Paypal phishing attachment, interesting results

Discussion in 'other anti-virus software' started by supergravy, Aug 25, 2006.

Thread Status:
Not open for further replies.
  1. supergravy

    supergravy Registered Member

    Jul 25, 2006
    Oxford, UK
    Yesterday I recieved a Paypal phishing email that was a little better then the usual. Instead of including links asking for my personal info, it wanted me to open a zipped attachment that would show the fraud activity that had occurred on my account. Being in AV testing mode lately, I couldn't help but check out the attachment.

    The interesting part is that Yahoo Mail scanned the download with Norton AV 2006, declared it clean and allowed me to download it. This happened on a machine at work that is also running Norton and did not detect anything. As this was a work machine I put the file on a USB stick and left it alone until I got home.

    Once home I went back to my Yahoo mail account on a machine running KAV6. Yahoo still showed the file as clean and let me begin to download. Kaspersky immediately started squeeling and declared it infected by Win32/TrojanDownloader.Agent.AUM trojan. My laptop running NOD32 detected the same.

    I am thankful for good AV programs like KAV and NOD32! Many of my friends and relatives would have taken Norton/Yahoo's word that this was clean and opened it up. Frankly I am surprised that not all AV programs would detect this. Here is what had to say about the file:

    Scanner Scanner Version Result Scan Time
    ArcaVir 1.0.3 Clean 1.00597 secs
    avast! 2.0.0 Clean 0.0270441 secs
    AVG Anti Virus 7.1.30 Downloader.Agent.FBL 1.92365 secs
    Avira Desktop 1.1.6-32 Trojan/Dldr.Agent.aum 3.3255 secs
    BitDefender 7.1 Trojan.Downloader.Agent.AUM 4.09331 secs
    ClamAV 0.88/1728 Trojan.Downloader.Small-2242 0.0242629 secs
    Dr. Web 4.33.0 Trojan.DownLoader.12341 5.57629 secs
    F-PROT 4.6.5 W32/Downloader.AFRJ 0.463414 secs
    H+BEDV AntiVir NULL Trojan/Dldr.Agent.aum 3.43864 secs
    Ikarus PSCAN 2.32 Clean 7.52984 secs
    NOD32 2.51.1 Win32/TrojanDownloader.Agent.AUM trojan 2.09968 secs
    Norman Virus Control 5.70.01 Suspicious_F.gen 4.12276 secs
    Sophos Sweep 4.05.0 Clean 2.81337 secs
    VBA32 3.11.0 Clean 2.37423 secs
    VirusBuster 2005 1.2.4 Trojan.DL.Agent.PMJ 1.43007 secs

    By the way, today Yahoo mail is also detecting this as malware and won't let me download this attachment. :cautious:
  2. ASpace

    ASpace Guest

    Norton is one way back top products . . . . . . :D

    Good to see ! :D

    It's time you asked your friends to change their Norton products with something better :) ;)

    Yes , Norton got updated :rolleyes:

    Thanks for the information ,next time use VirusTotal for most acurate results :thumb:
  3. supergravy

    supergravy Registered Member

    Jul 25, 2006
    Oxford, UK
    No worries! I pre-empted all of my friends and family's clicking habits long ago with NOD32, and in a couple of cases Bitdefender. And as much knowledge as each was willing to take in. None have been infected in years. I occasionally VNC into a few and help with spyware scans too.

    Here is what VirusTotal had to say about this particular file. I am a little surprised that Avast didn't detect anything, I generally like the program. Wish that I had run VirusTotal right after getting the file, I think many are just now detecting this.

    AntiVir 08.25.2006 TR/Dldr.Agent.aum
    Authentium 4.93.8 08.25.2006 W32/Downloader.AFRJ
    Avast 4.7.844.0 08.24.2006 no virus found
    AVG 386 08.24.2006 Downloader.Agent.FBL
    BitDefender 7.2 08.25.2006 Trojan.Downloader.Agent.AUM
    CAT-QuickHeal 8.00 08.24.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 08.25.2006 Trojan.Downloader.Small-2242
    DrWeb 4.33 08.25.2006 Trojan.DownLoader.12341
    eTrust-InoculateIT 23.72.106 08.25.2006 Win32/SillyDL.8332!Trojan
    eTrust-Vet 30.3.3039 08.25.2006 Win32/Clagger.AI
    Ewido 4.0 08.25.2006 Downloader.Agent.aum
    Fortinet 08.24.2006 Clagge!tr
    F-Prot 3.16f 08.23.2006 security risk named W32/Downloader.AFRJ
    F-Prot4 08.24.2006 W32/Downloader.AFRJ
    Ikarus 08.24.2006 Trojan-Downloader.Win32.Agent.aum
    Kaspersky 08.25.2006 Trojan-Downloader.Win32.Agent.aum
    McAfee 4837 08.24.2006 no virus found
    Microsoft 1.1560 08.25.2006 TrojanDownloader:Win32/Agent.DS
    NOD32v2 1.1724 08.24.2006 Win32/TrojanDownloader.Agent.AUM
    Norman 5.90.23 08.25.2006 W32/Agent.AIXD
    Panda 08.24.2006 Trj/Nabload.JZ
    Sophos 4.08.0 08.25.2006 Troj/Clagge-Gen
    Symantec 8.0 08.25.2006 Downloader.Bancos
    TheHacker 08.24.2006 no virus found
    UNA 1.83 08.25.2006 no virus found
    VBA32 3.11.0 08.23.2006 suspected of Downloader.Harnig.40 (paranoid heuristics)
    Aditional Information
    File size: 5331 bytes
    MD5: dcc418e43091c28fbfe3b16d939733c8
    SHA1: 46c2b6391d4b189dd4374a39200ffdd0acf83d20
  4. andyrock

    andyrock Registered Member

    Mar 27, 2006
    I also use from time to time because virustotal is always saturated with lots of requests...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.