Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: "Suresh Ponnusami" <surya () nsecure net>
Date: Wed, 3 Mar 2004 16:45:35 +0530

Another variant against the Netsky virus. It's is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through all most all the AV scanners with
latest signature updates because No AV can decrypt it
without the password. (though password is in the message
content), we humans tend to open it after reading the message.

Ok!, the analysis of the virus.
* Known as Beagle.H and another variant is Beagle.I
* Mcafee identifies it as W32/Bagle.gen () MM

* Packed with UPX
* Contains in-built smtp server
* Creates Authentic Looking Smart Messages which might
  _trick_ most people to execute the content.
(But when will user's get the knowledge about security??)
* Random zip password generation (all the passwords are
  5-6 digits)
* Contains "'Hey, NetSky, f**k off you b*t*h, don''t ruine our
  bussiness, wanna start a war?'
* Connects and downloads the password protected zip from
  http://postertog.de/scr.php or http://www.gfotxt.net/scr.php
  or from http://www.maiklibis.de/scr.php or from
  All the hosts were down at the time of this mail.
* Does not contain any dangerous payload and performs other
  common virus thingies.
* Auto starts via  SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Update your AV to the latest signatures. Do not open anything
that does not make any sense to you. Even if it is from any known
person. Especially when the zip contains files with .pif, .scr, .exe,
.com extensions and any other executable attachments.
Suresh Ponnusami,
Information Security Consultant,
nSecure Software (P) Ltd.
----- Original Message -----
From: "Kristian Hermansen" <khermansen () ht-technology com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, 03 March, 2004 04:04 AM
Subject: [Full-disclosure] Backdoor not recognized by Kaspersky

Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
this file recently, but Kaspersky did not detect malicious code.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]