



Normally when I receive spam in my admin account for the site, I simply delete it, but today one particular spam message caught my attention. Subject: "Spyware Alert!"; the text of the message was simply "AbuseReport", with two attachments: AbuseReport.gif and patch-2135.zip.
OK, now you have my attention.

patch-2135.zip is password protected and contains patch2135.exe.
Using a password-protected archive is a fairly common tactic for slipping malware past email AV scanners: the gateway can see that there is an archive but cannot open it to scan the executable inside, and the password arrives separately in the image so that a text-based filter never sees it either.
Complete scanning result of “patch-2135.exe”, received by VirusTotal on 04.12.2007, 20:46:37 (CET):

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.4.12.0 | 04.12.2007 | no virus found |
| Authentium | 4.93.8 | 04.12.2007 | W32/Trojan.AEJW |
| Avast | 4.7.936.0 | 04.11.2007 | no virus found |
| AVG | 7.5.0.447 | 04.12.2007 | no virus found |
| BitDefender | 7.2 | 04.12.2007 | Trojan.Peed.Gen |
| CAT-QuickHeal | 9.00 | 04.12.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070312 | 04.12.2007 | Trojan.Small-1641 |
| DrWeb | 4.33 | 04.12.2007 | no virus found |
| eSafe | 7.0.15.0 | 04.12.2007 | Suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3562 | 04.12.2007 | Win32/Pecoan.R |
| Ewido | 4.0 | 04.12.2007 | no virus found |
| FileAdvisor | 1 | 04.12.2007 | no virus found |
| Fortinet | 2.85.0.0 | 04.12.2007 | suspicious |
| F-Prot | 4.3.2.48 | 04.12.2007 | W32/Trojan.AEJW |
| F-Secure | 6.70.13030.0 | 04.12.2007 | Email-Worm.Win32.Zhelatin.ct |
| Ikarus | T3.1.1.5 | 04.12.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 04.12.2007 | Email-Worm.Win32.Zhelatin.ct |
| McAfee | 5006 | 04.11.2007 | no virus found |
| Microsoft | 1.2405 | 04.12.2007 | no virus found |
| NOD32v2 | 2184 | 04.12.2007 | Win32/Nuwar.Gen |
| Norman | 5.80.02 | 04.12.2007 | no virus found |
| Panda | 9.0.0.4 | 04.12.2007 | Suspicious file |
| Prevx1 | V2 | 04.12.2007 | no virus found |
| Sophos | 4.16.0 | 04.12.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 04.07.2007 | no virus found |
| Symantec | 10 | 04.12.2007 | Trojan.Packed.13 |
| TheHacker | 6.1.6.088 | 04.09.2007 | no virus found |
| VBA32 | 3.11.3 | 04.12.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 04.12.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 04.12.2007 | Trojan.Small.DBY.BW |

Additional information:
File size: 40649 bytes
MD5: 6335fea1792a2f4523323d54acc14f77
SHA1: a5d5bc891a0994cba2952710707b19e98fcebd7b
Yep, Storm Worm, and a new variant: only 14 of the 30 engines flagged the file at the time of the scan (10 with a named signature, 4 as merely "suspicious"), while the other 16, McAfee, Microsoft and Sophos among them, reported no virus found. The engines that did detect it use different family names (Zhelatin, Nuwar, Peed, Peacomm, Small, Mixor) for what is the same Storm Worm code base.
W32.Worm.Nuwar.Gen
| Name: | W32.Worm.Nuwar.Gen |
|---|---|
| Aliases: | Trojan.Peed.Gen (BitDefender), Email-Worm.Win32.Zhelatin (Fortinet), Email-Worm.Win32.Zhelatin (Kaspersky), Win32/Nuwar.gen (Nod32), W32.Mixor (Symantec) |
| Brief description: | W32.Worm.Nuwar.Gen is a mass-mailing worm which harvests email addresses from the affected system and then sends a copy of itself to these harvested email addresses. Additionally, it injects code into executable files (.exe and .scr) so that when these modified executables are executed, a copy of W32.Worm.Nuwar will be executed. Furthermore, it drops an additional trojan component which has rootkit capability and is also capable of downloading additional files; this dropped trojan component is known as W32.Trojan.Peacomm. |
| Affected Platforms: | |
The subject lines of the email seen so far:
“Worm Alert!”
“Worm Detected”
“Virus Alert”
“ATTN!”
“Trojan Detected!”
“Worm Activity Detected!”
“Spyware Detected!”
“Dream of You”
“Virus Activity Detected!”
There are always two attachments: one is an image containing panic-worded text, and the other is a password-protected zip file whose password is revealed only in the image. The pairing is deliberate: the archive cannot be scanned without the password, and the password is kept out of the message text where a filter could read it.
The zip file names seen so far:
“patch-<random 4 or 5 digit number>.zip”
“bugfix-<random 4 or 5 digit number>.zip”
“hotfix-<random 4 or 5 digit number>.zip”
“removal-<random 4 or 5 digit number>.zip”
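The two points above, the password-protected archive that the AV scanner cannot open and the image-plus-archive lure pattern with the listed subject lines and attachment names, are exactly what a mail gateway can still match on without the password. Here is an added example (not code from the original post) that checks a raw message for those indicators: a listed subject, an image attachment, and a zip attachment whose name matches the patch-/bugfix-/hotfix-/removal-<digits>.zip pattern and whose local file header has the ZIP encryption flag set. The sample messages and the archive are constructed inline for the demonstration; because zipfile cannot write encrypted archives, the demo archive only has the encryption flag bit patched in, and its content is not actually encrypted.

```python
import email
import email.policy
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Subject lines reported in the post (plus the one that started it off)
LURE_SUBJECTS = {
    "Spyware Alert!", "Worm Alert!", "Worm Detected", "Virus Alert", "ATTN!",
    "Trojan Detected!", "Worm Activity Detected!", "Spyware Detected!",
    "Dream of You", "Virus Activity Detected!",
}
# patch-/bugfix-/hotfix-/removal-<random 4 or 5 digit number>.zip
LURE_ZIP_NAME = re.compile(r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.zip$", re.I)

LOCAL_HDR_SIG = b"PK\x03\x04"
CENTRAL_HDR_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general purpose bit flag


def zip_is_encrypted(data: bytes) -> bool:
    """True if any local file header carries the encryption bit.

    The flag sits in the clear at offset 6 of every local header, so a
    gateway can tell an archive is encrypted without knowing the password,
    even though it cannot scan what is inside.
    """
    pos = data.find(LOCAL_HDR_SIG)
    while pos >= 0 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & FLAG_ENCRYPTED:
            return True
        pos = data.find(LOCAL_HDR_SIG, pos + 4)
    return False


def lure_indicators(raw: bytes) -> list[str]:
    """Return the Storm lure indicators present in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    subject = str(msg.get("subject", "")).strip().strip('"\u201c\u201d')
    if subject in LURE_SUBJECTS:
        hits.append("subject")
    has_image = has_encrypted_zip = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type().startswith("image/"):
            has_image = True
        if LURE_ZIP_NAME.match(name):
            hits.append("zip-name")
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                hits.append("encrypted-zip")
                has_encrypted_zip = True
    if has_image and has_encrypted_zip:
        hits.append("image+encrypted-zip")
    return hits


def is_storm_lure(raw: bytes) -> bool:
    """Quarantine rule: the image + encrypted zip pairing alone is enough."""
    hits = lure_indicators(raw)
    return "image+encrypted-zip" in hits or len(hits) >= 2


# --- constructed test data (hypothetical, not the real sample) -----------

def make_zip(inner_name: str, inner_data: bytes, encrypted: bool) -> bytes:
    """Build a tiny zip; optionally set the encryption flag (flag only, content stays clear)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_data)
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags live at +6 in local headers and +8 in central directory entries
        for sig, off in ((LOCAL_HDR_SIG, 6), (CENTRAL_HDR_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                (flags,) = struct.unpack_from("<H", data, pos + off)
                struct.pack_into("<H", data, pos + off, flags | FLAG_ENCRYPTED)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample(subject: str, zip_name: str, encrypted: bool = True) -> bytes:
    """Constructed message in the shape the post describes (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "abuse@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = subject
    msg.set_content("AbuseReport")
    # a few bytes of GIF header stand in for the panic-worded image
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                       subtype="gif", filename="AbuseReport.gif")
    msg.add_attachment(make_zip("patch2135.exe", b"MZ", encrypted),
                       maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Spyware Alert!", "patch-2135.zip")
    benign = build_sample("Build notes", "report.zip", encrypted=False)
    print(lure_indicators(lure), is_storm_lure(lure))
    # ['subject', 'zip-name', 'encrypted-zip', 'image+encrypted-zip'] True
    print(lure_indicators(benign), is_storm_lure(benign))  # [] False
```

The point of reading the flag byte rather than trying to open the archive is that encryption defeats content scanning but not structural inspection: a gateway that cannot scan an attachment from an unknown sender can still refuse to deliver it, and that policy holds for whatever random number the next patch-/hotfix- name carries.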
If you have received one of these email messages, fallen prey to their tactics and are now infected, please see our Malware Cleaning Guide and post in our Malware Removal Forum. There is a rootkit element to this infection that requires special handling to remove.
You must be a registered member of our site in order to post in the Forums. This is a free service to all; registration is required only to keep the spam bots from flooding the site.
11:53 pm - April 12th, 2007