[Dshield] Virus on www.messengertools.[removethis].org

dshield.org@keithbergen.com dshield.org at keithbergen.com
Sat Oct 22 20:35:18 GMT 2005


All,

FYI. I have downloaded it and can send it as an encrypted zip to anybody
that would like to look at it.

Keith.

-----Original Message-----
From: irc-security-bounces at lists.irc-unity.org
[mailto:irc-security-bounces at lists.irc-unity.org] On Behalf Of
irc-security at keithbergen.com
Sent: Saturday, October 22, 2005 2:41 PM
To: a2d5f7c41c154a5dbbe0387a444468f7.protect at whoisguard.com;
abuse at serverkompetenz.de
Cc: 'IRC Security Discussion List'
Subject: [irc-security] Virus on www.messengertools.[removethis].org


The web site www.messengertools.[removethis].org is propagating a virus.
Please take appropriate action to take the site down.

CC: IRC Security Discussion List.


Results of a file scan
This is a report processed by VirusTotal on 10/22/2005 at 20:30:59 (CET)
after scanning the file "file_67353.exe" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        10.22.2005  no virus found
Avast          4.6.695.0       10.21.2005  no virus found
AVG            718             10.21.2005  no virus found
Avira          6.32.0.6        10.22.2005  no virus found
BitDefender    7.2             10.22.2005  no virus found
CAT-QuickHeal  8.00            10.22.2005  I-Worm.VB.q
ClamAV         devel-20050917  10.21.2005  no virus found
DrWeb          4.32b           10.22.2005  no virus found
eTrust-Iris    7.1.194.0       10.22.2005  no virus found
eTrust-Vet     11.9.1.0        10.21.2005  no virus found
Fortinet       2.48.0.0        10.22.2005  W32/VB.Q-net
F-Prot         3.16c           10.20.2005  no virus found
Ikarus         0.2.59.0        10.21.2005  no virus found
Kaspersky      4.0.2.24        10.22.2005  IM-Worm.Win32.VB.q
McAfee         4610            10.21.2005  no virus found
NOD32v2        1.1263          10.21.2005  a variant of Win32/VB.AAM
Norman         5.70.10         10.21.2005  W32/Antbot.A
Panda          8.02.00         10.22.2005  W32/Kelvir.DG.worm
Sophos         3.98.0          10.22.2005  no virus found
Symantec       8.0             10.22.2005  no virus found
TheHacker      5.8.4.127       10.21.2005  no virus found
VBA32          3.10.4          10.21.2005  IM-Worm.Win32.VB.q


========================================================================================

Norman Scanner Engine 5.83.  7
Sandbox 05.83, dated 20/09-2005

Your message ID (for later reference): 20051022-898

file_67353.exe : [SANDBOX] contains a security risk - W32/Malware
(Signature: W32/Antbot.A)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Applications uses MSVBVM60.DLL (Visual Basic 6).
    * Form uses id Timer.
    * Form uses id Form.
    * Form uses id Messenger.
    * Suspicious Project.
    * File length:        53760 bytes.

 [ Process/window information ]
    * Creates a COM object with CLSID {FCFB3D23-A0FA-1068-A738-08002B3371B5} : VBRuntime.
    * Creates a COM object with CLSID {E93AD7C1-C347-11D1-A3E2-00A0C90AEA82} : VBRuntime6.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information
source only.


