Normally when I receive spam mail in my admin account for the site, I simply delete it; but today one particular spam mail caught my attention. Subject: “Spyware Alert!”; the text of the message was simply “AbuseReport”, with two attachments: AbuseReport.gif and patch-2135.zip.
OK, now you have my attention.

patch-2135.zip contains patch2135.exe
Using a password-protected archive is a fairly common tactic for slipping malware past email AV scanners: the scanner cannot decrypt the archive's contents, so signature matching never sees the executable inside (only the entry names, which zip stores in the clear, remain visible to it).
Complete scanning result of “patch-2135.exe”, received in VirusTotal at 04.12.2007, 20:46:37 (CET).
| Antivirus | Version | Update | Result |
| AhnLab-V3 | 2007.4.12.0 | 04.12.2007 | no virus found |
| Authentium | 4.93.8 | 04.12.2007 | W32/Trojan.AEJW |
| Avast | 4.7.936.0 | 04.11.2007 | no virus found |
| AVG | 7.5.0.447 | 04.12.2007 | no virus found |
| BitDefender | 7.2 | 04.12.2007 | Trojan.Peed.Gen |
| CAT-QuickHeal | 9.00 | 04.12.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070312 | 04.12.2007 | Trojan.Small-1641 |
| DrWeb | 4.33 | 04.12.2007 | no virus found |
| eSafe | 7.0.15.0 | 04.12.2007 | Suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3562 | 04.12.2007 | Win32/Pecoan.R |
| Ewido | 4.0 | 04.12.2007 | no virus found |
| FileAdvisor | 1 | 04.12.2007 | no virus found |
| Fortinet | 2.85.0.0 | 04.12.2007 | suspicious |
| F-Prot | 4.3.2.48 | 04.12.2007 | W32/Trojan.AEJW |
| F-Secure | 6.70.13030.0 | 04.12.2007 | Email-Worm.Win32.Zhelatin.ct |
| Ikarus | T3.1.1.5 | 04.12.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 04.12.2007 | Email-Worm.Win32.Zhelatin.ct |
| McAfee | 5006 | 04.11.2007 | no virus found |
| Microsoft | 1.2405 | 04.12.2007 | no virus found |
| NOD32v2 | 2184 | 04.12.2007 | Win32/Nuwar.Gen |
| Norman | 5.80.02 | 04.12.2007 | no virus found |
| Panda | 9.0.0.4 | 04.12.2007 | Suspicious file |
| Prevx1 | V2 | 04.12.2007 | no virus found |
| Sophos | 4.16.0 | 04.12.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 04.07.2007 | no virus found |
| Symantec | 10 | 04.12.2007 | Trojan.Packed.13 |
| TheHacker | 6.1.6.088 | 04.09.2007 | no virus found |
| VBA32 | 3.11.3 | 04.12.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 04.12.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 04.12.2007 | Trojan.Small.DBY.BW |
| Additional Information | |
| File size: | 40649 bytes |
| MD5: | 6335fea1792a2f4523323d54acc14f77 |
| SHA1: | a5d5bc891a0994cba2952710707b19e98fcebd7b |
Yep, Storm Worm and a new variant.
W32.Worm.Nuwar.Gen
| Name: | W32.Worm.Nuwar.Gen |
| Aliases: | Trojan.Peed.Gen (BitDefender), Email-Worm.Win32.Zhelatin (Fortinet), Email-Worm.Win32.Zhelatin (Kaspersky), Win32/Nuwar.gen (Nod32), W32.Mixor (Symantec) |
| Brief description: | W32.Worm.Nuwar.Gen is a mass-mailing worm which harvests email addresses from the affected system and then sends a copy of itself to these harvested email addresses. Additionally, it injects code into executable files (.exe and .scr) so that when these modified executables are executed, a copy of W32.Worm.Nuwar is executed. Furthermore, it drops an additional trojan component which has rootkit capability and is also capable of downloading additional files; this dropped trojan component is known as W32.Trojan.Peacomm. |
| Affected Platforms: | |
The email subject lines seen so far:
“Worm Alert!”
“Worm Detected”
“Virus Alert”
“ATTN!”
“Trojan Detected!”
“Worm Activity Detected!”
“Spyware Detected!”
“Dream of You”
“Virus Activity Detected!”
There are two attachments: one is an image with ‘panic-worded’ text, and the other is a password-protected zip file whose password is revealed in the image.
The zip file names, so far:
“patch-<random 4 or 5 digit number>.zip”
“bugfix-<random 4 or 5 digit number>.zip”
“hotfix-<random 4 or 5 digit number>.zip”
“removal-<random 4 or 5 digit number>.zip”
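A gateway-side check for exactly this lure, written here as an added example (it is not code from the original post, from the site, or from any AV vendor). It builds a constructed stand-in for the mail described above, a GIF plus a one-entry zip whose data is encrypted with traditional PKWARE "ZipCrypto", and then triages it the way a mail filter could without knowing the password. The point it demonstrates is that ZipCrypto encrypts only the entry data: the central directory still names `patch2135.exe` and carries the encryption flag, so a filter can act on the naming pattern, the flag, the executable extension and the paired image even though the scanner cannot see the payload. The addresses, the password `1234`, the archive date and the placeholder executable bytes are all assumptions made for the sample.

```python
import io, re, struct, zipfile, zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Zip names the post lists: (patch|bugfix|hotfix|removal)-<4 or 5 digits>.zip
LURE_ZIP = re.compile(r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.zip$", re.I)
EXEC_EXT = (".exe", ".scr")  # the two extensions the post says the worm infects
FAKE_EXE = b"MZ" + bytes(62)  # constructed placeholder bytes, not a real binary


def _crc_step(crc, b):
    # One raw CRC-32 table step; zlib pre/post-inverts, so undo that around the call.
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(plaintext, password, crc):
    """Traditional PKWARE ('ZipCrypto') encryption of one stored entry's data."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        keys[0] = _crc_step(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    def keystream_byte():
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for b in password:
        update(b)
    out = bytearray()
    # 12-byte prefix: 11 filler bytes (random in real archives) + check byte = CRC high byte
    for p in bytes(11) + bytes([crc >> 24]) + plaintext:
        out.append(p ^ keystream_byte())
        update(p)
    return bytes(out)


def build_encrypted_zip(member, plaintext, password):
    """One-entry zip with ZipCrypto-encrypted data (general-purpose flag bit 0 set).
    The member name is stored in the clear in both the local and central headers."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = zipcrypto_encrypt(plaintext, password, crc)
    name = member.encode("ascii")
    dos_date = ((2007 - 1980) << 9) | (4 << 5) | 12  # 12 April 2007, chosen for the sample
    # version needed 2.0, flags=1 (encrypted), method 0 (stored), time, date, crc, sizes
    fixed = struct.pack("<HHHHHIII", 20, 1, 0, 0, dos_date, crc, len(body), len(plaintext))
    local = struct.pack("<I", 0x04034B50) + fixed + struct.pack("<HH", len(name), 0) + name
    central = (struct.pack("<IH", 0x02014B50, 20) + fixed
               + struct.pack("<HHHHHII", len(name), 0, 0, 0, 0, 0, 0) + name)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def read_member(zip_bytes, member, password):
    """Round trip through the standard library: proves the archive is a real encrypted zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member, pwd=password)


def triage_email(raw):
    """Gateway-side check for the lure described above. Returns the reasons a message is
    suspicious (empty list means nothing matched). No password is needed for any of it."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons, has_image = [], False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            has_image = True
            continue
        if payload[:4] != b"PK\x03\x04":
            continue
        if LURE_ZIP.match(name):
            reasons.append(f"{name}: matches the Storm lure naming pattern")
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            infos = zf.infolist()
        if any(zi.flag_bits & 0x1 for zi in infos):
            reasons.append(f"{name}: entries are encrypted, so content scanning is blind")
        execs = [zi.filename for zi in infos if zi.filename.lower().endswith(EXEC_EXT)]
        if execs:
            reasons.append(f"{name}: directory still lists executables {execs}")
    if reasons and has_image:
        reasons.append("image attached alongside the zip, the usual password carrier")
    return reasons


def build_sample_message(password=b"1234"):
    """Constructed stand-in for the described mail: a GIF plus an encrypted zip holding an .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "abuse@example.invalid", "admin@example.invalid"
    msg["Subject"] = "Spyware Alert!"
    msg.set_content("AbuseReport")
    msg.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif",
                       filename="AbuseReport.gif")
    msg.add_attachment(build_encrypted_zip("patch2135.exe", FAKE_EXE, password),
                       maintype="application", subtype="zip", filename="patch-2135.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in triage_email(build_sample_message()):
        print(reason)
```

Run directly, it prints the four reasons the constructed sample trips: the lure file name, the encryption flag, the `.exe` visible in the directory, and the paired image. `read_member` is there only to show that the archive really is ZipCrypto-encrypted: the standard library opens it with the right password and rejects a wrong one, which is exactly what a signature scanner without the password cannot do.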
If you have received one of these email messages, have fallen prey to their tactics and are now infected, please see our Malware Cleaning Guide and post in our Malware Removal Forum. There is a rootkit element of this infection that will require special handling to remove.
You must be a registered member of our site in order to post in the Forums. This is a free service to all; registration is simply required to keep the spam bots from flooding the site.




SpyHunter by Enigma Software Group (ESG) has been receiving quite a bit of attention in the security circles of late.
Spyhunter finds & removes Spyware, Adware, Keyloggers. Prevent credit card theft due to Spyware. Protect your privacy and secure your computer. …
This is what ESG claims SpyHunter can do.
SpyHunter was once listed as a “Rogue” Anti-Spyware Application by Eric Howes on his Rogue/Suspect Anti-Spyware Products & Web Sites list; here is what was said:
Enigma’s SpyHunter anti-spyware application was listed on this page primarily because of the company’s history of employing aggressive, deceptive advertising. The company was also known for exploiting the name “spybot” in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.
Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the “spybot” domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).
While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users’ PCs, we can no longer classify this application as “rogue/suspect.” Nonetheless, SpyHunter — at least in its current state — cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize. Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.
Domains: enigmasoftwaregroup.com, spywareremove.com, uninstallxupiter.com
In recent days it has come to light that someone has been posting spam links to SpyHunter. Individuals from 411-spyware.com have posted on several forums, misleading people seeking help in removing SpyLocked and similar rogue applications, with links to a “FreeSpywareScanner”. When you go to install the FreeSpywareScanner it becomes readily apparent that the tool being installed is the former “Rogue” Anti-Spyware Application SpyHunter.
It is precisely this type of behavior that got SpyHunter listed as a Rogue Application in the first place. Well, it seems that the makers of Spybot Search & Destroy think SpyHunter is malware: as of 11 April 2007, with the release of that day's Spybot S&D updates, SpyHunter is listed as Malware and is targeted for removal.
Updates 11 April 2007 (2007-04-11)
Adware
++ Zango.AntiSpamBar ++ Zango.Seekmo
Keylogger
+ Perfect Keylogger (2) ++ WideStep
Malware
++ Free-Key-Logger + InetLoader + Smitfraud-C. (2) + SpyDawn + SpyHunter ++ Win32.Agent.ahd ++ Win32.Optix.b
Trojan
+ 1und1Bill.Fake + Hupigon + NumbSoft + Win32.Lager.aq ++ Zlob.MovieBox + Zlob.PrivateVideo + WarezP2P
Total: 373599 fingerprints in 64879 rules for 2804 products
To answer my own question: should SpyHunter be listed as a Rogue Anti-Spyware Application?
YES
For further coverage of this story:
411-spyware.com - The new forum spammers?
Spyware Help: Intent Matters Alot:Part 2

