MysteryFCM
Sergeant

 Joined: Feb 07, 2007 Posts: 125 Location: Tyneside, UK
Posted: Mon Nov 12, 2007 2:56 am Post subject: ISC: WoW
Ref: http://isc.sans.org/diary.html?storyid=3630
Files attached
Only one I had problems grabbing was NZ.exe ..... kept freezing the FTP client at 100% (seems to be all here though).
_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net
MysteryFCM
Posted: Mon Nov 12, 2007 3:31 am Post subject:
DB.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 -
BitDefender 7.2 2007.11.12 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 Win32.QuickBatch.c
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.12 Backdoor.Win32.Agent.cpl
Ikarus T3.1.1.12 2007.11.12 -
Kaspersky 7.0.0.125 2007.11.12 Backdoor.Win32.Agent.cpl
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 -
Rising 20.17.62.00 2007.11.11 Worm.BAT.CopyRun.a
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 Trojan.Dropper
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 Win32.EPO.gen (suspicious)
|
hirc.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 -
BitDefender 7.2 2007.11.12 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 -
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.12 -
Ikarus T3.1.1.12 2007.11.12 -
Kaspersky 7.0.0.125 2007.11.12 -
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 -
Rising 20.17.62.00 2007.11.11 -
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 -
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 -
|
nc.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 Potentially harmful program RemoteAdmin.GJ
BitDefender 7.2 2007.11.12 Application.NTSniff.110
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 PUA.NetTool.Netcat-19
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 Backdoor.Ncx.a
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 RAT/Netcat
F-Prot 4.4.2.54 2007.11.10 W32/Netcat
F-Secure 6.70.13030.0 2007.11.12 -
Ikarus T3.1.1.12 2007.11.12 not-a-virus:RemoteAdmin.Win32.NetCat.110
Kaspersky 7.0.0.125 2007.11.12 not-a-virus:RemoteAdmin.Win32.NetCat.110
McAfee 5160 2007.11.09 potentially unwanted program Generic PUP
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 Win32/RemoteAdmin
Norman 5.80.02 2007.11.09 -
Panda 9.0.0.4 2007.11.11 HackTool/NetCat.A
Prevx1 V2 2007.11.12 -
Rising 20.17.62.00 2007.11.11 Trojan.Mnless.ktr
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 NetCat
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 Riskware.RemoteAdmin.Net
|
vnckiller.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 -
BitDefender 7.2 2007.11.12 -
CAT-QuickHeal 9.00 2007.11.10 Trojan.Runner.b
ClamAV 0.91.2 2007.11.11 -
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 Win32.QuickBatch.c
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.12 -
Ikarus T3.1.1.12 2007.11.12 -
Kaspersky 7.0.0.125 2007.11.12 -
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 -
Panda 9.0.0.4 2007.11.11 Suspicious file
Prevx1 V2 2007.11.12 -
Rising 20.17.62.00 2007.11.11 Worm.BAT.CopyRun.a
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 Trojan.Killfiles
TheHacker 6.2.9.123 2007.11.10 Trojan/Dropper.QuickBatch.b
VBA32 3.12.2.4 2007.11.11 BackDoor.Pcih
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 -
|
PI.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 SHeur.ZWY
BitDefender 7.2 2007.11.12 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 W32/Heuristic-162!Eldorado
F-Secure 6.70.13030.0 2007.11.12 Backdoor.Win32.Bifrose.bia
Ikarus T3.1.1.12 2007.11.12 -
Kaspersky 7.0.0.125 2007.11.12 Backdoor.Win32.Bifrose.bia
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 -
Panda 9.0.0.4 2007.11.11 -
Prevx1 V2 2007.11.12 Heuristic: Suspicious Self Modifying EXE
Rising 20.17.62.00 2007.11.11 -
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 VIPRE.Suspicious
Symantec 10 2007.11.12 Backdoor.Trojan
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 Win32.EPO.gen (suspicious)
|
NZ.exe
| Quote: | AhnLab-V3 2007.11.10.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.11 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 -
BitDefender 7.2 2007.11.12 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 PUA.Packed.Themida
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 Win32.QuickBatch.c
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.12 Backdoor.Win32.Rbot.ewl
Ikarus T3.1.1.12 2007.11.12 -
Kaspersky 7.0.0.125 2007.11.12 Backdoor.Win32.Rbot.ewl
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 -
Panda 9.0.0.4 2007.11.11 -
Prevx1 V2 2007.11.12 Heuristic: Suspicious Self Modifying EXE
Rising 20.17.62.00 2007.11.11 Worm.BAT.CopyRun.a
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 -
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 Win32.EPO.gen (suspicious)
|
MysteryFCM
Posted: Mon Nov 12, 2007 3:32 am Post subject:
Weird .... formatting went to pot ....
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5865
MysteryFCM
Posted: Mon Nov 12, 2007 4:34 am Post subject:
np
MysteryFCM
Posted: Wed Dec 26, 2007 6:07 pm Post subject:
2 files dated 24th and 25th respectively ..... detection is pretty good, but could be better.
DB.exe = rBot
DBx.exe = IRCBot
DBx.exe
| Code: | AhnLab-V3 2007.12.27.10 2007.12.26 Win32/Fuas.worm.81408
AntiVir 7.6.0.46 2007.12.26 DR/Delphi.Gen
Authentium 4.93.8 2007.12.26 W32/Backdoor.BOZV
Avast 4.7.1098.0 2007.12.26 -
AVG 7.5.0.516 2007.12.25 BackDoor.Ircbot.BAF
BitDefender 7.2 2007.12.26 -
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.26 Trojan.Dropper-2317
DrWeb 4.44.0.09170 2007.12.26 BackDoor.Poison
eSafe 7.0.15.0 2007.12.26 -
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.26 -
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.26 -
F-Prot 4.4.2.54 2007.12.25 W32/Backdoor.BOZV
F-Secure 6.70.13030.0 2007.12.26 Backdoor.Win32.IRCBot.adi
Ikarus T3.1.1.15 2007.12.26 Backdoor.Win32.IRCBot.adi
Kaspersky 7.0.0.125 2007.12.26 Backdoor.Win32.IRCBot.adi
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 Backdoor:Win32/IRCbot.OV
NOD32v2 2747 2007.12.25 Win32/IRCBot.YZ
Norman 5.80.02 2007.12.26 -
Panda 9.0.0.4 2007.12.25 Bck/IRCbot.BCX
Prevx1 V2 2007.12.26 -
Rising 20.24.21.00 2007.12.26 Backdoor.Win32.IRCbot.adi
Sophos 4.24.0 2007.12.26 Mal/Behav-154
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.26 W32.IRCbot
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.26 Backdoor.Win32.IRCBot.adi
VirusBuster 4.3.26:9 2007.12.26 Backdoor.IRCBot.BEE
Webwasher-Gateway 6.6.2 2007.12.26 Trojan.Dropper.Delphi.Gen
|
DB.exe
| Code: | AhnLab-V3 2007.12.27.10 2007.12.26 -
AntiVir 7.6.0.46 2007.12.26 -
Authentium 4.93.8 2007.12.26 -
Avast 4.7.1098.0 2007.12.26 Win32:SdBot-gen44
AVG 7.5.0.516 2007.12.25 -
BitDefender 7.2 2007.12.26 Generic.Sdbot.73574655
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.26 -
DrWeb 4.44.0.09170 2007.12.26 -
eSafe 7.0.15.0 2007.12.25 -
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.26 Dropper.VB.ky
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.26 -
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.26 Backdoor.Win32.Rbot.gen
Ikarus T3.1.1.15 2007.12.26 -
Kaspersky 7.0.0.125 2007.12.26 Backdoor.Win32.Rbot.gen
McAfee 5192 2007.12.24 New Malware.dq
Microsoft 1.3109 2007.12.26 Backdoor:Win32/Rbot.gen
NOD32v2 2747 2007.12.25 probably a variant of Win32/Rbot
Norman 5.80.02 2007.12.26 -
Panda 9.0.0.4 2007.12.25 -
Prevx1 V2 2007.12.26 -
Rising 20.24.21.00 2007.12.26 -
Sophos 4.24.0 2007.12.26 Mal/EncPk-AA
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.26 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.26 -
VirusBuster 4.3.26:9 2007.12.26 -
Webwasher-Gateway 6.6.2 2007.12.26 Packer.Expressor
|
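The per-vendor tables in this thread (both the November set for DB.exe, nc.exe, PI.exe and NZ.exe and the December DBx.exe/DB.exe pair) all share one line shape: vendor, engine version, signature date, verdict or "-". As an added example, not code from this thread or from the poster's tools, the script below parses lines of that shape and turns a table into the numbers a triager actually wants: how many engines fired, which stayed silent, and a rough family consensus so that "rBot" vs "IRCBot" calls like the ones above can be read off rather than counted by hand. The sample input is a constructed subset of the December DB.exe table copied from the post; the keyword-to-family map is my own assumption and not any vendor's or VirusTotal's naming scheme.

```python
"""Summarise VirusTotal-style per-vendor results (added example, not thread code).

Each result line in the thread has the shape
    <vendor> <engine version> <signature date> <verdict or "-">
where "-" means the engine returned nothing.
"""
import re
from collections import Counter

# Vendor, version and date are single tokens; the verdict is the remainder of
# the line and may contain spaces ("New Malware.dq", "probably a variant of ...").
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")

# Constructed sample: a subset of the DB.exe (26 Dec 2007) table from the post.
SAMPLE_DB = """\
AhnLab-V3 2007.12.27.10 2007.12.26 -
Avast 4.7.1098.0 2007.12.26 Win32:SdBot-gen44
BitDefender 7.2 2007.12.26 Generic.Sdbot.73574655
Ewido 4.0 2007.12.26 Dropper.VB.ky
F-Secure 6.70.13030.0 2007.12.26 Backdoor.Win32.Rbot.gen
Kaspersky 7.0.0.125 2007.12.26 Backdoor.Win32.Rbot.gen
McAfee 5192 2007.12.24 New Malware.dq
Microsoft 1.3109 2007.12.26 Backdoor:Win32/Rbot.gen
NOD32v2 2747 2007.12.25 probably a variant of Win32/Rbot
Sophos 4.24.0 2007.12.26 Mal/EncPk-AA
Symantec 10 2007.12.26 -
Webwasher-Gateway 6.6.2 2007.12.26 Packer.Expressor
"""

# Assumption: a hand-made keyword map to bucket vendor names into coarse
# families. Rbot and SdBot are treated as one lineage; anything not matched is
# counted as a generic/heuristic/packer verdict rather than a family call.
FAMILY_KEYWORDS = {
    "sdbot": "rbot",
    "rbot": "rbot",
    "ircbot": "ircbot",
    "bifrose": "bifrose",
    "netcat": "netcat",
    "poison": "poison",
}


def parse_results(text):
    """Return a list of (vendor, version, date, verdict); verdict is None for '-'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable result line: {line!r}")
        vendor, version, date, verdict = m.groups()
        verdict = verdict.strip()
        rows.append((vendor, version, date, None if verdict == "-" else verdict))
    return rows


def family_of(verdict):
    """Map one vendor verdict to a family bucket using FAMILY_KEYWORDS."""
    if verdict is None:
        return None
    lowered = verdict.lower()
    for keyword, family in FAMILY_KEYWORDS.items():
        if keyword in lowered:
            return family
    return "generic/heuristic"


def summarise(text):
    """Detection count, ratio, family votes, consensus family and silent engines."""
    rows = parse_results(text)
    detected = [row for row in rows if row[3] is not None]
    votes = Counter(family_of(row[3]) for row in detected)
    return {
        "engines": len(rows),
        "detected": len(detected),
        "ratio": len(detected) / len(rows) if rows else 0.0,
        "families": dict(votes),
        "consensus": votes.most_common(1)[0][0] if votes else None,
        "missed_by": sorted(row[0] for row in rows if row[3] is None),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_DB)
    print(f"{s['detected']}/{s['engines']} engines flagged the sample ({s['ratio']:.0%})")
    print(f"consensus family: {s['consensus']}  votes: {s['families']}")
    print("no detection from:", ", ".join(s["missed_by"]))
```

The consensus is a plain majority vote over family buckets, and generic, heuristic and packer verdicts (Mal/EncPk, Packer.Expressor, PUA.Packed.Themida in the November tables) are deliberately kept out of the family count: an engine that only says "packed with Themida" has not identified the malware, so counting it toward a family would overstate agreement. Paste any of the tables above into `SAMPLE_DB` to rerun the same summary on it.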
tetak