[Dshield] Trendmicro Venting

Paul Marsh pmarsh at nmefdn.org
Thu Jun 9 16:22:40 GMT 2005


12 hrs and counting........

I tried their CPR and it does not detect it.  Below are the sandbox findings.......

	 Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated  2/05-2005

Your message ID (for later reference): 20050609-426

information.htm                                                                      .exe : [SANDBOX] infected with unknown worm - W32/Mytob.gen (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        53886 bytes.

 [ Changes to filesystem ]
    * Creates file bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.
    * Creates file ý.
    * Creates file C:\WINDOWS\TEMP\tmp1891.tmp.

 [ Changes to registry ]
    * Creates value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Sets value "Start"="" in key "HKLM\System\CurrentControlSet\Services\SharedAccess".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "CONFIGURED_DNS" on port 53 (UDP).

 [ Network ]
    * **Uses IPHLPAPI services.

 [ Process/window information ]
    * Creates a mutex 3-1-3-3-7.
    * Enumerates running processes.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by pmarsh at nmefdn.org to sandbox.
Received 9.June 2005 at 18.00 - processed 9.June 2005 at 18.00.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Holmes, Alan
Sent: Thursday, June 09, 2005 11:38 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Trendmicro Venting

For TrendMicro I think 11 hours is WAY slow.  By Symantec and other AV vendors, 11 hours is fast.  I use TrendMicro at home and am always pleased to see that they normally have patterns released within 4 hours of a new threat discovery.

Symantec, which we use at work, sometimes takes more than a day.

What really sucks about that is, like clockwork, any time Trend elevates an email-borne threat to "Medium," we have about 45-90 minutes until we start receiving those viruses at work.  We hold our breath every time hoping Symantec comes out with definitions quickly.

(Of course, we also update email filters and whatnot to catch the messages if subject lines, message body, or attachment name all are known quantities.)

So, in my book, 11 hours is slow.

Alan




