Anti-Spyware Forums



New Virus Sample (June 14)

 
 
Virus Guy
Guest
Posts: n/a

 
      15-06-2012, 01:02 PM
I received a new spam e-mail containing viral attachments yesterday.

So sad to see that Yahoo did not detect these files and block the e-mail
from being sent.

The attachments were:

tt.xls.exe (589 kb)
tt.pdf.exe (569 kb)

Both files were detected by 50% of A-V apps @ VirusTotal yesterday when
they were submitted.

E-mail originates from 41.220.69.62 (Lagos, Nigeria).

The files can be downloaded here:

http://www.fileden.com/files/2012/6/...408/June14.rar

Password is "a" (no quotes).

Here's the full spam:

============
Return-Path: <(E-Mail Removed)>
Received: from nm12-vm4.bullet.mail.ne1.yahoo.com ([98.138.91.172])
Wed, 13 June 2012 21:57:43 -0400
Received: from [41.220.69.62] by web110310.mail.gq1.yahoo.com via HTTP
Wed, 13 Jun 2012 18:57:34 PDT
X-Mailer: YahooMailClassic/15.0.6 YahooMailWebService/0.8.118.349524
From: Dr Datti Williams <(E-Mail Removed)>
Reply-To: (E-Mail Removed)
Subject: hello

Hello,
I saw your website and I am interested in your products.
Attached is a list for what we need and quantity.
Please check and quote similar items.
Any question please let us know.
We want to know if products can be designed and labelled
(client private label) as seen on this attached list.
Please download the attachment and confirm to us.

I’ll be waiting for Your quotation.

Look forward to hearing from you soon.

Best regards
nancy lee

attachments_2012_06_07.zip

Content-Type: application/x-zip-compressed;
name="attachments_2012_06_07.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="attachments_2012_06_07.zip"
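
The attachment names reported in the post above (`tt.xls.exe`, `tt.pdf.exe`) pair a document-looking extension with an executable one. The following is an added example, not part of the original post: a mail-filter check that flags such names, including inside a zip attachment, without extracting anything. The function names and extension lists are illustrative, the sample message is constructed, and placing the two files inside the zip is an assumption the post implies but does not state.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions a recipient reads as "a document" and ones Windows will execute.
DECOY_EXTS = {".xls", ".xlsx", ".pdf", ".doc", ".docx", ".jpg", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def is_double_extension(name):
    """True when the final suffix is executable and the one before it is a decoy."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS

def scan_message(raw):
    """Return (attachment, member) pairs for suspicious names, looking inside zips."""
    hits = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue
        if is_double_extension(fname):
            hits.append((fname, fname))
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # Only member names are read; nothing is extracted or executed.
                hits += [(fname, m) for m in zf.namelist() if is_double_extension(m)]
    return hits

def build_sample():
    """Constructed message: a zip of harmless placeholder bytes under the names from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("tt.xls.exe", "tt.pdf.exe", "readme.txt"):
            zf.writestr(member, b"placeholder, not a real sample")
    msg = EmailMessage()
    msg["Subject"] = "hello"
    msg.set_content("Attached is a list for what we need and quantity.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="attachments_2012_06_07.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in scan_message(build_sample()):
        print(f"{attachment}: {member}")
```

A name-based check like this is independent of signature coverage, so it still fires when only part of the AV field recognises the binaries.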
 
Virus Guy
Guest
Posts: n/a

 
      15-06-2012, 02:03 PM
"David H. Lipman" wrote:

> C2 - marriscollege.org.md-35.webhostbox.net/kb1/data.bin


==================
This file was already analysed by VirusTotal on 2012-06-11 15:45:36.

Detection ratio: 0/42

You can take a look at the last analysis or analyse it again now.
===================

Detection ratio: 0 / 42
Analysis date: 2012-06-15 13:58:14 UTC ( 0 minutes ago )

I'm not sure if these secondary payloads are supposed to be detectable
by AV programs.

This one wasn't flagged by any AV apps on June 11, and today (June 15)
it still isn't.

What is this file anyways?
 
Virus Guy
Guest
Posts: n/a

 
      16-06-2012, 12:31 PM
"David H. Lipman" wrote:

> > What is this file anyways?

>
> What file, the .BIN ?


Yes, the bin file hosted by marriscollege.org.md-35.webhostbox.net.

What is it (what type of compression, what does it contain) and why
doesn't any AV package detect or recognize it?
 