-
September 25th, 2006, 04:55 PM
#1
Virus Circulating Via Email
Hey Hey,
I was just about to head off to work when I did one last check of my email… and what do I see but an email with the subject ‘Mail Server Report’… The address doesn’t look familiar, but I’ve received a few of these lately from various mailing list submissions. This was the content of the email I opened:
—-
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
—-
I’m rather impressed…. these bastards are getting slicker and slicker…. or maybe this has been around for a while and I just don’t pay much attention… Attached to the email was the file Update-KB8375-x86.zip.
I submitted the file to VirusTotal and here’s what I got back:
Code:
Complete scanning result of “Update-KB8375-x86.exe”, received in VirusTotal at 09.25.2006, 15:50:55 (CET).
Antivirus Version Update Result AntiVir 7.2.0.18 09.25.2006 Worm/Stration.C
Authentium 4.93.8 09.25.2006 no virus found
Avast 4.7.844.0 09.25.2006 no virus found
AVG 386 09.22.2006 no virus found
BitDefender 7.2 09.25.2006 DeepScan:Generic.Stration.F614E1C9
CAT-QuickHeal 8.00 09.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 09.25.2006 no virus found
eTrust-InoculateIT 23.73.4 09.24.2006 Win32/Stration.Variant!Worm
eTrust-Vet 30.3.3098 09.25.2006 no virus found
DrWeb 4.33 09.22.2006 no virus found
Ewido 4.0 09.25.2006 no virus found
Fortinet 2.82.0.0 09.25.2006 suspicious
F-Prot 3.16f 09.25.2006 no virus found
F-Prot4 4.2.1.29 09.25.2006 no virus found
Ikarus 0.2.65.0 09.25.2006 no virus found
Kaspersky 4.0.2.24 09.25.2006 no virus found
McAfee 4858 09.22.2006 New Malware.n
Microsoft 1.1560 09.24.2006 no virus found
NOD32v2 1.1774 09.25.2006 a variant of Win32/Stration
Norman 5.80.02 09.25.2006 no virus found
Panda 9.0.0.4 09.25.2006 Suspicious file
Sophos 4.09.0 09.25.2006 W32/Stratio-AN
Symantec 8.0 09.25.2006 no virus found
TheHacker 6.0.1.079 09.25.2006 no virus found
UNA 1.83 09.22.2006 no virus found
VBA32 3.11.1 09.25.2006 no virus found
VirusBuster 4.3.7:9 09.25.2006 Trojan.Opnis.Gen!Pac2
Aditional Information File size: 116144 bytes
MD5: 633f4b2991ebdfd9e1611f4ec841a687
SHA1: bb77b78d54c8319caba19302f25ea72135797e18
It’s great to know that Symantec (one of the more favoured corporate AVs) and AVG (a very popular Free scanner) knew nothing of this virus yet…. If anyone is interested in the file for research or just to play with, let me know
Peace,
HT
PS, a nicely formatted version of this is available @ http://www.computerdefense.org/?p=111
-
September 25th, 2006, 05:05 PM
#2
-
September 25th, 2006, 05:11 PM
#3
Odd.. perhaps this is a different variant? According to VirusTotal the definitions are newer than the ones Symantec.com lists..
-
September 25th, 2006, 05:48 PM
#4
First saw some of these on the 11th and it WAS NOT detected by Symantec or McAfee...
While investigating what it was , after an AV update on either the 12th or the 13th, Symantec all of a sudden detected it as W32.Stration.A@mm...
Just letting you guys know what I saw...of course there are always mutations and variations as each asshat adds their own variations, but all basically the same...
Saw .scr attachments and saw attachments of .exe (masquarding as a MS KB article related patch), but the text of the ones I saw all indicated something to the effect of 'mail server logs'.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
September 26th, 2006, 03:43 AM
#5
Hey Hey,
I've done some sniffing while executing the virus and posted a "network walkthrough" @ http://www.computerdefense.org/?p=113
Peace,
HT
-
September 26th, 2006, 03:50 PM
#6
Junior Member
I may be asking a dumb question, but I am curious. Generally, when I run a new program, my firewall will alert me saying it is trying to broadcast on the internet. I know you are probably running a firewall, so when you ran this program, did it still not catch it? If not, I wonder how many programs do get past our firewalls? Any clue?
I'm running Sygate.
-Cowbaal
-
September 26th, 2006, 04:35 PM
#7
HT,
Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.
I use Symantec daily releases which is one step below rapid release.
FWIW,
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 26th, 2006, 08:10 PM
#8
Originally posted here by thehorse13
HT,
Places like VirusTotal don't use the daily updates or the rapid release signatures when looking at the online submissions. They use the "plain Jane" signatures which is why you normally see Symantec show up as clueless on their report. These can be days or even a week old.
I use Symantec daily releases which is one step below rapid release.
FWIW,
--TH13
I ran these on the 25th... which was the date on the AV signatures so they were the daily release.
-
September 26th, 2006, 09:28 PM
#9
Banned
Isn't it possible to prevent this by disabling the windows scripting host?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|