VSUB - Malware Submissions

Details on new malware submitted to anti-malware vendors for inclusion in their products...

Tuesday, 15 January 2008

VS0801002 Possible New Malware [Nuwar?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a fake Valentine ecard.

I have included data on a sample of the file
offered on the site for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: withlove.exe
FileDateTime: 15/01/2008 18:47:22
Filesize: 114688
MD5: 62b32aaf553e515ba4967aaf64f84a6e
CRC32: 25C30FDE
File Type: PE Executable

============================================================

Scan report of: withlove.exe.1

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/Nuwar worm (variant)
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen!88 (suspicious)
YY_A-Squared -
YY_Spybot -

============================================================


VS0801001 Possible New Malware [Agent?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a fake MySpace website.

I have included data on a sample of the file
offered on the site for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: install_flash_player.exe
FileDateTime: 15/01/2008 10:33:54
Filesize: 43008
MD5: 602e3b55391b8ac990c4c6620e9aac7a
CRC32: C36C8998
File Type: PE Executable
Packer: UPX

============================================================

Scan report of: install_flash_player.exe

@Proventia-VPS -
AntiVir TR/Agent.43008.15
Avast! -
AVG SHeur.AMSM (Trojan horse)
BitDefender DeepScan:Generic.Malware.FBldld.1B33C1C9
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [101] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Backdoor:W32/Agent.CTH
F-Secure (BETA) Backdoor:W32/Agent.CTH
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Win32.SuspectCrc
Kaspersky -
McAfee -
McAfee (BETA) Proxy-Agent.af trojan
Microsoft -
Nod32 -
Norman W32/Agent.DVRK
Panda -
Panda (BETA) -
QuickHeal Win32.Backdoor.Agent.aju
Rising -
Sophos Sus/Dropper-A (suspicious)
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Trojan.Agent.43008.15
YY_A-Squared -
YY_Spybot Worldsecurityonline.FakeAlert,,Executable

============================================================


Tuesday, 13 November 2007

VS0711003 Possible New Malware [Trojan.VB?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a fake Microsoft website.

I have included data on a sample of the file offered on
the site for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: WindowsXP-KB923810-x86-ENU.exe
FileDateTime: 13/11/2007 20:23:46
Filesize: 1057651
MD5: b59d788bc907d9aecb15375abe09c606
CRC32: 303D13C6
File Type: PE Executable
Packer: UPX

============================================================

Scan report of: WindowsXP-KB923810-x86-ENU.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [101] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus Trojan.Win32.VB.azd
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Win32.ModifiedUPX.gen!84 (suspicious)
YY_A-Squared -
YY_Spybot Smitfraud-C.,,Executable

============================================================

More details on this latest malware, including screenshots of both the e-mail and the website and some commentary, can be found here on my Momusings blog.


Monday, 12 November 2007

VS0711002 Possible New Malware [Agent?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a fake YouTube website.

I have included data on a sample of the file offered on
the site for your information and analysis.

2 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: install_flash_player.exe.1
FileDateTime: 12/11/2007 12:09:43
Filesize: 1228800
MD5: 29a8b08786a6a5bd253df5b2a42e7979
CRC32: E8ED5280
File Type: PE Executable

============================================================

Scan report of: install_flash_player.exe.1

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) Trojan-Dropper:W32/Agent.CPL
Fortinet -
Fortinet (BETA) -
Ikarus Win32.SuspectCrc
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher -
YY_A-Squared -
YY_Spybot -

============================================================

More details can be found here on my MoMusings blog.


Thursday, 8 November 2007

VS0711001 Possible New Malware [Zhelatin?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a website.

I have included data on a sample of the file offered on the
site for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: dancer.exe
FileDateTime: 08/11/2007 09:33:24
Filesize: 125283
MD5: bf9dfa4e8f6ea259b3aff05cf5509215
CRC32: 44507CCE
File Type: PE Executable

============================================================

Scan report of: dancer.exe

@Proventia-VPS -
AntiVir WORM/Zhelatin.Gen
Avast! -
AVG -
BitDefender Trojan.Peed.INS (suspected)
ClamAV -
Command -
Dr Web Trojan.Packed.209
eSafe File [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee New Malware.cn (trojan or variant)
McAfee (BETA) New Malware.cn (trojan or variant)
Microsoft TrojanDropper:Win32/Nuwar.gen!avkill (suspicious)
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-F
Sunbelt -
Symantec -
Symantec (BETA) Trojan.Peacomm.D
Trend Micro WORM_NUCRP.GEN
Trend Micro (BETA) WORM_NUCRP.GEN
VBA32 -
VirusBuster -
WebWasher Worm.Zhelatin.Gen
YY_A-Squared -
YY_Spybot -

============================================================


Friday, 5 October 2007

VS0710002 Possible New Malware [BZub?]

Data on a sample of a suspected new malware being seeded
via an e-mail with a link to a website.

I have included data on a sample of the file being
offered on the site for your information and analysis.

6 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: behnert.exe
FileDateTime: 05/10/2007 14:30:03
Filesize: 122584
MD5: a1d660fa9ba56edd66b8387ba1574742
CRC32: B35A3AD1
File Type: PE Executable
Packer: Standard PE File

============================================================

Scan report of: behnert.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir DR/Delphi.Gen
Avast! -
AVG Generic8.FMB (Trojan horse)
BitDefender Trojan.Dropper.Delf.HT (suspected)
ClamAV Trojan.Dropper-2665
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Spy.Win32.BZub.bmj
F-Secure (BETA) Trojan-Spy.Win32.BZub.bmj
Fortinet -
Fortinet (BETA) -
Ikarus Trojan-Spy.Win32.Goldun.lw
Kaspersky Trojan-Spy.Win32.BZub.bmj
McAfee -
McAfee (BETA) -
Microsoft PWS:Win32/Cimuz.D
Nod32 -
Norman W32/Malware.AZOM
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos Mal/Basine-C
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro TSPY_CIMUZ.AT
Trend Micro (BETA) TSPY_CIMUZ.AT
VBA32 -
VirusBuster Trojan.DR.BZub.Gen.13
WebWasher Trojan.Delphi.Gen
YY_A-Squared -
YY_Spybot -

============================================================


VS0710001 Possible New Malware [Agent?]

Data on a sample of a suspected new malware being seeded
via an attachment to a new Storm Worm, Nuwar spam e-mail.

I have data on the attached zip file, and the file in the
zip for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: hent.zip
FileDateTime: 05/10/2007 11:54:09
Filesize: 18971
MD5: 285bce50962a29a65196285491816e7d
CRC32: CBB7DF5C
File Type: ZIP Archive File

Contains:

FileName: hent.exe
FileDateTime: 05/10/2007 12:16:46
Filesize: 20992
MD5: 083bb18514c67dd0d795aedfcac88477
CRC32: 72B5B404
File Type: PE Executable

============================================================

Scan report of: hent.exe

@Proventia-VPS -
AntiVir TR/Dropper.Gen
Avast! -
AVG -
BitDefender Trojan.Pandex.U
ClamAV Trojan.Dropper-2667
Command -
Dr Web BackDoor.Bulknet.78
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Downloader:W32/Agent.DTH
F-Secure (BETA) Trojan-Downloader:W32/Agent.DTH
Fortinet -
Fortinet (BETA) Pushdo!tr
Ikarus Win32.Outbreak
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos Troj/Pushdo-Gen
Sunbelt -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Trojan.Dropper.Gen
YY_A-Squared -
YY_Spybot Worldsecurityonline.FakeAlert,,Executable

============================================================


Tuesday, 11 September 2007

VS0709003 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

Seems to be a new wave with a new or repacked file.

4 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tracker.exe
FileDateTime: 11/09/2007 16:26:29
Filesize: 142095
MD5: 5a4ca687e45143d11dfff92d85bf6fc4
CRC32: 284A41
File Type: PE Executable

============================================================

Scan report of: tracker.exe

@Proventia-VPS -
AntiVir Worm/Storm.tcp
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) Tibs-Packed trojan
Microsoft TrojanDropper:Win32/Nuwar.gen!avkill (suspicious)
Nod32 -
Norman Tibs.gen134
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-D
Sunbelt VIPRE.Suspicious
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Worm.Storm.tcp
YY_A-Squared -
YY_Spybot -

============================================================


Sunday, 9 September 2007

VS0709002 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

10 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tracker.exe
FileDateTime: 09/09/2007 12:41:37
Filesize: 140456
MD5: c4b6c6cb417561135021cf5ee22625c5
CRC32: 3EB1AEC8
File Type: PE Executable

============================================================

Scan report of: tracker.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG Downloader.Tibs
BitDefender DeepScan:Generic.Zlob.0A51F123
ClamAV Trojan.Small-3688
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure Packed.Win32.Tibs.bs
F-Secure (BETA) Packed.Win32.Tibs.bs
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky Packed.Win32.Tibs.bs
McAfee -
McAfee (BETA) Tibs-Packed trojan
Microsoft TrojanDropper:Win32/Nuwar.gen!avkill (suspicious)
Nod32 -
Norman Tibs.gen134
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-D
Sunbelt VIPRE.Suspicious
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen (suspicious)
YY_A-Squared -
YY_Spybot -

============================================================

More details can be found here, including screenshots of one of the e-mails and the website: http://momusings.com/momusings/2007/09/nfl-nuwar-file-link.html


Thursday, 6 September 2007

VS0709001 Possible New Malware [Tibs/Nuwar?]

Data on a sample of a suspected new malware being seeded
via a link in a new Storm Worm, Nuwar spam e-mail.

I have included data on a sample downloaded from the website
in the link for your information and analysis.

4 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: tor.exe
FileDateTime: 06/09/2007 15:02:16
Filesize: 140608
MD5: 36825962ec1860a6c3da778b85f519d8
CRC32: FF6FA7A4
File Type: PE Executable

============================================================

Scan report of: tor.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET Win32/Sintun.AF
eTrust-VET (BETA) Win32/Sintun.AF
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee Tibs-Packed trojan
McAfee (BETA) Tibs-Packed trojan
Microsoft -
Nod32 Win32/Nuwar worm (probably variant)
Norman Tibs.gen134
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Dorf-E
Sunbelt VIPRE.Suspicious
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro Possible_Nucrp-3
Trend Micro (BETA) Possible_Nucrp-3
VBA32 -
VirusBuster -
WebWasher Win32.Malware.gen (suspicious)
YY_A-Squared -
YY_Spybot -

============================================================


Sunday, 12 August 2007

VS0708001 Possible New malware [PolyCrypt?]

Data on a sample of a suspected new malware being seeded
via a spam e-mail with an attached rar file.

I have included data on a sample for your information and analysis.
Also included is data on the file extracted from the RAR.

1 copy has been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Information (Money Gram).rar
FileDateTime: 12/08/2007 17:48:54
Filesize: 42949
MD5: 0a6f685bd13b8deb963e3c1a8270b66f
CRC32: 476C16CE
File Type: RAR Archive File

Contains:

FileName: MG information for my angel 20870432 5-32 PM 08.11.07 order number 11-0427. jpeg.scr
FileDateTime: 12/08/2007 08:23:30
Filesize: 65872
MD5: 35e750f66efa5edda40d5ed3e3c8694e
CRC32: B52AB8AA
File Type: PE Executable

============================================================

Scan report of: MG information for my angel 20870432 5-32 PM 08.11.07 order number 11-0427. jpeg.scr

@Proventia-VPS -
AntiVir TR/Crypt.CFI.Gen
Avast! -
AVG Win32/PolyCrypt
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-Downloader.Win32.Banload.ams
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman LdPinch.JVR
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising Packer.RyCrypt
Sophos Mal/Basine-C
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster Trojan.DR.Cimuz.Gen.1
WebWasher Trojan.Crypt.CFI.Gen
YY_A-Squared -
YY_Spybot -

============================================================


Tuesday, 24 July 2007

VS0707002 - Possible New Malware [Spambot?]

All,

Data on a sample of a suspected new malware being seeded
via a spam e-mail with a link to the attached sample.

URL used: http://[SITE NAME REMOVED]/media/cell_phone_prank.scr

4 copies have been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: cell_phone_prank.scr
FileDateTime: 20/07/2007 17:07:48
Filesize: 219256
MD5: 7c63924fdb8046940d77bfffa6772d7b
CRC32: B8574631
File Type: PE Executable

============================================================

Scan report of: cell_phone_prank.scr

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet Possible_MLWR.5
Fortinet (BETA) Possible_MLWR.5
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft Trojan:Win32/Mespam.B
Nod32 Win32/TrojanProxy.Jaber.NAD trojan
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos Sus/UnkPacker (suspicious)
Symantec -
Symantec (BETA) -
Trend Micro Possible_MLWR-5
Trend Micro (BETA) Possible_MLWR-5
VBA32 Trojan.Spambot
VirusBuster -
WebWasher Heuristic.Crypted
YY_A-Squared -
YY_Spybot -

============================================================


Friday, 6 July 2007

VS0707001 Possible New Malware [Bancos]

Data on a sample of a suspected new malware being seeded
via a spam e-mail with a link to the sample detailed below.

URL used: http://[SITE NAME REMOVED]/media/iphone.scr

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: iphone.scr
FileDateTime: 06/07/2007 15:19:52
Filesize: 41472
MD5: 2c6af05edab480d6a6ed3b9b7ea32f51
CRC32: D0A94CFB
File Type: PE Executable

============================================================

Scan report of: iphone.scr

@Proventia-VPS -
AntiVir TR/Crypt.XPACK.Gen
Avast! -
AVG -
BitDefender Trojan.Spy.Wsnpoem.A
ClamAV Trojan.Spy-8403
Command W32/Backdoor.ATPB
Dr Web Trojan.Proxy.1872
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Backdoor.ATPB
F-Secure Trojan-Spy.Win32.Bancos.aam
F-Secure (BETA) Trojan-Spy.Win32.Bancos.aam
Fortinet W32/Agent.BRW!tr
Fortinet (BETA) W32/Agent.BRW!tr
Ikarus Trojan-Spy.Win32.Bancos.aam
Kaspersky Trojan-Spy.Win32.Bancos.aam
McAfee New Malware.fh (trojan or variant)
McAfee (BETA) New Malware.fh (trojan or variant)
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/EncPk-W
Symantec Infostealer.Banker.C
Symantec (BETA) Infostealer.Banker.C
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
WebWasher Trojan.Crypt.XPACK.Gen
YY_A-Squared -
YY_Spybot Smitfraud-C.,,Executable

============================================================

The site has also been reported to the hosting company; hopefully they can remove the file or pull the site before too many people get infected.


Tuesday, 10 April 2007

VS0704001 Possible new malware [Small/Tibs?]

Data on three samples of a suspected new malware being seeded
via e-mail.

These were caught by my bayesian malware filter.

I have included multiple samples for your information and analysis.

3 copies have been trapped so far.

Subject lines seen:
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens

Attachment names seen:
Click Here.exe
Video.exe
Read Me.exe

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: Video.exe
FileDateTime: 08/04/2007 20:50:15
Filesize: 51342
MD5: 99cdc9be6334d73efc241ce93c7ed2fe
CRC32: B2A3D3A6
File Type: PE Executable

FileName: Click Here.exe
FileDateTime: 08/04/2007 20:59:17
Filesize: 51342
MD5: 4a32764f9165980e255a80ee63edf402
CRC32: 96651D8
File Type: PE Executable

FileName: Read Me.exe
FileDateTime: 08/04/2007 20:49:10
Filesize: 51342
MD5: 95c563731b7828d6e98eae81ee08869f
CRC32: ED8E7715
File Type: PE Executable

============================================================

Scan report of: Click Here.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender Trojan.Peed.Gen
ClamAV -
Command -
Dr Web Trojan.Packed.80
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Trojan.ADUB
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen (suspicious)
YY_Spybot -

============================================================

Scan report of: Read Me.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender Trojan.Peed.Gen
ClamAV -
Command -
Dr Web Trojan.Packed.80
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Trojan.ADUB
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen (suspicious)
YY_Spybot -

============================================================

Scan report of: Video.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender Trojan.Peed.Gen
ClamAV -
Command -
Dr Web Trojan.Packed.80
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot W32/Trojan.ADUB
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec Trojan.Packed.13
Symantec (BETA) Trojan.Packed.13
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen (suspicious)
YY_Spybot -

============================================================


Monday, 19 March 2007

VS0703001 Possible new malware [Banload?]

Data on a sample of a suspected new malware being downloaded
from a fake e-card site.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: voxcards.exe
FileDateTime: 19/03/2007 08:44:25
Filesize: 148992
MD5: d9ef82e2e71375404b81e3c846b2461e
CRC32: 87379A9F
File Type: PE Executable
Packer: DoomPack
File Attributes: A

============================================================

Scan report of: voxcards.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender BehavesLike:Trojan.Downloader (suspected)
ClamAV Trojan.Downloader.Banload-11
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus BehavesLikeTrojan.Downloader
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman W32/Downloader (Sandbox)
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Win32.Malware.gen!94 (suspicious)
YY_Spybot -

============================================================


Wednesday, 14 February 2007

VS0702004 Possible new malware [Downloader?]

Data on a sample of a suspected new malware being seeded via a
fake valentine e-card link which arrives via e-mail.

Example links:
http:// [removed] .info/uk/view.pd.htm
[URL made safe.]

which downloads:
http:// [removed] .info/uk/flash/install_flash_player.exe
[URL made safe.]

This was caught by an end-user.

I have included data on a sample for your information and analysis.

2 copies have been trapped so far.

Screenshots and more details can be found on my momusings blog
http://momusings.blogsome.com/2007/02/13/stupid-cupid-stop-picking-on-me/

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: install_flash_player.exe
FileDateTime: 13/02/2007 14:56:25
Filesize: 9480
MD5: 95b221b32a46b3918c07e0e22a110f53
CRC32: 56D781F8
File Type: PE Executable


============================================================

Scan report of: install_flash_player.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot -

============================================================


Tuesday, 13 February 2007

VS0702003 Possible new malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected
infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: svrhost.exe
FileDateTime: 11/05/2003 21:12:10
Filesize: 337920
MD5: a37215501c4c8e08295d8407dd571aca
CRC32: DE48337
File Type: PE Executable
File Attributes: RHSA

============================================================

Scan report of: svrhost.exe

@Proventia-VPS -
AntiVir Worm/Sdbot.337920
Avast! Win32:Eggdrop-AC [Trj]
AVG -
BitDefender DeepScan:Generic.Sdbot.F305D174
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising Backdoor.SdBot.wkz
Sophos Troj/IRCBot-UB
Symantec -
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) TROJ_IRCBOT.PG
UNA -
VBA32 -
VirusBuster -
WebWasher Worm.Sdbot.337920
YY_Spybot -

============================================================


VS0702002 Possible new malware [Trojan BHO?]

Data on a sample of a suspected new malware being served via an FDIC
phishing site.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: safeConnect.exe
FileDateTime: 13/02/2007 10:34:54
Filesize: 817152
MD5: 454284b824688c9949ca58986c57a0b4
CRC32: 2F71CDC
File Type: PE Executable

============================================================

Scan report of: safeConnect.exe

@Proventia-VPS -
AntiVir TR/BHO.AC
Avast! -
AVG -
BitDefender Trojan.BHO.AC
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus Trojan.BHO.AC
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.BHO.AC
YY_Spybot -

============================================================


Monday, 12 February 2007

VS0702001 Possible new malware [Delf?]

Data on a sample of a suspected new malware from a suspected
infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: test.exe
FileDateTime: 12/02/2007 17:00:26
Filesize: 69120
MD5: 6cca05415f565cb252df71e2a588f722
CRC32: 8D748AF7
File Type: PE Executable

============================================================

Scan report of: test.exe

@Proventia-VPS -
AntiVir BDS/Hupigon.DP
Avast! Win32:Trojano-1315 [Trj]
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-PWS.Win32.Delf.of
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.Hupigon.DP
YY_Spybot -

============================================================


Saturday, 27 January 2007

VS0701007 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: msrdc.exe
FileDateTime: 26/01/2007 16:35:00
Filesize: 1262592
MD5: 7a108a8fda9ab48b5bcb23873530d480
CRC32: 3282F443
File Type: PE Executable

============================================================

Scan report of: msrdc.exe

@Proventia-VPS -
AntiVir Worm/Sdbot.1262592
Avast! -
AVG IRC/BackDoor.SdBot2.PLI (Trojan horse)
BitDefender -
ClamAV -
Command W32/Backdoor.ZLO
Dr Web -
eSafe Win32.SdBot.bcf
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Backdoor.SdBot.bcf
F-Prot W32/Backdoor.ZLO
F-Secure Backdoor.Win32.SdBot.bcf
F-Secure (BETA) Backdoor.Win32.SdBot.bcf
Fortinet W32/IRCBot.YW!tr.bdr
Fortinet (BETA) W32/IRCBot.YW!tr.bdr
Ikarus -
Kaspersky Backdoor.Win32.SdBot.bcf
McAfee W32/Sdbot.worm.gen.ca
McAfee (BETA) W32/Sdbot.worm.gen.ca
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro WORM_SDBOT.BTV
Trend Micro (BETA) WORM_SDBOT.BTV
UNA Backdoor.SdBot.EA0B
VBA32 Backdoor.Win32.SdBot.bcf
VirusBuster -
WebWasher Worm.Sdbot.1262592
YY_Spybot -

============================================================


VS0701006 Possible New Malware [Spybot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: jamesbond.exe
FileDateTime: 26/01/2007 16:35:00
Filesize: 1339392
MD5: deab1ca16db657329a183bfea8e1f92f
CRC32: EA59BBA6
File Type: PE Executable

============================================================

Scan report of: jamesbond.exe

@Proventia-VPS -
AntiVir PCK/Themida
Avast! -
AVG Worm/Spybot.AIQ
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Win32.Spybot
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet W32/RBot.FZO
Fortinet (BETA) W32/RBot.FZO
Ikarus -
Kaspersky -
McAfee W32/Spybot.worm.gen.p
McAfee (BETA) W32/Spybot.worm.gen.p
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos W32/Rbot-FZO
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================


Wednesday, 24 January 2007

VS0701005 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: rundll.exe
FileDateTime: 19/01/2007 14:05:00
Filesize: 1364992
MD5: 71fd1205f6d7550967bda6bf4491a50a
CRC32: 36E8176E
File Type: PE Executable

============================================================

Scan report of: rundll.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda W32/Sdbot.JHH.worm
Panda (BETA) W32/Sdbot.JHH.worm
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Heuristic.Crypted
YY_Spybot -

============================================================


VS0701004 Possible New Malware [Sdbot?]

Data on a sample of a suspected new malware from a suspected infected system.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven't had a chance to test them on a goat system yet.

============================================================

Details:

FileName: dflrwsxq.exe
FileDateTime: 11/05/2003 20:12:10
Filesize: 158720
MD5: 27376b472d43d2be1baf9eec9c130d93
CRC32: 30381941
File Type: PE Executable

============================================================

Scan report of: dflrwsxq.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir Worm/Sdbot.148609
Avast! -
AVG IRC/BackDoor.SdBot2.RHT (Trojan horse)
BitDefender GenPack:Generic.Sdbot.83DF54A9
ClamAV -
Command -
Dr Web Win32.HLLW.MyBot.based
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 Win32/Rbot trojan (variant)
Norman W32/Malware.HIY
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Mal/Packer
Symantec W32.Spybot.Worm
Symantec (BETA) W32.Spybot.Worm
Trend Micro -
Trend Micro (BETA) -
UNA Backdoor.SdBot.C625
VBA32 Win32.HLLW.MyBot.based
VirusBuster -
WebWasher Worm.Sdbot.148609
YY_Spybot -

============================================================


Saturday, 20 January 2007

VS0701003 Possible New Malware [Small?]

Data on a sample of a suspected new malware being spread via an e-mail with an attachment.

This was caught by my Bayesian filter trained to catch e-mail borne malware.

I have included data on a sample for your information and analysis.

60 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Video.exe
FileDateTime: 19/01/2007 23:24:26
Filesize: 26624
MD5: 01a1115bcb0d5e32a98c76a50ac8868d
CRC32: 79C8760C
File Type: PE Executable
Packer: UPX

Subject Lines Seen:
Russian missle shot down Chinese satellite
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!

Attachments Seen:
Full Story.exe
Read More.exe
Full Clip.exe
Video.exe
Full Text.exe

============================================================

Scan report of: Video.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web BackDoor.Groan
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster -
WebWasher Win32.ModifiedUPX.gen!90 (suspicious)
YY_Spybot Smitfraud-C.,,Installer

============================================================

This is a new variant of the threat reported as VS0701002 on this blog.


Friday, 19 January 2007

VS0701002 Possible New Malware [Small?]

Data on a sample of a suspected new malware being spread via an e-mail with an attachment.

This was caught by my Bayesian filter trained to catch e-mail borne malware.

I have included data on a sample for your information and analysis.

35 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Video.exe
FileDateTime: 18/01/2007 23:00:39
Filesize: 29347
MD5: 8cb9492e06662a7b4a072cbbe03bbffe
CRC32: 714168B3
File Type: PE Executable
Packer: UPX


Subject lines seen:
230 dead as storm batters Europe.
A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Naked teens attack home director.
British Muslims Genocide

Attachments seen:
Video.exe
Full Story.exe
Read More.exe
Full Clip.exe
Full Video.exe


============================================================

Scan report of: Video.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender MemScan:Trojan.Agent.AHS
ClamAV Trojan.Downloader-647
Command W32/Downloader.AYDY
Dr Web Trojan.Spambot
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Tibs!generic
eTrust-VET (BETA) Win32/Pecoan.B
Ewido -
F-Prot W32/Downloader.AYDY
F-Secure Trojan-Downloader.Win32.Small.dam
F-Secure (BETA) Trojan-Downloader.Win32.Small.dam
Fortinet -
Fortinet (BETA) -
Ikarus Trojan-Downloader.Win32.Small.dam
Kaspersky Trojan-Downloader.Win32.Small.dam
McAfee -
McAfee (BETA) Downloader-BAI trojan
Microsoft -
Nod32 Win32/Nuwar.Q worm
Norman W32/Tibs.gen12
Panda -
Panda (BETA) Trj/Alanchum.NX
QuickHeal -
Rising -
Sophos Troj/DwnLdr-FYD
Symantec Trojan.Packed.8
Symantec (BETA) Trojan.Packed.8
Trend Micro TROJ_SMALL.EDW
Trend Micro (BETA) TROJ_SMALL.EDW
UNA -
VBA32 -
VirusBuster Trojan.DL.Tibs.Gen!Pac13
WebWasher Trojan.Dldr.Small.DBX
YY_Spybot Smitfraud-C.,,Installer

============================================================

More details and some commentary can be found here [on my other blog].


Friday, 12 January 2007

VS0701001 Possible New Malware [VSBot?]

Data on a sample of a suspected new malware being spread via a website,
using a fake e-card e-mail alert to tempt the user to download the fake e-card, which is actually an executable.

This was caught by an end-user.

I have included data on a sample for your information and analysis.

12 copies have been trapped so far.

I haven't had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Greeting.gif.exe
FileDateTime: 11/01/2007 09:39:16
Filesize: 132838
MD5: c48cbb9ad058eb2d7d0166447b0a2ed9
CRC32: 4DE50071
File Type: PE Executable
Packer/Archiver: NSIS

============================================================

Scan report of: Greeting.gif.exe

@Proventia-VPS -
AntiVir TR/Drop.VB.apv.7
Avast! -
AVG -
BitDefender Backdoor.IRCBot.AG
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO Win32/VSBot.2ob!Trojan
eTrust-INO (BETA) Win32/VSBot.2ob!Trojan
eTrust-VET Win32/Veesbot.A
eTrust-VET (BETA) Win32/Veesbot.A
Ewido -
F-Prot -
F-Secure Backdoor.Win32.VB.apv
F-Secure (BETA) Backdoor.Win32.VB.apv
Fortinet W32/VB.APV!tr.bdr
Fortinet (BETA) W32/VB.APV!tr.bdr
Ikarus Backdoor.Win32.VB.apv
Kaspersky Backdoor.Win32.VB.apv
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) ERROR
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster Trojan.DR.VB.YYW
WebWasher Trojan.Drop.VB.apv.7
YY_Spybot -

============================================================
