Worms, Part 3
Sunday, April 22, 2007
So... it looks like Mr. Rinbot has decided to release a new version of the beastie through computers already infected with the recent Rinbot.BC variant. Symantec is supposedly detecting this one as Rinbot.BF, though the variant described in their write-up is NOT the same as the recent nasty, which runs from a file named "norantivirus.exe" in the Windows\System32 directory.
| Property | Value |
|---|---|
| File name | norantivirus.exe |
| File size | 252416 bytes |
| MD5 | e0fd62d3d4c0258547690524563d8419 |
| SHA1 | a63f017a3ab3405465ba90ba5377f30674aedbd3 |
| Packers | EXECryptor |

| Engine | Version | Last updated | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.4.21.0 | 04.20.2007 | no virus found |
| AntiVir | 7.3.1.53 | 04.22.2007 | BDS/VanBot.CN |
| Authentium | 4.93.8 | 04.20.2007 | no virus found |
| Avast | 4.7.981.0 | 04.21.2007 | no virus found |
| AVG | 7.5.0.464 | 04.22.2007 | Win32/CryptExe |
| BitDefender | 7.2 | 04.22.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 04.21.2007 | Backdoor.VanBot.cn |
| ClamAV | devel-20070416 | 04.23.2007 | no virus found |
| DrWeb | 4.33 | 04.22.2007 | BackDoor.IRC.Sdbot.1323 |
| eSafe | 7.0.15.0 | 04.22.2007 | Win32.VanBot.cn |
| eTrust-Vet | 30.7.3585 | 04.21.2007 | Win32/Nirbot.AZ |
| Ewido | 4.0 | 04.22.2007 | Backdoor.VanBot.cn |
| FileAdvisor | 1 | 04.23.2007 | no virus found |
| Fortinet | 2.85.0.0 | 04.23.2007 | W32/VanBot.BX!worm |
| F-Prot | 4.3.2.48 | 04.20.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 04.23.2007 | Backdoor.Win32.VanBot.cn |
| Ikarus | T3.1.1.5 | 04.23.2007 | Backdoor.Win32.VanBot.cn |
| Kaspersky | 4.0.2.24 | 04.23.2007 | Backdoor.Win32.VanBot.cn |
| McAfee | 5014 | 04.20.2007 | W32/Nirbot.worm.gen |
| Microsoft | 1.2405 | 04.23.2007 | no virus found |
| NOD32v2 | 2210 | 04.22.2007 | no virus found |
| Norman | 5.80.02 | 04.21.2007 | W32/Malware.PXQ |
| Panda | 9.0.0.4 | 04.22.2007 | no virus found |
| Prevx1 | V2 | 04.23.2007 | Malware.Trojan.Backdoor.Gen |
| Sophos | 4.16.0 | 04.20.2007 | W32/ExDns-Fam |
| Sunbelt | 2.2.907.0 | 04.19.2007 | no virus found |
| Symantec | 10 | 04.23.2007 | W32.Rinbot.BF |
| TheHacker | 6.1.6.095 | 04.15.2007 | no virus found |
| VBA32 | 3.11.4 | 04.21.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 04.22.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 04.23.2007 | Trojan.VanBot.CN |
In addition, it was found active on a system running a vulnerable version of Symantec Client Security, but with NEW definitions loaded -- and it was not detected by a manual scan, either. Strange. Many of the vulnerable systems have already been exploited, cleaned, and patched during the BC run, though, so this one may have a harder time of things. At least until there's a new 0-day to target and one dormant backdoored system remains on the network...
If nothing else, this is a reminder that a backdoor on a system is not just a risk for the user -- it's a backdoor into an entire network, and, conceivably, any and every computer on it.
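Since several of the engines above (including a freshly updated Symantec) missed this sample, a hash-based sweep for the indicators listed in the post is a useful second check. The following is an added example, not code from the original post: the file name, size, MD5 and SHA1 are the values given above; the sweep directory (System32, read from the `SystemRoot` environment variable), the chunk size and the separator handling for paths taken from an offline disk image are my own assumptions. A file-name hit on its own is treated as weak (the worm could be renamed, or an unrelated file could share the name); only a hash hit identifies this exact sample.

```python
"""Sweep a directory tree for the norantivirus.exe indicators from the post.

Added example, not the post's own tooling. IoC values are copied from the
post; the default sweep root and the test inputs are assumptions.
"""
import hashlib
import io
import os
from typing import BinaryIO, Dict, List, Tuple

# Indicators of compromise taken from the post's file summary.
IOC_FILENAME = "norantivirus.exe"
IOC_SIZE = 252416
IOC_MD5 = "e0fd62d3d4c0258547690524563d8419"
IOC_SHA1 = "a63f017a3ab3405465ba90ba5377f30674aedbd3"

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files are not read whole (assumed size)


def hash_stream(fh: BinaryIO) -> Tuple[str, str, int]:
    """Return (md5, sha1, size) for an open binary stream, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
        size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


def hash_bytes(data: bytes) -> Tuple[str, str, int]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data))


def matches_ioc(name: str, data: bytes) -> List[str]:
    """List the indicators a file matches, in a fixed order.

    'filename' and 'size' are weak indicators; 'md5' or 'sha1' is a
    positive match for the sample described in the post.
    """
    # Accept both Windows and POSIX separators so paths copied from an
    # offline image mounted on Linux still yield the right base name.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    md5, sha1, size = hash_bytes(data)
    hits: List[str] = []
    if base == IOC_FILENAME:
        hits.append("filename")
    if size == IOC_SIZE:
        hits.append("size")
    if md5 == IOC_MD5:
        hits.append("md5")
    if sha1 == IOC_SHA1:
        hits.append("sha1")
    return hits


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk `root` and report every file that matches at least one indicator."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    md5, sha1, size = hash_stream(fh)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            hits: List[str] = []
            if fname.lower() == IOC_FILENAME:
                hits.append("filename")
            if size == IOC_SIZE:
                hits.append("size")
            if md5 == IOC_MD5:
                hits.append("md5")
            if sha1 == IOC_SHA1:
                hits.append("sha1")
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    # Assumed sweep target: the System32 directory the post names.
    target = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path, hits in sweep(target).items():
        strength = "POSITIVE" if ("md5" in hits or "sha1" in hits) else "weak"
        print(f"{strength}: {path} matched {', '.join(hits)}")
```

Run it on the live host or point `sweep()` at the mount point of an offline image; anything reported as POSITIVE is the exact sample from the post, while a weak hit only says that a file with the same name or size exists and should be looked at by hand.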
- David
posted by David @ 7:23 PM
