Bagle and KAV

  • Thread starter Thread starter null
  • Start date Start date
N

null

Received my first Bagle this morning and was surprised that KAVDOS32
alerted on the password protected zip as:

INFO.ZIP /refssyqv.exe suspicion: PSW-Worm

After unzipping, it alerted on the exe file as:

REFSSYQV.EXE infected: I-Worm.Bagle.g

F-Prot alerts on the exe file as W32/Bagle.H@mm
McAfee alerts on the exe file as W32/Bagle.h@mm

Looks like, contrary to the rule that av scanners can't handle
password protected zips at all, KAV "finds enough" to take a heuristic
stab at it and guess that the archived exe "within" the zip file is
some kind of password stealing worm.


Art
http://www.epix.net/~artnpeg
 
I believe PWS means Password Stealer and PSW is Password Protected.

Dave



| Received my first Bagle this morning and was surprised that KAVDOS32
| alerted on the password protected zip as:
|
| INFO.ZIP /refssyqv.exe suspicion: PSW-Worm
|
| After unzipping, it alerted on the exe file as:
|
| REFSSYQV.EXE infected: I-Worm.Bagle.g
|
| F-Prot alerts on the exe file as W32/Bagle.H@mm
| McAfee alerts on the exe file as W32/Bagle.h@mm
|
| Looks like, contrary to the rule that av scanners can't handle
| password protected zips at all, KAV "finds enough" to take a heuristic
| stab at it and guess that the archived exe "within" the zip file is
| some kind of password stealing worm.
|
|
| Art
| http://www.epix.net/~artnpeg
 
Try making yourself a passworded zip with Calc.exe and the password
[non-trivial] in the body of an email to send yourself, and see what K does
with that.
Click to expand...

I don't intend to do their testing work for them. Instead, I think
I'll send KAV a copy of the zip since that would be more productive.


Art
http://www.epix.net/~artnpeg
 
Try making yourself a passworded zip with Calc.exe and the password
[non-trivial] in the body of an email to send yourself, and see what K does
with that.
Click to expand...

I don't intend to do their testing work for them. Instead, I think
I'll send KAV a copy of the zip since that would be more productive.


Art
http://www.epix.net/~artnpeg
Click to expand...

You aren't at all interested in how well this new overhyped technology works
on your AV?
And what's KAV going to do with another Bagel.X, anyway?

- Jack
 
You aren't at all interested in how well this new overhyped technology works
on your AV?
Click to expand...

Overhyped? Looks to me like it just needs improvement. I can see value
in it for typical users.
And what's KAV going to do with another Bagel.X, anyway?
Click to expand...

I really couldn't care less for my own personal use. I just delete
unsolicited attackments unless I notice something new or different
that I want to scan and look into out of curiosity. I sometimes try to
help out my favorite av vendors (and the internet) by sending them
samples.


Art
http://www.epix.net/~artnpeg
 
What makes you think that it works at all with KAVDOS32?
Click to expand...

When I scanned the zip using KAVDOS32 I got a heuristic alert, as you
can see by my original post. I could see that the scanner had unzipped
and was working with the exe file "inside".

Then I was made aware of the KAV web page announcing the new
technology with a description of how it is done ... using the message
portion of the email to find the password. I submitted the zip with
the password to KAV, and Eugene himself responded (claimed he just
happened to be one of the 6 virus analysts that received my email :))

When the password isn't known, KAV will still flag suspicious exe
files in zips, according to Eugene.

As you can see by my result though, it doesn't necessarily produce the
same alert message.


Art
http://www.epix.net/~artnpeg
 
When I scanned the zip using KAVDOS32 I got a heuristic alert,
Click to expand...

which should have been your first clue that it wasn't doing what is
described in that press release...
as you
can see by my original post. I could see that the scanner had unzipped
and was working with the exe file "inside".
Click to expand...

from your original post it should be clear that if kavdos32 had really
unzipped the file and scanned the exe within it it would have found
bagle, rather than giving a heuristic alert...

the fact that it gave some other warning suggests to me that it was
instead getting a file listing (which you can do without the password)
and putting 2 and 2 together to form it's 'suspicion'...
 
which should have been your first clue that it wasn't doing what is
described in that press release...
Click to expand...

Didn't see the press release until later, as I said.
from your original post it should be clear that if kavdos32 had really
unzipped the file and scanned the exe within it it would have found
bagle, rather than giving a heuristic alert...
Click to expand...

You're right. I was deceived by what I saw on the screen. And I was
confused. That's why I submitted and asked for an explanation.
the fact that it gave some other warning suggests to me that it was
instead getting a file listing (which you can do without the password)
and putting 2 and 2 together to form it's 'suspicion'...
Click to expand...

A file listing? In what form? Exactly how much info (code) can be
extracted in order to do a "decent" heuristic or "reasonable guess"?
It seems that it determined enough to guess at a password stealing
worm. That strikes me as quite a feat.


Art
http://www.epix.net/~artnpeg
 
which should have been your first clue that it wasn't doing what is
described in that press release...
Click to expand...

Didn't see the press release until later, as I said.[/QUOTE]

your first clue when you were coming to the conclusion that kavdos32
was doing what was described in the press release...

[snip]
A file listing? In what form?
Click to expand...

a list of files in the archive...
Exactly how much info (code) can be
extracted in order to do a "decent" heuristic or "reasonable guess"?
It seems that it determined enough to guess at a password stealing
worm. That strikes me as quite a feat.
Click to expand...

files in a password protected zip file are, essentially, encrypted...
their internals cannot be seen, but other information about them is
stored in unencrypted form, such as the filename, the original file
size, etc...

a password protected archive coupled with an executable filename that
looks randomly generated would certainly cause me to be suspicious (the
random filename alone would do it, actually), perhaps that's the same
criteria kavdos32 used...
 
a list of files in the archive...


files in a password protected zip file are, essentially, encrypted...
their internals cannot be seen, but other information about them is
stored in unencrypted form, such as the filename, the original file
size, etc...

a password protected archive coupled with an executable filename that
looks randomly generated would certainly cause me to be suspicious (the
random filename alone would do it, actually), perhaps that's the same
criteria kavdos32 used...
Click to expand...

What if some new malware meeting that criteria isn't a password
stealing worm? Is that a misidentification? :) I wonder why KAV
bothers to guess so specifically.


Art
http://www.epix.net/~artnpeg
 
[snip]
files in a password protected zip file are, essentially, encrypted...
their internals cannot be seen, but other information about them is
stored in unencrypted form, such as the filename, the original file
size, etc...

a password protected archive coupled with an executable filename that
looks randomly generated would certainly cause me to be suspicious (the
random filename alone would do it, actually), perhaps that's the same
criteria kavdos32 used...
Click to expand...


What if some new malware meeting that criteria isn't a password
stealing worm?
Click to expand...

is bagle a password stealing worm? not that i can see... seems that
criterion has already been met...
Is that a misidentification?
Click to expand...

hard to say... heuristics don't technically 'identify' anything so i
wouldn't call it a misidentification... and since it would be malware
it wouldn't even technically be a heuristic false alarm - though it
would be a misleading/confusing alarm...
:) I wonder why KAV
bothers to guess so specifically.
Click to expand...

only eugene knows why (or even if) it works that way...

on the one hand, i can see how being open about how your heuristic
alarms work (like tbav did) would be nice (for some of us)... but on
the other hand, i can see that it doesn't really gain anyone any
security and in fact gives malware makers ideas about how to avoid
heuristic detection...

i think it's probably for the best that the inner details of kav's
heuristics remain a black box...
 
What if some new malware meeting that criteria isn't a password
stealing worm? Is that a misidentification? :) I wonder why KAV
bothers to guess so specifically.


Art
http://www.epix.net/~artnpeg
Click to expand...
Actually,

In recent updates by Kaspersky (today) they have released a password
scanning module which searches the body of the mail and tries numerous
combinations of the text found in the body to unzip the archive and scan
the contents. This is already available using their update facility.

Regards, Ian.
 
a password protected archive coupled with an executable filename that
looks randomly generated would certainly cause me to be suspicious (the
random filename alone would do it, actually), perhaps that's the same
criteria kavdos32 used...
Click to expand...

Nope. I just tried it and it doesn't work. I renamed Notepad.exe. I
used the same random name and the same password. KAV just says it's a
password protected zip.


Art
http://www.epix.net/~artnpeg
 
~Art~ said in said:
Received my first Bagle this morning and was surprised that
KAVDOS32 alerted on the password protected zip as:

INFO.ZIP /refssyqv.exe suspicion: PSW-Worm

After unzipping, it alerted on the exe file as:

REFSSYQV.EXE infected: I-Worm.Bagle.g

F-Prot alerts on the exe file as W32/Bagle.H@mm
McAfee alerts on the exe file as W32/Bagle.h@mm
Click to expand...

On Thursday (4th of March) I updated all my virus scanners - AVG Free
Edition, F-prot DOS and KAVDOS - before I checked email. My ISP scans
all email for viruses (they use F-Secure Anti-virus), but one slipped
through. It had an attachment called "TextDocument.zip".
AVG saw nothing wrong with it.
F-prot DOS said: "TextDocument.zip->fycpqxv.scr Not scanned
(encrypted)".
KAVDOS declared it as "I-Worm.Bagle".
I didn't scan the zip-file itself, but the "raw" msg-file in Hamster. I
practise safe hex, you see :-)
MyDoom was the first virus I got via email and this I-Worm.Bagle is the
second, so this is all new to me, though I've had a computer and
Internet connection > 5 years. It just makes me think of those virus
writers and their decapitated heads in a nice, neat row.

Art, once again, thank you for those updaters! They make life so much
easier.
 
Art, once again, thank you for those updaters! They make life so much
easier.
Click to expand...

You're welcome. I dunno how much longer the DOS scanners will be
effective. Seems the vendors are letting them just die a slow death as
the Win 9x series fades away into the twilight zone :) But I'm hanging
in there myself since I'm perfectly happy with my current Win ME PC.


Art
http://www.epix.net/~artnpeg
 
Back
Top