Re: new WIN virus?

To: Atom 'Smasher' <atom@xxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: new WIN virus?
From: Gregor Lawatscheck <gpel@xxxxxxxx>
Date: Fri, 30 Jan 2004 04:04:33 +0100
In-reply-to: <Pine.BSF.4.58.0401290056100.39640@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: MPeX.net GmbH
References: <Pine.BSF.4.58.0401290056100.39640@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4

Atom 'Smasher' wrote:
[...]

the original spam, the page that it requests, and the suspicious "exe"
file:
        http://smasher.suspicious.org/tmp/live-virus.tgz

[...]

updatte.exe was tested on:
   yahoo-mail
   http://www.kaspersky.com/remoteviruschk.html
   http://www.dials.ru/english/www_av/
   http://www.rav.ro/scan/indexn.php
and they all reported that the file poses no threat. i suspect they're
wrong.

I've submitted this file to AVERT WebImmune ( https://www.webimmune.net) and they now detect it asa password phishing Trojan called "pws-polk". I've also sent a sample tonewvirus (at) kaspersky.com so they get a chance to update their signatures.


- Gregor

References:
- new WIN virus?
  - From: Atom 'Smasher'

Prev by Date: Re: RFC: virus handling
Next by Date: Re: MS to stop allowing passwords in URLs
Previous by thread: Re: new WIN virus?
Next by thread: Re: new WIN virus?
Index(es):
- Date
- Thread