VSUB - Malware Submissions

Friday 31st March, 2006

VS0603010 Possible new malware [Banload]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: conhecer.exe
FileDateTime: 31/03/2006 09:27:20
Filesize: 39417
MD5: d4d02fc949d1d0d6b92c5e4dd37465c2
CRC32: 3578141D
File Type: PE Executable

Scan report of: conhecer.exe

@Proventia-VPS -
AntiVir Heuristic/Trojan.Downloader
Avast! -
AVG Downloader.Generic.WEY (Trojan horse)
BitDefender Trojan.Download.L
ClamAV -
Command -
Dr Web DLOADER.Trojan (probably)
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Banload.ms
F-Prot -
F-Secure Trojan-Downloader.Win32.Banload.aee
F-Secure (BETA) Trojan-Downloader.Win32.Banload.aee
Fortinet W32/Banload.AEE!dldr
Fortinet (BETA) W32/Banload.AEE!dldr
Ikarus -
Kaspersky Trojan-Downloader.Win32.Banload.aee
McAfee -
McAfee (BETA) -
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 Trojan-Downloader.Win32.Banload.aee
VirusBuster -
YY_Spybot -

============================================================

VS0603009 Possible new malware [Downloader]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: canc.scr
FileDateTime: 31/03/2006 09:25:48
Filesize: 150528
MD5: d5541f9d349bf4d0e107176c9858a289
CRC32: 17042D09
File Type: PE Executable
Packer: DoomPack

Scan report of: canc.scr

@Proventia-VPS -
AntiVir -
Avast! -
AVG Downloader.Generic.WFH (Trojan horse)
BitDefender -
ClamAV -
Command -
Dr Web Trojan.DownLoader.7123
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Delf.adg
F-Prot -
F-Secure Trojan-Downloader.Win32.Dadobra.lg
F-Secure (BETA) Trojan-Downloader.Win32.Dadobra.lg
Fortinet W32/Dadobra.LG!dldr
Fortinet (BETA) W32/Dadobra.LG!dldr
Ikarus Trojan-Downloader.Win32.Delf.ADG
Kaspersky Trojan-Downloader.Win32.Dadobra.lg
McAfee -
McAfee (BETA) -
Nod32 -
Norman W32/Dadobra.ALE
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 Trojan-Downloader.Win32.Delf.adg
VirusBuster -
YY_Spybot -

============================================================

VS0603008 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: dgmail.exe
FileDateTime: 30/03/2006 07:01:06
Filesize: 156526
MD5: aa884eddf6a6383f1edfe0ef9c3124d3
CRC32: 882FD654
File Type: PE Executable RAR

Scan report of: dgmail.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV -
Command -
Dr Web BACKDOOR.Trojan (probably)
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee Proxy-FBSR trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Trj/Multidropper.BGW
QuickHeal -
Sophos -
Symantec Trojan.Dropper
Symantec (BETA) Trojan.Dropper
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: featur.exe
FileDateTime: 28/03/2006 23:29:18
Filesize: 22201
MD5: 8870cecb013ca60854c2c1512d5da491
CRC32: DCAD31A7
File Type: PE Executable

Scan report of: featur.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.QT.1
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV -
Command -
Dr Web BACKDOOR.Trojan (probably)
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/Ranky.Variant!Trojan
eTrust-INO (BETA) Win32/Ranky.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.GEN
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee Proxy-FBSR trojan
McAfee (BETA) Proxy-FBSR trojan
Nod32 Win32/TrojanProxy.Ranky trojan (variant)
Norman W32/Suspicious_M.gen
Panda Suspicious file
Panda (BETA) Trj/Ranky.NH
QuickHeal W32.Bobic.L
Sophos Troj/Ranck-Fam
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

FileName: jenlope.exe
FileDateTime: 28/03/2006 23:29:44
Filesize: 35373
MD5: ecb8ea5d1d935162ce550f240be91c7f
CRC32: 961731A5
File Type: PE Executable

Scan report of: jenlope.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender Backdoor.SDBot.E201CFED
ClamAV -
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.GEN
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) -
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-AZA
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Friday 24th March, 2006

VS0603007 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: feurer.exe
FileDateTime: 24/03/2006 07:35:54
Filesize: 156519
MD5: 68d2c94222dcc78ecdf3906795dd07ea
CRC32: C0B3C3A8
File Type: PE Executable RAR

Scan report of: feurer.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender Backdoor.SDBot.532451D8
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: pearlmen.exe
FileDateTime: 23/03/2006 14:04:59
Filesize: 22205
MD5: 40885e226740497a61a8fc004fdce8de
CRC32: 97661BA4
File Type: PE Executable

Scan report of: pearlmen.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.QT.1
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web Trojan.Proxy.753
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/Ranky.Variant!Trojan
eTrust-INO (BETA) Win32/Ranky.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee -
McAfee (BETA) -
Nod32 Win32/TrojanProxy.Ranky trojan (variant)
Norman W32/Suspicious_M.gen
Panda Trj/Downloader.IAB
Panda (BETA) Trj/Downloader.IAB
QuickHeal W32.Bobic.L
Sophos Troj/Ranck-Fam
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

FileName: pudday.exe
FileDateTime: 23/03/2006 14:00:34
Filesize: 35393
MD5: 18d3c410d6b3db715f6e5c15bd654765
CRC32: EF9E46C8
File Type: PE Executable

Scan report of: pudday.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender Backdoor.SDBot.532451D8
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

VS0603006 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

3 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

Scan report of: Conncted.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web Trojan.Proxy.753
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 -
Norman -
Panda Trj/Downloader.IAB
Panda (BETA) Trj/Downloader.IAB
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: ctwar.exe
FileDateTime: 15/03/2006 23:20:38
Filesize: 35396
MD5: 2ff0492255f829a4ff92f51e33c94a9a
CRC32: 6D999802
File Type: PE Executable

Scan report of: ctwar.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender Backdoor.SDBot.FF28F0D2
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

FileName: warct.exe
FileDateTime: 15/03/2006 23:20:33
Filesize: 22207
MD5: e9bd73e6eeb57252c30de4ac89e75e65
CRC32: D533BBBE
File Type: PE Executable

Scan report of: warct.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Proxy.Ranky.QT.1
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web Trojan.Proxy.753
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO Win32/Ranky.Variant!Trojan
eTrust-INO (BETA) Win32/Ranky.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee -
McAfee (BETA) -
Nod32 Win32/TrojanProxy.Ranky trojan (variant)
Norman W32/Suspicious_M.gen
Panda Trj/Downloader.IAB
Panda (BETA) Trj/Downloader.IAB
QuickHeal W32.Bobic.L
Sophos Troj/Ranck-Fam
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

VS0603005 Possible new malware [Bancos]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: AbrirCartao.exe
FileDateTime: 17/03/2006 09:47:14
Filesize: 334848
MD5: c7ab59cdd311f12a6bd2e9c6dafcedbd
CRC32: 910D22F1
File Type: PE Executable
Packer: DoomPack

Scan report of: AbrirCartao.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Spy.Bank.ark.397
Avast! -
AVG -
BitDefender Trojan.Spy.Banker.ARK
ClamAV Trojan.Spy.Banker-608
Command -
Dr Web Trojan.PWS.Banker
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Logger.Banker.ark
F-Prot -
F-Secure Trojan-Spy.Win32.Banker.ark
F-Secure (BETA) Trojan-Spy.Win32.Banker.ark
Fortinet Spy/Banker
Fortinet (BETA) Spy/Banker
Ikarus Trojan-Spy.Win32.Banker.ARK
Kaspersky Trojan-Spy.Win32.Banker.ark
McAfee PWS-Banker.gen.h trojan
McAfee (BETA) PWS-Banker.gen.h trojan
Nod32 Win32/Spy.Banker.AHY trojan (probably variant)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos Troj/Bnkmr-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banker.138 (suspected)
VirusBuster -
YY_Spybot -

============================================================

Monday 13th March, 2006

VS0603004 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

3 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: headers.exe
FileDateTime: 09/03/2006 21:44:51
Filesize: 156517
MD5: ce4b317a569f497d9eec7370487dc209
CRC32: 81D2D508
File Type: PE Executable RAR

Scan report of: headers.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web BACKDOOR.Trojan (probably)
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Trj/Multidropper.BFO
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: bluemond.exe
FileDateTime: 08/03/2006 00:39:46
Filesize: 35391
MD5: c6f4849850486b5432fc06a715eb7337
CRC32: 998E7B2E
File Type: PE Executable

Scan report of: bluemond.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender Backdoor.SDBot.7B67573B
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Routine CRC-Mytob2
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee W32/Sdbot.worm.gen.by
McAfee (BETA) W32/Sdbot.worm.gen.by
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal Backdoor.SdBot.gen
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

FileName: redmond.exe
FileDateTime: 08/03/2006 00:39:55
Filesize: 22198
MD5: 617aa9c0fb4aa898ad0a742abd6e55f4
CRC32: DD6BCD53
File Type: PE Executable

Scan report of: redmond.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender BehavesLike:Win32.Backdoor (suspected)
ClamAV Worm.Mytob.GH
Command -
Dr Web BACKDOOR.Trojan (probably)
eSafe Routine CRC-Mytob2
eTrust-INO Win32/Ranky.Variant!Trojan
eTrust-INO (BETA) Win32/Ranky.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet - (1 copy attached)
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee -
McAfee (BETA) -
Nod32 Win32/TrojanProxy.Ranky trojan (variant)
Norman W32/Suspicious_M.gen
Panda Suspicious file
Panda (BETA) Trj/Downloader.IAB
QuickHeal W32.Bobic.L
Sophos Troj/Ranck-Fam
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Friday 10th March, 2006

VS0603003 Possible new malware [Bancos]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: cartao_virtual.scr
FileDateTime: 10/03/2006 09:50:22
Filesize: 586240
MD5: 1eddb353345e2e148a4e90dc4b069efd
CRC32: 5256751C
File Type: PE Executable
Packer: DoomPack

Scan report of: cartao_virtual.scr

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! Win32:Banker-EL [Trj]
AVG -
BitDefender Trojan.Banker.Delf.0444DCA8
ClamAV Trojan.Spy.Banker-94
Command -
Dr Web Trojan.PWS.Banker.based
eSafe -
eTrust-INO Win32/Bancos.Variant!Trojan
eTrust-INO (BETA) Win32/Bancos.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Spy.Win32.Banker.ark
F-Secure (BETA) Trojan-Spy.Win32.Banker.ark
Fortinet -
Fortinet (BETA) -
Ikarus suspicious
Kaspersky Trojan-Spy.Win32.Banker.ark
McAfee -
McAfee (BETA) -
Nod32 Win32/Spy.Banker.AHY trojan (probably variant)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos Troj/Bnkmr-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Spy.Banbra.24 (suspected)
VirusBuster -
YY_Spybot -

============================================================

VS0603002 Possible new malware [Downloader?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: meu amor.exe
FileDateTime: 09/03/2006 08:52:56
Filesize: 57344
MD5: decfd5c4b0985ac7801c708442ff42fc
CRC32: 23EEEEC7
File Type: PE Executable

Scan report of: meu amor.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender BehavesLike:Trojan.Downloader (suspected)
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [106] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Banload.rz
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro PAK_Generic.001
Trend Micro (BETA) PAK_Generic.001
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Friday 3rd March, 2006

VS0603001 Possible new malware [Ranky and Sdbot Dropper]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample of the dropper and the files extracted from the
RAR SFX dropper for your information and analysis.

3 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: soundmanager.exe
FileDateTime: 02/03/2006 13:19:28
Filesize: 164921
MD5: 29eb4d237b3cd8b6374564163a06136f
CRC32: 3D408BEF
File Type: PE Executable RAR

Scan report of: soundmanager.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG Packed.gen
BitDefender Backdoor.SDBot.F622AF84
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Bifrose.D-bdr
Fortinet (BETA) W32/Bifrose.D-bdr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee New Malware.r (trojan or variant)
McAfee (BETA) New Malware.r (trojan or variant)
Nod32 -
Norman -
Panda Bck/Sdbot.GGX
Panda (BETA) Trj/Multidropper.BFD
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Backdoor.PcClient.34 (suspected)
VirusBuster -
YY_Spybot -

============================================================

Drops:-

============================================================

FileName: inkjet.exe
FileDateTime: 28/02/2006 22:34:34
Filesize: 36864
MD5: 6aa437621c6f2205114f335da9021061
CRC32: 2C1B99B1
File Type: PE Executable

Scan report of: inkjet.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG Packed.gen
BitDefender Trojan.Proxy.Ranky.EK
ClamAV -
Command -
Dr Web BackDoor.DarkMoon.66
eSafe Win32.Darkmoon.bw
eTrust-INO Win32/NTPacker.B!Trojan
eTrust-INO (BETA) Win32/NTPacker.B!Trojan
eTrust-VET Win32/NTPacker.B
eTrust-VET (BETA) Win32/NTPacker.B
Ewido Backdoor.Rbot.eb
F-Prot -
F-Secure Trojan-Proxy.Win32.Ranky.ei
F-Secure (BETA) Trojan-Proxy.Win32.Ranky.ei
Fortinet W32/Bifrose.D-bdr
Fortinet (BETA) W32/Bifrose.D-bdr
Ikarus Net-Worm.Win32.Mytob.BI
Kaspersky Trojan-Proxy.Win32.Ranky.ei
McAfee New Malware.r (trojan or variant)
McAfee (BETA) New Malware.r (trojan or variant)
Nod32 Win32/TrojanDropper.ErPack trojan
Norman W32/Rank.VH
Panda -
Panda (BETA) Trj/Ranky.MG
QuickHeal -
Sophos Troj/Ranck-DW
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Backdoor.PcClient.34 (suspected)
VirusBuster -
YY_Spybot -

============================================================

FileName: inoname.exe
FileDateTime: 28/02/2006 22:31:12
Filesize: 35381
MD5: f78f10348ddb0b3ceca1f46d6f05d2c7
CRC32: 28025D0
File Type: PE Executable

Scan report of: inoname.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir PCK/MEW
Avast! -
AVG -
BitDefender Backdoor.SDBot.F622AF84
ClamAV Worm.Mytob.GH
Command -
Dr Web Win32.IRC.Bot.based
eSafe Routine CRC-Mytob2
eTrust-INO Win32/IRCBot.Variant!Trojan
eTrust-INO (BETA) Win32/IRCBot.Variant!Trojan
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet -
Fortinet (BETA) -
Ikarus Backdoor.Win32.Rbot.Gen
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) -
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_M.gen
Panda Bck/Sdbot.GGX
Panda (BETA) Bck/Sdbot.GGX
QuickHeal W32.Bobic.L
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro WORM_SDBOT.GEN
Trend Micro (BETA) WORM_SDBOT.GEN
VBA32 -
VirusBuster -
YY_Spybot -

============================================================
