iTunes trojan not detected

I received an email purporting to be from iTunes with the following message:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00 You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The attachment was a zipped file containing an exe file named iTunes_certificate_247.exe.

I scanned the file with Nod32 but it came up clear. To be on the safe side I Googled for 'iTunes gift certificate virus' and there were plenty of results on the subject, including this site which, interestingly, says that 'At the time of writing, 15 of the 41 AV engines did detect the trojan.'

Just thought I'd issue a warning...

 

submit it to Eset if you have a mo
http://kb.eset.com/esetkb/index?page=content&id=SOLN141

 

Thanks, Cudni - I didn't realise I could do that... I'll send to Eset straight away.

 

According to the name I assume it could be a variant of the Oficla trojan. We're not aware of any undetected recent variants, could you check and make sure you scanned the file with the most current version of the signature db 5146?

Edit: I've found a new variant right now, it'll be added asap.

 

It's actually called 'Gift_Certificate_231.zip' - sorry, I simply copied and pasted from the site that I linked to, assuming the file name was the same.

And yes, I'm using the current version, 5146.

"Number of threats found: 0".

I've just seen your edit, Marcos - do I still need to submit the file to Eset?

 

I'd submit anyway. Just in case the variant Marcos has isn't the same as yours.

 

File submitted...

 

We've received one file Gift_Certificate_131.exe via ThreatSense.Net that is detected. If you have submitted a different file, let me know the subject you used.

 

I sent Gift_Certificate_231.zip via email with the subject line 'Definite infection!'.

Update: Nod32 has updated to version 5147 and has now detected the virus: Win 32 /Oficla .EU trojan

 

Good work ESET.

 

I got that one today also: At the time 10:30am EST VirusTotal detected 19/41

__________ ESET NOD32 Antivirus warning, version of virus signature database 5147 (20100526) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

part000.txt - is OK
Gift_Certificate_431.zip - Win32/Oficla.EU trojan
Gift_Certificate_431.zip > ZIP > Gift_Certificate_431.exe - Win32/Oficla.EU trojan

Thanks Eset!

TH

 

Hi

I got this Oficla. EU trojan infected email too (with "Gift_Certificate_131.exe" attached to it), now my question is how do I get rid of it, as all NOD32 will is quarantine it, as it say it can't delete it as this trojan thing is in an archive or something...

What can I do?

 

Quarantine it then delete from quarantine - or just delete the email.

 

With default settings it will delete it before it gets to your inbox but for some reason if it is in quarantine just delete from there!

TH

 

Thanks for the info, had no idea I could delete the stuff in the quarantine