Storm worm 5/16/08

AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2662

Premium

PostPosted: Sat May 17, 2008 3:23 am    Post subject: Storm worm 5/16/08

This is a copy of storm worm I just downloaded. There are two files on their sites, load.php, which is a short file that is well detected and was first submitted to VirusTotal on May 6, and this one, load2.php, which is longer and more poorly detected. (Both downloads are actually called devnull.exe when you actually download them.)

VirusTotal
devnull2.exe.txt received on 05.17.2008 04:55:02 (CET)
Result: 9/32 (28.13%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.16 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.17 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.16 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.16 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.16 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.15 -
GData 2.0.7306.1023 2008.05.17 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 Email-Worm.Win32.Zhelatin.yu
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 -
Rising 20.44.42.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.16 -
VirusBuster 4.3.26:9 2008.05.16 -
Webwasher-Gateway 6.6.2 2008.05.17 Trojan.Dropper.Gen
Additional information
File size: 147968 bytes
MD5...: a66bbece993e384e53f082b809ac9d4b
SHA1..: e3e7d1d8978f5b9e269c190b840c5c1825cdbe6c
SHA256: aca48fb99de6e65151bc3a2ffd593197c88894758d7783a89faf0c36b626753e
SHA512: 49f534644e786d4bc3559ab04e7a6d8371be70ce0ccc99bc60d82d0c5d390875cefa35a84bef84684a3d8ce85744548a043ce34ac04434ddf7c07ed1070e8bd3

Jotti:
Scan taken on 17 May 2008 02:57:10 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found I-Worm/Nuwar.R
BitDefender
Found Trojan.Peed.PJ
ClamAV
Found nothing
CPsecure
Found W32.Email.W.Zhelatin.yu
Dr.Web
Found Trojan.Packed.460
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2662

Premium

PostPosted: Sat May 17, 2008 3:25 am    Post subject:

Actually, here is the load.php file just in case both are necessary for testing.

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5764

MIRT Premium

PostPosted: Sat May 17, 2008 3:14 pm    Post subject:

I've added devnull.exe (the 145KB one) to the malware listserv.


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2662

Premium

PostPosted: Mon May 19, 2008 9:46 pm    Post subject:

There's a round of spam going out. Payload=iloveyou.exe

VirusTotal:
Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.18 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
Additional information
File size: 145920 bytes
MD5...: 437d274f0982baacf6104df3f1e37695
SHA1..: bcdb5dfd0502099f6ca89d5808287bab822640d2
SHA256: 228534573f1efefae24607f9d2ab7d49cba2cfab17e1028355ed1c383ccb9c76
SHA512: 6747a86db845a1a9e72290633b76b0a30912c9c64167616e6f868a632c1405d890989c257581e152f0d56e9dd8bf25b61449d82f0db0e7e255f2900541bd7a7b

Jotti:
Scan taken on 19 May 2008 21:19:04 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found I-Worm/Nuwar.R
BitDefender
Found Trojan.Peed.PJ
ClamAV
Found nothing
CPsecure
Found W32.Email.W.Zhelatin.yu
Dr.Web
Found Trojan.Packed.460
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

spam=

Quote:
Subject: Missing you with every breath


The Mood for Love http://200.8.72.64/


No proxy or User Agent Switcher necessary to download this one.
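As an added example (not part of AlphaCentauri's post or of any CastleCops tooling), the script below parses the plain-text VirusTotal reports quoted in this thread and diffs two of them, which is how one would check where the move from 9/32 to 10/32 comes from. The embedded excerpt is taken from the 5/17 and 5/19 reports above, trimmed to five engines; the header line is included to show that non-result lines are skipped.

```python
import re

# Excerpt of the two VirusTotal text reports posted in this thread
# (devnull2.exe scanned 05.17, iloveyou.exe scanned 05.19), five engines only.
# Format per line: engine, engine version, signature date YYYY.MM.DD, verdict.
# A verdict of "-" means the engine reported nothing.
SCAN_0517 = """\
Antivirus Version Last Update Result
AntiVir 7.8.0.19 2008.05.16 TR/Dropper.Gen
CAT-QuickHeal 9.50 2008.05.16 -
eSafe 7.0.15.0 2008.05.16 Suspicious File
Kaspersky 7.0.0.125 2008.05.17 Email-Worm.Win32.Zhelatin.yu
Symantec 10 2008.05.17 -
"""
SCAN_0519 = """\
Antivirus Version Last Update Result
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
eSafe 7.0.15.0 2008.05.19 Suspicious File
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Symantec 10 2008.05.19 -
"""

# The verdict may contain spaces ("Suspicious File"), so anchor on the date field
# and take everything after it as the verdict.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")


def parse_scan(text):
    """Map engine name -> verdict string, or None when the engine reported '-'."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, "Result:" summary and hash lines do not match
        engine, _version, _sig_date, verdict = m.groups()
        verdict = verdict.strip()
        results[engine] = None if verdict == "-" else verdict
    return results


def detection_ratio(results):
    """(engines detecting, engines total), i.e. the 'Result: 9/32' figure."""
    hits = sum(1 for v in results.values() if v is not None)
    return hits, len(results)


def newly_detecting(old, new):
    """Engines silent on the earlier sample that flag the later one."""
    return sorted(e for e, v in new.items() if v is not None and old.get(e) is None)
```

Run over the full reports, `newly_detecting` returns only CAT-QuickHeal, matching the one-engine difference between the two posted ratios.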

AlphaCentauri

SIRT Handler
Premium Member

Joined: Nov 20, 2003
Posts: 2662

Premium

PostPosted: Mon May 19, 2008 10:30 pm    Post subject:

This is one tembow found on the same sites, sony.exe.
The detection looks the same, but VirusTotal treated it as a distinct malware sample:

Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
Additional information
File size: 145409 bytes
MD5...: 1c5a206aab9299851bcae2ff0a549b9e
SHA1..: 848e2ae9eb13fc0d930abfbb39b8e64b733d809d
SHA256: ea9a110cd093f1442b49b96f3cfb81294cd7a35caaa407a3e5b96ef0518e9aa1
SHA512: 95bc6afe1708868acf8cae14e2161babb75b77fc4559d88b09012abef03a0b6fc2dfa1412b648adf92cd5a628eda20b1dd0fe404654dd24b73821a85f6b67457

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5764

MIRT Premium

PostPosted: Mon May 19, 2008 11:02 pm    Post subject:

I've added loveyou.exe and sony.exe to the malware listserv.

CastleCops Link/t222044-MD5_9b97cf1e90921582bd3bfbe7f36c030f_loveyou_exe.html

CastleCops Link/p1090711-MD5_1c5a206aab9299851bcae2ff0a549b9e_sony_exe.html


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx