VSUB - Malware Submissions

Details on new malware submitted to anti-malware vendors for inclusion in their products...

Thursday, 15 February 2007

Re: VS0702004 Possible new malware [Downloader?]

Response from F-Secure:
The file is indeed a downloader of a password stealer, namely the bzub malware.

We are adding detection for this file, and this will be included in our next
database update.

I will update this if I get any further responses from the AV vendors.


Wednesday, 14 February 2007

VS0702004 Possible new malware [Downloader?]

Data on a sample of a suspected new malware being seeded via a
fake valentine e-card link which arrives via e-mail.

Example links:
http:// [removed] .info/uk/view.pd.htm
[URL made safe.]

which downloads:
http:// [removed] .info/uk/flash/install_flash_player.exe
[URL made safe.]

This was caught by an end-user.

I have included data on a sample for your information and analysis.

2 copies have been trapped so far.

Screenshots and more details can be found on my momusings blog
http://momusings.blogsome.com/2007/02/13/stupid-cupid-stop-picking-on-me/

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: install_flash_player.exe
FileDateTime: 13/02/2007 14:56:25
Filesize: 9480
MD5: 95b221b32a46b3918c07e0e22a110f53
CRC32: 56D781F8
File Type: PE Executable


============================================================

Scan report of: install_flash_player.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot -

============================================================


Tuesday, 13 February 2007

VS0702003 Possible new malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected
infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: svrhost.exe
FileDateTime: 11/05/2003 21:12:10
Filesize: 337920
MD5: a37215501c4c8e08295d8407dd571aca
CRC32: DE48337
File Type: PE Executable
File Attributes: RHSA

============================================================

Scan report of: svrhost.exe

@Proventia-VPS -
AntiVir Worm/Sdbot.337920
Avast! Win32:Eggdrop-AC [Trj]
AVG -
BitDefender DeepScan:Generic.Sdbot.F305D174
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising Backdoor.SdBot.wkz
Sophos Troj/IRCBot-UB
Symantec -
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) TROJ_IRCBOT.PG
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Sdbot.337920
YY_Spybot -

============================================================


VS0702002 Possible new malware [Trojan BHO?]

Data on a sample of a suspected new malware being served via an FDIC
phishing site.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: safeConnect.exe
FileDateTime: 13/02/2007 10:34:54
Filesize: 817152
MD5: 454284b824688c9949ca58986c57a0b4
CRC32: 2F71CDC
File Type: PE Executable

============================================================

Scan report of: safeConnect.exe

@Proventia-VPS -
AntiVir TR/BHO.AC
Avast! -
AVG -
BitDefender Trojan.BHO.AC
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus Trojan.BHO.AC
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.BHO.AC
YY_Spybot -

============================================================


Monday, 12 February 2007

VS0702001 Possible new malware [Delf?]

Data on a sample of a suspected new malware from a suspected
infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: test.exe
FileDateTime: 12/02/2007 17:00:26
Filesize: 69120
MD5: 6cca05415f565cb252df71e2a588f722
CRC32: 8D748AF7
File Type: PE Executable

============================================================

Scan report of: test.exe

@Proventia-VPS -
AntiVir BDS/Hupigon.DP
Avast! Win32:Trojano-1315 [Trj]
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-PWS.Win32.Delf.of
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.Hupigon.DP
YY_Spybot -

============================================================
