Other MALWARES Part 13
Most of these malwares try to install themselves and are easily blocked by the "Trojan Generic" procative alert.
Some malwares only open connections, and are not blocked by the proactive module (F1 results).
Unfortunately, most .jpg has been lost for most of these sample tests.
-BacktoDemon: P1/P2
-Wolf telnEt backdoor (Backdoor.Win32 Wolf.14): P1/P2
-Trojan Downloader DSWeb: P1/P2
-Backdoor AnalFTP: F1/P2
-Backdoor Bushtrommel: P1/P2
-Lame Rat: P1/P2
-Elite Rat: P1/P2
-PsyRat: P1/P2
-NetControl: P1/P2
-SkryptyRat: P1/P2
The malware was not known by Kaspersky lab during the test (2006/08), but the PDM has done its job (trojan generic).
-TequilaBandita (Win32 Banitos): P1/P2
-Trojan INotifier: P1/P2
-ConsoleDevil backdoor: P1/P2
Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Downloader.10788
AntiVir 7.4.0.29 06.01.2007 TR/Hijack.Explor.273
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Avast 4.7.997.0 06.01.2007 Win32:Small-APV
AVG 7.5.0.467 06.01.2007 BackDoor.Generic3.CKI
BitDefender 7.2 06.02.2007 Backdoor.Small.CP
CAT-QuickHeal 9.00 06.01.2007 no virus found
ClamAV devel-20070416 06.02.2007 Trojan.Small-272
DrWeb 4.33 06.02.2007 BackDoor.Chaos
eSafe 7.0.15.0 05.31.2007 Win32.Small.mg
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 Backdoor.Small.mg
FileAdvisor 1 06.02.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 W32/Bdoor.MG!tr.bdr
F-Prot 4.3.2.48 06.01.2007 W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Secure 6.70.13030.0 06.01.2007 Backdoor.Win32.Small.mg
Ikarus T3.1.1.8 06.02.2007 Backdoor.Win32.Small.mg
Kaspersky 4.0.2.24 06.02.2007 Backdoor.Win32.Small.mg
McAfee 5044 06.01.2007 BackDoor-DJJ.svr
Microsoft 1.2503 06.02.2007 no virus found
NOD32v2 2305 06.01.2007 Win32/Small.MG
Norman 5.80.02 06.01.2007 W32/Smalldoor.FVQ
Panda 9.0.0.4 06.02.2007 Malware Generic
Prevx1 V2 06.02.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 Email-Worm.Win32.GOPworm.196
Symantec 10 06.02.2007 Backdoor.Trojan
TheHacker 6.1.6.128 05.31.2007 Backdoor/Small.mg
VBA32 3.12.0 06.01.2007 Backdoor.Win32.Small.mg
VirusBuster 4.3.23:9 06.02.2007 Backdoor.Small.DTD
Webwasher-Gateway 6.0.1 06.02.2007 Trojan.Hijack.Explor.273
We build the server with default option.
-RTelv backdoor: F1/P2
-Y3KRat: P1/P2
-KAOS Web downloader: P1/P2
-Ultimate Rat: P1/P2
-Trojan Wincabras (backdoor Servidor.f): P1/P2
-Kaotan Trojan Downloader: P1/P2
-ElfRat: P1/P2
-Backdoor Bandok.d: P1/P2
-ExploitDoor.103: P1/P2
-Backdoor Gobot.u: F1/P2
-Generic IRCBot: P1/P2
-Backdoor NetBoy.10: P1/P2
-Backdoor.delf.fv: P1/P2
-Trojan Downloader Win32.VB.ai: P1/P2
Windows firewall does its job too:
-Backdoor Penumbra/Shadow.a: P1/P2
-Backdoor Uhil.c: P1/P2
-Niwamp backdoor: P1/P2
This backdoor is interesting: it can be sent as a simple plugin to a target victim: the victim copy the dll in Winamp folder, and the attacker will get a remote command on 24501 port...
And as only a few antivirus detects it (see above), we can be sure that this backdoor was really used in the wild.
If we allow the dll (the effectiveness of HIPS is often user's knowledge dependent):
NEXT : Rootkit tests