Full Disclosure mailing list archives

Re: Virus on web site


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 03 Aug 2005 15:18:14 +1200

Johannes Schneider to Peter B. Harvey:

This virus at the time of my posting this is only detected by
Kaspersky and I cannot find any detail on the virus. Came in the
email as given below.

URL for the virus http://www.alias-search.com/images/msits.exe
Also found was the following url also the same virus
http://www.alias-search.com/images/msitsa.exe

Kaspersky detects it as msits.exe - infected by
Backdoor.Win32.Haxdoor.dw

Anyone with info on this virus?

infos about msits.exe
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=39520

Note that Kaspersky thought it was a "Haxdoor" variant.  Most AV 
engines use that name for this family (except McAfee's BackDoor-BAC).

While the URL you refer to does mention msits.exe, it seems very 
unlikely on its face to be relevant to Peter's request.  The msits.exe 
that was available from the URL Peter posted was approx 50KB (and
FSG-packed at that) but the web page you offered refers to an msits.exe of
a mere 6656 bytes, which is quite likely packed too, but it doesn't
say.  Mind you, there are several non-packed Win32 PE downloaders (and 
the msits.exe described at that ZL URL is a downloader) that weigh in 
at 4096 or fewer bytes...

Anyway, basic malware point -- filenames alone are not sufficiently 
diagnostic for something like what you did to _generally_ be helpful.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
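
The point about filenames in the message above, as an added example that is not part of the original post: a write-up is matched to a sample by content hash, or ruled out by size, and never by name. The `FileFacts` type, the function names and the sample bytes are assumptions constructed for illustration; only the two filenames and the 6656-byte and roughly 50 KB sizes come from the thread.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileFacts:
    """What is known about a file, from a sample in hand or from a write-up."""
    name: str
    size: Optional[int] = None      # length in bytes, if stated
    sha256: Optional[str] = None    # hex digest, if stated


def facts_from_bytes(name: str, data: bytes) -> FileFacts:
    """Record name, size and SHA-256 for a sample we actually hold."""
    return FileFacts(name, len(data), hashlib.sha256(data).hexdigest())


def same_file(sample: FileFacts, reference: FileFacts) -> str:
    """Return 'same', 'different' or 'unknown'. The name is never consulted."""
    if sample.sha256 and reference.sha256:
        equal = sample.sha256.lower() == reference.sha256.lower()
        return "same" if equal else "different"
    if None not in (sample.size, reference.size) and sample.size != reference.size:
        return "different"
    # Equal sizes, or nothing but a name to go on, settle nothing.
    return "unknown"


# Constructed stand-in for the roughly 50 KB sample (not real malware bytes).
SAMPLE_BYTES = bytes(range(256)) * 200                     # 51,200 bytes
sample = facts_from_bytes("msits.exe", SAMPLE_BYTES)
second_url = facts_from_bytes("msitsa.exe", SAMPLE_BYTES)  # same content, other name
writeup = FileFacts("msits.exe", size=6656)                # size the write-up gives
name_only = FileFacts("msits.exe")                         # a report with just a name

if __name__ == "__main__":
    print("vs write-up (same name, 6656 bytes):", same_file(sample, writeup))
    print("vs second URL (different name):     ", same_file(sample, second_url))
    print("vs name-only report:                ", same_file(sample, name_only))
```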

