Security Incidents mailing list archives

RE: New Virus? The AV Vendors respond (long post)


From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 16 Aug 2005 15:04:04 -0400

It would appear that the e-mail I described did in
fact hold an infected attachment.

Several list members have pointed out that I could
have done some analysis prior to submitting my post.
While this is true, it isn't as easy as some would
have us all believe. I'm not a malware guy, or even
a programmer, but an IDS guy. I don't tell folks to
analyse their own logs before they ask me to look
at something, since they may believe I might know
more than they do, but I digress. IMHO, there are
people on this list with far more expertise in
analyzing malware than I, which is why I made my
post without any attempt on my part to figure it
out...

Anyway, I've received some responses from some
AV vendors and thought I'd share. The unfortunate
thing is that, while they all agree it's malicious,
they don't agree as to what exactly it is. Here is
the list of direct responses I received:

Sophos - W32/MyDoom-Gen

CA - Win32.Qweasy.A (analyst comment says it may be
a MS05-039 worm...)

McAfee - BackDoor-CEB (extra.dat provided with their
response)

Here's the output from virustotal.com:

Results of a file scan
This is a report processed by VirusTotal on 08/15/2005
at 22:48:03 (CET) after scanning the "email-doc.zip"
file.

Antivirus      Version         Update       Result
AntiVir        6.31.1.0        08.15.2005   no virus found
Avast          4.6.695.0       08.15.2005   no virus found
AVG            718             08.15.2005   no virus found
Avira          6.31.1.0        08.15.2005   no virus found
BitDefender    7.0             08.15.2005   BehavesLike:Win32.SiteHijack
CAT-QuickHeal  7.03            08.15.2005   no virus found
ClamAV         devel-20050725  08.15.2005   Worm.Mydoom.AT
DrWeb          4.32b           08.15.2005   no virus found
eTrust-Iris    7.1.194.0       08.15.2005   no virus found
eTrust-Vet     11.9.1.0        08.15.2005   no virus found
Fortinet       2.36.0.0        08.15.2005   suspicious
F-Prot         3.16c           08.15.2005   no virus found
Ikarus         0.2.59.0        08.12.2005   no virus found
Kaspersky      4.0.2.24        08.15.2005   Backdoor.Win32.Surila.x
McAfee         4558            08.15.2005   Generic Malware.a!zip
NOD32v2        1.1194          08.15.2005   probably unknown NewHeur_PE virus
Norman         5.70.10         08.15.2005   no virus found
Panda          8.02.00         08.15.2005   no virus found
Sophos         3.96.0          08.15.2005   W32/MyDoom-Gen
Sybari         7.5.1314        08.15.2005   W32/MyDoom-Gen
Symantec       8.0             08.15.2005   no virus found
TheHacker      5.8.2.088       08.15.2005   W32/Generic!zip-dobleextension
VBA32          3.10.4          08.15.2005   no virus found

As you can see, nothing concrete using the virus
definitions available as of yesterday.

A number of folks asked me to send them a copy.
I only forwarded to one person though, since I
knew who they were. All other such requests, I
must apologize, will not be answered. Sorry.

I hope this information proves useful. If any
of you out there have a more concrete answer
as to what this is, please share.

Alex Arndt
CISSP, GCIA, GCIH

"Within all order is the potential for chaos..." 
