Friday, May 23, 2008

Will summer break bring the normal malware influx?

Summer break is just around the corner, and I started to ask myself whether we will notice the usual influx of malware we used to see from students out on break in the not too distant past.

With large crime-ware groups operating most of the malware we see and hear about daily, it seems like we have forgotten about the so-called "script kiddies" who used to bring so much burden to the anti-malware world at this time of year.

Last summer it seemed like the script kiddies had dropped off the face of the planet, but maybe they were just overshadowed by all the hype and media attention that the RBN and Storm were drawing last year. I personally think that this was the case: they weren't gone, we just didn't hear anything about them because they weren't the huge impact they had been in the past. With thousands of new malware samples being seen daily, would the few extra hundred a week (or month) really be that noticeable in the overall picture?

I guess only time will tell, but look out for new malware to come out this summer!

Sunday, May 11, 2008

Mass File Injection - Redirecting to DNSChanger Download

Mike from UploadMalware.com's team has discovered a mass file injection attack going around, injecting the two URLs below into sites running any version of the phpBB forum software.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js

The two URLs point to a JavaScript redirect script that automatically redirects visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpBB should check their servers.

At the time of this writing, over 400,000 hits are shown in Google when you search for the URLs.

If anyone has any information as to how the scripts are being injected or which exploit is being used, please contact me at dnelson(shift+2)uploadmalware.com
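One way to do the "check your servers" step, as an added example (not UploadMalware.com's tool, and not something the post provides): walk the phpBB web root and report every external `<script src=...>` include whose host is one of the two injected hosts, plus, if you pass an allowlist of hosts you legitimately load scripts from, any external include that is not on it. The post does not say which files the injector writes to, so the scan reads every PHP, template and HTML file; `SAMPLE_FILES` is a constructed stand-in for a web root so the script runs offline.

```python
"""Find injected <script src=...> includes under a phpBB web root.

Added example, not UploadMalware.com's tool. The post gives two injected
script URLs; the scan flags any external <script> include whose host is one
of those, and, if you pass an allowlist of hosts you legitimately load scripts
from, any external include whose host is not on it. The post does not say
which files the injector writes to, so the scan reads every PHP, template and
HTML file under the root. SAMPLE_FILES is constructed for the offline demo.
"""
import os
import re
from urllib.parse import urlparse

# The two URLs from the post, hosts only (the post defangs them as hxxp://).
INJECTED_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}

SCAN_EXTENSIONS = {".php", ".inc", ".tpl", ".html", ".htm", ".js"}

# src attribute of a <script> tag: double-quoted, single-quoted or bare.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s>]+))""",
    re.IGNORECASE,
)


def external_script_srcs(text):
    """Yield (line_number, url) for every <script src> with an absolute URL;
    relative includes ("/js/x.js") belong to the site and are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_SRC_RE.finditer(line):
            url = next(g for g in m.groups() if g)
            if urlparse(url).netloc:
                yield lineno, url


def classify(url, allowlist=()):
    """'indicator' for the hosts named in the post, 'unknown-external' for a
    host missing from a supplied allowlist, None otherwise."""
    host = urlparse(url).netloc.lower().split(":")[0]
    if host in INJECTED_HOSTS:
        return "indicator"
    if allowlist and host not in allowlist:
        return "unknown-external"
    return None


def scan_files(files, allowlist=()):
    """files: iterable of (relative_path, text). Returns
    [(path, line, url, verdict)] for every include worth a look."""
    findings = []
    for path, text in files:
        if os.path.splitext(path)[1].lower() not in SCAN_EXTENSIONS:
            continue
        for lineno, url in external_script_srcs(text):
            verdict = classify(url, allowlist)
            if verdict:
                findings.append((path, lineno, url, verdict))
    return findings


def walk_tree(root):
    """Read every file under root as (path relative to root, text)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(full, root), fh.read()
            except OSError:
                continue


# Constructed stand-in for a web root: one template and one PHP file carrying
# the injected includes, a clean page with a local and a CDN include, and a
# text file that is skipped by extension.
SAMPLE_FILES = [
    ("templates/subSilver/overall_header.tpl",
     '<html><head>\n<script src="http://free.hostpinoy.info/f.js"></script>\n</head>'),
    ("index.php",
     "<?php\n// nothing of note\n?>\n<script src='http://xprmn4u.info/f.js'></script>\n"),
    ("page.html",
     '<script src="/js/local.js"></script>\n'
     '<script src="http://cdn.example.org/x.js"></script>\n'),
    ("notes.txt", '<script src="http://xprmn4u.info/f.js"></script>'),
]

if __name__ == "__main__":
    import sys
    files = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for path, lineno, url, verdict in scan_files(files):
        print("%s:%d  %s  [%s]" % (path, lineno, url, verdict))
```

Run it as `python scan.py /var/www/phpbb` against a real root; without an argument it scans the constructed sample. The allowlist mode is there because the next injector will use different hosts: an external script include you did not put there is the finding, whatever its host.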

Antivirus Version Last Update Result
AntiVir 7.8.0.17 2008.05.11 DR/Dldr.DNSChanger.Gen
AVG 7.5.0.516 2008.05.11 DNSChanger.AE
ClamAV 0.92.1 2008.05.11 Trojan.Dropper-6806
F-Secure 6.70.13260.0 2008.05.12 Trojan.Win32.DNSChanger.clm
Ikarus T3.1.1.26.0 2008.05.12 Virus.Trojan.Win32.DNSChanger.chg
Kaspersky 7.0.0.125 2008.05.12 Trojan.Win32.DNSChanger.clm
Norman 5.80.02 2008.05.09 Vundo.gen171.dropper
Prevx1 V2 2008.05.12 Cloaked Malware
Sophos 4.29.0 2008.05.11 Troj/Zlobar-Fam
TheHacker 6.2.92.307 2008.05.11 Trojan/DNSChanger.chg
Webwasher-Gateway 6.6.2 2008.05.11 Trojan.Dropper.Dldr.DNSChanger.Gen

Sunday, May 4, 2008

New Storm Moving In – Presumably for Mother’s Day

One of our researchers at UploadMalware.com has found indications of a new Storm worm variant moving in.

At the time of this posting we have not had any reports of spam from the botnet using the three domains found in the research, but the files are definitely there and the domains are fast-fluxing as per the normal method. We can only presume they are gearing up for a Mother's Day Storm campaign to raise their numbers.

The three domains we have found to this point are: (visit at your own risk)

stateandfed.cn, apartment-mall.cn and centerprop.cn
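The "fast fluxing as per the normal method" observation above is something you can measure rather than eyeball. The script below is an added example, not UploadMalware.com's code: it scores a series of DNS lookups of one name on the three traits fast-flux hosting shows (many distinct IPs, spread over many /24s, with a short TTL and answers that change between lookups). The thresholds in `looks_fast_flux()` are assumptions chosen for illustration, not numbers from the post; the sample observations are constructed from the 100.64/10 shared range so that nothing real is named; the live `observe()` helper needs the third-party dnspython package.

```python
"""Score a domain's DNS answers for fast-flux behaviour.

Added example, not UploadMalware.com's code. Fast-flux hosting puts a
constantly rotating set of infected hosts in front of the real server: each
lookup returns a different handful of IPs, spread over many networks, with a
short TTL so resolvers keep coming back. This scores a series of lookups on
exactly those three traits. The thresholds in looks_fast_flux() are
assumptions picked for illustration, not numbers from the post, and the
sample observations below are constructed.
"""
import ipaddress


def slash24(ip):
    """Return the /24 containing ip, e.g. '100.70.3.15' -> '100.70.3.0/24'."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))


def flux_summary(observations):
    """observations: [(unix_ts, ttl_seconds, [ip, ...]), ...] from successive
    lookups of the same name, oldest first."""
    ips, nets, ttls = set(), set(), []
    changes, previous = 0, None
    for _ts, ttl, answers in observations:
        current = set(answers)
        ttls.append(ttl)
        ips.update(current)
        nets.update(slash24(a) for a in current)
        if previous is not None and current != previous:
            changes += 1
        previous = current
    lookups = len(observations)
    return {
        "lookups": lookups,
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "min_ttl": min(ttls) if ttls else None,
        # fraction of lookups whose answer set differed from the previous one
        "change_rate": changes / (lookups - 1) if lookups > 1 else 0.0,
    }


def looks_fast_flux(summary, min_ips=10, min_nets=5, max_ttl=600, min_change=0.5):
    """Assumed thresholds: many IPs across many /24s, short TTL, answers that
    keep changing. A CDN can trip one or two of these; insist on all of them."""
    return (
        summary["unique_ips"] >= min_ips
        and summary["unique_nets"] >= min_nets
        and summary["min_ttl"] is not None
        and summary["min_ttl"] <= max_ttl
        and summary["change_rate"] >= min_change
    )


def observe(name, rounds=6, interval=600):
    """Live version: needs dnspython (pip install dnspython) and network access.
    Not used by the offline samples below."""
    import time
    import dns.resolver  # third-party
    obs = []
    for _ in range(rounds):
        answer = dns.resolver.resolve(name, "A")
        obs.append((time.time(), answer.rrset.ttl, [r.address for r in answer]))
        time.sleep(interval)
    return obs


# Constructed samples: a fluxing name that answers with four fresh hosts in
# four fresh /24s on every 10-minute lookup, and a stable name that always
# returns the same two addresses with an hour-long TTL.
SAMPLE_FLUX = [
    (i * 600, 300, ["100.%d.%d.%d" % (64 + i, j, 10 + i) for j in (1, 2, 3, 4)])
    for i in range(6)
]
SAMPLE_STABLE = [(i * 600, 3600, ["192.0.2.10", "192.0.2.11"]) for i in range(6)]

if __name__ == "__main__":
    for label, obs in (("flux", SAMPLE_FLUX), ("stable", SAMPLE_STABLE)):
        s = flux_summary(obs)
        print(label, s, "fast-flux" if looks_fast_flux(s) else "not fast-flux")
```

Requiring all four conditions together is the point: a large CDN also returns short TTLs and many addresses, but its answers come from a few well-known netblocks rather than from residential /24s that never repeat.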

The file load.exe, on execution, copies itself to %windir%\libor.exe and drops the standard peers.ini as gogora.config. libor.exe is then added to the Run key in the registry so that it executes on every reboot.

So as not to add to the problem, I personally only ran the exe with an internet connection for about one minute, and it contacted ~1700 other infected boxes. Other research done by members of UploadMalware.com indicates approximately 100,000 or more boxes are still infected (that number was obtained by methods other than running the file).

This proves contrary to computerworld.com's article claiming that Microsoft had killed the Storm worm.

The article had already been strongly disputed by researchers.

Storm worm is alive and well. It may be smaller than when it first came onto the scene, but it seems that when their numbers dwindle they come back with another holiday-targeted mail campaign and boost the numbers back up. The Storm group isn't going anywhere as far as I can tell.

Jeremy over at sudosecure.net has posted some more info here.

Monday, February 25, 2008

postcard.gif.exe - 63e8fe1363431d2e56f38141a35278d3

* name: postcard.gif.exe
* size: 878374
* md5.: 63e8fe1363431d2e56f38141a35278d3



AntiVir 7.6.0.67/20080225 found [HIDDENEXT/Worm.Gen]
Authentium 4.93.8/20080226 found [could be infected with an unknown virus]
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG 7.5.0.516/20080226 found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb 4.44.0.09170/20080225 found [Win32.Parite.2]
eSafe 7.0.15.0/20080226 found [Win32.IRC.Zapchast]
Ewido 4.0/20080225 found [Backdoor.Zapchast.z]
F-Prot 4.4.2.54/20080225 found [W32/Heuristic-300!Eldorado]
F-Secure 6.70.13260.0/20080226 found [Backdoor.IRC.Zapchast]
Fortinet 3.14.0.0/20080225 found [REG/Zapchast.4D53!tr.bdr]
Ikarus T3.1.1.20/20080226 found [Backdoor.IRC.Zapchast]
Kaspersky 7.0.0.125/20080226 found [Backdoor.IRC.Zapchast]
McAfee 5237/20080225 found [IRC/Generic Flooder]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
NOD32v2 2901/20080225 found [IRC/Zapchast.Z]
Norman 5.80.02/20080225 found [Pinfi.A.dropper]
Rising 20.33.02.00/20080225 found [Win32.Parite.b]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
Sunbelt 3.0.893.0/20080223 found [Trojan.Zapchas.F]
Symantec 10/20080226 found [IRC Trojan]
TheHacker 6.2.9.229/20080225 found [Adware/2Search]
VBA32 3.12.6.2/20080226 found [Trojan.IRC.Zapchast.H]
VirusBuster 4.3.26:9/20080225 found [IRC.Zapchast.AQ]
Webwasher-Gateway 6.6.2/20080225 found [Virus.HIDDENEXT/Worm.Gen]
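The scan results pasted throughout this blog all have the shape `Vendor version/YYYYMMDD found [result]`. The parser below is an added example (not UploadMalware.com's or VirusTotal's code) that turns such a list into a count of detecting engines, the newest signature date, and a rough guess at the family name by stripping the generic parts of each vendor label. Two caveats a practitioner needs: the blog pastes only the engines that fired, so the count is not a detection ratio (that needs the total engine count, which the page does not give), and the `GENERIC` token set is an assumption for illustration. The `SAMPLE` lines are copied from the postcard.gif.exe results above.

```python
"""Parse the "Vendor version/YYYYMMDD found [result]" lines used in this blog.

Added example; not UploadMalware.com's or VirusTotal's code. The blog pastes
only the engines that fired, so a list gives the number of engines detecting
a sample, not a detection ratio: that needs the total engine count, which the
page does not state. The GENERIC token set used to pull a family name out of
the vendor labels is an assumption for illustration, and the SAMPLE lines are
copied from the postcard.gif.exe results above.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "vendor version sigdate result")

LINE_RE = re.compile(r"^(\S+) (\S+)/(\d{8}) found \[(.*)\]$")

# Label fragments that say what kind of thing it is, not which family (assumed).
GENERIC = {
    "trojan", "backdoor", "win32", "w32", "irc", "gen", "generic", "mal",
    "virus", "worm", "dropper", "heuristic", "suspicious", "file", "adware",
    "not", "tr", "bdr", "dldr", "downloader", "agent", "reg", "could",
    "infected", "with", "unknown", "win", "spy", "bot",
}


def parse_lines(text):
    """Return a Detection for every line that matches the pasted format."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Detection(*m.groups()))
    return hits


def family_tokens(result):
    """Lower-case alphanumeric tokens of a label minus generic words, one- and
    two-letter variant suffixes and pure-numeric counters."""
    toks = re.split(r"[^a-z0-9]+", result.lower())
    return [t for t in toks if len(t) > 2 and not t.isdigit() and t not in GENERIC]


def summarize(text):
    """Engine count, newest signature date and a Counter of family tokens."""
    hits = parse_lines(text)
    # count each token once per engine so one label cannot vote twice
    families = Counter(t for h in hits for t in set(family_tokens(h.result)))
    return {
        "engines_detecting": len(hits),
        "newest_signature": max(h.sigdate for h in hits) if hits else None,
        "families": families,
    }


# Copied from the postcard.gif.exe results in the post.
SAMPLE = """\
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG 7.5.0.516/20080226 found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb 4.44.0.09170/20080225 found [Win32.Parite.2]
Kaspersky 7.0.0.125/20080226 found [Backdoor.IRC.Zapchast]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
Norman 5.80.02/20080225 found [Pinfi.A.dropper]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
Symantec 10/20080226 found [IRC Trojan]
TheHacker 6.2.9.229/20080225 found [Adware/2Search]
"""

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("%d engines, newest signature %s" % (s["engines_detecting"], s["newest_signature"]))
    for fam, n in s["families"].most_common(5):
        print("  %-10s %d" % (fam, n))
```

On this sample the majority vote is "zapchast" (the IRC backdoor), with DrWeb and Rising's "Parite" a reminder that the dropper is also file-infected; a single family token with a clear majority is about as much as vendor labels will ever agree on.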

ekvgsnw.dll - 39bfebf001bfdd44830076e378958c4a

* name: ekvgsnw.dll
* size: 84451
* md5.: 39bfebf001bfdd44830076e378958c4a


AntiVir 7.6.0.67/20080225 found [ADSPY/AdSpy.Gen]
AVG 7.5.0.516/20080226 found [Downloader.Zlob.SE]
Microsoft 1.3204/20080226 found [Adware:Win32/Vapsup]
Prevx1 V2/20080226 found [KAVKOP:Trojan-A]
Sophos 4.27.0/20080226 found [Mal/Zlob-I]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.AdSpy.Gen]

dgtxrdfrmw.dll - 9432a1b6b11bf5247291e68763b25938

* name: dgtxrdfrmw.dll
* size: 108190
* md5.: 9432a1b6b11bf5247291e68763b25938


AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAQ]
Microsoft 1.3204/20080226 found [Trojan:Win32/Zlob.ZWY]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.8]

bxlrvps.dll - 8120d45ce090c65fd864ac8f48cf87cf

* name: bxlrvps.dll
* size: 108451
* md5.: 8120d45ce090c65fd864ac8f48cf87cf

AntiVir 7.6.0.67/20080225 found [ADSPY/Agent.PB]
Avast 4.7.1098.0/20080225 found [Win32:Agent-LTS]
AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAS]
Prevx1 V2/20080226 found [Generic.Malware]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.Agent.PB]

alofkmn.dll - 0e962ef1d4eb86162cd02b72c4689d86

* name: alofkmn.dll
* size: 86422
* md5.: 0e962ef1d4eb86162cd02b72c4689d86


AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAM]
F-Prot 4.4.2.54/20080225 found [W32/FakeAlert.E.gen!Eldorado]
Ikarus T3.1.1.20/20080226 found [Virus.Win32.Agent.LTS]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]

AlrtDrv.dll - 24326ce4cd6569dbc965c318c4c49d61

* name: AlrtDrv.dll
* size: 14326
* md5.: 24326ce4cd6569dbc965c318c4c49d61

AntiVir 7.6.0.67/20080225 found [TR/Crypt.XPACK.Gen]
Ikarus T3.1.1.20/20080226 found [BehavesLikeTrojan.ShellObject]
Kaspersky 7.0.0.125/20080226 found [Heur.Trojan.Generic]
Norman 5.80.02/20080225 found [W32/Smalltroj.CWNE]
Prevx1 V2/20080226 found [Downloader.Zlob]
Webwasher-Gateway 6.6.2/20080225 found [Trojan.Crypt.XPACK.Gen]

JavaCore.exe - 780913add22a55b787f3eb9934e8207f

* name: JavaCore.exe
* size: 79801
* md5.: 780913add22a55b787f3eb9934e8207f

BitDefender 7.2/20080225 found [Adware.JCore.A]
DrWeb 4.44.0.09170/20080224 found [Trojan.Insider.origin]
Fortinet 3.14.0.0/20080224 found [Adware/Insider]
Kaspersky 7.0.0.125/20080225 found [not-a-virus:AdWare.Win32.Insider.b]
Prevx1 V2/20080225 found [Generic.Malware]
TheHacker 6.2.9.228/20080223 found [Adware/Insider.b]

iqykxi.exe - ee3a48d89399e3ad6b1576a28db4d30d

* name: iqykxi.exe
* size: 183063
* md5.: ee3a48d89399e3ad6b1576a28db4d30d



AVG 7.5.0.516/20080226 found [SHeur.ATOO]
eSafe 7.0.15.0/20080221 found [Suspicious File]
F-Secure 6.70.13260.0/20080225 found [Backdoor.Win32.IRCBot.bol]
Fortinet 3.14.0.0/20080225 found [W32/IRCBot.BOL!tr.bdr]
Kaspersky 7.0.0.125/20080226 found [Backdoor.Win32.IRCBot.bol]
Microsoft 1.3204/20080226 found [Backdoor:Win32/Oderoor.gen!B]
NOD32v2 2901/20080225 found [Win32/Agent.NHE]
Panda 9.0.0.4/20080225 found [W32/MSNPhoto.AB.worm]
Prevx1 V2/20080226 found [SHeur.ATOO]
Webwasher-Gateway 6.6.2/20080225 found [Win32.Malware.gen (suspicious)]

antivir.exe - 448ea9863debe13966a7f809e7f8f8ff

* name: antivir.exe
* size: 42358
* md5.: 448ea9863debe13966a7f809e7f8f8ff

AntiVir 7.6.0.67/20080218 found [TR/Crypt.XPACK.Gen]
BitDefender 7.2/20080218 found [Trojan.Spy.ZBot.V]
eSafe 7.0.15.0/20080217 found [Suspicious File]
Sophos 4.26.0/20080218 found [Sus/Behav-192]
Webwasher-Gateway 6.6.2/20080218 found [Trojan.Crypt.XPACK.Gen]

Sunday, February 17, 2008

Safe Strip Related Submissions (Rogue)

Earlier today we received these four files from a user at BleepingComputer.com.
Detection is extremely low. I started to analyze these in my VM and figured they were worth mentioning because very little information was available on Google.

The reason I titled this post "Safe Strip Related Submissions" is the URL I found in each of these files that takes you to the "Safe Strip" download page.

After running for about 15 minutes I finally started to get the balloon tips:

Even some pretty error messages:

And of course I can't forget my pretty new desktop background:

Oh yeah, and a popup for Advanced Cleaner:

HijackThis entries associated with these:

O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"
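The four O4 entries above and the Storm post's libor.exe Run key share one persistence pattern: a freshly named executable dropped straight into the Windows directory and started from a Run key. The script below is an added example (not UploadMalware.com's or HijackThis' code) that parses HijackThis O4 lines and flags a Run entry when its executable is one of the names given in either post or when it lives directly in %windir% rather than in System32 or Program Files, which legitimate software rarely does. Assumptions: `WINDIR` is C:\WINDOWS; the Storm entry's value name "libor" and its HKLM hive are made up because that post only says "the run key"; `SAMPLE_HJT` is a constructed log built around the entries on this page.

```python
r"""Triage HijackThis O4 (Run key) entries against the indicators in the
Storm and Safe Strip posts.

Added example, not UploadMalware.com's or HijackThis' code. An O4 line reads
  O4 - HKLM\..\Run: [ValueName] "C:\path\file.exe" args
The triage flags a Run entry when its executable is one of the names given
in the posts or when it lives directly in %windir% (not System32), which
legitimate software rarely does. Assumptions: WINDIR is C:\WINDOWS; the Storm
entry's value name "libor" and hive HKLM are made up because the post only
says "the run key"; SAMPLE_HJT is a constructed log.
"""
import ntpath
import re

# From the posts: Storm's load.exe copies itself to %windir%\libor.exe; the
# Safe Strip rogue runs four files out of C:\WINDOWS.
KNOWN_BAD = {"libor.exe", "comsysobj.exe", "shellexcon.exe", "win32st.exe", "winstrse.exe"}
WINDIR = r"c:\windows"  # assumed default install directory, compared lower-cased

O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def command_exe(command):
    """Executable path from a Run-key command, whether quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_o4(line):
    """Dict with hive/key/name/exe for a registry O4 line, else None
    (Startup-folder O4 lines have a different shape and are ignored here)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return {"hive": hive, "key": key, "name": name, "exe": command_exe(command)}


def suspicious_reasons(entry):
    """Why an entry is worth a look; empty list means nothing matched."""
    exe = entry["exe"].lower()
    reasons = []
    if ntpath.basename(exe) in KNOWN_BAD:
        reasons.append("known-indicator")
    if ntpath.dirname(exe) == WINDIR:
        reasons.append("exe-in-windir-root")
    return reasons


def triage(log_text):
    """[(value_name, exe_path, [reasons])] for every flagged Run entry."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry["name"], entry["exe"], reasons))
    return flagged


# Constructed log: the four Safe Strip entries from this post, an assumed
# Storm entry, a sound-card tray tool and ctfmon.exe as benign controls.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"
O4 - HKLM\..\Run: [libor] "C:\WINDOWS\libor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: desktop.ini
"""

if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_HJT):
        print("%-24s %-32s %s" % (name, exe, ", ".join(reasons)))
```

The `exe-in-windir-root` rule is the durable one: the file names change with every build, but a random-looking binary sitting next to explorer.exe is still the tell, and it catches the next variant that is not yet in any indicator list.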

VirusTotal scans:
* name: winstrse.exe
* size: 13899
* md5.: ed5db9136e502a87bdc20f36c787a977


Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]


* name: comsysobj.exe
* size: 13477
* md5.: 17195c2104aee64b598aa815332bb6a4


Panda 9.0.0.4/20080217 found [Adware/SpyBurner]
Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: shellexcon.exe
* size: 15479
* md5.: 3fe0e32201f34616edb7447e976df470

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]



* name: win32st.exe
* size: 36864 bytes
* md5.: 7dfb42300357f7b50ba763497e6c41c7

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]


The files had the following URLs in the strings:

http: //theonlybookmark.com/in.cgi
http: //safe-strip-download.com/soft/in.cgi



Once the files finally started doing their thing, I got a new IE window that opened to a SystemErrorFixer webpage:
http: //systemerrorfixer.com/clean/?cmpname=swpges31&eai=swp_ges&eli=3948&eaf=pp_1685211491&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3Dadctmp%26clone_name%3Dswpadcex%26led%3D3948%26afr%3Dpp_1685211491&ed=0&ex=0&h=10&cmpname=null&mt_info=4141_0_1556
and to
https ://www.anonymouschannel.com/home?pin=anzf3e

The second of these appears to be a fake Virtual Private Network manager.

Thanks to WlkingMan for submitting these files.


Surf Safe,
Dave

Saturday, February 16, 2008

svchost.exe - 9e3c13b6556d5636b745d3e466d47467

* name: svchost.exe-submit.zip
* size: 15783
* md5.: 9e3c13b6556d5636b745d3e466d47467


AntiVir 7.6.0.67/20080215 found [W32/Hidrag.a]
Authentium 4.93.8/20080215 found [W32/Jeefo.A]
Avast 4.7.1098.0/20080215 found [Win32:Jeefo]
AVG 7.5.0.516/20080216 found [Win32/Hidrag.A]
BitDefender 7.2/20080216 found [Win32.Jeefo.A]
CAT-QuickHeal None/20080216 found [W32.Jeefo.A]
ClamAV 0.92.1/20080216 found [W32.Jeefo-3]
DrWeb 4.44.0.09170/20080216 found [Win32.HLLP.Jeefo.36352]
eSafe 7.0.15.0/20080214 found [Win32.Hidrag.a]
eTrust-Vet 31.3.5541/20080215 found [Win32/Jeefo.A]
Ewido 4.0/20080216 found [Worm.VB.dz]
F-Prot 4.4.2.54/20080215 found [W32/Jeefo.A]
F-Secure 6.70.13260.0/20080215 found [Virus.Win32.Hidrag.a]
Fortinet 3.14.0.0/20080216 found [W32/Jeefo.A]
Ikarus T3.1.1.20/20080216 found [Win32.Hidrag]
Kaspersky 7.0.0.125/20080216 found [Virus.Win32.Hidrag.a]
McAfee 5231/20080215 found [W32/Jeefo]
Microsoft 1.3204/20080216 found [Virus:Win32/Jeefo.A]
NOD32v2 2880/20080215 found [Win32/Jeefo.A]
Norman 5.80.02/20080215 found [W32/Hidrag.A]
Panda 9.0.0.4/20080216 found [W32/Jeefo.A.drp]
Prevx1 V2/20080216 found [Generic.Malware]
Rising 20.31.50.00/20080216 found [Win32.Hidrag]
Sophos 4.26.0/20080216 found [W32/Jeefo-A]
Sunbelt 2.2.907.0/20080216 found [Jeefo (v)]
Symantec 10/20080216 found [W32.Jeefo]
TheHacker 6.2.9.221/20080215 found [W32/Jeefo.gen]
VBA32 3.12.6.1/20080214 found [Win32.HLLP.Jeefo]
VirusBuster 4.3.26:9/20080215 found [Win32.Hidrag]
Webwasher-Gateway 6.6.2/20080215 found [Win32.Hidrag.a]


Ma72Pan.exe - 9b6a68204fa80c20d39ebd0da0024085

* name: Ma72Pan.exe-submit.zip
* size: 84508
* md5.: 9b6a68204fa80c20d39ebd0da0024085


Ikarus T3.1.1.20/20080217 found [Backdoor.Win32.Rbot.c]



Thursday, February 14, 2008

rjmtjp.exe - d54d475125f7f6aa48d42f3f1122193a


* name: rjmtjp.exe
* size: 11910
* md5.: d54d475125f7f6aa48d42f3f1122193a

AVG 7.5.0.516/20080213 found [BackDoor.RBot.BI]
BitDefender 7.2/20080214 found [Backdoor.Irc.Sdbot.KC]
DrWeb 4.44.0.09170/20080213 found [BackDoor.IRC.Sdbot.945]
eSafe 7.0.15.0/20080213 found [Suspicious File]
F-Secure 6.70.13260.0/20080214 found [W32/Ircbot.dam]
Norman 5.80.02/20080213 found [W32/Ircbot.dam]
Panda 9.0.0.4/20080214 found [W32/Poebot.MW.worm]
Prevx1 V2/20080214 found [Worm.Ircbot.Gen]
Symantec 10/20080214 found [W32.IRCBot.Gen]
Webwasher-Gateway 6.6.2/20080214 found [Win32.Malware.dam (suspicious)]

packers: PE_Patch
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AFC4ACC53825F0C930750061744E5E003D313D9A

Wednesday, February 13, 2008

Setup.exe - dd13a676ffee2688d9046c3084362feb


* name: Setup.exe
* size: 58794
* md5.: dd13a676ffee2688d9046c3084362feb

AntiVir 7.6.0.65/20080213 found [WORM/P2P.Kapucen.Gen]
Authentium 4.93.8/20080213 found [W32/Kapucen.gen1@p2p]
Avast 4.7.1098.0/20080213 found [Win32:Kapucen]
AVG 7.5.0.516/20080213 found [Win32/Puce.C]
BitDefender 7.2/20080213 found [Win32.Worm.P2P.Puce.G]
CAT-QuickHeal None/20080213 found [I-Worm.Kapucen.b]
ClamAV 0.92/20080213 found [Worm.Puce.E]
DrWeb 4.44.0.09170/20080213 found [Win32.HLLW.Puce]
eTrust-Vet 31.3.5532/20080212 found [Win32/Puce.D]
F-Prot 4.4.2.54/20080212 found [W32/Kapucen.gen1@p2p]
F-Secure 6.70.13260.0/20080213 found [P2P-Worm.Win32.Kapucen.b]
Fortinet 3.14.0.0/20080213 found [W32/Kapucen.B!worm.p2p]
Ikarus T3.1.1.20/20080213 found [P2P-Worm.Win32.Kapucen.b]
Kaspersky 7.0.0.125/20080213 found [P2P-Worm.Win32.Kapucen.b]
McAfee 5228/20080212 found [W32/Puce]
Microsoft 1.3204/20080213 found [Worm:Win32/Puce.Y]
NOD32v2 2872/20080213 found [Win32/Kapucen.B]
Norman 5.80.02/20080212 found [Kapucen.A]
Panda 9.0.0.4/20080213 found [W32/Puce.E.worm]
Prevx1 V2/20080213 found [TROJAN.MUDROP.DU]
Sophos 4.26.0/20080213 found [W32/Puce-H]
Symantec 10/20080213 found [W32.Ecup]
VirusBuster 4.3.26:9/20080213 found [Worm.Kapucen.A]
Webwasher-Gateway 6.6.2/20080213 found [Worm.P2P.Kapucen.Gen]

Tuesday, February 12, 2008

AcroIEHelper.dll - 32929bace82a07c26c1d3877176cb2a9

* submitter: Milkdad
* name: AcroIEHelper.dll
* size: 227894
* md5.: 32929bace82a07c26c1d3877176cb2a9


AntiVir 7.6.0.62/20080212 found [TR/Dldr.Delf.eqb.1]
AVG 7.5.0.516/20080211 found [Downloader.Generic6.AICW]
BitDefender 7.2/20080212 found [Trojan.Downloader.Codec.E]
CAT-QuickHeal None/20080211 found [TrojanDownloader.Delf.eqb]
F-Prot 4.4.2.54/20080211 found [W32/Banload.E.gen!Eldorado]
F-Secure 6.70.13260.0/20080212 found [Trojan-Downloader.Win32.Delf.eqb]
Fortinet 3.14.0.0/20080212 found [W32/Delf.EQB!tr.dldr]
Ikarus T3.1.1.20/20080212 found [Trojan-Downloader.Delf.OGX]
Kaspersky 7.0.0.125/20080212 found [Trojan-Downloader.Win32.Delf.eqb]
Microsoft 1.3204/20080211 found [Trojan:Win32/Delflob.I]
Prevx1 V2/20080212 found [Generic.Malware]
Webwasher-Gateway 6.6.2/20080212 found [Trojan.Dldr.Delf.eqb.1]

packers: ASPack
AVs that added detection because of your submission:

Avira: TR/Dldr.Delf.eqb.1

Monday, February 11, 2008

And so it begins.....

The new wave of Storm is flowing just in time for Valentine's Day. At the time of this post I've only received three emails for it, and I imagine a lot more are to come.

The first with the subject "Phone Love" and a body that simply contained the following:
Love Machine http:// 24.131.212.16/

I of course went to the page to get the newest version, and this was the image I found:

Onto the next one I received:
Subject: Valentine Invitation
Body:
Happy Valentine's Day! http:// 200.75.106.166

And yet another pretty pic. Now for the third:

Subject: Be My Valentine
Body:
Valentine Friends http:// 59.92.53.16/

Ahh, another pretty pic; reminds me of elementary school.

The one thing all of the files have in common is no detection at the time of the post!
Be very careful opening any Valentine's emails you receive; they could be more trouble than you ever wanted.

http:// 24.131.212.16/ - valentine.exe MD5: d1789d5bbc74bcf4def368f9b9db303e
http:// 200.75.106.166/ - valentine.exe MD5: 8ef7be6c05aca940b1e9cf677d471a41
http:// 59.92.53.16/ - valentine.exe MD5: 74ca598169f8fdee49d04e22c8ac7514

While I was writing this I received another one, but it seems to be dead already. Here is the info from it.

Subject: You're Super Sweet
Body:
Love Rose http:// 203.128.211.219/

I've stayed away from the technical details here, at least for now. Our friends over at asert.arbornetworks.com have posted some details; check it out at:
http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/

Edit:

Here are some more of the images:


More subject lines and bodies:

Just you: Rockin' Valentine http:// 71.156.93.100/
Rockin' Valentine: My Love http:// 65.34.217.24/
Rockin' Valentine: Powerful Love http:// 58.63.155.16/
My Heart: World Love http:// 76.68.144.52/
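Every lure listed in this post is a two- or three-word phrase followed by a link whose host is a bare IP address (the post writes them as "http:// 1.2.3.4/" to keep them from being clickable; the real mails had no space). That shape is a usable mail-filter heuristic, and the script below is an added example of it, not UploadMalware.com's code: a link to an IP literal is rare in legitimate mail, and a near-empty body with nothing but such a link is rarer still, so it scores on both. The six-word limit is an assumption; `SAMPLE_MAIL` is constructed from subject/body pairs in the post plus two ham messages.

```python
"""Flag mail bodies built like the Storm Valentine lures.

Added example, not UploadMalware.com's code. Every lure in the post is a
short phrase plus a link whose host is a bare IP address. A link to an IP
literal is rare in legitimate mail, and a body with almost nothing but such
a link is rarer still, so the check scores on both. The word limit is an
assumption; SAMPLE_MAIL is constructed from the post plus two ham messages.
"""
import ipaddress
import re

URL_RE = re.compile(r"https?://([^\s/]+)(?:/\S*)?", re.IGNORECASE)


def ip_literal_hosts(text):
    """Hosts of every URL in text that are IP literals (v4, or bracketed v6)."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = m.group(1)
        if host.startswith("["):
            host = host[1:host.find("]")] if "]" in host else host[1:]
        else:
            host = host.split(":")[0]  # drop a :port
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        hosts.append(host)
    return hosts


def classify_mail(body, max_words=6):
    """'storm-style-lure': bare-IP link and almost no other text;
    'ip-literal-link': bare-IP link in a longer body; 'ok' otherwise."""
    if not ip_literal_hosts(body):
        return "ok"
    words = [w for w in body.split() if not URL_RE.match(w)]
    return "storm-style-lure" if len(words) <= max_words else "ip-literal-link"


def triage(messages):
    """[(subject, verdict)] for a list of (subject, body) pairs."""
    return [(subject, classify_mail(body)) for subject, body in messages]


# Constructed: four lures from the post (links undefanged as they arrived),
# one ordinary message with a named host, and one long message that happens
# to link an internal address.
SAMPLE_MAIL = [
    ("Phone Love", "Love Machine http://24.131.212.16/"),
    ("Valentine Invitation", "Happy Valentine's Day! http://200.75.106.166"),
    ("Be My Valentine", "Valentine Friends http://59.92.53.16/"),
    ("Just you", "Rockin' Valentine http://71.156.93.100/"),
    ("Lunch?", "Menu is at http://cafe.example/menu - meet at noon?"),
    ("Printer", "The new print server is http://10.1.2.3/ but only use it "
                "after the migration is announced on Monday, ok?"),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MAIL):
        print("%-22s %s" % (subject, verdict))
```

The two-tier verdict matters in practice: quarantine on `storm-style-lure`, but only tag `ip-literal-link`, since an internal mail linking a printer by address is exactly the false positive a blanket IP-link rule would produce.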


Safe surfing!
Uploadmalware.com

The Mega-D botnet that everyone was led to believe was so huge apparently isn't, according to a recent blog post at asert.arbornetworks.com.

SecureWorks: Ozdok/Mega-D Trojan Analysis

by Danny McPherson

Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D.

It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here, as well as some detailed bits on behaviors of the Trojan itself.

Based solely on the hostnames provided in the analysis we (Jose, actually) was able to find three samples in our database, with dates all well over a year old:


Read the full story at the link below.

http://asert.arbornetworks.com/2008/02/secureworks-ozdokmega-d-trojan-analysis/

video.exe - 9f36a92add503d6c08a97d5dc0d5eb8c



* name: video.exe
* size: 91831
* md5.: 9f36a92add503d6c08a97d5dc0d5eb8c


AntiVir 7.6.0.62/20080208 found [TR/Dropper.Gen]
eSafe 7.0.15.0/20080128 found [suspicious Trojan/Worm]
Ikarus T3.1.1.20/20080210 found [Trojan-Spy.Win32.Banker.caw]
Panda 9.0.0.4/20080209 found [Suspicious file]
VBA32 3.12.6.0/20080209 found [suspected of Trojan-IM.VB.1 (paranoid heuristics)]
Webwasher-Gateway 6.6.2/20080209 found [Trojan.Dropper.Gen]


packers: UPX_LZMA
AVs that added detection because of your submission:

Trojan-Downloader.Win32.Banload.hjl

album_leticia.exe - 532c3c5674bb03464d4d990c291d8a14


* name: album_leticia.exe
* size: 14794
* md5.: 532c3c5674bb03464d4d990c291d8a14


ClamAV 0.92/20080210 found [Trojan.Downloader-13210]
Rising 20.29.22.00/20080130 found [Trojan.DL.Win32.Agent.ejs]
Webwasher-Gateway 6.6.2/20080210 found [Virus.Win32.FileInfector.gen!90 (suspicious)]


AVs that added detection based on your submission:

Avira Lab: TR/Dldr.Agent.iwf
Kaspersky: Trojan-Downloader.Win32.Agent.iwf

elxxfghg.dll - 227f6af6fb4ae8063b5f7348fd9694ee


* name: elxxfghg.dll
* size: 80084 bytes
* md5.: 227f6af6fb4ae8063b5f7348fd9694ee


AntiVir 7.6.0.62/20080210 found [TR/Dldr.ConHook.Gen]
Avast 4.7.1098.0/20080210 found [Win32:TratBHO]
AVG 7.5.0.516/20080210 found [Lop]
BitDefender 7.2/20080210 found [Trojan.Vundo.DYM]
DrWeb 4.44.0.09170/20080210 found [Trojan.Virtumod.272]
eTrust-Vet 31.3.5522/20080208 found [Win32/Vundo.MO]
F-Prot 4.4.2.54/20080210 found [W32/Virtumonde.G.gen!Eldorado]
Ikarus T3.1.1.20/20080210 found [not-a-virus:AdWare.Win32.Virtumonde]
Kaspersky 7.0.0.125/20080210 found [not-a-virus:AdWare.Win32.Virtumonde.gen]
Microsoft 1.3204/20080210 found [Trojan:Win32/Vundo.gen!A]
Norman 5.80.02/20080208 found [W32/Virtumonde.KYQ]
Panda 9.0.0.4/20080210 found [Suspicious file]
Sophos 4.26.0/20080210 found [Troj/Virtum-Gen]
Symantec 10/20080210 found [Trojan.Adclicker]
TheHacker 6.2.9.215/20080209 found [Adware/Virtumonde.gen]
VirusBuster 4.3.26:9/20080210 found [Adware.Vundo.V.Gen]
Webwasher-Gateway 6.6.2/20080210 found [Trojan.Dldr.ConHook.Gen]




sbsm.exe - ead7b53b7a67d39dfe74ff6fe981d389

* name: sbsm.exe
* size: 2759 bytes
* md5.: ead7b53b7a67d39dfe74ff6fe981d389

AVG 7.5.0.516/20080211 found [Downloader.Zlob]
F-Secure 6.70.13260.0/20080211 found [Trojan-Downloader.Win32.Zlob.hku]
Kaspersky 7.0.0.125/20080211 found [Trojan-Downloader.Win32.Zlob.hku]
NOD32v2 2865/20080211 found [Win32/TrojanDownloader.Zlob.BPH]
Prevx1 V2/20080211 found [Downloader.Zlob]
Symantec 10/20080211 found [Trojan.Startpage]
VirusBuster 4.3.26:9/20080211 found [Trojan.DL.Zlob.Gen.34]



Edit 1: Added by Ikarus as Virus.Win32.Zlob.AJV
Edit 2: Added by Avira as TR/Dldr.Zlob.hku
Edit 3: Added by DrWeb as Virus: Trojan.Popuper