
Thursday, 19 May 2011

fake dhl email using pif

Another round of fake DHL emails... but this time... it's got a PIF attachment, instead of the
normal zipped exe variety.

Here's the email....

Submitted to Threatexpert:
http://www.threatexpert.com/report.aspx?md5=8b7c994f4d5b0b5e35216bd68d87edb3

Submitted to VirusTotal (7/43)
http://www.virustotal.com/file-scan/report.html?id=2936d561853db9119ac2d5e7120f80d4e8ed39fa191365b5d8be83cfa4f95343-1305796256

It seems to be interested in the following banks:
http://eureka.cyber-ta.org/OUTPUT/8b7c994f4d5b0b5e35216bd68d87edb3/dns.txt

Detected as:

Sanesecurity.Rogue.2050 and Sanesecurity.Malware.16418

Cheers,

Steve
Sanesecurity

Wednesday, 30 March 2011

strange facebook emails

Received this interesting and very simple email today...

From the source code you can see that the link doesn't go to facebook...

... It instead takes you to a forum... which has been hacked (which you can see when you look at the source code)



The forum then re-directs you, via a 302 redirect... to another site (seen with httpfox)

The final site you end up at... is a fake anti-virus site, and those are generally a pain to remove :(

Checking the actual fake anti-virus site (in bold) with urlvoid.com...

You can see that out of 21 url checkers... they all come up clean....

It's not nice out there.... but Sanesecurity.Malware.15890 and Sanesecurity.Malware.15891 are currently blocking these emails.

Cheers,

Steve
Sanesecurity

Tuesday, 14 September 2010

birth certificate malware

Here's a birth certificate email:

Inside the zip... is surprise, surprise... an exe file:

Submitted to VirusTotal:

Added detection as:

Sanesecurity.Rogue.0hr.0914v32427 (rogue.hdb)

Cheers,

Steve
Sanesecurity

Thursday, 26 August 2010

New FedEx malware run... Zbot

Been a while since I've posted here, so thought it was about time...

A new malware run *just* came in... with a nice jpg and a not-so-nice exe in a zip file...

Submitted the exe to VirusTotal and the detection isn't great...

Already being detected as: Sanesecurity.Malware.14529.UNOFFICIAL
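As an added example (not from the Sanesecurity blog or its signature files), here is a small Python triage script covering the three tricks these posts describe: a bare executable attachment such as the DHL .pif, an .exe hidden inside a zip as in the FedEx and birth-certificate runs, and a Facebook-style link whose visible text names one site while its href goes to another. The sample message, the hacked-forum.example host and the attachment names are constructed for the demonstration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; .pif is the one the DHL run above switched to.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")

def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def link_mismatches(html):
    """Yield (claimed, actual) when anchor text names a site but the href goes elsewhere."""
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).lower()   # strip nested tags from the link text
        claimed, host = DOMAIN.search(text), re.match(r"https?://([^/:]+)", href.lower())
        if claimed and host and host[1] != claimed[1] and not host[1].endswith("." + claimed[1]):
            yield claimed[1], host[1]

def triage(raw):
    """Return the reasons a raw RFC 822 message matches the patterns in these posts."""
    msg, hits = message_from_bytes(raw, policy=policy.default), []
    for part in msg.walk():
        name = part.get_filename() or ""
        if ext_of(name) in EXEC_EXTS:                  # bare executable, e.g. the .pif
            hits.append(f"executable attachment: {name}")
        elif ext_of(name) == ".zip":                   # exe hidden in a zip (FedEx / birth certificate)
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += [f"executable inside {name}: {m}" for m in zf.namelist() if ext_of(m) in EXEC_EXTS]
    html = msg.get_body(preferencelist=("html",))
    if html is not None:                               # Facebook-style link that does not go to Facebook
        hits += [f"link text says {c} but goes to {h}" for c, h in link_mismatches(html.get_content())]
    return hits

def build_sample():
    """Constructed sample message (not a real capture) combining the three tricks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Label.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg.set_content('<a href="http://hacked-forum.example/index.php">http://www.facebook.com/</a>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="FedEx_Label.zip")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="DHL_Document.pif")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see all three findings; the domain comparison is a simple suffix check, so a link whose text and target share a registered domain (for example m.facebook.com vs facebook.com) is not flagged.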

Cheers,

Steve
Sanesecurity

Tuesday, 27 October 2009

Fake Facebook Password Reset Confirmation

Hi,

Had loads of these hit the inbox this morning....

Virus Total:

Antivirus            Version            Last Update   Result
a-squared            4.5.0.41           2009.10.27    -
AhnLab-V3            5.0.0.2            2009.10.26    -
AntiVir              7.9.1.44           2009.10.26    -
Antiy-AVL            2.0.3.7            2009.10.26    -
Authentium           5.1.2.4            2009.10.27    W32/Bredolab!Generic
Avast                4.8.1351.0         2009.10.26    -
AVG                  8.5.0.423          2009.10.26    Win32/Heur
BitDefender          7.2                2009.10.27    Trojan.Downloader.Bredolab.AZ
CAT-QuickHeal        10.00              2009.10.27    -
ClamAV               0.94.1             2009.10.27    -
Comodo               2744               2009.10.27    Heur.Packed.Unknown
DrWeb                5.0.0.12182        2009.10.27    -
eSafe                7.0.17.0           2009.10.25    Suspicious File
eTrust-Vet           35.1.7084          2009.10.26    -
F-Prot               4.5.1.85           2009.10.26    -
F-Secure             9.0.15370.0        2009.10.22    Trojan.Downloader.Bredolab.AZ
Fortinet             3.120.0.0          2009.10.26    -
GData                19                 2009.10.27    Trojan.Downloader.Bredolab.AZ
Ikarus               T3.1.1.72.0        2009.10.27    -
Jiangmin             11.0.800           2009.10.26    -
K7AntiVirus          7.10.879           2009.10.24    -
Kaspersky            7.0.0.125          2009.10.27    Packed.Win32.Krap.w
McAfee               5783               2009.10.26    Bredolab.gen.a
McAfee+Artemis       5783               2009.10.26    Bredolab.gen.a
McAfee-GW-Edition    6.8.5              2009.10.27    -
Microsoft            1.5202             2009.10.27    TrojanDownloader:Win32/Bredolab.X
NOD32                4545               2009.10.26    -
Norman               6.03.02            2009.10.26    W32/Obfuscated.D2!genr
nProtect             2009.1.8.0         2009.10.26    -
Panda                10.0.2.2           2009.10.26    -
PCTools              4.4.2.0            2009.10.19    -
Prevx                3.0                2009.10.27    -
Rising               21.53.10.00        2009.10.27    -
Sophos               4.46.0             2009.10.27    Mal/Bredo-A
Sunbelt              3.2.1858.2         2009.10.26    Trojan.Win32.Bredolab.Gen.1 (v)
Symantec             1.4.4.12           2009.10.27    -
TheHacker            6.5.0.2.054        2009.10.26    -
TrendMicro           8.950.0.1094       2009.10.27    TROJ_BREDLAB.SMF
VBA32                3.12.10.11         2009.10.26    -
ViRobot              2009.10.27.2006    2009.10.27    -
VirusBuster          4.6.5.0            2009.10.26    -

Detected as:

Sanesecurity.Malware.12841
Sanesecurity.Malware.12842