Sponsored by..

Wednesday, 10 September 2008

SpamCop phish

Some people will phish for anything - in this case they are trying to get access to SpamCop accounts. Go figure. Reply to address is 2020sarah@live.com.




Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal

This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.

WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.

YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.

Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.

BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE

1)Full Email Address:
2)password:
3)date of birth:

Thanks for your understanding.

SPAMCOP.NET WEBMAIL INTERNET SERVICE


PestPatrol: SillyDl FFL in wuauclt.exe

It looks like CA PestPatrol might have a false positive, detecting SillyDl FFL in C:\windows\system32\wuauclt.exe. This is a component of Windows Update, and in the case of the false positive it is a 124,184 byte file with an internal version number of 5.8.0.2469.

PestPatrol does not appear to be trying to delete the file, it is merely blocking access to it. Updating your Windows Update components should clear the problem. CA usually fix these false positives in a day or so.

The current signature version is 2008.9.9.15. Note that the PestPatrol engine is used in some other products, not all of which have the CA name on them.

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

  • 51com.ru
  • acr34.ru
  • asl39.ru
  • net83.ru

Tuesday, 9 September 2008

SQL Injection: ave2.cn / %61%76%65%32%2E%63%6E

This SQL Injection attack seems to be aimed at Chinese language sites. The code injected points to http://%61%76%65%32%2E%63%6E which is trivially encoded and is a reference to ave2.cn hosted on 219.129.239.251.

ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).

Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as being VERY dangerous.

Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding:

  • hs7yue.cn
  • hxg008.cn
  • jzm015.cn
  • doups.cn
  • hxg008.cn
  • jzm013.cn
  • jzm014.cn
  • jzm015.cn
  • qingfeng01.cn

Monday, 8 September 2008

Asprox: 64do.com

Possibly the final Asprox domain on the day in 64do.com - add this to your block or scan list.

Asprox: "aspx" domains

Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.

  • 24aspx.com
  • 2aspx.net
  • 6aspx.com
  • 9aspx.net
  • aspx46.com
These domains follow the same pattern as this one and this one.

Asprox: 19ssl.net

Another "druid00091@aol.com" domain (following on from this one and this one) , this type 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also has a copy of the (presumably legitimate) nescodirect.com site (this behavious is noted elsewhere).

Domain name: 19ssl.net

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net

Asprox: 24aspx.com

The latest domain name used in the recent Asprox SQL Injection attacks appears to be 24aspx.com. Perhaps the Asprox guys are boasting a little with the domain name? Certainly these SQL injection attacks still seem to serve a useful purpose for them, although the number of vulnerable servers keeps dropping. Anyway, block this one or check your logs for it.

The email addressed used to register this domain is identical to the one used for the "Luksus Jobs" scam email. No big news here, the Asprox botnet is used for a wide variety of things, it's just odd to see druid00091@aol.com come up twice in such a short period.

It's also notable that they've switched back to .com from .ru, but this time registered through Chinese registrar BIZCN.COM.


Domain name: 24aspx.com

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.24aspx.com
ns2.24aspx.com
ns3.24aspx.com

Created: 2008-09-06
Expires: 2009-09-06

"Job Opportunity at Luksus" / luksus-jobs.org scam

Luksus Media is a wholly legitimate Finnish company, but this attempt to recruit a money mule does not come from Luksus, just from a company trying to trade on its name.

This scam is being run by the same people behind the Asprox SQL injection attacks that have been doing to rounds (more information after the email).




Subject: Job Opportunity at Luksus

We have reviewed your resume and would like to introduce you to our
current vacancy.
Luksus, with headquarters in Helsinki, Finland, serves the luxury
lifestyle and offers unparalleled access to the finest luxury
goods. We offer a unique mix of brands, partnerships, and product
expertise. We are currently hiring, work at home positions, to
provide administrative assistance with sales in North America.
Candidates for the job should possess excellent organizational
skills as well as the ability to efficiently multi-task. Ideal
candidates have a strong focus on day-to-day operational
excellence. The candidate should be motivated, proactive, be able
to learn and adapt quickly.

Other duties include, but are not limited to:

* Incorporating effective priorities for the virtual office function
* Administer day-to-day financial responsibilities for clients
* Reporting online daily
* Preparing brief summary reports, and weekly financial reports

Salary part-time (3 hours per day, Monday-Friday): $1,200/month,
plus commission.

If you are interested in this position please send us an email to
Sandra.Collins@luksus-jobs.org expressing your interest and we will
forward you the detailed job description and the working agreement.

Thank You,
Luksus Team



Normally, WHOIS data is pretty useless, but sometimes the email address can give a clue:

Domain ID: D153950800-LROR
Domain Name: LUKSUS-JOBS.ORG
Created On: 28-Aug-2008 11: 34: 57 UTC
Last Updated On: 28-Aug-2008 14: 23: 25 UTC
Expiration Date: 28-Aug-2009 11: 34: 57 UTC
Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Registrant ID: orgfm19923291709
Registrant Name: Fero Muia
Registrant Organization: Fero Muia
Registrant Street1: 3213 po box
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 12310
Registrant Country: US
Registrant Phone: +1.9917721121
Registrant Phone Ext.:
Registrant FAX: +1.9917721121
Registrant FAX Ext.:
Registrant Email: druid00091@aol.com
Admin ID: orgfm19923292728
Admin Name: Fero Muia
Admin Organization: Fero Muia
Admin Street1: 3213 po box
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 12310
Admin Country: US
Admin Phone: +1.9917721121
Admin Phone Ext.:
Admin FAX: +1.9917721121
Admin FAX Ext.:
Admin Email: druid00091@aol.com
Tech ID: orgfm19923293349
Tech Name: Fero Muia
Tech Organization: Fero Muia
Tech Street1: 3213 po box
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 12310
Tech Country: US
Tech Phone: +1.9917721121
Tech Phone Ext.:
Tech FAX: +1.9917721121
Tech FAX Ext.:
Tech Email: druid00091@aol.com
Name Server: NS1.RELEASEBPB.COM
Name Server: NS2.RELEASEBPB.COM


druid00091@aol.com is an address being used to register today's latest SQL injection domains too, proving that they are linked. releasebpb.com is a set of name servers which are only associated with malware domains, ns1.releasebpb.com is on 194.150.120.47 on ns2.releasebpb.com is on 20.31.85.15.

This type of fraud doesn't use a website to entice people, but it is looking for an email response. In this case, email is delivered to mx.luksus-jobs.org on 12.192.82.225 which is on the AT&T network.

It's hard to tell which of these IPs are part of the Asprox botnet and which ones are rented (usually with fake credit card details). Nonetheless, it gives a glimpse into just how large and efficient these operations can be.

Thursday, 4 September 2008

CNOOC (www.cnooc.com.cn) scam

CNOOC (www.cnooc.com.cn) are a legitimate oil exploration and petrochemicals firm in China. The following job offer is a money mule scam, NOT from CNOOC but from someone pretending to be them. Don't be tempted.





CNOOC Oil Base Group Ltd.
Address:6 Dongzhimenwai Xiaojie,
Dongcheng District, Beijing, China 100027
Telephone:010-8452101, 010-8453198
Fax:010-6460250
EMail:cnooccorporation@yahoo.com.hk
Website:www.cnooc.com.cn


Good Day,

JOB OPPORTUNITY


We are exporters base in China , we deal on Oilexploitation, technical
service, chemicals, fertilizar production, refining,natural gas, power
generation,financial services, logistic services and new energies
development. Visit our corporate website: www.cnooc.com.cn


We have costumers in Asia, Europe, America , Australia , Canada and
Africa.

Our company (CNOOC) was established in 1982. We are interested in
employing
company services, to work with us as our payment agent our north America
customers will make payment to you on our behalf for goods and raw
materials we supplied to our customers in North America.

If your company is interested in working with us,we will be
very glad, Subject to your satisfaction, your company reward of
working with us as a Payment Officer is 5% of any Payment
your company receive from our costumers.

Most payment ranges from $300,000.00 to $3.3 Million US Dollars
Please if you are interested forward the following info to us:

1. Your Full Name:
2. Payment should be made to: Company?s Name:
3. Your Full Contact Address:
4. Phone/Fax Number:
5. Occupation:


Thanks for your corporations.


Yours Sincerely,


Mr. Wu Mengfei
Chief Financial Officer.



Asprox: jic2.ru

Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js"will help locate suspect activity.

Wednesday, 3 September 2008

"Bangui" malware domains

A whole set of domains distributing malware, currently based on 206.53.51.119 and allegedly registered to someone in Bangui (although most likely it is the RBN again). These domains are being used in blog spam and also what appears to be PHP and ASP injection attacks.

Unlike some injection attacks, the pages carry some scraped text that's relevant to the URL. Combine this with the inbound links created through spam and injection attacks and you have a very black hat SEO campaign. Yahoo! seems to be more prone to this type of SEO than Google.

The pages on these domains use a javascript redirector (menu.js) to end up at a set of fake video and rogue anti-malware sites that install all sorts of nasty things.. again, these endpoints have the hallmark of the RBN.

  • Afwwwf.info
  • Apostit.info
  • Bcuioc.info
  • Bglkhg.org
  • Bihuru.org
  • Biiwhw.info
  • Bikgfjr.info
  • Bioblor.info
  • Bioqw.info
  • Biowfr.info
  • Bkjksl.org
  • Bkssdoue.info
  • Bloiw.org
  • Bocaca.org
  • Cascaa.info
  • Cbasoa.info
  • Cbr1000rrxx.info
  • Csccons.org
  • Cskaa.org
  • Eomnb.info
  • Fasca.info
  • Fasfw555.info
  • Fasw.org
  • Fbkshk.org
  • Fdsaa.org
  • Firstnax.org
  • Fjkjfjoi.info
  • Fjwiojnc.info
  • Flsab.info
  • Foeww.org
  • Foxrat.info
  • Fsaff.org
  • Fsafvn.info
  • Fsancao.info
  • Fsanp.org
  • Fsaqq.info
  • Fsaw.org
  • Fsfa22rr.info
  • Fsfkg.info
  • Fsfworg
  • Fsgkle.org
  • Fsjklhg.info
  • Fskjhgkb.info
  • Fullmediabase.net
  • Fwe75r4fyf65.cn
  • Fwfds.org
  • Fwfisow.org
  • Fwjijc.org
  • Fwoijwh.org
  • Gcoigkm.org
  • Gewop.info
  • Gjgkgjhew.org
  • Golodnijya.org
  • Gucwd.org
  • Hellodolly5k.net
  • Hellodomy5k.net
  • Hhkjj.org
  • Hkljccc.info
  • Hodnejgreat.info
  • Hofhwbc.info
  • Hohotv.org
  • Homosapien5k.net
  • Hrr553.info
  • Hudinarjiii.cn
  • Itgfbn.org
  • Jfldsh.org
  • Jflhg.info
  • Jlbyuo.org
  • Jnbq.info
  • Jowely.org
  • Jplhnh.info
  • Juiok.org
  • Jumpsert.org
  • Jwionw.info
  • Kiwedox.org
  • Kjhiofw.org
  • Kjhlfsh.org
  • Knwponc.org
  • Madnes.info
  • Mazafaker.com
  • Mfpwjmc.org
  • Mkmcsss.org
  • Mpfwmcs.org
  • Mpkcmzz.org
  • Mpmccz.org
  • Mybestz5k.net
  • Nado1000traffa.info
  • Nfeow.org
  • Nfwojw.org
  • Nfwon.org
  • Nhphpkj.info
  • Nifa422.info
  • Njpaw.info
  • Nosdsh.org
  • Pokoder.org
  • Sonvfs.org
  • Werbin.org
  • Wfwcn.org
  • Wn59whgp3w.cn
  • Workfox.info
  • Yzfr1yamahad.info

Tuesday, 2 September 2008

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

  • 2b24.ru
  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • mj5f.ru
  • oc32.ru
  • vwsc.ru

Monday, 1 September 2008

"WorldWide Offshore Integrated Systems Inc"

Another money mule scam, this time claiming to be from "WorldWide Offshore Integrated Systems Inc" of New York, a company that does not exist according to the New York Division of Corporations. Also, there are no Google matches for that search term... except that there will be since I've posted this. Oh, you can figure out what I mean.

Originating IP is 78.175.218.143 in Turkey. Also, I can't think of many "WorldWide " corporations that have to use Yahoo!'s free email service.




Subject: Looking for a job? Good chance for you!
Date: Mon, September 1, 2008 4:38 pm



Hello.

WorldWide Offshore Integrated Systems Inc. is a custom software development company
located in New York, USA.

We offer full cycle custom software programming services, from product idea,
offshore software development to outsourcing support and enhancement.
WorldWide Offshore Integrated Systems Inc. employs a large pool of software
engineers coming from different backgrounds.
We are able to balance product development efforts and project duration to your
business needs.

WorldWide Offshore Integrated Systems Inc. customer service department is currently
offering employment for residents
in order to provide it's new branch with qualified personnel.
The private client support desk is responsible for following up client enquiries,
helping the clients to understand how WorldWide Offshore Integrated Systems Inc. can
save them money on foreign
currency transactions, and developing new business through referrals.

First of all you need no prior experience, even though we are value
your current knowledge, but we will provide all necessary training when
you will join us.

If you're a customer service fanatic, and enjoy working in a challenging and
rewarding environment,
please see below for our current list of opportunities.

Requirements:

è Proficiency in MS Word, Excel & Internet
è Excellent communication skills both oral and written

- This work does not require any experience!
- This is a work at home

You will be paid USD 2500 per 2 weeks.

Should you have any questions regarding this letter,
our offer of employment or anything else, please write me an e-mail.
We are excited to have you join our organization and look forward to working with you.


If you are interested in our position reply to e-mail worldwide61@yahoo.com


Best regards,
Katrin Olley
Employment Manager


Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • oc32.ru
  • vwsc.ru
Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Friday, 29 August 2008

Atrivo / Intercage

Atrivo, Inc (also known as Intercage) and their main customer, Esthost (related to Estdomains) might well be a familiar name to people working in IT security. Atrivo is based is California and is run by one Emil Kacperski, so it has always surprised me that such a small operator should be a persistent host of malware.

Well, Atrivo's activities have not gone un-noticed by HostExploit.com who have produced a whitepaper and diagram and a YouTube video explaining how Atrivo's network is involved in a typical PC exploit.

Brian Krebs at the Washington Post has a comprehensive commentary. Note in particular the comments from "Emil K." at the bottom of the article. The RBN blog also has a comment here. Fascinating stuff.

Thursday, 28 August 2008

Where a link turns into a lawsuit

I've seen some daft excesses in local politics in my time, but over Sheboygan, Wisconsin, things have taken a new twist... with a lawsuit over a link.

Jennifer Reisinger operates a website called Sheboygan Spirit which appears to be very critical of local officials and also a now defunct web design business called Brat City Web Design. She was also involved in a campaign to recall the elected mayor, which probably didn't endear her to some city officials.

Last year, the city filed a lawsuit against Ms Reisinger. Why? Because one of her sites carried a link to the Sheboygan Police Department (oops). First, the city sent a cease and desist asking her to remove it, and when she refused to do so they initiated a criminal investigation and legal proceedings.

Remember, this is just a link to the local police department. Not a link to illegal or confidential material. Of course, really the city didn't have a leg to stand on and in November 2007 decided not to pursue the case.

But Ms Reisinger wasn't finished, and a few days ago filed a counter-suit alleging loss of business and a violation of first amendment rights. It looks like it could be a significant case.. depending on the outcome.

There's more information in this item at the Milwaukee Journal Sentinel, and also here at the Citizen Media Law Project.

Wednesday, 27 August 2008

"Bank of America Installation and Upgrade Warning."

The bad guys are busy today, here's another fake bank "upgrade" leading to malware, following on from this one.


Subject: Bank of America Installation and Upgrade Warning.
From: "Bank Of America Update Service Department"
Date: Wed, August 27, 2008 2:23 pm

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and
secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of
fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>

Sincerely, Jodie William.
2008 Bank of America Corporation. All rights reserved.
This leads to a very convoluted URL with an executable Setup_BankofAmericaclientno4508832.exe - virus detection for this one is a bit poor. Malware is identified variously as TR/ATRAPS.Gen (AntiVir & WebWasher), DeepScan:Generic.Malware.dld!!.083539B0 (BitDefender) and one or two others come up with a generic detection.

Incidentally, the URLs used in both attacks are incredibly long and convoluted.. and not terribly convicincing.

Avoid these "bank certificates" at all costs.

Tilde.exe in C:\Windows\System32 folder


This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.

~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.

Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:

  • Company: Microsoft Corporation
  • File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
  • Internal name: remote.exe
  • Language: Language Neutral
  • Original File name: remote.exe
  • Product Name: Microsoft® Windows® Operating System
  • Product Version: 6.0.6001.16470
The icon is identical to the remote.exe sometimes supplied with various Microsoft debugging or support tools. Indeed, it does seem to be just another version of remote.exe which is a component of Microsoft's SMS server.

The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.

It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.

~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).

Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.

This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.

Tuesday, 26 August 2008

"Colonial Bank Emergency Alert System"

Emergency alert system? Nope, malware download more likely.

Subject: Colonial Bank Emergency Alert System.
From: "Colonial Bank Account Support"
Date: Tue, August 26, 2008 8:35 pm

Dear Colonial Bank Customers. Protect your passwords!

- Never write down your passwords.
- Never share passwords with anyone.
- Change your password every few months.
- Change your password if you think it has been compromised.

For a password to be strong and hard to break, it should be at least nine characters
long, contain characters from each of the following three groups: letters (uppercase
and lowercase), numerals, symbols (all characters not defined as letters or
numerals), not contain your name or user name and not be a common word or name.
Be sure your computer is up-to-date with security patches, anti-virus, and
anti-spyware protection.
Download our latest all-in-one Internet software from our Customer Service
Department to make your online life completely secured.

Press here to Start>>

Sincerely, Parker Wheeler.
2003-2008 Colonial bank Support Team
VirusTotal detections are a mixed bag:

File ColonialDigicertx_509.exe received on 08.26.2008 23:52:05 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32008.8.21.02008.08.26-
AntiVir7.8.1.232008.08.26HEUR/Crypted
Authentium5.1.0.42008.08.26-
Avast4.8.1195.02008.08.26-
AVG8.0.0.1612008.08.26-
BitDefender7.22008.08.26DeepScan:Generic.
Malware.dld!!.6B08AD0D
CAT-QuickHeal9.502008.08.26(Suspicious) - DNAScan
ClamAV0.93.12008.08.26PUA.Packed.MEW-1
DrWeb4.44.0.091702008.08.26-
eSafe7.0.17.02008.08.26Win32.Stration
eTrust-Vet31.6.60502008.08.26-
Ewido4.02008.08.26-
F-Prot4.4.4.562008.08.26-
F-Secure7.60.13501.02008.08.26Suspicious:W32/Malware!Gemini
Fortinet3.14.0.02008.08.26-
GData192008.08.26-
IkarusT3.1.1.34.02008.08.26Trojan-Proxy.Win32.Small.DT
K7AntiVirus7.10.4282008.08.25-
Kaspersky7.0.0.1252008.08.26-
McAfee53702008.08.26-
Microsoft1.38072008.08.25PWS:Win32/Uloadis.A
NOD32v233902008.08.26-
Norman5.80.022008.08.26W32/Suspicious_M.gen2
Panda9.0.0.42008.08.26-
PCTools4.4.2.02008.08.26Packed/MEW
Prevx1V22008.08.26-
Rising20.59.11.002008.08.26-
Sophos4.32.02008.08.26Mal/EncPk-BA
Sunbelt3.1.1582.12008.08.26VIPRE.Suspicious
Symantec102008.08.26-
TheHacker6.3.0.6.0602008.08.23W32/Behav-Heuristic-066
TrendMicro8.700.0.10042008.08.26Cryp_MEW-11
VBA323.12.8.42008.08.26-
ViRobot2008.8.26.13502008.08.26-
VirusBuster4.5.11.02008.08.26Packed/MEW