Palm84: a diary somewhere

Hidden in the bear of the fleeting world~

Mini test

Notes from checking, on VirusTotal, e-mail attachments that Trend Micro's Virus Buster 2007 let through. The results are as of that point in time. (Note: I have not checked them with Norton. Sorry.)

AntiVir            7.3.0.26       01.20.2007  TR/Drop.Small.DBY
Authentium         4.93.8         01.20.2007  W32/Downloader.AYEN
Avast              4.7.936.0      01.18.2007  no virus found
AVG                386            01.20.2007  Downloader.Agent.ICB
BitDefender        7.2            01.20.2007  Trojan.Peed.A
CAT-QuickHeal      9.00           01.20.2007  no virus found
ClamAV             devel-20060426 01.20.2007  Trojan.Downloader-648
DrWeb              4.33           01.20.2007  BackDoor.Groan
eSafe              7.0.14.0       01.20.2007  suspicious Trojan/Worm
eTrust-InoculateIT 23.73.118      01.20.2007  no virus found
eTrust-Vet         30.3.3336      01.19.2007  no virus found
Ewido              4.0            01.19.2007  no virus found
Fortinet           2.82.0.0       01.20.2007  W32/BAI!tr.dldr
F-Prot             3.16f          01.20.2007  security risk named W32/Downloader.AYEN
F-Prot4            4.2.1.29       01.19.2007  no virus found
Ikarus             T3.1.0.27      01.09.2007  no virus found
Kaspersky          4.0.2.24       01.20.2007  Trojan-Downloader.Win32.Agent.bet
McAfee             4943           01.19.2007  no virus found
Microsoft          1.1904         01.20.2007  Win32/Nuwar.N!sys
NOD32v2            1992           01.20.2007  Win32/Fuclip.B
Norman             5.80.02        01.19.2007  no virus found
Panda              9.0.0.4        01.20.2007  Generic Trojan
Prevx1             V2             01.20.2007  Trojan.ADIRSS
Sophos             4.13.0         01.20.2007  Troj/Dorf-Fam
Sunbelt            2.2.907.0      01.12.2007  no virus found
TheHacker          6.0.3.151      01.19.2007  no virus found
UNA                1.83           01.19.2007  no virus found
VBA32              3.11.2         01.19.2007  no virus found
VirusBuster        4.3.19:9       01.20.2007  Trojan.DR.Tibs.Gen.15

Aditional Information
File size: 25332 bytes
MD5: 27b495e15f124b0b628f2ab6eeafb681
SHA1: 4228c0d2d8579bb4910dd98899703ef08f4d4c75
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2fb971751263
AntiVir            7.3.0.26       01.20.2007  TR/Drop.Small.DBY
Authentium         4.93.8         01.20.2007  W32/Downloader.AYEN
Avast              4.7.936.0      01.18.2007  no virus found
AVG                386            01.19.2007  no virus found
BitDefender        7.2            01.20.2007  no virus found
CAT-QuickHeal      9.00           01.19.2007  no virus found
ClamAV             devel-20060426 01.19.2007  no virus found
DrWeb              4.33           01.20.2007  BackDoor.Groan
eSafe              7.0.14.0       01.20.2007  suspicious Trojan/Worm
eTrust-InoculateIT 23.73.118      01.20.2007  no virus found
eTrust-Vet         30.3.3336      01.19.2007  no virus found
Ewido              4.0            01.19.2007  no virus found
Fortinet           2.82.0.0       01.19.2007  suspicious
F-Prot             3.16f          01.20.2007  security risk named W32/Downloader.AYEN
F-Prot4            4.2.1.29       01.19.2007  no virus found
Ikarus             T3.1.0.27      01.09.2007  no virus found
Kaspersky          4.0.2.24       01.20.2007  Trojan-Downloader.Win32.Agent.bet
McAfee             4943           01.19.2007  no virus found
Microsoft          1.1904         01.20.2007  no virus found
NOD32v2            1991           01.19.2007  no virus found
Norman             5.80.02        01.19.2007  no virus found
Panda              9.0.0.4        01.19.2007  Suspicious file
Prevx1             V2             01.20.2007  Trojan.ADIRSS
Sophos             4.13.0         01.19.2007  no virus found
Sunbelt            2.2.907.0      01.12.2007  no virus found
TheHacker          6.0.3.151      01.19.2007  no virus found
UNA                1.83           01.19.2007  no virus found
VBA32              3.11.2         01.19.2007  no virus found
VirusBuster        4.3.19:9       01.20.2007  Trojan.DR.Tibs.Gen.15

Aditional Information
File size: 25332 bytes
MD5: 3019e3274e37e33e90b7321c732f706e
SHA1: e91188fd2249bd301aaf63e1f8e269e762bf43df
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2fb971751263
AntiVir            7.3.0.26       01.18.2007  no virus found
Authentium         4.93.8         01.19.2007  W32/Downloader.AYDY
Avast              4.7.936.0      01.18.2007  no virus found
AVG                386            01.18.2007  no virus found
BitDefender        7.2            01.19.2007  MemScan:Trojan.Agent.AHS
CAT-QuickHeal      9.00           01.17.2007  no virus found
ClamAV             devel-20060426 01.19.2007  Trojan.Downloader-647
DrWeb              4.33           01.18.2007  no virus found
eSafe              7.0.14.0       01.19.2007  suspicious Trojan/Worm
eTrust-InoculateIT 23.73.117      01.19.2007  no virus found
eTrust-Vet         30.3.3334      01.18.2007  no virus found
Ewido              4.0            01.18.2007  no virus found
Fortinet           2.82.0.0       01.18.2007  no virus found
F-Prot             3.16f          01.19.2007  security risk named W32/Downloader.AYDY
F-Prot4            4.2.1.29       01.19.2007  W32/Downloader.AYDY
Ikarus             T3.1.0.27      01.09.2007  no virus found
Kaspersky          4.0.2.24       01.19.2007  Trojan-Downloader.Win32.Small.dam
McAfee             4942           01.18.2007  no virus found
Microsoft          1.1904         01.19.2007  no virus found
NOD32v2            1989           01.19.2007  no virus found
Norman             5.80.02        01.18.2007  W32/Tibs.gen12
Panda              9.0.0.4        01.18.2007  no virus found
Prevx1             V2             01.19.2007  no virus found
Sophos             4.13.0         01.19.2007  Troj/DwnLdr-FYD
Sunbelt            2.2.907.0      01.12.2007  no virus found
TheHacker          6.0.3.149      01.18.2007  no virus found
UNA                1.83           01.18.2007  no virus found
VBA32              3.11.2         01.18.2007  no virus found
VirusBuster        4.3.19:9       01.19.2007  Trojan.DL.Tibs.Gen!Pac13

Aditional Information
File size: 27941 bytes
MD5: 794c779e6fc2572a3bd3936dbe6ffc56
SHA1: 278c9bac3555d89aa341f9466d384e33903b4f8f

McAfee as a rule does not update on weekends, so Saturdays and Sundays need some care.

AntiVir            7.3.0.21       12.30.2006    TR/Dldr.Tibs.JZ  
Authentium         4.93.8         12.30.2006    W32/Tibs.gen4  
Avast              4.7.892.0      12.30.2006    no virus found
AVG                386            12.30.2006    Downloader.Tibs  
BitDefender        7.2            12.31.2006    Trojan.Downloader.Tibs.CT  
CAT-QuickHeal      8.00           12.30.2006    no virus found
ClamAV             devel-20060426 12.30.2006    Trojan.Downloader-390  
DrWeb              4.33           12.30.2006    Win32.Dref  
eSafe              7.0.14.0       12.30.2006    suspicious Trojan/Worm  
eTrust-InoculateIT 23.73.102      12.30.2006    no virus found
eTrust-Vet         30.3.3289      12.29.2006    Win32/Tibs!generic  
Ewido              4.0            12.30.2006    Downloader.Tibs.jy  
Fortinet           2.82.0.0       12.30.2006    W32/Tibs.JY!tr.dldr  
F-Prot             3.16f          12.30.2006    security risk named W32/Tibs.gen4  
F-Prot4            4.2.1.29       12.30.2006    W32/Tibs.gen4  
Ikarus             T3.1.0.27      12.30.2006    Trojan-Downloader.Win32.Tibs.jy  
Kaspersky          4.0.2.24       12.31.2006    Trojan-Downloader.Win32.Tibs.jy  
McAfee             4929           12.29.2006    no virus found
Microsoft          1.1904         12.30.2006    no virus found
NOD32v2            1949           12.30.2006    Win32/Nuwar.M  
Norman             5.80.02        12.29.2006    no virus found
Panda              9.0.0.4        12.30.2006    no virus found
Prevx1             V2             12.31.2006    Malicious  
Sophos             4.13.0         12.30.2006    no virus found
Sunbelt            2.2.907.0      12.18.2006    no virus found
TheHacker          6.0.3.139      12.29.2006    Trojan/Downloader.Generic  
UNA                1.83           12.29.2006    no virus found
VBA32              3.11.1         12.30.2006    no virus found
VirusBuster        4.3.19:9       12.30.2006    Trojan.DL.Tibs.Gen!Pac10  

Aditional Information
File size: 15925 bytes
MD5: 105f8eb0114283a550a995e09acd3b4b
SHA1: 1681e1323e1354e532022a16cc2c5661299a6ac1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e57566769666

I wonder why Avast's date is 12/21*1. BitDefender let this one through.

AntiVir            7.3.0.21       12.29.2006    TR/Dldr.Tibs.jy  
Authentium         4.93.8         12.29.2006    W32/Tibs.RA  
Avast              4.7.892.0      12.21.2006    no virus found
AVG                386            12.29.2006    Downloader.Generic3.EIY  
BitDefender        7.2            12.29.2006    no virus found
CAT-QuickHeal      8.00           12.29.2006    TrojanDownloader.Tibs.jy  
ClamAV             devel-20060426 12.29.2006    Trojan.Downloader-388  
DrWeb              4.33           12.29.2006    Trojan.DownLoader.17085  
eSafe              7.0.14.0       12.28.2006    suspicious Trojan/Worm  
eTrust-InoculateIT 23.73.101      12.29.2006    no virus found
eTrust-Vet         30.3.3289      12.29.2006    Win32/Luder.I  
Ewido              4.0            12.29.2006    Downloader.Tibs.jy  
Fortinet           2.82.0.0       12.29.2006    suspicious  
F-Prot             3.16f          12.29.2006    security risk named W32/Tibs.RA  
F-Prot4            4.2.1.29       12.29.2006    W32/Tibs.RA  
Ikarus             T3.1.0.27      12.29.2006    Trojan-Downloader.Win32.Tibs.jy  
Kaspersky          4.0.2.24       12.29.2006    Trojan-Downloader.Win32.Tibs.jy  
McAfee             4928           12.28.2006    no virus found
Microsoft          1.1904         12.27.2006    no virus found
NOD32v2            1945           12.29.2006    Win32/Nuwar.M  
Norman             5.80.02        12.29.2006    W32/Tibs.NJJ  
Panda              9.0.0.4        12.28.2006    no virus found
Prevx1             V2             12.29.2006    Trojan.Downloader  
Sophos             4.13.0         12.28.2006    no virus found
Sunbelt            2.2.907.0      12.18.2006    no virus found
TheHacker          6.0.3.139      12.29.2006    Trojan/Downloader.Generic  
UNA                1.83           12.28.2006    no virus found
VBA32              3.11.1         12.28.2006    no virus found
VirusBuster        4.3.19:9       12.29.2006    Trojan.Downloader!4adf

Aditional Information
File size: 15895 bytes
MD5: 575e6f5a5d894e5645f581400bc8caf7
SHA1: eacc5fc4f223aa2f4cf3024ce814f5d88ce3ad21
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=7a8466450539

Kaspersky let this one through.

AntiVir            7.3.0.21       12.24.2006    TR/Dldr.Stration.Gen  
Authentium         4.93.8         12.22.2006    W32/Warezov.gen3!W32DL  
Avast              4.7.892.0      12.21.2006    no virus found
AVG                386            12.24.2006    no virus found
BitDefender        7.2            12.25.2006    Generic.Malware.dld!!.FDC38EE1  
CAT-QuickHeal      8.00           12.23.2006    no virus found
ClamAV             devel-20060426 12.24.2006    no virus found
DrWeb              4.33           12.24.2006    DLOADER.Trojan  
eSafe              7.0.14.0       12.24.2006    no virus found
eTrust-InoculateIT 23.73.98       12.24.2006    no virus found
eTrust-Vet         30.3.3271      12.23.2006    no virus found
Ewido              4.0            12.24.2006    no virus found
Fortinet           2.82.0.0       12.24.2006    no virus found
F-Prot             3.16f          12.22.2006    W32/Warezov.gen3!W32DL  
F-Prot4            4.2.1.29       12.22.2006    W32/Warezov.gen3!W32DL  
Ikarus             T3.1.0.27      12.24.2006    no virus found
Kaspersky          4.0.2.24       12.25.2006    no virus found
McAfee             4925           12.22.2006    no virus found
Microsoft          1.1904         12.24.2006    no virus found
NOD32v2            1937           12.24.2006    no virus found
Norman             5.80.02        12.22.2006    W32/Downloader  
Panda              9.0.0.4        12.24.2006    Suspicious file  
Prevx1             V2             12.25.2006    no virus found
Sophos             4.12.0         12.24.2006    no virus found
Sunbelt            2.2.907.0      12.18.2006    no virus found
TheHacker          6.0.3.136      12.24.2006    no virus found
UNA                1.83           12.22.2006    no virus found
VBA32              3.11.1         12.25.2006    suspected of Win32.Trojan.Downloader   (http://...)
VirusBuster        4.3.19:9       12.23.2006    no virus found

Aditional Information
File size: 1401 bytes
MD5: 8e87e3a0a92210a5aecbc8aec70a79f3
SHA1: a08fd3506dae5ae8df4b903ef5ab3595814283bd
norman sandbox: [ General information ]
*1172220447* ***IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
*1172220448* File length: 3588 bytes.

[ Changes to filesystem ]
*1172220449* Creates file C:\WINDOWS\module.exe.

[ Network services ]
*1172220450* Opens URL: http://<omitted>/chr/893/nt.exe.

[ Security issues ]
*1172220451* Starting downloaded file - potential security problem.
  • Checked: 1/3 12:00
  • File name: svch.exe
  • TSPY_MARAN.D - Overview - was already covered
  • Norton did not cover it yet

Not from e-mail: this is a check of that thing from the fake nifty site mentioned before. Only the engines that detected it are listed.

AntiVir     7.3.0.21  01.02.2007  TR/PSW.Maran.BY
Avast       4.7.892.0 12.30.2006  Win32:Maran
AVG         386       01.02.2007  PSW.Generic2.XAQ
BitDefender 7.2       01.03.2007  Trojan.Spy.Maran.BY
DrWeb       4.33      01.03.2007  Trojan.PWS.Maran
Ewido       4.0       01.02.2007  Trojan.Maran.by
Ikarus      T3.1.0.27 01.02.2007  Trojan-PSW.Win32.Lmir.AOE
Kaspersky   4.0.2.24  01.03.2007  Trojan-PSW.Win32.Maran.by
McAfee      4930      01.02.2007  Generic PWS.b
NOD32v2     1953      01.02.2007  probably a variant of Win32/PSW.Maran
Sophos      4.13.0    01.02.2007  Troj/Maran-Gen
VBA32       3.11.1    01.01.2007  Trojan-PSW.Win32.Maran.by

Checking the HTML file (VBScript)

AntiVir     7.3.0.21 01.02.2007  VBS/Dldr.Small.AY
BitDefender 7.2      01.03.2007  Exploit.ADODB.Stream.AZ
Ewido       4.0      01.02.2007  Downloader.Agent.m
McAfee      4930     01.02.2007  VBS/Psyme
UNA         1.83     12.29.2006  Exploit.JS.ADODB.Stream
VBA32       3.11.1   01.01.2007  Exploit.JS.ADODB.Stream.e#102

The CLSID was "BD96C556-65A3-11D0-983A-00C04FC29E36", so I suppose this is MS06-014?

*1: Surely there can't have been no update for a whole week?