-
New Bagle version: Trojan-Proxy.Win32.Mitglieder.ee
A new wave of e-mails carrying trojans has started. The sender is "Vika", the text is "The archive has photos from a nudist beach. That's me and Lenka there.". So far it is detected as follows:
Antivirus Version Update Result
AntiVir 6.35.0.21 07.08.2006 HEUR/Trojan.Downloader
Authentium 4.93.8 07.07.2006 could be infected with an unknown virus
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.09.2006 Trojan.Proxy.Mitglieder.B
CAT-QuickHeal 8.00 07.07.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.07.2006 Trojan.Bagle.BH
DrWeb 4.33 07.07.2006 DLOADER.Trojan
eTrust-InoculateIT 23.72.63 07.08.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 no virus found
Ewido 3.5 07.08.2006 no virus found
Fortinet 2.77.0.0 07.09.2006 suspicious
F-Prot 3.16f 07.07.2006 could be infected with an unknown virus
F-Prot4 4.2.1.29 07.07.2006 Possibly a new unknown PE_Virus!Maximus
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.09.2006 Trojan-Proxy.Win32.Mitglieder.ee
McAfee 4802 07.07.2006 Proxy-Mitglieder
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1651 07.08.2006 a variant of Win32/TrojanProxy.Mitglieder
Norman 5.90.23 07.07.2006 W32/Malware
Panda 9.0.0.4 07.08.2006 Suspicious file
Sophos 4.07.0 07.08.2006 W32/Bagle-Gen
Symantec 8.0 07.09.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.08.2006 no virus found
VBA32 3.11.0 07.08.2006 suspected of Email-Worm.Bagle.1
VirusBuster 4.3.7:9 07.08.2006 no virus found
Aditional Information
File size: 8752 bytes
MD5: 1871312991b02e5ccab7e7fb793b0920
SHA1: f671893cf86db74281813aa46439dd470ff55be9
packers: FSG
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing FSG.
* File length: 8752 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\winhost.exe.
[ Changes to registry ]
* Creates key "HKCU\Software\Timeout".
* Sets value "uid"="238131497" in key "HKCU\Software\Timeout".
* Sets value "port"="" in key "HKCU\Software\Timeout".
* Sets value "pid"="" in key "HKCU\Software\Timeout".
* Creates value "winhost.exe"="C:\WINDOWS\SYSTEM32\winhost.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://thehiphops.com?p=0&dhgdhf=238131497
-
The next version. The sender is "Sveta", the subject is "So, how is it?", the message text is "In the photo Lenka was fooling around and took off her bra. My photos wouldn't send, the size was too large, so I've archived them now.шаыл", and the attached file is photo.exe
Antivirus Version Update Result
AntiVir 6.35.1.0 07.27.2006 HEUR/Trojan.Downloader
Authentium 4.93.8 07.28.2006 could be infected with an unknown virus
Avast 4.7.844.0 07.26.2006 no virus found
AVG 386 07.27.2006 no virus found
BitDefender 7.2 07.28.2006 Trojan.Proxy.Mitglieder.EG
CAT-QuickHeal 8.00 07.26.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.27.2006 Trojan.Bagle.BH
DrWeb 4.33 07.27.2006 DLOADER.Trojan
eTrust-InoculateIT 23.72.80 07.28.2006 no virus found
eTrust-Vet 12.6.2312 07.27.2006 no virus found
Ewido 4.0 07.27.2006 no virus found
Fortinet 2.77.0.0 07.27.2006 W32/Mitglieder.EG!tr
F-Prot 3.16f 07.27.2006 could be infected with an unknown virus
F-Prot4 4.2.1.29 07.27.2006 Possibly a new unknown PE_Virus!Maximus
Ikarus 0.2.65.0 07.27.2006 no virus found
Kaspersky 4.0.2.24 07.28.2006 Trojan-Proxy.Win32.Mitglieder.eg
McAfee 4816 07.27.2006 Proxy-Mitglieder
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1682 07.27.2006 a variant of Win32/TrojanProxy.Mitglieder
Norman 5.90.23 07.27.2006 W32/Malware
Panda 9.0.0.4 07.27.2006 Trj/Mitglieder.JV
Sophos 4.07.0 07.28.2006 W32/Bagle-Gen
Symantec 8.0 07.28.2006 no virus found
TheHacker 5.9.8.182 07.27.2006 no virus found
UNA 1.83 07.27.2006 no virus found
VBA32 3.11.0 07.27.2006 suspected of Email-Worm.Bagle.1
VirusBuster 4.3.7:9 07.27.2006 no virus found
Aditional Information
File size: 8736 bytes
MD5: fced72e72eabfb9fc904e89ad7f1ecd3
SHA1: 9ababeeca7cad70f940fd101f7a198b8e44fbdb6
packers: FSG
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing FSG.
* File length: 8736 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\winhost.exe.
[ Changes to registry ]
* Creates key "HKCU\Software\Timeout".
* Sets value "uid"="238131497" in key "HKCU\Software\Timeout".
* Sets value "port"="" in key "HKCU\Software\Timeout".
* Sets value "pid"="" in key "HKCU\Software\Timeout".
* Creates value "winhost.exe"="C:\WINDOWS\SYSTEM32\winhost.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "%"="" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://thehiphops.com?p=0&dhgdhf=238131497
-