Full Disclosure mailing list archives
Re: Possible New Malware
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 15 Sep 2004 11:52:41 +1200
Perrymon, Josh L. wrote:
Anyone Heard of BackDoor-CIW?
Not until now, but I can tell you immediately that is an NAI/McAfee name...
This is a piece of malware with the .exe of winstr32.exe that is causing 99% CPU on a couple of machines at a remote location. I found that one infected machine does not have MS04-11 patched. So that could be an attack vector. I get no luck googling for the .exe or BackDoor-CIW <---- This is what Postini identifies the file as.
Makes sense -- Postini uses NAI/McAfee (and maybe others?) for their virus scanning. There is no entry in NAI's VIL (Virus Information Library) for this name either and other information available to me suggests it will be a new backdoor isolated within the last few days (unlikely more than a week ago).
I'm trying to get a copy to put in my VMWare Lab.
Please make sure you do not have bridged networking set up between your VM and a live Internet connection. Such irresponsibility is apparently OK at SANS, but not anywhere in professional anti-malware research. Also, please send a sample to the AV developers you trust to handle it properly. Here is a list of the suspect file submission addresses for the better-known AV developers which may save you having to look up the necessary address(es):

Authentium (Command Antivirus) <virus () authentium com>
Computer Associates (US) <virus () ca com>
Computer Associates (Vet/EZ) <support () vet com au>
DialogueScience (Dr. Web) <Antivir () dials ru>
Eset (NOD32) <sample () nod32 com>
F-Secure Corp. <samples () f-secure com>
Frisk Software (F-PROT) <viruslab () f-prot com>
Grisoft (AVG) <virus () grisoft cz>
H+BEDV (AntiVir, Vexira engine) <virus () antivir de>
Kaspersky Labs <newvirus () kaspersky com>
Network Associates (McAfee) <virus_research () nai com> (use a ZIP file with the password 'infected' without the quotes)
Norman (NVC) <analysis () norman no>
Panda Software <labs () pandasoftware com>
Sophos Plc. <support () sophos com>
Symantec (Norton) <avsubmit () symantec com>
Trend Micro (PC-cillin) <virus_doctor () trendmicro com> (Trend may only accept files from users of its products)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html