New email worm variant

Art

Missed by some scanners:
******************************************
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

Antivirus Version Update Result
AntiVir 7.3.1.34 02.06.2007 TR/Crypt.ULPM.Gen
Authentium 4.93.8 02.06.2007 Possibly a new variant of W32/CodeCru-based!Maximus
Avast 4.7.936.0 02.06.2007 Win32:Tibs-AIE
AVG 386 02.06.2007 no virus found
BitDefender 7.2 02.05.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 02.06.2007 no virus found
ClamAV devel-20060426 02.06.2007 Trojan.Downloader.Tibs.Gen-1
DrWeb 4.33 02.06.2007 Trojan.Packed.12
eSafe 7.0.14.0 02.06.2007 suspicious Trojan/Worm
eTrust-InoculateIT 30.4.3372 02.06.2007 no virus found
eTrust-Vet 30.4.3372 02.06.2007 no virus found
Ewido 4.0 02.06.2007 no virus found
Fortinet 2.85.0.0 02.06.2007 no virus found
F-Prot 4.2.1.29 02.06.2007 W32/CodeCru-based!Maximus
Ikarus T3.1.0.31 02.06.2007 no virus found
Kaspersky 4.0.2.24 02.06.2007 Email-Worm.Win32.Zhelatin.r
McAfee 4957 02.06.2007 no virus found
Microsoft 1.2101 02.06.2007 Win32/Vxidl.gen!B
NOD32v2 2040 02.06.2007 no virus found
Norman 5.80.02 02.06.2007 W32/Tibs.gen30
Panda 9.0.0.4 02.06.2007 Suspicious file
Prevx1 V2 02.06.2007 no virus found
Sophos 4.13.0 02.05.2007 Mal/HckPk-A
Sunbelt 2.2.907.0 02.02.2007 no virus found
Symantec 10 02.06.2007 no virus found
TheHacker 6.1.6.052 02.05.2007 no virus found
UNA 1.83 02.06.2007 no virus found

Aditional Information
File size: 51192 bytes
MD5: 73aeb5b6ff55e48cc8c22dfa021413f1
SHA1: 41bd57d29cbd95fee7fa235458588bd6a083c140
 
Duh_OZ

Missed by some scanners:
******************************************
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

<snip>
Sunbelt 2.2.907.0 02.02.2007 no virus found
</snip>
==========
Will Sunbelt ever catch one? I've submitted 6 different variants
over the past month - Sunbelt zip, zero, zilch.
 
Bill Blevins

Art said:
Missed by some scanners:
******************************************
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

No surprise that AVG didn't hit on it.
 
Roger Grady

Art said:
Missed by some scanners:
******************************************
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

I've been getting variations of this since Jan. 18, total of 25 as of
this afternoon. AVG calls it downloader.tibs. There have been numerous
variations and different file names. In most cases AVG does not
recognize it at first, but if I manually check for updates later in
the day it will. Apparently I'm one of the lucky early recipients.
Normally I just let AVG do its once a day update, but lately I've been
checking manually. I've found as many as 3 updates in one day.


Roger Grady (e-mail address removed)
To reply by email, remove "qlfit." from address
 