Malekal's forum

[Malekal_morte]

Autre fausse e-card voir : trojan-downloader-win32-fraudload-t13123.html#p102215

Installe le rootkit TDSSServ : smart-antivirus-2009-t13940.html#p107005
(Pour se désinfecter : Supprimer TDSSServ/TDSServ rootkit)

Fichier e-card.exe reçu le 2008.09.08 20:12:38 (CET)
Situation actuelle: terminé
Résultat: 1/36 (2.78%)
Formaté Formaté
Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.6.0 2008.09.08 -
AntiVir 7.8.1.28 2008.09.08 -
Authentium 5.1.0.4 2008.09.08 -
Avast 4.8.1195.0 2008.09.08 -
AVG 8.0.0.161 2008.09.08 -
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.08 -
DrWeb 4.44.0.09170 2008.09.08 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6077 2008.09.08 -
Ewido 4.0 2008.09.08 -
F-Prot 4.4.4.56 2008.09.08 -
F-Secure 8.0.14332.0 2008.09.08 -
Fortinet 3.112.0.0 2008.09.08 -
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 Trojan-Downloader.Delf.OAQ
K7AntiVirus 7.10.446 2008.09.08 -
Kaspersky 7.0.0.125 2008.09.08 -
McAfee 5379 2008.09.08 -
Microsoft 1.3903 2008.09.08 -
NOD32v2 3426 2008.09.08 -
Norman 5.80.02 2008.09.08 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.08 -
Prevx1 V2 2008.09.08 -
Rising 20.61.02.00 2008.09.08 -
Sophos 4.33.0 2008.09.08 -
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.08 -
VBA32 3.12.8.5 2008.09.08 -
ViRobot 2008.9.8.1367 2008.09.08 -
VirusBuster 4.5.11.0 2008.09.08 -
Webwasher-Gateway 6.6.2 2008.09.08 -
Information additionnelle
File size: 249856 bytes
MD5...: 5db015fab89e1f0a1b27a5e6ec886ae5
SHA1..: 0eefff968f66455a21397b2759085acc165f04ee

[Malekal_morte]

Après Les faux mails "You've received a greeting eCard"...... une version FunnyPostcard

Objet : FunnyPostcard

You've received a e-card from our Free Electronic Card Service.
To view your customized greeting card, simply click on the following Internet location:

hxxp://www.priceform.com/e-card.exe

Regards Webmaster

[Malekal_morte]

ou comment recycler un mail avec une autre tromperie....
e-card en patch Microsoft ....

Dear Microsoft Customer,

You are receiving the message because you version of Microsoft Windows is affected by a dangerous security velnerability.

In order to prevent possible risk of system instability, Microsoft urges you to update at your earliest convenience.

We are providing a free update to all Microsoft users.

You can update your system for free by visiting the official website for this patch at hxxp://singil.org/e-card.exe

Thank you for your understanding in this matter.

Regards,
Art Maurer
Customer Service Rep.
Microsoft Corp.

Fichier e-card.exe.1 reçu le 2008.09.11 21:37:33 (CET)
Situation actuelle: terminé
Résultat: 5/36 (13.89%)
Formaté Formaté
Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - Win32/Bugnraw!generic
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan-Downloader.Delf.OAQ
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - TrojanDropper:Win32/Rooter.B
NOD32v2 - - a variant of Win32/TrojanDropper.Agent.NNK
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - Troj/Meredrop-A
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - -
Information additionnelle
MD5: d139022257005cd17c4341c231e74617
SHA1: 023683e73a3ec2ad573d9d7135ce0bd737c20d0b

[Malekal_morte]

la dernière ecard en plus de braviax et du rootkit TDSSServ installe aussi un autre rootkit de type Goldun (keylogger pour voler mot de passe et accès aux banques).

Parent process:
Path: C:\Documents and Settings\SuperCanard\Bureau\e-card.exe
PID: 1984
Child process:
Path: C:\Documents and Settings\SuperCanard\Local Settings\Temp\_jerken.exe
Command line:"C:\DOCUME~1\SUPERC~1\LOCALS~1\Temp\_jerken.exe"

Process:
Path: C:\WINDOWS\system32\services.exe
PID: 656
Information: Applications Services et Contrôleur (Microsoft Corporation)
Registry Group: Services
Object:
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\krnlcab

Process:
Path: C:\WINDOWS\system32\services.exe
PID: 656
Information: Applications Services et Contrôleur (Microsoft Corporation)
Registry Group: Services
Object:
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\krnlcab
Registry value: ImagePath
Type: REG_EXPAND_SZ
Value: system32\krnlcab.sys

Fichier _jerken.exe reçu le 2008.09.11 22:18:48 (CET)
Situation actuelle: terminé
Résultat: 5/36 (13.89%)
Formaté Formaté
Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.12.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 -
Authentium 5.1.0.4 2008.09.11 -
Avast 4.8.1195.0 2008.09.11 -
AVG 8.0.0.161 2008.09.11 -
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.11 -
eSafe 7.0.17.0 2008.09.11 Suspicious File
eTrust-Vet 31.6.6084 2008.09.11 -
Ewido 4.0 2008.09.11 -
F-Prot 4.4.4.56 2008.09.11 -
F-Secure 8.0.14332.0 2008.09.11 Suspicious:W32/Malware!Gemini
Fortinet 3.113.0.0 2008.09.11 -
GData 19 2008.09.11 -
Ikarus T3.1.1.34.0 2008.09.11 -
K7AntiVirus 7.10.452 2008.09.11 -
Kaspersky 7.0.0.125 2008.09.11 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.11 -
NOD32v2 3435 2008.09.11 -
Norman 5.80.02 2008.09.11 -
Panda 9.0.0.4 2008.09.11 -
PCTools 4.4.2.0 2008.09.11 -
Prevx1 V2 2008.09.11 -
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.11 Troj/Meredrop-A
Sunbelt 3.1.1628.1 2008.09.11 -
Symantec 10 2008.09.11 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 PAK_Generic.001
VBA32 3.12.8.5 2008.09.10 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.11 -
Webwasher-Gateway 6.6.2 2008.09.11 -
Information additionnelle
File size: 34931 bytes
MD5...: 6ba40e29db8fb6f9145fde7a45708875
SHA1..: dc71418b90df1e62fdea6e014e88013fb46c7884

Fichier cabpck.dll reçu le 2008.09.11 21:53:21 (CET)
Situation actuelle: terminé
Résultat: 5/36 (13.89%)
Formaté Formaté
Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.12.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 -
Authentium 5.1.0.4 2008.09.11 -
Avast 4.8.1195.0 2008.09.11 -
AVG 8.0.0.161 2008.09.11 -
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.11 -
eSafe 7.0.17.0 2008.09.11 Suspicious File
eTrust-Vet 31.6.6083 2008.09.10 -
Ewido 4.0 2008.09.11 -
F-Prot 4.4.4.56 2008.09.11 -
F-Secure 8.0.14332.0 2008.09.11 -
Fortinet 3.113.0.0 2008.09.11 -
GData 19 2008.09.11 -
Ikarus T3.1.1.34.0 2008.09.11 -
K7AntiVirus 7.10.452 2008.09.11 -
Kaspersky 7.0.0.125 2008.09.11 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.11 -
NOD32v2 3435 2008.09.11 -
Norman 5.80.02 2008.09.11 -
Panda 9.0.0.4 2008.09.11 -
PCTools 4.4.2.0 2008.09.11 -
Prevx1 V2 2008.09.11 Suspicious
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.11 Mal/TinyDL-T
Sunbelt 3.1.1628.1 2008.09.11 -
Symantec 10 2008.09.11 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 PAK_Generic.001
VBA32 3.12.8.5 2008.09.10 suspected of Trojan-Spy.Banker.49 (paranoid heuristics)
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.11 -
Webwasher-Gateway 6.6.2 2008.09.11 -
Information additionnelle
File size: 23159 bytes
MD5...: 965704f893eb9f9d398542b9ec96e9fd
SHA1..: 954a5fa00bf5185164d2698ad776a539c641e2b8

Fichier driver.sys reçu le 2008.09.11 22:27:58 (CET)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 9/36 (25%)

Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.12.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 TR/Rootkit.Gen
Authentium 5.1.0.4 2008.09.11 W32/Goldun.gen3
Avast 4.8.1195.0 2008.09.11 -
AVG 8.0.0.161 2008.09.11 -
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.11 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6084 2008.09.11 Win32/ProcHide!generic
Ewido 4.0 2008.09.11 -
F-Prot 4.4.4.56 2008.09.11 W32/Goldun.gen3
F-Secure 8.0.14332.0 2008.09.11 Suspicious:W32/Malware!Gemini
Fortinet 3.113.0.0 2008.09.11 -
GData 19 2008.09.11 -
Ikarus T3.1.1.34.0 2008.09.11 Backdoor.Win32.Agent.fpj
K7AntiVirus 7.10.452 2008.09.11 -
Kaspersky 7.0.0.125 2008.09.11 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.11 Backdoor:Win32/Haxdoor
NOD32v2 3435 2008.09.11 -
Norman 5.80.02 2008.09.11 -
Panda 9.0.0.4 2008.09.11 -
PCTools 4.4.2.0 2008.09.11 -
Prevx1 V2 2008.09.11 -
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.11 -
Sunbelt 3.1.1628.1 2008.09.11 -
Symantec 10 2008.09.11 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 -
VBA32 3.12.8.5 2008.09.10 suspected of Rootkit.Agent.10
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.11 -
Webwasher-Gateway 6.6.2 2008.09.11 Trojan.Rootkit.Gen
Information additionnelle
File size: 8672 bytes
MD5...: c4d437dc90ee2f0393600521e10a66c3
SHA1..: 78637554aa224f8b233de107857a7ab4d5ad97a8

[Malekal_morte]

Nouvelle campagne haxdoor :

Sujet du mail : You have received an eCard

Message :

Good day.

You have received an eCard

To pick up your eCard, open attached file

We hope you enjoy you eCard.

Thank You!

Process:
Path: C:\Documents and Settings\Malekal_morte\Desktop\card.exe
PID: 1232
Registry Group: Winlogon
Object:
Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod


Process:
Path: C:\Documents and Settings\Malekal_morte\Desktop\card.exe
PID: 1232
Registry Group: Winlogon
Object:
Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
Registry value: DllName
Type: REG_EXPAND_SZ
Value: gzipmod.dll


Parent process:
Path: C:\Documents and Settings\Malekal_morte\Desktop\card.exe
PID: 1232
Child process:
Path: C:\WINDOWS\system32\rundll32.exe
Information: Run a DLL as an App (Microsoft Corporation)
Command line:C:\WINDOWS\system32\rundll32.exe gzipmod.dll,gzipmod C:\Documents and Settings\Malekal_morte\Desktop\card.exe

et le driver :

Process:
Path: C:\WINDOWS\system32\services.exe
PID: 720
Information: Services and Controller app (Microsoft Corporation)
Driver:
Path: C:\WINDOWS\system32\vbagz.sys

Fichier card.zip reçu le 2008.10.30 14:04:52 (CET)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 10/36 (27.78%)

Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.10.30.1 2008.10.30 -
AntiVir 7.9.0.10 2008.10.30 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.10.30 -
Avast 4.8.1248.0 2008.10.29 -
AVG 8.0.0.161 2008.10.30 -
BitDefender 7.2 2008.10.30 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.30 -
DrWeb 4.44.0.09170 2008.10.30 -
eSafe 7.0.17.0 2008.10.29 Suspicious File
eTrust-Vet 31.6.6180 2008.10.29 -
Ewido 4.0 2008.10.30 -
F-Prot 4.4.4.56 2008.10.29 -
F-Secure 8.0.14332.0 2008.10.30 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.30 -
Ikarus T3.1.1.44.0 2008.10.30 Backdoor.Win32.Haxdoor
K7AntiVirus 7.10.512 2008.10.30 -
Kaspersky 7.0.0.125 2008.10.30 -
McAfee 5418 2008.10.30 New Malware.j
Microsoft 1.4005 2008.10.30 -
NOD32 3570 2008.10.30 -
Norman 5.80.02 2008.10.29 -
Panda 9.0.0.4 2008.10.29 Suspicious file
PCTools 4.4.2.0 2008.10.30 -
Prevx1 V2 2008.10.30 -
Rising 21.01.32.00 2008.10.30 -
SecureWeb-Gateway 6.7.6 2008.10.30 Trojan.Crypt.XPACK.Gen
Sophos 4.35.0 2008.10.30 Troj/Agent-ICH
Sunbelt 3.1.1764.1 2008.10.29 Trojan-Spy.Win32.Goldun.ayt
Symantec 10 2008.10.30 -
TheHacker 6.3.1.1.134 2008.10.30 -
TrendMicro 8.700.0.1004 2008.10.30 PAK_Generic.001
VBA32 3.12.8.9 2008.10.30 suspected of Trojan-Spy.Banker.49 (paranoid heuristics)
ViRobot 2008.10.30.1445 2008.10.30 -
VirusBuster 4.5.11.0 2008.10.29 -
Information additionnelle
File size: 33198 bytes
MD5...: f92d6a6c688954bdefbbb4f2dda1c013
SHA1..: 91db2ce4e8a08d3ebeb1f6e9c6d4ea4032f90073

[Malekal_morte]

Code: Tout sélectionner

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

http://allrussianstrip.com/ecard.exe

Your card will be aviailable for pick-up beginning for the next 30
days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

~~

Code: Tout sélectionner

1245083796.383   3492 192.168.1.120 TCP_MISS/200 88396 GET http://allrussianstrip.com/ecard.exe - DIRECT/94.103.89.126 application/x-msdownload

Fichier ecard.exe reçu le 2009.06.15 16:32:42 (UTC)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 4/41 (9.76%)

Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.18 2009.06.15 -
AhnLab-V3 5.0.0.2 2009.06.15 -
AntiVir 7.9.0.187 2009.06.15 -
Antiy-AVL 2.0.3.1 2009.06.15 -
Authentium 5.1.2.4 2009.06.15 W32/Trojan3.AYE
Avast 4.8.1335.0 2009.06.15 -
AVG 8.5.0.339 2009.06.15 -
BitDefender 7.2 2009.06.15 -
CAT-QuickHeal 10.00 2009.06.15 -
ClamAV 0.94.1 2009.06.15 -
Comodo 1336 2009.06.15 -
DrWeb 5.0.0.12182 2009.06.15 -
eSafe 7.0.17.0 2009.06.15 Suspicious File
eTrust-Vet 31.6.6556 2009.06.12 -
F-Prot 4.4.4.56 2009.06.14 -
F-Secure 8.0.14470.0 2009.06.15 -
Fortinet 3.117.0.0 2009.06.15 -
GData 19 2009.06.15 -
Ikarus T3.1.1.59.0 2009.06.15 -
Jiangmin 11.0.706 2009.06.15 -
K7AntiVirus 7.10.762 2009.06.12 -
Kaspersky 7.0.0.125 2009.06.15 -
McAfee 5646 2009.06.14 -
McAfee+Artemis 5646 2009.06.14 -
McAfee-GW-Edition 6.7.6 2009.06.15 Win32.LooksLike.Sality
Microsoft 1.4701 2009.06.15 -
NOD32 4156 2009.06.15 Win32/Spy.Zbot.JF
Norman 6.01.09 2009.06.15 -
nProtect 2009.1.8.0 2009.06.15 -
Panda 10.0.0.14 2009.06.14 -
PCTools 4.4.2.0 2009.06.12 -
Prevx 3.0 2009.06.15 -
Rising 21.34.04.00 2009.06.15 -
Sophos 4.42.0 2009.06.15 -
Sunbelt 3.2.1858.2 2009.06.14 -
Symantec 1.4.4.12 2009.06.15 -
TheHacker 6.3.4.3.345 2009.06.15 -
TrendMicro 8.950.0.1092 2009.06.15 -
VBA32 3.12.10.7 2009.06.14 -
ViRobot 2009.6.15.1787 2009.06.15 -
VirusBuster 4.6.5.0 2009.06.15 -
Information additionnelle
File size: 88064 bytes
MD5...: 7d1fad2886e40c14133f3b5f45a57e4f
SHA1..: dce99a846f9037413988c13d1ce3fe47522aa63f

[Malekal_morte]

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxtp://mercadoabc.com.br/ecard.exe

Your card will be aviailable for pick-up beginning for the next 30
days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

Même que là : worldpay-card-transaction-confirmation-invoice-7788-exe-t19730.html#p159035

Fichier ecard.exe reçu le 2009.06.18 14:24:45 (UTC)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 5/41 (12.2%)

Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.18 2009.06.18 -
AhnLab-V3 5.0.0.2 2009.06.18 -
AntiVir 7.9.0.191 2009.06.18 -
Antiy-AVL 2.0.3.1 2009.06.18 -
Authentium 5.1.2.4 2009.06.18 -
Avast 4.8.1335.0 2009.06.17 -
AVG 8.5.0.339 2009.06.18 -
BitDefender 7.2 2009.06.18 -
CAT-QuickHeal 10.00 2009.06.18 -
ClamAV 0.94.1 2009.06.18 -
Comodo 1363 2009.06.18 -
DrWeb 5.0.0.12182 2009.06.18 -
eSafe 7.0.17.0 2009.06.18 Suspicious File
eTrust-Vet 31.6.6567 2009.06.18 -
F-Prot 4.4.4.56 2009.06.17 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.18 -
GData 19 2009.06.18 -
Ikarus T3.1.1.59.0 2009.06.18 -
Jiangmin 11.0.706 2009.06.18 -
K7AntiVirus 7.10.766 2009.06.17 -
Kaspersky 7.0.0.125 2009.06.18 -
McAfee 5649 2009.06.17 -
McAfee+Artemis 5649 2009.06.17 Artemis!E6A65EFD7F58
McAfee-GW-Edition 6.7.6 2009.06.18 Win32.LooksLike.Sality
Microsoft 1.4701 2009.06.18 PWS:Win32/Zbot.PO
NOD32 4167 2009.06.18 -
Norman 6.01.09 2009.06.18 -
nProtect 2009.1.8.0 2009.06.18 -
Panda 10.0.0.14 2009.06.18 Suspicious file
PCTools 4.4.2.0 2009.06.17 -
Prevx 3.0 2009.06.18 -
Rising 21.34.34.00 2009.06.18 -
Sophos 4.42.0 2009.06.18 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.18 -
TheHacker 6.3.4.3.348 2009.06.17 -
TrendMicro 8.950.0.1094 2009.06.18 -
VBA32 3.12.10.7 2009.06.18 -
ViRobot 2009.6.18.1794 2009.06.18 -
VirusBuster 4.6.5.0 2009.06.18 -
Information additionnelle
File size: 88576 bytes
MD5...: e6a65efd7f588e5321af04b39e6e7ec7
SHA1..: ff023ec03e2c5c984ee77c8f97b6a04a58b6ccb8

[Malekal_morte]

La campagne de mails avec des liens infectieux ecard continuent :

Sujet : Your friend has made you an greeding e-card at 123greetings.com

Dear xxxx,

Your friend has made you an greeding e-card

Your e-card will be available with us for the next 30 days. If you wish to keep
the e-card longer, you may save it on your computer or take a print.

To view a copy of the e-card you have sent click on the following Internet address or
copy & paste it into your browser's address box.

hxxp://istitutomicoterapico.it/ecard.exe

Best wishes,

Postmaster,

Une version aussi une image avec coeur qui rappelle les campagnes du ver Storm de la Saint Valentin



A la clef du Zeus/Zbot :

Fichier ecard.exe reçu le 2009.06.26 07:44:45 (UTC)
Situation actuelle: terminé
Résultat: 15/41 (36.59%)
Formaté Formaté
Impression des résultats Impression des résultats
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.18 2009.06.26 Trojan-Spy.Win32.Zbot!IK
AhnLab-V3 5.0.0.2 2009.06.25 -
AntiVir 7.9.0.196 2009.06.25 -
Antiy-AVL 2.0.3.1 2009.06.26 -
Authentium 5.1.2.4 2009.06.25 -
Avast 4.8.1335.0 2009.06.25 -
AVG 8.5.0.339 2009.06.25 Win32/Cryptor
BitDefender 7.2 2009.06.26 -
CAT-QuickHeal 10.00 2009.06.26 -
ClamAV 0.94.1 2009.06.26 -
Comodo 1427 2009.06.26 -
DrWeb 5.0.0.12182 2009.06.26 Trojan.PWS.Panda.122
eSafe 7.0.17.0 2009.06.25 -
eTrust-Vet 31.6.6580 2009.06.26 -
F-Prot 4.4.4.56 2009.06.25 -
F-Secure 8.0.14470.0 2009.06.25 Trojan:W32/Zbot.OUW
Fortinet 3.117.0.0 2009.06.26 -
GData 19 2009.06.26 -
Ikarus T3.1.1.59.0 2009.06.26 Trojan-Spy.Win32.Zbot
Jiangmin 11.0.706 2009.06.26 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.26 Trojan-Spy.Win32.Zbot.xgh
McAfee 5657 2009.06.25 -
McAfee+Artemis 5657 2009.06.25 Artemis!984EC3946B72
McAfee-GW-Edition 6.7.6 2009.06.25 Win32.Vulnerable.gen!High (suspicious)
Microsoft 1.4803 2009.06.26 PWS:Win32/Zbot.gen!R
NOD32 4190 2009.06.26 a variant of Win32/Spy.Zbot.SK
Norman 6.01.09 2009.06.25 -
nProtect 2009.1.8.0 2009.06.26 -
Panda 10.0.0.16 2009.06.26 Suspicious file
PCTools 4.4.2.0 2009.06.25 -
Prevx 3.0 2009.06.26 Medium Risk Malware
Rising 21.35.40.00 2009.06.26 -
Sophos 4.43.0 2009.06.26 Mal/Zbot-O
Sunbelt 3.2.1858.2 2009.06.25 Trojan-Spy.Win32.Zbot.gen
Symantec 1.4.4.12 2009.06.26 Infostealer.Banker.C
TheHacker 6.3.4.3.354 2009.06.25 -
TrendMicro 8.950.0.1094 2009.06.26 -
VBA32 3.12.10.7 2009.06.26 -
ViRobot 2009.6.25.1804 2009.06.25 -
VirusBuster 4.6.5.0 2009.06.25 -
Information additionnelle
File size: 82944 bytes
MD5 : 984ec3946b7244c8fff631e202fc2f8a
SHA1 : dad61ca9655d9b4a8c61dd5a30350749033b3124

[Malekal_morte]

Depuis quelques jours, la campagne Zeus/Zbot semble terminé, les emails de fausses ecard conduisent maintenant à des sites WEB de ventes de viagra.

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://happyaglow.com

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

ou avec des images...

Sujet: You have a new message!