Full Disclosure mailing list archives

VX: Old worm in new shoes (AntiQFX)


From: X iniT <x1n1t () yahoo com>
Date: Fri, 25 Jun 2004 00:36:07 -0700 (PDT)

Hello all,


The attached file seems to be a variant of the AntiQFX
worm.

The AntiQFX worm masquerades as 
an old DOS utility, "MSCDEX.EXE". Basically, it
spreads via shared networks and deletes a few 
files which belong to a couple of photo editing
software packages.
It's PE-packed and has an anti-deletion routine.

So you might be guessing what's the big deal!!

Look closely and you'll see that I've attached this
file using my Yahoo account, which happens to be 
protected by NAV !!!

The following link clearly states that NAV has detected
this worm since 2002 !!! 
http://securityresponse.symantec.com/avcenter/venc/data/w32.antiqfx.f.worm.html

Same thing is with AVP, ClamV & F-Prot.

Only Sophos detects this file as AntiQFX.F variant.

So keep an eye out, friends; this incident has really
made me have second thoughts about antivirus software
and its reliability.


Regards,
X!


                

Attachment: MSCDEX.zip
Description: MSCDEX.zip

