VSUB - Malware Submissions

Wednesday 4th October, 2006

VS0610001 Possible new malware [Agent?]

Filed under: All, Submitted

Data on a sample of suspected new malware being spread via IM [MSN] using a website link in the message, which uses a PHP script to download a file.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

One copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: photo211.pif
FileDateTime: 03/10/2006 17:03:30
Filesize: 137216
MD5: 50f685141c9252a13ece1febd372e491
CRC32: B2851914
File Type: PE Executable

============================================================

Scan report of: photo211.pif

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! Win32:Agent-BNP [Trj]
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen (suspicious)
YY_Spybot -

============================================================

2 Comments »


  1. Sends itself via MSN message in the form of “Is this your pic?”

    Link allows you to download the .pif file; once run, it sends the above message to all of your contacts, then constantly reboots your machine.

    Comment by Phoenix — Thursday 5th October, 2006 @ 21:49

  2. Good catch. I can confirm this is doing the rounds *right now*. Thanks to Avast, which caught it in time, I'm safe. Everyone else I know is probably dropping like flies :(

    Comment by Matt — Sunday 22nd October, 2006 @ 12:20
