CapitalOne malware/phish

CastleCops -> Unknown Files

Author: AlphaCentauri    Posted: Wed Jun 25, 2008 1:27 am    Post subject: CapitalOne malware/phish

One of the phish sites that wants you to download an "update"

The file size seems small; possibly it is corrupted and that's why so few detect it?

Quote:
ATTENTION TO ALL CAPITAL ONE BANK CUSTOMERS
NECESSARY CRITICAL UPDATE
A critical update is available to remove unacceptable symbols from the wire submission page that is included with Capital One Bank Treasury Optimizer.
Critical Updates are intended to fix potential security risks in Business Objects Capital One Bank products.
These updates are highly recommended to ensure the security of Capital One Bank products.
Unless otherwise indicated, these updates apply to all languages.
For additional information about the latest service pack for Windows, click the following link to view the article in the Capital One Update Base:
To start update press NEXT

2008 Capital One Services, Inc.


the link is http://top.capitalonebank.compub.login.htmlbank.serv.manager.cgipage.showshow.380764097.type.activex.comprj.153session.y2384h6427dx316q3807w.mncmnbd.com/login.html

VirusTotal:
Result: 8/33 (24.25%)
AhnLab-V3 2008.6.25.0 2008.06.25 -
AntiVir 7.8.0.59 2008.06.24 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.06.24 -
Avast 4.8.1195.0 2008.06.24 -
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.25 -
CAT-QuickHeal 9.50 2008.06.23 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.24 -
DrWeb 4.44.0.09170 2008.06.24 -
eSafe 7.0.17.0 2008.06.24 Suspicious File
eTrust-Vet 31.6.5902 2008.06.25 -
Ewido 4.0 2008.06.24 -
F-Prot 4.4.4.56 2008.06.24 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.24 -
GData 2.0.7306.1023 2008.06.25 -
Ikarus T3.1.1.26.0 2008.06.25 -
Kaspersky 7.0.0.125 2008.06.25 -
McAfee 5324 2008.06.24 -
Microsoft 1.3604 2008.06.25 VirTool:Win32/Obfuscator.BO
NOD32v2 3215 2008.06.24 -
Norman 5.80.02 2008.06.24 -
Panda 9.0.0.4 2008.06.24 -
Prevx1 V2 2008.06.25 -
Rising 20.50.10.00 2008.06.24 -
Sophos 4.30.0 2008.06.25 -
Sunbelt 3.0.1153.1 2008.06.15 VIPRE.Suspicious
Symantec 10 2008.06.25 Infostealer.Snifula
TheHacker 6.2.92.361 2008.06.25 -
TrendMicro 8.700.0.1004 2008.06.24 PAK_Generic.001
VBA32 3.12.6.8 2008.06.23 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.24 Trojan.Crypt.XPACK.Gen
Additional information
File size: 27648 bytes
MD5...: f5ce9e806ba61f77798aa99bca4c75e9
SHA1..: d234f5f145428fe65be09a9e7bf080c57f8809e8
SHA256: 36c9b48c955a66e909c13ce4b89cc4dd8cdc39f9c371ff8a09c30d9388658b45
SHA512: 1884f833232bdc62f86c4e4af13da62348c9652dc02b1221237e7b96a4f5c8dfa89076a9584443b9d091e984cb4d557ed17378de5b4b99c13e06ec6d40be566d

Jotti:
Scan taken on 25 Jun 2008 01:23:34 (GMT)
A-Squared: Found nothing
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Author: DougCuk    Posted: Wed Jun 25, 2008 11:31 am    Post subject: Small but very active

I have an infected file with the same detection names as you have in your scans - but it is only 11,776 bytes in size - and very much active and not corrupted. Nasty little b****r - downloads all its friends (more spyware and a virus) and really screwed my computer. Disabled the ability to run EXE files and embedded itself into the Winlogon service.

Mine also copied itself to a USB stick I had plugged in - creating an autorun INF and an EXE in the root - set as Hidden and System files. All ready to infect any other PC I plugged it into.
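The USB pattern DougCuk describes above (an autorun INF in the drive root launching an EXE, both marked Hidden and System) is what this added defender-side check looks for; it is example code written for this page, not from the thread or from any product named in it. The autorun.inf content and file names are constructed, and the Hidden/System bits are only readable on Windows (`st_file_attributes`), so `has_hidden_system` returns False elsewhere.

```python
# Added example (not from the thread): parse an autorun.inf and flag the USB pattern DougCuk describes.
import configparser
import os
import stat

HIDDEN_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)  # Windows bits
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def parse_autorun(text):
    """Return the lower-cased file names an autorun.inf launches (open=, shellexecute=, shell\\X\\command=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)  # Windows ignores case
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):  # keys are already lower-cased by configparser
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            first = value.strip().split()[0].strip('"')  # keep the program, drop its arguments
            targets.append(os.path.basename(first.replace("\\", "/")).lower())
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


def has_hidden_system(path):
    """True when a file carries both Hidden and System attributes (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM


def assess_root(autorun_text, root_listing, hidden_system):
    """Map each suspicious launch target to its reasons; both sets hold lower-cased names from the drive root."""
    findings = {}
    for name in parse_autorun(autorun_text):
        if not name.endswith(EXEC_EXT) or name not in root_listing:
            continue
        flags = ["autorun launches an executable from the drive root"]
        if name in hidden_system:
            flags.append("launched file is marked Hidden+System")
        if "autorun.inf" in hidden_system:
            flags.append("autorun.inf itself is marked Hidden+System")
        findings[name] = flags
    return findings


# Constructed sample (file names made up): Hidden+System autorun.inf pointing at a Hidden+System EXE.
SAMPLE_AUTORUN = "[autorun]\nopen=update.exe\nshell\\open\\command=update.exe\nicon=update.exe,0\n"
SAMPLE_ROOT = {"autorun.inf", "update.exe", "holiday.jpg"}
SAMPLE_HIDDEN_SYSTEM = {"autorun.inf", "update.exe"}
```

On a live Windows drive, build the two sets from `os.listdir` and `has_hidden_system` on each root entry and pass them to `assess_root` with the autorun.inf text.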

Author: AlphaCentauri    Posted: Wed Jun 25, 2008 12:21 pm    Post subject:

Yech! And as I recall, this one was 25K. It did appear to have a lot of English commands at the end of the gobbledygook in text view that looked like it was getting files from elsewhere (and that it hadn't been truncated).

Interestingly, since only AntiVir detected it on Jotti, they said they weren't going to submit it to malware companies, as apparently AntiVir is considered more likely to have false positives. Whatever. This is why I switched from Panda to AntiVir.

Author: tetak    Posted: Wed Jun 25, 2008 7:25 pm    Post subject:

Thanks for uploading the file. I've added it to the malware listserv.

CastleCops Link/t224071-MD5_f5ce9e806ba61f77798aa99bca4c75e9_CVE_2008_5601_exe.html
