Trojan-Downloader.Win32.Small.aon

Duh_OZ

Just an FYI:

Got a bounced e-mail that had a jpg.zip attachment. Unzipped to a
..jpg.exe file. Trend Micro (through e-mail client) said it was clean.
McAfee also said it was clean. Submitted to virustotal and 2 called
it Trojan-Downloader.Win32.Small.aon, 3 said it was suspicious and 12
said clean.
 
David H. Lipman

From: "Duh_OZ" <[email protected]>

| Just an FYI:
|
| Got a bounced e-mail that had a jpg.zip attachment. Unzipped to a
| .jpg.exe file. Trend Micro (through e-mail client) said it was clean.
| McAfee also said it was clean. Submitted to virustotal and 2 called
| it Trojan-Downloader.Win32.Small.aon, 3 said it was suspicious and 12
| said clean.

That's good information but it would have been even /*better*/ if you had actually posted
the Virus Total results.
 
Duh_Oz

David said:
That's good information but it would have been even /*better*/ if you had actually posted
the Virus Total results.

--
Details, details.

Down to 10 now I see.
===================

AntiVir 6.30.0.7 17.03.2005 no ha encontrado virus
AVG 718 15.03.2005 no ha encontrado virus
BitDefender 7.0 17.03.2005 BehavesLike:Trojan.Downloader
ClamAV devel-20050307 17.03.2005 no ha encontrado virus
DrWeb 4.32b 17.03.2005 Trojan.DownLoader.1914
eTrust-Iris 7.1.194.0 17.03.2005 no ha encontrado virus
eTrust-Vet 11.7.0.0 17.03.2005 no ha encontrado virus
Fortinet 2.51 16.03.2005 no ha encontrado virus
F-Prot 3.16a 16.03.2005 no ha encontrado virus
Ikarus 2.32 17.03.2005 suspicious program sequence found
Kaspersky 4.0.2.24 17.03.2005 Trojan-Downloader.Win32.Small.aon
McAfee 4448 16.03.2005 no ha encontrado virus
NOD32v2 1.1027 16.03.2005 no ha encontrado virus
Norman 5.70.10 17.03.2005 W32/Downloader
Panda 8.02.00 17.03.2005 no ha encontrado virus
Sybari 7.5.1314 17.03.2005 Trojan-Downloader.Win32.Small.aon
Symantec 8.0 16.03.2005 no ha encontrado virus
===================
 
David H. Lipman

From: "Duh_Oz" <[email protected]>

| Details, details.
|
| Down to 10 now I see.
| ===================
|
| AntiVir 6.30.0.7 17.03.2005 no ha encontrado virus
| AVG 718 15.03.2005 no ha encontrado virus
| BitDefender 7.0 17.03.2005 BehavesLike:Trojan.Downloader
| ClamAV devel-20050307 17.03.2005 no ha encontrado virus
| DrWeb 4.32b 17.03.2005 Trojan.DownLoader.1914
| eTrust-Iris 7.1.194.0 17.03.2005 no ha encontrado virus
| eTrust-Vet 11.7.0.0 17.03.2005 no ha encontrado virus
| Fortinet 2.51 16.03.2005 no ha encontrado virus
| F-Prot 3.16a 16.03.2005 no ha encontrado virus
| Ikarus 2.32 17.03.2005 suspicious program sequence found
| Kaspersky 4.0.2.24 17.03.2005 Trojan-Downloader.Win32.Small.aon
| McAfee 4448 16.03.2005 no ha encontrado virus
| NOD32v2 1.1027 16.03.2005 no ha encontrado virus
| Norman 5.70.10 17.03.2005 W32/Downloader
| Panda 8.02.00 17.03.2005 no ha encontrado virus
| Sybari 7.5.1314 17.03.2005 Trojan-Downloader.Win32.Small.aon
| Symantec 8.0 16.03.2005 no ha encontrado virus
| ===================

Thank You !
 
Roger Wilco

Duh_OZ said:
Just an FYI:

Got a bounced e-mail that had a jpg.zip attachment. Unzipped to a
.jpg.exe file. Trend Micro (through e-mail client) said it was clean.
McAfee also said it was clean. Submitted to virustotal and 2 called
it Trojan-Downloader.Win32.Small.aon, 3 said it was suspicious and 12
said clean.

That's not what they said. Any scanner that says something like that
would just as easily certify their scanned emails as virus free. :)
 
Duh_OZ

Still getting attachments, but now it is up to .AOW

AntiVir no ha encontrado virus
AVG no ha encontrado virus
BitDefender BehavesLike:Trojan.Downloader
ClamAV Trojan.Dropper.Small.AOW
DrWeb no ha encontrado virus
eTrust-Iris no ha encontrado virus
eTrust-Vet no ha encontrado virus
Fortinet no ha encontrado virus
F-Prot no ha encontrado virus
Ikarus suspicious program sequence found
Kaspersky no ha encontrado virus
McAfee no ha encontrado virus
NOD32v2 no ha encontrado virus
Norman W32/Downloader
Panda no ha encontrado virus
Sybari W32/Downloade
Symantec no ha encontrado virus
 
Duh_OZ

It keeps going and going and.... up to .aqj This time it was a link,
I guess their attachments were getting blocked. Had McAfee scan it
(downloaded latest defs beforehand and rebooted) but it showed nothing
suspicious, yet the totalvirus has McAfee showing 'New Win32'
(03.30.2005 defs used).

Oh well at least it is keeping some Russians occupied.
=================
AntiVir no ha encontrado virus
AVG no ha encontrado virus
BitDefender BehavesLike:Trojan.Downloader
ClamAV no ha encontrado virus
DrWeb Trojan.DownLoader.2075
eTrust-Iris no ha encontrado virus
eTrust-Vet no ha encontrado virus
Fortinet no ha encontrado virus
F-Prot no ha encontrado virus
Ikarus no ha encontrado virus
Kaspersky Trojan-Downloader.Win32.Small.aqj
McAfee New Win32
NOD32v2 no ha encontrado virus
Norman no ha encontrado virus
Panda no ha encontrado virus
Sybari New Win32
Symantec no ha encontrado virus
 
David H. Lipman

From: "Duh_OZ" <[email protected]>

| It keeps going and going and.... up to .aqj This time it was a link,
| I guess their attachments were getting blocked. Had McAfee scan it
| (downloaded latest defs beforehand and rebooted) but it showed nothing
| suspicious, yet the totalvirus has McAfee showing 'New Win32'
| (03.30.2005 defs used).
|
| Oh well at least it is keeping some Russians occupied.
| =================
| AntiVir no ha encontrado virus
| AVG no ha encontrado virus
| BitDefender BehavesLike:Trojan.Downloader
| ClamAV no ha encontrado virus
| DrWeb Trojan.DownLoader.2075
| eTrust-Iris no ha encontrado virus
| eTrust-Vet no ha encontrado virus
| Fortinet no ha encontrado virus
| F-Prot no ha encontrado virus
| Ikarus no ha encontrado virus
| Kaspersky Trojan-Downloader.Win32.Small.aqj
| McAfee New Win32
| NOD32v2 no ha encontrado virus
| Norman no ha encontrado virus
| Panda no ha encontrado virus
| Sybari New Win32
| Symantec no ha encontrado virus

The declaration "New Win32" is a Heuristic find. Basically, it is unknown but if it walks
like a duck and quacks like a duck it has a very good chance of being a duck.

Depending on what version of VirusScan and whether it is a corp/enterprise or a retail version, you
would have to enable Heuristics (programs and/or macros) in VirusScan.

http://vil.nai.com/vil/content/v_99324.htm
 
Duh_OZ

David said:
| McAfee New Win32

The declaration "New Win32" is a Heuristic find. Basically, it is unknown but if it walks
like a duck and quacks like a duck it has a very good chance of being a duck.

Depending on what version of VirusScan and whether it is a corp/enterprise or a retail version, you
would have to enable Heuristics (programs and/or macros) in VirusScan.

http://vil.nai.com/vil/content/v_99324.htm
========
Got yah! It wasn't like I was going to open it anyway :0)

Malware still being "disguised" with a .jpg followed by a bunch of
spaces and then .exe. People still fall for that *sigh*
 
Ian JP Kenefick

It keeps going and going and.... up to .aqj This time it was a link,
I guess their attachments were getting blocked. Had McAfee scan it
(downloaded latest defs beforehand and rebooted) but it showed nothing
suspicious, yet the totalvirus has McAfee showing 'New Win32'
(03.30.2005 defs used).

You probably don't have program heuristics enabled. New Win32 is a
heuristic detection.
 
Ian JP Kenefick

Malware still being "disguised" with a .jpg followed by a bunch of
spaces and then .exe. People still fall for that *sigh*

And how! Most malware uses long file names to exploit people's
carelessness and lack of understanding.
 
David H. Lipman

From: "Duh_OZ" <[email protected]>

| ========
| Got yah! It wasn't like I was going to open it anyway :0)
|
| Malware still being "disguised" with a .jpg followed by a bunch of
| spaces and then .exe. People still fall for that *sigh*

Yeah... That's called Social Engineering.

About once a month, an EXE disguised as a video file is posted to the binaries photo News
Group that has the "MultiDropper-DC" Trojan.

"Vid1.avi
..exe "

There are *many* spaces between the .AVI extension and the real .EXE extension.
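The extension disguise the thread keeps running into (a decoy `.jpg` or `.avi`, then a run of spaces, then the real `.exe`, sometimes inside a `.zip`) is easy to flag mechanically at a mail gateway. The following is an added example written for this page, not code from any poster or product; the extension lists and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions the sender wants the recipient to believe the file has.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "avi", "mpg", "mpeg", "doc", "pdf", "txt"}


def explain_attachment_name(name: str) -> Optional[str]:
    """Return why a filename looks like an extension disguise, or None if it does not."""
    # The extension Windows honours is whatever follows the last dot.
    base, dot, real_ext = name.rstrip().rpartition(".")
    real_ext = real_ext.lower()
    if not dot or real_ext not in EXECUTABLE_EXTS:
        return None
    # Look for a decoy extension just before it, optionally followed by the
    # spaces or dots that push the real extension out of a narrow file-name column.
    m = re.search(r"\.(\w+)([\s.]*)$", base)
    if m and m.group(1).lower() in DECOY_EXTS:
        pad = len(m.group(2))
        kind = "padded" if pad else "double extension"
        return f"decoy .{m.group(1)} before real .{real_ext} ({kind}, {pad} padding chars)"
    return f"executable extension .{real_ext}"


def scan_zip_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Apply the name check to every member of an archive (the jpg.zip case in the thread)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            reason = explain_attachment_name(member)
            if reason:
                hits.append((member, reason))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding 'photo.jpg<40 spaces>.exe' plus a harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg" + " " * 40 + ".exe", b"not a real binary")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()
```

Only the name is inspected here; a real gateway would pair this with content checks, since a padded name is a strong social-engineering signal on its own regardless of what scanners say about the bytes.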
 
