Be your own antivirus scanner!



January 30th, 2006

It's vitally important to be your own antivirus scanner because antivirus programs can be a bit slow on the uptake.

Here's an example of why.

About an hour ago I got the following email:

Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of the Guardians business section. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Kind regards,

William Morrison

Editor

www.Guardian.com

This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sende

[Image: Wormy email]

Now there were a few telltales in that email that made me suspicious.  The email had made it all the way through my defenses but that doesn't mean anything.  It was still suspect:

  • It was sent to me by someone I don't know.
  • They obviously don't know me (just a plain "Hello" greeting gives that away).
  • The Guardian newspaper website is not the .com but .co.uk.
  • I've never submitted a photo to them.
  • The "privileged info" stuff in the footer of the email was cut off.

The email had two attachments:

  • A Zip file
  • A text file (that was blank)

OK.  I'm suspicious but I'm also curious.  I save the Zip file to my PC and open it with WinZip (rather than double-clicking on it I right-clicked on it and selected Open with ... and picked WinZip).

Inside the Zip file was a file - an executable file!

[Image: Wormy email]

Hmmm ... my spider senses were truly tingling by now.  Careful not to run it, I extracted the file into a folder and saw an .exe file that had the icon of a PDF document.

[Image: Wormy email]

Sneaky.

I ran a manual scan of the file using Norton AntiVirus 2006 with up-to-date definitions but still it came up clean:

[Image: Wormy email]

Now my suspicions were high so I turned to a very useful service run by VirusTotal.com.  These folks have a great service where you can send them a suspicious file by email (to [email protected], adding the word SCAN to the subject line) and they will automatically scan it with a variety of scanners for you.

I did this and got the following result:

Results of a file scan

This is a report processed by VirusTotal on 01/30/2006 at 18:50:09 (CET) after scanning the file "Photo and Article.exe" file.

Antivirus           Version         Update      Result
AntiVir             6.33.0.81       01.30.2006  Worm/Breplibot.I
Avast               4.6.695.0       01.30.2006  no virus found
AVG                 718             01.30.2006  no virus found
Avira               6.33.0.81       01.30.2006  no virus found
BitDefender         7.2             01.30.2006  BehavesLike:Win32.IRC-Backdoor
CAT-QuickHeal       8.00            01.27.2006  (Suspicious) - DNAScan
ClamAV              devel-20051123  01.30.2006  Trojan.Brepibot.P
DrWeb               4.33            01.30.2006  no virus found
eTrust-InoculateIT  23.71.63        01.29.2006  no virus found
eTrust-Vet          12.4.2060       01.30.2006  no virus found
Ewido               3.5             01.30.2006  no virus found
Fortinet            2.54.0.0        01.30.2006  suspicious
F-Prot              3.16c           01.30.2006  security risk named W32/Brepibot.U
Ikarus              0.2.59.0        01.30.2006  no virus found
Kaspersky           4.0.2.24        01.30.2006  Backdoor.Win32.Breplibot.z
McAfee              4684            01.27.2006  no virus found
NOD32v2             1.1388          01.30.2006  probably a variant of Win32/IRCBot.PH
Norman              5.70.10         01.30.2006  no virus found
Panda               9.0.0.4         01.30.2006  Suspicious file
Sophos              4.02.0          01.30.2006  Troj/Stinx-Q
Symantec            8.0             01.30.2006  no virus found
TheHacker           5.9.3.084       01.29.2006  no virus found
UNA                 1.83            01.27.2006  no virus found
VBA32               3.10.5          01.30.2006  suspected of Backdoor.xBot.11

Bingo! The confirmation I was waiting for!  Symantec didn't pick up on it but a number of others did.  Even though the file passed my defences it was still a nasty one and could have meant problems if I'd run it.
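As an added example (not from the original post), here is a small Python triage script that does in code what the post does by hand: it lists the members of a zip attachment in memory without extracting or running anything, flags an executable that is dressed up as a photo or document, and hashes each member so it can be looked up against a multi-engine scanner by hash rather than by mailing the sample around. The archive contents are constructed stand-ins; the real "Photo and Article.exe" is not reproduced.

```python
import hashlib
import io
import zipfile

# Extensions Windows will run on double-click (non-exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Words commonly used to make an executable look like harmless content.
DOCUMENT_WORDS = ("photo", "article", "picture", "invoice", "document")
# Refuse to inflate oversized members into memory (cheap zip-bomb guard).
MAX_MEMBER_BYTES = 32 * 1024 * 1024


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a fake PE named like a photo
    plus the blank text file. Not the real sample from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Photo and Article.exe", b"MZ" + b"\x00" * 58 + b"PE\x00\x00")
        zf.writestr("notes.txt", b"")
    return buf.getvalue()


def triage_zip(data: bytes) -> list[dict]:
    """Inspect every member in memory (nothing is written or executed) and
    return its name, SHA-256 (for a hash lookup against a multi-engine
    scanner) and the reasons, if any, that it looks like a disguised program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": name, "sha256": None, "reasons": ["too large to inspect"], "suspicious": True})
                continue
            content = zf.read(info)
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if content[:2] == b"MZ":  # DOS/PE header, regardless of what the icon or name claims
                reasons.append("PE/DOS header (MZ) at offset 0")
            if reasons and any(w in name.lower() for w in DOCUMENT_WORDS):
                reasons.append("program named like a photo or document")
            findings.append({"name": name, "sha256": hashlib.sha256(content).hexdigest(),
                             "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", repr(f["name"]), "; ".join(f["reasons"]))
```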

Now all I need to do is to figure out how an email address that I have only ever used with Nikon got into the wild and was used to send me a dodgy payload!

This entry was posted on Monday, January 30th, 2006 at 18:51 and is filed under Stay Secure.