what is this? new malware?


kreepz

is this new malware?

hello, i was checking my email yesterday @ hotmail.com and while there i got
an email from a nicole smith. in the email was an attachment of what
appeared to be a valid jpg file "nicole256.jpg" however when i put my mouse on
the image i noticed the link on the status bar was not to a jpg file but to
another site "http://xxx.241.xxx.30/pics/nicole256.php". needless to say,
it was a spoofed link to an "exe" file. i downloaded the file and scanned
it with avp kav 7.0 with the very latest definitions and it found nothing
wrong with the file. not even as suspicious. i have included 3 screenshots
and what appeared as a suspicious string of the source code of the hotmail
page (see below). i also included an image of the scan from virus total,
several scanners did register it as malware and a couple as suspicious.
this is a new thing for me because hotmail always restricts executables as
attachments but this one seemed to get by with no problem.

when i submitted the file at KAV site for a scan and it told me the file was
ok.


i also included the source code of the hotmail page at the time of receiving
this.


the email itself.
http://img141.imageshack.us/img141/3420/nicoleey4.jpg

the script in the email page
http://img299.imageshack.us/img299/9241/suspiciousscriptkz0.jpg

virus total file scans
http://img297.imageshack.us/img297/885/19233463di3.jpg
http://img522.imageshack.us/img522/5752/98914782at9.jpg
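The lure described in this post is a picture named like a .jpg whose hyperlink points at a .php URL that hands back an executable. The script below is an added example, not code from the thread or from any of the posters: it flags image links whose target is not an image resource, and classifies a downloaded file by its magic bytes instead of its name. The helper names and the sample HTML are constructed for illustration; the host is the same redacted one the post shows.

```python
# Added example (not from the thread). Flags <img> tags linked to a non-image URL and
# identifies a downloaded blob by magic number rather than by its claimed extension.
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

class _ImageLinkCollector(HTMLParser):
    """Collects (href, img_src) pairs for <img> tags nested inside <a> tags."""
    def __init__(self):
        super().__init__()
        self._href = None
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.pairs.append((self._href, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _ext(url):
    # Extension of the URL path only, so query strings and fragments are ignored.
    return os.path.splitext(urlparse(url).path)[1].lower()

def suspicious_image_links(html):
    """Return hrefs of image-looking links whose target is not itself an image."""
    p = _ImageLinkCollector()
    p.feed(html)
    return [href for href, src in p.pairs
            if _ext(src) in IMAGE_EXTS and _ext(href) not in IMAGE_EXTS]

def content_kind(data):
    """Classify file bytes by magic number, ignoring whatever the filename claims."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"

# Constructed sample resembling the lure: a .jpg-named image linking to a .php URL.
SAMPLE_HTML = ('<p>hi!</p><a href="http://xxx.241.xxx.30/pics/nicole256.php">'
               '<img src="cid:nicole256.jpg"></a>')

if __name__ == "__main__":
    print(suspicious_image_links(SAMPLE_HTML))
    print(content_kind(b"MZ\x90\x00"))  # what a "nicole256.jpg.exe" would look like
```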
 

Duh_OZ

is this new malware?

hello, i was checking my email yesterday @ hotmail.com and while there i got
an email from a nicole smith. in the email was an attachment of what
appeared to be a valid jpg file "nicole256.jpg" however when i put my mouse on
the image i noticed the link on the status bar was not to a jpg file but to
another site "http://xxx.241.xxx.30/pics/nicole256.php". needless to say,
it was a spoofed link to an "exe" file. i downloaded the file and scanned
it with avp kav 7.0 with the very latest definitions and it found nothing
wrong with the file. not even as suspicious.
===============
I've gotten just a few of those in the last few days. The first day
Kaspersky missed it (VIA virustotal), the next day I received another
e-mail, different location but same file. Kap flagged it as Trojan-
Downloader.Win32.Agent.jhj
 

kreepz

what i would like to know is how they got an executable attachment to get
through as an attachment. i can't even send myself an executable with
hotmail.
 

Duh_OZ

what i would like to know is how they got an executable attachment to get
through as an attachment. i can't even send myself an executable with
hotmail.
===========
It was just a link to the executable, correct? Not the actual .exe
file as the attachment?

Definitely different malware than I had received. I know you had it
scanned by K, did you also submit the file directly to them (although
VT should do that??)
 

Duh_Oz

I saw the (file) link you posted on a blog - seems K now has it
properly ID'ed:
Kaspersky 7.0.0.125 2008.02.24 Trojan.BAT.Qhost.u
 

kreepz

that's the funny thing. the link was to
"http://xxx.241.xxx.30/pics/nicole256.php" (omitted some numbers from link).
this of course would turn into a live executable file if clicked on.

here is a screenshot to see what i am talking about.
http://img141.imageshack.us/img141/3420/nicoleey4.jpg
===========
It was just a link to the executable, correct? Not the actual .exe
file as the attachment?

Definitely different malware than I had received. I know you had it
scanned by K, did you also submit the file directly to them (although
VT should do that??)

yes i have and have yet to receive any type of feedback from kav. i wonder why.
 

kreepz

yeah! finally!!! it got both the script and the executable file nailed
down now.

detected: Trojan program Trojan-Downloader.JS.Agent.biu File: D:\My
Documents\My Downloads\Suspects\Nicole256\nicoleSuspiciousCode.TXT <--
detected: Trojan program Trojan.BAT.Qhost.u File: D:\My Documents\My
Downloads\Suspects\Nicole256\Nicole256.jpg.exe <---

gonna run it by virus total to see if any other av programs detect it as
well.
 