VSUB - Malware Submissions

Details on new malware submitted to anti-malware vendors for inclusion in their products...

Tuesday, 11 September 2007

VS0709003 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

Seems to be a new wave with a new or repacked file.

4 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tracker.exe
FileDateTime: 11/09/2007 16:26:29
Filesize: 142095
MD5: 5a4ca687e45143d11dfff92d85bf6fc4
CRC32: 284A41
File Type: PE Executable

============================================================

Scan report of: tracker.exe

@Proventia-VPS -
AntiVir Worm/Storm.tcp
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) Tibs-Packed trojan
Microsoft TrojanDropper:Win32/Nuwar.gen!avkill (suspicious)
Nod32 -
Norman Tibs.gen134
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-D
Sunbelt VIPRE.Suspicious
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Worm.Storm.tcp
YY_A-Squared -
YY_Spybot -

============================================================


Sunday, 9 September 2007

VS0709002 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

10 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tracker.exe
FileDateTime: 09/09/2007 12:41:37
Filesize: 140456
MD5: c4b6c6cb417561135021cf5ee22625c5
CRC32: 3EB1AEC8
File Type: PE Executable

============================================================

Scan report of: tracker.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG Downloader.Tibs
BitDefender DeepScan:Generic.Zlob.0A51F123
ClamAV Trojan.Small-3688
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure Packed.Win32.Tibs.bs
F-Secure (BETA) Packed.Win32.Tibs.bs
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Packed.Win32.Tibs.bs
McAfee -
McAfee (BETA) Tibs-Packed trojan
Microsoft TrojanDropper:Win32/Nuwar.gen!avkill (suspicious)
Nod32 -
Norman Tibs.gen134
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-D
Sunbelt VIPRE.Suspicious
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen (suspicious)
YY_A-Squared -
YY_Spybot -

============================================================

More details can be found here, including screenshots of one of the e-mails and the website: http://momusings.com/momusings/2007/09/nfl-nuwar-file-link.html


Thursday, 6 September 2007

VS0709001 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

4 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tor.exe
FileDateTime: 06/09/2007 15:02:16
Filesize: 140608
MD5: 36825962ec1860a6c3da778b85f519d8
CRC32: FF6FA7A4
File Type: PE Executable

============================================================

Scan report of: tor.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee Tibs-Packed trojan
McAfee (BETA) Tibs-Packed trojan
Microsoft -
Nod32 Win32/Nuwar worm (probably variant)
Norman Tibs.gen134
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-E
Sunbelt VIPRE.Suspicious
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro Possible_Nucrp-3
Trend Micro (BETA) Possible_Nucrp-3
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen (suspicious)
YY_A-Squared -
YY_Spybot -

============================================================
