Another mass-mailing worm, this time a variant of an .HTA attached worm that was first seen in April 2006.
 
F-Prot users who don't want to be bothered by their alerts for this sender-forging-malware can add this to their virus.cfg ...
 
FORGINGVIRUS VBS/Scano@
 
Here are the results of my submission of the attachment to http://www.virustotal.com/ if you see your antivirus scanner and wish to adapt the same line, e.g. for ClamAV:
 
FORGINGVIRUS Worm.Scano.
 
 
Complete scanning result of "Fotos.hta", received in VirusTotal at 10.05.2006, 21:59:18 (CET).

Antivirus           Version         Update      Result
AntiVir             7.2.0.22        10.05.2006  no virus found
Authentium          4.93.8          10.05.2006  VBS/[EMAIL PROTECTED]
Avast               4.7.892.0       10.05.2006  no virus found
AVG                 386             10.05.2006  I-Worm/Scano
BitDefender         7.2             10.05.2006  [EMAIL PROTECTED]
CAT-QuickHeal       8.00            10.05.2006  VBS/Scano.E
ClamAV              devel-20060426  10.05.2006  Worm.Scano.AH-1
DrWeb               4.33            10.05.2006  Win32.HLLM.Perf
eTrust-InoculateIT  23.73.14        10.05.2006  VBS/Areses!Worm
eTrust-Vet          30.3.3115       10.05.2006  VBS/Areses!generic
Ewido               4.0             10.05.2006  no virus found
Fortinet            2.82.0.0        10.05.2006  no virus found
F-Prot              3.16f           10.04.2006  VBS/[EMAIL PROTECTED]
F-Prot4             4.2.1.29        10.05.2006  VBS/[EMAIL PROTECTED]
Ikarus              0.2.65.0        10.05.2006  no virus found
Kaspersky           4.0.2.24        10.05.2006  Email-Worm.Win32.Scano.gen
McAfee              4867            10.05.2006  W32/Areses.dr
Microsoft           1.1603          10.05.2006  TrojanDropper:VBS/Scano.gen
NOD32v2             1.1791          10.05.2006  Win32/Scano.NBH
Norman              5.80.02         10.05.2006  no virus found
Sophos              4.10.0          10.05.2006  W32/Bagle-GY
Symantec            8.0             10.04.2006  no virus found
TheHacker           6.0.1.092       10.05.2006  no virus found
UNA                 1.83            10.05.2006  no virus found
VBA32               3.11.1          10.05.2006  Email-Worm.Win32.Scano.e#6
VirusBuster         4.3.7:9         10.05.2006  VBS.Scano.AZ

Additional Information
File size: 67370 bytes
MD5: cbbae8aa1a224333a17c3051f9afc9b3
SHA1: 18e50e8fe39e20ee0e567e5dfd8f63609ce49d80
 
Andrew 8)
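As an added illustration (not code from the thread or from Declude), here is the notification policy the FORGINGVIRUS lines in this thread express, applied to the detection names quoted above. It assumes Declude matches each fragment as a case-insensitive substring of the scanner's detection name; that semantics is inferred from the "fragment will catch future detections" remark, not confirmed on the page.

```python
import re

# virus.cfg excerpt constructed from the FORGINGVIRUS lines quoted in this thread
VIRUS_CFG = """
FORGINGVIRUS VBS/Scano@
FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!
FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_
FORGINGVIRUS Stration
"""

def load_forging_patterns(cfg_text):
    """Return the name fragment of every FORGINGVIRUS line, in file order."""
    pats = []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*FORGINGVIRUS\s+(\S+)", line, re.IGNORECASE)
        if m:
            pats.append(m.group(1))
    return pats

def matching_pattern(detection_name, patterns):
    """First fragment found in the scanner's detection name, else None.
    ASSUMPTION: Declude treats the fragment as a case-insensitive substring
    (the thread says a fragment 'will catch future detections')."""
    low = detection_name.lower()
    for p in patterns:
        if p.lower() in low:
            return p
    return None

def should_notify_sender(detection_name, patterns):
    """Sender-notification policy: a hit on a FORGINGVIRUS entry means the
    From: address was forged, so a notice to it would only be backscatter."""
    return matching_pattern(detection_name, patterns) is None

def redundant_patterns(patterns):
    """Entries already covered by a shorter entry (John T's observation)."""
    return [p for p in patterns
            if any(q != p and q.lower() in p.lower() for q in patterns)]

if __name__ == "__main__":
    pats = load_forging_patterns(VIRUS_CFG)
    for name in ("W32/Tricky-Malware-based!Maximus", "Possible_Strat-3",
                 "Worm.Scano.AH-1"):
        print(name, "->", "notify" if should_notify_sender(name, pats) else "suppress")
    print("redundant:", redundant_patterns(pats))
```

Note that the ClamAV name Worm.Scano.AH-1 is not covered by the F-Prot line VBS/Scano@, which is why the thread suggests a per-scanner line such as Worm.Scano.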
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 5:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Exactly, John.
 
I should have stated that better; I supplied both variations because I assume that some people would prefer the specific line (the first in each sample) and some people would prefer the generic line to catch future variations.
 
Andrew 8)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Monday, October 02, 2006 5:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Andrew, wouldn’t the second line include the first meaning only the second line is needed?

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 3:49 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

 

Those of us still running F-Prot* as a primary virus scanner will want to add one or both of these to their virus.cfg in order to block notifications for detection of the Stration malware:

 

FORGINGVIRUS W32/Tricky-Malware-based!Maximus

FORGINGVIRUS Tricky-Malware-based!

 

The first is the most explicit, and the second is a fragment that will catch future detections that are based on heuristics.

 

And in the unlikely event that someone is using Trend Micro OfficeScan or SysClean:

 

FORGINGVIRUS Possible_Strat-2

FORGINGVIRUS Possible_

 

 

Andrew 8)

 

* The "new" price is unjustifiably high for using fpcmd on a mailserver.  Plan to switch to a different vendor before you renew this licence.

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

 

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

 

I've added it as a forging virus

FORGINGVIRUS Stration


-----------------------------------------------------
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

 

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

 

 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

Reply via email to