VS0607004 Possible new malware [IRCFlooder?]
Data on a sample of suspected new malware being spread via a link in an e-mail.
This was caught by an end user.
I have included data on the executable downloaded from the link in the e-mail, and the files
extracted from the RAR-SFX, for your information and analysis.
One copy has been trapped so far.
I haven’t had a chance to test it on a goat system yet.
============================================================
Details:
FileName: update.exe
FileDateTime: 26/07/2006 11:22:18
Filesize: 717558
MD5: 69406abece50099bb54143528eb7adfd
CRC32: 4CCC2BF7
File Type: PE Executable RAR
Packer: UPX
Contains:-
FileName: control.ini
FileDateTime: 10/03/2006 14:16:28
Filesize: 61
MD5: f5d1a3af67f05f5af2b0fca009887a97
CRC32: 885F5848
File Type: INI File
FileName: id.exe
FileDateTime: 09/07/2006 22:53:00
Filesize: 141260
MD5: 429ca729bd5c2707443965f6998883ce
CRC32: 7ABF7113
File Type: Unknown text file
FileName: mirc.ini
FileDateTime: 11/07/2006 20:56:38
Filesize: 2643
MD5: 527d999707095fdb32eb331989ecf6cf
CRC32: 2C38AC77
File Type: INI File
FileName: reg.dll
FileDateTime: 19/04/2003 11:43:12
Filesize: 81621
MD5: f2803769872afd580dbcf4dd5569296e
CRC32: A1A5BB75
File Type: PE Executable
FileName: remote.ini
FileDateTime: 26/07/2006 03:15:36
Filesize: 285
MD5: 2acee5f13b4ee0993744c29f2836ff7f
CRC32: 7D2BFAA5
File Type: INI File
FileName: rundll.exe
FileDateTime: 11/07/2006 20:57:48
Filesize: 326
MD5: 72217eb69692459541d90f7beb137dd4
CRC32: 2FC75B8F
File Type: Unknown text file
FileName: rundll32.exe
FileDateTime: 25/04/1999 23:48:20
Filesize: 40960
MD5: 6a7d2cbd8111bc7080c832f8a3442256
CRC32: 4E7C8819
File Type: PE Executable
FileName: script1.ini
FileDateTime: 12/05/2005 06:42:42
Filesize: 221
MD5: 86f27715c17b963a520384c14bc45bf4
CRC32: 583A9AFC
File Type: INI File
FileName: svchost.exe
FileDateTime: 12/04/2005 04:29:24
Filesize: 500224
MD5: c54c4adc3ebec0c4642912dad8e39318
CRC32: 73963C36
File Type: PE Executable
FileName: users.exe
FileDateTime: 11/07/2006 20:58:59
Filesize: 856
MD5: 2f9cd96bc38c2c46c3e3396776fa9fde
CRC32: D22462F
File Type: Unknown binary file
Packer: PECompact
FileName: vir.exe
FileDateTime: 11/07/2006 20:59:35
Filesize: 19933
MD5: 21b5b1a3164160b7b7b9744ed25e5d02
CRC32: BB907970
File Type: Unknown text file
FileName: win.com
FileDateTime: 11/07/2006 21:00:42
Filesize: 93
MD5: 440e042868e03d830dd71dd229b49d09
CRC32: 37413A6B
File Type: Unknown text file
FileName: win.ini
FileDateTime: 26/07/2006 02:34:20
Filesize: 12303
MD5: bb69660f07cb4125ebc7b2f4da8fdd73
CRC32: 67FD2F46
File Type: INI File
============================================================
Scan report of: update.exe
@Proventia-VPS -
AntiVir -
Avast! Win32:Hidewnd [Trj]
AVG HideWindow (Trojan horse)
BitDefender Spyware.Adspace.DLL
ClamAV Trojan.IRC.Flood.AQ
Command -
Dr Web Trojan.Flood.22016
eSafe Win32.Polipos.sus
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.IRC.Zapchast
F-Secure (BETA) Backdoor.IRC.Zapchast
Fortinet Misc/MIRC
Fortinet (BETA) Misc/MIRC
Ikarus -
Kaspersky not-a-virus:RiskTool.Win32.HideWindows
McAfee HideWindow (potentially unwanted program)
McAfee (BETA) HideWindow (potentially unwanted program)
Microsoft Tool:Win32/HideWindows
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 BackDoor.IRC.based
VirusBuster -
WebWasher Win32.Malware.gen#Upack!94 (suspicious)
YY_Spybot -
============================================================
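An added example (not part of the original post, and not the output of any tool the author used) showing how a defender can turn the plain-text "Details" listing above into a hash list and check files against it. It parses the FileName/MD5/CRC32 blocks, zero-pads the 7-digit CRC32 the listing tool produced for users.exe (D22462F), and matches a file by MD5, using CRC32 only as a consistency check on the listing entry itself. The entry named constructed-test.bin, with the hashes of the bytes b"abc", is constructed test data and not a file from the sample.

```python
# Added example (not from the original post): parse the plain-text sample
# listing into records and check files against it by MD5 and CRC32.
import hashlib
import re
import zlib

# Constructed input in the post's listing format. The first two blocks are
# copied from the listing above; the third is a constructed test entry
# whose hashes are those of the bytes b"abc" (not a file from the post).
SAMPLE_LISTING = """\
FileName: update.exe
FileDateTime: 26/07/2006 11:22:18
Filesize: 717558
MD5: 69406abece50099bb54143528eb7adfd
CRC32: 4CCC2BF7
File Type: PE Executable RAR
Packer: UPX
Contains:-
FileName: users.exe
FileDateTime: 11/07/2006 20:58:59
Filesize: 856
MD5: 2f9cd96bc38c2c46c3e3396776fa9fde
CRC32: D22462F
File Type: Unknown binary file
Packer: PECompact
FileName: constructed-test.bin
Filesize: 3
MD5: 900150983cd24fb0d6963f7d28e17f72
CRC32: 352441C2
File Type: Constructed test entry
"""

# Keys the listing tool emits; "Contains:-" and separator lines are skipped.
FIELDS = {"FileName", "FileDateTime", "Filesize", "MD5", "CRC32",
          "File Type", "Packer"}

LINE_RE = re.compile(r"^([A-Za-z0-9 ]+):\s*(.*)$")


def parse_listing(text):
    """Return one dict per FileName: block.

    CRC32 is upper-cased and zero-padded to 8 hex digits: the listing shows
    users.exe as D22462F (7 digits), a dropped leading zero from the tool,
    and an unpadded value would never compare equal to a computed one.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1).strip() not in FIELDS:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "FileName":
            current = {"FileName": value}
            records.append(current)
        elif current is None:
            continue
        elif key == "CRC32":
            current[key] = value.upper().zfill(8)
        elif key == "Filesize":
            current[key] = int(value)
        elif key == "MD5":
            current[key] = value.lower()
        else:
            current[key] = value
    return records


def hashes_of(data):
    """(md5 hex lowercase, crc32 as 8 upper-case hex digits) of data."""
    md5 = hashlib.md5(data).hexdigest()
    crc = format(zlib.crc32(data) & 0xFFFFFFFF, "08X")
    return md5, crc


def match_record(data, records):
    """Return the listing record matching data, or None.

    MD5 decides the match; CRC32 is only a consistency check on the listing
    entry (a 32-bit checksum is not evidence on its own). A record whose MD5
    matches but whose CRC32 does not is returned with crc_mismatch=True so
    the analyst knows that listing entry needs re-checking.
    """
    md5, crc = hashes_of(data)
    for rec in records:
        if rec.get("MD5") == md5:
            result = dict(rec)
            result["crc_mismatch"] = rec.get("CRC32") not in (None, crc)
            return result
    return None


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r["FileName"], r.get("MD5"), r.get("CRC32"))
    print(match_record(b"abc", recs))   # hits the constructed entry
    print(match_record(b"xyz", recs))   # None
```

To use it on the full post, paste the whole "Details" block into SAMPLE_LISTING and feed each quarantined file's bytes to match_record; a hit by MD5 identifies the file, and a CRC32 mismatch on a hit points at a transcription problem in the listing rather than at the file.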
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/vsub/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
