[Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
Greetings!

Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ... I've saved the file to:

http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip

I don't have the facilities to test anything, but just the fact that it is an attached exe in an obvious phish makes me wonder if this is a brand new virus (or clever scheme that should still be trapped)?

So if someone can test/analyse the above file (it tests clean with this morning's clamscan), I would be interested in how it does its 'thing'

- Charles

-- Forwarded message --
Date: Tue, 12 May 2009 10:59:31 +0200
From: Western Union hcha...@enviromedia.com
To: cgreg...@hwcn.org
Subject: [4.4] Western Union Transfer MTCN: 0258258718

Dear Customer!

The money transfer you have sent on the 21st of March has not been received by the recipient. According to the Western Union agreement the transfers which are not collected in 30 business days are to be returned to sender. To collect cash you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!
-- End of quote --

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
On Tuesday 12 May 2009 07:04:46 am Charles Gregory wrote:
> Greetings!
>
> Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ... I've saved the file to:
>
> http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip
>
> I don't have the facilities to test anything, but just the fact that it is an attached exe in an obvious phish makes me wonder if this is a brand new virus (or clever scheme that should still be trapped)?
>
> So if someone can test/analyse the above file (it tests clean with this morning's clamscan), I would be interested in how it does its 'thing'
>
> - Charles
>
> -- Forwarded message --
> Date: Tue, 12 May 2009 10:59:31 +0200
> From: Western Union hcha...@enviromedia.com
> To: cgreg...@hwcn.org
> Subject: [4.4] Western Union Transfer MTCN: 0258258718
>
> Dear Customer!
>
> The money transfer you have sent on the 21st of March has not been received by the recipient. According to the Western Union agreement the transfers which are not collected in 30 business days are to be returned to sender. To collect cash you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.
>
> Thank you!
> -- End of quote --

I got several of these over the past couple of days. My ISP trapped them as viruses; they never made it to my system. Be careful if you opened the attachment! I run clamav but I'm on a Linux system so I don't worry as much. Also my ISP does a good job of filtering viruses and spam, etc.
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
Charles Gregory wrote:
> Greetings!

Hi,

The right place for malware and suspected malware submissions is:
http://www.clamav.net/sendvirus/

aCaB
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
> Greetings!
>
> Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ...

Hi Charles,

It's been out since yesterday lunchtime... bit more info here:
http://www.calendarofupdates.com/updates/index.php?showtopic=19142

Blocked yesterday as: Sanesecurity.Malware.11227

Cheers,

Steve
Sanesecurity
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
At 10:04 AM -0400 5/12/09, Charles Gregory wrote:
> Greetings!
>
> Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ... I've saved the file to:
>
> http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip
>
> I don't have the facilities to test anything, but just the fact that it is an attached exe in an obvious phish makes me wonder if this is a brand new virus (or clever scheme that should still be trapped)?
>
> So if someone can test/analyse the above file (it tests clean with this morning's clamscan), I would be interested in how it does its 'thing'
>
> - Charles

Charles,

It's a Zbot Trojan. You can check by sending to s...@virustotal.com with the word SCAN as the subject and attach the suspected malware. virustotal will forward to AV vendors including ClamAV.

If you want, you can forward to virus-samp...@oitc.com and we'll make a temporary signature for it until ClamAV folks build an analyzed signature. These signatures are contained in winnow_malware.hdb distributed along with the sanesecurity sigs. We have submitted this one to ClamAV and built a temporary signature for it.

Tom

Complete scanning result of MTCN_INVOICE.exe, processed in VirusTotal at 05/12/2009 16:28:26 (CET).

[ file data ]
* name..: MTCN_INVOICE.exe
* size..: 91136
* md5...: e359b56297b6ab3fdde471a0eef79871
* sha1..: 05d3c96587011102685aaf4a6e5072f3bb539cdc
* peid..: -

[ scan result ]
a-squared          4.0.0.101/20090512      found [Trojan-Spy.Win32.Zbot!IK]
AhnLab-V3          5.0.0.2/20090512        found nothing
AntiVir            7.9.0.166/20090512      found [TR/Spy.ZBot.hab]
Antiy-AVL          2.0.3.1/20090512        found nothing
Authentium         5.1.2.4/20090512        found [W32/Zbot.YI]
Avast              4.8.1335.0/20090511     found nothing
AVG                8.5.0.327/20090512      found nothing
BitDefender        7.2/20090512            found [Trojan.Spy.Zbot.TP]
CAT-QuickHeal      10.00/20090512          found [(Suspicious) - DNAScan]
ClamAV             0.94.1/20090512         found nothing
Comodo             1157/20090508           found nothing
DrWeb              5.0.0.12182/20090512    found nothing
eSafe              7.0.17.0/20090512       found [Suspicious File]
eTrust-Vet         31.6.6501/20090512      found [Win32/Kollah.AIF]
F-Prot             4.4.4.56/20090512       found [W32/Zbot.YI]
F-Secure           8.0.14470.0/20090512    found [Trojan-Spy:W32/Zbot.OTC]
Fortinet           3.117.0.0/20090512      found nothing
GData              19/20090512             found [Trojan.Spy.Zbot.TP]
Ikarus             T3.1.1.49.0/20090512    found [Trojan-Spy.Win32.Zbot]
K7AntiVirus        7.10.732/20090511       found nothing
Kaspersky          7.0.0.125/20090512      found [Trojan-Spy.Win32.Zbot.tmu]
McAfee             5612/20090511           found nothing
McAfee+Artemis     5612/20090511           found [Artemis!E359B56297B6]
McAfee-GW-Edition  6.7.6/20090512          found [Trojan.Spy.ZBot.hab]
Microsoft          1.4602/20090512         found [PWS:Win32/Zbot.M]
NOD32              4068/20090512           found [Win32/Spy.Zbot.NJ]
Norman             6.01.05/20090512        found nothing
nProtect           2009.1.8.0/20090512     found nothing
Panda              10.0.0.14/20090511      found [Suspicious file]
PCTools            4.4.2.0/20090507        found nothing
Prevx              3.0/20090512            found nothing
Rising             21.29.14.00/20090512    found nothing
Sophos             4.41.0/20090512         found [Troj/Agent-JUZ]
Sunbelt            3.2.1858.2/20090512     found [BehavesLike.Win32.Malware (v)]
Symantec           1.4.4.12/20090512       found [Infostealer.Banker.C]
TheHacker          6.3.4.1.324/20090509    found nothing
TrendMicro         8.950.0.1092/20090512   found nothing
VBA32              3.12.10.4/20090512      found nothing
ViRobot            2009.5.12.1731/20090512 found nothing
VirusBuster        4.6.5.0/20090511        found nothing
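Tom's "temporary signature" in winnow_malware.hdb is a ClamAV hash signature: one line per sample in the form MD5:FileSize:MalwareName, which is exactly what `sigtool --md5 FILE` prints. The script below is an added example, not code from the thread, from Tom, or from the ClamAV or Sanesecurity projects. It rebuilds that line with md5sum and wc so it runs without ClamAV installed, shows the hash-plus-size match that clamscan performs against a .hdb, and uses harmless constructed files rather than the real MTCN_INVOICE.exe. The one line it writes for the real sample reuses the MD5 and size VirusTotal reported above; the signature name Local.Trojan.Zbot.MTCN is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): build and check ClamAV MD5 hash
# signatures (.hdb). Format, one line per sample:
#     MD5:FileSize:MalwareName
# `sigtool --md5 FILE` prints the same line; md5sum + wc are used here so
# the script runs on a box without ClamAV.

# Print the .hdb line for FILE under signature NAME.
make_hdb_sig() {
    file=$1
    name=$2
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Look FILE up in a .hdb the way clamscan does for hash signatures:
# both the MD5 and the exact byte length must match. Prints the matching
# signature name and returns 0; prints nothing and returns 1 otherwise.
hdb_lookup() {
    db=$1
    file=$2
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    while IFS=: read -r sig_md5 sig_size sig_name; do
        case $sig_md5 in ''|'#'*) continue ;; esac   # skip blank/comment lines
        if [ "$sig_md5" = "$md5" ] && [ "$sig_size" = "$size" ]; then
            printf '%s\n' "$sig_name"
            return 0
        fi
    done < "$db"
    return 1
}

# Constructed sample files (plain text, not the MTCN_INVOICE.exe from the
# thread): one to block, and a "variant" that differs by a single byte.
workdir=$(mktemp -d)
printf 'hello\n' > "$workdir/sample.bin"
printf 'hellO\n' > "$workdir/variant.bin"

# custom.hdb: the constructed sample's line, plus the MD5/size VirusTotal
# reported for MTCN_INVOICE.exe (91136 bytes); that signature name is
# an assumption, not an official ClamAV name.
{
    printf '# temporary hash signatures; MD5:size:name\n'
    make_hdb_sig "$workdir/sample.bin" "Local.Test.Sample"
    printf 'e359b56297b6ab3fdde471a0eef79871:91136:Local.Trojan.Zbot.MTCN\n'
} > "$workdir/custom.hdb"

hdb_lookup "$workdir/custom.hdb" "$workdir/sample.bin"
hdb_lookup "$workdir/custom.hdb" "$workdir/variant.bin" \
    || echo "variant.bin: no hash match (a hash signature is exact)"
```

With ClamAV installed, the same database is loaded alongside the official one with `clamscan -d custom.hdb MTCN_INVOICE.zip`; clamscan unpacks the zip by default, so the hash of the inner .exe still matches. The variant case is the caveat: any change to the file (a repacked build, an appended byte) defeats a hash signature, which is why a temporary .hdb line is a stopgap until an analyzed body signature ships.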
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
On Tue, 12 May 2009, aCaB wrote:
> The right place for malware and suspected malware submissions is:
> http://www.clamav.net/sendvirus/

At this point, I don't *know* if it's malware. Didn't want to waste the maintainer's time if this was just a social engineered phish.

That, and because I'm only on text-based linux, it's a hassle to get the file pasted into the form. Is there a submission mechanism that can be accessed via lynx/shell?

- Charles
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
On 2009-05-12 17:52, Charles Gregory wrote:
> On Tue, 12 May 2009, aCaB wrote:
>> The right place for malware and suspected malware submissions is:
>> http://www.clamav.net/sendvirus/
>
> At this point, I don't *know* if it's malware. Didn't want to waste the maintainer's time if this was just a social engineered phish.
>
> That, and because I'm only on text-based linux, it's a hassle to get the file pasted into the form. Is there a submission mechanism that can be accessed via lynx/shell?

You don't paste the file into the form, you attach the file, it's like:

    Attach raw message containing virus   [Browse]

Best regards,
--Edwin
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
On Tue, 12 May 2009, Steve Basford wrote:
>> Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ...
>
> It's been out since yesterday lunchtime... bit more info here:
> http://www.calendarofupdates.com/updates/index.php?showtopic=19142
>
> Blocked yesterday as: Sanesecurity.Malware.11227

H. Different filename. Might be a variant that I got. Either way, clam isn't catching it yet. I'm going to throw some string-catchers into my spam filter.

Thanks.

- Charles
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
On Tue, 12 May 2009, Tom Shaw wrote:
> At 10:04 AM -0400 5/12/09, Charles Gregory wrote:
>> Received the following e-mail that looks like a phishing attempt,
>> http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip
>
> Charles,
>
> It's a Zbot Trojan. You can check by sending to s...@virustotal.com with the word SCAN as the subject and attach the suspected malware. virustotal will forward to AV vendors including ClamAV.

Excellent! That's a great service! It's rare I see a virus before Clam has a signature for it, but I will keep this in mind.

Thanks!

- Charles