New Virus Sample (June 14)

Discussion in 'Anti-Virus' started by Virus Guy, Jun 15, 2012.

  1. Virus Guy

    Virus Guy Guest

    I received a new spam e-mail containing viral attachments yesterday.

    So sad to see that Yahoo did not detect these files and block the e-mail
    from being sent.

    The attachments were:

    tt.xls.exe (589 kb)
    tt.pdf.exe (569 kb)

    Both files were detected by 50% of A-V apps @ VirusTotal yesterday when
    they were submitted.

    E-mail originates from 41.220.69.62 (Lagos, Nigeria).

    The files can be downloaded here:

    http://www.fileden.com/files/2012/6/15/3316408/June14.rar

    Password is "a" (no quotes).

    Here's the full spam:

    ============
    Return-Path: <>
    Received: from nm12-vm4.bullet.mail.ne1.yahoo.com ([98.138.91.172])
    Wed, 13 June 2012 21:57:43 -0400
    Received: from [41.220.69.62] by web110310.mail.gq1.yahoo.com via HTTP
    Wed, 13 Jun 2012 18:57:34 PDT
    X-Mailer: YahooMailClassic/15.0.6 YahooMailWebService/0.8.118.349524
    From: Dr Datti Williams <>
    Reply-To:
    Subject: hello

    Hello,
    I saw your website and I am interested in your products.
    Attached is a list for what we need and quantity.
    Please check and quote similar items.
    Any question please let us know.
    We want to know if products can be designed and labelled
    (client private label) as seen on this attached list.
    Please download the attachment and confirm to us.

    I’ll be waiting for Your quotation.

    Look forward to hearing from you soon.

    Best regards
    nancy lee

    attachments_2012_06_07.zip

    Content-Type: application/x-zip-compressed;
    name="attachments_2012_06_07.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="attachments_2012_06_07.zip"
     
    Virus Guy, Jun 15, 2012
    #1
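Triage of a message like the one quoted above can be scripted. The block below is an added example, not code from this thread: it builds a constructed message modelled on the quoted headers (the zip attachment contains synthetic MZ-headed stubs named like the real attachments, not the real samples), then pulls the earliest hop out of the Received chain, opens the zip in memory, and flags members by double extension and by MZ header regardless of name. The extension lists and the size cap are my choices, not anything the post states.

```python
import io
import posixpath
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".rtf"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized archive members

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Constructed sample modelled on the headers quoted in the post.
    The attachment bodies are synthetic MZ stubs, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tt.xls.exe", b"MZ" + b"\x00" * 300)
        zf.writestr("tt.pdf.exe", b"MZ" + b"\x00" * 280)
        zf.writestr("readme.txt", b"Please quote similar items.")
    msg = EmailMessage(policy=policy.default)
    # Newest hop first, exactly as an MTA would stack them.
    msg["Received"] = ("from nm12-vm4.bullet.mail.ne1.yahoo.com ([98.138.91.172]); "
                       "Wed, 13 Jun 2012 21:57:43 -0400")
    msg["Received"] = ("from [41.220.69.62] by web110310.mail.gq1.yahoo.com via HTTP; "
                       "Wed, 13 Jun 2012 18:57:34 PDT")
    msg["Subject"] = "hello"
    msg.set_content("Hello,\nAttached is a list for what we need and quantity.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed",
                       filename="attachments_2012_06_07.zip")
    return msg.as_bytes()


def originating_ip(msg: EmailMessage):
    """Walk the Received headers bottom-up (earliest hop first).
    Only hops stamped by MTAs you trust are reliable; anything below your
    own border MTA can be forged by the sender."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hdr))
        if m:
            return m.group(1)
    return None


def classify(name: str, data: bytes) -> dict:
    """Flag a file by its extension chain and by its leading bytes."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension hidden before it (double extension)")
    if data[:2] == b"MZ":
        reasons.append("MZ header: Windows executable regardless of name")
        if exts and exts[-1] in DOCUMENT_EXTS:
            reasons.append("content does not match document extension")
    return {"name": name, "size": len(data),
            "suspicious": bool(reasons), "reasons": reasons}


def expand_attachment(part) -> list:
    """Return [(name, bytes)] for one attachment, descending one level into
    a zip so the members get the same checks as a bare attachment."""
    name = part.get_filename() or "(unnamed)"
    data = part.get_payload(decode=True) or b""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, data)]
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue  # skip directories and anything that looks like a zip bomb
            member = posixpath.basename(info.filename)  # neutralises ../ names
            try:
                members.append((member, zf.read(info)))
            except RuntimeError:  # password-protected member: still check the name
                members.append((member, b""))
    return members


def triage(raw: bytes) -> dict:
    """Parse a raw message and decide whether it should be held."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        for member_name, data in expand_attachment(part):
            findings.append(classify(member_name, data))
    return {
        "origin_ip": originating_ip(msg),
        "subject": str(msg["Subject"]),
        "attachments": findings,
        "verdict": "quarantine" if any(f["suspicious"] for f in findings) else "deliver",
    }


if __name__ == "__main__":
    for line in triage(build_sample_message()).items():
        print(*line)
```

The MZ check is the part that matters operationally: a sender can rename tt.xls.exe to anything, and a mail gateway that only keys on the extension will pass it, so checking the first bytes of every archive member is the cheaper and more durable rule.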

  2. Virus Guy

    Virus Guy Guest

    ==================
    This file was already analysed by VirusTotal on 2012-06-11 15:45:36.

    Detection ratio: 0/42

    You can take a look at the last analysis or analyse it again now.
    ===================

    Detection ratio: 0 / 42
    Analysis date: 2012-06-15 13:58:14 UTC ( 0 minutes ago )

    I'm not sure if these secondary payloads are supposed to be detectable
    by AV programs.

    This one wasn't flagged by any AV apps on June 11, and today (June 15)
    it still isn't.

    What is this file anyways?
     
    Virus Guy, Jun 15, 2012
    #2

  3. Virus Guy

    Virus Guy Guest

    Yes, the bin file hosted by marriscollege.org.md-35.webhostbox.net.

    What is it (what type of compression, what does it contain) and why
    doesn't any AV package detect or recognize it?
     
    Virus Guy, Jun 16, 2012
    #3
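The questions in #2 and #3 (what kind of file the bin is, what compression it uses, and why nothing at VirusTotal matches it) can be narrowed down offline before the file goes anywhere. The block below is an added example, not code from the thread, and it does not examine the actual file from the post: it runs the usual first-pass checks on a few constructed blobs (a synthetic MZ stub wrapped in gzip, in zlib, XOR-encoded with a single byte, a bare RAR header, and a pseudo-random buffer): magic-byte identification, decompression attempts, a single-byte XOR key scan, and Shannon entropy. The magic table and the 64-byte probe length are my choices.

```python
import bz2
import gzip
import lzma
import math
import random
import zlib
from collections import Counter

# Magic-byte table for the container and file types a mail-borne second
# stage commonly turns out to be. No entry is a prefix of another, so the
# first match wins.
MAGICS = [
    (b"Rar!\x1a\x07\x00", "RAR archive (v4)"),
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
]


def identify(data: bytes) -> str:
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, close to 8.0 for encrypted or
    well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def try_decompress(data: bytes):
    """Return (label, inner_bytes) if data is a gzip, bzip2, xz or raw zlib
    stream, else None. A zlib stream has no printable magic, so trying it
    is the only way to spot it."""
    for label, fn in (("gzip", gzip.decompress), ("bzip2", bz2.decompress),
                      ("xz", lzma.decompress), ("zlib", zlib.decompress)):
        try:
            return label, fn(data)
        except (OSError, EOFError, ValueError, zlib.error, lzma.LZMAError):
            continue
    return None


def xor_single_byte_scan(data: bytes, probe: int = 64):
    """Brute-force a single-byte XOR key by checking whether the decoded
    prefix starts with a known magic. Two-byte magics can hit by chance on
    random data, so confirm a hit by decoding and parsing the whole blob."""
    head = data[:probe]
    for key in range(1, 256):
        label = identify(bytes(b ^ key for b in head))
        if label != "unknown":
            return key, label
    return None


def analyze(data: bytes) -> dict:
    kind = identify(data)
    result = {"kind": kind, "entropy": round(shannon_entropy(data), 2),
              "inner_kind": None, "xor_key": None}
    dec = try_decompress(data) if kind in ("unknown", "gzip", "bzip2", "xz") else None
    if dec:
        result["kind"] = dec[0] + " stream"
        result["inner_kind"] = identify(dec[1])
    elif kind == "unknown":
        hit = xor_single_byte_scan(data)
        if hit:
            result["xor_key"], result["inner_kind"] = hit
    return result


def build_samples() -> dict:
    """Constructed inputs; the MZ stub is a bare header, not a real executable."""
    pe_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    rng = random.Random(1)
    return {
        "gzipped_pe": gzip.compress(pe_stub),
        "zlib_pe": zlib.compress(pe_stub),
        "xored_pe": bytes(b ^ 0x5A for b in pe_stub),
        "rar_header": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
        "random_blob": bytes(rng.getrandbits(8) for _ in range(4096)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, analyze(blob))
```

How to read the output: a recognised container or a successful decompression tells you what the bin is and what it wraps; a single-byte XOR hit tells you it is a trivially encoded executable. A blob that stays "unknown" with entropy near 8.0 and no XOR or decompression hit is, in general, encrypted or encoded with a scheme only the first stage knows, and a static scanner then has nothing to match, which is one common reason for a 0/N result on a second-stage file. Whether that applies to the file in the thread cannot be told from the post; the decoder in the first-stage executable, or a sandbox run, is what settles it.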
