It is another Word “document” with a malicious embedded object, similar to the BBB, IRS, FTC and other targeted trojan “documents” that have been seen lately.
The file sent is Proforma_Invoice.doc
Those AV vendors that recognized at virustotal were:
Authentium 4.93.8 06.15.2007 W32/Dropper.ESR
Fortinet 2.85.0.0 06.15.2007 W32/Nuclear!tr
Sophos 4.18.0 06.12.2007 Troj/BHO-BP
Symantec 10 06.15.2007 Downloader
Panda 9.0.0.4 06.15.2007 Suspicious file
The document itself contains an icon of a pair of books (blue and yellow) and a magnifying glass and the text ...
“DOUBLE CLICK THE ICON ABOVE
TO VIEW THE DOCUMENT DETAILS”
The icon represents a “Packaged Object”.
Clicking the icon in XP SP2 resulted in a Windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Name: C_PROFOR~1.EXE
Publisher: Unknown Publisher
Type: Application”
The three copies that have been seen so far were all the same, all were 689,152 bytes long and all had an MD5 hash of 47fff5b9d3765b70571454146ea9f244.
A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!
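The post gives two kinds of indicator a defender can act on: the exact size and MD5 of the three identical samples, and the fact that the lure is a Word "Packaged Object" (an embedded OLE Package, which Word stores in a stream named `\x01Ole10Native` inside the document's ObjectPool storage). The script below is an added triage example written for this page, not code from the original post or from any tool it mentions. It hashes a document image, compares it against the size and MD5 stated above, and applies a byte-level heuristic for the Ole10Native stream name (compound-file directory entries hold names as UTF-16LE, so the marker is searched in that encoding). The sample inputs are constructed blobs, not real documents; the CFB magic bytes and the Ole10Native stream name are standard, everything else (function names, the "suspicious" / "known-malicious" labels) is this example's own choice.

```python
import hashlib
from typing import Dict

# Indicators stated in the post above (size in bytes, MD5 hex digest).
KNOWN_SIZE = 689152
KNOWN_MD5 = "47fff5b9d3765b70571454146ea9f244"

# Stream name Word uses for an embedded "Packaged Object" (OLE Package).
# Compound-file directory entry names are UTF-16LE, so search that encoding.
OLE10NATIVE_MARKER = "\x01Ole10Native".encode("utf-16-le")

# Signature at offset 0 of every OLE compound (CFB) file, legacy .doc included.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_document(data: bytes) -> Dict[str, object]:
    """Compute the indicators for one document image held in memory.

    This is a heuristic: it does not walk the CFB directory, it only looks for
    the stream-name marker anywhere in the file. A full parser (e.g. the
    oletools project) is the right tool for extracting the embedded payload.
    """
    md5 = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "md5": md5,
        "is_cfb": data[:8] == CFB_MAGIC,
        "has_packaged_object": OLE10NATIVE_MARKER in data,
        "matches_known_sample": len(data) == KNOWN_SIZE and md5 == KNOWN_MD5,
    }


def verdict(indicators: Dict[str, object]) -> str:
    """Map the indicator set to a triage label (labels are this example's own)."""
    if indicators["matches_known_sample"]:
        return "known-malicious"
    if indicators["is_cfb"] and indicators["has_packaged_object"]:
        return "suspicious"
    return "no-indicator"


def triage_file(path: str) -> Dict[str, object]:
    """Read a file from disk and return its indicators plus a verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = triage_document(data)
    result["verdict"] = verdict(result)
    return result


# Constructed sample inputs (not real documents): a CFB header, padding to the
# first sector boundary, then fake directory-entry names. The first blob
# carries the Ole10Native stream name, the second does not.
CONSTRUCTED_WITH_PACKAGE = (
    CFB_MAGIC + b"\x00" * 504
    + "Root Entry".encode("utf-16-le") + b"\x00" * 44
    + OLE10NATIVE_MARKER + b"\x00" * 100
)
CONSTRUCTED_BENIGN = (
    CFB_MAGIC + b"\x00" * 504
    + "WordDocument".encode("utf-16-le") + b"\x00" * 100
)
CONSTRUCTED_NOT_CFB = b"PK\x03\x04" + b"\x00" * 64  # looks like a ZIP, not a .doc

if __name__ == "__main__":
    for name, blob in (("with_package", CONSTRUCTED_WITH_PACKAGE),
                       ("benign", CONSTRUCTED_BENIGN),
                       ("not_cfb", CONSTRUCTED_NOT_CFB)):
        ind = triage_document(blob)
        print(name, verdict(ind), ind["size"], ind["md5"])
```

The size-plus-hash match only catches the exact sample described in the post; the Ole10Native heuristic is what flags the same lure technique when the attacker recompiles the payload, and it is the check worth keeping in a mail-gateway or triage pipeline. False positives are possible, since legitimate documents can embed files as Package objects, so "suspicious" should route to review rather than automatic blocking.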