
Thread: ** Ok What could this Be? **

  1. #31
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have received the same stuff back from Symantec before.

    NAV with the latest beta definition detects this.
    I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #32
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ah.
    Backdoor.Berbew is a Backdoor Trojan Horse that is downloaded from the Internet by Trojan.Download.Berbew. The Backdoor Trojan steals passwords and delivers them in the form of URL requests to the Web site of the Trojan's creator. Port numbers 7714 and 8546 may be opened for listening (the port numbers may vary).
    That explains the HTML forms and the WNetEnumCachedPasswords I found inside.
    Interesting code, it'll keep me busy for a while.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
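As an added example (not code from the thread or from any of the posters), here is a small static-triage pass in Python that looks for the two indicators the post above mentions, the WNetEnumCachedPasswords import and embedded HTML form markup, in a file's raw bytes. The suspicious sample and the benign control are constructed for the demo, no real sample is embedded, and the scoring rule is an assumption rather than anything a vendor publishes.

```python
import re

# Indicator from the post above: the Win32 API used to read cached passwords.
API_WATCHLIST = [b"WNetEnumCachedPasswords"]

# Embedded HTML form markup; a password-type input is the stronger signal.
FORM_RE = re.compile(rb"<form\b[^>]*>", re.IGNORECASE)
PASSWORD_INPUT_RE = re.compile(rb"<input\b[^>]*type\s*=\s*[\x22\x27]?password", re.IGNORECASE)

# Constructed stand-in for a suspicious binary: a PE-like header, an import
# name and a phishing-style form. Not a real sample.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"mpr.dll\x00WNetEnumCachedPasswords\x00"
    + b'<FORM action="http://example.invalid/collect" method="POST">'
    + b'<input type="password" name="pw"></FORM>'
)

# Constructed benign control: ordinary imports, no form markup.
BENIGN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"kernel32.dll\x00CreateFileA\x00"


def triage(data: bytes) -> dict:
    """Return the indicators found in `data` and a simple verdict."""
    apis = [name.decode() for name in API_WATCHLIST if name in data]
    forms = len(FORM_RE.findall(data))
    password_inputs = len(PASSWORD_INPUT_RE.findall(data))
    # Scoring rule (assumption): a credential API together with form markup
    # is enough to pull the file aside for a closer look; either alone is
    # only worth a note, since plenty of legitimate software has one or the other.
    suspicious = bool(apis) and (forms > 0 or password_inputs > 0)
    return {
        "apis": apis,
        "forms": forms,
        "password_inputs": password_inputs,
        "suspicious": suspicious,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for a quarantined file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(blob))
```

This only narrows down which files deserve a proper look; a packed or encoded binary will hide both strings, so it complements vendor detection rather than replacing it.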

  3. #33
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by Tiger Shark
    I have received the same stuff back from Symantec before.

    I take this to mean that this is a new threat.... Or do Symantec expect people to be using the beta definitions all the time?????
    Think this says it all:

    We have created beta definitions that will detect this threat.
    So I would take that to mean it is new.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #34
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Damned.. I may have to change my deodorant.... haven't received a reply..yet..

    may also have a name with sophos.. this is for earlier versions..

    http://www.sophos.com/virusinfo/anal...ojwebberd.html


    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #35
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    I knew that it was a password-stealing trojan; that's why it was turning auto-complete on, so that it could get cached passwords.

    I got it off my computer.

    And it was worth opening the file; I learned a lot.

  6. #36
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    http://vil.nai.com/vil/content/v_100488.htm

    There's a lot of information on the trojan.

  7. #37
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    A little over a week later:

    NAV now detects it..
    AVG..???? says clean
    Trend Micro..???? was still in the queue being analysed 2 days ago

    And I noticed that NAV have listed a D version .. info here

    http://securityresponse.symantec.com....berbew.d.html

    Can't find jack for the c version we found....yet..

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #38
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Just for information, e-trust EZ armor detects it as:

    Win32.webber.trojan

    And won't let you download it

    Cheers

  9. #39
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Interesting thread!

    Might be interesting to find out what kind of network traffic it sends out and receives and perhaps make a Snort sig out of it... (Although I don't have time; studying for finals...)

    Ammo
    Credit travels up, blame travels down -- The Boss
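As an added example (not from the thread or from any poster), here is the host-side half of what Ammo suggests, in Python: parse netstat-style output and flag listening sockets that either match the ports quoted from the Symantec description earlier in the thread (7714 and 8546, which that description says may vary) or are not in a baseline of expected listeners. The netstat lines and the baseline set are constructed for the demo.

```python
# Ports quoted in the thread from Symantec's Berbew description; the
# write-up notes they may vary, so the baseline comparison below matters more.
KNOWN_BAD_PORTS = {7714, 8546}

# Assumption: the TCP ports this particular host is expected to listen on.
BASELINE_LISTENERS = {135, 139, 445}

# Constructed `netstat -an`-style output for the demo (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7714           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8546           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_listeners(text: str) -> list:
    """Return (local_address, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # Header, UDP and non-listening rows are skipped.
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def classify(listeners, baseline=BASELINE_LISTENERS, bad=KNOWN_BAD_PORTS) -> list:
    """Flag each listener that is a known Berbew port or absent from the baseline."""
    findings = []
    for addr, port in listeners:
        if port in bad:
            findings.append((addr, port, "matches Berbew port from vendor write-up"))
        elif port not in baseline:
            findings.append((addr, port, "not in host baseline"))
    return findings


if __name__ == "__main__":
    for addr, port, reason in classify(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{addr}:{port}  {reason}")
```

The baseline check is what catches a variant that picks different ports; for the network-side Snort rule Ammo has in mind, keying on the outbound URL requests the Symantec description mentions would be more durable than a port-only rule for the same reason.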

  10. #40
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Yep Johnno,

    This is the list of AKAs from CA..

    http://www3.ca.com/threatinfo/virusi....aspx?ID=35848

    Also known as: Downloader-DI (McAfee), Trojan.Downloader.Berbew (Symantec), Troj/Downloader.DI!38c6 (MessageLabs), W32/Heloc.A@m (F-Secure), W32/Heloc@mm (MessageLabs), Win32/Webber.10.Trojan , Win32/Webber.D.Dowlnoader.Trojan, Win32.Webber.E , Win32/Webber.ELoan.Downloader.Trojan, Win32/Webber.HookDLL.Variant, Win32/Webber.Trojan, TrojanProxy.Win32.Webber.10 (Kaspersky)
    So the AKAs are Berbew, Webber, Heloc, Padodor... missed any?

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
