[Community-sigs] Community-sigs Digest, Vol 11, Issue 9
David Sicks
franklin_6 at msn.com
Tue Mar 24 12:54:00 EDT 2015
Question #1.
I have repeatedly received a popup message that states my version of ClamWin is out
of date and should be upgraded by downloading a new version via a 7.zip file.
I was advised by a systems expert friend not to download / open the file, as nobody,
much less Clam, upgrades AV software with zip files.
I recently disinfected my PC (or so I thought) with ClamWin, but if so, and if the
7zip clamwin is a malware imposter, why did ClamWin not find and quarantine the
imposter?
Question #2.
ClamWin found, and I submitted to Clam, three false positives. I then received a
reply notice from Clam requesting that I verify my submission. I did not respond
within three days and apparently my three false-positive submissions lapsed. Now
I cannot find out if my false positives were, in fact, false positives and, until
now, I have not been able to contact someone at Clam with questions.
Can I now find out the status of my three false positives ... and if so, how?
> From: community-sigs-request at lists.clamav.net
> Subject: Community-sigs Digest, Vol 11, Issue 9
> To: community-sigs at lists.clamav.net
> Date: Tue, 24 Mar 2015 12:00:01 -0400
>
> Send Community-sigs mailing list submissions to
> community-sigs at lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> or, via email, send a message with subject or body 'help' to
> community-sigs-request at lists.clamav.net
>
> You can reach the person managing the list at
> community-sigs-owner at lists.clamav.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Community-sigs digest..."
>
>
> Today's Topics:
>
> 1. linux backdoors trapped by kippo (Janos Cservenak)
> 2. router backdoor/ddos (Janos Cservenak)
> 3. linux backdoor program (Janos Cservenak)
> 4. linux backdoor program received (Janos Cservenak)
> 5. Windows trojan / Win32/Emotet.AD (Janos Cservenak)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 24 Mar 2015 11:36:14 +0100
> From: Janos Cservenak <hawk at hwk.hu>
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] linux backdoors trapped by kippo
> Message-ID: <55113E1E.6070106 at hwk.hu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Filename: npc
> Architecture: x86
> Detected actions:
> - it copies itself as /usr/bin/acpid
> - starts running many copies of itself (as npc and as acpid too)
> - connecting to remote server: 182.92.26.210 / port 12027
> inetnum: 182.92.0.0 - 182.92.255.255
> netname: ALISOFT
> descr: Aliyun Computing Co., LTD
> country: CN
>
> External virus scanners knowledge:
> https://www.virustotal.com/en/file/4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea/analysis/1427192727/
>
> Signatures:
> md5: 0c2fced6cd1b58dc85669dae1736a19e:1135000:Linux.Backdoor.I
> sha1: 775a3e0e4c5e0b53c7adf2e81ab13b0994338e0a:1135000:Linux.Backdoor.I
> sha256: 4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea:1135000:Linux.Backdoor.I
>
> ------------------------
>
> Filename: npc1
> Architecture: x86
> Detected actions:
> - it copies itself as /usr/bin/acpid
> - starts running many copies of itself (as npc and as acpid too)
> - connecting to remote server: 182.92.26.210 / port 12027
> inetnum: 182.92.0.0 - 182.92.255.255
> netname: ALISOFT
> descr: Aliyun Computing Co., LTD
> country: CN
>
> External virus scanners knowledge:
> https://www.virustotal.com/en/file/d17f05e997d869f7e632b88f2d93bb4a1a3519cc4dad8cf319d0e7ac19aecba4/analysis/1427192846/
>
> Signatures:
> md5: 0837d98901aa7ccf84d416d9ffdfe402:1521642:Backdoor.Linux.Gates.B
> sha1: 7de0e5037c53c9e44f61c90e24bfeeaa324e55ba:1521642:Backdoor.Linux.Gates.B
> sha256: d17f05e997d869f7e632b88f2d93bb4a1a3519cc4dad8cf319d0e7ac19aecba4:1521642:Backdoor.Linux.Gates.B
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 24 Mar 2015 11:47:04 +0100
> From: Janos Cservenak <hawk at hwk.hu>
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] router backdoor/ddos
> Message-ID: <551140A8.1030408 at hwk.hu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Filename: 20150320152114_http___103_42_13_253_DDos
> Architecture: MIPS
> Detected actions: I was not able to run
>
> External virus scanner results:
> https://www.virustotal.com/en/file/31d51cca6a90a0fdf0da4d88350ad42765a2c5de49df4380078447947333b0f0/analysis/1427191922/
>
> md5: f3edeb1604a955f6f733b2bba2389918:763528:Backdoor.Linux.Agent.N
> sha1: 7b29213df6ca97ecf50b7450ef95d239c0b101ad:763528:20150320152114_http___103_42_13_253_DDos
> sha256: 31d51cca6a90a0fdf0da4d88350ad42765a2c5de49df4380078447947333b0f0:763528:Backdoor.Linux.Agent.N
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 24 Mar 2015 12:27:34 +0100
> From: Janos Cservenak <hawk at hwk.hu>
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] linux backdoor program
> Message-ID: <55114A26.3090905 at hwk.hu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Filename: amra8
> Architecture: x86
> Detected actions:
> - copies itself as /usr/bin/.sEhd
> - starts running many copies of itself (as amra8 and as .sEhd too)
> - connecting to 222.186.56.69 port 36000
> inetnum: 222.186.0.0 - 222.191.255.255
> netname: CHINANET-JS
> descr: China Telecom
> country: CN
>
> External virus scanner results:
> https://www.virustotal.com/en/file/3f06e4c6cd8126d47485d62647230dfdf1ddbbe438ed9149223103ccd1f7f797/analysis/1427196228/
>
> Signatures:
> md5: 68ef39590112a1764dc7a8746441cd46:73063:Backdoor.Linux.Gates.B
> sha1: aa23fdf6d1280deef19c851d337b93de7be06b1a:73063:Backdoor.Linux.Gates.B
> sha256: 3f06e4c6cd8126d47485d62647230dfdf1ddbbe438ed9149223103ccd1f7f797:73063:Backdoor.Linux.Gates.B
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 24 Mar 2015 12:48:54 +0100
> From: Janos Cservenak <hawk at hwk.hu>
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] linux backdoor program received
> Message-ID: <55114F26.5060901 at hwk.hu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Filename: Systee32
> Original source: http://222.186.56.69:9987/Systee32
> Architecture: x86
> Detected actions:
> - copies itself as freeBSD in the same directory,
> starts running like this "/tmp/freeBSD /tmp/freeBSD 1",
> and after that deletes itself
> - copies itself as Systee32a in the same directory
> and starts itself like this "/tmp/Systee32a /tmp/Systee32"
> - after 10 minutes of running, no network traffic detected
>
> External virus scanner results:
> https://www.virustotal.com/en/file/479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246/analysis/1427194212/
>
> Signatures:
> md5: 440a60df19dcc800ce00f36de5397801:1128808:Linux.Trojan.Agent.5TAP9C
> sha1: 91bc3fa241bf4ca3d01267eb58b8c0dd40d45f7a:1128808:Linux.Trojan.Agent.5TAP9C
> sha256: 479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246:1128808:Linux.Trojan.Agent.5TAP9C
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 24 Mar 2015 15:09:28 +0100
> From: Janos Cservenak <hawk at hwk.hu>
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] Windows trojan / Win32/Emotet.AD
> Message-ID: <55117018.9070101 at hwk.hu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Original source: http://petiteboutique.nl/Q21qOTtBJN
> Filename: DHL_Sendungsverfolgung_DE_0024000035548028.zip
> Architecture: x86
> Operating system: windows
>
> External virus scanner results:
> https://www.virustotal.com/en/file/886e45ae10145908077829d0a76ffaaef7ce88fc07216c3a3b82cd98966b3331/analysis/
>
> Signatures:
> md5: 2fcd24fa2039d83a0326c2f36196abc4:169859:Win32/Emotet.AD
> sha1: 3f5221ec06659df9ed4234bcfa6ed27cc089249b:169859:Win32/Emotet.AD
> sha256: 886e45ae10145908077829d0a76ffaaef7ce88fc07216c3a3b82cd98966b3331:169859:Win32/Emotet.AD
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
> ------------------------------
>
> End of Community-sigs Digest, Vol 11, Issue 9
> *********************************************
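The hash lines in the submissions above follow ClamAV's HashString:FileSize:MalwareName layout (.hdb for MD5, .hsb for SHA1/SHA256). The following is an added example, not code from the list or from the ClamAV project: it builds such a line from a sample's bytes and checks a submitted line for the kind of slip visible in the digest (a stray space after the size field). The dotted malware-name convention it enforces is an assumption of this example, and the sample bytes are constructed.

```python
import hashlib
import re

# Layout of a ClamAV hash signature line (.hdb for MD5, .hsb for SHA1/SHA256):
#   HashString:FileSize:MalwareName
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed naming convention for this check: dotted, no whitespace or slashes.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def make_signature(data: bytes, name: str, algo: str = "md5") -> str:
    """Build one hash-signature line from a sample's bytes and the chosen name."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def check_signature(line: str) -> list[str]:
    """Return the problems found in one signature line (empty list = well formed)."""
    problems = []
    parts = line.rstrip("\n").split(":")
    if len(parts) != 3:
        return [f"expected 3 colon-separated fields, got {len(parts)}"]
    digest, size, name = parts
    if not re.fullmatch(r"[0-9a-fA-F]+", digest) or len(digest) not in HASH_LENGTHS:
        problems.append("hash is not a 32/40/64-char hex string")
    elif digest != digest.lower():
        problems.append("hash should be lowercase hex")
    if size != "*" and not size.isdigit():
        problems.append("file size must be a decimal integer or '*'")
    if name != name.strip():
        problems.append("whitespace around malware name")
    elif not NAME_RE.match(name):
        problems.append("malware name does not follow the assumed dotted convention")
    return problems


def audit(lines: list[str]) -> dict[str, list[str]]:
    """Map every malformed line to its problems; well-formed lines are omitted."""
    report = {}
    for line in lines:
        problems = check_signature(line)
        if problems:
            report[line] = problems
    return report


if __name__ == "__main__":
    # Constructed input: three lines for the bytes b"abc" plus one line shaped
    # like the slip in the digest (a space between the size and the name).
    lines = [make_signature(b"abc", "Test.Sample.Constructed", a) for a in HASH_LENGTHS.values()]
    lines.append("2fcd24fa2039d83a0326c2f36196abc4:169859: Win32/Emotet.AD")
    for line, problems in audit(lines).items():
        print(line, "->", "; ".join(problems))
```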