Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: "Bernardo Quintero" <bernardo () hispasec com>
Date: Wed, 3 Mar 2004 13:48:07 +0100

It's Bagle/Beagle.J. The problem is that the file is password-protected, so it's not
obvious how a scanner will get it until it's opened. Notice that the e-mail includes the
password ("65316"). In fact Norton finds it when the ZIP is opened and the extracted
file hits the file system.

The problem is the antivirus installed in the perimeter, that does not
detect those samples. Exist some antivirus that detects the ZIP infected
without knowing the password:

Scan results
 File: TextDocument.zip
 Date: 03/03/2004 13:14:16
InoculateIT 4625/20040302 found nothing
NOD32 1.648/20040303 found [Win32/Bagle.gen.zip]
Kaspersky 3.0/20040303 found nothing
McAfee 4.2.60/20040302 found nothing
Norton 8.0/20040302 found nothing
Panda 7.02.00/20040303 found [W32/Bagle.pwdzip]
Sybari 7.50.1138/20040303 found nothing
TrendMicro 1.00/20040302 found nothing

Bernardo Quintero
bernardo () hispasec com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]