A small experiment with mwcollect
Just for fun, I installed mwcollect on the machine that serves as my router and do-everything server. Its external IP address comes from the IP pool for Telekom DSL resale connections and changes every 24 hours. The results are not really surprising, though.
I started mwcollectd on 22 December at 22:00. So far (31.12.2005, 16:30) the log file is a mere 5,528K. Over a span of [b]9[/b] days, 2885 distinct IPs (not necessarily that many distinct machines) tried to drop their malware on me. This yielded 34 different binaries (worms, bots, etc.) and 1089 shellcodes (323 of them distinct), which I now have on my hard disk for analysis.
If the machine were an unpatched Windows box, the malware and its routines would probably already be stepping on each other's toes, a kind of "survival of the fittest".
[geshi lang=bash]router ~ # grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /var/log/mwcollectd.log|sort -u|wc -l
2885
router ~ # ls /var/lib/mwcollect/data/binaries/|wc -l
34
router ~ # ls /var/lib/mwcollect/data/shellcodes/|wc -l
1089
router ~ # md5sum /var/lib/mwcollect/data/shellcodes/*|cut -d " " -f 1|sort -u|wc -l
323[/geshi]
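The one-liners above count every dotted quad in the log as an attacker and every byte-identical shellcode dump as one sample. The following added example (not code from the post or from mwcollect) does the same two counts in Python over a constructed log excerpt, but anchors address extraction to the field that actually holds the peer address and validates each candidate with `ipaddress`, so that version strings such as `2.1.5.34` and impossible octets such as `999.1.2.3` no longer inflate the count. The log line format and the shellcode bytes are constructed for the example; mwcollectd's real log format may differ.

```python
"""Honeypot log statistics: unique attacking sources and distinct shellcode dumps.

Added example, not code from the post or from mwcollect. The log lines and
shellcode bytes below are constructed; mwcollectd's real log format may differ.
"""
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed log excerpt. Only the "from <ip>" field carries a source address;
# the other dotted quads are an engine version string and a download URL.
SAMPLE_LOG = """\
[22.12.2005 22:13:14] Connection from 10.11.12.13:1234 to port 445
[22.12.2005 22:13:15] Shellcode from 10.11.12.13 (engine version 2.1.5.34)
[22.12.2005 22:14:26] Connection from 192.0.2.7:4321 to port 135
[22.12.2005 22:14:27] Download request from 10.11.12.13 for tftp://999.1.2.3/x.exe
[23.12.2005 02:46:40] Connection from 198.51.100.9:2000 to port 139
[23.12.2005 03:00:00] Connection from 256.1.1.1:80 to port 445
"""

# The pattern the post greps for: any four dot-separated 1-3 digit groups.
NAIVE_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Anchored to the (constructed) field that actually holds the peer address.
SOURCE_FIELD = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def naive_unique_quads(log_text):
    """What `grep -oE ... | sort -u` counts: every dotted quad, address or not."""
    return sorted(set(NAIVE_QUAD.findall(log_text)))


def source_attempts(log_text):
    """Attempts per source, keeping only syntactically valid IPv4 addresses
    taken from the source field (so 2.1.5.34 and 999.1.2.3 are not counted)."""
    counts = Counter()
    for match in SOURCE_FIELD.finditer(log_text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # an octet above 255, e.g. 256.1.1.1
        counts[str(addr)] += 1
    return counts


# Constructed byte strings standing in for dumped shellcode files; two are identical.
SAMPLE_SHELLCODES = [b"dump-A", b"dump-A", b"dump-B"]


def distinct_by_md5(blobs):
    """Same idea as `md5sum ... | cut | sort -u`: collapse byte-identical dumps.
    MD5 is used here only as a content identity key, not as a security control."""
    return {hashlib.md5(blob).hexdigest(): blob for blob in blobs}


if __name__ == "__main__":
    print("naive dotted quads:", len(naive_unique_quads(SAMPLE_LOG)))
    attempts = source_attempts(SAMPLE_LOG)
    print("validated sources:", len(attempts), dict(attempts))
    print("shellcode dumps:", len(SAMPLE_SHELLCODES),
          "distinct:", len(distinct_by_md5(SAMPLE_SHELLCODES)))
```

On the constructed excerpt the naive grep counts six "addresses" while only three real peers appear; on a 5 MB log the gap between the two numbers is worth knowing before quoting a figure.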
I then ran 3 virus scanners (AntiVir / Linux, F-Prot and ClamAV), each with current signatures, over the downloaded binaries. Unfortunately ClamAV did not do particularly well. AntiVir detected 27, F-Prot 28 and ClamAV 19 of the 34 samples. F-Prot took the longest at 1:27 minutes to scan the files. Combining several virus scanners is therefore strongly advisable: none of the 3 programs I used detected all of the samples.
mwcollectd will keep running here for a while. I'm curious what other riffraff will "drop in".
Overview of the virus scanners
AntiVir:
[geshi lang=bash]router ~ # antivir /var/lib/mwcollect/data/binaries/
AntiVir / Linux Version 2.1.5-34 +gui
Copyright (c) 1994-2005 by H+BEDV Datentechnik GmbH.
All rights reserved.

VDF version: 6.33.0.88 created 31 Dec 2005

For private, non-commercial use only.
AntiVir license: XXXXXX for PersonalEdition Classic

auto excluding /sys/ from scans (is a special fs)
auto excluding /proc from scans (is a special fs)
checking drive/path (list):
/var/lib/mwcollect/data/binaries/

/var/lib/mwcollect/data/binaries/886f1b650cecfd4621581d687dd56205
    Date: 22.12.2005  Time: 22:13:14  Size: 215972
ALERT: [Worm/Rbot.215972 worm] /var/lib/mwcollect/data/binaries/886f1b650cecfd4621581d687dd56205 <<< Contains signature of the worm Worm/Rbot.215972
/var/lib/mwcollect/data/binaries/3799434f10827ae73deb41faf72ba6ae
    Date: 22.12.2005  Time: 22:14:26  Size: 89600
ALERT: [Worm/SDBot.212992.8 worm] /var/lib/mwcollect/data/binaries/3799434f10827ae73deb41faf72ba6ae <<< Contains signature of the worm Worm/SDBot.212992.8
/var/lib/mwcollect/data/binaries/27764a5d1e10bfac548f46bb5bad8187
    Date: 23.12.2005  Time: 02:46:40  Size: 73728
ALERT: [Trojan/Pakes.A.274 trojan] /var/lib/mwcollect/data/binaries/27764a5d1e10bfac548f46bb5bad8187 <<< Is the Trojan horse Trojan/Pakes.A.274
/var/lib/mwcollect/data/binaries/36883c9c30142256d966fd4417b28c67
    Date: 23.12.2005  Time: 10:17:58  Size: 19456
ALERT: [Worm/CodBot.19456 worm] /var/lib/mwcollect/data/binaries/36883c9c30142256d966fd4417b28c67 <<< Contains signature of the worm Worm/CodBot.19456
/var/lib/mwcollect/data/binaries/41805c3fe378b19ebc93aa0f0339dfa0
    Date: 23.12.2005  Time: 10:20:51  Size: 205312
ALERT: [Worm/SdBot.205312.2 worm] /var/lib/mwcollect/data/binaries/41805c3fe378b19ebc93aa0f0339dfa0 <<< Contains signature of the worm Worm/SdBot.205312.2
/var/lib/mwcollect/data/binaries/9ef4a49f003e950d8e4162ba1d13c476
    Date: 23.12.2005  Time: 11:05:46  Size: 247038
ALERT: [W32/Parite virus] /var/lib/mwcollect/data/binaries/9ef4a49f003e950d8e4162ba1d13c476 <<< Contains code of the Windows virus W32/Parite
/var/lib/mwcollect/data/binaries/178ef9541ea8a4ac2a52bacfcaeb2816
    Date: 23.12.2005  Time: 11:30:20  Size: 95762
ALERT: [Worm/RBot.95762 worm] /var/lib/mwcollect/data/binaries/178ef9541ea8a4ac2a52bacfcaeb2816 <<< Contains signature of the worm Worm/RBot.95762
/var/lib/mwcollect/data/binaries/ccba19642771eec3c7d67e4c461e335b
    Date: 23.12.2005  Time: 12:19:48  Size: 78801
ALERT: [Worm/Rbot.78801 worm] /var/lib/mwcollect/data/binaries/ccba19642771eec3c7d67e4c461e335b <<< Contains signature of the worm Worm/Rbot.78801
/var/lib/mwcollect/data/binaries/7660f9342071051b5663d242cce8bcd4
    Date: 23.12.2005  Time: 14:55:41  Size: 23040
ALERT: [Backdoor-Server/CodBot.AT backdoor] /var/lib/mwcollect/data/binaries/7660f9342071051b5663d242cce8bcd4 <<< Contains a signature of the (dangerous) backdoor program Backdoor-Server/CodBot.AT Backdoor server programs
/var/lib/mwcollect/data/binaries/c34b5ec44017814cb4b9718855267984
    Date: 23.12.2005  Time: 17:57:39  Size: 19968
ALERT: [Worm/Codbot.AP worm] /var/lib/mwcollect/data/binaries/c34b5ec44017814cb4b9718855267984 <<< Contains signature of the worm Worm/Codbot.AP
/var/lib/mwcollect/data/binaries/f1838cb025f428307fc16a9c9fc7e5f8
    Date: 23.12.2005  Time: 18:03:59  Size: 69120
ALERT: [Worm/SdBot.JG.1 worm] /var/lib/mwcollect/data/binaries/f1838cb025f428307fc16a9c9fc7e5f8 <<< Contains signature of the worm Worm/SdBot.JG.1
/var/lib/mwcollect/data/binaries/cb9e7a140d7e8a6b9db3298ba94c985a
    Date: 23.12.2005  Time: 20:22:44  Size: 236158
ALERT: [Worm/RBot.236158 worm] /var/lib/mwcollect/data/binaries/cb9e7a140d7e8a6b9db3298ba94c985a <<< Contains signature of the worm Worm/RBot.236158
/var/lib/mwcollect/data/binaries/0c01728b7ecdd68dbf03e17cfec4db95
    Date: 23.12.2005  Time: 22:29:42  Size: 20480
ALERT: [Worm/Cobot.20480 worm] /var/lib/mwcollect/data/binaries/0c01728b7ecdd68dbf03e17cfec4db95 <<< Contains signature of the worm Worm/Cobot.20480
/var/lib/mwcollect/data/binaries/8f31a5bac11a46610194e29a7ab669e6
    Date: 24.12.2005  Time: 05:11:54  Size: 174080
ALERT: [Worm/Rbot.174080.2 worm] /var/lib/mwcollect/data/binaries/8f31a5bac11a46610194e29a7ab669e6 <<< Contains signature of the worm Worm/Rbot.174080.2
/var/lib/mwcollect/data/binaries/b68e656d8281c44c1c04f3a1c8ad3cf4
    Date: 24.12.2005  Time: 06:33:53  Size: 78808
ALERT: [Worm/Rbot.78808 worm] /var/lib/mwcollect/data/binaries/b68e656d8281c44c1c04f3a1c8ad3cf4 <<< Contains signature of the worm Worm/Rbot.78808
/var/lib/mwcollect/data/binaries/01dc76ae0dd80a5a17ab44263e78dd3e
    Date: 24.12.2005  Time: 09:32:38  Size: 212992
ALERT: [Worm/SdBot.212992.7 worm] /var/lib/mwcollect/data/binaries/01dc76ae0dd80a5a17ab44263e78dd3e <<< Contains signature of the worm Worm/SdBot.212992.7
/var/lib/mwcollect/data/binaries/f215593a90b170ebc56947333e2d7cc8
    Date: 24.12.2005  Time: 10:53:32  Size: 102400
ALERT: [Worm/RBot.102400.15 worm] /var/lib/mwcollect/data/binaries/f215593a90b170ebc56947333e2d7cc8 <<< Contains signature of the worm Worm/RBot.102400.15
/var/lib/mwcollect/data/binaries/d6da31a5bc3f91703f4056079c0fdf92
    Date: 25.12.2005  Time: 00:28:50  Size: 104448
ALERT: [Worm/Rbot.aeu.68 worm] /var/lib/mwcollect/data/binaries/d6da31a5bc3f91703f4056079c0fdf92 <<< Contains signature of the worm Worm/Rbot.aeu.68
/var/lib/mwcollect/data/binaries/a43290c768a04a24465204b173378515
    Date: 25.12.2005  Time: 02:34:34  Size: 95811
ALERT: [Worm/Rbot.95811 worm] /var/lib/mwcollect/data/binaries/a43290c768a04a24465204b173378515 <<< Contains signature of the worm Worm/Rbot.95811
/var/lib/mwcollect/data/binaries/8e34d18d7f07326fcfb7deea1fcaddb4
    Date: 25.12.2005  Time: 11:34:39  Size: 135252
ALERT: [Worm/Rbot.136192.15 worm] /var/lib/mwcollect/data/binaries/8e34d18d7f07326fcfb7deea1fcaddb4 <<< Contains signature of the worm Worm/Rbot.136192.15
/var/lib/mwcollect/data/binaries/3ca89d469659b58e68bb8c83f5626b9a
    Date: 26.12.2005  Time: 20:30:19  Size: 22016
ALERT: [Backdoor-Server/Codbot.AZ.1 backdoor] /var/lib/mwcollect/data/binaries/3ca89d469659b58e68bb8c83f5626b9a <<< Contains a signature of the (dangerous) backdoor program Backdoor-Server/Codbot.AZ.1 Backdoor server programs
/var/lib/mwcollect/data/binaries/044ef6acbeea9a269f81a75cd2745aa6
    Date: 27.12.2005  Time: 00:29:58  Size: 179200
ALERT: [Worm/Rbot.JK worm] /var/lib/mwcollect/data/binaries/044ef6acbeea9a269f81a75cd2745aa6 <<< Contains signature of the worm Worm/Rbot.JK
/var/lib/mwcollect/data/binaries/9ec9bc7b69b383f7052d99faba80f5ac
    Date: 27.12.2005  Time: 01:04:03  Size: 262104
ALERT: [W32/Parite virus] /var/lib/mwcollect/data/binaries/9ec9bc7b69b383f7052d99faba80f5ac <<< Contains code of the Windows virus W32/Parite
/var/lib/mwcollect/data/binaries/662aa805033bc28fd29f6f696131723e
    Date: 27.12.2005  Time: 01:11:54  Size: 47616
ALERT: [Backdoor-Server/Codbot.AG.2 backdoor] /var/lib/mwcollect/data/binaries/662aa805033bc28fd29f6f696131723e <<< Contains a signature of the (dangerous) backdoor program Backdoor-Server/Codbot.AG.2 Backdoor server programs
/var/lib/mwcollect/data/binaries/fc728f4ac97ef25cf7e8729b1cfab184
    Date: 27.12.2005  Time: 09:53:25  Size: 84480
ALERT: [Worm/Rbot.84480 worm] /var/lib/mwcollect/data/binaries/fc728f4ac97ef25cf7e8729b1cfab184 <<< Contains signature of the worm Worm/Rbot.84480
/var/lib/mwcollect/data/binaries/a99408e866c8115bc605c00446911017
    Date: 28.12.2005  Time: 13:14:54  Size: 19456
ALERT: [Worm/RBot.19456 worm] /var/lib/mwcollect/data/binaries/a99408e866c8115bc605c00446911017 <<< Contains signature of the worm Worm/RBot.19456
/var/lib/mwcollect/data/binaries/ec4e2fcc63ba79d479fda8631ccf75ce
    Date: 30.12.2005  Time: 23:25:10  Size: 82432
ALERT: [W32/Parite virus] /var/lib/mwcollect/data/binaries/ec4e2fcc63ba79d479fda8631ccf75ce <<< Contains code of the Windows virus W32/Parite

------ scan results ------
directories:          1
scanned files:       34
alerts:              27
suspicious:           0
repaired:             0
deleted:              0
renamed:              0
scan time:     00:00:20
--------------------------
Thank you for using AntiVir.[/geshi]
F-Prot:
[geshi lang=bash]router ~ # f-prot /var/lib/mwcollect/data/binaries
Virus scanning report  -  31 December 2005 @ 17:04

F-PROT ANTIVIRUS
Program version: 4.6.3
Engine version: 3.16.10

VIRUS SIGNATURE FILES
SIGN.DEF created 30 December 2005
SIGN2.DEF created 30 December 2005
MACRO.DEF created 22 December 2005

Search: /var/lib/mwcollect/data/binaries
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/var/lib/mwcollect/data/binaries/886f1b650cecfd4621581d687dd56205 is a security risk named W32/Sdbot.NVE
/var/lib/mwcollect/data/binaries/3799434f10827ae73deb41faf72ba6ae is a security risk named W32/Spybot.ISS
/var/lib/mwcollect/data/binaries/efc8ec062d95057655b2880f37d9e690->(MEW)->(PCShrink) Infection: W32/Ircbot1.gen
/var/lib/mwcollect/data/binaries/27764a5d1e10bfac548f46bb5bad8187 is a security risk named W32/Pakes.X
/var/lib/mwcollect/data/binaries/36883c9c30142256d966fd4417b28c67 is a security risk named W32/Sdbot.MII
/var/lib/mwcollect/data/binaries/41805c3fe378b19ebc93aa0f0339dfa0 is a security risk named W32/Agobot.FDI
/var/lib/mwcollect/data/binaries/9ef4a49f003e950d8e4162ba1d13c476 Infection: W32/Parite.A
/var/lib/mwcollect/data/binaries/178ef9541ea8a4ac2a52bacfcaeb2816 is a security risk named W32/Sdbot.NRW
/var/lib/mwcollect/data/binaries/7660f9342071051b5663d242cce8bcd4 is a security risk named W32/Sdbot.MAO
/var/lib/mwcollect/data/binaries/c34b5ec44017814cb4b9718855267984 is a security risk named W32/Sdbot.LXN
/var/lib/mwcollect/data/binaries/f1838cb025f428307fc16a9c9fc7e5f8->(UPX) is a security risk named W32/Sdbot.KM
/var/lib/mwcollect/data/binaries/cb9e7a140d7e8a6b9db3298ba94c985a is a security risk named W32/Sdbot.LVD
/var/lib/mwcollect/data/binaries/0c01728b7ecdd68dbf03e17cfec4db95 Infection: W32/Codbot.AN
/var/lib/mwcollect/data/binaries/8f31a5bac11a46610194e29a7ab669e6 is a security risk named W32/Sdbot.KEF
/var/lib/mwcollect/data/binaries/01dc76ae0dd80a5a17ab44263e78dd3e is a security risk named W32/Spybot.LEX
/var/lib/mwcollect/data/binaries/f215593a90b170ebc56947333e2d7cc8->(Morphine)->(UPX) Infection: W32/Ircbot1.gen
/var/lib/mwcollect/data/binaries/d6da31a5bc3f91703f4056079c0fdf92 is a security risk named W32/Spybot.NMT
/var/lib/mwcollect/data/binaries/a43290c768a04a24465204b173378515 is a security risk named W32/Spybot.NKB
/var/lib/mwcollect/data/binaries/8e34d18d7f07326fcfb7deea1fcaddb4 is a security risk named W32/Spybot.NQU
/var/lib/mwcollect/data/binaries/3ca89d469659b58e68bb8c83f5626b9a is a security risk named W32/Backdoor.FTY
/var/lib/mwcollect/data/binaries/044ef6acbeea9a269f81a75cd2745aa6 Infection: W32/Ircbot1.gen
/var/lib/mwcollect/data/binaries/9ec9bc7b69b383f7052d99faba80f5ac is a security risk named W32/Spybot.SS
/var/lib/mwcollect/data/binaries/662aa805033bc28fd29f6f696131723e is a security risk named W32/Codbot.R
/var/lib/mwcollect/data/binaries/fc728f4ac97ef25cf7e8729b1cfab184 is a security risk named W32/Spybot.SS
/var/lib/mwcollect/data/binaries/a99408e866c8115bc605c00446911017 is a security risk named W32/Codbot.V
/var/lib/mwcollect/data/binaries/df8732b58bd245079dc2a071ff525a2f->(FSG) Infection: W32/Ircbot1.gen
/var/lib/mwcollect/data/binaries/9f0506eb8502c93805eae67627af53b2 is a security risk named W32/Spybot.NQQ
/var/lib/mwcollect/data/binaries/ec4e2fcc63ba79d479fda8631ccf75ce Infection: W32/Parite.B

Results of virus scanning:

Files: 34
MBRs: 0
Boot sectors: 0
Objects scanned: 35
Infected: 7
Suspicious: 21
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 1:37[/geshi]
ClamAV:
[geshi lang=bash]router ~ # clamscan /var/lib/mwcollect/data/binaries/
/var/lib/mwcollect/data/binaries/886f1b650cecfd4621581d687dd56205: OK
/var/lib/mwcollect/data/binaries/3799434f10827ae73deb41faf72ba6ae: Trojan.Mybot-2635 FOUND
/var/lib/mwcollect/data/binaries/efc8ec062d95057655b2880f37d9e690: Worm.Mytob.GH FOUND
/var/lib/mwcollect/data/binaries/27764a5d1e10bfac548f46bb5bad8187: OK
/var/lib/mwcollect/data/binaries/36883c9c30142256d966fd4417b28c67: Exploit.DCOM.Gen FOUND
/var/lib/mwcollect/data/binaries/41805c3fe378b19ebc93aa0f0339dfa0: Trojan.Mybot-2268 FOUND
/var/lib/mwcollect/data/binaries/9ef4a49f003e950d8e4162ba1d13c476: Trojan.Small-152 FOUND
/var/lib/mwcollect/data/binaries/178ef9541ea8a4ac2a52bacfcaeb2816: Worm.Mytob.GH FOUND
/var/lib/mwcollect/data/binaries/ccba19642771eec3c7d67e4c461e335b: Worm.Mytob.GH FOUND
/var/lib/mwcollect/data/binaries/7660f9342071051b5663d242cce8bcd4: OK
/var/lib/mwcollect/data/binaries/c34b5ec44017814cb4b9718855267984: OK
/var/lib/mwcollect/data/binaries/f1838cb025f428307fc16a9c9fc7e5f8: Trojan.Small-152 FOUND
/var/lib/mwcollect/data/binaries/cb9e7a140d7e8a6b9db3298ba94c985a: Worm.Mytob.Crypt.Gen FOUND
/var/lib/mwcollect/data/binaries/0c01728b7ecdd68dbf03e17cfec4db95: OK
/var/lib/mwcollect/data/binaries/8f31a5bac11a46610194e29a7ab669e6: Trojan.Mybot-2395 FOUND
/var/lib/mwcollect/data/binaries/b68e656d8281c44c1c04f3a1c8ad3cf4: Worm.Mytob.GH FOUND
/var/lib/mwcollect/data/binaries/01dc76ae0dd80a5a17ab44263e78dd3e: Trojan.Mybot-2482 FOUND
/var/lib/mwcollect/data/binaries/f215593a90b170ebc56947333e2d7cc8: Trojan.Mybot-2916 FOUND
/var/lib/mwcollect/data/binaries/d6da31a5bc3f91703f4056079c0fdf92: OK
/var/lib/mwcollect/data/binaries/a43290c768a04a24465204b173378515: Worm.Mytob.GH FOUND
/var/lib/mwcollect/data/binaries/8e34d18d7f07326fcfb7deea1fcaddb4: OK
/var/lib/mwcollect/data/binaries/3ca89d469659b58e68bb8c83f5626b9a: OK
/var/lib/mwcollect/data/binaries/044ef6acbeea9a269f81a75cd2745aa6: Trojan.Mybot.gen-77 FOUND
/var/lib/mwcollect/data/binaries/9ec9bc7b69b383f7052d99faba80f5ac: Trojan.Mybot.gen-3 FOUND
/var/lib/mwcollect/data/binaries/662aa805033bc28fd29f6f696131723e: Trojan.Codbot-6 FOUND
/var/lib/mwcollect/data/binaries/fc728f4ac97ef25cf7e8729b1cfab184: Trojan.Mybot.gen-3 FOUND
/var/lib/mwcollect/data/binaries/a99408e866c8115bc605c00446911017: OK
/var/lib/mwcollect/data/binaries/df8732b58bd245079dc2a071ff525a2f: OK
/var/lib/mwcollect/data/binaries/9f0506eb8502c93805eae67627af53b2: OK
/var/lib/mwcollect/data/binaries/103962c79c7323fe2175f56bab0ed3ee: OK
LibClamAV Warning: Broken PE header detected.
/var/lib/mwcollect/data/binaries/a0497037fca3523c79796ef66db2e661: OK
/var/lib/mwcollect/data/binaries/ec4e2fcc63ba79d479fda8631ccf75ce: Trojan.Small-152 FOUND
/var/lib/mwcollect/data/binaries/5956ca2f711a4553a7a39f086003fada: OK
/var/lib/mwcollect/data/binaries/c79757fdca0454d43eece9a8165605a5: OK

----------- SCAN SUMMARY -----------
Known viruses: 42042
Engine version: 0.87.1
Scanned directories: 1
Scanned files: 34
Infected files: 19
Data scanned: 4.41 MB
Time: 9.250 sec (0 m 9 s)[/geshi]
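The post's conclusion is that no single engine catches everything, so the verdicts should be combined. Reading three reports by eye does not scale past a handful of files, and the numbers that matter (how many samples only one engine flags, how many none flags) are not in any single report. The following added example (not code from the post or from any of the scanners) parses the three line formats shown above, the AntiVir `ALERT:` line, F-Prot's `is a security risk named` / `Infection:` lines with their `->(packer)` suffix, and ClamAV's `: NAME FOUND` line, into one per-sample table and computes that coverage. The report excerpts, file names and detection names inside it are constructed for the example; the line shapes are the ones printed above.

```python
"""Merge the verdicts of several virus scanners into one per-sample view.

Added example, not code from the post or from any of the scanners. The report
excerpts below are constructed in the line formats that AntiVir, F-Prot and
ClamAV print in the post, with made-up file names and detection names.
"""
import os
import re

# Constructed: the directory listing that `ls .../binaries/` would give.
FILES = ["aaa1", "bbb2", "ccc3", "ddd4", "eee5", "fff6"]
BINDIR = "/var/lib/mwcollect/data/binaries/"

REPORTS = {
    "antivir": f"""\
{BINDIR}aaa1
    Date: 22.12.2005  Time: 22:13:14  Size: 215972
ALERT: [Worm/ExampleBot.A worm] {BINDIR}aaa1 <<< Contains signature of the worm Worm/ExampleBot.A
ALERT: [W32/ExampleVirus virus] {BINDIR}bbb2 <<< Contains code of the Windows virus W32/ExampleVirus
ALERT: [Backdoor-Server/ExampleBot.B backdoor] {BINDIR}ccc3 <<< Contains a signature of the (dangerous) backdoor program Backdoor-Server/ExampleBot.B
""",
    "fprot": f"""\
{BINDIR}aaa1 is a security risk named W32/ExampleBot.X
{BINDIR}ddd4->(UPX) is a security risk named W32/ExampleBot.Y
{BINDIR}eee5->(MEW)->(PCShrink) Infection: W32/ExampleBot.gen
""",
    "clamav": f"""\
{BINDIR}aaa1: Trojan.Example-1 FOUND
{BINDIR}bbb2: OK
{BINDIR}ccc3: OK
{BINDIR}ddd4: Trojan.Example-2 FOUND
{BINDIR}eee5: OK
LibClamAV Warning: Broken PE header detected.
{BINDIR}fff6: OK
""",
}

# One pattern per line shape; each yields the file path and the detection name.
PATTERNS = {
    "antivir": [re.compile(r"^ALERT: \[(?P<name>\S+) \S+\] (?P<path>\S+) <<<")],
    "fprot": [
        re.compile(r"^(?P<path>\S+) is a security risk named (?P<name>\S+)$"),
        re.compile(r"^(?P<path>\S+) Infection: (?P<name>\S+)$"),
    ],
    "clamav": [re.compile(r"^(?P<path>\S+): (?P<name>\S+) FOUND$")],
}


def parse_report(scanner, text):
    """Return {basename: detection name} for every line the scanner flagged.
    F-Prot appends the unpacker chain (path->(UPX)->(...)), which is stripped;
    header lines, OK lines and library warnings match no pattern and are skipped."""
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        for pattern in PATTERNS[scanner]:
            match = pattern.match(line)
            if match:
                path = match.group("path").split("->")[0]
                verdicts[os.path.basename(path)] = match.group("name")
                break
    return verdicts


def merge(reports, all_files):
    """Per file: {scanner: name}. Files no scanner flagged keep an empty dict."""
    merged = {f: {} for f in all_files}
    for scanner, text in reports.items():
        for base, name in parse_report(scanner, text).items():
            merged.setdefault(base, {})[scanner] = name
    return merged


def coverage(merged, scanners):
    """The numbers worth knowing when combining engines: each engine alone,
    the union, and which samples rest on a single engine's opinion."""
    return {
        "per_scanner": {s: sum(1 for v in merged.values() if s in v) for s in scanners},
        "detected_by_any": sum(1 for v in merged.values() if v),
        "missed_by_all": [f for f, v in merged.items() if not v],
        "single_source": [f for f, v in merged.items() if len(v) == 1],
        "flagged_by_all": [f for f, v in merged.items() if len(v) == len(scanners)],
    }


if __name__ == "__main__":
    result = coverage(merge(REPORTS, FILES), sorted(REPORTS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same structure applies to the real reports above: feed each scanner's output to `parse_report` and the `ls` listing to `merge`, and `missed_by_all` is the list of samples worth a closer manual look, since the post's three engines between them still leave some of the 34 files unflagged.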


Lena
7 Feb 2008
My PC has the virus Worm/rbot.174080
How do I get rid of it?
Jochen
19 Feb 2008