Author Topic: Email from Ebay gives a Trojan Horse Found when opened  (Read 6395 times)


dan633

  • Guest
Email from Ebay gives a Trojan Horse Found when opened
« on: November 30, 2009, 05:33:10 AM »
Two days in a row I opened Email from ebay@ebay.com (one way) to notify me of a win with an invoice. It is legit mail. I feel confident these are false positives. The info for the first:

File Name:             hxxp://maranack.com/documents/?s=577
Malware Name:      JS:Downloader-FT [Trj]
Malware Type:      Trojan Horse
VPS version:         091128-0, 11/28/2009

The second one:

File Name:          hxxp://kuzibrak.com/documents/?s=572
Malware Name:   JS:Downloader-FT [Trj]  
Malware Type:   Trojan Horse
VPS version:      091128-0, 11/28/2009

I have seen several postings with Ebay in the text; is this a problem that is being worked on?  Thanks, Dan





« Last Edit: December 01, 2009, 11:39:47 AM by misak »

Offline Soure73

  • Full Member
  • ***
  • Posts: 137
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #1 on: November 30, 2009, 07:51:22 AM »
To be sure whether that is a false positive or a real threat, upload the files to www.virustotal.com and post the results here.

HP Compaq with Amd AthlonII x2 2.7Ghz,4 Gig ram 1066 Mhz DDR3,ATI Radeon HD 3000(onboard),Windows 10 Home 64bit

dan633

  • Guest
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #2 on: November 30, 2009, 08:49:21 PM »
Per your request I sent both in and results were the same. It is posted here:
----------------------------------------------

From:  scan@virustotal.com 
Sent: Mon 11/30/09 3:14 AM

Complete scanning result of "Trojan found-2.txt", processed in VirusTotal at 11/30/2009 09:13:54 (CET).

[ file data ]
* name..: Trojan found-2.txt
* size..: 5102
* md5...: 2bd959d4d85508e1a8731eb95a21f554
* sha1..: 1d82433a8351b36b147f474fa137b6b0467317d7
* peid..: -

[ scan result ]
a-squared 4.5.0.43/20091130 found nothing
AhnLab-V3 5.0.0.2/20091128 found nothing
AntiVir 7.9.1.79/20091129 found nothing
Antiy-AVL 2.0.3.7/20091130 found nothing
Authentium 5.2.0.5/20091129 found nothing
Avast 4.8.1351.0/20091129 found nothing
AVG 8.5.0.426/20091129 found nothing
BitDefender 7.2/20091130 found nothing
CAT-QuickHeal 10.00/20091130 found nothing
ClamAV 0.94.1/20091130 found nothing
Comodo 3087/20091130 found nothing
DrWeb 5.0.0.12182/20091130 found nothing
eSafe 7.0.17.0/20091129 found nothing
eTrust-Vet 35.1.7146/20091127 found nothing
F-Prot 4.5.1.85/20091129 found nothing
F-Secure 9.0.15370.0/20091129 found nothing
Fortinet 4.0.14.0/20091130 found nothing
GData 19/20091130 found nothing
Ikarus T3.1.1.74.0/20091130 found nothing
Jiangmin 11.0.800/20091129 found nothing
K7AntiVirus 7.10.906/20091127 found nothing
Kaspersky 7.0.0.125/20091130 found nothing
McAfee 5817/20091129 found nothing
McAfee+Artemis 5817/20091129 found nothing
McAfee-GW-Edition 6.8.5/20091130 found nothing
Microsoft 1.5302/20091130 found nothing
NOD32 4647/20091129 found nothing
Norman 6.03.02/20091127 found nothing
nProtect 2009.1.8.0/20091128 found nothing
Panda 10.0.2.2/20091129 found nothing
PCTools 7.0.3.5/20091130 found nothing
Prevx 3.0/20091130 found nothing
Rising 22.24.00.04/20091130 found nothing
Sophos 4.48.0/20091130 found nothing
Sunbelt 3.2.1858.2/20091129 found nothing
Symantec 1.4.4.12/20091130 found nothing
TheHacker 6.5.0.2.081/20091128 found nothing
TrendMicro 9.100.0.1001/20091130 found nothing
VBA32 3.12.12.0/20091130 found nothing
ViRobot 2009.11.30.2061/20091130 found nothing
VirusBuster 5.0.21.0/20091129 found nothing

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #3 on: November 30, 2009, 08:53:28 PM »
A link to the virustotal page works too... easier to read. Just for future reference.  ;D

Looks like they all found nothing.  Maybe upload the file to avast so they can add it to their definitions.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and possible false positive in the subject.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

micky77

  • Guest
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #4 on: November 30, 2009, 08:57:24 PM »
You have not sent a file to VT, just some txt file. The alerts are from malicious websites that Avast has blocked. Why are you confident they are FPs?

You should disable the links by changing the http to hxxp
« Last Edit: November 30, 2009, 09:12:08 PM by micky77 »

Hermite15

  • Guest
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #5 on: November 30, 2009, 09:28:25 PM »
yeah, disable your links  ::)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #6 on: November 30, 2009, 09:49:19 PM »
I guess that kuzibrak dot com is now being cleansed as I get this there:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"><title></title>
</head>
<body>
</body>
</html>
HTML 4.01 Transitional (has all elements and attributes, iframe labeled excluded):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


pol
« Last Edit: November 30, 2009, 09:52:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: Email from Ebay gives a Trojan Horse Found when opened
« Reply #7 on: December 01, 2009, 08:33:40 AM »
***

As for the maranack (dot) com/documents/?s=577 site, it is most likely infected. See the links below:

http://www.UnmaskParasites.com/security-report/?page=maranack.com/documents/%3Fs%3D577

http://www.google.com/safebrowsing/diagnostic?site=maranack.com


***
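The thread writes the flagged addresses in three neutralised spellings (hxxp://, "dot com" and "(dot) com"). As an added example that is not part of any post, the Python below normalises those spellings, re-defangs a URL for posting, and builds the two report links in the format quoted in the last reply; the function names are hypothetical, the report URL layouts are taken only from that reply and may no longer resolve, and nothing is fetched.

```python
import re
from urllib.parse import quote, urlsplit

# Neutralised-dot spellings seen in this thread: " dot ", "(dot)", plus "[dot]" and "[.]".
# Caveat: ordinary prose such as "a dot b" would also be rewritten.
_DOT = re.compile(
    r"(?<=[A-Za-z0-9-])\s*(?:\(dot\)|\[dot\]|\[\.\]|\sdot\s)\s*(?=[A-Za-z0-9])",
    re.I,
)
_SCHEME = re.compile(r"\bh(?:xx|tt)p(s?)://", re.I)


def refang(indicator):
    """Return a normal URL string from a defanged indicator (for analysis tools only)."""
    text = _DOT.sub(".", indicator.strip())
    text = _SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", text)
    if "://" not in text:
        text = "http://" + text  # assumption: bare hosts are treated as http
    return text


def defang(indicator):
    """Return a non-clickable form: hxxp scheme and [.] in the host name."""
    parts = urlsplit(refang(indicator))
    query = "?" + parts.query if parts.query else ""
    host = parts.netloc.replace(".", "[.]")
    return parts.scheme.replace("tt", "xx") + "://" + host + parts.path + query


def report_links(indicator):
    """Build the reputation-report links in the layout quoted in the last reply."""
    parts = urlsplit(refang(indicator))
    query = "?" + parts.query if parts.query else ""
    target = parts.netloc + parts.path + query
    return {
        "unmaskparasites": "http://www.UnmaskParasites.com/security-report/?page="
        + quote(target, safe="/"),
        "safebrowsing": "http://www.google.com/safebrowsing/diagnostic?site="
        + parts.netloc,
    }


if __name__ == "__main__":
    # Indicators exactly as written in the thread.
    for item in ("hxxp://kuzibrak.com/documents/?s=572",
                 "kuzibrak dot com",
                 "maranack (dot) com/documents/?s=577"):
        print(defang(item), report_links(item))
```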