Photo_13308.zip/Backdoor.Win32.SdBot.esy

Information on scams and viruses on MSN.
Malekal_morte
Posts: 113147
Joined: 10 Sept. 2005 13:57

Photo_13308.zip/Backdoor.Win32.SdBot.esy

by Malekal_morte »

Spreads via the file Photo_13308.zip (located in %windir%), which contains the file Photo_13308.jpg-www.hotmail.com

Propagation message:
looooook :p
loooooooooooool :D
omg check this out man this is funny
lol you got to see this

The infection adds the following line in HijackThis:
O4 - HKLM\..\Run: [secdrive.exe] C:\WINDOWS\pchealth\helpctr\binaries\secdrive.exe
Complete scanning result of "Photo_13308.jpg-www.hotmail.com", processed in VirusTotal at 06/30/2008 14:43:15 (CET).

[ file data ]
* name..: Photo_13308.jpg-www.hotmail.com
* size..: 139522
* md5...: edd92d9e9200e7d6c0215a705e45e294
* sha1..: f2cd9ab9e6f4ceb1883c06eb8499afc0cd432f6b
* peid..: EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE

[ scan result ]
AhnLab-V3 2008.6.27.1/20080630 found nothing
AntiVir 7.8.0.59/20080630 found [Worm/SdBot.139522]
Authentium 5.1.0.4/20080629 found nothing
Avast 4.8.1195.0/20080628 found [Win32:IRCBot-AND]
AVG 7.5.0.516/20080630 found nothing
BitDefender 7.2/20080630 found nothing
CAT-QuickHeal 9.50/20080628 found nothing
ClamAV 0.93.1/20080630 found nothing
DrWeb 4.44.0.09170/20080630 found nothing
eSafe 7.0.17.0/20080629 found [Suspicious File]
eTrust-Vet 31.6.5914/20080630 found nothing
Ewido 4.0/20080627 found nothing
F-Prot 4.4.4.56/20080629 found nothing
F-Secure 7.60.13501.0/20080626 found nothing
Fortinet 3.14.0.0/20080630 found nothing
GData 2.0.7306.1023/20080630 found [Backdoor.Win32.SdBot.esy]
Ikarus T3.1.1.26.0/20080630 found [Virus.Win32.IRCBot.AND]
Kaspersky 7.0.0.125/20080630 found [Backdoor.Win32.SdBot.esy]
McAfee 5327/20080627 found nothing
Microsoft 1.3704/20080630 found [Worm:Win32/Neeris.O]
NOD32v2 3226/20080630 found [IRC/SdBot]
Norman 5.80.02/20080627 found nothing
Panda 9.0.0.4/20080629 found nothing
Prevx1 V2/20080630 found nothing
Rising 20.51.02.00/20080630 found nothing
Sophos 4.30.0/20080630 found [Mal/Packer]
Sunbelt 3.0.1176.1/20080626 found nothing
Symantec 10/20080630 found [W32.Spybot.Worm]
TheHacker 6.2.96.364/20080628 found nothing
TrendMicro 8.700.0.1004/20080630 found nothing
VBA32 3.12.6.8/20080630 found [Backdoor.Win32.SdBot.esy]
VirusBuster 4.5.11.0/20080630 found nothing
Webwasher-Gateway 6.6.2/20080630 found [Worm.SdBot.139522]

[ notes ]
packers (Avast): RLPack
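As an added triage example (not code from the original post or from malekal.com), the following Python helper does two things a responder would do with the report above: flag the lure filename, which looks like a photo but ends in .com, an executable extension that Windows honours over the "jpg" in the middle, and parse the plain-text "[ scan result ]" block to count how many engines fired. The sample input is constructed from lines of the report above.

```python
import re

# Windows executes a file by its final extension, so a name such as
# "Photo_13308.jpg-www.hotmail.com" is a .com executable dressed up as a photo.
EXEC_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
IMAGE_TOKENS = ("jpg", "jpeg", "gif", "png", "bmp")


def is_disguised_executable(name: str) -> bool:
    """True when a filename contains an image-like token but ends in an executable extension."""
    lowered = name.lower()
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    looks_like_image = any(f".{tok}" in lowered for tok in IMAGE_TOKENS)
    return ext in EXEC_EXTS and looks_like_image


# One engine line of the old VirusTotal text format: "<engine> <version>/<YYYYMMDD> found nothing|[name]"
SCAN_LINE = re.compile(r"^(\S+) (\S+)/(\d{8}) found (?:nothing|\[(.+)\])$")


def parse_vt_report(text: str):
    """Parse the '[ scan result ]' lines of a plain-text VirusTotal report.

    Returns (detections, engines_scanned, {engine: detection_name}).
    Lines that are not engine results (file data, headers, notes) are skipped."""
    hits, total = {}, 0
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue
        total += 1
        engine, _version, _date, name = m.groups()
        if name:
            hits[engine] = name
    return len(hits), total, hits


# Constructed sample, taken from lines of the report above.
SAMPLE = """[ scan result ]
AhnLab-V3 2008.6.27.1/20080630 found nothing
AntiVir 7.8.0.59/20080630 found [Worm/SdBot.139522]
Kaspersky 7.0.0.125/20080630 found [Backdoor.Win32.SdBot.esy]
Microsoft 1.3704/20080630 found [Worm:Win32/Neeris.O]
McAfee 5327/20080627 found nothing
"""

if __name__ == "__main__":
    print(is_disguised_executable("Photo_13308.jpg-www.hotmail.com"))  # True
    print(parse_vt_report(SAMPLE)[:2])  # (3, 5)
```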
First basic security rule: think first, then click, not the other way round. Files/programs are like sweets: when they come from a stranger, you don't accept them!
How to protect your PC from viruses
Windows 11: compatibility, minimum system requirements, download the ISO and install Windows 11

How to ask for help on the forum
Share malekal.com: feel free to share the articles you like on the site's Facebook page.
Malekal_morte

Re: Photo_13308.zip/Backdoor.Win32.SdBot.esy

by Malekal_morte »

Added as BDS/Xili.42496 and Worm/Autorun.ehf by Antivir.
Filename Result
euSp2.exe MALWARE

The file 'euSp2.exe' has been determined to be 'MALWARE'. Our analysts named the threat BDS/Xili.42496. The term "BDS/" denotes a Backdoor-Server program. Backdoor-Server programs are used to spy out, modify or delete data. Detection is added to our virus definition file (VDF) starting with version 7.00.05.26.

Filename Result
eSp1.exe MALWARE

The file 'eSp1.exe' has been determined to be 'MALWARE'. Our analysts named the threat Worm/Autorun.ehf. The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.). Detection is added to our virus definition file (VDF) starting with version 7.00.05.26.


Scan of the files the next day:
Complete scanning result of "eSp1.exe", processed in VirusTotal at 07/01/2008 10:00:28 (CET).

[ file data ]
* name: eSp1.exe
* size: 42496
* md5.: a68edba3068eaccd5259662358d1b45e
* sha1: faf1a7bec504d99d4acd6a6eb6357a131c86e753
* peid..: BobSoft Mini Delphi -> BoB / BobSoft

[ scan result ]
AhnLab-V3 2008.7.1.0/20080701 found nothing
AntiVir 7.8.0.59/20080701 found [Worm/Autorun.ehf]
Authentium 5.1.0.4/20080701 found nothing
Avast 4.8.1195.0/20080630 found nothing
AVG 7.5.0.516/20080630 found [Worm/Generic.IJY]
BitDefender 7.2/20080701 found [Trojan.Agent.AIZX]
CAT-QuickHeal 9.50/20080630 found nothing
ClamAV 0.93.1/20080701 found nothing
DrWeb 4.44.0.09170/20080701 found [Trojan.Inject.3581]
eSafe 7.0.17.0/20080629 found nothing
eTrust-Vet 31.6.5916/20080701 found nothing
Ewido 4.0/20080627 found nothing
F-Prot 4.4.4.56/20080701 found nothing
F-Secure 7.60.13501.0/20080626 found nothing
Fortinet 3.14.0.0/20080701 found [PossibleThreat]
GData 2.0.7306.1023/20080701 found [Worm.Win32.AutoRun.ehf]
Ikarus T3.1.1.26/20080701 found [Worm.Win32.AutoRun.ehf]
Kaspersky 7.0.0.125/20080701 found [Worm.Win32.AutoRun.ehf]
McAfee 5328/20080630 found nothing
Microsoft 1.3704/20080701 found [VirTool:Win32/Injector.gen!D]
NOD32v2 3230/20080701 found [Win32/AutoRun.RB]
Norman 5.80.02/20080630 found nothing
Panda 9.0.0.4/20080701 found nothing
Prevx1 V2/20080701 found nothing
Rising 20.51.11.00/20080701 found nothing
Sophos 4.30.0/20080701 found nothing
Sunbelt 3.1.1509.1/20080701 found nothing
Symantec 10/20080701 found nothing
TheHacker 6.2.96.365/20080701 found nothing
TrendMicro 8.700.0.1004/20080701 found nothing
VBA32 3.12.6.8/20080630 found nothing
VirusBuster 4.5.11.0/20080630 found nothing
Webwasher-Gateway 6.6.2/20080701 found [Worm.Autorun.ehf]

Complete scanning result of "euSp2.exe", processed in VirusTotal at 07/01/2008 10:00:28 (CET).

[ file data ]
* name: euSp2.exe
* size: 42496
* md5.: 5f9103e4685d74e51bf22d7acd705445
* sha1: f194d2ef3dc750def679e13950f19569e300304c
* peid..: BobSoft Mini Delphi -> BoB / BobSoft

[ scan result ]
AhnLab-V3 2008.7.1.0/20080701 found nothing
AntiVir 7.8.0.59/20080701 found [BDS/Xili.42496]
Authentium 5.1.0.4/20080701 found nothing
Avast 4.8.1195.0/20080630 found nothing
AVG 7.5.0.516/20080630 found [Worm/Generic.IJY]
BitDefender 7.2/20080701 found [Trojan.Agent.AIZX]
CAT-QuickHeal 9.50/20080630 found nothing
ClamAV 0.93.1/20080701 found nothing
DrWeb 4.44.0.09170/20080701 found [Trojan.Inject.3581]
eSafe 7.0.17.0/20080629 found nothing
eTrust-Vet 31.6.5916/20080701 found nothing
Ewido 4.0/20080627 found nothing
F-Prot 4.4.4.56/20080701 found nothing
F-Secure 7.60.13501.0/20080626 found nothing
Fortinet 3.14.0.0/20080701 found [PossibleThreat]
GData 2.0.7306.1023/20080701 found [Worm.Win32.AutoRun.ehf]
Ikarus T3.1.1.26/20080701 found [Trojan.Agent.AIZX]
Kaspersky 7.0.0.125/20080701 found [Worm.Win32.AutoRun.ehf]
McAfee 5328/20080630 found nothing
Microsoft 1.3704/20080701 found [VirTool:Win32/Injector.gen!D]
NOD32v2 3230/20080701 found [Win32/AutoRun.RB]
Norman 5.80.02/20080630 found nothing
Panda 9.0.0.4/20080701 found nothing
Prevx1 V2/20080701 found [Worm]
Rising 20.51.11.00/20080701 found nothing
Sophos 4.30.0/20080701 found nothing
Sunbelt 3.1.1509.1/20080701 found nothing
Symantec 10/20080701 found [Trojan.Vundo]
TheHacker 6.2.96.365/20080701 found nothing
TrendMicro 8.700.0.1004/20080701 found nothing
VBA32 3.12.6.8/20080630 found nothing
VirusBuster 4.5.11.0/20080630 found nothing
Webwasher-Gateway 6.6.2/20080701 found [Trojan.Backdoor.Xili.42496]
Malekal_morte

Re: Photo_13308.zip/Backdoor.Win32.SdBot.esy

by Malekal_morte »

Added by Antivir yesterday.
Please find a detailed report concerning each individual sample below:

Filename Result
eSp2.exe MALWARE

The file 'eSp2.exe' has been determined to be 'MALWARE'. Our analysts discovered that the file is a Trojan. In general this kind of program contains harmful functionality called a payload. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result
euSp3.exe MALWARE

The file 'euSp3.exe' has been determined to be 'MALWARE'. Our analysts discovered that the file is a Trojan. In general this kind of program contains harmful functionality called a payload. Detection will be added to our virus definition file (VDF) with one of the next updates.