We've received a report of a spam run making the rounds; it's in German and has the subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, the link in the email leads to two pieces of malware, the first of which has only sporadic AV detection at the moment. The second looks to be a Riler variant. Thanks Sven! His email to us says:
"The attached file contains an email that has been spammed into my mailbox >100 times this evening, so it aroused my interest. If one wgets the link in it one finds fotoalbum.exe, which VirusTotal identifies as

+++
Complete scanning result of "fotoalbum.exe", received in VirusTotal at 02.19.2007, 23:56:16 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 HEUR/Crypted
Authentium 4.93.8 02.19.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.19.2007 no virus found
AVG 386 02.19.2007 no virus found
BitDefender 7.2 02.19.2007 DeepScan:Generic.Malware.dld!!.7F0C2515
CAT-QuickHeal 9.00 02.19.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 no virus found
eTrust-Vet 30.4.3412 02.19.2007 no virus found
Ewido 4.0 02.19.2007 no virus found
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 suspicious
F-Prot 4.2.1.29 02.19.2007 W32/Downloader.gen10
F-Secure 6.70.13030.0 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
Ikarus T3.1.0.31 02.19.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
McAfee 4966 02.19.2007 no virus found
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanDownloader.Tiny.NCF
Norman 5.80.02 02.19.2007 W32/Downloader
Panda 9.0.0.4 02.19.2007 Suspicious file
Prevx1 V2 02.20.2007 no virus found
Sophos 4.14.0 02.19.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.19.2007 no virus found
TheHacker 6.1.6.060 02.19.2007 no virus found
UNA 1.83 02.19.2007 no virus found
VBA32 3.11.2 02.19.2007 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.19:9 02.19.2007 no virus found

Additional Information
File size: 2108 bytes
MD5: 4b86679ded1718aac5f5bc4840da3e75
SHA1: f42d7eb0934388d65364d212735aae65db26cd5e

Norman sandbox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 2108 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\zc2.exe.
[ Network services ]
**WARNING MALWARE AT THE FOLLOWING**
* Downloads file from http://win20all.com/ar/zc2.exe as C:\WINDOWS\TEMP\zc2.exe.
* Connects to "win20all.com" on port 80 (TCP).
* Opens URL: win20all.com/ar/zc2.exe.
[ Security issues ]
* Starting downloaded file - potential security problem.
+++

and if one now takes a look at .... zc2.exe it gives us this little nicety:

+++
Complete scanning result of "zc2.exe", received in VirusTotal at 02.20.2007, 00:09:26 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 TR/Cimuz.B
Authentium 4.93.8 02.19.2007 W32/Cimuz.gen1@dr
Avast 4.7.936.0 02.19.2007 Win32:Agent-ENM
AVG 386 02.19.2007 Proxy.KMB
BitDefender 7.2 02.19.2007 Trojan.Cimuz.J
CAT-QuickHeal 9.00 02.19.2007 no virus found
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 Win32.Agent.ly
eTrust-Vet 30.4.3412 02.19.2007 Win32/Difisim!generic
Ewido 4.0 02.19.2007 Proxy.Agent.ly
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 W32/Cimuz.BP!tr
F-Prot 4.2.1.29 02.19.2007 W32/Cimuz.gen1@dr
F-Secure 6.70.13030.0 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Ikarus T3.1.0.31 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Kaspersky 4.0.2.24 02.19.2007 Trojan-Proxy.Win32.Agent.ly
McAfee 4966 02.19.2007 Proxy-Agent.o
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanProxy.Cimuz.NAF
Norman 5.80.02 02.19.2007 W32/Agent.BBAA
Panda 9.0.0.4 02.19.2007 Trj/Cimuz.CZ
Prevx1 V2 02.20.2007 Malicious
Sophos 4.14.0 02.19.2007 Troj/Cimuz-BP
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.20.2007 Trojan.Riler.F
TheHacker 6.1.6.060 02.19.2007 Trojan/Proxy.Agent.ly
UNA 1.83 02.19.2007 TrojanProxy.Win32.Agent.694F
VBA32 3.11.2 02.19.2007 Trojan-Proxy.Win32.Agent.ly
VirusBuster 4.3.19:9 02.19.2007 Trojan.PR.Agent.SCN

Additional Information
File size: 69632 bytes
MD5: d4862ca3b6f481141a2f3375ee237c81
SHA1: 97fc4d68b2432a2d0e7dd7750b67f3e4b0d9c166
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=0bc376578083
+++"
Patrick, Feb 19th 2007
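To make the "sporadic detection" observation measurable, here is an added example (my code, not from the diary or from Sven's email) that parses the plain-text VirusTotal report format quoted above into one row per engine and summarises how many engines flagged the file heuristically versus with a named signature; the sample report is a constructed subset of the fotoalbum.exe lines, and the verdict buckets are my own classification.

```python
import re
from dataclasses import dataclass
# One engine line: name, version, update date (MM.DD.YYYY), free-text result.
# Anchoring on the date copes with results containing spaces ("Suspicious file").
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
_HASH = re.compile(r"\b(MD5|SHA1):\s*([0-9a-f]{32,40})\b")
_HEURISTIC = re.compile(r"suspicious|suspect|heur", re.I)

@dataclass
class ScanRow:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def verdict(self) -> str:
        """clean, heuristic (suspicious/generic) or named (family signature)."""
        if self.result.lower() == "no virus found":
            return "clean"
        return "heuristic" if _HEURISTIC.search(self.result) else "named"

def parse_report(text: str):
    """One ScanRow per engine line; the header and hash lines do not match."""
    matches = (_LINE.match(line.strip()) for line in text.splitlines())
    return [ScanRow(*m.groups()) for m in matches if m]

def summarise(text: str) -> dict:
    """Per-verdict counts, flagged ratio, named families and hashes."""
    rows = parse_report(text)
    counts = {"clean": 0, "heuristic": 0, "named": 0}
    for row in rows:
        counts[row.verdict] += 1
    flagged = counts["heuristic"] + counts["named"]
    return {"engines": len(rows), "flagged": flagged,
            "ratio": round(flagged / len(rows), 2) if rows else 0.0,
            "families": sorted({r.result for r in rows if r.verdict == "named"}),
            **counts, **dict(_HASH.findall(text))}

# Constructed sample: a subset of the fotoalbum.exe engine lines quoted above.
SAMPLE = """Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 HEUR/Crypted
Avast 4.7.936.0 02.19.2007 no virus found
CAT-QuickHeal 9.00 02.19.2007 (Suspicious) - DNAScan
Kaspersky 4.0.2.24 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
Panda 9.0.0.4 02.19.2007 Suspicious file
VirusBuster 4.3.19:9 02.19.2007 no virus found
MD5: 4b86679ded1718aac5f5bc4840da3e75
"""
```

Run the same summary over both reports on the page and the gap between the tiny downloader and the proxy payload is immediately visible in the ratio and in the list of named families.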