VS0601006 Possible new malware [Ranky and Sdbot Dropper]
Data on a sample of a suspected new malware being spread via SMB.
This was caught by my WormCharmer.
I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.
One copy has been trapped so far.
I haven’t had a chance to test it on a goat system yet.
============================================================
Details:
FileName: moonshine.exe
FileDateTime: 27/01/2006 09:19:52
Filesize: 164870
MD5: e382af0f14c12563cfea229b9cacba66
CRC32: 3099EBB0
File Type: PE Executable RAR
Scan report of: moonshine.exe
@Proventia-VPS -
AntiVir -
Avast! -
AVG Packed.gen
BitDefender Backdoor.SDBot.532451D8
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee Downloader-PS trojan
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Backdoor.Win32.SdBot.gen
VirusBuster -
YY_Spybot -
============================================================
Drops:
============================================================
FileName: ciaraf.exe
FileDateTime: 25/01/2006 17:43:01
Filesize: 35391
MD5: b75c6b285daf3fb97b12ab328b5d11c0
CRC32: 6B9FB36B
File Type: PE Executable
Scan report of: ciaraf.exe
@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender Backdoor.SDBot.532451D8
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan (variant)
Norman Bofra.C@mm
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 Backdoor.Win32.SdBot.gen
VirusBuster -
YY_Spybot -
============================================================
FileName: fciara.exe
FileDateTime: 25/01/2006 17:43:41
Filesize: 36864
MD5: b9cd72ee34e9d16eb35bfa3541a1deae
CRC32: E0ED83F5
File Type: PE Executable
Packer: Standard PE File
Scan report of: fciara.exe
@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Agent.AR
Avast! -
AVG Packed.gen
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV -
Command -
Dr Web BackDoor.DarkMoon.66
eSafe Win32.Darkmoon.bw
eTrust-INO Win32/NTPacker.B!Trojan
eTrust-INO (BETA) Win32/NTPacker.B!Trojan
eTrust-VET Win32/NTPacker.B
eTrust-VET (BETA) Win32/NTPacker.B
Ewido Backdoor.Bifrose.d
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet W32/Bifrose.D-bdr
Fortinet (BETA) W32/Bifrose.D-bdr
Ikarus Net-Worm.Win32.Mytob.BI
Kaspersky -
McAfee Downloader-PS trojan
McAfee (BETA) Downloader-PS trojan
Nod32 Win32/TrojanDropper.ErPack trojan
Norman -
Panda -
Panda (BETA) Trj/Ranky.LL
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Backdoor.PcClient.34 (suspected)
VirusBuster -
YY_Spybot -
============================================================
The following updates have been used for the test (all times in GMT):
@Proventia-VPS VPS.rar 2005-12-31 23:59
AntiVir ifusebundle_de.zip 2006-01-30 07:58
Avast! 400.vps 2006-01-28 23:47
AVG avg7mmav375a699.zip 2006-01-27 11:53
BitDefender cumulative.zip 2006-01-30 08:25
ClamAV daily.cvd 2006-01-30 09:09
Command DEFFILES.ZIP 2006-01-28 17:51
Dr Web drwtoday.zip 2006-01-29 20:43
eSafe com_evsvsp_vtest.upd 2006-01-29 12:51
eTrust-INO fi_nt86.exe 2006-01-29 15:40
eTrust-INO (BETA) fi_nt86.exe 2006-01-29 13:50
eTrust-VET fv_nt86.exe 2006-01-30 04:35
eTrust-VET (BETA) fv_nt86.exe 2006-01-30 02:12
Ewido ewidoscan.zip 2006-01-29 16:12
F-Prot fp-def.zip 2006-01-28 16:49
F-Secure latest.zip 2006-01-30 08:29
F-Secure (BETA) latest.zip 2006-01-30 08:10
Fortinet vir_high 2006-01-30 01:06
Fortinet (BETA) vir_high 2006-01-30 08:23
Ikarus pd060127.exe 2006-01-27 16:42
Kaspersky daily.zip 2006-01-30 09:07
McAfee dat-4684.zip 2006-01-27 18:33
McAfee (BETA) win_netware_betadat.zip 2006-01-30 08:25
Nod32 minnt.exe 2006-01-29 13:37
Norman nvc5oem.zip 2006-01-30 08:33
Panda pav.zip 2006-01-29 13:51
Panda (BETA) pav.zip 2006-01-30 09:04
QuickHeal qhadvdef.zip 2006-01-27 17:15
Sophos ides.zip 2006-01-30 04:54
Symantec 20060129-004-i32.exe 2006-01-29 22:05
Symantec (BETA) symrapidreleasedefsi32.exe 2006-01-30 08:35
Trend Micro lpt183.zip 2006-01-30 04:32
Trend Micro (BETA) lpt184.zip 2006-01-30 05:16
VBA32 vba32w-latest.rar 2006-01-29 23:48
VirusBuster vbuster8.vdb 2006-01-29 15:46
YY_Spybot includes.zip 2006-01-27 10:04
============================================================
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/vsub/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
