Saturday, 26 May 2007

rtf malware spam

This seems to be a new formatted malware spam going around, along the same lines as the "Better Business Bureau targeted malware spam" that SANS reported today.

Here's a screenshot from the new style spam:

If you go to the top level directory of the domain that's hosting the file, you can see an open directory:

What's interesting is the date of the actual "bad" RTF file, 9th May 2007... so as it's been there a while now, let's see how the anti-virus scanners coped:

Complete scanning result of "superpages.rtf", received in VirusTotal at 05.26.2007, 08:23:20 (CET).

AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 05.25.2007 no virus found
AVG 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 Trojan.Spy.Agent.NDQ
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 no virus found
Fortinet 05.26.2007 no virus found
F-Prot 05.25.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 05.26.2007 Trojan-Spy.Win32.Delf.jq
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 TrojanSpy:Win32/Logsnif.gen
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 05.25.2007 Trj/Passtealer.DE
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 Troj/Agent-FPG
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 suspected of Malware.Delf.43
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 Trojan.Spy.Delf.JQ.112 (suspicious)
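The list above is the plain-text form VirusTotal reports came in at the time: engine, an optional engine version, the signature-update date and the verdict. As an added example (not the author's code, and not a VirusTotal tool), here is a small parser that turns those lines into structured records and works out the detection ratio, separating firm signature hits from heuristic "suspected"/"suspicious"/"possibly" verdicts. The sample input is the post's own result list embedded as a constant; the regular expression and the heuristic markers are this example's assumptions about the format, not something the post states.

```python
"""Parse a plain-text VirusTotal-style scan listing into structured verdicts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the result lines quoted in the post above, copied verbatim.
SAMPLE_REPORT = """\
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 05.25.2007 no virus found
AVG 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 Trojan.Spy.Agent.NDQ
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 no virus found
Fortinet 05.26.2007 no virus found
F-Prot 05.25.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 05.26.2007 Trojan-Spy.Win32.Delf.jq
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 TrojanSpy:Win32/Logsnif.gen
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 05.25.2007 Trj/Passtealer.DE
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 Troj/Agent-FPG
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 suspected of Malware.Delf.43
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 Trojan.Spy.Delf.JQ.112 (suspicious)
"""

# Assumed line layout: engine, optional version token, date as MM.DD.YYYY, verdict text.
# The date column is what anchors the parse, since the version column is sometimes missing.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+"
    r"(?:(?P<version>\S+)\s+)?"
    r"(?P<updated>\d{2}\.\d{2}\.\d{4})\s+"
    r"(?P<result>.+?)\s*$"
)
CLEAN_VERDICT = "no virus found"
# Wording engines use for generic/heuristic hits rather than a firm signature match.
HEURISTIC_MARKERS = ("suspected", "suspicious", "possibly")


@dataclass
class ScanResult:
    engine: str
    version: Optional[str]
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.lower() != CLEAN_VERDICT

    @property
    def heuristic(self) -> bool:
        low = self.result.lower()
        return self.detected and any(marker in low for marker in HEURISTIC_MARKERS)


def parse_report(text: str) -> List[ScanResult]:
    """Parse every non-blank line; raise on a line that does not fit the layout."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        results.append(ScanResult(m["engine"], m["version"], m["updated"], m["result"]))
    return results


def summarize(results: List[ScanResult]) -> Dict[str, object]:
    """Detection count, heuristic-only count, ratio and the names each engine gave."""
    hits = [r for r in results if r.detected]
    return {
        "engines": len(results),
        "detected": len(hits),
        "heuristic": sum(1 for r in hits if r.heuristic),
        "ratio": round(len(hits) / len(results), 3) if results else 0.0,
        "names": {r.engine: r.result for r in hits},
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['detected']}/{summary['engines']} engines flagged the file "
          f"({summary['heuristic']} of them heuristically)")
    for engine, name in sorted(summary["names"].items()):
        print(f"  {engine:20} {name}")
```

Run against the post's list this gives 9 of 30 engines detecting, three of them only heuristically, which is the coverage gap the post is pointing at for a file that had been sitting on the server since 9th May.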

Additional Information
File size: 157686 bytes
MD5: d948f4b41be0aee7b3bd292e33082313
SHA1: 5e4f9655effbcb7ff8f03f05a6a4f778bf9a54f6
packers: UPX
Hopefully this will improve now that VirusTotal have the file. Until then... I've added a simple detection for this new type: Html.Malware.Sanesecurity.07052600
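Until scanner signatures catch up, a mail gateway or quarantine script can still triage an attachment like this on its own: hash it against the values in the VirusTotal summary above, and check that the bytes actually are what the extension claims. This is an added example, not the author's code or the Sanesecurity signature; the only page-derived values are the MD5 and SHA1 above. It assumes (an inference from the "packers: UPX" note and the Win32 detection names, which the post does not state outright) that the "RTF" is really a packed Windows executable, so an MZ header under a document extension is treated as the decisive sign. The two byte samples are constructed for the example and are not the real file.

```python
"""Triage a quarantined attachment: known-bad hashes plus extension/content mismatch."""
import hashlib
import os
from typing import Dict

# Hashes quoted in the VirusTotal summary for superpages.rtf (from the post).
KNOWN_BAD_MD5 = {"d948f4b41be0aee7b3bd292e33082313"}
KNOWN_BAD_SHA1 = {"5e4f9655effbcb7ff8f03f05a6a4f778bf9a54f6"}

# What each document extension should look like inside.
EXTENSION_TYPES = {".rtf": "rtf", ".doc": "ole", ".pdf": "pdf", ".exe": "pe"}

# Constructed samples (not the real file): a genuine RTF, and a stand-in for a
# UPX-packed executable with the MZ stub and UPX section names a packed PE carries.
GENUINE_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Hello.}"
FAKE_PACKED_PE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20
                  + b"UPX0" + b"\x00" * 36 + b"UPX1")


def sniff_type(data: bytes) -> str:
    """Classify by leading magic bytes, ignoring the file name entirely."""
    head = data[:8]
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    return "unknown"


def upx_hint(data: bytes) -> bool:
    """UPX leaves its section names near the start of a packed PE; look there."""
    window = data[:4096]
    return any(marker in window for marker in (b"UPX0", b"UPX1", b"UPX!"))


def triage(filename: str, data: bytes) -> Dict[str, object]:
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    ext = os.path.splitext(filename.lower())[1]
    declared = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "file": filename,
        "md5": md5,
        "sha1": sha1,
        "declared": declared,
        "actual": actual,
        # Only call it a mismatch when we know what the extension should contain.
        "type_mismatch": declared != "unknown" and declared != actual,
        "known_bad": md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1,
        "packed_upx": actual == "pe" and upx_hint(data),
    }


def verdict(report: Dict[str, object]) -> str:
    if report["known_bad"]:
        return "block: matches known-bad hash"
    if report["type_mismatch"] and report["actual"] == "pe":
        return f"block: executable disguised as {report['declared']}"
    if report["type_mismatch"]:
        return "review: content does not match extension"
    return "pass"


if __name__ == "__main__":
    for name, blob in (("superpages.rtf", FAKE_PACKED_PE), ("invoice.rtf", GENUINE_RTF)):
        r = triage(name, blob)
        print(f"{name}: declared={r['declared']} actual={r['actual']} "
              f"upx={r['packed_upx']} -> {verdict(r)}")
```

The hash check catches the exact sample once its hashes are known; the magic-byte check is what catches the next repack, because a UPX-packed trojan with a fresh hash still starts with MZ and still is not an RTF document.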


Map said...

what an informative blog, keep it going - bookmarked!

Anonymous said...

This is now recognized by clamav signatures.