RE: Potential New Virus
From: Mark O'Neil <MarkO(at)compusmartvan.com>
Date: Tue Nov 12 2002 - 11:55:20 EST
-----Original Message-----
Justin Bloom <shock@shock.ddts.net> replied to me:

> > > TROJ/Topmine.A 5 24.71.228.144 2002-11-02 18:32 2002-11-02

Dude, I know that... In fact, it's kinda my job to know such things... And as I said, I had 20-odd scanners check a sample (I just double-checked and it was 22 scanners). The first time I checked, the names returned were TrojanClicker.Win32.Zasil, Trojan.Mine.46080, Downloader-BN.dr and Win32.TrojanRunner.L.

Some comments...

The TrojanClicker.Win32.Zasil and Win32.TrojanRunner.L names are "best", as the EXE that was being mailed around actually drops an "ad clicker Trojan". Aside from dropping and running its "payload" EXE, the dropper code also displays a bad picture of an ugly, naked middle-aged woman. Thus, the "TrojanClicker" name is not bad, as it describes the functionality of what you really end up with if you run the delivery (dropper) EXE.

The TrojanRunner name is not bad, as it describes the "wrapper" around the actual Trojan (that product detected the dropper "wrapper" but not the thing that was dropped -- no problem so long as you had its on-access component running and set to prevent access to detected objects).

The non-standard ".dr" modifier on the Downloader-BN.dr name may seem like a reasonable hit, but the EXE that is dropped is not a "downloader" in the usual sense. It does pull a file from a web server, but does not execute it as "real" downloaders do -- that file tells it the URL(s) to access and thus rack up page impressions or click-throughs for the owner (and presumably, the writer or shipper of the Trojan).

As to my original question -- it seems "TopMine" is a name someone at MessageLabs made up all by themselves...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Received on Tue Nov 12 14:11:56 2002