
Dangerous Virus Question

#1  ozzy, Scooby Regular (Thread Starter), 11 June 2002, 04:55 PM

There's some info on the Symantec site.

More interestingly, going by the page update, they've known about it since the 9th October.

Stefan

[Edited by ozzy - 11/6/2002 4:56:31 PM]
#2  BuRR, Scooby Regular, 05 November 2002, 08:22 PM

As a few of you are no doubt aware of the problems I've been having lately, I'd like to attempt to satisfy my curiosity in relation to a virus-infected file. If you dare, and feel you are qualified to deal with the potential consequences of downloading virus-infected files, please could someone tell me if the following file is infected with a virus.

http://www.burratha.com/files/virus/n0tepad.zip

For your information, McAfee and Norton don't report anything untoward as far as I am aware. Kaspersky, however, reports it as the Backdoor.Hupigeon trojan.

Please don't open the zip, just scan it.

***DISCLAIMER***
I accept NO liability for any damage to any data that the use or misuse of the file may cause.

I'll take it down in about 24 hours.

Thanks in advance.
#3  mega_stream, Scooby Regular, 05 November 2002, 08:28 PM

My Norton sees it as clean.

I'd send it to an AV supplier if I were you, they are normally happy to assist.

#4  BuRR, Scooby Regular, 05 November 2002, 08:52 PM

Just got this reply from Kaspersky's online virus scanner:

Current object: n0tepad.zip

n0tepad.zip Archive: ZIP
n0tepad.zip/n0tepad.exe Archive: Instyler
n0tepad.zip/n0tepad.exe/aliases.ini Ok
n0tepad.zip/n0tepad.exe/bluelab.dat Ok
n0tepad.zip/n0tepad.exe/cs.dat Ok
n0tepad.zip/n0tepad.exe/cscan4.mrc Ok
n0tepad.zip/n0tepad.exe/iserver.bat Ok
n0tepad.zip/n0tepad.exe/ltns.exe Ok
n0tepad.zip/n0tepad.exe/mirc.ini Ok
n0tepad.zip/n0tepad.exe/moo.dll Packed: UPX
n0tepad.zip/n0tepad.exe/moo.dll Ok
n0tepad.zip/n0tepad.exe/n.dat Ok
n0tepad.zip/n0tepad.exe/ntcmd.exe Ok
n0tepad.zip/n0tepad.exe/PipeCmd.exe Ok
n0tepad.zip/n0tepad.exe/recv/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/s.dat Ok
n0tepad.zip/n0tepad.exe/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/share.dat Ok
n0tepad.zip/n0tepad.exe/shr.vxd Ok
n0tepad.zip/n0tepad.exe/sysd.exe Packed: UPX
n0tepad.zip/n0tepad.exe/sysd.exe Ok
n0tepad.zip/n0tepad.exe/ws.exe Packed: FSG
n0tepad.zip/n0tepad.exe/ws.exe Infected: TrojanDownloader.Win32.Aphex.10.c

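The report above only flags components buried two container layers down (ZIP, then the Instyler installer), which is why scanners that stop at the outer archive report it clean. The parser below, an added example that is not from the thread or from any vendor's tooling, reads a report in this layout and works out the container depth of each detection; the sample lines are copied from the post.

```python
import re

# Constructed sample: a subset of the Kaspersky report lines quoted in the post above.
SAMPLE_REPORT = """\
n0tepad.zip Archive: ZIP
n0tepad.zip/n0tepad.exe Archive: Instyler
n0tepad.zip/n0tepad.exe/aliases.ini Ok
n0tepad.zip/n0tepad.exe/ltns.exe Ok
n0tepad.zip/n0tepad.exe/moo.dll Packed: UPX
n0tepad.zip/n0tepad.exe/moo.dll Ok
n0tepad.zip/n0tepad.exe/recv/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/share.bat Infected: Backdoor.IRC.SdBot.p
n0tepad.zip/n0tepad.exe/sysd.exe Packed: UPX
n0tepad.zip/n0tepad.exe/sysd.exe Ok
n0tepad.zip/n0tepad.exe/ws.exe Packed: FSG
n0tepad.zip/n0tepad.exe/ws.exe Infected: TrojanDownloader.Win32.Aphex.10.c
"""

# One report line: "<path> <Verdict>[: <detail>]"
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<verdict>Ok|Archive|Packed|Infected)(?::\s*(?P<detail>\S.*))?$"
)


def parse_report(text):
    """Yield (path, verdict, detail) for each well-formed line; detail is None for 'Ok'."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], m["verdict"], m["detail"]


def summarize(text):
    """Summarise a report: containers, entries the scanner had to unpack,
    infected entries, and how many container layers sit above each detection."""
    containers, packers, infections = [], {}, {}
    for path, verdict, detail in parse_report(text):
        if verdict == "Archive":
            containers.append(path)
        elif verdict == "Packed":
            packers[path] = detail  # the scanner unpacked this before judging it
        elif verdict == "Infected":
            infections[path] = detail
    # Depth = number of listed containers that are ancestors of the infected entry.
    depth = {p: sum(1 for c in containers if p.startswith(c + "/")) for p in infections}
    return {
        "containers": containers,
        "packers": packers,
        "infections": infections,
        "depth": depth,
        # The outer archive itself is never flagged: the verdict comes only from
        # nested entries, which a scanner that stops at the outer layer never sees.
        "verdict": "infected" if infections else "clean",
    }
```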
#5  IanW, Scooby Regular, 05 November 2002, 09:14 PM

NAI Virus Scan v4.5.1 with DAT 4.0.4231 and Scan Engine 4.1.60 says it's clean.

Send a copy to the guys at NAI, Jack posted the e-mail address to send it to earlier in the week.
#6  suba, Scooby Regular, 05 November 2002, 09:28 PM

Checked out OK on the Trend Micro online scanner (housecall.antivirus.com).
#7  BuRR, Scooby Regular, 05 November 2002, 09:38 PM

Things like this make you paranoid.
#8  Figment©, Scooby Regular, 05 November 2002, 11:00 PM

Sophos reported it clean.
#9  IWatkins, Scooby Regular, 05 November 2002, 11:33 PM

Looks clean to my Sophos.
#10  JackClark, Scooby Senior, 05 November 2002, 11:34 PM

In the labs now, should have a response soon.
#11  gregh, Scooby Regular, 06 November 2002, 12:27 AM

Interesting, my Norton doesn't come up with anything either; virus def file is 23/10/2002.

Will be interested to see what the lab finds Jack.

Greg
#12  ChrisB, Moderator, 06 November 2002, 09:23 AM

My NAI setup (same setup as Ian) reported all clean as well...
#13  JackClark, Scooby Senior, 06 November 2002, 04:27 PM

"This is a variant of IRC/Sdbot which drops a few folders and several files in C:\Windows\Temp. One of the files it drops is a Mirc client. BTW – Most of the malware which is dropped by the trojan is already detected by our scanners."

Not a great answer if I say so myself - most likely because it was me asking - but I'm guessing that if you ran it with our software you'd be fine. We just don't detect anything when it's packed.

I don't recommend testing the above by the way.
#14  ozzy, Scooby Regular (Thread Starter), 06 November 2002, 05:00 PM

Eh, why does my post say June?

I didn't test the file BTW.

Stefan
#15  merlin, Scooby Regular, 06 November 2002, 07:18 PM

I work for McAfee but not directly with viruses. Out of curiosity I've had a look at this one on an old PC at home. As Jack says, it drops some files to the Windows temp folder. It then adds an entry to the Run key in the registry to run one of the dropped files, ltns.exe. This appears to be a version of mIRC.

Running VirusScan against the dropped files gives the following files that contain viruses:

iserver.bat IRC/Flood.bc
ntcmd.exe Fluxay.gen
share.bat IRC/Flood.bc
sysd.exe IRC/Flood.e

The original filename for sysd.exe was hidewndw.exe. My guess is this hides the mIRC window. McAfee don't say what the Flood virus variants do exactly, but they appear to be for use in remote DoS attacks, using IRC to start the attack.

If anyone is tempted to "play" with this virus, don't do it while connected to the net.
#16  JackClark, Scooby Senior, 06 November 2002, 07:22 PM

"I work for McAfee"

Really? Is that your P1 in the Slough car park?
#17  BuRR, Scooby Regular, 07 November 2002, 11:26 PM

So - the file IS a virus then? And more importantly, all the software (apart from Kaspersky at this time) has missed it up until now - when hopefully the updated virus definitions will cater for its removal.

I now feel like the 3 days' grief it's caused me hasn't been in vain.
#18  JackClark, Scooby Senior, 07 November 2002, 11:54 PM

If you had run it we - McAfee - would have stopped it. Just didn't give as early a warning as Kaspersky.
#19  BuRR, Scooby Regular, 08 November 2002, 12:18 AM

OK - but I would have liked McAfee to have spotted the archive as it landed on my PC, if you understand? Or at least found it on a system scan.

....or am I asking too much?
#20  JackClark, Scooby Senior, 08 November 2002, 08:49 AM

Fully agree, and due to your request, if you scan that file next week it'll find it. You'll also be to blame if adding detection causes a false alarm.
#21  beemerboy, Scooby Regular, 08 November 2002, 12:09 PM

Great, don't open up any files for a week if you're using McAfee, folks!!!!

BB - (off for a 1 week holiday)

#22  JackClark, Scooby Senior, 08 November 2002, 12:28 PM

"Great, don't open up any files for a week if you're using McAfee, folks!!!!"

Beemerboy, where did you get that attitude from!! Opening the file would trigger VirusScan; scanning the file in its unpacked form would not.

As you're such a huge Sophos fan, what are they doing to help their customers? You do your best and still get **** about it. TFI Friday!
#23  ozzy, Scooby Regular (Thread Starter), 08 November 2002, 12:56 PM

Jack,

I think BB was asking (in his sarcastic way) what at least I was thinking - why do we have to wait until the next DAT release next week?

What are the reasons for 4233 not being released immediately with the update? Or is that irrelevant, since it would be detected, cleaned (or deleted) by the current version when it's opened?

Stefan
#24  JackClark, Scooby Senior, 08 November 2002, 02:21 PM

If you double clicked that file, we'd detect the malicious components it contains. No need for an update.

To keep people happy I've had the whole file included in next week's driver. If you'd like an extra driver to detect the file now, I can get one sent to you. Chances are it's already in the hourly DAT files available from http://www.avertlabs.com