Bryan Murphy writes:
> I just received an email that looks fairly legit at first glance. It states
> that a rape occurred on campus and that attached you will find an image of
> the suspect as captured from campus CCTV. The attached file (suspect
> image.exe) very well may be a virus (I'm sure as heck not going to run it to
> find out). Mail.msu.edu's clam did not pick it up nor did NAV10 with dats
> dated yesterday.
>
> I am not able to pull much useful information from the exe via the unix
> strings command or ida pro. If anyone has any more experience than I do
> with virus disassembly I would be happy to forward the idapro file.
>
> What I am able to pull from ida's hex view is some registry writing, file
> deletion, file creation and process manipulation, but no details.
>
> The contents of the email are attached below, you may want to warn your
> users on this (although I'm not sure how prevalent it is yet).
>
> Thanks.
Bryan,
This is definitely a virus. It was just recently added to ClamAV virus
definitions as Trojan.Brepibot.L, BehavesLike:Win32.IRC-Backdoor
(Bitdefender).
Looks to be a variant of this virus from November.
"A backdoor Trojan that is remotely controlled via Internet Relay Chat
(IRC). It exploits Sony BMG Digital Rights Management (DRM) software to hide
its presence."
The mail.msu.edu system is catching these now as of around 1pm. If anyone
would like to help out with updates to ClamAV, we first try the online
scanner to make sure there's nothing wrong with our version of ClamAV:
http://test-clamav.power-netz.de/
and if the online scanner doesn't detect the file/message as a virus we then
submit the sample at: http://cgi.clamav.net/sendvirus.cgi (all links from
the main www.clamav.net webpage)
You can also send possible virus samples to [log in to unmask] if you'd rather
have us look at the virus and submit it to ClamAV.
-Ed
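An added example, not from either message in this thread: a small Python triage script a mail admin could run on a suspicious message before anyone opens it. It parses the message with the standard library, flags attachments whose name carries a Windows executable extension or whose payload starts with the PE "MZ" magic, and reports the SHA-256 so the sample can be submitted to ClamAV or another vendor. The sample message is constructed to resemble the lure described above; the attachment is a harmless stub, not the actual file.

```python
"""Flag executable attachments in an e-mail and hash them for AV submission."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click (assumption: the list a site cares about).
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample() -> bytes:
    """Constructed lure modelled on the thread's message; payload is a stub, not malware."""
    msg = EmailMessage()
    msg["From"] = "security@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Suspect image from campus CCTV"
    msg.set_content("Please find attached an image of the suspect.")
    # 'MZ' magic followed by zero padding: looks like a PE header, does nothing.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="image", subtype="jpeg",
                       filename="suspect image.exe")
    return msg.as_bytes()


def triage(raw: bytes) -> list[dict]:
    """Return one record per attachment with the reasons it looks suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(EXEC_EXTS):
            reasons.append("executable extension")
        if data[:2] == b"MZ":
            reasons.append("PE/MZ magic")
        # A declared image/text type wrapping an executable is a classic mismatch.
        if reasons and part.get_content_maintype() in ("image", "text"):
            reasons.append("content-type does not match payload")
        findings.append({"name": name, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run it against a real message with `triage(open("message.eml", "rb").read())`; an empty `reasons` list means nothing in this check fired, not that the attachment is safe.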