Val says I can start this discussion, so here I go.
A number of features appear to be missing. Apologies if it's there and I didn't see it.
-There ought to be links to the various AV sites and their analysis and name(s) for the sample. I see some of them already have aggregate scan results; those should be turned into fields and links.
-I assume the scan is done once at submission time. There should be a backend process that periodically rescans samples, to reflect changes in the signature databases.
-There ought to be a bunch more cross-reference type fields. Specific examples:
NEW: I recommend reading this site for more defense information.
This thing is really really nasty. I completely destroyed a computer trying to analyse it and am almost done rebuilding it :) Luckily I keep my analysis computers segregated, and you should too!
These files were obtained at CastleCops.com and contain all of the related files of the Zero-day IE .wmf exploit. Haven't had time for analysis yet.
Included is a.exe, kl.exe, loaderadv562.exe, ms1.exe, paytime.exe, tool 1 through 5.exe, toolbar.exe, and
NEW: added more related files contributed by seville THANKS!
Scanning -> C:\malware\wmf\vscan\xpl.wmf
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds
AntiVir Found Trojan/Dldr.WMF.Agent.D
ArcaVir Found nothing
Avast Found Win32:Exdown
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV.C
ClamAV Found Exploit.WMF.A
Dr.Web Found Exploit.MS05-053
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/WMF-exploit
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd
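The first post above asks for the aggregate scan results to become fields and links, and the scanner output above is exactly the text such a backend would have to parse. The following is an added example, not code from the site or its scanner: it parses a report in the format shown above (path line, the "(non MZ)" check, timing, then one "<engine> Found <verdict>" line per engine) into a dictionary, computes the usual N/M detection figure, and reproduces the MZ-signature check the scanner prints. The sample report is a constructed copy of the lines above; the WMF and PE byte strings are constructed header stubs, not the real sample, and the line regexes are assumptions inferred from those lines.

```python
"""Parse a multi-engine AV scan report (format as shown above) into fields.

Added example; not code from the site or its scanner. The report format is
inferred from the lines shown above; anything beyond that is an assumption.
"""
import re

# Constructed copy of the report shown above, used as offline sample input.
SAMPLE_REPORT = """Scanning -> C:\\malware\\wmf\\vscan\\xpl.wmf
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds
AntiVir Found Trojan/Dldr.WMF.Agent.D
ArcaVir Found nothing
Avast Found Win32:Exdown
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV.C
ClamAV Found Exploit.WMF.A
Dr.Web Found Exploit.MS05-053
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/WMF-exploit
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd
"""

# Assumed line shapes, taken from the report above.
_PATH_RE = re.compile(r"^Scanning -> (?P<path>.+)$")
_TIME_RE = re.compile(r"^- Scan Took : (?P<secs>[0-9.]+) Seconds$")
# Engine names may contain spaces ("AVG Antivirus"), so split on the
# first " Found " only.
_ENGINE_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")


def parse_report(text):
    """Return {'path', 'non_mz', 'seconds', 'results'} for one scan report.

    results maps engine name -> detection name, or None when the engine
    reported "nothing"."""
    report = {"path": None, "non_mz": False, "seconds": None, "results": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PATH_RE.match(line)
        if m:
            report["path"] = m.group("path")
            continue
        if line.startswith("[-] File is NON executable"):
            report["non_mz"] = True
            continue
        m = _TIME_RE.match(line)
        if m:
            report["seconds"] = float(m.group("secs"))
            continue
        m = _ENGINE_RE.match(line)
        if m:
            verdict = m.group("verdict").strip()
            report["results"][m.group("engine").strip()] = (
                None if verdict.lower() == "nothing" else verdict)
    return report


def detections(report):
    """Engines that flagged the sample, with the name each one assigned."""
    return {e: v for e, v in report["results"].items() if v is not None}


def detection_ratio(report):
    """(hits, engines) pair, i.e. the usual 'N/M' aggregate figure."""
    return len(detections(report)), len(report["results"])


def is_mz(data):
    """The '(non MZ)' check the scanner prints: does the file start with a
    DOS/PE 'MZ' signature? A .wmf never should; the WMF exploit is a data
    file, not a PE, which is why PE-only tooling has nothing to chew on."""
    return data[:2] == b"MZ"


# Constructed bytes: a standard (non-placeable) WMF header with mtType=1,
# mtHeaderSize=9 words, mtVersion=0x0300, then zero padding. Not the sample.
SAMPLE_WMF = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12
# Constructed bytes: the start of a DOS/PE header.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 12

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(r)
    print(f"{r['path']}: {hits}/{total} engines, non-MZ={r['non_mz']}")
    for engine, name in sorted(detections(r).items()):
        print(f"  {engine:22} {name}")
    print("SAMPLE_WMF is MZ:", is_mz(SAMPLE_WMF), "| SAMPLE_PE is MZ:", is_mz(SAMPLE_PE))
```

Feed each stored report through parse_report and persist the results dict keyed by engine; a periodic rescan then only has to diff the new dict against the old one to show which engines picked the sample up since submission.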
I noticed that my post finally hit Bugtraq today after several attempts. I just wanted to take a minute to welcome all the new users. (11,000 hits in the last couple of hours!)
I also wanted to mention that you have to sign up for an account in order to view the malware posts. It's free and relatively painless, and I promise not to sell your e-mail to spammers :)
Please send feedback, samples, etc. !
UPDATE: F-Secure now detects this worm: C:\virus\dasher\new\lol.exe Infection: Net-Worm.Win32.Dasher.c. Good job, F-Secure guys!
NOTE: This worm specifically detects and attacks VMware systems to avoid analysis. More in the comments.
So thanks to tebodell we have a probable new variant of Dasher. Many of the antivirus tools don't find anything, and this was a real pain to analyze. Basically it crashed my packer detectors, IDA found nothing, PE Explorer couldn't open it at all and neither could objdump. It crashed my VMware by opening 10000000 cmd.exe windows. I submitted it to a couple of the A/V vendors in case they don't already have it.
First of all, huge thanks to tebodell for lots of contributions on this one.
So my first impressions of Dasher are that it's a poorly designed worm.
- The MSDTC exploit is not reliable which is strike one.
A lot of vulnerable hosts won't actually be exploited by this worm.
- The next thing is that the address randomization on the scanner sucks.
My sample began immediately and loudly scanning reserved IP
So there's no sample post tonight. I'm busy trying to understand the 700 unknown "shellcode" I have from my mwcollect. I don't really understand how that part works. Nepenthes has a page http://nepenthes.sourceforge.net/howto:reversing_windows32_shellcodes that kind of explains what to do with them, but it's incomplete. If anyone has suggestions, that would help.
Also, I need samples of things like the PnP worm / Dasher / etc. My collectors seem to be running dry lately.
PS: we seem to be linked on Halvar's blog, wooo! Thanks Halvar!