Monday, February 25, 2008

postcard.gif.exe - 63e8fe1363431d2e56f38141a35278d3

* name: postcard.gif.exe
* size: 878374
* md5.: 63e8fe1363431d2e56f38141a35278d3

AntiVir found [HIDDENEXT/Worm.Gen]
Authentium 4.93.8/20080226 found [could be infected with an unknown virus]
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb found [Win32.Parite.2]
eSafe found [Win32.IRC.Zapchast]
Ewido 4.0/20080225 found [Backdoor.Zapchast.z]
F-Prot found [W32/Heuristic-300!Eldorado]
F-Secure 6.70.13260.0/20080226 found [Backdoor.IRC.Zapchast]
Fortinet found [REG/Zapchast.4D53!tr.bdr]
Ikarus T3.1.1.20/20080226 found [Backdoor.IRC.Zapchast]
Kaspersky found [Backdoor.IRC.Zapchast]
McAfee 5237/20080225 found [IRC/Generic Flooder]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
NOD32v2 2901/20080225 found [IRC/Zapchast.Z]
Norman 5.80.02/20080225 found [Pinfi.A.dropper]
Rising found [Win32.Parite.b]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
Sunbelt 3.0.893.0/20080223 found [Trojan.Zapchas.F]
Symantec 10/20080226 found [IRC Trojan]
TheHacker found [Adware/2Search]
VBA32 found [Trojan.IRC.Zapchast.H]
VirusBuster 4.3.26:9/20080225 found [IRC.Zapchast.AQ]
Webwasher-Gateway 6.6.2/20080225 found [Virus.HIDDENEXT/Worm.Gen]

ekvgsnw.dll - 39bfebf001bfdd44830076e378958c4a

* name: ekvgsnw.dll
* size: 84451
* md5.: 39bfebf001bfdd44830076e378958c4a

AntiVir found [ADSPY/AdSpy.Gen]
AVG found [Downloader.Zlob.SE]
Microsoft 1.3204/20080226 found [Adware:Win32/Vapsup]
Prevx1 V2/20080226 found [KAVKOP:Trojan-A]
Sophos 4.27.0/20080226 found [Mal/Zlob-I]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.AdSpy.Gen]

dgtxrdfrmw.dll - 9432a1b6b11bf5247291e68763b25938

* name: dgtxrdfrmw.dll
* size: 108190
* md5.: 9432a1b6b11bf5247291e68763b25938

AVG found [Downloader.Zlob.AAQ]
Microsoft 1.3204/20080226 found [Trojan:Win32/Zlob.ZWY]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 found [suspected of Downloader.Zlob.8]

bxlrvps.dll - 8120d45ce090c65fd864ac8f48cf87cf

* name: bxlrvps.dll
* size: 108451
* md5.: 8120d45ce090c65fd864ac8f48cf87cf

AntiVir found [ADSPY/Agent.PB]
Avast 4.7.1098.0/20080225 found [Win32:Agent-LTS]
AVG found [Downloader.Zlob.AAS]
Prevx1 V2/20080226 found [Generic.Malware]
VBA32 found [suspected of Downloader.Zlob.5]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.Agent.PB]

alofkmn.dll - 0e962ef1d4eb86162cd02b72c4689d86

* name: alofkmn.dll
* size: 86422
* md5.: 0e962ef1d4eb86162cd02b72c4689d86

AVG found [Downloader.Zlob.AAM]
F-Prot found [W32/FakeAlert.E.gen!Eldorado]
Ikarus T3.1.1.20/20080226 found [Virus.Win32.Agent.LTS]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 found [suspected of Downloader.Zlob.5]

AlrtDrv.dll - 24326ce4cd6569dbc965c318c4c49d61

* name: AlrtDrv.dll
* size: 14326
* md5.: 24326ce4cd6569dbc965c318c4c49d61

AntiVir found [TR/Crypt.XPACK.Gen]
Ikarus T3.1.1.20/20080226 found [BehavesLikeTrojan.ShellObject]
Kaspersky found [Heur.Trojan.Generic]
Norman 5.80.02/20080225 found [W32/Smalltroj.CWNE]
Prevx1 V2/20080226 found [Downloader.Zlob]
Webwasher-Gateway 6.6.2/20080225 found [Trojan.Crypt.XPACK.Gen]

JavaCore.exe - 780913add22a55b787f3eb9934e8207f

* name: JavaCore.exe
* size: 79801
* md5.: 780913add22a55b787f3eb9934e8207f

BitDefender 7.2/20080225 found [Adware.JCore.A]
DrWeb found [Trojan.Insider.origin]
Fortinet found [Adware/Insider]
Kaspersky found [not-a-virus:AdWare.Win32.Insider.b]
Prevx1 V2/20080225 found [Generic.Malware]
TheHacker found [Adware/Insider.b]

iqykxi.exe - ee3a48d89399e3ad6b1576a28db4d30d

* name: iqykxi.exe
* size: 183063
* md5.: ee3a48d89399e3ad6b1576a28db4d30d

AVG found [SHeur.ATOO]
eSafe found [Suspicious File]
F-Secure 6.70.13260.0/20080225 found [Backdoor.Win32.IRCBot.bol]
Fortinet found [W32/IRCBot.BOL!tr.bdr]
Kaspersky found [Backdoor.Win32.IRCBot.bol]
Microsoft 1.3204/20080226 found [Backdoor:Win32/Oderoor.gen!B]
NOD32v2 2901/20080225 found [Win32/Agent.NHE]
Panda found [W32/MSNPhoto.AB.worm]
Prevx1 V2/20080226 found [SHeur.ATOO]
Webwasher-Gateway 6.6.2/20080225 found [Win32.Malware.gen (suspicious)]

antivir.exe - 448ea9863debe13966a7f809e7f8f8ff

* name: antivir.exe
* size: 42358
* md5.: 448ea9863debe13966a7f809e7f8f8ff

AntiVir found [TR/Crypt.XPACK.Gen]
BitDefender 7.2/20080218 found [Trojan.Spy.ZBot.V]
eSafe found [Suspicious File]
Sophos 4.26.0/20080218 found [Sus/Behav-192]
Webwasher-Gateway 6.6.2/20080218 found [Trojan.Crypt.XPACK.Gen]
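Every scan listing on this page has the same shape: a name, size and md5 header, then one "Vendor [engine/sigdate] found [label]" line per engine that flagged the file. The following is an added example (not code from the original post) that parses such a block, counts the engines that flagged the file, and picks the family name the vendors mostly agree on, which is how the detection claims further down the page ("the detection is extremely low") can be checked mechanically. The embedded report is the postcard.gif.exe block above cut down to ten engines; the GENERIC word list and the six-letter stem used to put "Zapchast" and "Zapchas" in one bucket are my assumptions, not anything the post states.

```python
import re
from collections import Counter

# Constructed input: the postcard.gif.exe block from this post, cut down to ten engines.
SAMPLE_REPORT = """\
* name: postcard.gif.exe
* size: 878374
* md5.: 63e8fe1363431d2e56f38141a35278d3

AntiVir found [HIDDENEXT/Worm.Gen]
Authentium 4.93.8/20080226 found [could be infected with an unknown virus]
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb found [Win32.Parite.2]
Kaspersky found [Backdoor.IRC.Zapchast]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
"""

FIELD_RE = re.compile(r"^\*\s*(name|size|md5)\.?:\s*(.*)$")
# "Vendor [engine/sigdate] found [label]"; the version part is optional on this page.
VERDICT_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s+found\s+\[(.*)\]$")

# Words that describe a class of threat, a platform or a heuristic verdict rather
# than a family. Assumed list for this example; extend it for other vendors.
GENERIC = {
    "win32", "trojan", "backdoor", "worm", "virus", "generic", "malware", "adware",
    "downloader", "dldr", "heur", "heuristic", "suspicious", "suspected", "file",
    "agent", "crypt", "xpack", "could", "infected", "with", "unknown", "paranoid",
    "heuristics", "eldorado", "dropper", "flooder",
}

def parse_report(text):
    """Parse one scan block into {'name','size','md5','verdicts':[{vendor,version,label}]}."""
    rec = {"name": None, "size": None, "md5": None, "verdicts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "size":            # both "36864 bytes" and "36864" occur on the page
                digits = re.match(r"\d+", value)
                rec["size"] = int(digits.group()) if digits else None
            elif key == "md5":
                rec["md5"] = value.lower()
            else:
                rec["name"] = value
            continue
        m = VERDICT_RE.match(line)
        if m:
            rec["verdicts"].append({"vendor": m.group(1), "version": m.group(2), "label": m.group(3)})
    return rec

def detection_count(rec):
    """Engines that flagged the file; an empty label such as 'found []' is not counted."""
    return sum(1 for v in rec["verdicts"] if v["label"].strip())

def family_consensus(verdicts):
    """Most common family token across vendors, as (representative spelling, vendor count).

    Labels are split into letter runs, generic words dropped, and tokens grouped by
    their first six letters so spellings like Zapchast/Zapchas share one bucket.
    Each vendor contributes at most once per bucket.
    """
    buckets = Counter()
    spellings = Counter()
    for v in verdicts:
        seen = set()
        for tok in re.split(r"[^A-Za-z]+", v["label"]):
            t = tok.lower()
            if len(t) < 4 or t in GENERIC:
                continue
            stem = t[:6]
            if stem in seen:
                continue
            seen.add(stem)
            buckets[stem] += 1
            spellings[(stem, t)] += 1
    if not buckets:
        return None, 0
    stem, count = buckets.most_common(1)[0]
    name = max((t for (s, t) in spellings if s == stem), key=lambda t: spellings[(stem, t)])
    return name, count

if __name__ == "__main__":
    rec = parse_report(SAMPLE_REPORT)
    print(rec["name"], rec["md5"], "detections:", detection_count(rec))
    print("family consensus:", family_consensus(rec["verdicts"]))
```

The report only lists engines that fired, so the absolute count is what the page gives you; a true detection ratio needs the total engine count from the scan service, which these listings omit. Heuristic verdicts (Authentium's "could be infected") still count as detections here but contribute nothing to the family vote once the generic words are stripped.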

Sunday, February 17, 2008

Safe Strip Related Submissions (Rogue)

Earlier today we received these 4 files from a user at
Detection is extremely low. I started analyzing these in my VM and figured they were worth mentioning because very little information was available on Google.

I titled this post "Safe Strip Related Submissions" because of the URL I found in each of these files, which takes you to the "Safe Strip" download page.

After running for about 15 minutes I finally started to get the balloon tips:

Even some pretty error messages:

And of course I can't forget my pretty new desktop background:

Oh yeah and a popup for advanced cleaner:

Hijack This entries associated with these:

O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
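Those three O4 lines are the persistence half of this submission: each is a value under the HKLM Run key that relaunches one of the dropped executables at logon. As an added example (not from the post and not HijackThis code), the script below parses O4 lines into the full registry key, value name and image path, cross-references the image with the submitted file hashes, and lists which submitted files are not referenced by any Run value. The key expansion table, the "sits in the Windows directory root" heuristic and the file-name-to-md5 map are assumptions constructed from this post, not something it states.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the three O4 lines and the four file/md5 pairs from this post.
O4_LINES = [
    r'O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"',
    r'O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"',
    r'O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"',
]
SCANNED = {
    "winstrse.exe": "ed5db9136e502a87bdc20f36c787a977",
    "comsysobj.exe": "17195c2104aee64b598aa815332bb6a4",
    "shellexcon.exe": "3fe0e32201f34616edb7447e976df470",
    "win32st.exe": "7dfb42300357f7b50ba763497e6c41c7",
}

# "O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

# HijackThis abbreviates the key path; this expansion is assumed here for the two hives it uses.
HIVE_ROOT = {
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion",
}

def parse_o4(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, subkey, value_name, command = m.groups()
    command = command.strip()
    if command.startswith('"'):          # quoted image path, possibly followed by arguments
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command.strip('"')
    else:
        image = command.split(" ")[0]
    p = PureWindowsPath(image)
    return {
        "hive": hive,
        "key": HIVE_ROOT.get(hive, hive + r"\Software\Microsoft\Windows\CurrentVersion") + "\\" + subkey,
        "value_name": value_name,
        "image": image,
        "file_name": p.name.lower(),
        "directory": str(p.parent).lower(),
    }

def enrich(entries, scanned):
    """Attach the submitted md5 (if any) and a location flag to each parsed entry."""
    out = []
    for e in entries:
        e = dict(e)
        e["md5"] = scanned.get(e["file_name"])
        # Heuristic, not from the post: legitimate Run entries rarely point at an
        # executable dropped straight into the Windows directory root.
        e["in_windows_root"] = e["directory"] in {"c:\\windows", "c:\\winnt"}
        out.append(e)
    return out

def not_persisted(entries, scanned):
    """Submitted files that no Run value references; candidates for the initial dropper."""
    referenced = {e["file_name"] for e in entries}
    return sorted(name for name in scanned if name not in referenced)

if __name__ == "__main__":
    entries = [e for e in map(parse_o4, O4_LINES) if e]
    for e in enrich(entries, SCANNED):
        print(f'{e["key"]} [{e["value_name"]}] -> {e["image"]} md5={e["md5"]} winroot={e["in_windows_root"]}')
    print("not in Run keys:", not_persisted(entries, SCANNED))
```

On the sample the only submitted file with no Run entry is winstrse.exe, consistent with it being the component that wrote the other three rather than one that needs to survive a reboot itself; that is an inference to verify in the VM, not something the parser can prove.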

VirusTotal Scans:
* name: winstrse.exe
* size: 13899
* md5.: ed5db9136e502a87bdc20f36c787a977

Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: comsysobj.exe
* size: 13477
* md5.: 17195c2104aee64b598aa815332bb6a4

Panda found [Adware/SpyBurner]
Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: shellexcon.exe
* size: 15479
* md5.: 3fe0e32201f34616edb7447e976df470

AntiVir found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]

* name: win32st.exe
* size: 36864 bytes
* md5.: 7dfb42300357f7b50ba763497e6c41c7

AntiVir found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]

The files had the following URLs in their strings:

http: //
http: //

Once the files finally started doing their thing, I got a new IE window that opened to a SystemErrorFixer webpage:
http: //
swp_ges&eli=3948&eaf=pp_1685211491&eu=http%3A%2F%2F Dadctmp%26clone_name%3Dswpadcex %26led%3D3948%26afr% 3Dpp_1685211491&ed=0&ex=0&h=10&cmpname=null&mt_info= 4141_0_1556
and to
https ://

which appears to be a fake Virtual Private Network manager.

Thanks to WlkingMan for submitting these files.

Surf Safe,

Saturday, February 16, 2008

svchost.exe - 9e3c13b6556d5636b745d3e466d47467

* name: svchost.exe
* size: 15783
* md5.: 9e3c13b6556d5636b745d3e466d47467

AntiVir found [W32/Hidrag.a]
Authentium 4.93.8/20080215 found [W32/Jeefo.A]
Avast 4.7.1098.0/20080215 found [Win32:Jeefo]
AVG found [Win32/Hidrag.A]
BitDefender 7.2/20080216 found [Win32.Jeefo.A]
CAT-QuickHeal None/20080216 found [W32.Jeefo.A]
ClamAV 0.92.1/20080216 found [W32.Jeefo-3]
DrWeb found [Win32.HLLP.Jeefo.36352]
eSafe found [Win32.Hidrag.a]
eTrust-Vet 31.3.5541/20080215 found [Win32/Jeefo.A]
Ewido 4.0/20080216 found []
F-Prot found [W32/Jeefo.A]
F-Secure 6.70.13260.0/20080215 found [Virus.Win32.Hidrag.a]
Fortinet found [W32/Jeefo.A]
Ikarus T3.1.1.20/20080216 found [Win32.Hidrag]
Kaspersky found [Virus.Win32.Hidrag.a]
McAfee 5231/20080215 found [W32/Jeefo]
Microsoft 1.3204/20080216 found [Virus:Win32/Jeefo.A]
NOD32v2 2880/20080215 found [Win32/Jeefo.A]
Norman 5.80.02/20080215 found [W32/Hidrag.A]
Panda found [W32/Jeefo.A.drp]
Prevx1 V2/20080216 found [Generic.Malware]
Rising found [Win32.Hidrag]
Sophos 4.26.0/20080216 found [W32/Jeefo-A]
Sunbelt 2.2.907.0/20080216 found [Jeefo (v)]
Symantec 10/20080216 found [W32.Jeefo]
TheHacker found [W32/Jeefo.gen]
VBA32 found [Win32.HLLP.Jeefo]
VirusBuster 4.3.26:9/20080215 found [Win32.Hidrag]
Webwasher-Gateway 6.6.2/20080215 found [Win32.Hidrag.a]

Ma72Pan.exe - 9b6a68204fa80c20d39ebd0da0024085

* name: Ma72Pan.exe
* size: 84508
* md5.: 9b6a68204fa80c20d39ebd0da0024085

Ikarus T3.1.1.20/20080217 found [Backdoor.Win32.Rbot.c]

Thursday, February 14, 2008

rjmtjp.exe - d54d475125f7f6aa48d42f3f1122193a

* name: rjmtjp.exe
* size: 11910
* md5.: d54d475125f7f6aa48d42f3f1122193a

AVG found [BackDoor.RBot.BI]
BitDefender 7.2/20080214 found [Backdoor.Irc.Sdbot.KC]
DrWeb found [BackDoor.IRC.Sdbot.945]
eSafe found [Suspicious File]
F-Secure 6.70.13260.0/20080214 found [W32/Ircbot.dam]
Norman 5.80.02/20080213 found [W32/Ircbot.dam]
Panda found [W32/Poebot.MW.worm]
Prevx1 V2/20080214 found [Worm.Ircbot.Gen]
Symantec 10/20080214 found [W32.IRCBot.Gen]
Webwasher-Gateway 6.6.2/20080214 found [Win32.Malware.dam (suspicious)]

packers: PE_Patch
Prevx info:

Wednesday, February 13, 2008

Setup.exe - dd13a676ffee2688d9046c3084362feb

* name: Setup.exe
* size: 58794
* md5.: dd13a676ffee2688d9046c3084362feb

AntiVir found [WORM/P2P.Kapucen.Gen]
Authentium 4.93.8/20080213 found [W32/Kapucen.gen1@p2p]
Avast 4.7.1098.0/20080213 found [Win32:Kapucen]
AVG found [Win32/Puce.C]
BitDefender 7.2/20080213 found [Win32.Worm.P2P.Puce.G]
CAT-QuickHeal None/20080213 found [I-Worm.Kapucen.b]
ClamAV 0.92/20080213 found [Worm.Puce.E]
DrWeb found [Win32.HLLW.Puce]
eTrust-Vet 31.3.5532/20080212 found [Win32/Puce.D]
F-Prot found [W32/Kapucen.gen1@p2p]
F-Secure 6.70.13260.0/20080213 found [P2P-Worm.Win32.Kapucen.b]
Fortinet found [W32/Kapucen.B!worm.p2p]
Ikarus T3.1.1.20/20080213 found [P2P-Worm.Win32.Kapucen.b]
Kaspersky found [P2P-Worm.Win32.Kapucen.b]
McAfee 5228/20080212 found [W32/Puce]
Microsoft 1.3204/20080213 found [Worm:Win32/Puce.Y]
NOD32v2 2872/20080213 found [Win32/Kapucen.B]
Norman 5.80.02/20080212 found [Kapucen.A]
Panda found [W32/Puce.E.worm]
Prevx1 V2/20080213 found [TROJAN.MUDROP.DU]
Sophos 4.26.0/20080213 found [W32/Puce-H]
Symantec 10/20080213 found [W32.Ecup]
VirusBuster 4.3.26:9/20080213 found [Worm.Kapucen.A]
Webwasher-Gateway 6.6.2/20080213 found [Worm.P2P.Kapucen.Gen]

Tuesday, February 12, 2008

AcroIEHelper.dll - 32929bace82a07c26c1d3877176cb2a9

* submitter: Milkdad
* name: AcroIEHelper.dll
* size: 227894
* md5.: 32929bace82a07c26c1d3877176cb2a9

AntiVir found [TR/Dldr.Delf.eqb.1]
AVG found [Downloader.Generic6.AICW]
BitDefender 7.2/20080212 found [Trojan.Downloader.Codec.E]
CAT-QuickHeal None/20080211 found [TrojanDownloader.Delf.eqb]
F-Prot found [W32/Banload.E.gen!Eldorado]
F-Secure 6.70.13260.0/20080212 found [Trojan-Downloader.Win32.Delf.eqb]
Fortinet found [W32/Delf.EQB!tr.dldr]
Ikarus T3.1.1.20/20080212 found [Trojan-Downloader.Delf.OGX]
Kaspersky found [Trojan-Downloader.Win32.Delf.eqb]
Microsoft 1.3204/20080211 found [Trojan:Win32/Delflob.I]
Prevx1 V2/20080212 found [Generic.Malware]
Webwasher-Gateway 6.6.2/20080212 found [Trojan.Dldr.Delf.eqb.1]

packers: ASPack
AVs that added detection because of your submission:

Avira: TR/Dldr.Delf.eqb.1

Monday, February 11, 2008

And so it begins.....

The new wave of Storm is flowing just in time for Valentine's. At the time of this post I've only received 3 emails for it, and I imagine a lot more are to come.

The first with the subject "Phone Love" and a body that simply contained the following:
Love Machine http://

I of course went to the page to get the newest version, and this was the image I found.

Onto the next one I received:
Subject: Valentine Invitation
Happy Valentine's Day! http://

And yet another pretty pic. Now for the third:

Subject: Be My Valentine
Valentine Friends http://

Ahh, another pretty pic; reminds me of elementary school.

The one thing all of the files have in common is no detection at the time of this post!
Be very careful opening any Valentine's emails that you receive; they could be more trouble than you ever wanted.

http:// - valentine.exe MD5: d1789d5bbc74bcf4def368f9b9db303e
http:// - valentine.exe MD5: 8ef7be6c05aca940b1e9cf677d471a41
http:// - valentine.exe MD5: 74ca598169f8fdee49d04e22c8ac7514

While I was writing this I received another one, but it seems to be dead already. Here is the info from it.

Subject: You're Super Sweet
Love Rose http://

I've stayed away from the technical details here, at least for now. Our friends over at have posted some details; check it out at:


Here are some more of the images:

More subject lines and bodies:

Just you: Rockin' Valentine http://
Rockin' Valentine: My Love http://
Rockin' Valentine: Powerful Love http://
My Heart: World Love http://

Safe surfing!

The Mega-D botnet that everyone was led to believe was so huge apparently isn't, according to a recent blog post at

SecureWorks: Ozdok/Mega-D Trojan Analysis

by Danny McPherson

Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D.

It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here, as well as some detailed bits on behaviors of the Trojan itself.

Based solely on the hostnames provided in the analysis we (Jose, actually) were able to find three samples in our database, with dates all well over a year old:

Read the full story at the link below.

video.exe - 9f36a92add503d6c08a97d5dc0d5eb8c

* name: video.exe
* size: 91831
* md5.: 9f36a92add503d6c08a97d5dc0d5eb8c

AntiVir found [TR/Dropper.Gen]
eSafe found [suspicious Trojan/Worm]
Ikarus T3.1.1.20/20080210 found [Trojan-Spy.Win32.Banker.caw]
Panda found [Suspicious file]
VBA32 found [suspected of Trojan-IM.VB.1 (paranoid heuristics)]
Webwasher-Gateway 6.6.2/20080209 found [Trojan.Dropper.Gen]

packers: UPX_LZMA
AVs that added detection because of your submission:


album_leticia.exe - 532c3c5674bb03464d4d990c291d8a14

* name: album_leticia.exe
* size: 14794
* md5.: 532c3c5674bb03464d4d990c291d8a14

ClamAV 0.92/20080210 found [Trojan.Downloader-13210]
Rising found [Trojan.DL.Win32.Agent.ejs]
Webwasher-Gateway 6.6.2/20080210 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

AVs that added detection based on your submission:

Avira Lab: TR/Dldr.Agent.iwf
Kaspersky: Trojan-Downloader.Win32.Agent.iwf

elxxfghg.dll - 227f6af6fb4ae8063b5f7348fd9694ee

* name: elxxfghg.dll
* size: 80084 bytes
* md5.: 227f6af6fb4ae8063b5f7348fd9694ee

AntiVir found [TR/Dldr.ConHook.Gen]
Avast 4.7.1098.0/20080210 found [Win32:TratBHO]
AVG found [Lop]
BitDefender 7.2/20080210 found [Trojan.Vundo.DYM]
DrWeb found [Trojan.Virtumod.272]
eTrust-Vet 31.3.5522/20080208 found [Win32/Vundo.MO]
F-Prot found [W32/Virtumonde.G.gen!Eldorado]
Ikarus T3.1.1.20/20080210 found [not-a-virus:AdWare.Win32.Virtumonde]
Kaspersky found [not-a-virus:AdWare.Win32.Virtumonde.gen]
Microsoft 1.3204/20080210 found [Trojan:Win32/Vundo.gen!A]
Norman 5.80.02/20080208 found [W32/Virtumonde.KYQ]
Panda found [Suspicious file]
Sophos 4.26.0/20080210 found [Troj/Virtum-Gen]
Symantec 10/20080210 found [Trojan.Adclicker]
TheHacker found [Adware/Virtumonde.gen]
VirusBuster 4.3.26:9/20080210 found [Adware.Vundo.V.Gen]
Webwasher-Gateway 6.6.2/20080210 found [Trojan.Dldr.ConHook.Gen]

sbsm.exe - ead7b53b7a67d39dfe74ff6fe981d389

* size: 2759 bytes
* md5.: ead7b53b7a67d39dfe74ff6fe981d389

AVG found [Downloader.Zlob]
F-Secure 6.70.13260.0/20080211 found [Trojan-Downloader.Win32.Zlob.hku]
Kaspersky found [Trojan-Downloader.Win32.Zlob.hku]
NOD32v2 2865/20080211 found [Win32/TrojanDownloader.Zlob.BPH]
Prevx1 V2/20080211 found [Downloader.Zlob]
Symantec 10/20080211 found [Trojan.Startpage]
VirusBuster 4.3.26:9/20080211 found [Trojan.DL.Zlob.Gen.34]

Edit 1: Added by Ikarus as Virus.Win32.Zlob.AJV
Edit 2: Added by Avira as TR/Dldr.Zlob.hku
Edit 3: Added by DrWeb as Virus: Trojan.Popuper