CastleCops, Internet Crime Fighters
New fotosecretas.scr malware only 9 out of 24 scanners detect
::...Aviso...:: I do not go to identify itself but I am a friend, this and only one acknowledgment, you this being traido I did not have the courage to count to you personally but as images speak but that a thousand words resolvie to send you these photos as test of that this happening.... My advice and that he looks at the photos...:::.. Click to see the photos here
The above is from a brand new email received just now, sent natively in Portuguese and translated with Babelfish. The original pre-translated text is below, along with the hyperlink, which leads to an ".scr" file. The file was recognized as malware/suspicious by 9 out of 24 virus scanners: Symantec missed it, whereas others such as Kaspersky found it. More details below.

The untranslated text:

::...Aviso...:: Não vou me identificar mas sou um amigo, isso e apenas um aviso, você esta sendo traido não tive a coragem de te contar pessoalmente mas como imagens falam mas que mil palavras resolvie te enviar essas fotos como prova do que esta acontecendo.... Meu conselho e que olhe as fotos...:::.. Click aqui para ver as fotos


The link goes to here:

http://gospelprovider.info/

For vendors and researchers, the file has been attached here, in our Unknown Files forum. If you don't see it, email me for access. Grab it:

http://castlecops.com/t144736-new_malware_fotosecretas_scr.html

A scan at virustotal just now revealed 9 out of 24 scanners successfully finding it:

Antivirus           Version         Update      Result
AntiVir             6.33.0.77       01.17.2006  no virus found
Avast               4.6.695.0       01.17.2006  Win32:Banker-WV
AVG                 718             01.18.2006  no virus found
Avira               6.33.0.77       01.17.2006  no virus found
BitDefender         7.2             01.18.2006  Trojan.Banker.Delf.5CA290E7
CAT-QuickHeal       8.00            01.17.2006  no virus found
ClamAV              devel-20051123  01.17.2006  no virus found
DrWeb               4.33            01.17.2006  Trojan.PWS.Banker.based
eTrust-InoculateIT  23.71.52        01.18.2006  no virus found
eTrust-Vet          12.4.2048       01.18.2006  no virus found
Ewido               3.5             01.17.2006  Logger.Banker.anv
Fortinet            2.54.0.0        01.18.2006  suspicious
F-Prot              3.16c           01.16.2006  no virus found
Ikarus              0.2.59.0        01.17.2006  no virus found
Kaspersky           4.0.2.24        01.18.2006  Trojan-Spy.Win32.Banker.anv
McAfee              4676            01.17.2006  New Malware.n
NOD32v2             1.1369          01.17.2006  no virus found
Norman              5.70.10         01.17.2006  no virus found
Panda               9.0.0.4         01.17.2006  Suspicious file
Sophos              4.01.0          01.18.2006  Troj/Bancb-Fam
Symantec            8.0             01.18.2006  no virus found
TheHacker           5.9.2.075       01.17.2006  no virus found
UNA                 1.83            01.17.2006  no virus found
VBA32               3.10.5          01.17.2006  no virus found


Here is the email message and its header:

[Screenshot: the email message and its header]

Message digests:

SHA-1: b0e5b849ffb14d8021125ebb870a4e6830879b1a
MD5: 6516e55dffdf028855473fb6d8f5ab23
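The two practical uses of the data above are tallying the scan table to get the 9-of-24 figure (counting the "suspicious" verdicts as detections, as the post does) and checking a sample's digests against the published SHA-1/MD5 before anyone opens it. The script below is an added example, not part of the original post or of any CastleCops tool. The scan table is a constructed copy of the one shown above, the known-bad digests are the two published on this page, and the sample bytes hashed at the end are constructed (they are not the malware, so they match nothing).

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed copy of the VirusTotal-style table from the post:
# vendor, version, update date, result (one scanner per line).
SCAN_TABLE = """\
AntiVir 6.33.0.77 01.17.2006 no virus found
Avast 4.6.695.0 01.17.2006 Win32:Banker-WV
AVG 718 01.18.2006 no virus found
Avira 6.33.0.77 01.17.2006 no virus found
BitDefender 7.2 01.18.2006 Trojan.Banker.Delf.5CA290E7
CAT-QuickHeal 8.00 01.17.2006 no virus found
ClamAV devel-20051123 01.17.2006 no virus found
DrWeb 4.33 01.17.2006 Trojan.PWS.Banker.based
eTrust-InoculateIT 23.71.52 01.18.2006 no virus found
eTrust-Vet 12.4.2048 01.18.2006 no virus found
Ewido 3.5 01.17.2006 Logger.Banker.anv
Fortinet 2.54.0.0 01.18.2006 suspicious
F-Prot 3.16c 01.16.2006 no virus found
Ikarus 0.2.59.0 01.17.2006 no virus found
Kaspersky 4.0.2.24 01.18.2006 Trojan-Spy.Win32.Banker.anv
McAfee 4676 01.17.2006 New Malware.n
NOD32v2 1.1369 01.17.2006 no virus found
Norman 5.70.10 01.17.2006 no virus found
Panda 9.0.0.4 01.17.2006 Suspicious file
Sophos 4.01.0 01.18.2006 Troj/Bancb-Fam
Symantec 8.0 01.18.2006 no virus found
TheHacker 5.9.2.075 01.17.2006 no virus found
UNA 1.83 01.17.2006 no virus found
VBA32 3.10.5 01.17.2006 no virus found
"""

# Digests of fotosecretas.scr as published in the post, keyed by algorithm.
KNOWN_BAD = {
    "sha1": {"b0e5b849ffb14d8021125ebb870a4e6830879b1a": "fotosecretas.scr"},
    "md5": {"6516e55dffdf028855473fb6d8f5ab23": "fotosecretas.scr"},
}


@dataclass
class ScanRow:
    vendor: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        # The post counts "suspicious" verdicts as detections, so only an
        # explicit "no virus found" is a miss.
        return self.result.strip().lower() != "no virus found"


def parse_scan_table(text: str) -> list[ScanRow]:
    """Parse the flattened table; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue
        # Vendor, version and date contain no spaces; only the result may.
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"unparseable scan row: {line!r}")
        rows.append(ScanRow(*parts))
    return rows


def detection_ratio(rows: list[ScanRow]) -> tuple[int, int]:
    return sum(1 for r in rows if r.detected), len(rows)


def missed_by(rows: list[ScanRow]) -> list[str]:
    return [r.vendor for r in rows if not r.detected]


def digests_of(data: bytes) -> dict[str, str]:
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def match_known_bad(digests: dict[str, str], known=KNOWN_BAD) -> list[tuple[str, str]]:
    """Return (algorithm, label) for each published digest the sample matches."""
    return [(algo, known[algo][value.lower()])
            for algo, value in digests.items()
            if value.lower() in known.get(algo, {})]


if __name__ == "__main__":
    rows = parse_scan_table(SCAN_TABLE)
    hits, total = detection_ratio(rows)
    print(f"{hits} of {total} scanners flagged the file; missed by: {', '.join(missed_by(rows))}")
    # Constructed sample bytes (not the malware): expected to match nothing.
    print("IoC matches:", match_known_bad(digests_of(b"constructed harmless sample")))
```

To check a real attachment, read its bytes and pass them to `digests_of` before `match_known_bad`; a hit on either algorithm is enough to quarantine, and the SHA-1 is the one to rely on where both are available.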

A word of caution to our readers: this only reinforces the need to keep your AVs up to date, and to be very careful.
Posted on Wednesday, 18 January 2006 @ 02:01:32 UTC by Paul (3904 reads)