VS0601001 Possible new malware [Ranky and Sdbot Dropper]
Data on a sample of a suspected new malware being spread via SMB.
This was caught by my WormCharmer.
I have included data on a sample of the dropper and the files extracted from the RAR SFX dropper for your information and analysis.
Two copies have been trapped so far.
I haven’t had a chance to test it on a goat system yet.
============================================================
Details:
FileName: newyear.exe
FileDateTime: 05/01/2006 16:10:40
Filesize: 155620
MD5: 75ff76d1b8b0d53f5901ecaab25dfb40
CRC32: 8DE88371
File Type: PE Executable RAR
Scan report of: newyear.exe
@Proventia-VPS -
AntiVir -
Avast! -
AVG IRC/BackDoor.SdBot.SBT (Trojan horse)
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web DLOADER.Trojan (probably)
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky Trojan-Proxy.Win32.Ranky.be (warning)
McAfee Proxy-FBSR trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster -
YY_Spybot -
============================================================
Drops:
============================================================
FileName: smallko.exe
FileDateTime: 05/01/2006 00:46:49
Filesize: 22286
MD5: df67bfb04235d2f7b5b4898eb0acdfef
CRC32: A2A97F28
File Type: PE Executable
Scan report of: smallko.exe
@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web DLOADER.Trojan (probably)
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/Ranky.Variant!Trojan
eTrust-INO (BETA) Win32/Ranky.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.be
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.be
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Trojan-Proxy.Win32.Ranky.be (warning)
McAfee Proxy-FBSR trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 Win32/TrojanProxy.Ranky trojan (variant)
Norman W32/Suspicious_M.gen
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal TrojanProxy.Ranky.gen
Sophos Troj/Ranck-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster -
YY_Spybot -
============================================================
FileName: smallok.exe
FileDateTime: 05/01/2006 00:46:25
Filesize: 34382
MD5: 09e9474350284e6e5fe3dc76608177ea
CRC32: EF816634
File Type: PE Executable
Scan report of: smallok.exe
@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG IRC/BackDoor.SdBot.SBT (Trojan horse)
BitDefender Backdoor.SDBot.DF38CD19
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda W32/Gaobot.gen.worm
Panda (BETA) W32/Gaobot.gen.worm
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro Possible_Virus
Trend Micro (BETA) Possible_Virus
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.SdBot.BQZ
YY_Spybot -
============================================================
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/vsub/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
