Full Disclosure mailing list archives
Another Brazilian banking trojan variant, detected by some AV vendors, but not all
From: "Pedro Hugo" <phugo () highspeedweb net>
Date: Tue, 4 Oct 2005 20:10:23 +0100
Hi,

Here goes another banking trojan. Some AV vendors classify it as a variant.
It's packed with UPX 1.93, and it can be unpacked by using the official UPX 1.93.

Results from virustotal.com:

Antivirus       Version          Update       Result
AntiVir         6.32.0.6         10.04.2005   TR/Spy.Banker.add.67
Avast           4.6.695.0        09.30.2005   no virus found
AVG             718              10.04.2005   PSW.Banker.GRG
Avira           6.32.0.6         10.04.2005   TR/Spy.Banker.add.67
BitDefender     7.2              10.04.2005   Trojan.Banker.Delf.A0715A92
CAT-QuickHeal   8.00             10.04.2005   TrojanSpy.Banker.add
ClamAV          devel-20050917   10.04.2005   Trojan.Spy.Banker-97
DrWeb           4.32b            10.02.2005   Trojan.PWS.Banker.based
eTrust-Iris     7.1.194.0        10.04.2005   Win32/Bancos.Variant!PWS!Trojan
eTrust-Vet      11.9.1.0         10.04.2005   no virus found
Fortinet        2.48.0.0         10.04.2005   Spy/Banker
F-Prot          3.16c            10.04.2005   no virus found
Ikarus          0.2.59.0         10.04.2005   no virus found
Kaspersky       4.0.2.24         10.04.2005   Trojan-Spy.Win32.Banker.add
McAfee          4596             10.04.2005   PWS-Banker.gen.b
NOD32v2         1.1241           10.04.2005   a variant of Win32/Spy.Banker.VJ
Norman          5.70.10          10.04.2005   no virus found
Panda           8.02.00          10.04.2005   Trj/Banker.gen
Sophos          3.98.0           10.04.2005   no virus found
Symantec        8.0              10.04.2005   no virus found
TheHacker       5.8.2.117        10.03.2005   no virus found
VBA32           3.10.4           10.04.2005   MalwareScope.Trojan-Spy.Banker.52

TrendMicro OfficeScan doesn't detect it (since the pattern is the same for all products, we can assume TrendMicro doesn't detect it).

Attached is the original file, if you can't download it from the site.
Sorry for the noise, but I hope all or some AV vendors are listening and can benefit from this.

Best Regards,
Pedro Hugo

_____

From: cartoes () virtualcards com br [mailto:cartoes () virtualcards com br]
Subject: You have received a virtual card!

VIRTUALCARDS FOR YOU!!! <http://www.brandweer-brummen.nl/Upimages/cartao.exe>

How are you?!

You have just received a VIRTUALCARDS card, the liveliest cards on the Web, sent by someone who loves you very much. To view it, just click the link below and that's it!

Click here to view your card <http://www.brandweer-brummen.nl/Upimages/cartao.exe>

--------------------------------------------------------------------------------
<javascript:ol('http://www.virtualcards.com.br/');> A big hug from the VIRTUALCARDS Team.
--------------------------------------------------------------------------------

Information about this e-mail <http://www.brandweer-brummen.nl/Upimages/cartao.exe>
This e-mail was generated automatically. Do not reply. | Terms of Service and Privacy Policy <http://www.brandweer-brummen.nl/Upimages/cartao.exe> | Copyright © 2001 - 2005 VITALEWEB - BRASIL. All Rights Reserved

<file:///D|/Secrets%20Of%20Black%20Arts/Nova%20pasta/virtualcards_arquivos/dummy.htm>
Attachment: cartao.e__
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/