[Emerging-Sigs] Possible mislabeled Sig's Current Events?

Jeremy cjeremy at gmail.com
Sat Jan 5 20:02:49 EST 2008


Well I only checked this one: VideoAccessCodecInstall.exe which is
identified by VirusTotal as Zlob:
http://www.virustotal.com/analisis/19399e1d8b9a61465adff81cefc32e13

Summary: Zlob
##################################################################
File VideoAccessCodecInstall.exe received on 01.06.2008 01:48:06 (CET)

Antivirus;Version;Last Update;Result
Avast;4.7.1098.0;2008.01.05;Win32:Zlob-AHQ
eSafe;7.0.15.0;2008.01.03;suspicious Trojan/Worm
Microsoft;1.3109;2008.01.05;Adware:Win32/SmitFraud
Panda;9.0.0.4;2008.01.05;Suspicious file

Additional information
File size: 60960 bytes
MD5: 74844b99c47a5cf431c20f74b7f60579
SHA1: 850d51845c3ab575b26d66d1cedb86f055fb52f6
PEiD: UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX_LZMA
###################################################################

Here are the latest Storm worm results from VirusTotal
(happy_2008.exe):
http://www.virustotal.com/analisis/35d7934efcc34bed3019b5af096fc8bd

Summary: Storm/Peed/Nuwar/Tibs/Peacomm
####################################################################
File happy_2008.exe received on 01.06.2008 01:39:47 (CET)

Antivirus;Version;Last Update;Result
AntiVir;7.6.0.46;2008.01.04;TR/Crypt.XDR.Gen
BitDefender;7.2;2008.01.06;Trojan.Peed.IRX
DrWeb;4.44.0.09170;2008.01.05;Trojan.Spambot.2559
eTrust-Vet;31.3.5432;2008.01.04;Win32/Sintun!generic
Fortinet;3.14.0.0;2008.01.05;W32/Tibs.G@mm
F-Prot;4.4.2.54;2008.01.05;W32/Stormworm.A.gen!GSA
Kaspersky;7.0.0.125;2008.01.06;Email-Worm.Win32.Zhelatin.qe
McAfee;5200;2008.01.04;W32/Nuwar@MM
Microsoft;1.3109;2008.01.05;Backdoor:Win32/Nuwar.gen!A
NOD32v2;2766;2008.01.04;probably a variant of Win32/Nuwar
Norman;5.80.02;2008.01.04;Tibs.BGDI
Panda;9.0.0.4;2008.01.05;Suspicious file
Sophos;4.24.0;2008.01.05;Mal/Dorf-H
Symantec;10;2008.01.06;Trojan.Peacomm.D
Webwasher-Gateway;6.6.2;2008.01.04;Trojan.Crypt.XDR.Gen

Additional information
File size: 142336 bytes
MD5: 6e182b2d3c48c98ce5b22f1730cfbb15
SHA1: c7e29751f092f9881ef1e3043877f3e7246a6434
PEiD: -
########################################################################

--jeremy




On Jan 5, 2008 7:20 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> I was thinking that as well, but the AV results are Tibs, Peacomm,
> Storm, Sintun, etc. The AV industry's difficult way of saying Storm.
>
> Matt
>
>
> Jeremy wrote:
> > Aren't these all Zlob associated files and not storm?
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (VideoAccessCodecInstall.exe)"; flow:established,to_server;
> > uricontent:"/VideoAccessCodecInstall.exe"; nocase; sid:2007729;
> > rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (codecultra1123.exe)"; flow:established,to_server;
> > uricontent:"/codecultra"; nocase; uricontent:".exe"; nocase;
> > sid:2007730; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (codecultra1123.dmg)"; flow:established,to_server;
> > uricontent:"/codecultra"; nocase; uricontent:".dmg"; nocase;
> > sid:2007731; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (codecnice1126.exe)"; flow:established,to_server;
> > uricontent:"/codecnice"; nocase; uricontent:".exe"; nocase;
> > sid:2007732; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (codecnice1126.dmg)"; flow:established,to_server;
> > uricontent:"/codecnice"; nocase; uricontent:".dmg"; nocase;
> > sid:2007733; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (Install_video_3913230.exe)"; flow:established,to_server;
> > uricontent:"/Install_video_"; nocase; uricontent:".exe"; nocase;
> > sid:2007734; rev:1;)
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> > (virusranger.exe)"; flow:established,to_server;
> > uricontent:"/virusranger.exe"; nocase; sid:2007735; rev:1;)
> >
> >
> > --jeremy
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Fax 61-29-4750-026
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
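The disagreement in this thread (a rule labelled "Likely Storm Binary" for a file that scanners call Zlob) is the kind of thing that can be checked mechanically: parse the semicolon-separated VirusTotal result block, map each vendor's detection name to a family through an alias table, and compare the consensus with the family named in the rule's msg. The script below is an added example, not code from the list or from Emerging Threats. The alias table is an assumption built only from the names that appear in the two result blocks above (Tibs, Peacomm, Nuwar, Zhelatin, Peed, Dorf, Sintun and Stormworm for Storm; Zlob and SmitFraud for Zlob), and the two sample inputs are constructed from those same blocks.

```python
"""Check a signature's family label against VirusTotal-style scan results.

Added example for the Emerging-sigs thread above; not list or ET code.
The alias table is an assumption taken from the vendor names quoted in
the thread. Extend it for other families before relying on it.
"""
import csv
import io
from collections import Counter

# Assumed alias table: lowercase substrings of vendor detection names -> family.
FAMILY_ALIASES = {
    "storm": ("storm", "peacomm", "nuwar", "tibs", "zhelatin", "peed", "dorf", "sintun"),
    "zlob": ("zlob", "smitfraud"),
}

# Sample input constructed from the VideoAccessCodecInstall.exe block in the thread.
ZLOB_SAMPLE = """Antivirus;Version;Last Update;Result
Avast;4.7.1098.0;2008.01.05;Win32:Zlob-AHQ
eSafe;7.0.15.0;2008.01.03;suspicious Trojan/Worm
Microsoft;1.3109;2008.01.05;Adware:Win32/SmitFraud
Panda;9.0.0.4;2008.01.05;Suspicious file
"""

# Sample input constructed from the happy_2008.exe block in the thread.
STORM_SAMPLE = """Antivirus;Version;Last Update;Result
AntiVir;7.6.0.46;2008.01.04;TR/Crypt.XDR.Gen
BitDefender;7.2;2008.01.06;Trojan.Peed.IRX
DrWeb;4.44.0.09170;2008.01.05;Trojan.Spambot.2559
eTrust-Vet;31.3.5432;2008.01.04;Win32/Sintun!generic
Fortinet;3.14.0.0;2008.01.05;W32/Tibs.G@mm
F-Prot;4.4.2.54;2008.01.05;W32/Stormworm.A.gen!GSA
Kaspersky;7.0.0.125;2008.01.06;Email-Worm.Win32.Zhelatin.qe
McAfee;5200;2008.01.04;W32/Nuwar@MM
Microsoft;1.3109;2008.01.05;Backdoor:Win32/Nuwar.gen!A
NOD32v2;2766;2008.01.04;probably a variant of Win32/Nuwar
Norman;5.80.02;2008.01.04;Tibs.BGDI
Panda;9.0.0.4;2008.01.05;Suspicious file
Sophos;4.24.0;2008.01.05;Mal/Dorf-H
Symantec;10;2008.01.06;Trojan.Peacomm.D
Webwasher-Gateway;6.6.2;2008.01.04;Trojan.Crypt.XDR.Gen
"""


def parse_results(text):
    """Parse an 'Antivirus;Version;Last Update;Result' block into row dicts."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)), delimiter=";")
    # Rows with no Result column (short or malformed lines) are dropped.
    return [row for row in reader if row.get("Result")]


def family_of(name):
    """Map one detection name (or rule msg) to a family; None if no alias matches."""
    lowered = name.lower()
    for family, aliases in FAMILY_ALIASES.items():
        if any(alias in lowered for alias in aliases):
            return family
    return None


def classify(text):
    """Return (consensus family or None, Counter of family votes, number of rows).

    Generic verdicts such as 'Suspicious file' or 'TR/Crypt.XDR.Gen' match no
    alias and therefore cast no vote; they still count toward the row total.
    """
    rows = parse_results(text)
    votes = Counter()
    for row in rows:
        family = family_of(row["Result"])
        if family:
            votes[family] += 1
    consensus = votes.most_common(1)[0][0] if votes else None
    return consensus, votes, len(rows)


def signature_label_agrees(rule_msg, results_text):
    """True if the family named in a rule msg matches the scan consensus.

    Returns False both when the families differ and when either side has
    no recognisable family, so an unknown label is never silently accepted.
    """
    labelled = family_of(rule_msg)
    consensus, _, _ = classify(results_text)
    return labelled is not None and labelled == consensus


if __name__ == "__main__":
    for name, sample in (("VideoAccessCodecInstall.exe", ZLOB_SAMPLE),
                         ("happy_2008.exe", STORM_SAMPLE)):
        consensus, votes, total = classify(sample)
        print(f"{name}: consensus={consensus} votes={dict(votes)} of {total} results")
    msg = "Likely Storm Binary Requested (VideoAccessCodecInstall.exe)"
    print("rule label agrees with scan results:", signature_label_agrees(msg, ZLOB_SAMPLE))
```

Run it directly and it reports a Zlob consensus for the first block and a Storm consensus for the second, and flags the "Likely Storm Binary" msg on the VideoAccessCodecInstall.exe rule as disagreeing with the scan results. Substring matching on vendor names is deliberately loose; when you extend the alias table, watch for short aliases that could match unrelated detection names.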

