VSUB - Malware Submissions

Details on new malware submitted to anti-malware vendors for inclusion in their products...

Tuesday, 24 July 2007

VS0707002 - Possible New Malware [Spambot?]

All,

Data on a sample of a suspected new malware being seeded
via a spam e-mail with a link to the attached sample.

URL used: http://[SITE NAME REMOVED]/media/cell_phone_prank.scr

4 copies have been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: cell_phone_prank.scr
FileDateTime: 20/07/2007 17:07:48
Filesize: 219256
MD5: 7c63924fdb8046940d77bfffa6772d7b
CRC32: B8574631
File Type: PE Executable

============================================================

Scan report of: cell_phone_prank.scr

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet Possible_MLWR.5
Fortinet (BETA) Possible_MLWR.5
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft Trojan:Win32/Mespam.B
Nod32 Win32/TrojanProxy.Jaber.NAD trojan
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Sus/UnkPacker (suspicious)
Symantec -
Symantec (BETA) -
Trend Micro Possible_MLWR-5
Trend Micro (BETA) Possible_MLWR-5
VBA32 Trojan.Spambot
VirusBuster -
WebWasher Heuristic.Crypted
YY_A-Squared -
YY_Spybot -

============================================================

Friday, 6 July 2007

VS0707001 - Possible New Malware [Bancos]

Data on a sample of a suspected new malware being seeded
via a spam e-mail with a link to the sample detailed below.

URL used: http://[SITE NAME REMOVED]/media/iphone.scr

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: iphone.scr
FileDateTime: 06/07/2007 15:19:52
Filesize: 41472
MD5: 2c6af05edab480d6a6ed3b9b7ea32f51
CRC32: D0A94CFB
File Type: PE Executable

============================================================

Scan report of: iphone.scr

@Proventia-VPS -
AntiVir TR/Crypt.XPACK.Gen
Avast! -
AVG -
BitDefender Trojan.Spy.Wsnpoem.A
ClamAV Trojan.Spy-8403
Command W32/Backdoor.ATPB
Dr Web Trojan.Proxy.1872
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Backdoor.ATPB
F-Secure Trojan-Spy.Win32.Bancos.aam
F-Secure (BETA) Trojan-Spy.Win32.Bancos.aam
Fortinet W32/Agent.BRW!tr
Fortinet (BETA) W32/Agent.BRW!tr
Ikarus Trojan-Spy.Win32.Bancos.aam
Kaspersky Trojan-Spy.Win32.Bancos.aam
McAfee New Malware.fh (trojan or variant)
McAfee (BETA) New Malware.fh (trojan or variant)
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/EncPk-W
Symantec Infostealer.Banker.C
Symantec (BETA) Infostealer.Banker.C
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Trojan.Crypt.XPACK.Gen
YY_A-Squared -
YY_Spybot Smitfraud-C.,,Executable

============================================================

The site has also been reported to the hosting company; hopefully they can remove the file or pull the site before too many people get infected.
