[Dshield] New Variant of Backdoor.Haxdoor

Jay Stamps jstamps at stanford.edu
Wed Aug 16 18:50:41 GMT 2006


I got the same Z3566043.zip attachment yesterday, accompanied by the 
same e-mail text in a message evidently originating from a German 
dial-up network. The MD5 of the zipped PE file is 
a06f64cc3047015b82e15005512c47bf. I didn't try very hard to find out 
what it does, but my (lame) attempt to disassemble it was mostly 
defeated by some kind of encoding or encryption. -Jay

>Sorry..
>https://submit.symantec.com/retail/
>
>J
>
>On 8/16/06, Joel Esler <eslerj at gmail.com> wrote:
>>  Not true.
>>
>>  http://securityresponse.symantec.com/avcenter/submit.html
>>
>>  J
>>
>>  On 8/15/06, Stasiniewicz, Adam <stasinia at msoe.edu> wrote:
>>  > Symantec does not have a web based submission app.  You need to use the
>>  > "Quarantine and Restore" utility that is installed with all Symantec AV
>>  > products.  It has the ability to quarantine undetected viruses and
>>  > submit them to Symantec.
>>  >
>>  > Regards,
>>  > Adam Stasiniewicz
>>  >
>>  >
>>  > -----Original Message-----
>>  > From: list-bounces at lists.dshield.org
>>  > [mailto:list-bounces at lists.dshield.org] On Behalf Of Jenkins, Matt
>>  > Sent: Tuesday, August 15, 2006 9:38 PM
>>  > To: General DShield Discussion List; General DShield Discussion List
>>  > Subject: Re: [Dshield] New Variant of Backdoor.Haxdoor
>>  >
>>  > I just received this variant also.  I updated Symantec's definitions and
>>  > it still does not detect it.  Who should these samples be sent to?  I
>>  > looked all over Symantec's site and cannot find any address to use for
>>  > sending new samples to.
>>  >
>>  > Matt
>>  >
>>  > ________________________________
>>  >
>>  > From: list-bounces at lists.dshield.org on behalf of Chris Wright
>>  > Sent: Tue 8/15/2006 6:12 PM
>>  > To: 'General DShield Discussion List'
>>  > Subject: [Dshield] New Variant of Backdoor.Haxdoor
>>  >
>>  >
>>  >
>>  > Martin Forest posted a message on 26th July about a new virus.
>>  > (Backdoor.Haxdoor.O or variant thereof)
>>  >
>>  > Just had a new variant drop in one of my spamtraps that wasn't picked up
>>  > by AVG.
>>  > Email me off list if you want the zip/binary.
>>  > Ran through VirusTotal and it appears to be quite new:
>>  >
>>  > AntiVir 6.35.1.0 08.15.2006  no virus found
>>  > ****Authentium 4.93.8 08.15.2006 W32/Haxdoor.LB at bd
>>  > Avast 4.7.844.0 08.15.2006  no virus found
>>  > AVG 386 08.15.2006  no virus found
>>  > BitDefender 7.2 08.15.2006  no virus found
>>  > ****CAT-QuickHeal 8.00 08.14.2006 (Suspicious) - DNAScan
>>  > ClamAV devel-20060426 08.15.2006  no virus found
>>  > DrWeb 4.33 08.15.2006  no virus found
>>  > eTrust-InoculateIT 23.72.98 08.15.2006  no virus found
>>  > eTrust-Vet 30.3.3021 08.15.2006  no virus found
>>  > Ewido 4.0 08.15.2006  no virus found
>>  > ****Fortinet 2.77.0.0 08.15.2006 suspicious
>>  > ****F-Prot 3.16f 08.15.2006 security risk named W32/Haxdoor.LB at bd
>>  > F-Prot4 4.2.1.29 08.15.2006  no virus found
>>  > Ikarus 0.2.65.0 08.15.2006  no virus found
>>  > Kaspersky 4.0.2.24 08.15.2006  no virus found
>>  > McAfee 4830 08.15.2006  no virus found
>>  > Microsoft 1.1560 08.14.2006  no virus found
>>  > ****NOD32v2 1.1707 08.15.2006 a variant of Win32/Haxdoor
>>  > ****Norman 5.90.23 08.15.2006 Suspicious_F.gen
>>  > Panda 9.0.0.4 08.15.2006 Suspicious file
>>  > Sophos 4.08.0 08.15.2006  no virus found
>>  > ****Symantec 8.0 08.15.2006 Backdoor.Trojan
>>  > TheHacker 5.9.8.192 08.14.2006  no virus found
>>  > UNA 1.83 08.15.2006  no virus found
>>  > ****VBA32 3.11.0 08.15.2006 suspected of Trojan-Dropper.Microjoin.2
>>  > VirusBuster 4.3.7:9 08.15.2006 no virus found
>>  >
>>  > The email has a similar format to the previous one:
>>  >
>>  > Has a zip file with an executable within, named in my case Z3566043.zip
>>  >
>>  > <begin mail>
>>  > Dear Customer,
>>  >
>>  > Thank you for shopping at our shop !
>>  > This e-mail is to inform you that your order has been shipped out.
>>  > The following information is for your reference (see details in the
>>  > attachment):
>>  > * Order No.:  Z3566043
>>  > * Order Date:  08/13/2006
>>  > ------------------------------
>>  >    SUBTOTAL : $1,769.99
>>  >    SALESTAX : $0.00
>>  >    SHIPPING : $16.81
>>  >    TOTAL    : $1,786.80
>>  > ------------------------------
>>  > * Ship Via:  FDX Overnight Delivery
>>  >
>>  > [Ship Date :] 08/14/2006 [Tracking No:] 708745655472 Please note that if
>>  > your order includes more than one package, the packages may not be
>>  > delivered at the same time due to the shipping carrier's schedule and the
>>  > delivery method, and this is out of our control.
>>  > In addition, backordered items will be shipped separately.
>>  > You may check the status of your package's progress at our website.
>>  > Simply click on "Customer Service", then log into the "Member Center".
>>  > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>  > Customers who leave comments for us at either ResellerRatings.com or
>>  > Pricegrabber will be eligible to receive a flash drive or other cool
>>  > prize!
>>  > FOUR drawings will take place every month -- one drawing from each
>>  > review site on the 1st and the 15th of every calendar month.
>>  > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>  > Thank you for shopping with us!
>>  > 15% restocking fee applies to all refunds. All products must be returned
>>  > in like-new condition, including original packaging and all documentation
>>  > and accessories. Charges will be applied for all missing accessories or
>>  > parts.
>>  > Our shop will not accept items that have been physically damaged or
>>  > misused.
>>  > Return periods for different product categories range from zero to 30
>>  > days.
>>  > <end mail>
>>  >
>>  > _________________________________________
>>  >
>>  > SANS Network Security 2006 - Las Vegas NV October 1st-9th.
>>  > Wide selection of 1-6 Day Courses. Top Instructors!
>>  >
>>  > Details: isc.sans.org/clickcount.php?ad=1
>>  > (use Brochurcode "ISC")
>>  >
>>  > "Best IT Security return on Investment" (Mario Chiock, Schlumberger)
>>  > _______________________________________________
>>  >
>>  >
>>
>>
>>  --
>>  --Joel
>>
>
>
>--
>--Joel

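Added example, not part of the thread or any poster's code: a Python triage helper for a mailed zip attachment like the Z3566043.zip discussed above. It lists the archive members, flags any that carry a PE (MZ/PE) header, hashes them, compares the MD5 against the value Jay reports, and measures byte entropy, which the encoding that defeated his disassembly would push toward 8 bits. The sample zip and the fake PE stub inside it are constructed here for the demonstration, not the real attachment.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# MD5 quoted in Jay's message for the PE inside Z3566043.zip (the only IoC on the page).
KNOWN_BAD_MD5 = {"a06f64cc3047015b82e15005512c47bf"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 suggests packed/encrypted content, plain x86 is ~5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_pe(data: bytes) -> bool:
    """True if the bytes carry a Windows PE: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_zip(zip_bytes: bytes) -> list:
    """One dict per archive member with the indicators a responder records."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            findings.append({
                "name": info.filename, "size": len(data), "is_pe": is_pe(data),
                "md5": md5, "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 2),
                "known_bad": md5 in KNOWN_BAD_MD5,
            })
    return findings

def build_sample_zip() -> bytes:
    """Constructed test input: a minimal fake PE header (not malware) plus a text file."""
    pe = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")   # e_lfanew = 0x40
    pe += b"PE\x00\x00" + bytes(range(256)) * 4                  # near-uniform body, entropy ~7.9
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Z3566043.exe", pe)
        zf.writestr("readme.txt", "order confirmation")
    return buf.getvalue()
```

Run `triage_zip` over a real attachment's bytes to get the same per-member record; a `known_bad` hit or a PE with entropy near 8 is what to escalate.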

