Archive for August, 2007

What game? Trojan.Downloader-13141

I am always suspicious when I see an oversell for an attachment;

… Play this game in your attachment, 100% satisfaction!


A scan with VirusScan 8.5.0i shows nothing. Running DAT 5106 … this is the latest on our mirror, McAfee has DAT 5108! Once again our DAT mirror lets us down :( Skipping our mirror and updating from NAI gives the same detection as shown below.

Still suspicious, I move along to ClamAV portable v0.91.2 and … Gotcha!

Scan Started Thu Aug 30 10:22:08 2007
-------------------------------------------------------------------------------
C:\%path%\game.zip: Trojan.Downloader-13141 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 149596
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Skipped non-executable files: 0
Infected files: 1

Data scanned: 0.02 MB
Time: 4.547 sec (0 m 4 s)
--------------------------------------
Completed
--------------------------------------

Kaspersky online scan picks it up as Trojan-Downloader.Win32.Agent.cnh

Fortinet detects an infection but doesn’t identify it.

CA (VET) finds Win32/Cutwail!generic

And virustotal.com for a shotgun approach:

File game.zip received on 08.30.2007 03:02:00 (CET)
Result: 19/32 (59.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.29.0 2007.08.29 -
AntiVir 7.4.1.66 2007.08.29 Worm/Ntech.G
Authentium 4.93.8 2007.08.29 W32/Downldr2.AOUA
Avast 4.7.1029.0 2007.08.29 Win32:Agent-KKK
AVG 7.5.0.484 2007.08.29 Downloader.Generic6.ZE
BitDefender 7.2 2007.08.30 Trojan.Kobcka.C
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91.2 2007.08.29 Trojan.Downloader-13141
DrWeb 4.33 2007.08.30 BackDoor.Bulknet.60
eSafe 7.0.15.0 2007.08.29 -
eTrust-Vet 31.1.5095 2007.08.30 Win32/Cutwail!generic
Ewido 4.0 2007.08.29 -
FileAdvisor 1 2007.08.30 -
Fortinet 3.11.0.0 2007.08.29 W32/Agent.CEO!tr.dldr
F-Prot 4.3.2.48 2007.08.29 W32/Downldr2.AOUA
F-Secure 6.70.13030.0 2007.08.30 Trojan-Downloader.Win32.Agent.cnh
Ikarus T3.1.1.12 2007.08.30 Win32.Outbreak
Kaspersky 4.0.2.24 2007.08.30 Trojan-Downloader.Win32.Agent.cnh
McAfee 5108 2007.08.29 Spy-Agent.bv.dldr
Microsoft 1.2803 2007.08.30 -
NOD32v2 2491 2007.08.30 a variant of Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.29 -
Panda 9.0.0.4 2007.08.29 -
Prevx1 V2 2007.08.30 -
Rising 19.38.22.00 2007.08.29 -
Sophos 4.21.0 2007.08.29 Troj/Agent-GBX
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.30 Trojan.Pandex
TheHacker 6.1.9.175 2007.08.29 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.29 Trojan.DL.Agent.Gen.8
Webwasher-Gateway 6.0.1 2007.08.29 Worm.Ntech.G

Additional information
File size: 19535 bytes
MD5: ae40360f22fe752249725ae43857e7ce
SHA1: 1623939307fa72120ee08ef647a32aa0ee40a0c1
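As an added example (not part of the original post), a small parser for the 2007-format VirusTotal table quoted above: the signature date is the only safe column anchor, since results such as NOD32's "a variant of …" contain spaces. The embedded report is a constructed subset of the rows above; the ratio helper reproduces the "19/32 (59.38%)" form VirusTotal printed.

```python
import re

# Constructed sample: a subset of the VirusTotal report quoted in the post
# (vendor, engine version, signature date, result; "-" means no detection).
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.8.29.0 2007.08.29 -
AntiVir 7.4.1.66 2007.08.29 Worm/Ntech.G
ClamAV 0.91.2 2007.08.29 Trojan.Downloader-13141
eTrust-Vet 31.1.5095 2007.08.30 Win32/Cutwail!generic
Kaspersky 4.0.2.24 2007.08.30 Trojan-Downloader.Win32.Agent.cnh
McAfee 5108 2007.08.29 Spy-Agent.bv.dldr
Microsoft 1.2803 2007.08.30 -
NOD32v2 2491 2007.08.30 a variant of Win32/TrojanDownloader.Agent.BRK
Sophos 4.21.0 2007.08.29 Troj/Agent-GBX
Symantec 10 2007.08.30 Trojan.Pandex
"""

# Vendor and version never contain spaces; the YYYY.MM.DD date anchors the
# split so that a multi-word result survives intact. The header never matches.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_report(text):
    """Return one dict per scanner row; 'result' is None when the scanner missed."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        vendor, version, updated, result = m.groups()
        result = result.strip()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def ratio_string(detected, total):
    """Same 'hits/total (pct%)' form VirusTotal printed, e.g. 19 of 32 -> 59.38%."""
    return f"{detected}/{total} ({100 * detected / total:.2f}%)"


def summarize(rows):
    """Detection ratio, who missed, and how many different names the hits were given."""
    hits = [r for r in rows if r["result"]]
    return {
        "ratio": ratio_string(len(hits), len(rows)),
        "missed": [r["vendor"] for r in rows if not r["result"]],
        "distinct_names": len({r["result"] for r in hits}),
    }
```

The distinct-name count is the "shotgun" effect made visible: every vendor that detected the sample called it something different, so the hashes, not the names, are what to pivot on.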

[1] Trojan-Downloader:W32/Agent.CMK poorly detected [CastleCops]
[2] Pros and Cons of Free Online Virus Scanners [Productivity Portfolio]

VirusScan 5.2.00 AV Engine Update

Back on the 24th July 2007 I initially touched on the McAfee 5.2.00 AV Scan Engine update;

5.2.00 AV ENGINE UPDATE

McAfee will release the 5.2.00 AV Scan Engine for elective download on August 1, 2007. At this time, you will be able to download 5.2.00 Engine packages for manual installation. This includes Engine-only packages that can be used with ePO, Engine-only SuperDAT packages, and Command Line Scanners.

The McAfee AutoUpdate sites will be updated to the 5.2.00 Engine on September 5, 2007. If you do not wish to receive this update, please reconfigure your update procedures accordingly before September 5, 2007. The daily SuperDATs and downloadable daily ePO updates will also contain the 5.2.00 Engine from this date forward. [McAfee Document ID: 613441]

The manual install process is basically downloading 5200eng.exe and executing the file. The install creates SuperDAT.log which gives an overview of the changes;

Extracting Zip file from stub file, C:\SRC\McAfee\5200 Engine\5200eng.exe.
Performing self validation ...
Retrieving file, NAISCRIP.NSC from zip file.
Loading and parsing script file : C:\DOCUME~1\user\LOCALS~1\Temp\10E8\NAISCRIP.NSC
Retrieving file, Globals.nsg from zip file.
Loading and parsing globals file : Globals.nsg
Searching for all Installed anti-virus products.
Pre-notifying for 5.2.00 update.
Retrieving file, MCSCAN32.DLL from zip file.
Installing Anti-Virus files...
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\MCSCAN32.DLL
File C:\Program Files\Common Files\McAfee\Engine\MCSCAN32.DLL NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, CONFIG.DAT from zip file.
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\CONFIG.DAT
File C:\Program Files\Common Files\McAfee\Engine\CONFIG.DAT NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, SIGNLIC.TXT from zip file.
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\SIGNLIC.TXT
File C:\Program Files\Common Files\McAfee\Engine\SIGNLIC.TXT NOT REPLACED.
File is in use and will be replaced after system reboot.
Installing Anti-Virus files...
Retrieving file, SCAN.EXE from zip file.
File C:\Program Files\Common Files\McAfee\Engine\SCAN.EXE NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, MCTOOL.EXE from zip file.
File C:\Program Files\Common Files\McAfee\Engine\MCTOOL.EXE NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, LICENSE.DAT from zip file.
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\LICENSE.DAT
File C:\Program Files\Common Files\McAfee\Engine\LICENSE.DAT NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, MESSAGES.DAT from zip file.
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\MESSAGES.DAT
File C:\Program Files\Common Files\McAfee\Engine\MESSAGES.DAT NOT REPLACED.
File is in use and will be replaced after system reboot.
Installing Anti-Virus files...
Retrieving file, SDATPACK.LST from zip file.
File C:\Program Files\McAfee\VirusScan Enterprise\SDATPACK.LST NOT REPLACED.
File is in use and will be replaced after system reboot.
Post-notifying for 5.2.00 update.
Sending update success notification for version 5200.
Deleting...C:\DOCUME~1\user\LOCALS~1\Temp\NAIA3.tmp
Deleting...C:\DOCUME~1\user\LOCALS~1\Temp\10E8
Update process completed successfully.
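The log above says "completed successfully" while every engine file is still marked NOT REPLACED, so the old engine keeps running until the reboot. As an added example (not from the post or from McAfee), a parser for that SuperDAT.log layout that reports the deferred files, whether a rollback copy was written for each, and the real state of the update; the embedded log is a constructed excerpt using the post's own paths.

```python
import re

# Constructed excerpt of the SuperDAT.log quoted in the post; paths are the post's own.
SUPERDAT_LOG = r"""
Pre-notifying for 5.2.00 update.
Backing up file into C:\Program Files\Common Files\McAfee\Engine\OldEngine\MCSCAN32.DLL
File C:\Program Files\Common Files\McAfee\Engine\MCSCAN32.DLL NOT REPLACED.
File is in use and will be replaced after system reboot.
Retrieving file, SCAN.EXE from zip file.
File C:\Program Files\Common Files\McAfee\Engine\SCAN.EXE NOT REPLACED.
File is in use and will be replaced after system reboot.
Sending update success notification for version 5200.
Update process completed successfully.
"""

NOT_REPLACED_RE = re.compile(r"^File (.+) NOT REPLACED\.$")
BACKUP_RE = re.compile(r"^Backing up file into (.+)$")
VERSION_RE = re.compile(r"^Sending update success notification for version (\d+)\.$")


def basename(win_path):
    # Last component of a Windows path; os.path.basename would not split on '\' on a POSIX host.
    return win_path.rsplit("\\", 1)[-1]


def parse_superdat_log(text):
    """What the installer reported, what it deferred to reboot, and what it backed up."""
    report = {"version": None, "completed": False, "pending_reboot": [], "backed_up": []}
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_REPLACED_RE.match(line):
            report["pending_reboot"].append(m.group(1))
        elif m := BACKUP_RE.match(line):
            report["backed_up"].append(basename(m.group(1)))
        elif m := VERSION_RE.match(line):
            report["version"] = m.group(1)
        elif line == "Update process completed successfully.":
            report["completed"] = True
    return report


def update_state(report):
    """'Completed successfully' means staged, not active, while files are still in use."""
    if not report["completed"]:
        return "failed"
    return "pending-reboot" if report["pending_reboot"] else "active"


def pending_without_backup(report):
    """Deferred files with no OldEngine copy, i.e. nothing to roll back to for them."""
    return [p for p in report["pending_reboot"] if basename(p) not in report["backed_up"]]
```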

[1] Anti-Virus Scan Engine 5.2.00 Release information [McAfee]
[2] Manually upgrading the Anti-Virus Scanning Engine in VirusScan Enterprise 8.0i [McAfee]
[3] Download Engine Updates [McAfee]

scanemal.dll could not be found

VirusScan had been updated from v8.0 to v8.5. The next day the user had the following error when launching Outlook;

‘The add-in “C:\Program Files\Network Associates\VirusScan\scanemal.dll” could not be installed or loaded. This problem may be resolved by using Detect and Repair in the Help menu.’ error message when starting Outlook

PROBLEM:
This problem is caused by Outlook still calling the VirusScan v8.0 plugin after v8.0 has been replaced with v8.5, which uses a new path and filename.

The v8.0 plugin is listed in the Add-In Manager as “Exchange Scan”

The v8.5 plugin is listed in the Add-In Manager as “Outlook Scan”

FIX:
1. In Outlook, click Options on the Tools menu.
2. Click the Other tab, click Advanced Options, and then click Add-In Manager.
3. Click to clear the Exchange Scan check box, click OK, and then click OK.
4. Click OK.

REFERENCE:

[1] You receive the “The add-in C:\Program Files\McAfee\McAfeeVirusScan\scanemal.dll could not be found” error message when you start Outlook [MS KB 315046]
[2] Scanemal dll error when opening Outlook (scanemal cannot be installed / loaded / found or is missing) [McAfee KB45646]

Eclipse of the Moon – August 2007

Australians will have the prime viewing position for the total lunar eclipse set to appear on Tuesday evening, August 28. According to the National Science Week website, this is the best chance to witness a total lunar eclipse in Australia since 2000, and the best until 2011. — ABC [1]

For tonight in Melbourne;

6:51 Begins
7:52 Well covered
8:37 Full Eclipse
9:22 Well covered
10:24 Ending
11:21 Finished

Mooncam 1 James Cook University, Townsville (ABC)
Mooncam 2 Sydney (ABC)

Almost there (James Cook University, Townsville)

We had too much cloud at 7:00pm and the Moon was popping in and out of sight until about 8:30pm. By 9:00pm the sky had cleared and we had a great view, even managed a few photos.

Pink Moon (Melbourne, Australia)
Eltham_Mob Flickr Pool : Eclipse of the Moon – August 2007

[1] Total lunar eclipse 2007 [ABC: Backyard]
[2] Eclipse of the moon, August 2007 [ABC: Science]
[3] Don’t Miss Tonight’s Lunar Eclipse [WIRED]

2007-Aug-26 Hurstbridge Wattle Festival

K class steam locomotive

K class steam locomotive

Have a look at the Wattle Festival 2007 Photo set on Flickr

[1] 2007 Hurstbridge Wattle Festival

Learning 2.0 – 23 Things – Week #5

Week 5: Play Week
# Play around with an online image generator.
# Take a look at LibraryThing and catalog some of your favorite books.
# Roll your own search tool with Rollyo.

On-line image generators
i.) Sign Generator Widgets & Image Generators
ii.) fd’s Flickr Toys
iii.) Sign Generator Collection

soon

Library Thing
Rather than Library Thing, I use Anobii, which is a similar type of site.
You can view the Visible Procrastinations bookshelf

While investigating this section, I stumbled across Library 2.0 in 15 minutes a day [Library Instruction Wiki] which seems to be a good overview. I like their …stop reinventing the wheel… tag line.

Roll Your Own Search Engine
tbc

[1] Learning 2.0 – The Things [Learning 2.0]

This week’s links: 2007-08-27

Drink Large
Send-up of the Melbourne University Dream Large ad campaign for Prosh Week 2007 by Pent Up at Band Camp
Drink Large, not to be confused with Dream large

Quote an authority … ?
Remember, always point to a reputable source :)

World University Rankings
Largely based on its research performance, the University of Adelaide has received a higher ranking in the 2007 Academic Ranking of World Universities released by the Institute of Higher Education, Shanghai Jiao Tong University. The University is now ranked in the top 151-202 universities worldwide compared to the top 201-300 last year. It is also in the top 19-24 in the Asia Pacific (in the top 25-40 last year), and equal sixth among Australian universities (in the top 7-9 last year).

DVC&VP(A) Newsletter 04/2007 (August) [University of Adelaide]

Best Practices for Skype Users

This will be an ever-changing post documenting best practices for using Skype in our environment;

# Before installing Skype you should have the authorization of the system and network managers who allocate resources to you. The University Policy states that you must “seek permission to use Skype on the University Network by applying in writing to the Vice-Principal (Information) and any relevant Local Authority”

# Your machine should have bandwidth management measures in place. In most cases this will require measures to prevent Skype acting as a “super-node”. Currently we have a solution for Windows users, and are working on a solution for Macintosh users.

# Skype performs on a wide variety of network connections, but the best performance is obtained on high-bandwidth networks. Do not expect good performance from Skype on a dial-in connection or other low-bandwidth networks.

# Voice quality can be significantly improved by using a headset.

# Voice quality can be significantly improved by a good microphone.

# A common recommendation is to only start Skype for pre-arranged calls and to shut it down when it is not being used. Shutting Skype down helps to prevent your system from being promoted to a super-node and consuming resources on behalf of others. If you are expecting an incoming call, coordinate it through other means.

# Skype passwords should not be the same as your University, Faculty or other important (e.g. banking) passwords. Use a different password and change it regularly, especially if you have Skype credits associated with your account.

# Skype has regular updates of bug fixes, security patches and new features – keep your version up to date and patched.

# As a user of Skype you will be required to set up a profile for entry into the directory. The profile information is organized into information that all Skype users will see, information that only your contacts will see, and private information. Be aware of how much information you can expose about yourself … play it safe.

Some people are very private, whilst others take to the limelight like ducks to water. Skype keeps both kinds happy as our privacy levels allow users to either keep a low profile, or meet new people in the vast Skype network. [Skype]

# File Transfer – not a good idea; disable this feature.

[1] Skype on the University Network (PDF) [Unimelb]
[2] Security – Observations re: Skype [University of Waterloo]
[3] Safe Computing: Skype [University of Minnesota]
[4] Guide for Network Administrators (PDF) (2005) [Skype]

Learning 2.0 – 23 Things – Week #4

Now I know that the last post on this topic was back on the 24th April, but I have actually managed to get back to the topic … eventually.

Week 4: RSS & Newsreaders
# Learn about RSS feeds and setup your own Bloglines newsreader account.
# Locate a few useful library related blogs and/or news feeds.

RSS – Really Simple Syndication
You’ve heard of RSS? You’ve seen those small funny tags on websites? You’ve heard co-workers and acquaintances swear by it, but still have no idea what RSS is? Well don’t worry, according to a recent survey you’re still in the majority, but this is changing rapidly. — (2006-Aug-08) #8 Make life “really simple” with RSS & a newsreader

I guess I am way outside the original demographic for this investigation, having moved beyond merely exploring RSS; by the time the task was originally posted I had already moved on to writing PHP RSS readers and manually coding the XML of RSS feeds *chuckle*

How do I use RSS? For my RSS reader I tend to use two distinct features in my Firefox browser.

1.) I have a Live Bookmarks feed folder “RSS-FEEDS” in my Bookmarks toolbar folder. This is divided up into News, IT Security and General IT feeds. The advantage of this approach is that I also use a Bookmark synchronizer so within a few seconds I can have this environment on any machine I am using … and keep my portable devices sync’ed as well.

2.) I also use the SAGE Firefox Add-on as a more dedicated RSS reader.

3.) iTunes for Podcasts

4.) If you have a server with PHP, this earlier post is also worth a look: PHP RSS feed reader.

Feed me, Seymour!
– Audrey II (Little Shop of Horrors)

OTR, Pulp, RPG and miniatures

I have been sick for a fair bit of this week so I thought that I’d catch up on listening to some OTR which I haven’t done for a while. I was listening to Philip Marlowe, Paul Temple, and a few others. Now I don’t think you should be allowed access to the ‘net and Google while you’re on the medication because all of a sudden I was thinking about the whole Pulp genre.

The Big Sleep

