New alert, is this detected by avast...Trojan Zbot inside zip file

[polonus]

Alan1998 alerted me to this: Site: brennerveiculos dot com dot br/cache/efax_9057733019_pdf.zip
This is a malware threat outbreak : http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=31347
It is related to the Zeus trojan: http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=&colsearch=All&ascordesc=DESC&quantity=All&page=0?iframe=true Trojan Zbot inside zip file -> https://malwr.com/analysis/YzY1ODgwMzU5MTNjNDkzMDkyOTExNzA1NjNjZTQwNzY/
So far only one to detect on VT:

{"timestamp": "1382274374", "sha256": "b0f86ff6803336a76241bdd22daa46ea6fed5859147d85acb0030d3e4d49d4aa", "analysis_url": "/en/url/b0f86ff6803336a76241bdd22daa46ea6fed5859147d85acb0030d3e4d49d4aa/analysis/1382274374/", "result": 1, "verbose_msg": "Invalid URL"}]

polonus

[Secondmineboy]

The server on brennerveiculos dot com is not reachable for me at the moment.

I am getting no Data.

[Pondus]

site is down 
http://www.downforeveryoneorjustme.com/http://brennerveiculos.com.br

[polonus]

Hi Steven Winderlich and Pondus,

Thanks you both for that good news.
It has been taken down and for a good reason.
At least Alan1998 has some good answers,
why he should not go and download that file.
Others are secure to have missed that threat.
Again for how long seeing the IP and domain history here:
http://myip.ms/info/whois/200.143.116.25/k/588959722/website/brennerveiculos.com.br

polonus

[Secondmineboy]

Normally these sites are just up for a few hours or sometimes some days.

And then when antiviruses start to detect them they go dowm, use another server and start from the beginning.

[polonus]

Yes and this PHISH from that IP seems still up and kicking: Up(nil):   200.143.116.25    to 200.143.116.25   caciva dot com dot br   hxtp://www.caciva.com.br/imagens/banners/paypals/   DNS status DNSBL   listed

pol

[Pondus]

Yes and this PHISH from that IP seems still up and kicking: Up(nil):   200.143.116.25    to 200.143.116.25   caciva dot com dot br   hxtp://www.caciva.com.br/imagens/banners/paypals/   DNS status DNSBL   listed

pol

Listed at PhishTank
http://www.phishtank.com/phish_detail.php?phish_id=1371684

and that means protection for those who use OpenDNS

[Michael (alan1998)]

I caught it. I also have Zeus on the Virtual Machine. The URL was in the proccess of being taken down when I found it. very slow. Took a few tries to get the file.

The file was saved as .scr (Screen Saver). It is Zeus though.

[Secondmineboy]

I had no luck to get the file. Not even in a VM with Ubuntu 13.10.

Site seems to be down.

Can you upload the file somewhere and post the link here?

[Michael (alan1998)]

Will try to yes.

[Michael (alan1998)]

Deleted by OP

[Secondmineboy]

File is blocked by Mediafire.

Do you have another source to upload?

Like Google Drive or something else?

You could upload it on Wikisend: http://wikisend.com/

[Secondmineboy]

It works. And the file is blocked as FileRep Metagen (Drp)
and Dropper-Gen by Avast.

[Secondmineboy]

It blocked by almost everyone out there except from Bitdefender and Panda: https://www.virustotal.com/de/file/e65315616ee6ac28ec9e8f0f43ddb0f189a81b515369a72fc8a6b69db280d829/analysis/1382295546/

[Secondmineboy]

I dont have a WindowsVM at the moment just Ubuntu and Linux Mint.

But i will set up one when i have time.