
Malware

Win32.Bagle.U@mm

Bagle.U, a Bagle variant.

MD5: bbe239359da199a09abff39452c1f3e0
SHA1: 964b9d83a435d6f258f7dda7e0f56f7bef1b60df

AntiVir Found Worm/Bagle.U.2
ArcaVir Found Worm.Beagle.U
Avast Found Win32:Beagle-U
AVG Antivirus Found I-Worm/Bagle.U
BitDefender Found Win32.Bagle.U@mm
ClamAV Found Worm.Bagle.U
Dr.Web Found Win32.HLLM.Beagle.based
F-Prot Antivirus Found W32/Bagle.U@mm
Fortinet Found W32/Bagle.U-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.s
NOD32 Found Win32/Bagle.U
Norman Virus Control Found Bagle.U@mm
UNA Found I-Worm.Bagle.s
VBA32 Found Win32.Worm.Bagle.s

W32/Netsky.B@mm

Another virus in recent email, apparently still in circulation.

MD5 (of zip per email): c6afed3d21cc77e55d59b0bbaf483a7c
SHA1: 35068c9691157887f0746c4fc977bc99f982f79d

Finally something everyone agrees on:

AntiVir Found Worm/NetSky.#1
ArcaVir Found Worm.Netsky.B
Avast Found Win32:Netsky-B
AVG Antivirus Found I-Worm/Netsky.B
BitDefender Found Win32.Netsky.B@mm
ClamAV Found Worm.SomeFool.Gen-2
Dr.Web Found Win32.HLLM.Netsky.based
F-Prot Antivirus Found W32/Netsky.B@mm
Fortinet Found W32/Netsky.B-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.NetSky.b
NOD32 Found Win32/Netsky.B

HTML.Phishing.Bank-1

Found this attached to an email; ClamAV caught it, none of the others did.

MD5: b542a99d11181bc71f40628a72c4c80d
SHA1: f823712163961bfb59d894089fc466648fdae962

Zip contains the GIF file attached to the email, along with the original email with hostnames removed.

IMG-7.pif AIM Malware


Notes in the Report.rtf

Password for attachment zip == infected

img7.pif
MD5SUM: 8cb6b40527571f3156e8147eaf3d137b
SHA1SUM: edd0a1b715954871d67f7f9d5db09d2a4913113a
SHA256SUM: 50b8b770e4b561221245c119d05e6369601aed158086f58bff811cf2961220c7

PACKER: PECompact 2.x
REF:
DATE FOUND: 01/28/2006
VECTOR: AOL Instant Messenger
THREAT: SdBot
CME #:

REcon Malicious Code Analysis Video / Slides

Video and slides are up for the Malicious Code Analysis presentation that Ryan Russell and Nicolas Brulez gave at REcon '05:

http://2005.recon.cx/recon2005/papers/Ryan_Russel-Nicolas_Brulez/

Check it out-
Tebodell

Nyxem.E

NOTE: Thanks jupe, I really appreciate the contribution. I am attaching some more related files and some new stuff. V.

Nyxem.E is a mass mailing worm that also tries to spread using remote shares. Rename this sample to Attachment.bhx, then uncompress using a utility like Winzip.

Unknown Executable


This executable was found by one of our constituents. I am not sure what it does. It is not detected by anti-virus (except Panda, maybe). It has curious icons in it, and appears to be written with Delphi. Googling for some randomly chosen binary strings inside the icon revealed several compromised PHP and CVS sites serving up executables with this image.

Besides this, the machine was a run-of-the-mill IRC bot.

backdoor.ircbot


Update: Thanks to NED we have some more potential variants of this one. The password is "infected" and they could use some more analysis. If I get time I'll try to break the packing on them (Morphine, etc.).

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 34b72db0fea7ad88546b76596a6fc7f0
SHA1SUM: d7c11f5cb9ddb024c880c6d8c2e7868d8bdedaa5
SHA256SUM: 6e05e6ee8cf2ce407f40e8700ac929ce1d4999317de454d918419105d30e9a9c
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] SVKP - Slovak Protector encrypted !
#################################

Backdoor.Botnachala


start.exe backdoor.botnachala

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 2eb58d7431b558c29ec2c18f6d8b495b
SHA1SUM: 4e74377003143ea90953c5b069563aa7ca7c7188
SHA256SUM: 93a050723fa3a3b4fff0cd419de2140d0db7702610273538eea71571aab9201d
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] UPX [unknown / modified] !
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
#################################

Worm.Sircam


#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 85faf716b82e92aea53e5e04e632b30a
SHA1SUM: 933a7354f9c156bd1a81ef40375b5feba58b07e0
SHA256SUM: 1a3fa638879d1a5dd7e931dea8ef064c567e0eb91728090d517dcfc22b735c91
A/V SCAN: Worm.Sircam
#################################
