VSUB - Malware Submissions

Thursday 31st August, 2006

VS0608004 Possible new malware [Haxdoor/Goldun?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via e-mail.

This was caught by an end user.

I have included data on a sample of the file attachment for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: au.zl9
FileDateTime: 31/08/2006 10:20:51
Filesize: 21662
MD5: 7467cb4602a9bec41a93113748c54446
CRC32: E270C958
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: au.zl9

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender DeepScan:Generic.Malware.SYw.273566A3
ClamAV -
Command W32/Dropper.gen2
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Dropper.gen2
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-Spy.Win32.Gen
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/Spy.Goldun.LX trojan (probably variant)
Norman Suspicious_F.gen
Panda Suspicious file
Panda (BETA) Trj/Goldun.LA
QuickHeal Suspicious (warning)
Sophos Troj/Haxdoor-DC
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 Trojan-Spy.Banker.63 (suspected)
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================

Tuesday 29th August, 2006

VS0608003 Possible new malware [SDbot?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: dvdafw.exe
FileDateTime: 25/08/2006 15:00:15
Filesize: 31364
MD5: f837afb65b5069e329c669e77af5ecc2
CRC32: 8E4A6561
File Type: PE Executable

============================================================

Scan report of: dvdafw.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir HEUR/Trojan.Downloader
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender DeepScan:Generic.Malware.SIWBdld.41EACFA7
ClamAV -
Command -
Dr Web Win32.IRC.Bot.based
eSafe Win32.Polipos.sus
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Slinbot!generic
eTrust-VET (BETA) Win32/Slinbot!generic
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) -
Microsoft Win32/NetWorm.gen
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_U.gen
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Trojan.Downloader
YY_Spybot -

============================================================

VS0608002 Possible new malware [Banker?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample downloaded from the link for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: fotos.shs
FileDateTime: 27/08/2006 12:56:44
Filesize: 250368
MD5: ab159c80a805c2f4186044c2e1da17f4
CRC32: E732C669
File Type: Microsoft Word Document

============================================================

Scan report of: fotos.shs

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender Generic.Banker.VB.9534C67F
ClamAV -
Command -
Dr Web BackDoor.Generic.1408
eSafe SuspiciousScrapFile
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 BackDoor.Generic.1408
VirusBuster -
WebWasher Heuristic.Malware.FKM
YY_Spybot -

============================================================

Thursday 3rd August, 2006

VS0608001 Possible new malware [Banload?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian filter.

I have included data on a sample of the executable downloaded from the link in
the e-mail for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: fotos.exe
FileDateTime: 03/08/2006 10:11:24
Filesize: 47485
MD5: a881e92bfeef3e4c27159d5e12e9bd90
CRC32: E89E4C81
File Type: PE Executable

============================================================

Scan report of: fotos.exe

@Proventia-VPS -
AntiVir HEUR/Crypted.Layered.B
Avast! -
AVG -
BitDefender BehavesLike:Trojan.Downloader (suspected)
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Downloader.Win32.Banload.pu
F-Secure (BETA) Trojan-Downloader.Win32.Banload.pu
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Trojan-Downloader.Win32.Banload.pu
McAfee New Malware.n (trojan or variant)
McAfee (BETA) New Malware.n (trojan or variant)
Microsoft -
Nod32 NewHeur_PE (probably unknown virus)
Norman W32/Downloader (Sandbox)
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro TROJ_BANLOAD.AWN
Trend Micro (BETA) TROJ_BANLOAD.AWN
UNA -
VBA32 Trojan-Downloader.Win32.Banload.pu
VirusBuster -
WebWasher Heuristic.Crypted.Layered.B
YY_Spybot Dialer_XX,,Executable

============================================================