[Dshield] A new Netsky variant ?

Tom dshield at oitc.com
Fri May 11 13:38:40 GMT 2007


Andreas,

If you use SCAN in the subject to VirusTotal, they will forward a copy to 
all who participate.

As for Linux zip, just download the source from 
http://www.info-zip.org/Zip.html and compile it.

I'd love to see a copy. gzip and send to dshield at oitc.com

Tom

At 1:59 PM +0200 5/11/07, Andreas Maus wrote:
>
>Hi *!
>
>Simple question ;)
>
>Is there a new Netsky variant making the rounds?
>I received multiple mails with the subject "Private document"
>and an "obfuscated" attachment called your_document.doc<many,many 
>with spaces>.pif
>
>The attachment passes my AV scan (clamav) and so I submitted it to an
>online scan. According to virustotal.com and virusscan.jotti.org 
>most AV vendors
>will not detect this:
>
>virustotal.com:
>
>STATUS: FINISHED
>Complete scanning result of "your_document.doc.pif", received in 
>VirusTotal at 05.11.2007, 13:23:00 (CET).
>
>Antivirus	Version	Update	Result
>AhnLab-V3	2007.5.10.0	05.11.2007	no virus found
>AntiVir	7.4.0.15	05.11.2007	no virus found
>Authentium	4.93.8	05.10.2007	W32/Netsky.gen
>Avast	4.7.997.0	05.11.2007	no virus found
>AVG	7.5.0.467	05.10.2007	no virus found
>BitDefender	7.2	05.11.2007	no virus found
>CAT-QuickHeal	9.00	05.10.2007	no virus found
>ClamAV	devel-20070416	05.11.2007	no virus found
>DrWeb	4.33	05.11.2007	no virus found
>eSafe	7.0.15.0	05.10.2007	Win32.Netsky.p
>eTrust-Vet	30.7.3627	05.11.2007	no virus found
>Ewido	4.0	05.11.2007	no virus found
>FileAdvisor	1	05.11.2007	no virus found
>Fortinet	2.85.0.0	05.11.2007	suspicious
>F-Prot	4.3.2.48	05.10.2007	W32/Netsky.gen
>F-Secure	6.70.13030.0	05.11.2007	no virus found
>Ikarus	T3.1.1.7	05.11.2007	no virus found
>Kaspersky	4.0.2.24	05.11.2007	no virus found
>McAfee	5028	05.10.2007	no virus found
>Microsoft	1.2503	05.11.2007	no virus found
>NOD32v2	2257	05.11.2007	no virus found
>Norman	5.80.02	05.11.2007	no virus found
>Panda	9.0.0.4	05.10.2007	Suspicious file
>Prevx1	V2	05.11.2007	no virus found
>Sophos	4.17.0	05.08.2007	no virus found
>Sunbelt	2.2.907.0	05.05.2007	no virus found
>Symantec	10	05.11.2007	no virus found
>TheHacker	6.1.6.112	05.10.2007	no virus found
>VBA32	3.12.0	05.10.2007	no virus found
>VirusBuster	4.3.7:9	05.10.2007	no virus found
>Webwasher-Gateway	6.0.1	05.11.2007	Win32.Malware.gen (suspicious)
>
>virusscan.jotti.org:
>
>File: your_document.doc.pif
>Status: POSSIBLY INFECTED/MALWARE(Note: this file was only 
>classified as malware by scanners known to generate more false 
>positives than the average scanner. Do not consider these results 
>definately accurate. Also, because of this, results of this scan 
>will not be recorded in the database.)
>MD5	e65a7bef415b10790cbb9227d20f9062
>Packers detected:
>PE_PATCH
>Scanner results
>Scan taken on 11 May 2007 11:24:00 (GMT)
>A-Squared	Found nothing
>AntiVir	Found nothing
>ArcaVir	Found nothing
>Avast		Found nothing
>AVG Antivirus	Found nothing
>BitDefender	Found nothing
>ClamAV		Found nothing
>Dr.Web		Found nothing
>F-Prot Antivirus	Found W32/Netsky.gen
>F-Secure Anti-Virus	Found nothing
>Fortinet	Found nothing
>Kaspersky Anti-Virus	Found nothing
>NOD32	Found nothing
>Norman Virus Control	Found nothing
>Panda Antivirus	Found nothing
>Rising Antivirus	Found nothing
>VirusBuster	Found nothing
>VBA32	Found nothing
>
>I attach the file to this mail in case someone wants to take a look at this.
>It is encrypted using GnuPG with the password "infected". (sorry I do
>not have a Linux version of zip with an option to make an encrypted
>archive).
>
>Questions, opinions, comments?
>
>So long,
>
>Andreas.
>
>P.S.: Is there a central site for submitting unknown samples to AV vendors,
>or do I really have to visit each AV vendor and search for a submit form?
>
>--
>"Things that try to look like things often do
>  look more like things than things. Well-known fact."
>Granny Weatherwax - "Wyrd sisters"


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
skype: trshaw
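One check a mail gateway can apply to the attachment Andreas describes (your_document.doc followed by many spaces and then .pif) is to look at the final extension after the padding. The Python below is an added example, not code from this thread or from DShield; the executable and decoy extension lists, the padding characters and the three-character threshold are assumptions chosen for illustration.

```python
# Flag attachment names that hide an executable extension behind a
# decoy document extension and a run of padding (constructed lists below).
EXEC_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"doc", "pdf", "txt", "jpg", "xls", "htm", "html", "zip"}
PAD_CHARS = " \t\u00a0_"  # whitespace and look-alike padding characters


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment file name.

    "block"  : executable extension hidden behind a padded or decoy extension
    "review" : plain executable extension, worth a second look
    "allow"  : no executable extension at all
    """
    pieces = filename.split(".")
    if len(pieces) < 2:
        return ("allow", "no extension")
    real_ext = pieces[-1].strip(PAD_CHARS).lower()
    if real_ext not in EXEC_EXTS:
        return ("allow", f"extension .{real_ext} is not executable")
    if len(pieces) >= 3:
        # The piece before the real extension is the decoy; a long run of
        # padding pushes the real extension out of view in mail clients.
        previous = pieces[-2]
        decoy = previous.rstrip(PAD_CHARS).lower()
        pad_len = len(previous) - len(previous.rstrip(PAD_CHARS))
        if pad_len >= 3:
            return ("block", f".{decoy} padded with {pad_len} chars before .{real_ext}")
        if decoy in DECOY_EXTS:
            return ("block", f"decoy .{decoy} followed by executable .{real_ext}")
    return ("review", f"executable extension .{real_ext}")


def scan_attachments(names: list[str]) -> list[tuple[str, str, str]]:
    """Classify a list of attachment names; returns (name, verdict, reason)."""
    return [(n, *classify_attachment(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample names, including the one from the thread.
    samples = [
        "your_document.doc" + " " * 40 + ".pif",
        "report.pdf",
        "photo.jpg.scr",
        "setup.exe",
    ]
    for name, verdict, reason in scan_attachments(samples):
        print(f"{verdict:6} {reason}  <- {name.strip()!r}")
```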

