TROJAN UNDETECTED BY AD-AWARE

Discussion in 'Computer Security' started by sam1967, Feb 18, 2004.

  1. sam1967

    sam1967 Guest

    I picked up a trojan called rem2c4.exe which is not picked up by AVG
    or Ez-av or ad-aware.
    When run it connects to a gambling website.
    Should I send it anywhere for analysis?
    It is 212 kb.
     
    sam1967, Feb 18, 2004
    #1

  2. You can submit it to AVERT/McAfee at: https://www.webimmune.net/default.asp

    or you can ZIP the file with the password: infected

    Then email it to:

    In the US, send to:
    In the UK, send to:
    In Germany send to:
    In Japan send to:
    In Australia send to:
    In the Netherlands:

    http://vil.nai.com/vil/submit-sample.asp

    In addition...
    If you post to UseNet with your TRUE (not munged) email address, then you are inviting the
    Swen worm to visit you.

    Swen is "news" spelled backwards. The reason it is called this is because the Swen worm
    harvests email addresses from UseNet News Groups. It has an engine that allows it to post
    itself to UseNet News Groups, and it also has its own email engine. From the list of
    email addresses that it has harvested, it will then email itself to those addresses.


    Dave



    | I picked up a trojan called rem2c4.exe which is not picked up by AVG
    | or Ez-av or ad-aware.
    | when run it connects to a gambling website.
    | should I send it anywhere for analysis ?
    | it is 212 kb.
    |
     
    David H. Lipman, Feb 18, 2004
    #2

  3. sam1967

    sam1967 Guest

    Of course I don't use a real email address.
    This trojan was downloaded automatically from a web site (I use Opera,
    but Opera is blameless).
    The web site I visited was a warez site, and it first downloaded a 7k
    downloader trojan called small.download.h, which AVG identified straight
    away.
    I turned off AVG and ran this 7k trojan to see what it would do.
    It contacted a download site (casino stuff etc.) and downloaded its big
    brother called rem2c4.exe, which connected to the same web site.
    I didn't analyse the packets to see what it was sending.
    Funny thing is, rem2c4.exe won't run now. Maybe it only runs at
    certain times of the day.
    AVG, ad-aware, spybot and EZ-AV were unable to identify it as harmful.
    I'll post it off as you recommend.
     
    sam1967, Feb 18, 2004
    #3
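The two posts above describe a sample that was submitted for analysis (post #2) and then executed with the antivirus switched off to see what it contacted (post #3). The following is an added example, not code from this thread or from any of the tools named in it: a static first-pass triage that records the hashes a submission form asks for and pulls embedded strings, URLs and suspicious API names out of the file without running it. The `SAMPLE` bytes, the hostname `casino-downloads.example` and the path names in them are constructed stand-ins, not the real rem2c4.exe.

```python
import hashlib
import json
import re

# Constructed stand-in for a downloaded sample (NOT the real rem2c4.exe).
# A real run would read the file from disk instead:  data = open(path, "rb").read()
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02\x03This program cannot be run in DOS mode.\r\n"
    b"\x7f\x00\x00\x00http://casino-downloads.example/get.php?id=7\x00"
    b"\x05\x05\x05WinExec\x00URLDownloadToFileA\x00"
    b"\x00\x00C:\\WINDOWS\\rem2c4.exe\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

MIN_LEN = 6                                         # like `strings -n 6`
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)   # runs of printable ASCII
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"']*)?")
# Win32 imports commonly seen in small downloaders; a hit is a hint, not a verdict.
SUSPECT_APIS = {b"URLDownloadToFileA", b"WinExec", b"ShellExecuteA", b"CreateProcessA"}


def hashes(data: bytes) -> dict:
    """Identifiers a sample-submission form typically asks for."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def printable_strings(data: bytes) -> list:
    """All printable-ASCII runs of at least MIN_LEN bytes, in file order."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(data)]


def extract_urls(data: bytes) -> list:
    """Distinct http(s) URLs embedded in the file (the sites it may contact)."""
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(data)})


def triage(data: bytes) -> dict:
    """Static triage report: nothing here executes the sample."""
    strs = printable_strings(data)
    return {
        **hashes(data),
        "is_pe": data[:2] == b"MZ",                # DOS/PE header magic
        "urls": extract_urls(data),
        "suspect_apis": sorted(s for s in strs if s.encode() in SUSPECT_APIS),
        # Run-key path strings suggest the sample wants to survive a reboot.
        "persistence_hints": [s for s in strs if "CurrentVersion\\Run" in s],
        "strings": strs,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The report answers the questions raised in the thread (what does it contact, does it persist, what do I send with the sample) from the file alone; anything that still needs dynamic observation can then be done on an isolated box, which is the point made later in the thread.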
  4. sam1967

    Gary Guest


    I have a puzzle. I have never munged my e-mail address, and I have never
    gotten a virus or other malware (except one I dumbly "invited" in by opening
    a file I asked my brother to send to me to check out). Does my firewall and
    active AVG protect me that well? Or am I "lucky" some way? I'm glad, but I
    wonder why I have never had any uninvited trouble. (It sounds like I'm
    complaining for being left alone. I'll probably get it in spades now.)
     
    Gary, Feb 18, 2004
    #4
  5. sam1967

    null Guest

    You receive worm attackments via email when your email addy exists on
    the PCs of infested users. The number of these you receive depends on
    the number of infested users that have your email addy on their PCs.
    If you are fairly new to the internet and/or you don't have a web site
    with your email addy available there, you'll rarely receive any email
    attackments. The _receipt_ of these via email has nothing to do with
    your firewall and antivirus program(s). Some users avoid _seeing_ them
    by using automated "email washers" :) But they still _receive_ them.
    Only your ISP can literally block them and keep them off your email
    server, if that service is provided.

    Now, Dave has explained harvesting email addys from newsgroups in the
    case of Swen. If you've been posting on newsgroups with your real
    addy, you can bet that infested users are inadvertently harvesting
    your addy, and you can expect to receive some of those particular
    attackments. Currently, I'm not receiving any even though my wife has
    our real email addy published at her web site, and we receive tons of
    email from all kinds of users via her various genealogy lists. Our
    receipts of attackments vary considerably. Each worm activity dies
    down after a time.

    Munging has long been done to reduce spam, and only somewhat recently
    to cut down on the received volume of the new breeds of internet
    worms.


    Art
    http://www.epix.net/~artnpeg
     
    null, Feb 18, 2004
    #5
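Posts #2 and #5 explain why addresses get munged: a worm harvests whatever looks like an address from newsgroup text and mails itself to it. This added example (not code from the thread) shows the two munging styles that appear in the thread's own signatures and what a simple address-pattern scan extracts from each. The `SIGNATURE` text and the `example.*` addresses are constructed; the `CLOTHES` token is the one used in the signature lines above.

```python
import re

# Constructed sample of signature lines, not quoted from the thread.
SIGNATURE = """\
Laura Fredericks
Remove CLOTHES to reply: lauraCLOTHES@example.net
Art -- art at example dot org
Gary <gary@example.com>
"""

# The bare-address pattern an automated harvester applies to message text.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def munge(addr: str, token: str = "CLOTHES") -> str:
    """Token munging: sam@example.net -> samCLOTHES@example.net (a human removes the token)."""
    local, domain = addr.rsplit("@", 1)
    return f"{local}{token}@{domain}"


def demunge(addr: str, token: str = "CLOTHES") -> str:
    """Reverse of munge(): strip the first occurrence of the token."""
    return addr.replace(token, "", 1)


def spell_out(addr: str) -> str:
    """Spelled-out munging: art@example.org -> 'art at example dot org'."""
    local, domain = addr.rsplit("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def harvest(text: str) -> list:
    """Addresses a pattern scan would pull out of the text, in order of appearance."""
    return ADDRESS_RE.findall(text)


def exposed(real_addr: str, text: str) -> bool:
    """True if the real, deliverable address itself is among the harvested strings."""
    return real_addr in harvest(text)


if __name__ == "__main__":
    print("harvested:", harvest(SIGNATURE))
    for real in ("laura@example.net", "art@example.org", "gary@example.com"):
        print(f"{real:20} exposed={exposed(real, SIGNATURE)}")
```

The run shows the trade-off: the token-munged address is still harvested, but as a non-existent mailbox, so the worm's copy goes nowhere near the real account; the spelled-out form is not harvested at all but cannot be clicked; the unmunged address in angle brackets is harvested exactly as it is delivered.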
  6. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Idiot.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2
    Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

    iQA/AwUBQDOPCaRseRzHUwOaEQLpEwCg3wmWcUAAXD6uvHyr3r6BboxMM1AAoOGk
    UkqqD3U9VNccS2om/Uruli3i
    =7g4u
    -----END PGP SIGNATURE-----

    --
    Laura Fredericks
    PGP key ID - DH/DSS 2048/1024: 0xC753039A

    alt.comp.virus photo gallery:
    http://www.queenofcyberspace.com/acvgallery/

    usenet flamewars:
    http://www.queenofcyberspace.com/usenet/

    Remove CLOTHES to reply.
     
    Laura Fredericks, Feb 18, 2004
    #6
  7. sam1967

    Gladys Pump Guest

    You or him?

    Regs, Pete.
     
    Gladys Pump, Feb 18, 2004
    #7
  8. sam1967

    sam1967 Guest

    Thanks Laura. Keep your informed posts coming.
    Ever considered that some people are not as afraid of virii/trojans as
    others and have enough analysis tools to handle them and run them if
    they are curious enough?
     
    sam1967, Feb 18, 2004
    #8
  9. sam1967

    johns Guest

    It doesn't matter what you do. AdAware and Spybot
    know all about the droppers .. and they do nothing.
    Don't believe me? Go get Bargain Buddy and see if
    AdAware or Spybot can remove it ... same exact
    thing. Those programs are only removing part of the
    problem .. so your system will be constantly reinfected.

    johns
     
    johns, Feb 18, 2004
    #9
  10. sam1967

    Leythos Guest

    With Spybot Search and Destroy being a free application, you can't
    really complain about it.

    I find that SBS&D removes about 99.9% of the things home users get hit
    with. The rest of it is stuff they installed while not understanding
    what they were doing.

    If you know something about a "dropper" and are just here complaining,
    then how about a different track - post a note to the developer of
    SBS&D on his site and tell him about it. I'm sure that he will add it to
    the collection of almost 13,000 things SBS&D does handle.
     
    Leythos, Feb 18, 2004
    #10
  11. sam1967

    werner stern Guest

    This is scumware and if you find it delete it. Anytime you go on a warez
    site you need to clean your computer up afterwards. That's what night time
    is for: running all kinds of cleaning programs. Most are free, and you should
    set up a separate desktop just loaded with these programs.

    Spybot should take care of this one.
     
    werner stern, Feb 18, 2004
    #11

  12. Anyone who needs to ask "where to send it to" is by no means someone
    capable of doing proper analysis.



    --
    John Holstein,
    http://www.cotse.net
    A very unique privacy service, no other service
    compares. E-mail, Usenet, Anon Proxies, Web Hosting,
    and more. No one gives you more control over your
    e-mail than we do!
    http://www.cotse.net/servicedetails.html

    New Online Store:
    www.cotse.com/store
     
    Colonel Flagg, Feb 18, 2004
    #12
  13. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I see. You forgot to mention that you ran it from a
    test box, i.e. a stand-alone pc that isn't networked
    to other computers and doesn't have an always-on
    internet connection like cable or dsl, and in fact,
    doesn't have a dial-up modem attached, either.

    Thanks for clearing that up.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2
    Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

    iQA/AwUBQDP5HaRseRzHUwOaEQK3OQCfcPZ2Gu/MO3j6s1i33bzxqb992YkAoN6t
    UfRDn+Yjk9yS8pKDM+KY0CHJ
    =Z/8R
    -----END PGP SIGNATURE-----

    --
    Laura Fredericks
    PGP key ID - DH/DSS 2048/1024: 0xC753039A

    alt.comp.virus photo gallery:
    http://www.queenofcyberspace.com/acvgallery/

    usenet flamewars:
    http://www.queenofcyberspace.com/usenet/

    Remove CLOTHES to reply.
     
    Laura Fredericks, Feb 18, 2004
    #13
  14. sam1967

    Offbreed Guest

    <G>, True, but people have to start somewhere to learn.

    Although, in this case, lessons 1 - 10 should involve searching Google.
     
    Offbreed, Feb 19, 2004
    #14
  15. Sam 1967:

    Please read the following URL:
    http://www.perl.com/language/misc/virus.html

    Thanx...
    Dave



    | On Wed, 18 Feb 2004 16:13:10 GMT, Laura Fredericks
    |
    | >-----BEGIN PGP SIGNED MESSAGE-----
    | >Hash: SHA1
    | >
    | >On Wed, 18 Feb 2004 12:55:37 +0000,
    | >>i turned off AVG and ran this 7k trojan to see what
    | >>it would do.
    | >
    | >Idiot.
    | >
    | Thanks Laura. Keep your informed posts coming.
    | Ever considered that some people are not as afraid of virii/trojans as
    | others and have enough analysis tools to handle them and run them if
    | they are curious enough?
    |
    |
     
    David H. Lipman, Feb 19, 2004
    #15
  16. sam1967

    optikl Guest

    Well, I guess you found out, eh?
     
    optikl, Feb 19, 2004
    #16
  17. sam1967

    optikl Guest

    This guy must think he's Super Dave Osbourne.
     
    optikl, Feb 19, 2004
    #17
  18. Oh, that's BS. I can do the analysis (and frequently do as part of my
    work), but I do not know right off the top of my head where to send it,
    though I can guess or "google" it.
     
    NoneOfBusiness, Feb 19, 2004
    #18
  19.  
    Colonel Flagg, Feb 19, 2004
    #19
  20. sam1967

    Tracker Guest

    of course i dont use a real email address.
    You can "NEVER" trust a warez website, nor any website or newsgroup which hackers list on Usenet,
    since most are owned by malicious hackers. The malicious hackers post in Security, Anti-Virus
    and Hackers Newsgroups, Egroups and Message Boards, along with Telnet IP listings, to name a
    few. I exposed someone's hacker website listing, where the hacker wanted to learn from, and the
    files had four Backdoors. Beware, all, if you want to learn how to hack. No AVG, ad-aware or
    spybot can protect you, and PLEASE learn this.

    Tracker
     
    Tracker, Feb 19, 2004
    #20
