Dangerous Virus Question
#2
Scooby Regular
As a few of you are no doubt aware of the problems I've been having lately, I'd like to attempt to satisfy my curiosity in relation to a virus-infected file. If you dare, and feel you are qualified to deal with the potential consequences of downloading virus-infected files, please could someone tell me if the following file is infected with a virus.
http://www.burratha.com/files/virus/n0tepad.zip
For your information, McAfee and Norton don't report anything untoward as far as I am aware. Kaspersky, however, reports it as the Backdoor.Hupigeon trojan.
Please don't open the zip, just scan it.
***DISCLAIMER***
I accept NO liability for any damage to any data that the use or misuse of the file may cause.
I'll take it down in about 24 hours.
Thanks in advance.
#4
Scooby Regular
Just got this reply from Kaspersky's online virus scanner:
Current object: n0tepad.zip
n0tepad.zip Archive: ZIP
n0tepad.zip/n0tepad.exe Archive: Instyler
n0tepad.zip/n0tepad.exe/aliases.ini Ok
n0tepad.zip/n0tepad.exe/bluelab.dat Ok
n0tepad.zip/n0tepad.exe/cs.dat Ok
n0tepad.zip/n0tepad.exe/cscan4.mrc Ok
n0tepad.zip/n0tepad.exe/iserver.bat Ok
n0tepad.zip/n0tepad.exe/ltns.exe Ok
n0tepad.zip/n0tepad.exe/mirc.ini Ok
n0tepad.zip/n0tepad.exe/moo.dll Packed: UPX
n0tepad.zip/n0tepad.exe/moo.dll Ok
n0tepad.zip/n0tepad.exe/n.dat Ok
n0tepad.zip/n0tepad.exe/ntcmd.exe Ok
n0tepad.zip/n0tepad.exe/PipeCmd.exe Ok
n0tepad.zip/n0tepad.exe/recv/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/s.dat Ok
n0tepad.zip/n0tepad.exe/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/share.dat Ok
n0tepad.zip/n0tepad.exe/shr.vxd Ok
n0tepad.zip/n0tepad.exe/sysd.exe Packed: UPX
n0tepad.zip/n0tepad.exe/sysd.exe Ok
n0tepad.zip/n0tepad.exe/ws.exe Packed: FSG
n0tepad.zip/n0tepad.exe/ws.exe Infected: TrojanDownloader.Win32.Aphex.10.c
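The report above is a flat per-object listing, so it is easy to miss that two packed components merely scanned Ok while the containers around them carry no verdict of their own. The helper below, added here as an example and not part of the original post or of Kaspersky's tooling, parses lines in that format and separates confirmed verdicts from packed-but-clean objects; the sample input is cut down from the report above.

```python
"""Triage a Kaspersky-style archive scan report in the format posted above (added example).
Lines read "<object> <Status>[: <detail>]"; nested objects are separated by '/'."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Current object: n0tepad.zip
n0tepad.zip Archive: ZIP
n0tepad.zip/n0tepad.exe Archive: Instyler
n0tepad.zip/n0tepad.exe/moo.dll Packed: UPX
n0tepad.zip/n0tepad.exe/moo.dll Ok
n0tepad.zip/n0tepad.exe/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/sysd.exe Packed: UPX
n0tepad.zip/n0tepad.exe/sysd.exe Ok
n0tepad.zip/n0tepad.exe/ws.exe Packed: FSG
n0tepad.zip/n0tepad.exe/ws.exe Infected: TrojanDownloader.Win32.Aphex.10.c
"""

LINE_RE = re.compile(r"^(?P<obj>\S+)\s+(?P<status>Ok|Archive|Packed|Infected)(?::\s*(?P<detail>.+))?$")

def parse_report(text):
    """Merge the per-object lines into {path: {archive, packer, verdicts}}."""
    objects = defaultdict(lambda: {"archive": None, "packer": None, "verdicts": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                      # skips blanks and "Current object:" headers
            continue
        entry, status, detail = objects[m["obj"]], m["status"], m["detail"]
        if status == "Archive":
            entry["archive"] = detail
        elif status == "Packed":
            entry["packer"] = detail
        elif status == "Infected":
            entry["verdicts"].append(detail)
    return dict(objects)

def triage(objects):
    """Summarise what matters for a defender: verdicts, packed-but-clean objects,
    and clean-looking containers that hold an infected member."""
    infected = {p: e["verdicts"] for p, e in objects.items() if e["verdicts"]}
    # A packed object reported Ok is not proof of a clean file: the scanner may not
    # have unpacked it, which is how the archive as a whole can slip past detection.
    packed_clean = sorted(p for p, e in objects.items() if e["packer"] and not e["verdicts"])
    dirty_containers = sorted(p for p, e in objects.items()
                              if e["archive"] and not e["verdicts"]
                              and any(i.startswith(p + "/") for i in infected))
    return {"infected": infected, "packed_clean": packed_clean,
            "dirty_containers": dirty_containers}
```

Run `triage(parse_report(SAMPLE_REPORT))` to get the three buckets; feed it a full saved report to triage a real scan.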
#5
NAI Virus Scan v4.5.1 with DAT 4.0.4231 and Scan Engine 4.1.60 says it's clean.
Send a copy to the guys at NAI, Jack posted the e-mail address to send it to earlier in the week.
#13
Scooby Senior
"This is a variant of IRC/Sdbot which drops a few folders and several files in C:\Windows\Temp. One of the files it drops is a Mirc client. BTW – Most of the malware which is dropped by the trojan is already detected by our scanners."
Not a great answer if I say so myself - most likely because it was me asking - but I'm guessing that if you ran it with our software you'd be fine. We just don't detect anything when it's packed.
I don't recommend testing the above by the way.
#15
I work for McAfee but not directly with viruses. Out of curiosity I've had a look at this one on an old PC at home. As Jack says, it drops some files to the Windows temp folder. It then adds an entry to the Run key in the registry to run one of the dropped files, ltns.exe. This appears to be a version of mIRC.
Running VirusScan against the dropped files gives the following files that contain viruses:
iserver.bat IRC/Flood.bc
ntcmd.exe Fluxay.gen
share.bat IRC/Flood.bc
sysd.exe IRC/Flood.e
The original filename for sysd.exe was hidewndw.exe. My guess is this hides the mIRC window. McAfee don't say what the Flood virus variants do exactly, but they appear to be for use in remote DOS attacks using IRC to start the attack.
If anyone is tempted to "play" with this virus, don't do it while connected to the net.
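The dropper described above persists by adding a Run key entry that starts a file dropped into the Windows temp folder. The check below, added here as an example and not taken from the thread or from any vendor's tooling, flags autorun entries whose executable lives under a temp directory; the sample entries and the value name "ltns" are constructed assumptions, not values from the thread.

```python
# Added example: flag Run-key autorun entries whose executable lives in a temp folder.
import ntpath
import sys

def command_image(command):
    """Executable path from a Run value (strips the arguments after a quoted path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def is_under(path, directory):
    """True when a Windows path lies inside directory (case-insensitive, / or \\)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\") + "\\"
    return p.startswith(d)

def suspicious_run_entries(entries, temp_dirs):
    """entries: (hive, value_name, command) tuples; returns those launched from temp_dirs."""
    hits = []
    for hive, name, command in entries:
        image = ntpath.expandvars(command_image(command))  # resolves %TEMP% etc. on Windows
        if any(is_under(image, ntpath.expandvars(d)) for d in temp_dirs):
            hits.append((hive, name, image))
    return hits

def read_run_keys():
    """Enumerate the per-user and machine Run keys on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((hive, name, str(value)))
        except OSError:
            continue
    return entries

# Constructed sample: one benign entry and one modelled on the dropper described above
# (the value name "ltns" is an assumption; the thread does not give it).
SAMPLE_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "ltns", r"C:\Windows\Temp\ltns.exe"),
]
SAMPLE_TEMP_DIRS = [r"C:\Windows\Temp", r"C:\Users\alice\AppData\Local\Temp"]
```

On a Windows host, `suspicious_run_entries(read_run_keys(), [r"%WINDIR%\Temp", r"%TEMP%"])` checks the live registry; elsewhere the constructed sample exercises the same logic.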
#17
Scooby Regular
So - the file IS a virus then? And more importantly, all the software (apart from Kaspersky at this time) has missed it up until now - when hopefully the updated virus definitions will cater for its removal.
I now feel like the 3 days' grief it's caused me hasn't been in vain.
#19
Scooby Regular
Ok - but I would have liked McAfee to have spotted the archive as it landed on my PC, if you understand? or at least found it on a system scan.
....or am I asking too much?
#20
Scooby Senior
Fully agree, and due to your request, if you scan that file next week it'll find it. You'll also be to blame if adding detection causes a false alarm.
#22
Scooby Senior
"great, don't open up any files for a week, if you're using McAfee folks!!!!"
Beemerboy, where did you get that attitude from!! Opening the file would trigger VirusScan; scanning the file in its unpacked form would not.
As you're such a huge Sophos fan, what are they doing to help their customers? You do your best and still get **** about it. TFI Friday!
#23
Scooby Regular
Thread Starter
Jack,
I think BB was asking (in his sarcastic way) what at least I was thinking - why do we have to wait until the next DAT release next week?
What are the reasons for 4233 not being released immediately with the update? Or is that irrelevant, since it would be detected, cleaned (or deleted) by the current version when it's opened?
Stefan
#24
Scooby Senior
If you double clicked that file, we'd detect the malicious components it contains. No need for an update.
To keep people happy I've had the whole file included in next week's driver. If you'd like an extra driver to detect the file now, I can get one sent to you. Chances are it's already in the hourly DAT files available from http://www.avertlabs.com