Author Topic: Possible phishing?  (Read 5990 times)


mvandemar (Guest)
Possible phishing?
« on: August 09, 2006, 06:43:19 PM »
Hello,

Just got an email directing me to a site pretending to be an e-greeting card site. I checked it out, and they have some program that they are claiming is the newest Flash player (it isn't). They are using Javascript to attempt to get the user to install it. I downloaded the program and scanned it, but Avast did not recognize it as a virus or a worm, although I highly suspect that it is a phishing program. Domain is hosted and a non-reverse DNS'd address, newly registered, can't figure out who the host is.

The site address and the program are located at:
**edited out**

The executable is:
**edited out**

What do you think? Is this something Avast should have in its virus definitions?

Thanks.

-Michael
« Last Edit: August 09, 2006, 07:27:40 PM by mvandemar »

Lisandro (Avast team)
Re: Possible phishing?
« Reply #1 on: August 09, 2006, 07:12:42 PM »
Please do not post links to infected (or suspicious) files here; people could inadvertently click on them  :(
Although, Dr. Web says it's clean...
« Last Edit: August 09, 2006, 07:15:34 PM by Tech »
The best things in life are free.

mvandemar (Guest)
Re: Possible phishing?
« Reply #2 on: August 09, 2006, 07:30:39 PM »
Edited out the links.

I know it's not what it purports to be though. It is not Flash, they are spoofing another website, it follows the behavior patterns of someone trying to install a trojan. I know it's not getting picked up by AV programs, which is exactly why it concerns me. If it is a new virus and/or trojan, and neither my nor your AV is detecting it, then the spread threat would be fairly high, wouldn't it?

-Michael

Lisandro (Avast team)
Re: Possible phishing?
« Reply #3 on: August 09, 2006, 07:33:17 PM »
Quote from: mvandemar
If it is a new virus and/or trojan, and neither my nor your AV is detecting it, then the spread threat would be fairly high, wouldn't it?

Michael, send the info by email to Alwil.
Maybe to virus (at) avast.com
We need an 'official' word about it, especially if it is not a known virus...

mvandemar (Guest)
Re: Possible phishing?
« Reply #4 on: August 09, 2006, 07:44:06 PM »
Wow, 17649 posts and you're not official yet? :p

Ok, zipped it up in a password-protected file and sent the details to them. I asked for confirmation as to whether or not it was actually a virus or trojan; do you know if they tend to reply to reports like that?

-Michael

mvandemar (Guest)
Re: Possible phishing?
« Reply #5 on: August 09, 2006, 07:48:12 PM »
Grrrr!
Quote
Our e-mail content detector has just been triggered by a message you sent:
  To: virus@avast.com
  Subject:  Avast not recognizing this
  Date: Wed Aug  9 12:42:35 2006

One or more of the attachments (install_flash_player.zip, install_flash_player.exe) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Hm... any ideas?

-Michael

Edit - ok, renamed the .exe to .ex_ and used WinRAR instead of Winzip, seems to have worked.
« Last Edit: August 09, 2006, 07:56:29 PM by mvandemar »

mvandemar (Guest)
Re: Possible phishing?
« Reply #6 on: August 09, 2006, 08:34:09 PM »
Ok, using VirusTotal.com it says it's passing the test of 9 engines, including Avast, McAfee, Symantec, and DrWeb... but failing on many others.

Not sure if the link works without a cookie (would think it would) but here's the report:
http://www.virustotal.com/vt/en/resultadof?b639ccc7fd2339b7cb3b6420435079a5

-Michael

polonus (Avast Überevangelist, malware fighter)
Re: Possible phishing?
« Reply #7 on: August 09, 2006, 09:01:40 PM »
Hi mvandemar,

Good find, possibly a new variety of the Hanlo generic trojan downloader, with Haxdoor characteristics as well. These new varieties are hardened against detection by the big AV scanners; that is why McAfee and Symantec did not alert.

Another of this variety is described here:
http://www.sophos.com/security/analyses/trojhanlob.html

Look if there are traces of file2.exe and load.exe on your computer.
Another type is described here by Nod (Spanish):
http://www.vsantivirus.com/trojandownloader-hanlo-d.htm

But anyway good you have sent it to avast, they can bite their teeth at this new one, and protect us all from it.
If you have the Netcraft toolbar or the Trustwatch add-on, report this page as fraud/phishing to them, so surfers are aptly warned not to go there. Better safe than sorry,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DavidR (Avast Überevangelist)
Re: Possible phishing?
« Reply #8 on: August 09, 2006, 09:12:38 PM »
Quote from: mvandemar
Grrrr!
<snip>
Edit - ok, renamed the .exe to .ex_ and used WinRAR instead of Winzip, seems to have worked.

For the future, you could also add the suspect files to the virus chest. Open the virus chest, User Files, then click File, Add, navigate to the files and add them to the User Files section of the chest. Once in the chest you can right click on the file and select email to Alwil Software, this way you don't have to zip and password protect the files avast looks after this.

The ISP/Service/Site is kidding itself if it thinks restricting extensions is a security measure when it is so easily circumvented as to make the measure worthless.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mvandemar (Guest)
Re: Possible phishing?
« Reply #9 on: August 09, 2006, 09:15:52 PM »
Quote from: polonus
If you have the Netcraft toolbar or the Trustwatch add-on, report this page as fraud/phishing to them, so surfers are aptly warned not to go there. Better safe than sorry,

Actually, I don't have either. PM'ing you the url in case you have them, I hope you don't mind.

Quote from: DavidR
For the future, you could also add the suspect files to the virus chest. Open the virus chest, User Files, then click File, Add, navigate to the files and add them to the User Files section of the chest. Once in the chest you can right click on the file and select email to Alwil Software, this way you don't have to zip and password protect the files avast looks after this.

Thank you, I did not know that, and yes, you are right. I hate it when hosts do that. It would be different if it were from an actual scan, but to base it on extensions is silly.

-Michael

mvandemar (Guest)
Re: Possible phishing?
« Reply #10 on: August 09, 2006, 09:25:15 PM »
Quote from: DavidR
Grrrr!
<snip>
Edit - ok, renamed the .exe to .ex_ and used WinRAR instead of Winzip, seems to have worked.

For the future, you could also add the suspect files to the virus chest. Open the virus chest, User Files, then click File, Add, navigate to the files and add them to the User Files section of the chest. Once in the chest you can right click on the file and select email to Alwil Software, this way you don't have to zip and password protect the files avast looks after this.

The ISP/Service/Site is kidding itself if it thinks restricting extensions is a security measure when it is so easily circumvented as to make the measure worthless.

Ok, this is too much. ".tmp" files are not allowed because Microsoft said they can be dangerous.

Quote from: Idjit Host of Mine
Our e-mail content detector has just been triggered by a message you sent:
  To: virus@avast.com
  Subject:  avast!
  Date: Wed Aug  9 14:21:54 2006

One or more of the attachments (unp138675358.tmp) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: Dangerous attachment according to Microsoft Q883260 (unp138675358.tmp)

--
MailScanner
Email Virus Scanner
StayHosted

Do the tech teams read these boards? If that filtering is common practice then they should modify how the "report to Avast" functionality works in order to use a different extension...

-Michael
« Last Edit: August 09, 2006, 09:30:09 PM by mvandemar »

DavidR (Avast Überevangelist)
Re: Possible phishing?
« Reply #11 on: August 09, 2006, 10:51:41 PM »
Yes, the Alwil team do monitor and participate in these forums. Filtering on extension alone isn't common and is stupid; if just changing the extension gets around the restriction, and it is not backed up by a scan, it is an absolute waste of everyone's time.

Strange that MS didn't include .doc or .xls as potentially dangerous if they are going to say .tmp is, they are hardly going to restrict every MS Office file type so the double standard is amazing.

Quote
Microsoft Outlook Express, Microsoft Windows Messenger, Microsoft MSN Messenger, and Microsoft Internet Explorer use the Attachment Manager to handle e-mail attachments and Internet downloads.
So this is probably coming from Outlook Express and you can disable this restriction, Tools, Options, Security, untick Do not allow attachments ......... that is enabled by default, see image.

With this unticked hopefully you shouldn't suffer from any restriction.
« Last Edit: August 09, 2006, 10:53:33 PM by DavidR »

Spiritsongs (Guest)
Re: Possible phishing?
« Reply #12 on: August 10, 2006, 12:52:25 AM »
:) Hi MVandemar:

The "Clearing House" of possible phishes should be:

http://www.castlecops.com/f122-Phishing_Fraud_and_Dastardly_Deeds.html

polonus (Avast Überevangelist, malware fighter)
Re: Possible phishing?
« Reply #13 on: August 10, 2006, 09:35:27 PM »
Hi mvandemar,

Today I got a mail from Netcraft toolbar that they received the notification, and they would look into the matter and take appropriate action on whatever they find there. So you can be assured the matter will be tackled, and surfers will be secure.

polonus (anti-malware fighter)
