VSUB - Malware Submissions

Sunday 26th February, 2006

VS0602008 Possible new malware [Bagle/Mitglieder]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: RR-0922-014.exe
FileDateTime: 26/02/2006 12:08:52
Filesize: 5492
MD5: ebc2ba74578cb23af083c89b31060a28
CRC32: 14EE5F6A
File Type: PE Executable
Packer: FSG

Scan report of: RR-0922-014.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command W32/Zonko.A
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Zonko.A
F-Secure -
F-Secure (BETA) -
Fortinet PossibleThreat!01846
Fortinet (BETA) PossibleThreat!01846
Ikarus Email-Worm.Win32.Bagle.EZ
Kaspersky -
McAfee -
McAfee (BETA) -
Nod32 Win32/TrojanDownloader.Small.NIH trojan (variant)
Norman Suspicious_F.gen
Panda Suspicious file
Panda (BETA) Trj/Nabload.BR
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) TROJ_DLOADER.BSL
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Wednesday 22nd February, 2006

VS0602007 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: ucmd.exe
FileDateTime: 19/02/2006 07:31:58
Filesize: 162713
MD5: 3b1a2f689c630ace0200308c83e70d44
CRC32: 4774C81E
File Type: PE Executable RAR

Scan report of: ucmd.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:SpyBot-A3042 [Trj]
AVG IRC/BackDoor.SdBot.XTC (Trojan horse)
BitDefender Backdoor.SDBot.AEBEC06D
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal -
Sophos -
Symantec Trojan.Dropper
Symantec (BETA) Trojan.Dropper
Trend Micro TROJ_DROPPER.AHE
Trend Micro (BETA) TROJ_DROPPER.AHE
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.DR.SdBot.BUW
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: gateve.exe
FileDateTime: 17/02/2006 23:05:33
Filesize: 35366
MD5: 28433f25b2b1f03fd2ea9f9b416a0e9f
CRC32: BB998920
File Type: PE Executable

Scan report of: gateve.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG IRC/BackDoor.SdBot.XTC (Trojan horse)
BitDefender Backdoor.SDBot.AEBEC06D
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Routine CRC-Mytob2
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.DMP
Trend Micro (BETA) WORM_SDBOT.DMP
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.SdBot.BUW
YY_Spybot -

============================================================

FileName: mouaek.exe
FileDateTime: 17/02/2006 23:05:20
Filesize: 61440
MD5: 1ff47708a3feee2966752c3e2f10403c
CRC32: 13C59FC0
File Type: PE Executable

Scan report of: mouaek.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.HN
Avast! Win32:SpyBot-A3042 [Trj]
AVG Packed.gen
BitDefender -
ClamAV -
Command -
Dr Web Trojan.NtRootKit.40
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/NTPacker.C
eTrust-VET (BETA) Win32/NTPacker.C
Ewido Backdoor.Bifrose.d
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Ranky.EI!tr
Fortinet (BETA) W32/Ranky.EI!tr
Ikarus Backdoor.Win32.ProRat.B
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee New Malware.r (trojan or variant)
McAfee (BETA) New Malware.r (trojan or variant)
Nod32 Win32/TrojanDropper.ErPack trojan
Norman W32/Rank.VO
Panda Trj/Ranky.MG
Panda (BETA) Trj/Ranky.MG
QuickHeal -
Sophos -
Symantec Backdoor.Ranky
Symantec (BETA) Backdoor.Ranky
Trend Micro TROJ_RANKY.IO
Trend Micro (BETA) TROJ_RANKY.IO
VBA32 Malware.Delf.5 (suspected)
VirusBuster Trojan.PR.Ranck.HN
YY_Spybot -

============================================================
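
Every submission on this page repeats the same two structures: a "Details:" header (FileName, FileDateTime, Filesize, MD5, CRC32, File Type, Packer) and a "Scan report of:" list of vendor/verdict pairs, where "-" means the scanner reported nothing; the VS0602007 post above and the VS0602006 post that follows also record the dropper as "PE Executable RAR", i.e. a RAR SFX stub with the archive appended. The Python below is an added example, not code from the original submissions or from the author's tooling. It parses one record in that layout into header fields and a per-vendor verdict map, tallies how many scanners flagged the file and which family names they used, and reproduces the header fields (size, MD5, eight-digit CRC32, and the PE / PE+RAR type) for bytes on disk. The cut-down report text, the minimal MZ/PE header it is run against and the family keyword list are constructed for the example; the RAR-marker check is an assumption about how the page's tool classified files, not a description of it.

```python
import hashlib
import zlib

# Vendor column of the page's scan reports, longest name first so that
# "Trend Micro (BETA)" is tried before "Trend Micro" when a line is split.
VENDORS = sorted([
    "@Proventia-VPS", "AntiVir", "Avast!", "AVG", "BitDefender", "ClamAV",
    "Command", "Dr Web", "eSafe", "eTrust-INO", "eTrust-INO (BETA)",
    "eTrust-VET", "eTrust-VET (BETA)", "Ewido", "F-Prot", "F-Secure",
    "F-Secure (BETA)", "Fortinet", "Fortinet (BETA)", "Ikarus", "Kaspersky",
    "McAfee", "McAfee (BETA)", "Nod32", "Norman", "Panda", "Panda (BETA)",
    "QuickHeal", "Sophos", "Symantec", "Symantec (BETA)", "Trend Micro",
    "Trend Micro (BETA)", "VBA32", "VirusBuster", "YY_Spybot",
], key=len, reverse=True)

# Constructed excerpt in the page's layout: header values of the ucmd.exe
# record above, vendor list cut down to nine entries for brevity.
SAMPLE_REPORT = """\
FileName: ucmd.exe
FileDateTime: 19/02/2006 07:31:58
Filesize: 162713
MD5: 3b1a2f689c630ace0200308c83e70d44
CRC32: 4774C81E
File Type: PE Executable RAR

Scan report of: ucmd.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:SpyBot-A3042 [Trj]
AVG IRC/BackDoor.SdBot.XTC (Trojan horse)
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
Symantec Trojan.Dropper
Trend Micro TROJ_DROPPER.AHE
YY_Spybot -
"""

def parse_submission(text):
    """Return header fields and a {vendor: verdict} map ("-" = not detected)."""
    fields, verdicts, in_report = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Scan report of:"):
            in_report = True
        elif not in_report:
            key, _, value = line.partition(": ")   # e.g. "CRC32: 4774C81E"
            fields[key] = value
        else:
            for vendor in VENDORS:
                if line == vendor or line.startswith(vendor + " "):
                    verdicts[vendor] = line[len(vendor):].strip() or "-"
                    break
            else:
                raise ValueError("unknown vendor in line: " + line)
    return {"fields": fields, "verdicts": verdicts}

def detection_summary(verdicts, families=("sdbot", "spybot", "ranky", "mytob", "dropper", "bagle")):
    """Count scanners that flagged the file and which family names they used.
    The family keyword list is an assumption made for this example."""
    detected = [r for r in verdicts.values() if r != "-"]
    tally = {}
    for verdict in detected:
        for family in families:
            if family in verdict.lower():
                tally[family] = tally.get(family, 0) + 1
    return {"detected": len(detected), "scanned": len(verdicts), "families": tally}

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5 - 4.x archive marker block

def crc32_hex(data):
    """CRC32 as eight upper-case hex digits, leading zeros kept."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"

def file_type(data):
    """Mimic the page's 'File Type' field: a RAR SFX dropper is a PE stub with
    the archive appended, so a PE carrying the RAR marker is 'PE Executable RAR'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "Unknown"
    pe_off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return "DOS Executable"
    return "PE Executable RAR" if RAR_MARKER in data[pe_off + 4:] else "PE Executable"

def sample_details(name, data):
    """The header fields the page records for each sample."""
    return {"FileName": name, "Filesize": len(data), "MD5": hashlib.md5(data).hexdigest(),
            "CRC32": crc32_hex(data), "File Type": file_type(data)}

def fake_pe(payload=b""):
    """Constructed minimal MZ/PE header (not a runnable program) plus payload."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")       # PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + payload
```

Running `detection_summary(parse_submission(SAMPLE_REPORT)["verdicts"])` on the excerpt gives 6 detections out of 9 scanners, with the names split between SdBot, SpyBot and a generic "Dropper" label, which is the kind of naming spread visible across the full reports above. `sample_details("sfx.exe", fake_pe(RAR_MARKER + b"archive data"))` yields the "PE Executable RAR" type for a stub with an appended archive; `crc32_hex` always pads to eight digits so a checksum whose high byte is zero is not printed short.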

Monday 20th February, 2006

VS0602006 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

4 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: jarule.exe
FileDateTime: 17/02/2006 20:30:48
Filesize: 162658
MD5: ed889d9d147fae7ebee5e22cab354097
CRC32: E90E94A9
File Type: PE Executable RAR

Scan report of: jarule.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:SpyBot-A3042 [Trj]
AVG IRC/BackDoor.SdBot.XOZ (Trojan horse)
BitDefender Backdoor.SDBot.1F9B5E58
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Ranky.EI!tr
Fortinet (BETA) W32/Ranky.EI!tr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee New Malware.r (trojan or variant)
McAfee (BETA) New Malware.r (trojan or variant)
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal -
Sophos -
Symantec Trojan.Dropper
Symantec (BETA) Trojan.Dropper
Trend Micro -
Trend Micro (BETA) TROJ_DROPPER.ALA
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.DR.SdBot.BUS
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: creah.exe
FileDateTime: 14/02/2006 13:59:01
Filesize: 35379
MD5: 19bbd0cc234f256b946210946e2db934
CRC32: A886F494
File Type: PE Executable

Scan report of: creah.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG IRC/BackDoor.SdBot.XOZ (Trojan horse)
BitDefender Backdoor.SDBot.1F9B5E58
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) -
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro WORM_SDBOT.DHB
Trend Micro (BETA) WORM_SDBOT.DHB
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.SdBot.BUS
YY_Spybot -

============================================================
FileName: creat.exe
FileDateTime: 14/02/2006 13:58:49
Filesize: 61440
MD5: 64abbfc626189f3101aabe09ddcfcb95
CRC32: 926A1144
File Type: PE Executable

Scan report of: creat.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.EI.1
Avast! Win32:SpyBot-A3042 [Trj]
AVG Packed.gen
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV -
Command -
Dr Web Trojan.NtRootKit.40
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/NTPacker.C
eTrust-VET (BETA) Win32/NTPacker.C
Ewido Backdoor.Bifrose.d
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Ranck.DO!tr
Fortinet (BETA) W32/Ranck.DO!tr
Ikarus Backdoor.Win32.ProRat.B
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee New Malware.r (trojan or variant)
McAfee (BETA) New Malware.r (trojan or variant)
Nod32 Win32/TrojanDropper.ErPack trojan
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Sophos Troj/Ranck-DO
Symantec Backdoor.Ranky
Symantec (BETA) Backdoor.Ranky
Trend Micro TROJ_RANKY.IH
Trend Micro (BETA) TROJ_RANKY.IH
VBA32 Malware.Delf.5 (suspected)
VirusBuster Trojan.PR.Ranck.HM
YY_Spybot -

============================================================

VS0602005 Possible new malware [Bancos]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
sent via an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: sexonaescada.scr
FileDateTime: 18/02/2006 14:48:32
Filesize: 814080
MD5: acb79dad14e675c5980465a406b37188
CRC32: 4C0A7E63
File Type: PE Executable
Packer: DoomPack

Scan report of: sexonaescada.scr

@Proventia-VPS -
AntiVir -
Avast! Win32:Banker-EL [Trj]
AVG -
BitDefender -
ClamAV Trojan.Spy.Banker-93
Command -
Dr Web BACKDOOR.Trojan (probably)
eSafe -
eTrust-INO Win32/Bancos.Variant!Trojan
eTrust-INO (BETA) Win32/Bancos.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Spy.Win32.Banker.anv
F-Secure (BETA) Trojan-Spy.Win32.Banker.anv
Fortinet -
Fortinet (BETA) -
Ikarus suspicious
Kaspersky Trojan-Spy.Win32.Banker.anv
McAfee -
McAfee (BETA) -
Nod32 Win32/Spy.Banker.AHY trojan (probably variant)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos Troj/Bnkmr-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banbra.25 (suspected)
VirusBuster -
YY_Spybot -

============================================================

VS0602004 Possible new malware [Bancos]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
sent via an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: plugin_8.0_macromedia.scr
FileDateTime: 20/02/2006 10:00:21
Filesize: 29650
MD5: 74a0e0605d25164e9fb08ef4e5cef007
CRC32: B6F147B2
File Type: PE Executable
Packer: DoomPack

Scan report of: plugin_8.0_macromedia.scr

@Proventia-VPS -
AntiVir TR/Dldr.Banload.OH.31
Avast! -
AVG -
BitDefender BehavesLike:Trojan.Downloader (suspected)
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Dadobra.kp
F-Prot -
F-Secure Trojan-Downloader.Win32.Banload.oh
F-Secure (BETA) Trojan-Downloader.Win32.Banload.oh
Fortinet W32/SmDown.OH!dldr
Fortinet (BETA) W32/SmDown.OH!dldr
Ikarus Backdoor.Win32.PcClient.GV
Kaspersky Trojan-Downloader.Win32.Banload.oh
McAfee -
McAfee (BETA) -
Nod32 Win32/TrojanDownloader.Dadobra.IA trojan (variant)
Norman W32/Downloader (Sandbox)
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Sophos Troj/SmDown-Fam
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 Trojan-Downloader.Win32.Banload.oh
VirusBuster -
YY_Spybot -

============================================================

Tuesday 14th February, 2006

VS0602003 Possible new malware [Bancos]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
sent via an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: amor.scr
FileDateTime: 14/02/2006 11:17:32
Filesize: 496640
MD5: 9e2cff0bd561e2d984b9576067207d93
CRC32: 3832D684
File Type: PE Executable
Packer: DoomPack

Scan report of: amor.scr

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Spy.Banker.ark.201
Avast! -
AVG -
BitDefender Trojan.Banker.Delf.94B2CAB8
ClamAV Trojan.Spy.Banker-94
Command -
Dr Web Trojan.PWS.Banker.based
eSafe -
eTrust-INO Win32/Bancos.Variant!Trojan
eTrust-INO (BETA) Win32/Bancos.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido Logger.Banker.ark
F-Prot -
F-Secure Trojan-Spy.Win32.Banker.ark
F-Secure (BETA) Trojan-Spy.Win32.Banker.ark
Fortinet Spy/Bnkmr
Fortinet (BETA) Spy/Bnkmr
Ikarus Trojan-Spy.Win32.Banker.ARK
Kaspersky Trojan-Spy.Win32.Banker.ark
McAfee -
McAfee (BETA) -
Nod32 Win32/Spy.Banker.AHY trojan (probably variant)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos Troj/Bnkmr-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banbra.25 (suspected)
VirusBuster -
YY_Spybot -

============================================================

Monday 13th February, 2006

VS0602002 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: foncun.exe
FileDateTime: 08/02/2006 21:43:43
Filesize: 164940
MD5: eb71c1433b8782aeb4209b144a97491a
CRC32: 38F77832
File Type: PE Executable RAR

Scan report of: foncun.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG Packed.gen
BitDefender Backdoor.SDBot.55325F9F
ClamAV Worm.Mytob.GH
Command -
Dr Web BackDoor.DarkMoon.66
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.Rbot.eb
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/Dloader.PS!bdr
Fortinet (BETA) W32/Dloader.PS!bdr
Ikarus -
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee Downloader-PS trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal -
Sophos -
Symantec Trojan.Dropper
Symantec (BETA) Trojan.Dropper
Trend Micro TROJ_RANKY.IQ
Trend Micro (BETA) TROJ_RANKY.IQ
VBA32 Backdoor.PcClient.34 (suspected)
VirusBuster Worm.DR.SdBot.BUN
YY_Spybot -

============================================================

Drops:-

============================================================
FileName: akfour.exe
FileDateTime: 06/02/2006 22:34:44
Filesize: 35381
MD5: 3b911b11fbdad124f40526fe47e444d5
CRC32: 8247AB39
File Type: PE Executable

Scan report of: akfour.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG IRC/BackDoor.SdBot.VHR (Trojan horse)
BitDefender Backdoor.SDBot.55325F9F
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Routine CRC-Mytob2
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet W32/SDBot!bdr
Fortinet (BETA) W32/SDBot!bdr
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec W32.Randex
Symantec (BETA) W32.Randex
Trend Micro WORM_SDBOT.DGC
Trend Micro (BETA) WORM_SDBOT.DGC
VBA32 Trojan-Spy.Banker.24 (suspected)
VirusBuster Worm.SdBot.BUN
YY_Spybot -

============================================================
FileName: hqybe.exe
FileDateTime: 06/02/2006 22:25:20
Filesize: 36864
MD5: 62fc9654938f7db786bf9e92ff66c5f1
CRC32: 00A81AFB
File Type: PE Executable
Packer: Standard PE File

Scan report of: hqybe.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.EI
Avast! -
AVG Packed.gen
BitDefender -
ClamAV -
Command -
Dr Web BackDoor.DarkMoon.66
eSafe Win32.Darkmoon.bw
eTrust-INO Win32/NTPacker.B!Trojan
eTrust-INO (BETA) Win32/NTPacker.B!Trojan
eTrust-VET Win32/NTPacker.B
eTrust-VET (BETA) Win32/NTPacker.B
Ewido Backdoor.Rbot.eb
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Bifrose.D-bdr
Fortinet (BETA) W32/Bifrose.D-bdr
Ikarus Net-Worm.Win32.Mytob.BI
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee Downloader-PS trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 Win32/TrojanDropper.ErPack trojan
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Sophos -
Symantec Backdoor.Ranky
Symantec (BETA) Backdoor.Ranky
Trend Micro TROJ_RANKY.IR
Trend Micro (BETA) TROJ_RANKY.IR
VBA32 Backdoor.PcClient.34 (suspected)
VirusBuster Trojan.PR.Ranck.HG
YY_Spybot -

============================================================

VS0602001 Possible new malware [MicroJoiner]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
sent via an e-mail. The malware was found on a bogus e-card site
mentioned in the e-mail. The executable file [data below] was in a CAB file.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================
Details:

FileName: install.exe
FileDateTime: 13/02/2006 09:23:16
Filesize: 8589
MD5: 42e7f8596d87b55b00a550aaf7bbe8da
CRC32: 0D0345D6
File Type: PE Executable

Scan report of: install.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender Dropped:Generic.Malware.Bdld.46987E84 (suspected)
ClamAV -
Command -
Dr Web BackDoor.ProRat.19
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/MicroJoiner!generic
eTrust-VET (BETA) Win32/MicroJoiner!generic
Ewido -
F-Prot -
F-Secure Trojan-Dropper.Win32.Microjoin.aj
F-Secure (BETA) Trojan-Dropper.Win32.Microjoin.aj
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Trojan-Dropper.Win32.Microjoin.aj
McAfee MultiDropper-PO trojan
McAfee (BETA) MultiDropper-PO trojan
Nod32 Win32/Rootkit.Agent.AN trojan (variant)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 Malware.Microjoin.1 (suspected)
VirusBuster -
YY_Spybot -

============================================================
