Re: Executing files with ".jpg" extensions

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 02/24/05

  • Next message: Robert Moir: "Re: Executing files with ".jpg" extensions"
    Date: Thu, 24 Feb 2005 17:08:50 -0500
    
    

    I went to http://manvestmarketing.com and it wanted to save/install a file, AIG.EXE.
    The following is the report from Virus Total.

          Antivirus      Version          Update      Result
          AntiVir        6.29.0.16        02.24.2005  TR/Proxy.Small.AV.1
          AVG            718              02.22.2005  no virus found
          BitDefender    7.0              02.24.2005  Trojan.Proxy.Small.AV
          ClamAV         devel-20050130   02.24.2005  no virus found
          DrWeb          4.32b            02.24.2005  Trojan.Proxy.193
          eTrust-Iris    7.1.194.0        02.23.2005  no virus found
          eTrust-Vet     11.7.0.0         02.24.2005  no virus found
          Fortinet       2.51             02.24.2005  no virus found
          F-Prot         3.16a            02.24.2005  security risk named W32/Goldun.D@pws
          Ikarus         2.32             02.24.2005  Trojan-Proxy.Win32.Small.AV
          Kaspersky      4.0.2.24         02.24.2005  Trojan-Proxy.Win32.Small.av
          NOD32v2        1.1007           02.23.2005  probably unknown NewHeur_PE virus
          Norman         5.70.10          02.22.2005  W32/Malware
          Panda          8.02.00          02.24.2005  Trj/Small.FJ
          Sybari         7.5.1314         02.24.2005  Troj/Proxy-H
          Symantec       8.0              02.24.2005  no virus found

    Both McAfee (v7.1E, ENGINE v4400, DAT 4433) and Trend Sysclean (Pattern File 442) failed to detect an infector; however, McAfee WebImmune provided an "inconclusive" result.

    -- 
    Dave
    "Joel Rubin" <jmrubin@ix.netcom.com> wrote in message news:VprTd.12082$x53.3290@newsread3.news.atl.earthlink.net...
    | I just got an attachment with what probably is the Goldun-I e-gold
    | phishing trojan but attached as a JPG file.
    | 
    | I was suspicious so I eyeballed the file (using cygwin less and
    | strings, both ported from Unix) and it was definitely a Windows
    | Portable Executable, not a JPG, and it had strings similar to those
    | in:
    | 
    | http://www.sophos.com/virusinfo/analyses/trojgolduni.html
    | 
    | including the string listed there:
    | 
    | http://manvestmarketing.com/1/gold.php
    | 
    | and, by the way, as what is undoubtedly a mere coincidence, the email
    | came from the same IP as manvestmarketing.com.
    | 
    | (By the way, be careful with the website - I think that if you go to
    | the / page of the website with MSIE it will open a window and run a
    | little trojan, /aig.exe, that will make your box an open proxy.)
    | 
    | Anyway, my issue is "Ain't it dangerous for Windows to run a file with
    | a fake .jpg extension as an executable? Ain't that a great bit of
    | social engineering for someone trying to get you to open
    | email-attached malware?"
    | 
    | IMHO, social engineering quality (whatcha do to get the mark to bite)
    | is much more important to the spread of malware than technical
    | excellence.
    | 
    
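The check Joel describes above (eyeballing the attachment with `strings` to see that a ".jpg" is really a Windows Portable Executable) can be automated. The following is an added example, not code from either poster: it sniffs the real format from the DOS `MZ` header and the `PE\0\0` signature at `e_lfanew` (or the JPEG start-of-image marker), compares that against what the file extension claims, and pulls `strings`-style printable runs out of the body so URLs embedded in the binary can be reviewed. The sample "attachment" it builds is a constructed stub with a fake PE header and a placeholder URL (`example.invalid`), not the actual trojan.

```python
import re
import struct
from dataclasses import dataclass, field

# Magic values for the two formats the thread contrasts.
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker (FF D8 FF)
MZ_MAGIC = b"MZ"                # DOS executable header signature
PE_SIGNATURE = b"PE\0\0"        # NT headers signature, located via e_lfanew at offset 0x3C

# What each extension leads a Windows user (and Explorer) to expect.
CLAIMED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "scr": "pe", "com": "mz"}
EXECUTABLE = {"pe", "mz"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Verdict:
    claimed: str            # format implied by the extension
    actual: str             # format inferred from the bytes
    mismatch: bool          # True when the extension lies about the content
    urls: list = field(default_factory=list)


def detect_format(data: bytes) -> str:
    """Identify the container from its header, not its name."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
        return "mz"         # DOS-only executable without NT headers
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Roughly what strings(1) does: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def inspect_file(filename: str, data: bytes) -> Verdict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXT.get(ext, "unknown")
    actual = detect_format(data)
    # .exe vs .com are both executables; only flag a change of *kind*.
    mismatch = claimed != actual and not (claimed in EXECUTABLE and actual in EXECUTABLE)
    urls = [u for s in extract_strings(data) for u in URL_RE.findall(s)]
    return Verdict(claimed, actual, mismatch, urls)


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed sample: DOS header + PE signature + payload. Not a runnable binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points just past the DOS header
    return bytes(hdr) + PE_SIGNATURE + b"\0" * 20 + payload


# Constructed inputs: a PE stub carrying a placeholder URL, and a minimal JFIF header.
SAMPLE_FAKE_PE = build_fake_pe(b"\0\0Mozilla/4.0\0http://example.invalid/1/gold.php\0")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 16

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_FAKE_PE), ("photo.jpg", SAMPLE_JPEG), ("AIG.EXE", SAMPLE_FAKE_PE)):
        v = inspect_file(name, blob)
        flag = "MISMATCH" if v.mismatch else "ok"
        print(f"{name}: claims {v.claimed}, is {v.actual} [{flag}] urls={v.urls}")
```

Run it as a filter over a mail spool or a downloads directory and triage anything that reports `MISMATCH`; the extracted URLs give you the same pivot Joel used to tie the attachment back to the hosting domain.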
