Keep your eyes open!

| 1 Comment

Two hours ago I received a mail in one of the many mail accounts that I have that included a link and message from someone I didn't know. The text and subject was in Spanish (Trigger 1), the message came from someone I didn't know (Trigger 2) and it was linked to a site in the UK (Trigger 3) that I don't know either.

I decided to carefully check out the links and sure enough after I took some precautions, I downloaded a file named foto07_euevc.jpg__-____Tipo_-_Ima.jpg.sCR. It is supposed to look like an image in JPEG format, but the .scr extension was a dead giveaway for me : a screen saver.

I uploaded the sample to virustotal and only 16 of the 32 different scanning engines that examined the file were triggered. Out of that 50%, quite a few only marked it suspicious due to heuristic scanning, which makes the sample possibly new and/or unknown. Samples will be distributed and if this is new, most scanners should have virus definitions updated soon. (Results can be found here : Virustotal Scan Results)

I've sent a mail to the webmaster of the site that is abused to spread the links, though the file itself is served from elsewhere.

For the time being, I suggest blocking, from which the actual file is served. (Sanitized URL : http : / / www . laeslnetwork . com / board /images / anmf / - explore only if you know what you're doing!)

Update(s) : I made an error while handling the suspicious file - it once again shows you gotta be careful when dealing with malware. I really should dedicate a machine to it, or run a VM session to make sure whatever happens, things remain under control.

I knew something was amiss when two new files appeared in a directory I browse regulary, and it usually doesn't contain any .dat files. Now it did, so I launched ProcessExplorer and started hunting down my adversary. I've identified and killed the wnupd.exe process, deleted the wnupd.exe file in the temp directory and removed the run entry in the registry for the Ltaskup.exe file that was also dropped in my windows/media folder. 1 cold boot later, my machine is clean again.

I've found some results when searching for wnupd.exe and Ltaskup.exe, and this virus/malware may have first been seen in Spain on September 4th,2007. Makes me wonder why only 50% of the virus scanners pick it up?!

Update 2 : The sample I submitted to F-Secure (I do read their blog in my RSS newsreader and think high of them and their products) was analyzed and - as I expected - tagged as malicious. A signature will be added to their database for the next release of their virus scanner. A sample also has been sent to the guys at Sophos (currently analyzing), and the sample has also been submitted to AVG.

Update 3 : AVG Tech support just got back to me and identified the sample as a new variant of the Trojan Downloader.Banload. Seems I caught something new after all! Still waiting on the Sophos analysis...

Update 4 : Sophos analysis results arrived in my mailbox 18 minutes ago and they have added detection for the new sample. Info can be found at : Troj/Dloadr-BFJ.

1 Comment

It's CSI, ServMe style! Whoo!

Leave a comment

Monthly Archives


OpenID accepted here Learn more about OpenID
Powered by Movable Type 5.13-en

About this Entry

This page contains a single entry by ServMe published on November 13, 2007 3:16 PM.

Shit. Fan. Yummy. Not. was the previous entry in this blog.

Feel my words is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.