iTunes trojan not detected

Discussion in 'ESET NOD32 Antivirus' started by slightlymad, May 26, 2010.

Thread Status:
Not open for further replies.
  1. slightlymad

    slightlymad Registered Member

    Joined:
    May 26, 2010
    Posts:
    5
    I received an email purporting to be from iTunes with the following message:

    Hello!

    You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in the attachment below.

    Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

    iTunes Store.


    The attachment was a zipped file containing an exe file named iTunes_certificate_247.exe.

    I scanned the file with Nod32 but it came up clear. To be on the safe side I Googled for 'iTunes gift certificate virus' and there were plenty of results on the subject, including this site which, interestingly, says that 'At the time of writing, 15 of the 41 AV engines did detect the trojan.'

    Just thought I'd issue a warning...
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. slightlymad

    slightlymad Registered Member

    Joined:
    May 26, 2010
    Posts:
    5
    Thanks, Cudni - I didn't realise I could do that... I'll send to Eset straight away.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    According to the name I assume it could be a variant of the Oficla trojan. We're not aware of any undetected recent variants, could you check and make sure you scanned the file with the most current version of the signature db 5146?

    Edit: I've found a new variant right now, it'll be added asap.
     
  5. slightlymad

    slightlymad Registered Member

    Joined:
    May 26, 2010
    Posts:
    5
    It's actually called 'Gift_Certificate_231.zip' - sorry, I simply copied and pasted from the site that I linked to, assuming the file name was the same.

    And yes, I'm using the current version, 5146.

    "Number of threats found: 0".

    I've just seen your edit, Marcos - do I still need to submit the file to Eset?
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'd submit anyway. Just in case the variant Marcos has isn't the same as yours.
     
  7. slightlymad

    slightlymad Registered Member

    Joined:
    May 26, 2010
    Posts:
    5
    File submitted...
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We've received one file Gift_Certificate_131.exe via ThreatSense.Net that is detected. If you have submitted a different file, let me know the subject you used.
     
  9. slightlymad

    slightlymad Registered Member

    Joined:
    May 26, 2010
    Posts:
    5
    I sent Gift_Certificate_231.zip via email with the subject line 'Definite infection!'.

    Update: Nod32 has updated to version 5147 and has now detected the virus: Win32/Oficla.EU trojan
     
    Last edited: May 26, 2010
  10. ESS474

    ESS474 Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    201
    Location:
    São Paulo (Brazil)
    Good work ESET. :) :thumb:
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    I got that one today also. At the time (10:30am EST) VirusTotal detected 19/41.

    __________ ESET NOD32 Antivirus warning, version of virus signature database 5147 (20100526) __________

    Warning, ESET NOD32 Antivirus found the following threats in the message:

    part000.txt - is OK
    Gift_Certificate_431.zip - Win32/Oficla.EU trojan
    Gift_Certificate_431.zip > ZIP > Gift_Certificate_431.exe - Win32/Oficla.EU trojan

    Thanks Eset!

    TH
     
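The scan log above (and the first post's zip-wrapped exe) shows the shape of this lure: a numbered Gift_Certificate_NNN.zip carrying Gift_Certificate_NNN.exe, reported as archive > ZIP > member. As an added example, not code from ESET or from any poster in this thread, here is a small Python attachment check that walks a ZIP the same way, recurses into nested ZIPs, flags members that are PE files by their MZ header regardless of extension, and matches the filename pattern seen in this thread. The magic-byte check, the extension list, the lure-name regex and the in-memory sample archives are all assumptions constructed for the example; none of it is ESET's detection logic, and the "MZ" stub is not real malware.

```python
import io
import re
import zipfile

# Added example, not from ESET or the thread. Inspects an e-mail attachment the
# way the scan log shows NOD32 reporting it: open the ZIP, look at each member,
# report findings as 'archive > ZIP > member'. The detection here (PE "MZ"
# magic, a risky-extension list, a lure-name pattern) is the example author's
# assumption, not ESET's detection logic.

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Filenames seen in this thread: Gift_Certificate_131/231/431, iTunes_certificate_247
LURE_NAME = re.compile(r"^(gift|itunes)_certificate_\d+\.(zip|exe)$", re.IGNORECASE)


def is_executable(name: str, content: bytes) -> bool:
    """True if the member is a PE file by magic bytes, or carries a risky extension."""
    return content.startswith(PE_MAGIC) or name.lower().endswith(RISKY_EXTENSIONS)


def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 4) -> list:
    """Walk a ZIP, recursing into nested ZIPs, and return one finding per suspicious member."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in zf.infolist():
        if info.is_dir():
            continue
        member_path = f"{path} > ZIP > {info.filename}"
        content = zf.read(info.filename)
        if is_executable(info.filename, content):
            findings.append(f"{member_path} - executable inside archive")
        elif content.startswith(ZIP_MAGIC) and depth < max_depth:
            # Nested archive: descend, but cap the depth against zip bombs.
            findings.extend(scan_archive(content, member_path, depth + 1, max_depth))
    return findings


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: lure-name match plus archive findings."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append(f"{filename} - filename matches gift-certificate lure pattern")
    if data.startswith(ZIP_MAGIC):
        findings.extend(scan_archive(data, filename))
    elif is_executable(filename, data):
        findings.append(f"{filename} - bare executable attachment")
    return {"filename": filename, "suspicious": bool(findings), "findings": findings}


def build_zip(members: dict) -> bytes:
    """Constructed sample data: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): the fake PE is just the "MZ" header
# followed by padding, enough to trigger the magic-byte check.
FAKE_PE = PE_MAGIC + b"\x90" * 62

SAMPLES = {
    # The case from the thread: exe inside a numbered gift-certificate zip.
    "Gift_Certificate_431.zip": build_zip({"Gift_Certificate_431.exe": FAKE_PE}),
    # Extension renamed to look harmless; caught by content, not by name.
    "invoice.zip": build_zip({"readme.txt": FAKE_PE}),
    # Nested archive hiding a screensaver payload one level down.
    "photos.zip": build_zip({"inner.zip": build_zip({"photo.jpg.scr": b"not a PE"})}),
    # Genuinely benign attachment.
    "notes.zip": build_zip({"notes.txt": b"plain text"}),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = check_attachment(name, data)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok")
        for line in verdict["findings"]:
            print("   ", line)
```

Run as-is and the Gift_Certificate_431.zip sample reports both the lure-name match and the nested path "Gift_Certificate_431.zip > ZIP > Gift_Certificate_431.exe", mirroring the log format above; the renamed-payload and nested-zip samples are flagged too, while notes.zip passes. A check like this is a triage aid for a mail gateway, not a substitute for the AV engine: it says nothing about what the executable does, which is why submitting the sample to the vendor, as the thread does, is still the right move.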
  12. gaelicvalley

    gaelicvalley Registered Member

    Joined:
    May 27, 2010
    Posts:
    2
    Hi

    I got this Oficla.EU trojan-infected email too (with "Gift_Certificate_131.exe" attached to it). Now my question is how do I get rid of it, as all NOD32 will do is quarantine it, as it says it can't delete it as this trojan thing is in an archive or something...

    What can I do?
     
  13. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Quarantine it then delete from quarantine - or just delete the email.
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    With default settings it will delete it before it gets to your inbox, but if for some reason it is in quarantine, just delete it from there!

    TH
     
    Last edited: May 27, 2010
  15. gaelicvalley

    gaelicvalley Registered Member

    Joined:
    May 27, 2010
    Posts:
    2
    Thanks for the info, I had no idea I could delete the stuff in the quarantine.
     