New email worm variant

Posted by Art on February 6, 2007, 12:59 pm
Missed by some scanners:
******************************************
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

Antivirus        Version        Update        Result
AntiVir        7.3.1.34        02.06.2007        TR/Crypt.ULPM.Gen
Authentium        4.93.8        02.06.2007        Possibly a new variant of W32/CodeCru-based!Maximus
Avast        4.7.936.0        02.06.2007        Win32:Tibs-AIE
AVG        386        02.06.2007        no virus found
BitDefender        7.2        02.05.2007        Trojan.Peed.Gen
CAT-QuickHeal        9.00        02.06.2007        no virus found
ClamAV        devel-20060426        02.06.2007        Trojan.Downloader.Tibs.Gen-1
DrWeb        4.33        02.06.2007        Trojan.Packed.12
eSafe        7.0.14.0        02.06.2007        suspicious Trojan/Worm
eTrust-InoculateIT        30.4.3372        02.06.2007        no virus found
eTrust-Vet        30.4.3372        02.06.2007        no virus found
Ewido        4.0        02.06.2007        no virus found
Fortinet        2.85.0.0        02.06.2007        no virus found
F-Prot        4.2.1.29        02.06.2007        W32/CodeCru-based!Maximus
Ikarus        T3.1.0.31        02.06.2007        no virus found
Kaspersky        4.0.2.24        02.06.2007        Email-Worm.Win32.Zhelatin.r
McAfee        4957        02.06.2007        no virus found
Microsoft        1.2101        02.06.2007        Win32/Vxidl.gen!B
NOD32v2        2040        02.06.2007        no virus found
Norman        5.80.02        02.06.2007        W32/Tibs.gen30
Panda        9.0.0.4        02.06.2007        Suspicious file
Prevx1        V2        02.06.2007        no virus found
Sophos        4.13.0        02.05.2007        Mal/HckPk-A
Sunbelt        2.2.907.0        02.02.2007        no virus found
Symantec        10        02.06.2007        no virus found
TheHacker        6.1.6.052        02.05.2007        no virus found
UNA        1.83        02.06.2007        no virus found

Aditional Information
File size: 51192 bytes
MD5: 73aeb5b6ff55e48cc8c22dfa021413f1
SHA1: 41bd57d29cbd95fee7fa235458588bd6a083c140

Posted by Duh_OZ on February 6, 2007, 9:48 pm
> Missed by some scanners:
> ******************************************
> File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
> being scanned by VirusTotal in this moment. Results will be shown as
> they're generated.
>
><snip>
> Sunbelt 2.2.907.0 02.02.2007 no virus found
></snip>
==========
Will Sunbelt ever catch one? I've submitted 6 different variants
over the past month - Sunbelt zip, zero, zilch.


Posted by Bill Blevins on February 6, 2007, 9:52 pm
Art wrote:
> Missed by some scanners:
> ******************************************
> File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
> being scanned by VirusTotal in this moment. Results will be shown as
> they're generated.
>
> Antivirus        Version        Update        Result
> AntiVir        7.3.1.34        02.06.2007        TR/Crypt.ULPM.Gen
> Authentium        4.93.8        02.06.2007        Possibly a new variant of W32/CodeCru-based!Maximus
> Avast        4.7.936.0        02.06.2007        Win32:Tibs-AIE
> AVG        386        02.06.2007        no virus found
> BitDefender        7.2        02.05.2007        Trojan.Peed.Gen
> CAT-QuickHeal        9.00        02.06.2007        no virus found
> ClamAV        devel-20060426        02.06.2007        Trojan.Downloader.Tibs.Gen-1
> DrWeb        4.33        02.06.2007        Trojan.Packed.12
> eSafe        7.0.14.0        02.06.2007        suspicious Trojan/Worm
> eTrust-InoculateIT        30.4.3372        02.06.2007        no virus found
> eTrust-Vet        30.4.3372        02.06.2007        no virus found
> Ewido        4.0        02.06.2007        no virus found
> Fortinet        2.85.0.0        02.06.2007        no virus found
> F-Prot        4.2.1.29        02.06.2007        W32/CodeCru-based!Maximus
> Ikarus        T3.1.0.31        02.06.2007        no virus found
> Kaspersky        4.0.2.24        02.06.2007        Email-Worm.Win32.Zhelatin.r
> McAfee        4957        02.06.2007        no virus found
> Microsoft        1.2101        02.06.2007        Win32/Vxidl.gen!B
> NOD32v2        2040        02.06.2007        no virus found
> Norman        5.80.02        02.06.2007        W32/Tibs.gen30
> Panda        9.0.0.4        02.06.2007        Suspicious file
> Prevx1        V2        02.06.2007        no virus found
> Sophos        4.13.0        02.05.2007        Mal/HckPk-A
> Sunbelt        2.2.907.0        02.02.2007        no virus found
> Symantec        10        02.06.2007        no virus found
> TheHacker        6.1.6.052        02.05.2007        no virus found
> UNA        1.83        02.06.2007        no virus found
>
> Aditional Information
> File size: 51192 bytes
> MD5: 73aeb5b6ff55e48cc8c22dfa021413f1
> SHA1: 41bd57d29cbd95fee7fa235458588bd6a083c140

No surprise that AVG didn't hit on it.

--
Bill Blevins
bill@billblevins.com
PGP Key ID: 0x5A4D07B0

Posted by Roger Grady on February 7, 2007, 11:03 pm

>Missed by some scanners:
>******************************************
>File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
>being scanned by VirusTotal in this moment. Results will be shown as
>they're generated.

I've been getting variations of this since Jan. 18, total of 25 as of
this afternoon. AVG calls it downloader.tibs. There have been numerous
variations and different file names. In most cases AVG does not
recognize it at first, but if I manually check for updates later in
the day it will. Apparently I'm one of the lucky early recipients.
Normally I just let AVG do its once a day update, but lately I've been
checking manually. I've found as many as 3 updates in one day.


Roger Grady k9opo@sbcglobal.qlfit.net
To reply by email, remove "qlfit." from address
