I have received the same stuff back from Symantec before.
I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
Quote:
NAV with the latest beta definition detects this.
Ah.
That explains the html-forms and the WNetEnumCachedPasswords I found inside.
Quote:
Backdoor.Berbew is a Backdoor Trojan Horse that is downloaded from the Internet by Trojan.Download.Berbew. The Backdoor Trojan steals passwords and delivers them in the form of URL requests to the Web site of the Trojan's creator. Port numbers 7714 and 8546 may be opened for listening (the port numbers may vary).
Interesting code, it'll keep me busy for a while ;)
Think this says it all:
Quote:
Originally posted here by Tiger Shark
I have received the same stuff back from Symantec before.
I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
So I would take that to mean it is new :)
Quote:
We have created beta definitions that will detect this threat.
Dambed.. I may have to change my deodorant.... haven't received a reply..yet..
may also have a name with sophos.. this is for earlier versions..
http://www.sophos.com/virusinfo/anal...ojwebberd.html
cheers
I knew that it was a password-stealing trojan; that's why it was turning auto complete on so that it could get cached passwords.
I got it off my computer
and it was worth opening the file, I learned a lot
http://vil.nai.com/vil/content/v_100488.htm
There's a lot of information on the trojan
a little over a week later:
NAV now detects it..
AVG..???? says clean
trend micro..???? was still in the queue being analysed 2 days ago
And I noticed that NAV have listed a D version .. info here
http://securityresponse.symantec.com....berbew.d.html
Can't find jack for the c version we found....yet..
Cheers
Just for information, e-trust EZ armor detects it as:
Win32.webber.trojan
And won't let you download it
Cheers
Interesting thread!
Might be interesting to find out what kind of network traffic it sends out and receives and perhaps make a snort sig out of it... (Although I don't have time; studying for finals...)
Ammo
Yep Johnno,
this is the list of AKA's from CA..
http://www3.ca.com/threatinfo/virusi....aspx?ID=35848
So the AKA's are Berbew, webber, Heloc, Padodor ... missed any?
Quote:
Also known as: Downloader-DI (McAfee), Trojan.Downloader.Berbew (Symantec), Troj/Downloader.DI!38c6 (MessageLabs), W32/Heloc.A@m (F-Secure), W32/Heloc@mm (MessageLabs), Win32/Webber.10.Trojan , Win32/Webber.D.Dowlnoader.Trojan, Win32.Webber.E , Win32/Webber.ELoan.Downloader.Trojan, Win32/Webber.HookDLL.Variant, Win32/Webber.Trojan, TrojanProxy.Win32.Webber.10 (Kaspersky)
Cheers