At 10:04 AM -0400 5/12/09, Charles Gregory wrote:
>Greetings!
>
>Received the following e-mail that looks like a phishing attempt,
>with an attached zipped .exe file ...
>
>I've saved the file to:
> http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip
>
>I don't have the facilities to test anything, but just the fact
>that it is an attached exe in an obvious phish makes me wonder
>if this is a brand new virus (or clever scheme that should still
>be trapped)?
>
>So if someone can test/analyse the above file (it tests clean
>with this morning's clamscan), I would be interested in how it
>does its 'thing'....
>
>- Charles
Charles,

It's a Zbot Trojan. You can check by sending it to [email protected] with the word SCAN as the subject and the suspected malware attached. VirusTotal will forward it to AV vendors, including ClamAV.

If you want, you can forward it to [email protected] and we'll make a temporary signature for it until the ClamAV folks build an analyzed signature. These signatures are contained in winnow_malware.hdb, distributed along with the sanesecurity sigs.

We have submitted this one to ClamAV and built a temporary signature for it.

Tom

Complete scanning result of "MTCN_INVOICE.exe", processed in VirusTotal at 05/12/2009 16:28:26 (CET).

[ file data ]
* name..: MTCN_INVOICE.exe
* size..: 91136
* md5...: e359b56297b6ab3fdde471a0eef79871
* sha1..: 05d3c96587011102685aaf4a6e5072f3bb539cdc
* peid..: -

[ scan result ]
a-squared 4.0.0.101/20090512 found [Trojan-Spy.Win32.Zbot!IK]
AhnLab-V3 5.0.0.2/20090512 found nothing
AntiVir 7.9.0.166/20090512 found [TR/Spy.ZBot.hab]
Antiy-AVL 2.0.3.1/20090512 found nothing
Authentium 5.1.2.4/20090512 found [W32/Zbot.YI]
Avast 4.8.1335.0/20090511 found nothing
AVG 8.5.0.327/20090512 found nothing
BitDefender 7.2/20090512 found [Trojan.Spy.Zbot.TP]
CAT-QuickHeal 10.00/20090512 found [(Suspicious) - DNAScan]
ClamAV 0.94.1/20090512 found nothing
Comodo 1157/20090508 found nothing
DrWeb 5.0.0.12182/20090512 found nothing
eSafe 7.0.17.0/20090512 found [Suspicious File]
eTrust-Vet 31.6.6501/20090512 found [Win32/Kollah.AIF]
F-Prot 4.4.4.56/20090512 found [W32/Zbot.YI]
F-Secure 8.0.14470.0/20090512 found [Trojan-Spy:W32/Zbot.OTC]
Fortinet 3.117.0.0/20090512 found nothing
GData 19/20090512 found [Trojan.Spy.Zbot.TP]
Ikarus T3.1.1.49.0/20090512 found [Trojan-Spy.Win32.Zbot]
K7AntiVirus 7.10.732/20090511 found nothing
Kaspersky 7.0.0.125/20090512 found [Trojan-Spy.Win32.Zbot.tmu]
McAfee 5612/20090511 found nothing
McAfee+Artemis 5612/20090511 found [Artemis!E359B56297B6]
McAfee-GW-Edition 6.7.6/20090512 found [Trojan.Spy.ZBot.hab]
Microsoft 1.4602/20090512 found [PWS:Win32/Zbot.M]
NOD32 4068/20090512 found [Win32/Spy.Zbot.NJ]
Norman 6.01.05/20090512 found nothing
nProtect 2009.1.8.0/20090512 found nothing
Panda 10.0.0.14/20090511 found [Suspicious file]
PCTools 4.4.2.0/20090507 found nothing
Prevx 3.0/20090512 found nothing
Rising 21.29.14.00/20090512 found nothing
Sophos 4.41.0/20090512 found [Troj/Agent-JUZ]
Sunbelt 3.2.1858.2/20090512 found [BehavesLike.Win32.Malware (v)]
Symantec 1.4.4.12/20090512 found [Infostealer.Banker.C]
TheHacker 6.3.4.1.324/20090509 found nothing
TrendMicro 8.950.0.1092/20090512 found nothing
VBA32 3.12.10.4/20090512 found nothing
ViRobot 2009.5.12.1731/20090512 found nothing
VirusBuster 4.6.5.0/20090511 found nothing

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
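As an added example (not code from this thread, from VirusTotal, or from the winnow/sanesecurity project), the script below does the two defender-side steps Tom describes: it parses the e-mail style VirusTotal report quoted above (the md5/sha1/size block and the "Vendor version/date found [verdict]" lines, so the regex assumes exactly that layout) to get a detection count and to see which engines already file the sample under the Zbot family, and it builds a temporary ClamAV hash signature in the .hdb format (MD5:FileSize:MalwareName) and shows how such a line is matched against a sample. The embedded report is a subset of the lines above; the malware name Winnow.Malware.Zbot.Temp is a placeholder picked for this example, not a real winnow signature name.

```python
import hashlib
import re
from typing import Optional

# Subset of the VirusTotal e-mail report quoted in the thread, embedded here so
# the example runs offline (constructed from the report lines above).
SAMPLE_REPORT = """\
Complete scanning result of "MTCN_INVOICE.exe", processed in VirusTotal at 05/12/2009 16:28:26 (CET).
[ file data ]
* name..: MTCN_INVOICE.exe
* size..: 91136
* md5...: e359b56297b6ab3fdde471a0eef79871
* sha1..: 05d3c96587011102685aaf4a6e5072f3bb539cdc
[ scan result ]
AntiVir 7.9.0.166/20090512 found [TR/Spy.ZBot.hab]
Avast 4.8.1335.0/20090511 found nothing
BitDefender 7.2/20090512 found [Trojan.Spy.Zbot.TP]
ClamAV 0.94.1/20090512 found nothing
eSafe 7.0.17.0/20090512 found [Suspicious File]
Kaspersky 7.0.0.125/20090512 found [Trojan-Spy.Win32.Zbot.tmu]
Microsoft 1.4602/20090512 found [PWS:Win32/Zbot.M]
Sophos 4.41.0/20090512 found [Troj/Agent-JUZ]
"""

# One "Vendor engine-version/YYYYMMDD found <verdict>" line of the report.
_VENDOR_LINE = re.compile(r"^(\S+)\s+(\S+)/(\d{8})\s+found\s+(.+)$")


def parse_file_data(report: str) -> dict:
    """Pull the md5, sha1 and size fields out of the [ file data ] block."""
    info = {}
    for key, pattern in (("md5", r"\* md5\.+: ([0-9a-f]{32})"),
                         ("sha1", r"\* sha1\.+: ([0-9a-f]{40})"),
                         ("size", r"\* size\.+: (\d+)")):
        m = re.search(pattern, report)
        if m:
            info[key] = int(m.group(1)) if key == "size" else m.group(1)
    return info


def parse_scan_result(report: str) -> dict:
    """Map vendor -> detection name, or None where the engine 'found nothing'."""
    results = {}
    for line in report.splitlines():
        m = _VENDOR_LINE.match(line.strip())
        if not m:
            continue
        vendor, _version, _date, verdict = m.groups()
        results[vendor] = None if verdict == "nothing" else verdict.strip("[]")
    return results


def detection_ratio(results: dict) -> tuple:
    """(engines that detected the file, engines listed in the report)."""
    return (sum(1 for v in results.values() if v), len(results))


def vendors_naming_family(results: dict, family: str) -> list:
    """Vendors whose detection name mentions the given family (case-insensitive)."""
    return sorted(v for v, r in results.items() if r and family.lower() in r.lower())


def hdb_line(md5_hex: str, size: int, name: str) -> str:
    """ClamAV hash signature (.hdb) line: MD5:FileSize:MalwareName."""
    return f"{md5_hex}:{size}:{name}"


def hdb_line_for_bytes(data: bytes, name: str) -> str:
    """Same signature, computed from the sample bytes themselves."""
    return hdb_line(hashlib.md5(data).hexdigest(), len(data), name)


def match_hdb(data: bytes, signatures: list) -> Optional[str]:
    """Return the malware name of the first .hdb line matching data, else None.

    Both the MD5 and the file size must agree, as they do in ClamAV's .hdb check.
    """
    md5_hex = hashlib.md5(data).hexdigest()
    for line in signatures:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sig_md5, sig_size, sig_name = line.split(":", 2)
        if sig_md5.lower() == md5_hex and int(sig_size) == len(data):
            return sig_name
    return None


if __name__ == "__main__":
    info = parse_file_data(SAMPLE_REPORT)
    results = parse_scan_result(SAMPLE_REPORT)
    hit, total = detection_ratio(results)
    print(f"{hit}/{total} engines flagged the sample; ClamAV: {results.get('ClamAV')}")
    print("Zbot family per:", ", ".join(vendors_naming_family(results, "zbot")))
    # Temporary hash signature in the style of winnow_malware.hdb; the name is a placeholder.
    print(hdb_line(info["md5"], info["size"], "Winnow.Malware.Zbot.Temp"))
```

A hash signature like this only ever matches the exact bytes of this one sample, which is why it is a stopgap until a proper analyzed signature exists: a repacked build of the same Trojan gets a new MD5 and size and slips past it, so the detection count from the report is worth re-checking whenever a fresh variant of the same phish arrives.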
