I Found A New Trojan!!!!

I found a new Trojan. TDS detects nothing. Nor does virusscan.jotti.org.

IM me if you would like the file!

Here are the strings from the DLL:

!This program cannot be run in DOS mode.
\Microsoft\
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%sxtempx.xxx
SeDebugPrivilege
Mozilla/5.0
%windir%\hosts.sam
%SystemRoot%\system32\drivers\etc\hosts
ExitThread
kernel32.dll
LoadLibraryA
Process32Next
Process32First
CreateToolhelp32Snapshot
Software\Microsoft\Internet Explorer\Main
Placeholder_Data
teenspicy.com
evo.sexfab.com
IsUserAdmin
setupapi.dll
st_log.dat
sm_log.dat
sc_log.dat
rvd_wfdsfsdffsddas1mhgfdsdk
RegisterServiceProcess
Software\Microsoft\Internet Explorer\Main\Helpers
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
%sContent-Disposition: attachment; filename="%s"
%sContent-Transfer-Encoding: base64
%sContent-Type: application/octet-stream; name="%s"
See Attach
%sContent-Transfer-Encoding: 8bit
%sContent-Type: text/plain; charset=Windows-1251
%sMIME-Version: 1.0
%sSubject: %08X_%08X
From: <%s>
Date: %a
RCPT TO:<%s>
MAIL FROM:<%s>
%s::%u::%s:%u->%s:%u
_except_handler3
MSVCRT.dll
_adjust_fdiv
GetVersion
DeleteFileA
CloseHandle
CreateFileA
GetSystemDirectoryA
GetCurrentProcess
CreateProcessA
ExpandEnvironmentStringsA
GetFileSize
CreateThread
GetTickCount
ExitThread
GetCurrentThreadId
TerminateThread
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
WriteProcessMemory
GetProcAddress
GetModuleHandleA
VirtualAllocEx
OpenProcess
GetLastError
LoadLibraryA
CreateMutexA
GetCurrentProcessId
GetModuleFileNameA
FreeLibrary
GetVersionExA
GetDiskFreeSpaceExA
GetDriveTypeA
GetLogicalDriveStringsA
GlobalMemoryStatus
KERNEL32.dll
DispatchMessageA
TranslateMessage
GetMessageA
PostQuitMessage
DestroyWindow
DefWindowProcA
CreateWindowExA
RegisterClassA
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegOpenKeyExA
RegEnumValueA
RegDeleteValueA
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
ADVAPI32.dll
WS2_32.dll
InternetCloseHandle
FtpPutFileA
InternetConnectA
InternetOpenA
InternetReadFile
InternetOpenUrlA
WININET.dll
Dllcode.dll
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
download.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
1+10191W1i1n1
2.2O2e2q2z2
:=:J:U:\:r:~:
? ?(?.?4?@?K?S?Y?_?e?|?
1T2i2n2s2y2
:*:3:=:Q:\:q:
:G;M;S;Y;l;
;%<L<Z<b<g<m<s<y<
=-=6=<=A=I=T=\=b=h=n=t=">
4"4(4-434:4H4P4X4^4r4
5$5.555_5h5r5
9"9)90979>9E9L9S9Z9a9h9o9v9
;M<S<c<w<G=Y=^=
=2?C?U?_?f?n?
0"0*00060G0Z0`0f0l0r0}0
4/5S5]5c5u5
8I9P9]9f9y9
:C:W:l:~:
;$;
6 7W7a7s7}7
8%8D8L8R8X8b8
= =*=3=F=P=e=s=|=
=%>B>H>N>T>Z>`>f>l>r>x>~>

 

Did you anti-virus detect it?

Evey trojan I've ever gotten, NOD32 detected it before TDS3 did...

 

NOD32 could not detect it. I scanned the file over at virusscan.jotti.org and it found nothing.

 

Run the file through Norman's online Sandbox,M8.Congrats if it is a new find!

http://sandbox.norman.no/live.html

 

Nice one. Could you please be so kind as to zip and submit it to submit@diamondcs.com.au and if you send it to this board webmaster@wilderssecurity.com there will be taken care of forwarding it to all labs. Thanks a lot and please keep us informed.

Maybe it is not detected for not being malicious enough?

 

Is that "random" text a telltale sign? Because I've got this in Prevx home (which keeps crashing) I edited the regular text out