-
April 15th, 2004, 02:46 PM
#31
I have received the same stuff back from Symantec before.
NAV with the latest beta definition detects this.
I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 15th, 2004, 02:50 PM
#32
Ah.
Backdoor.Berbew is a Backdoor Trojan Horse that is downloaded from the Internet by Trojan.Download.Berbew. The Backdoor Trojan steals passwords and delivers them in the form of URL requests to the Web site of the Trojan's creator. Port numbers 7714 and 8546 may be opened for listening (the port numbers may vary).
That explains the html-forms and the WNetEnumCachedPasswords I found inside.
Interesting code, it'll keep me busy for a while
Oliver's Law:
Experience is something you don't get until just after you need it.
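An added example, not part of the original thread or of any vendor's tooling: a triage check for the listening ports named in the description quoted in post #32 (7714 and 8546), run over Windows `netstat -ano` output. The sample output, PIDs and function names are constructed for illustration. Because the description says the port numbers may vary, a clean result does not rule the trojan out.

```python
import re

# Ports named in the vendor description quoted above; it notes they may vary.
BERBEW_PORTS = {7714, 8546}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7714           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:8546           0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.20:1067      192.168.1.1:80         ESTABLISHED     1432
  TCP    192.168.1.20:7714      192.168.1.5:3021       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Only TCP rows in LISTENING state: local address, local port, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def suspicious_listeners(netstat_text, ports=BERBEW_PORTS):
    """Return (local_addr, port, pid) for each TCP listener on a watched port."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) in ports:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return hits


def pids_to_investigate(netstat_text, ports=BERBEW_PORTS):
    """Unique PIDs owning a watched listener, for follow-up in the process list."""
    return sorted({pid for _, _, pid in suspicious_listeners(netstat_text, ports)})


if __name__ == "__main__":
    for addr, port, pid in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"listener on {addr}:{port} owned by PID {pid}")
    print("PIDs to investigate:", pids_to_investigate(SAMPLE_NETSTAT))
```
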
-
April 15th, 2004, 02:54 PM
#33
Originally posted here by Tiger Shark
I have received the same stuff back from Symantec before.
I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
Think this says it all:
We have created beta definitions that will detect this threat.
So I would take that to mean it is new
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
April 15th, 2004, 03:03 PM
#34
Dambed.. I may have to change my deodorant.... haven't received a reply..yet..
may also have a name with sophos.. this is for earlier versions..
http://www.sophos.com/virusinfo/anal...ojwebberd.html
cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
April 15th, 2004, 03:21 PM
#35
Senior Member
I knew that it was a password stealing trojan, that's why it was turning auto complete on so that it could get cached passwords
I got it off my computer
and it was worth opening the file I learned a lot
-
April 15th, 2004, 03:37 PM
#36
Senior Member
-
April 24th, 2004, 09:18 AM
#37
a little over a week later:
NAV now detects it..
AVG..???? says clean
trend micro..???? was still in the queue being analysed 2 days ago
And I noticed that NAV have listed a D version .. info here
http://securityresponse.symantec.com....berbew.d.html
Can't find jack for the c version we found....yet..
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
April 25th, 2004, 08:35 AM
#38
Just for information, e-trust EZ armor detects it as:
Win32.webber.trojan
And won't let you download it
Cheers
-
April 25th, 2004, 03:23 PM
#39
Interesting thread!
Might be interesting to find out what kind of network traffic it sends out and receives and perhaps make a snort sig out of it... (Although I don't have time; studying for finals...)
Ammo
Credit travels up, blame travels down -- The Boss
-
April 26th, 2004, 12:07 AM
#40
Yep Johnno,
this is the list of AKA's from CA..
http://www3.ca.com/threatinfo/virusi....aspx?ID=35848
Also known as: Downloader-DI (McAfee), Trojan.Downloader.Berbew (Symantec), Troj/Downloader.DI!38c6 (MessageLabs), W32/Heloc.A@m (F-Secure), W32/Heloc@mm (MessageLabs), Win32/Webber.10.Trojan , Win32/Webber.D.Dowlnoader.Trojan, Win32.Webber.E , Win32/Webber.ELoan.Downloader.Trojan, Win32/Webber.HookDLL.Variant, Win32/Webber.Trojan, TrojanProxy.Win32.Webber.10 (Kaspersky)
So the AKA's are Berbew, webber, Heloc, Padodor ............................................. missed any?
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr