[Dshield] Srv.SSA-KeyLogger

John LaCour johnlacour at gmail.com
Fri Aug 12 22:29:16 GMT 2005


On 8/11/05, Paul Marsh <pmarsh at nmefdn.org> wrote:
>         1.  Will the other AV vendors release a def, tool or what ever
> with detailed information for their customers regarding this thing?  I
> can just see it now a user's av or spyware scan quarantines the thing
> but never tells them "hey this thing is nasty and you need to
> understand":
> 
>                 a.  Your system is owned
>                 b.  YOU ARE OWNED!

There are actually several different variants of this thing that each
upload to different locations.   I have 3 of them.   See below for the
AV scanner results of each.


>         2.  How long has this thing been around collecting info and
> calling home to mama?

I have no idea.   Two of the 3 that I know about appear to still be
logging actively.

Here's the AV scan results of the 3 binaries (courtesy of A. Marx):

= = = = = = =

Scan report of: 1.exe

*Proventia-VPS	Malicious (Success)
AntiVir	BDS/Dumador.DF
AVG	BackDoor.Generic.IQL (Trojan horse)
BitDefender	Backdoor.Dumador.DF
ClamAV	Trojan.Dumador-37-1
Command	W32/Dumador.AG@bd
Dr Web	BackDoor.Dumaru.20
eSafe	Trojan/Worm
eTrust-INO	Win32/Bambo.26112!PWS!Trojan
eTrust-INO (BETA)	Win32/Bambo.26112!PWS!Trojan
eTrust-VET	Win32.Bambo
eTrust-VET (BETA)	Win32.Bambo
F-Prot	W32/Dumador.AG@bd
Fortinet	W32/Dumador.DH-tr
Fortinet (BETA)	W32/Dumador.DH-tr
Ikarus	-
Kaspersky	Backdoor.Win32.Dumador.df
McAfee	BackDoor-CCT trojan
McAfee (BETA)	BackDoor-CCT trojan
Nod32	Win32/Dumador trojan
Norman	W32/Dumador.IK
Panda	Bck/Dumador.CV
Panda (BETA)	Bck/Dumador.CV
QuickHeal	Backdoor.Dumador.df
Sophos	Troj/Dumaru-J
Symantec	-
Symantec (BETA)	-
Trend Micro	BKDR_DUMADOR.AX
Trend Micro (BETA)	BKDR_DUMADOR.AX
VirusBuster	Backdoor.Dumador.BV
ZZ_RAV	-

============================================================

Scan report of: 2.exe

*Proventia-VPS	Malicious (Success)
AntiVir	BDS/Dumador.DO
AVG	BackDoor.Generic.IUH (Trojan horse)
BitDefender	Backdoor.Dumador.DO
ClamAV	Trojan.Dumador-37-2
Command	W32/Dumador.AG@bd
Dr Web	BackDoor.Dumaru.20
eSafe	Trojan/Worm
eTrust-INO	Win32/DlWreck.K!Trojan
eTrust-INO (BETA)	Win32/DlWreck.K!Trojan
eTrust-VET	Win32.DlWreck.K
eTrust-VET (BETA)	Win32.DlWreck.K
F-Prot	W32/Dumador.AG@bd
Fortinet	W32/Finaldo.B
Fortinet (BETA)	W32/Finaldo.B
Ikarus	Backdoor.Win32.Dumador.DO
Kaspersky	Backdoor.Win32.Dumador.do
McAfee	BackDoor-CCT trojan
McAfee (BETA)	BackDoor-CCT trojan
Nod32	Win32/Dumador trojan
Norman	W32/Dumador.IK
Panda	Bck/Dumador.CU
Panda (BETA)	Bck/Dumador.CU
QuickHeal	Backdoor.Dumador.do
Sophos	-
Symantec	Backdoor.Nibu
Symantec (BETA)	Backdoor.Nibu
Trend Micro	PE_FINALDO.B
Trend Micro (BETA)	PE_FINALDO.B
VirusBuster	Backdoor.Dumador.BT
ZZ_RAV	-

============================================================

Scan report of: 3.exe

*Proventia-VPS	Malicious (Success)
AntiVir	BDS/Dumador.DO.1
AVG	BackDoor.Generic.IUI (Trojan horse)
BitDefender	Backdoor.Dumador.DO
ClamAV	Trojan.Dumador-37-3
Command	W32/Dumador.AG@bd
Dr Web	BackDoor.Dumaru.20
eSafe	Trojan/Worm
eTrust-INO	Win32/Bambo!PWS!Trojan
eTrust-INO (BETA)	Win32/Bambo!PWS!Trojan
eTrust-VET	Win32.Bambo
eTrust-VET (BETA)	Win32.Bambo
F-Prot	W32/Dumador.AG@bd
Fortinet	W32/Dumador.DO-bdr
Fortinet (BETA)	W32/Dumador.DO-bdr
Ikarus	Backdoor.Win32.Dumador.DO
Kaspersky	Backdoor.Win32.Dumador.do
McAfee	BackDoor-CCT trojan
McAfee (BETA)	BackDoor-CCT trojan
Nod32	Win32/Dumador trojan
Norman	W32/Dumador.IK
Panda	Bck/Dumador.CU
Panda (BETA)	Bck/Dumador.CU
QuickHeal	Backdoor.Dumador.do
Sophos	-
Symantec	-
Symantec (BETA)	-
Trend Micro	BKDR_DUMADOR.AX
Trend Micro (BETA)	BKDR_DUMADOR.AX
VirusBuster	Backdoor.Dumador.BU
ZZ_RAV	-

============================================================

The following updates have been used for the test (all times in GMT):

*Proventia-VPS	VPS.rar	2005-07-14	17:47
AntiVir	fuse.zip	2005-08-12	13:42
AVG	avg7mmav338a613.zip	2005-08-12	11:39
BitDefender	cumulative.zip	2005-08-12	20:46
ClamAV	daily.cvd	2005-08-12	21:18
Command	DEFFILES.ZIP	2005-08-12	12:13
Dr Web	drwtoday.zip	2005-08-12	21:24
eSafe	com_evsvsp_latest.upd	2005-08-10	08:33
eTrust-INO	fi_nt86.exe	2005-08-12	21:15
eTrust-INO (BETA)	fi_nt86.exe	2005-08-12	19:45
eTrust-VET	fv_nt86.exe	2005-08-12	06:23
eTrust-VET (BETA)	fv_nt86.exe	2005-08-12	11:21
F-Prot	fp-def.zip	2005-08-12	11:55
Fortinet	vir_high	2005-08-12	17:26
Fortinet (BETA)	vir_high	2005-08-12	21:37
Ikarus	pd050812.exe	2005-08-12	09:54
Kaspersky	daily.zip	2005-08-12	20:36
McAfee	dat-4557.zip	2005-08-12	17:12
McAfee (BETA)	win_netware_betadat.zip	2005-08-12	21:00
Nod32	minnt.exe	2005-08-12	19:00
Norman	nvc5oem.zip	2005-08-12	17:18
Panda	pav.zip	2005-08-12	12:07
Panda (BETA)	pav.zip	2005-08-12	21:35
QuickHeal	qhadvdef.zip	2005-08-12	15:52
Sophos	ides.zip	2005-08-12	21:24
Symantec	20050812-020-i32.exe	2005-08-12	21:04
Symantec (BETA)	symrapidreleasedefsi32.exe	2005-08-12	21:39
Trend Micro	lpt777.zip	2005-08-12	21:13
Trend Micro (BETA)	lpt777.zip	2005-08-12	21:13
VirusBuster	vbuster8.vdb	2005-08-12	15:04
ZZ_RAV	rave.zip	2005-06-12	15:45
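As an added example (not part of the message above or of the DShield list), the following Python parses tab-separated multi-scanner reports in the format quoted above and summarises, per sample, which engines missed it and which engines caught every variant. The embedded excerpt is copied from the reports above with only a handful of vendors kept; the function names are my own.

```python
"""Summarise multi-scanner AV reports of the kind quoted above."""

# Excerpt of the three scan reports from the message above, in the same
# vendor<TAB>verdict layout ('-' means the engine reported nothing).
# Only a few vendors per sample are kept here to keep the example short.
REPORTS = """\
Scan report of: 1.exe

*Proventia-VPS\tMalicious (Success)
AntiVir\tBDS/Dumador.DF
Kaspersky\tBackdoor.Win32.Dumador.df
Sophos\tTroj/Dumaru-J
Symantec\t-
ZZ_RAV\t-

============================================================

Scan report of: 2.exe

*Proventia-VPS\tMalicious (Success)
AntiVir\tBDS/Dumador.DO
Kaspersky\tBackdoor.Win32.Dumador.do
Sophos\t-
Symantec\tBackdoor.Nibu
ZZ_RAV\t-
"""


def parse_reports(text):
    """Return {sample: {vendor: verdict or None}} from the report text.

    Lines without a tab (blank lines, the '=' separators, the update table
    header) are ignored; a leading '*' on a vendor name is stripped.
    """
    reports = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Scan report of:"):
            current = line.split(":", 1)[1].strip()
            reports[current] = {}
        elif current is not None and "\t" in line:
            vendor, verdict = line.split("\t", 1)
            vendor = vendor.lstrip("*").strip()
            verdict = verdict.strip()
            reports[current][vendor] = None if verdict == "-" else verdict
    return reports


def coverage(reports):
    """Per sample: (engines that detected it, engines tested, sorted misses)."""
    summary = {}
    for sample, verdicts in reports.items():
        missed = sorted(v for v, d in verdicts.items() if d is None)
        summary[sample] = (len(verdicts) - len(missed), len(verdicts), missed)
    return summary


def missed_any(reports):
    """Engines that missed at least one of the variants."""
    return {v for verdicts in reports.values()
            for v, d in verdicts.items() if d is None}


def consistent_vendors(reports):
    """Engines that detected every variant in the set, sorted by name.

    Because the variants differ (the post notes each uploads elsewhere), a
    detection of one sample says nothing about the others; this is the list
    a defender can actually rely on across the whole set.
    """
    vendors = set.union(*(set(v) for v in reports.values()))
    return sorted(v for v in vendors
                  if all(verdicts.get(v) for verdicts in reports.values()))


if __name__ == "__main__":
    parsed = parse_reports(REPORTS)
    for sample, (hit, total, missed) in coverage(parsed).items():
        print(f"{sample}: {hit}/{total} engines; missed by {missed}")
    print("missed at least one variant:", sorted(missed_any(parsed)))
    print("detected every variant:", consistent_vendors(parsed))
```

Feeding the full reports from the message into `parse_reports` works unchanged; the `(BETA)` rows are treated as separate vendors, which is what you want when comparing release and beta signature sets.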