Hi Kurt,


already shows an analysis of the suspicious filetype dll file.
Executable files exist in lib/locale.so, plugins/ ssavers/ and
of course in the ndn Linux executable itself. Clamscan Linux
only finds the dll suspicious, though.

Results: Antivir 1226, Avast Krile-5880, ClamAV DOS.PS-MPC.Gen1,
Fortinet suspicious, Webwasher 1226, received 2007.06.10 ...

I requested a re-analysis and now VirusTotal says:

a-squared Virus.Krile.5880!IK, AhnLab-V3 Win-Trojan/Xema.variant,
AntiVir 1226, Avast Krile-5880, ClamAV DOS.Benediction,
GData Krile-5880, Ikarus Virus.Krile.5880, Artemis!2dff4f88a041,
McAfee-GW Virus.1226, Panda suspicious, Sophos Mal/Generic-A.

This still means that many well-known scanners have nothing
to complain about the file - Prevx, Symantec, Trendmicro,
Kaspersky, DrWeb, BitDefender, AVG... to mention a few.

name     viradd   virsiz   rawdsiz  ntrpy  md5
CODE32   0x1000   0x152c0  0x15400  6.23   0f8a49f974e93c4d91e050f9c697210e
CONST32  0x17000  0x21274  0xde00   6.18   f8f86c23fa95d8cb9fcd2d2dfe55a17f
.idata   0x39000  0x14     0x200    0.00   bf619eac0cdf3f68d496ea9344137e8b
.edata   0x3a000  0xc4     0x200    2.26   84eeb05e282546c09bef340e22a339b5
.reloc   0x3b000  0x1790   0x1800   6.77   54dedf3f810cd3a6b7e5c69eff9cdb3c

This leaves a kind of mixed feeling, so I looked inside the file:
NDN filetype detection plugin 1.0, 2001 based on GetTyp 1998 by
Philip Helger / PHaX ... it finds a number of un-unpackable exe
packers, so it probably also looks as if it is un-unpackable
itself to antivirus which do not look closely?

Some URLs:
Xema - but then more scanners would see it as Xema.

Krile - would be 5880 bytes and from 1997, overwrites first
5880 bytes of victim, puts original in encrypted form at end
McAfee would detect it, but it says only 1226...

The 1226 virus would steal information but is from 1990,
which means it would be unlikely to even know internet?
It would be polymorphic as well and would block some pages,
which again makes no sense for such an old virus... As the
name says, 1226 would be 1226 bytes in size.

Maybe the NDN people can change the file to make sure
nobody thinks it would be a virus. While they are at
it, they can check it for viruses themselves, too...
They probably should reduce the number of "protector"
and "hackish packer" detections, if you ask me.


> I have again downloaded: ndn_2_31_3836_bin_lnx.tgz; I got it from:
> http://ndn.muxe.com , which was furnished to me by rugxulo...

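Added example, not part of the original message or of any scanner's code: a Python sketch that recomputes the columns of the section table quoted above (name, viradd, virsiz, rawdsiz, ntrpy, md5) from a PE file's section headers, so the figures can be checked locally. It assumes ntrpy is the Shannon entropy of each section's raw data; the function names and the two-section sample image are constructed for illustration.

```python
import hashlib, math, struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    n = len(data)
    return float(sum(c / n * math.log2(n / c) for c in Counter(data).values()))

def pe_sections(image: bytes):
    """Return (name, viradd, virsiz, rawdsiz, ntrpy, md5) for each PE section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", image, pe_off + 6)    # NumberOfSections
    (optsz,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + optsz                              # first section header
    rows = []
    for i in range(nsec):
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsiz]
        if len(raw) != rawsiz:
            raise ValueError("section data runs past end of file")
        rows.append((name.rstrip(b"\0").decode("latin-1"), viradd, virsiz,
                     rawsiz, round(entropy(raw), 2), hashlib.md5(raw).hexdigest()))
    return rows

def build_sample() -> bytes:
    """Constructed two-section image; only the fields read above are filled in."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
    def hdr(name, viradd, virsiz, rawsiz, rawptr):
        return struct.pack("<8sIIII", name, virsiz, viradd, rawsiz, rawptr) + b"\0" * 16
    head = dos + coff + hdr(b"CODE32", 0x1000, 0x200, 0x200, 0x200) \
                      + hdr(b".idata", 0x2000, 0x14, 0x200, 0x400)
    # Section 1: every byte value twice (maximum entropy); section 2: zero padding.
    return head.ljust(0x200, b"\0") + bytes(range(256)) * 2 + b"\0" * 0x200

if __name__ == "__main__":
    print("name     viradd   virsiz   rawdsiz  ntrpy  md5")
    for name, va, vs, rs, h, md5 in pe_sections(build_sample()):
        print(f"{name:<8} {va:<#8x} {vs:<#8x} {rs:<#8x} {h:<6.2f} {md5}")
```

To run it on a real file, pass the file's bytes to `pe_sections` instead of `build_sample()`.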