VSUB - Malware Submissions

Details on new malware submitted to anti-malware vendors for inclusion in their products...

Saturday, 27 January 2007

VS0701007 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: msrdc.exe
FileDateTime: 26/01/2007 16:35:00
Filesize: 1262592
MD5: 7a108a8fda9ab48b5bcb23873530d480
CRC32: 3282F443
File Type: PE Executable

============================================================

Scan report of: msrdc.exe

@Proventia-VPS -
AntiVir Worm/Sdbot.1262592
Avast! -
AVG IRC/BackDoor.SdBot2.PLI (Trojan horse)
BitDefender -
ClamAV -
Command W32/Backdoor.ZLO
Dr Web -
eSafe Win32.SdBot.bcf
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot.bcf
F-Prot W32/Backdoor.ZLO
F-Secure Backdoor.Win32.SdBot.bcf
F-Secure (BETA) Backdoor.Win32.SdBot.bcf
Fortinet W32/IRCBot.YW!tr.bdr
Fortinet (BETA) W32/IRCBot.YW!tr.bdr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.bcf
McAfee W32/Sdbot.worm.gen.ca
McAfee (BETA) W32/Sdbot.worm.gen.ca
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro WORM_SDBOT.BTV
Trend Micro (BETA) WORM_SDBOT.BTV
UNA Backdoor.SdBot.EA0B
VBA32 Backdoor.Win32.SdBot.bcf
VirusBuster -
WebWasher Worm.Sdbot.1262592
YY_Spybot -

============================================================

VS0701006 Possible New Malware [Spybot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: jamesbond.exe
FileDateTime: 26/01/2007 16:35:00
Filesize: 1339392
MD5: deab1ca16db657329a183bfea8e1f92f
CRC32: EA59BBA6
File Type: PE Executable

============================================================

Scan report of: jamesbond.exe

@Proventia-VPS -
AntiVir PCK/Themida
Avast! -
AVG Worm/Spybot.AIQ
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Win32.Spybot
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet W32/RBot.FZO
Fortinet (BETA) W32/RBot.FZO
Ikarus -
Kaspersky -
McAfee W32/Spybot.worm.gen.p
McAfee (BETA) W32/Spybot.worm.gen.p
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos W32/Rbot-FZO
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================

Wednesday, 24 January 2007

VS0701005 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: rundll.exe
FileDateTime: 19/01/2007 14:05:00
Filesize: 1364992
MD5: 71fd1205f6d7550967bda6bf4491a50a
CRC32: 36E8176E
File Type: PE Executable

============================================================

Scan report of: rundll.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda W32/Sdbot.JHH.worm
Panda (BETA) W32/Sdbot.JHH.worm
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================

VS0701004 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: dflrwsxq.exe
FileDateTime: 11/05/2003 20:12:10
Filesize: 158720
MD5: 27376b472d43d2be1baf9eec9c130d93
CRC32: 30381941
File Type: PE Executable

============================================================

Scan report of: dflrwsxq.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir Worm/Sdbot.148609
Avast! -
AVG IRC/BackDoor.SdBot2.RHT (Trojan horse)
BitDefender GenPack:Generic.Sdbot.83DF54A9
ClamAV -
Command -
Dr Web Win32.HLLW.MyBot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/Rbot trojan (variant)
Norman W32/Malware.HIY
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Packer
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) -
UNA Backdoor.SdBot.C625
VBA32 Win32.HLLW.MyBot.based
VirusBuster -
WebWasher Worm.Sdbot.148609
YY_Spybot -

============================================================

Saturday, 20 January 2007

VS0701003 Possible New Malware [Small?]

Data on a sample of a suspected new malware being spread via an e-mail with an attachment.

This was caught by my Bayesian filter trained to catch e-mail borne malware.

I have included data on a sample for your information and analysis.

60 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Video.exe
FileDateTime: 19/01/2007 23:24:26
Filesize: 26624
MD5: 01a1115bcb0d5e32a98c76a50ac8868d
CRC32: 79C8760C
File Type: PE Executable
Packer: UPX

Subject Lines Seen:
Russian missle shot down Chinese satellite
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!

Attachments Seen:
Full Story.exe
Read More.exe
Full Clip.exe
Video.exe
Full Text.exe

============================================================

Scan report of: Video.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web BackDoor.Groan
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Win32.ModifiedUPX.gen!90 (suspicious)
YY_Spybot Smitfraud-C.,,Installer

============================================================

This is a new variant of the threat reported as VS0701002 on this blog.

Friday, 19 January 2007

VS0701002 Possible New Malware [Small?]

Data on a sample of a suspected new malware being spread via an e-mail with an attachment.

This was caught by my Bayesian filter trained to catch e-mail borne malware.

I have included data on a sample for your information and analysis.

35 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Video.exe
FileDateTime: 18/01/2007 23:00:39
Filesize: 29347
MD5: 8cb9492e06662a7b4a072cbbe03bbffe
CRC32: 714168B3
File Type: PE Executable
Packer: UPX

Subject lines seen:
230 dead as storm batters Europe.
A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Naked teens attack home director.
British Muslims Genocide

Attachments seen:
Video.exe
Full Story.exe
Read More.exe
Full Clip.exe
Full Video.exe

============================================================

Scan report of: Video.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender MemScan:Trojan.Agent.AHS
ClamAV Trojan.Downloader-647
Command W32/Downloader.AYDY
Dr Web Trojan.Spambot
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Tibs!generic
eTrust-VET (BETA) Win32/Pecoan.B
Ewido -
F-Prot W32/Downloader.AYDY
F-Secure Trojan-Downloader.Win32.Small.dam
F-Secure (BETA) Trojan-Downloader.Win32.Small.dam
Fortinet -
Fortinet (BETA) -
Ikarus Trojan-Downloader.Win32.Small.dam
Kaspersky Trojan-Downloader.Win32.Small.dam
McAfee -
McAfee (BETA) Downloader-BAI trojan
Microsoft -
Nod32 Win32/Nuwar.Q worm
Norman W32/Tibs.gen12
Panda -
Panda (BETA) Trj/Alanchum.NX
QuickHeal -
Rising -
Sophos Troj/DwnLdr-FYD
Symantec Trojan.Packed.8
Symantec (BETA) Trojan.Packed.8
Trend Micro TROJ_SMALL.EDW
Trend Micro (BETA) TROJ_SMALL.EDW
UNA -
VBA32 -
VirusBuster Trojan.DL.Tibs.Gen!Pac13
WebWasher Trojan.Dldr.Small.DBX
YY_Spybot Smitfraud-C.,,Installer

============================================================

More details and some commentary can be found here [on my other blog].

Friday, 12 January 2007

VS0701001 Possible New Malware [VSBot?]

Data on a sample of a suspected new malware being spread via a website, using a fake e-card e-mail alert to tempt the user to download the fake e-card, which is actually an executable.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

12 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Greeting.gif.exe
FileDateTime: 11/01/2007 09:39:16
Filesize: 132838
MD5: c48cbb9ad058eb2d7d0166447b0a2ed9
CRC32: 4DE50071
File Type: PE Executable
Packer/Archiver: NSIS

============================================================

Scan report of: Greeting.gif.exe

@Proventia-VPS -
AntiVir TR/Drop.VB.apv.7
Avast! -
AVG -
BitDefender Backdoor.IRCBot.AG
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO Win32/VSBot.2ob!Trojan
eTrust-INO (BETA) Win32/VSBot.2ob!Trojan
eTrust-VET Win32/Veesbot.A
eTrust-VET (BETA) Win32/Veesbot.A
Ewido -
F-Prot -
F-Secure Backdoor.Win32.VB.apv
F-Secure (BETA) Backdoor.Win32.VB.apv
Fortinet W32/VB.APV!tr.bdr
Fortinet (BETA) W32/VB.APV!tr.bdr
Ikarus Backdoor.Win32.VB.apv
Kaspersky Backdoor.Win32.VB.apv
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) ERROR
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster Trojan.DR.VB.YYW
WebWasher Trojan.Drop.VB.apv.7
YY_Spybot -

============================================================