Here's a screenshot from the new style spam:
If you go to the top level directory of the domain that's hosting the file, you can see an open directory:
What's interesting is the date of the actual "bad" RTF file, 9th May 2007... so as it's been there a while now, let see how the Anti-Virus scanners coped:
Complete scanning result of "superpages.rtf", received in VirusTotal at 05.26.2007, 08:23:20 (CET).Hopefully this will improve now that VirusTotal have the file. Until then... I've added a simple detection for this new type: Html.Malware.Sanesecurity.07052600
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 Trojan.Spy.Agent.NDQ
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 no virus found
Fortinet 2.85.0.0 05.26.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 4.0.2.24 05.26.2007 Trojan-Spy.Win32.Delf.jq
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 TrojanSpy:Win32/Logsnif.gen
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 Trj/Passtealer.DE
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 Troj/Agent-FPG
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 suspected of Malware.Delf.43
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 Trojan.Spy.Delf.JQ.112 (suspicious)
Aditional Information
File size: 157686 bytes
MD5: d948f4b41be0aee7b3bd292e33082313
SHA1: 5e4f9655effbcb7ff8f03f05a6a4f778bf9a54f6
packers: UPX
packers: UPX, BINARYRES, UPX
packers: UPX
2 comments:
what an informative blog, keep it going - bookmarked!
This is now recognized by clamav signatures.
Post a Comment