Re: [Full-Disclosure] Re: Virus loading through ActiveX-Exploit
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Re: Virus loading through ActiveX-Exploit
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 08 Sep 2004 13:21:53 +1200
Feher Tamas wrote:
> ... server.exe
> file is
> TrojanSpy.Win32.Small.AZ (AVP)
Perhaps at the time or shortly before you posted this close to 12
hours after the OP wrote his message, but when he wrote AVP/KAV did not
detect it at all. In fact, it was the only one of what I consider the
"major" scanners to not detect the .EXE when, almost exactly two hours
after the OP wrote his message, I had the file scanned by 20-odd
scanners that (mostly) run up-to-the-minute (well, hour)
research/beta/pre-release DEF/DAT/etc files...
Oh, and as for the name -- the unique names reported in that multi-
scanner test were:
TR/Small.AZ.1
W32/Chty.A@bd
Uploader-S
TrojanSpy.Win32.Small.AZ
Backdoor.Trojan [this one is a heuristic detection]
Troj/Bizex-E
Win32.Reign.Z
There was one more generic/heuristic detection but I'm not sure I can
publicly discuss it, and as it has a rather distinctive reporting style
for this type of thing, I've removed that entry from the list...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html