaple.Gen worm.
     
    Last edited by a moderator: Jan 27, 2008
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The link is still active but if one clicks on the link in the first post above it will not go anywhere since it was altered yesterday by Ronjor to prevent accidental clicking. The Object code mentioned above is also still active on the page this AM.
     

  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe it was a server glitch as I'm positive I used "http://... ". Anyway, we have analysed the html code and it really seems to contain Allaple's code.
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    So it is not an FP then?
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Should this code (worm) also be detected by NOD2.7 and when using Firefox? I visited the same page and NOD didn't give a warning...
     
  9. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Both Firefox and Internet Explorer trigger the alarm over here.
    Edit: So does Opera.
     
  10. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I don't know if they did earlier, but more now detect this threat, including Kaspersky, Microsoft, AntiVir and McAfee, so it is looking less and less likely that it is an FP.
     
  11. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It is not an FP. The only reason I asked was that Marcos said it SEEMS to contain Allaple code, not that it DOES, so I just wanted some clarification. Other vendors are adding it as well now.
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    True and since I am not a qualified analyzer, I'd still be curious to know what they are keying on if not the Object ID code :doubt:

    As mentioned above and as shown in the pic, the Object html code is what appears to be the trigger. In fact, if one were to upload the below as an html file to Jotti/VT, the same results are found, even with legit Flash and Media Player CLSIDs.

    Code:
    <HTML>
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
    
    <OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
    </HTML>
     
  13. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    According to the analysis report I got, the CLASSIDs are randomly generated each time the trojan is executed which adds to the difficulty in detecting it of course.
     
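As an added example (not code from the thread, from Bubba, or from ESET), here is a small Python check written from the defender's side of posts 12 and 13: it flags an HTML file on the structural pattern Bubba reproduced, a chain of empty OBJECT tags, rather than on the CLSID values themselves, which is why legitimate Flash and Media Player CLSIDs still trip it and why randomly generated CLSIDs do not help a file slip past it. The regex, the threshold of four consecutive tags, and the sample pages are my assumptions.

```python
import re

# Empty OBJECT tag of the shape shown in the thread: the separator before CLASSID
# is optional (the sample has none) and the CLSID value may end in a space.
OBJECT_RE = re.compile(
    r'<OBJECT\s+type="application/x-oleobject"\s*CLASSID="CLSID:'
    r'([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\s*">\s*</OBJECT>',
    re.IGNORECASE,
)
# Legitimate ActiveX CLSIDs used in the forum sample (Flash, Windows Media Player).
KNOWN_CLSIDS = {
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Shockwave Flash",
    "6BF52A52-394A-11D3-B153-00C04F79FAA6": "Windows Media Player",
}

def longest_run(html, matches):
    """Longest chain of matched tags separated by nothing but whitespace."""
    best = run = prev_end = 0
    for m in matches:
        run = run + 1 if run and html[prev_end:m.start()].strip() == "" else 1
        best, prev_end = max(best, run), m.end()
    return best

def scan_html(html, min_run=4):
    """The chain of empty OBJECT tags is the signal; CLSID values are only reported
    so the analyst can see whether they are known products or random (as in post 13)."""
    matches = list(OBJECT_RE.finditer(html))
    clsids = {m.group(1).upper() for m in matches}
    run = longest_run(html, matches)
    return {"suspicious": run >= min_run, "object_tags": len(matches),
            "longest_run": run, "unknown_clsids": sorted(clsids - set(KNOWN_CLSIDS))}

def make_injected(clsids):
    # Constructed page in the same shape as the sample above: no space before
    # CLASSID, trailing space inside the value, blank line between tags.
    tags = ['<OBJECT type="application/x-oleobject"CLASSID="CLSID:%s "></OBJECT>' % c
            for c in clsids]
    return "<HTML>\n" + "\n\n".join(tags) + "\n</HTML>"

# Constructed inputs, not files from the thread; the "random" CLSIDs are placeholders.
INJECTED_KNOWN = make_injected(list(KNOWN_CLSIDS) * 3)
INJECTED_RANDOM = make_injected(["11111111-2222-3333-4444-555555555555",
                                 "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"] * 2)
# A normal single Flash embed carries PARAM children, so it is not an empty tag.
BENIGN = ('<HTML><OBJECT type="application/x-oleobject" CLASSID="CLSID:D27CDB6E-AE6D-'
          '11cf-96B8-444553540000"><PARAM name="movie" value="intro.swf"></OBJECT></HTML>')

if __name__ == "__main__":
    for name, doc in [("known", INJECTED_KNOWN), ("random", INJECTED_RANDOM), ("benign", BENIGN)]:
        print(name, scan_html(doc))
```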