CastleCops, Internet Crime Fighters
"The video is crazy!"

 
Post new topic   Reply to topic       All -> FavForums -> Unknown Files [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2899

Premium

PostPosted: Tue Feb 05, 2008 12:45 am    Post subject: "The video is crazy!"

One of a series of spams linking to a website that will download "iclk.html." About 50/50 detection, but I think it's particularly dangerous because although people know that .exe files are dangerous, they may not suspect an html file ... well, presuming there are people who get porn video links in email from strangers and aren't suspicious. And the Google redirection fools the SpamCop parser.

VirusTotal:
Result: 16/32 (50%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.5.10 2008.02.04 Win-Trojan/Exchanger.41472
AntiVir 7.6.0.62 2008.02.04 TR/Crypt.FKM.Gen
Authentium 4.93.8 2008.02.04 -
Avast 4.7.1098.0 2008.02.04 Win32:Agent-RUB
AVG 7.5.0.516 2008.02.04 Generic9.AXKW
BitDefender 7.2 2008.02.05 Trojan.Downloader.Exchanger.A
CAT-QuickHeal 9.00 2008.02.04 (Suspicious) - DNAScan
ClamAV 0.92 2008.02.05 -
DrWeb 4.44.0.09170 2008.02.04 -
eSafe 7.0.15.0 2008.01.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5511 2008.02.04 -
Ewido 4.0 2008.02.04 -
FileAdvisor 1 2008.02.05 -
Fortinet 3.14.0.0 2008.02.04 W32/Dload.B!tr.dldr
F-Prot 4.4.2.54 2008.02.04 -
F-Secure 6.70.13260.0 2008.02.04 Trojan-Downloader.Win32.Exchanger.b
Ikarus T3.1.1.20 2008.02.04 Trojan-Downloader.Win32.Exchanger.b
Kaspersky 7.0.0.125 2008.02.05 Trojan-Downloader.Win32.Exchanger.b
McAfee 5222 2008.02.04 -
Microsoft 1.3204 2008.02.04 -
NOD32v2 2848 2008.02.04 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.02.04 W32/DLoader.FMCK
Panda 9.0.0.4 2008.02.04 -
Prevx1 V2 2008.02.05 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.04 Troj/Dload-BA
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.05 Downloader
TheHacker 6.2.9.208 2008.02.04 -
VBA32 3.12.6.0 2008.02.03 -
VirusBuster 4.3.26:9 2008.02.04 -
Webwasher-Gateway 6.6.2 2008.02.04 Trojan.Crypt.FKM.Gen
Additional information
File size: 41472 bytes
MD5: 267d43112cb6a53e9e02a5280eaf9c31
SHA1: 500275ac465a71734e64ecf31ed87035084d4591
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

Jotti:
Scanner results
Scan taken on 05 Feb 2008 00:22:24 (GMT)
A-Squared: Found nothing
AntiVir: Found TR/Crypt.FKM.Gen
ArcaVir: Found nothing
Avast: Found Win32:Agent-RUB
AVG Antivirus: Found Generic9.AXKW
BitDefender: Found Trojan.Downloader.Exchanger.A
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-Downloader.Win32.Exchanger.b
Fortinet: Found W32/Dload.B!tr.dldr
Ikarus: Found Trojan-Downloader.Win32.Exchanger.b
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Exchanger.b
NOD32: Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control: Found W32/DLoader.FMCK
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found Troj/Dload-BA
VirusBuster: Found nothing
VBA32: Found nothing

Spam:

Quote:
Paris Hilton New Video Auditioning Topless.
The video is crazy!
Only 1 day trial - get this full video now!

Download it now! [links to http://www.google.com/pagead/iclk?sa=l&ai=trailhead&num=69803&adurl=http://58.65.239.98/download.php]

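As an added example (not part of AlphaCentauri's post or of CastleCops' tooling): unwrapping the Google ad-click redirect so an abuse report names the landing host rather than google.com, starting from the link exactly as it sits in the quoted-printable mail body. It uses only the Python standard library; the REDIRECT_PARAMS list and the function names are my own choices.

```python
import quopri
from urllib.parse import urlparse, parse_qs

# Constructed sample: the spam's link as it appears in the quoted-printable
# mail body (soft line break "=\n" and "=3D" standing for "=").
SPAM_LINK_QP = (
    "http://www.google.com/pagead/iclk?sa=3Dl&ai=3Dtrailhead&num=3D698=\n"
    "03&adurl=3Dhttp://58.65.239.98/download.php"
)

# Query parameters that redirectors use to carry the real destination.
# Assumption: this list is mine; Google's pagead/iclk uses "adurl".
REDIRECT_PARAMS = ("adurl", "url", "u")


def decode_qp(text: str) -> str:
    """Undo quoted-printable: rejoin soft line breaks, decode =XX escapes."""
    return quopri.decodestring(text.encode("ascii")).decode("utf-8")


def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow redirector parameters until a URL carrying none remains."""
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)
        target = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        # Stop when no redirect parameter is present or it is not an absolute URL.
        if target is None or not target.lower().startswith(("http://", "https://")):
            break
        current = target
    return current


def abuse_host(qp_link: str) -> str:
    """Host an abuse report should name: the landing site, not the redirector."""
    return urlparse(final_destination(decode_qp(qp_link))).hostname or ""


if __name__ == "__main__":
    print(abuse_host(SPAM_LINK_QP))  # 58.65.239.98
```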
tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5879

MIRT Premium

PostPosted: Tue Feb 05, 2008 2:06 am    Post subject:

Added to malware listserv - CastleCops Link/p1053524-MD5_267d43112cb6a53e9e02a5280eaf9c31_trailer_exe.html

Added to McAfee SiteAdvisor - http://www.siteadvisor.com/sites/58.65.239.98

MIRT Report completed - CastleCops Link/p1053525-MIRT_7804_Trojan_Downloader_on_58_65_239_98_AS27595.html


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx