SANS ISC: InfoSec Handlers Diary Blog - From the Mailbag

From the Mailbag

Published: 2007-03-22
Last Updated: 2007-03-23 09:13:49 UTC
by Chris Carboni (Version: 1)

New Trojan?

Kathy writes:
"We've been hit in a major way by some type of password stealing trojan which is similar to Backdoor.Berbew.N" She goes on to say "The symptoms are the same as what's reported for Expiro.a - it appears to infect about every EXE on the local and all network drives. We're pretty sure the infection vector is through Windows file shares but haven't confirmed that. An infected workstation tries to go to various Russian web sites"


VirusTotal results for the sample (only 7 of the 32 engines flag it, most of them only as "suspicious" or by heuristics):

Antivirus / Version / Update / Result
AhnLab-V3 2007.3.23.0 03.22.2007 no virus found
AntiVir 7.3.1.44 03.22.2007 no virus found
Authentium 4.93.8 03.22.2007 no virus found
Avast 4.7.936.0 03.21.2007 no virus found
AVG 7.5.0.447 03.22.2007 no virus found
BitDefender 7.2 03.22.2007 no virus found
CAT-QuickHeal 9.00 03.21.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.22.2007 no virus found
DrWeb 4.33 03.22.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3501 03.22.2007 no virus found
Ewido 4.0 03.22.2007 no virus found
FileAdvisor 1 03.22.2007 no virus found
Fortinet 2.85.0.0 03.22.2007 suspicious
F-Prot 4.3.1.45 03.21.2007 no virus found
F-Secure 6.70.13030.0 03.22.2007 no virus found
Ikarus T3.1.1.3 03.22.2007 Trojan-Downloader.Win32.Small.AIP
Kaspersky 4.0.2.24 03.22.2007 no virus found
McAfee 4989 03.21.2007 no virus found
Microsoft 1.2306 03.22.2007 no virus found
NOD32v2 2136 03.22.2007 no virus found
Norman 5.80.02 03.22.2007 no virus found
Panda 9.0.0.4 03.22.2007 Suspicious file
Prevx1 V2 03.22.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.22.2007 no virus found
Symantec 10 03.22.2007 W32.Kakavex
TheHacker 6.1.6.079 03.22.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.22.2007 suspected of Downloader.Small.21 (paranoid heuristics)
VirusBuster 4.3.7:9 03.22.2007 no virus found
Webwasher-Gateway 6.0.1 03.22.2007 Virus.Win32.FileInfector.gen (suspicious)


Traffic from Yahoo?

Kurt writes to tell us that "It appears the yahoo owned ip ranges are nailing several of our websites enough to take the machines down."

If anyone else is seeing heavy volume from Yahoo addresses, let us know and include packets if you can.

Firefox 2.0.0.3

We've had several readers mention that Firefox 2.0.0.3 is out. You can get your copy from all the usual sources.


Spam in Any Language ...

Duncan writes in to tell us of some spam he was able to block:
"F-Secure published an update around 10:12 GMT this morning after we sent them a sample, and Sophos released an IDE update at 13:19 GMT. F-Secure called it Trojan-Spy:W32/Agent.QY, and Sophos called it Troj/BanSpy-C.

Looking at the virus tracking logs we maintain, the 'outbreak' was more of a small flurry, as the entries for our custom ClamAV rule stopped by noon GMT, and there have been no hits across the 150ish node network for the vendor-given names.

The only affected domains were in the Netherlands, and hosted on MXs with '.nl' as the TLD - so I'm guessing the code did a quick and dirty to see if the MX was in the Netherlands before sending the mail."

Handler Maarten Van Horenbeeck was able to read the spam and notes:

"...the e-mail pretends to be from ABN Amro, a large Dutch bank.

The message is completely in Dutch and tries to get the user to execute the attached file "ms_ssl3_upd.exe". This supposedly enables SSLv3 support, which 'will be required as of tomorrow' to access their e-banking site. The e-mail contains a number of typos, strange use of words and exclamation marks which makes it obvious to any reader who looks at it in detail that it is in fact a spoof.

ABN Amro has had a Dutch press release on their site regarding this e-mail since yesterday:
http://www.abnamro.nl/nl/overabnamro/internetcriminaliteit.html?pos=lb_20070321_nepsite"

Thanks Maarten
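Two items in this diary point at the same gap: the sample from Kathy's network was missed by 25 of 32 VirusTotal engines, and Duncan caught the ABN Amro spam with a custom ClamAV rule hours before F-Secure and Sophos shipped updates. The block below is an added example of how such a stop-gap rule is built; it is not Duncan's rule and not code from the diary. It writes ClamAV hash signatures (.hdb, MD5:size:name; .hsb, SHA-256:size:name) and a body signature (.ndb, Name:Target:Offset:HexSig, target 1 = PE), and includes a small matcher so the rules can be checked against a file without clamscan. The SAMPLE bytes are a constructed stand-in, not the real ms_ssl3_upd.exe, and the matcher handles plain hex only (no ClamAV `??` or `*` wildcards), which is an assumption for illustration.

```python
import hashlib

# Constructed stand-in for a captured attachment (NOT the real ms_ssl3_upd.exe):
# a minimal MZ header followed by strings a triager might pick as a marker.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"ABN AMRO ssl3 update\x00" + b"\x90" * 16
    + b"http://example.invalid/ssl\x00"
)


def hdb_signature(data: bytes, name: str) -> str:
    """ClamAV .hdb line (MD5:size:name). Matches only this exact file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_signature(data: bytes, name: str) -> str:
    """ClamAV .hsb line (SHA256:size:name). Same semantics, stronger hash."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, marker: bytes, target: int = 1, offset: str = "*") -> str:
    """ClamAV .ndb line (Name:Target:Offset:HexSig).

    Target 1 restricts the rule to PE files; offset "*" means anywhere.
    A body signature survives a re-hash (different padding, appended junk)
    as long as the marker bytes are left intact, which a hash rule does not.
    """
    return f"{name}:{target}:{offset}:{marker.hex()}"


def matches_hash_signature(data: bytes, sig_line: str) -> bool:
    """Apply an .hdb/.hsb line: size must match, then the digest."""
    digest, size, _name = sig_line.split(":")
    algo = hashlib.md5 if len(digest) == 32 else hashlib.sha256
    return int(size) == len(data) and algo(data).hexdigest() == digest


def matches_ndb(data: bytes, sig_line: str) -> bool:
    """Apply an .ndb line with a plain-hex body (no wildcards; assumption)."""
    _name, target, offset, hexsig = sig_line.split(":")
    if target == "1" and not data.startswith(b"MZ"):
        return False  # PE-only rule does not fire on non-PE input
    pattern = bytes.fromhex(hexsig)
    if offset == "*":
        return pattern in data
    off = int(offset)
    return data[off:off + len(pattern)] == pattern


def build_ruleset(data: bytes, name: str, marker: bytes) -> dict:
    """Lines to drop into custom .hdb/.hsb/.ndb files under the ClamAV db dir."""
    return {
        "hdb": hdb_signature(data, name),
        "hsb": hsb_signature(data, name),
        "ndb": ndb_signature(name, marker),
    }


if __name__ == "__main__":
    rules = build_ruleset(SAMPLE, "Troj.ABNAmroSpoof.Custom", b"ABN AMRO ssl3 update")
    for ext, line in rules.items():
        print(f"{ext}: {line}")
    # A single appended byte defeats the hash rules but not the body rule.
    variant = SAMPLE + b"\x00"
    print("hash matches variant:", matches_hash_signature(variant, rules["hdb"]))
    print("body matches variant:", matches_ndb(variant, rules["ndb"]))
```

The usual workflow is to write the hash line first (minutes, zero false-positive risk), then pick a marker string that is specific to the sample for the body rule so trivially repacked copies are still caught, and retire both once the vendor name lands in the official signature feed.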

Chris Carboni - HOD