trojans posing as virus patch in e-mail

Discussion in 'malware problems & news' started by herbalist, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. herbalist

    herbalist Guest

    This turned up in my spamcatcher today, supposedly from the site administrator.
    Titled: Virus Activity Detected!
    The "text" is an image file.
    http://i138.photobucket.com/albums/q277/herbalist-rick/ShowLetter.gif
    The attachment is a passworded zip file named patch9108.zip

    Why am I posting this when infected attachments posing as patches are old news? By password protecting the zip file, several AVs don't detect the infected contents.
    VirusTotal scan of passworded zip file.
    VirusTotal scan of extracted file.
    It appears that quite a few AVs have trouble with password protected zip files.
    The payload is a Zhelatin variant, a rootkit-based mailing worm that also terminates security software and disables several system utilities such as regedit and msconfig.
    Rick
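
Added example, not part of the original post: a mail-filter check that flags ZIP attachments whose entries are marked encrypted, the case described above where a content scanner cannot open the payload. The function names and the sample message are constructed for illustration; the sample is an ordinary stored ZIP with the encryption flag set by hand, and the entry name `patch.exe` is an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x0001  # general-purpose flag bit 0 in a ZIP header: entry is encrypted


def encrypted_members(blob: bytes) -> list[str]:
    """Names of entries flagged encrypted (read from the central directory, no password needed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def unscannable_attachments(raw_mail: bytes) -> dict[str, list[str]]:
    """Map attachment name -> encrypted entries a content scanner could not open."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # trust the magic bytes, not the file extension
            names = encrypted_members(payload)
            if names:
                hits[part.get_filename() or "(unnamed)"] = names
    return hits


def build_sample_mail(encrypted: bool) -> bytes:
    """Constructed test message: a stored ZIP whose encryption flag is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("patch.exe", b"harmless placeholder bytes")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b"PK\x03\x04") + 6] |= ENCRYPTED  # local file header flags
        data[data.index(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    mail = EmailMessage()
    mail["Subject"] = "Virus Activity Detected!"
    mail.set_content("constructed sample body")
    mail.add_attachment(bytes(data), maintype="application", subtype="zip",
                        filename="patch9108.zip")
    return mail.as_bytes()


if __name__ == "__main__":
    print(unscannable_attachments(build_sample_mail(True)))
```

A gateway can quarantine or hold any message this returns a hit for, since a signature scan of the archive says nothing about the contents.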
     