AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2888
Posted: Mon Apr 28, 2008 2:35 pm Post subject: Copy of malware from phishing sites
This is a copy of the malware that was being distributed by the phishing sites that were trying to get people to download an "update" instead of collecting data, and that were taken down Friday evening by TodayNIC. It's still not really well detected (10/32):
http://www.virustotal.com/analisis/c19187456899ae5514a2f4de1d0bdeb3
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.28 -
AntiVir 7.8.0.10 2008.04.28 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.28 -
AVG 7.5.0.516 2008.04.28 Downloader.Small.CIF
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.28 -
DrWeb 4.44.0.09170 2008.04.28 -
eSafe 7.0.15.0 2008.04.27 Suspicious File
eTrust-Vet 31.3.5741 2008.04.28 -
Ewido 4.0 2008.04.28 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 Trojan-PSW.Win32.Papras.dk
FileAdvisor 1 2008.04.28 -
Fortinet 3.14.0.0 2008.04.28 W32/Papras.DK!tr.pws
Ikarus T3.1.1.26.0 2008.04.28 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.04.28 Trojan-PSW.Win32.Papras.dk
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3060 2008.04.28 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.42.01.00 2008.04.28 -
Sophos 4.28.0 2008.04.28 Mal/EncPk-DB
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.28 -
VirusBuster 4.3.26:9 2008.04.28 -
Webwasher-Gateway 6.6.2 2008.04.28 Trojan.Crypt.XPACK.Gen
Additional information
File size: 22528 bytes
MD5...: 0f3cb17b799c3e1b673698abb1b50490
SHA1..: 06082ac7d71d8a2fd7dd5e046db5bf63edc0996d
SHA256: 80243707a86e75ef3f262ba6ffbcb3afb6975671a63023f24b26b6308a4d3202
SHA512: e05b6bd0c4cd99ea2732406941bd9579ac382f5ff6b909c120e0f2887efb4a3fb8b68dfc9351d47e13d0d69a80ec62024c55b9f79c4ea6201fe33b1157d85f56
So far I haven't seen any new versions of the same sites, but since the nameservers were also taken down, I can only check by IP address, and possibly they were shared with some legit sites.
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2888
Posted: Mon Apr 28, 2008 5:24 pm
I got spammed with another one today; looks like the same VirusTotal results. I submitted the URLs to MIRT:
http://www.virustotal.com/analisis/c19187456899ae5514a2f4de1d0bdeb3
http://comerica.tmcconnectweb.login.cgi.discuss39501.parent.115005.technet.security.bulletin.ms67-888.secureserv.05626-05567233.htmltag.fd-prodlink.cdlpid.54gd.com/logon.htm
http://comerica.tmcconnectweb.login.cgi.discuss39501.parent.115005.technet.security.bulletin.ms67-888.secureserv.05626-05567233.htmltag.fd-prodlink.cdlpid.sdfs44.com/logon.htm
http://comerica.tmcconnectweb.login.cgi.discuss39501.parent.115005.technet.security.bulletin.ms67-888.secureserv.05626-05567233.htmltag.fd-prodlink.cdlpid.onlinetreasury77.com/logon.htm
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2888
Posted: Mon Apr 28, 2008 5:26 pm
Here's the payload from today just in case it is different.
brewt
SIRT Handler Premium Member
 Joined: May 29, 2007 Posts: 792 Location: USA
Posted: Tue Jun 10, 2008 4:59 pm
phish malware for "suntrust online treasury"
phish with trojan download
submitted to both mirt and pirt
submitted to unknown files forum
MD5: dd3778278cc473e591d2e26b2f0455d4
First received: 06.10.2008 14:40:50 (CET)
Date: 06.10.2008 16:31:17 (CET) [<1D]
Results: 6/32
Permalink: analisis/a1333ff9d213621ebf2f2b527507cae4
http://www.siteadvisor.com/sites/34iuyrd.com/
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5869
Posted: Tue Jun 10, 2008 9:47 pm
The upload appears to be corrupt. If you still have the file, could you upload it again?
brewt
SIRT Handler Premium Member
 Joined: May 29, 2007 Posts: 792 Location: USA
Posted: Tue Jun 10, 2008 9:56 pm
trying again
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2888
Posted: Tue Jun 10, 2008 10:40 pm
This is from a Suntrust phish. It looks like it gets a number of files from http://124.217.249.5
The reverse dns on that is webstat12.com
Both webstat12.com and 124.217.249.5 are blank except for the word "hi!"
If you try to look for any files that don't exist, its 404-not-found page reveals it is running nginx/0.5.34, which is used by storm worm and Canadian Pharmacy sites, among others.
Registration for webstat12.com shows:
Administrative Contact:
Liang
liu bin
wu han huoche zhan
wu han Beijing 410214
CN
tel: 101 2345678
fax: 101 2345678
cncliup@21cn.com
That registration looked familiar. It turns out to be the same info used to register Express Herbal, Luxury Fashion, and Prestige Footwear domains with Xin Net. Seekaybee pointed out in his SIRT reports that "Wu Han Huoche Zhan" means "Wu Han Train Station."
The Elite Herbal folks seem to have been going out of their way to connect themselves with malware sites lately.
brewt
SIRT Handler Premium Member
 Joined: May 29, 2007 Posts: 792 Location: USA
Posted: Wed Jun 25, 2008 7:38 am
colonial bank malware phish
ColonialBankECERTv04510.exe
MD5: ea86c574f31c363d5d891edc8fb99286
First received: 06.24.2008 23:27:20 (CET)
Date: 06.24.2008 23:27:23 (CET) [<1D]
Results: 8/32
Permalink: analisis/47172c39cdde90d9af7216b7e81f81c7