To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In general (not directed at anyone in particular), some suggestions when submitting files to VirusTotal and posting the results:

1. Do not change the original file name prior to submitting. There is no advantage to doing this, and it will only lead to confusion and hinder pattern and trend analysis, at least initially.

2. When posting the VT results, post the ENTIRE results page (all sections), not just the section that reports which AV companies detect and do not detect. This includes the one-sentence summary at the top of the page, "STATUS: FINISHED Complete scanning result of "sex-cum-4free.pif", received in VirusTotal at 04.19.2006, 21:51:42 (CET).", as well as the section at the bottom that includes the file size, MD5 & SHA1 hashes (newly added feature at VT). This way if someone else is experiencing something similar, referencing the information you posted might help them with their analysis. Many people troll this list and including the ENTIRE results page is very helpful.

3. There's really no compelling need to click the "Do not distribute to antivirus companies" button. Chances are that if you're submitting to VT anyway, your desire or hope is that it is detected, or will be in the near future. If your desire is for AV companies to not detect your sample, you're probably not going to send it to VT anyway. And don't worry, you're not going to get in trouble for submitting a virus to VT. AV companies are not going to track you down for submitting to VT.

- -Cyrus

- - Original Message -
From: [EMAIL PROTECTED]
To: [email protected]
Sent: April 19, 2006 5:24:16 PM
Subject: [botnets] Rbot with .pif extension

I was recently offered a bot with a .pif extension while trolling IRC recently. The name on this one is "sex-cum-4free.pif" but I saw others with .pif as well.

VirusTotal scans it as (it's packaged fairly well):

AntiVir             6.34.0.24       04.19.2006  Worm/Rbot.284672
Avast               4.6.695.0       04.18.2006  no virus found
AVG                 386             04.19.2006  IRC/BackDoor.SdBot2.AFJ
Avira               6.34.0.56       04.19.2006  Worm/Rbot.284672
BitDefender         7.2             04.20.2006  no virus found
ClamAV              devel-20060202  04.19.2006  no virus found
DrWeb               4.33            04.19.2006  no virus found
eTrust-InoculateIT  23.71.134       04.19.2006  no virus found
eTrust-Vet          12.4.2167       04.19.2006  no virus found
Ewido               3.5             04.19.2006  no virus found
Fortinet            2.71.0.0        04.20.2006  no virus found
F-Prot              3.16c           04.19.2006  no virus found
Ikarus              n               -           no virus found
Kaspersky           4.0.2.24        04.20.2006  no virus found
McAfee              4744            04.19.2006  no virus found
NOD32v2             1.1497          04.19.2006  no virus found
Norman              5.90.15         04.19.2006  no virus found
Panda               9.0.0.4         04.19.2006  no virus found
Sophos              4.04.0          04.19.2006  no virus found
Symantec            8.0             04.20.2006  no virus found
TheHacker           5.9.7.131       04.19.2006  no virus found
UNA                 1.83            04.18.2006  no virus found
VBA32               3.10.5          04.19.2006  no virus found

Norman Sandbox is down at the moment, I'll run it through there when it comes back up and post results.

thanks,
bf

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkRHjcgACgkQUZmP8t5Ad2N8XwCfc8SmtM+zaKEkkOcAOOgvsfLzoTkA
oLJ4ewurFB8vr51l5lVIZ+tmX798
=Tk1t
-----END PGP SIGNATURE-----
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
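
Suggestion 2 in the message above asks for the whole results page, including the file size and the MD5 and SHA1 hashes. As an added example (not part of the original messages), this Python sketch builds that identity block for a sample and turns pasted result rows into a detection summary. The function names and the sample bytes are assumptions; the rows are a subset of the scan quoted in the thread.

```python
import hashlib
import re

# Rows copied from the scan result quoted in this thread (subset).
ROWS = """\
AntiVir 6.34.0.24 04.19.2006 Worm/Rbot.284672
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.19.2006 IRC/BackDoor.SdBot2.AFJ
Avira 6.34.0.56 04.19.2006 Worm/Rbot.284672
Ikarus n - no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
"""

# engine, version, signature date (or "-" when the page shows none), verdict
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4}|-)\s+(.+)$")

def parse_rows(text):
    """Return (parsed rows, unparsed lines); odd lines are reported, not dropped."""
    rows, bad = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ROW_RE.match(line)
        if m:
            rows.append(dict(zip(("engine", "version", "date", "verdict"), m.groups())))
        else:
            bad.append(line)
    return rows, bad

def file_identity(name, data):
    """Original file name, size, and the two hashes the results page lists."""
    return {"name": name, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def summarize(rows):
    """Detection ratio plus each verdict name with the engines reporting it."""
    hits = {}
    for r in rows:
        if r["verdict"].lower() != "no virus found":
            hits.setdefault(r["verdict"], []).append(r["engine"])
    detected = sum(len(v) for v in hits.values())
    return {"detected": detected, "total": len(rows), "names": hits}

if __name__ == "__main__":
    rows, bad = parse_rows(ROWS)
    print(file_identity("sample.bin", b"constructed sample bytes"))  # constructed input
    print(summarize(rows), bad)
```

Posting the identity block together with the summary lets other readers match their own sample by hash even when the engines disagree on the family name.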
