DPChallenge: A Digital Photography Contest

Oops. Did I just run a SWF Trojan named "egg.swf"?
03/20/2007 12:29:59 PM · #1
Someone I work with sent me a link to an "Easter message" that was a SWF. I am normally suspicious of these things, but for some reason, I went to see what it was.

I watched for a few moments, but the animation itself made me suspicious. It was a chicken on a nest, an egg nearby, and it was just slowly putting up new text. I closed the window (running in Firefox) when it got to the part about "it's a conspiracy against you..."

I've been searching, and I found some information about a vulnerability and the code for it on the web, called egg.swf. But it was a RealPlayer vulnerability. I ran it within Firefox, presumably with the Adobe Flash plugin.

I can't find any recent reports, and now, while I'm rerunning all my virus checks and spyware checks, I am still at a loss as to what to look for in this case, whether I got out in time, or whether it was actually nothing.

The link to the SWF was posted on d21c.com; it seems to be some sort of server.

Anyone know of any recent security alerts for egg.swf, or d21c.com?

The link, if you want to check the file - DON'T DISPLAY IT - was

d21c.com / scratch / holidays / egg.swf

Any help and advice appreciated.
03/20/2007 12:31:58 PM · #2
Well, of course an SWF is a Flash program.

Flash programs are typically embedded into a web page through a short bit of code. They can also be played inside of Flash Player or in most web browsers.

I WILL RUN THE PROGRAM FOR YOU. Don't worry, it's not my PC.

Message edited by author 2007-03-20 12:33:09.
03/20/2007 12:37:01 PM · #3
Originally posted by RainMotorsports:


I WILL RUN THE PROGRAM FOR YOU. Don't worry, it's not my PC.


Gotta love the fearless! ;)
03/20/2007 12:37:59 PM · #4


It's fine as far as I can tell.

All it is is a Flash animation in its web-distributable format.

You open these many times a year without even knowing it.

Message edited by author 2007-03-20 12:38:45.
03/20/2007 12:46:06 PM · #5
Well, the dull, slow way it progressed and the text seemed very suspicious to me.

I downloaded it and ran it through a hosting site which checks with a number of Antiviruses, and it got a clean report, though it could just be a "new" virus or trojan.

Complete scanning result of "egg.swf", received in VirusTotal at 03.20.2007, 17:40:02 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.21.0 03.20.2007 no virus found
AntiVir 7.3.1.44 03.20.2007 no virus found
Authentium 4.93.8 03.20.2007 no virus found
Avast 4.7.936.0 03.19.2007 no virus found
AVG 7.5.0.447 03.20.2007 no virus found
BitDefender 7.2 03.20.2007 no virus found
CAT-QuickHeal 9.00 03.20.2007 no virus found
ClamAV devel-20070312 03.20.2007 no virus found
DrWeb 4.33 03.20.2007 no virus found
eSafe 7.0.14.0 03.20.2007 no virus found
eTrust-Vet 30.6.3494 03.20.2007 no virus found
Ewido 4.0 03.20.2007 no virus found
FileAdvisor 1 03.20.2007 no virus found
Fortinet 2.85.0.0 03.20.2007 no virus found
F-Prot 4.3.1.45 03.20.2007 no virus found
F-Secure 6.70.13030.0 03.20.2007 no virus found
Ikarus T3.1.1.3 03.20.2007 no virus found
Kaspersky 4.0.2.24 03.20.2007 no virus found
McAfee 4987 03.19.2007 no virus found
Microsoft 1.2306 03.20.2007 no virus found
NOD32v2 2129 03.20.2007 no virus found
Norman 5.80.02 03.20.2007 no virus found
Panda 9.0.0.4 03.20.2007 no virus found
Prevx1 V2 03.20.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 no virus found
Symantec 10 03.20.2007 no virus found
TheHacker 6.1.6.078 03.20.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.19.2007 no virus found
VirusBuster 4.3.7:9 03.20.2007 no virus found
Webwasher-Gateway 6.0.1 03.20.2007 no virus found

Aditional Information
File size: 187515 bytes
MD5: ac1853e844ebc75a817a646d40e996f9
SHA1: 7526be5fc957032c380a12d2977890ab1f539235
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


Jeff, if you ran it, which I don't recommend, what did it do at the end? Was it a real joke or was the joke on you?
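
Added example, not part of the original thread: one way to examine a downloaded SWF without rendering it, by hashing it for comparison with the digests in a scan report like the one above and by listing what its header and tag stream declare. The function names and the sample file (built in code) are constructed for illustration; tag codes 12, 59 and 82 are the SWF format's ActionScript-carrying tags.

```python
import hashlib
import struct
import zlib

# Tags that carry ActionScript. Many benign files have them, so a hit is a
# pointer for closer review, not a verdict.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def triage_swf(data: bytes) -> dict:
    """Summarise an SWF file statically; nothing in it is rendered or run."""
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"CWS":                  # zlib-compressed after the 8-byte header
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":                # uncompressed
        body = data[8:]
    else:
        raise ValueError(f"not an FWS/CWS file: {sig!r}")
    # Skip the bit-packed RECT (5-bit width + 4 fields), frame rate and count.
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:             # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append(code)
        if code == 0:                  # End tag
            break
        pos += length
    ended = bool(tags) and tags[-1] == 0
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "signature": sig.decode(),
        "version": version,
        "length_matches": declared_len == len(body) + 8,
        "script_tags": sorted({SCRIPT_TAGS[c] for c in tags if c in SCRIPT_TAGS}),
        "trailing_bytes": len(body) - pos if ended else None,
    }

def make_sample(compressed: bool = False) -> bytes:
    """Constructed 25-byte SWF: background colour, one DoAction, ShowFrame, End."""
    body = (b"\x00" + b"\x00\x0c\x01\x00" + struct.pack("<H", 9 << 6 | 3) + b"\xff\xff\xff"
            + struct.pack("<H", 12 << 6 | 1) + b"\x00" + struct.pack("<HH", 1 << 6, 0))
    head = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", len(body) + 8)
    return head + (zlib.compress(body) if compressed else body)
```

A nonzero `trailing_bytes` or a false `length_matches` means the file holds data beyond what its header declares, which merits a closer look.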

03/20/2007 12:50:50 PM · #6
All your base are belong to me.
03/20/2007 12:53:04 PM · #7
Originally posted by Strikeslip:

All your base are belong to me.


What does that mean? Was that what it said at the end?

If so, then it sounds like a password/file stealing trojan?
03/20/2007 12:54:49 PM · #8
Originally posted by Strikeslip:

All your base are belong to me.


It's a quote from an old NES game. The translation was all jacked up. Try googling "all your base are belong to us" and you'll get all sorts of hits.
03/20/2007 01:05:39 PM · #9


Message edited by author 2007-03-20 13:07:33.
03/20/2007 01:13:02 PM · #10
it's good to own a mac
03/20/2007 01:13:35 PM · #11
Thanks Jeff. So was there actually a joke? It sure wasn't interesting or funny up to the part I got to. I am still wondering about this one...

It still seems suspicious to me...

(I presume strikeslip was kidding then and it did not contain any text such as "All your base are belong to me.")

03/20/2007 01:33:58 PM · #12
Originally posted by nshapiro:

Thanks Jeff. So was there actually a joke? It sure wasn't interesting or funny up to the part I got to. I am still wondering about this one...

It still seems suspicious to me...

(I presume strikeslip was kidding then and it did not contain any text such as "All your base are belong to me.")


I'm pretty sure it's just an Easter holiday Christmas card.

But if you ever stop hearing from me then y..........

just kidding!
03/20/2007 01:34:40 PM · #13
Originally posted by nshapiro:

(I presume strikeslip was kidding then and it did not contain any text such as "All your base are belong to me.")

Oops, sorry, I just assume everyone online is familiar with the old NES quote. I wrote it with the (humorous, just-kidding) meaning that it is my Trojan and I now have control of your computer. But it's all in jest, as I don't know anything about this SWF file, which by the sound of it, is benign.
03/20/2007 01:37:42 PM · #14
I got that from my in-laws. Just a cute little joke, as far as I know. I kind of enjoyed it...but then again, I am kind of silly :-)
03/20/2007 01:43:38 PM · #15
Originally posted by nshapiro:

Thanks Jeff. So was there actually a joke? It sure wasn't interesting or funny up to the part I got to. I am still wondering about this one...

It still seems suspicious to me...

(I presume strikeslip was kidding then and it did not contain any text such as "All your base are belong to me.")


All Your Base
03/20/2007 02:17:05 PM · #16
Originally posted by sher:

Originally posted by nshapiro:

Thanks Jeff. So was there actually a joke? It sure wasn't interesting or funny up to the part I got to. I am still wondering about this one...

It still seems suspicious to me...

(I presume strikeslip was kidding then and it did not contain any text such as "All your base are belong to me.")


All Your Base


Now that *was* funny. But I don't play video games so I didn't know anything about this "all your base".

Well, I am still hoping that the SWF was indeed benign. I was just kicking myself because I generally refuse to run animation links people email me. But for some reason, because of who this person was, I did.
03/21/2007 12:52:43 AM · #17
thanks sher - that's priceless - now I'll giggle in bed and get kicked!

Neil, I think your fear of viruses might be worse than the virus! My kids catch them for me all the time - a pain to be sure - but dude, you gotta relax! Go take some photos, you'll feel better. ;-)
03/21/2007 01:34:52 AM · #18
Originally posted by digitalknight:

it's good to own a mac


Not to revive the OS holy wars, but when it comes to security, complacency is never a good thing, on any platform.

Personally, I'm pretty much OS-agnostic, given that I own an XP box and a Linux box, and that my next computer will likely be a Mac.

~Terry
03/21/2007 10:06:58 AM · #19
Originally posted by digitalknight:

thanks sher - that's priceless - now I'll giggle in bed and get kicked!

Neil, I think your fear of viruses might be worse than the virus! My kids catch them for me all the time - a pain to be sure - but dude, you gotta relax! Go take some photos, you'll feel better. ;-)


My kids have had viruses before on the family computer, but never anything that could not be quickly eradicated. In my 17 years working out of my home office, I've never had a virus "infect" my work machine, and it's a Windows based PC. I've had viruses downloaded to my machine in emails, etc., but always caught by antivirus or by me, before it actually infected me.

But part of that vigilance is that I'm usually not stupid enough to click on things like that--and yesterday I did.

This one particularly worried me because 1) an "Egg" greeting around Easter time is perfect social engineering for a virus/trojan; 2) I had the suspicion given its slow behavior that it was a data downloader, and my outgoing firewall was off at the time. Losing data from my machine would be a lot worse information-wise than having my wallet stolen, and 3) I had my hosted Linux server attacked a couple of weeks ago through some directories that were open for writing (per software requirements), and it took me a lot of time to clean up the mess. I wasn't looking forward to similar downtime on my work machine (especially given that it has more than a terabyte of work data on it).

So, yes, I take security seriously. That includes both watching for viruses/trojans and acting quickly if I suspect something is wrong.

Message edited by author 2007-03-21 10:07:29.