VSUB - Malware Submissions

Monday 19th February, 2007

This Blog Has Moved - UPDATED

Filed under: All

IMPORTANT - UPDATED

Please note that this blog has now moved to my own hosted domain here: http://momuings.com/vsub/. A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home. ALL future postings will only be available at the new site.

Apologies if this causes you any problems.

Wednesday 13th December, 2006

VS0612002 Possible New Malware [Downloader?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via an e-mail with an attachment.

This was caught by an end-user.

I have included data on a sample for your information and analysis, and an example of the e-mail received.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: ERR 05241.exe
FileDateTime: 13/12/2006 11:18:27
Filesize: 7905
MD5: 23248cca970c08250e6a38bb1a2d41ec
CRC32: EB404282
File Type: PE Executable
Packer: DoomPack

============================================================

Scan report of: ERR 05241.exe

@Proventia-VPS -
AntiVir TR/Dldr.EbayBill.R
Avast! -
AVG -
BitDefender -
ClamAV -
Command W32/Downloader.gen9
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Downloader.gen9
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus Win32.Outbreak
Kaspersky -
McAfee -
McAfee (BETA) Generic Downloader.ab trojan
Microsoft -
Nod32 Win32/TrojanDownloader.Small.NQS trojan
Norman -
Panda Suspicious file
Panda (BETA) Trj/Nabload.ZB
QuickHeal Suspicious (warning)
Rising -
Sophos Troj/Clagge-Gen
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.Dldr.EbayBill.R
YY_Spybot -

============================================================

Example of the e-mail received:

From: billing@jewelryadviser.com
To: user@somewhere.com
Subject: ERROR 05241: [VISA OVERDRAFT HAS EXCEED]

Dear Customer,

We are unable to obtain payment from the credit card on file for your Jewelry Adviser account. Your credit card company
returned the following error to us:

The Overdraft Exceed

Please contact your credit card company to resolve this matter, or log into your account now to change your credit card
information.
(See your account details as well as the transaction details in the attachment)

Order details:

Date: Dec 12, 2006
Order number is: 05241

Shopping cart content
Now in your cart 2 items:

14K White Gold Blue Topaz Teardrop-Shaped & Diamond Earrings $149.50
14K White Gold Journey Diamond Graduated Bezel Set Pendant $450.00

FedEx International Shipping (including VAT) $135.20
_____________________________
Total: $734.70

Thank you for your prompt attention to this matter, and for being a member of the world’s leading jewelers shop service.

Sincerely,
Jewelry Adviser Billing Service.
_____________________________

Thank you for choosing CCBill as the eMerchant for your subscription!

Attachment: ERR 05241.exe

Monday 11th December, 2006

VS0612001 Possible New Malware [Banload?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link in an e-mail.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: fotos.scr
FileDateTime: 20/11/2006 03:42:14
Filesize: 197632
MD5: c3f5d3e1f4859fd862ba87fe9cb3ba08
CRC32: 1E72E632
File Type: PE Executable

============================================================

Scan report of: fotos.scr

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender BehavesLike:Trojan.Downloader (suspected)
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [106] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Banload.app
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec Downloader.Bancos!gen
Symantec (BETA) Downloader.Bancos!gen
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen!94 (suspicious)
YY_Spybot -

============================================================

Friday 17th November, 2006

VS0611001 Possible New Malware [Small?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a phishing site.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Guardv10.exe
FileDateTime: 16/11/2006 17:44:35
Filesize: 149254
MD5: 2fadb5a4f3c80e78197d733255136ba7
CRC32: 7B3A6C60
File Type: PE Executable
Packer: Standard PE File

============================================================

Scan report of: Guardv10.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA Trojan.BAT.Small.BC0B
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot Jupilites,,Installer

============================================================

Thursday 26th October, 2006

VS0610003 Possible new malware [Mechbot?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via e-mail using a website link in the e-mail.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: postcards.exe
FileDateTime: 26/10/2006 11:52:45
Filesize: 647943
MD5: 71d2dc1e6fb0ae9f54ca40ef4220ab28
CRC32: 8ABFA1EC
File Type: PE Executable RAR
Packer: UPX

============================================================

Scan report of: postcards.exe

@Proventia-VPS -
AntiVir -
Avast! Win32:Mechbot [Trj]
AVG BackDoor.Generic2.CGZ (Trojan horse)
BitDefender Application.Vtext.12
ClamAV -
Command -
Dr Web BackDoor.IRC.Mech
eSafe Win32.Mechbot.d
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor.Win32.Mechbot.d
F-Secure (BETA) Backdoor.Win32.Mechbot.d
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Backdoor.Win32.Mechbot.d
McAfee VText.12 (potentially unwanted program)
McAfee (BETA) VText.12 (potentially unwanted program)
Microsoft Backdoor:Win32/IRCbot!E2AB
Nod32 -
Norman -
Panda W32/IRCBot.PN.worm
Panda (BETA) W32/IRCBot.PN.worm
QuickHeal -
Rising Backdoor.Mechbot.a
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 Backdoor.Win32.Mechbot.d
VirusBuster -
WebWasher Worm.Ircbot.PN
YY_Spybot ERROR

============================================================

Friday 20th October, 2006

VS0610002 Possible new malware [Banload?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via e-mail using a website link in the e-mail.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: newfoto.exe
FileDateTime: 16/10/2006 17:41:34
Filesize: 182089
MD5: f27e13acf595fe5fdb9a1dbac8dfbf8f
CRC32: 40B774F3
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: newfoto.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir TR/Delphi.Downloader.Gen
Avast! -
AVG Downloader.Generic2.SKL (Trojan horse)
BitDefender -
ClamAV ERROR
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Banload.aoo
F-Prot -
F-Secure Trojan-Downloader.Win32.Banload.aoo
F-Secure (BETA) Trojan-Downloader.Win32.Banload.aoo
Fortinet W32/Banload.AOO!tr.dldr
Fortinet (BETA) W32/Banload.AOO!tr.dldr
Ikarus suspicious
Kaspersky Trojan-Downloader.Win32.Banload.aoo
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/TrojanDownloader.Banload.AOO trojan (variant)
Norman W32/Banload.HKN
Panda Trj/Nabload.QE
Panda (BETA) Trj/Nabload.QE
QuickHeal Suspicious (warning)
Rising Trojan.DL.Banload.iun
Sophos Mal/Packer
Symantec -
Symantec (BETA) -
Trend Micro Possible_Virus
Trend Micro (BETA) Possible_Virus
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Malware
YY_Spybot ERROR

============================================================

Wednesday 4th October, 2006

VS0610001 Possible new malware [Agent?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via IM using a website link in the IM [MSN].

The link uses a PHP script to download a file.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: photo211.pif
FileDateTime: 03/10/2006 17:03:30
Filesize: 137216
MD5: 50f685141c9252a13ece1febd372e491
CRC32: B2851914
File Type: PE Executable

============================================================

Scan report of: photo211.pif

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! Win32:Agent-BNP [Trj]
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen (suspicious)
YY_Spybot -

============================================================

Tuesday 26th September, 2006

VS0609001 Possible new malware

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a website link in a phishing e-mail.

This was caught by my Bayesian filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: ghost11.exe
FileDateTime: 23/09/2006 20:43:03
Filesize: 20812
MD5: c9c11bfc6e455c5e5ed9fbbdd0582d3b
CRC32: A22C5684
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: ghost11.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender DeepScan:Generic.Malware.SYw.BAA446B2
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus suspicious
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 NewHeur_PE (probably unknown virus)
Norman Suspicious_F.gen
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 Malware.Agent.41 (suspected)
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================

Thursday 31st August, 2006

VS0608004 Possible new malware [Haxdoor/Goldun?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via e-mail.

This was caught by an end-user.

I have included data on a sample of the file attachment for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: au.zl9
FileDateTime: 31/08/2006 10:20:51
Filesize: 21662
MD5: 7467cb4602a9bec41a93113748c54446
CRC32: E270C958
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: au.zl9

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender DeepScan:Generic.Malware.SYw.273566A3
ClamAV -
Command W32/Dropper.gen2
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Dropper.gen2
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-Spy.Win32.Gen
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/Spy.Goldun.LX trojan (probably variant)
Norman Suspicious_F.gen
Panda Suspicious file
Panda (BETA) Trj/Goldun.LA
QuickHeal Suspicious (warning)
Sophos Troj/Haxdoor-DC
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 Trojan-Spy.Banker.63 (suspected)
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================

Tuesday 29th August, 2006

VS0608003 Possible new malware [SDbot?]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via SMB.

This was caught by my WormCharmer.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: dvdafw.exe
FileDateTime: 25/08/2006 15:00:15
Filesize: 31364
MD5: f837afb65b5069e329c669e77af5ecc2
CRC32: 8E4A6561
File Type: PE Executable

============================================================

Scan report of: dvdafw.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir HEUR/Trojan.Downloader
Avast! Win32:SdBot-3366 [Trj]
AVG -
BitDefender DeepScan:Generic.Malware.SIWBdld.41EACFA7
ClamAV -
Command -
Dr Web Win32.IRC.Bot.based
eSafe Win32.Polipos.sus
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Slinbot!generic
eTrust-VET (BETA) Win32/Slinbot!generic
Ewido -
F-Prot -
F-Secure Backdoor.Win32.SdBot.gen
F-Secure (BETA) Backdoor.Win32.SdBot.gen
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Backdoor.Win32.SdBot.gen
McAfee -
McAfee (BETA) -
Microsoft Win32/NetWorm.gen
Nod32 IRC/SdBot trojan (variant)
Norman W32/Suspicious_U.gen
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos W32/Sdbot-Fam
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Trojan.Downloader
YY_Spybot -

============================================================
