http://www.virustotal.com says:
AntiVir 6.32.0.3 09.13.2005 no virus found Avast 4.6.695.0 09.12.2005 no virus found AVG 718 09.13.2005 no virus found Avira 6.32.0.3 09.13.2005 no virus found BitDefender 7.0 09.02.2005 no virus found CAT-QuickHeal 8.00 09.12.2005 no virus found ClamAV devel-20050725 09.13.2005 Trojan.Spy.Banker-94 DrWeb 4.32b 09.13.2005 no virus found eTrust-Iris 7.1.194.0 09.13.2005 no virus found eTrust-Vet 11.9.1.0 09.13.2005 no virus found Fortinet 2.41.0.0 09.07.2005 no virus found F-Prot 3.16c 09.13.2005 no virus found Ikarus 0.2.59.0 09.13.2005 Trojan-Spy.Win32.Bancos.JU Kaspersky 4.0.2.24 09.13.2005 Trojan-Spy.Win32.Banker.ju McAfee 4580 09.13.2005 no virus found NOD32v2 1.1215 09.13.2005 a variant of Win32/Spy.Banker.VJ Norman 5.70.10 09.13.2005 no virus found Panda 8.02.00 09.13.2005 no virus found Sophos 3.97.0 09.13.2005 no virus found Symantec 8.0 09.13.2005 no virus found TheHacker 5.8.2.105 09.12.2005 no virus found VBA32 3.10.4 09.12.2005 MalwareScope.Trojan-Spy.Banker.43 Cheers, Phil ---- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Pedro Hugo > Sent: 13 September 2005 17:03 > To: [email protected] > Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan > > Hello, > I'm receiving an homebanking trojan from Brazil. The email is > disguised as a patch for Orkut Bad Server and Errors. > The download location is at > http://69.57.154.130/~arquivo/orkut-patch.exe . > AVG detects it, Norton doesn't. Didn't had the opportunity to > test with other AV. > > Some quick notes about this one: > - It's packed with PECOMPACT 2.x. It can easily be unpacked > with Olly, using the PECOMPACT scripts (www.openrce.org for > example) and Ollydump. > - You can extract a few Jpeg's from the unpacked binary. It > confirms it tries to attack homebanking accounts. > - Strings reveals some 4 or 5 banks addresses. > - Seems to be coded in Delphi. > - It appears to email the stolen accounts to 2 accounts. At > least they are in the code. > > I think it should be interesting for Malware Reverse > Engineering practice. > No much spare time at the moment to give a look at it, so no > much details. > > It could be useful to AV vendors, since I'm not sure it's > being detected by all. I thought it was a new one in the > wild, until I tested with AVG :( > > Best Regards, > Pedro Hugo > > P.S.: The first copy arrived 3 weeks ago, and today I have > received two more. > If you want the original email, I can forward it. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
