CastleCops, Internet Crime Fighters

CapitalOne malware/phish
AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2703


PostPosted: Wed Jun 25, 2008 1:27 am    Post subject: CapitalOne malware/phish

One of the phish sites that wants you to download an "update"

The file size seems small; possibly it is corrupted and that's why so few detect it?

Quote:
ATTENTION TO ALL CAPITAL ONE BANK CUSTOMERS
NECESSARY CRITICAL UPDATE
A critical update is available to remove unacceptable symbols from the wire submission page that is included with Capital One Bank Treasury Optimizer.
Critical Updates are intended to fix potential security risks in Business Objects Capital One Bank products.
These updates are highly recommended to ensure the security of Capital One Bank products.
Unless otherwise indicated, these updates apply to all languages.
For additional information about the latest service pack for Windows, click the following link to view the article in the Capital One Update Base:
To start update press NEXT

2008 Capital One Services, Inc.


the link is http://top.capitalonebank.compub.login.htmlbank.serv.manager.cgipage.showshow.380764097.type.activex.comprj.153session.y2384h6427dx316q3807w.mncmnbd.com/login.html

VirusTotal:
Result: 8/33 (24.25%)
AhnLab-V3 2008.6.25.0 2008.06.25 -
AntiVir 7.8.0.59 2008.06.24 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.06.24 -
Avast 4.8.1195.0 2008.06.24 -
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.25 -
CAT-QuickHeal 9.50 2008.06.23 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.24 -
DrWeb 4.44.0.09170 2008.06.24 -
eSafe 7.0.17.0 2008.06.24 Suspicious File
eTrust-Vet 31.6.5902 2008.06.25 -
Ewido 4.0 2008.06.24 -
F-Prot 4.4.4.56 2008.06.24 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.24 -
GData 2.0.7306.1023 2008.06.25 -
Ikarus T3.1.1.26.0 2008.06.25 -
Kaspersky 7.0.0.125 2008.06.25 -
McAfee 5324 2008.06.24 -
Microsoft 1.3604 2008.06.25 VirTool:Win32/Obfuscator.BO
NOD32v2 3215 2008.06.24 -
Norman 5.80.02 2008.06.24 -
Panda 9.0.0.4 2008.06.24 -
Prevx1 V2 2008.06.25 -
Rising 20.50.10.00 2008.06.24 -
Sophos 4.30.0 2008.06.25 -
Sunbelt 3.0.1153.1 2008.06.15 VIPRE.Suspicious
Symantec 10 2008.06.25 Infostealer.Snifula
TheHacker 6.2.92.361 2008.06.25 -
TrendMicro 8.700.0.1004 2008.06.24 PAK_Generic.001
VBA32 3.12.6.8 2008.06.23 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.24 Trojan.Crypt.XPACK.Gen
Additional information
File size: 27648 bytes
MD5...: f5ce9e806ba61f77798aa99bca4c75e9
SHA1..: d234f5f145428fe65be09a9e7bf080c57f8809e8
SHA256: 36c9b48c955a66e909c13ce4b89cc4dd8cdc39f9c371ff8a09c30d9388658b45
SHA512: 1884f833232bdc62f86c4e4af13da62348c9652dc02b1221237e7b96a4f5c8dfa89076a9584443b9d091e984cb4d557ed17378de5b4b99c13e06ec6d40be566d

Jotti:
Scan taken on 25 Jun 2008 01:23:34 (GMT)
A-Squared: Found nothing
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

DougCuk

Guest
IP: 79.76.*.*
PostPosted: Wed Jun 25, 2008 11:31 am    Post subject: Small but very active

I have an infected file with the same detection names as you have in your scans - but it is only 11,776 bytes in size - and very much active and not corrupted. Nasty little b****r - downloads all its friends (more spyware and a virus) and really screwed my computer. Disabled ability to run EXE files and embedded itself into the Winlogon service.

Mine also copied itself to a USB Stick I had plugged in - creating an Autorun INF and EXE in the root - set as Hidden and System files. All ready to infect any other PC I plugged into.

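A defender-side check for the USB propagation pattern described in the post above (an autorun.inf in the volume root pointing at an executable also in the root, both set hidden and system). This is an added example, not code from the thread or from CastleCops; the autorun.inf contents and file names are constructed, and the hidden/system attribute test only has meaning on Windows.

```python
import tempfile
from pathlib import Path

# Constructed sample autorun.inf (not from the thread); malware sets several launch keys.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\update.exe
shellexecute=update.exe
shell\\open\\command=update.exe
"""
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def parse_autorun(text):
    """Key=value pairs of the [autorun] section; section and key names are case-insensitive."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Programs AutoPlay would run: the open, shellexecute and shell\\<verb>\\command keys."""
    return sorted({v for k, v in entries.items() if k in ("open", "shellexecute")
                   or (k.startswith("shell\\") and k.endswith("\\command"))})

def is_hidden_system(path):
    """True when both HIDDEN and SYSTEM attributes are set; always False off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM

def scan_volume_root(root):
    """Report a root-level autorun.inf, what it launches, and which targets exist in the root."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return None
    targets = launch_targets(parse_autorun(inf.read_text(errors="replace")))
    present = [t for t in targets if (root / t.replace("\\", "/")).is_file()]
    return {"inf": inf.name, "hidden_system": is_hidden_system(inf),
            "targets": targets, "present": present}

def demo():
    # Lay out a constructed stick in a temp dir and scan it; a real run passes the drive root.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (Path(d) / "update.exe").write_bytes(b"MZ placeholder, not a real binary")
        return scan_volume_root(Path(d))
```

A non-empty "present" list on a removable drive is the condition worth alerting on; the autorun.inf alone is also found on clean vendor media.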
AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2703


PostPosted: Wed Jun 25, 2008 12:21 pm    Post subject:

Yech! And as I recall, this one was 25K. It did appear to have a lot of English commands at the end of the gobbledygook in text view that looked like it was getting files from elsewhere (and that it hadn't been truncated).

Interestingly, since only AntiVir detected it on Jotti, they said they weren't going to submit it to malware companies, as apparently AntiVir is considered more likely to have false positives. Whatever. This is why I switched from Panda to AntiVir.

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5773


PostPosted: Wed Jun 25, 2008 7:25 pm    Post subject:

Thanks for uploading the file. I've added it to the malware listserv.

CastleCops Link/t224071-MD5_f5ce9e806ba61f77798aa99bca4c75e9_CVE_2008_5601_exe.html


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx