Storm worm 5/16/08

 CastleCops -> Unknown Files
Author: AlphaCentauri PostPosted: Sat May 17, 2008 3:23 am    Post subject: Storm worm 5/16/08
This is a copy of storm worm I just downloaded. There are two files on their sites, load.php, which is a short file that is well detected and was first submitted to VirusTotal on May 6, and this one, load2.php, which is longer and more poorly detected. (Both downloads are actually called devnull.exe when you actually download them.)

VirusTotal
devnull2.exe.txt received on 05.17.2008 04:55:02 (CET)
Result: 9/32 (28.13%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.16 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.17 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.16 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.16 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.16 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.15 -
GData 2.0.7306.1023 2008.05.17 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 Email-Worm.Win32.Zhelatin.yu
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 -
Rising 20.44.42.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.16 -
VirusBuster 4.3.26:9 2008.05.16 -
Webwasher-Gateway 6.6.2 2008.05.17 Trojan.Dropper.Gen
Additional information
File size: 147968 bytes
MD5...: a66bbece993e384e53f082b809ac9d4b
SHA1..: e3e7d1d8978f5b9e269c190b840c5c1825cdbe6c
SHA256: aca48fb99de6e65151bc3a2ffd593197c88894758d7783a89faf0c36b626753e
SHA512: 49f534644e786d4bc3559ab04e7a6d8371be70ce0ccc99bc60d82d0c5d390875
cefa35a84bef84684a3d8ce85744548a043ce34ac04434ddf7c07ed1070e8bd3

Jotti:
Scan taken on 17 May 2008 02:57:10 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found I-Worm/Nuwar.R
BitDefender
Found Trojan.Peed.PJ
ClamAV
Found nothing
CPsecure
Found W32.Email.W.Zhelatin.yu
Dr.Web
Found Trojan.Packed.460
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Author: AlphaCentauri PostPosted: Sat May 17, 2008 3:25 am    Post subject:
Actually, here is the load.php file just in case both are necessary for testing.
Author: tetak PostPosted: Sat May 17, 2008 3:14 pm    Post subject:
I've added devnull.exe (the 145KB one) to the malware listserv.
Author: AlphaCentauri PostPosted: Mon May 19, 2008 9:46 pm    Post subject:
There's a round of spam going out. Payload=iloveyou.exe

VirusTotal:
Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.18 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
Additional information
File size: 145920 bytes
MD5...: 437d274f0982baacf6104df3f1e37695
SHA1..: bcdb5dfd0502099f6ca89d5808287bab822640d2
SHA256: 228534573f1efefae24607f9d2ab7d49cba2cfab17e1028355ed1c383ccb9c76
SHA512: 6747a86db845a1a9e72290633b76b0a30912c9c64167616e6f868a632c1405d8
90989c257581e152f0d56e9dd8bf25b61449d82f0db0e7e255f2900541bd7a7b

Jotti:
Scan taken on 19 May 2008 21:19:04 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found I-Worm/Nuwar.R
BitDefender
Found Trojan.Peed.PJ
ClamAV
Found nothing
CPsecure
Found W32.Email.W.Zhelatin.yu
Dr.Web
Found Trojan.Packed.460
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Email-Worm.Win32.Zhelatin.yu
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

spam=
Quote:
Subject: Missing you with every breath


The Mood for Love http://200.8.72.64/


No proxy or User Agent Switcher necessary to download this one.
Author: AlphaCentauri PostPosted: Mon May 19, 2008 10:30 pm    Post subject:
This is one tembow found on the same sites, sony.exe.
The detection looks the same, but VirusTotal treated as a distinct malware sample:

Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
Additional information
File size: 145409 bytes
MD5...: 1c5a206aab9299851bcae2ff0a549b9e
SHA1..: 848e2ae9eb13fc0d930abfbb39b8e64b733d809d
SHA256: ea9a110cd093f1442b49b96f3cfb81294cd7a35caaa407a3e5b96ef0518e9aa1
SHA512: 95bc6afe1708868acf8cae14e2161babb75b77fc4559d88b09012abef03a0b6f
c2dfa1412b648adf92cd5a628eda20b1dd0fe404654dd24b73821a85f6b67457
Author: AlphaCentauri PostPosted: Mon May 19, 2008 10:31 pm    Post subject:
This is one tembow found on the same sites, sony.exe.
The detection looks the same, but VirusTotal treated as a distinct malware sample:

Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
Additional information
File size: 145409 bytes
MD5...: 1c5a206aab9299851bcae2ff0a549b9e
SHA1..: 848e2ae9eb13fc0d930abfbb39b8e64b733d809d
SHA256: ea9a110cd093f1442b49b96f3cfb81294cd7a35caaa407a3e5b96ef0518e9aa1
SHA512: 95bc6afe1708868acf8cae14e2161babb75b77fc4559d88b09012abef03a0b6f
c2dfa1412b648adf92cd5a628eda20b1dd0fe404654dd24b73821a85f6b67457
Author: tetak PostPosted: Mon May 19, 2008 11:02 pm    Post subject:
I've added loveyou.exe and sony.exe to the malware listserv.

CastleCops Link/t222044-MD5_9b97cf1e90921582bd3bfbe7f36c030f_loveyou_exe.html

CastleCops Link/p1090711-MD5_1c5a206aab9299851bcae2ff0a549b9e_sony_exe.html
CastleCops -> Unknown Files

All times are GMT

Page 1 of 1


Powered by phpBB © 2001 phpBB Group