Friday, June 26, 2009
Booyeah! Nailed one to the wall! Scratch one bot variant.
I gots me a trophy!
*** BEGIN MESSAGE ***
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: (REMOVED).
A listing of files alongside their results can be found below:
| File ID | Filename | Size (Byte) | Result |
|---|---|---|---|
| 25382358 | mucil_idle.txt | 39.07 KB | MALWARE |
Please find a detailed report concerning each individual sample below:
The file 'mucil_idle.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.F. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.
Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)
An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)
Please note: If you have specific questions please address them to support@avira.com
Kind regards
Avira Virus Lab
*** END OF MESSAGE ***
Interesting things happen when I modify a version of ZB Block on another site to return a false success to a scanning probe... like actually taking some scum off the streets, rather than just blocking the attack their probes were attempting.
I hereby declare PHP/IrcBot.F to be my first kill, in what I hope to be a string of many! And to those who might not like this news, all I can say is, you knew it was coming.
Zap!
P.S. I might also mention here that those of you running ZB Block were naturally immune to this infection vector. My modification simply changed the output of ZB Block so that the virus thought it had found an infectable machine, by returning the proper code to it.
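The trick described above, a blocker that plays along with a remote-file-inclusion probe so the bot hands over its payload, as an added example. This is not ZB Block's code and not the author's modification; the post does not say what "proper code" was returned, so the `SUCCESS_MARKER` string here is a hypothetical stand-in, as are the function names and the constructed sample requests. Real ZB Block would answer the probe with a block page; the honeypot variant answers RFI-shaped probes with a success body and logs the remote payload URL for submission to a vendor, while storing anything captured under an inert `.txt` name so the web server never executes it.

```python
import hashlib
from urllib.parse import parse_qs, urlparse

# Hypothetical: the string a scanner is assumed to look for to decide the include "worked".
# The original post does not disclose the actual value the author returned.
SUCCESS_MARKER = "ZBHONEY-OK"

# Schemes that turn a file-include parameter into a remote-file-inclusion attempt.
REMOTE_SCHEMES = ("http", "https", "ftp")


def find_remote_includes(query_string):
    """Return (param, url) pairs for query parameters whose value is a remote URL.

    A 2009-era PHP IRC bot typically probed with something like
    ?page=http://host/x.txt? so that a vulnerable include() would fetch it.
    """
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.netloc:
                hits.append((name, value))
    return hits


def handle_probe(path_with_query, capture_log, marker=SUCCESS_MARKER):
    """Honeypot decision for one request: returns (status, body).

    Non-RFI traffic gets the blocker's usual 403. An RFI-shaped probe gets a
    200 whose body carries the marker the bot expects, so the bot believes it
    found an infectable host and sends its real payload on the next request.
    The remote URL is recorded for later analyst submission; nothing is fetched.
    """
    path, _, query = path_with_query.partition("?")
    includes = find_remote_includes(query)
    if not includes:
        return 403, "Forbidden"
    for name, url in includes:
        capture_log.append({"path": path, "param": name, "payload_url": url})
    return 200, marker


def quarantine_name(payload):
    """Name for a captured payload: content hash plus an inert .txt extension.

    Storing bot code as .txt outside the webroot keeps the server from ever
    interpreting it, which is how a sample like 'mucil_idle.txt' stays harmless
    on disk until it is handed to a virus lab.
    """
    return hashlib.sha256(payload).hexdigest() + ".txt"


if __name__ == "__main__":
    # Constructed sample traffic (TEST-NET address), not captured from a real bot.
    log = []
    print(handle_probe("/index.php?page=about", log))
    print(handle_probe("/index.php?page=http://203.0.113.5/id.txt?", log))
    print(log)
    print(quarantine_name(b"<?php /* constructed sample, not real bot code */ ?>"))
```

The marker is the weak point of this approach: a bot that checks for something the honeypot cannot know in advance (a hash printed by its own probe file) will not be fooled, which is why the captured `payload_url` is logged even when the follow-up never arrives.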
Categories: Bad User Client, Exploit Bot, Scan Bot, Security Musings, Spam Bot, Stupid Bot
