
SANS ISC InfoSec Handlers Diary Blog



New UrSnif/Haxdoor Variant

Published: 2006-10-13
Last Updated: 2006-10-14 03:30:26 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
A number of readers reported a new variant of "Haxdoor" attachments. As usual, most AV products do not pick up this new virus yet. See below for a sample e-mail as submitted by our reader Derek. He ran the attachment through VirusTotal; only eTrust, Ikarus and Panda flagged it as suspect.

Thank you for ordering from our internet shop. If you paid with a 
credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply
as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting
archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat
software and can be viewed with Adobe Acrobat Reader. If you do not
already have this viewer configured on a local drive, you may download
it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your
items in stock (NY, TN, UT & CA). We strive to ship all orders the same
day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!
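As an added example (not from the diary or its readers), a small Python check of the kind a mail gateway could apply to this lure: it ignores the attachment's filename and classifies it by its leading bytes, flagging Windows executables (which is what a self-extracting archive is) and any attachment named .pdf whose content is not a PDF. The message, the filename 37679041.pdf.exe and the attachment bytes are constructed stand-ins, not the real sample.

```python
import email
from email import policy
from email.message import EmailMessage

# A self-extracting archive is a Windows PE executable, so it starts with "MZ"
# whatever the lure calls it; a real PDF starts with "%PDF-".
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"

def classify_attachment(data: bytes) -> str:
    """Classify by content only; the filename is attacker-controlled."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "executable"
    return "other"

def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, reason) for every attachment that is an executable,
    or that is named .pdf while its bytes are not a PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = classify_attachment(part.get_payload(decode=True) or b"")
        if kind == "executable":
            findings.append((name, "executable attachment"))
        elif name.lower().endswith(".pdf") and kind != "pdf":
            findings.append((name, "named .pdf but content is not PDF"))
    return findings

def build_sample() -> bytes:
    """Constructed message modelled on the quoted order confirmation. The
    attachment is an inert MZ stub, not the real sample, and the filename
    37679041.pdf.exe is an assumption (the diary does not give it)."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Order ID : 37679041"
    msg.set_content('Your Order Summary located in the attachment file '
                    '( self-extracting archive with "37679041.pdf" file ).')
    stub = PE_MAGIC + b"\x90" * 58 + b"PE\x00\x00" + b"\x00" * 32
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="37679041.pdf.exe")
    # A genuine PDF on the same message must not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

Calling suspicious_attachments(build_sample()) flags only the MZ stub, while the genuine PDF attachment passes.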

Update:
One of our readers (Matthew) has notified us that McAfee is able to identify this new
trojan and has already provided "extra.dat" support so that customers can update
their definitions (all platforms).

Running through VirusTotal again, other anti-virus scanners are starting to detect
this malware. Below are those with positive results:
Scanner             Version         Updated     Result
Authentium          4.93.8          10.13.2006  W32/Goldun.NK
AVG                 386             10.13.2006  Downloader.Generic2.TFP
BitDefender         7.2             10.14.2006  Trojan.Downloader.Agent.APP
ClamAV              devel-20060426  10.13.2006  Trojan.Downloader.Small-2854
eTrust-InoculateIT  23.73.22        10.13.2006  Win32/Ursnif.MJI!Trojan
eTrust-Vet          30.3.3131       10.13.2006  Win32/Ursnif!downloader
DrWeb               4.33            10.14.2006  Trojan.DownLoader.14120
Fortinet            2.82.0.0        10.13.2006  W32/Dloader.AYT!tr.dldr
F-Prot              3.16f           10.13.2006  security risk named W32/Goldun.NK
F-Prot4             4.2.1.29        10.13.2006  W32/Goldun.NK
Ikarus              0.2.65.0        10.13.2006  Win32.Outbreak
Kaspersky           4.0.2.24        10.14.2006  Trojan.Win32.Small.kn
McAfee              4873            10.13.2006  Downloader-AXM
Microsoft           1.1603          10.14.2006  TrojanDownloader:Win32/Agent.EP
NOD32v2             1.1803          10.13.2006  Win32/TrojanDownloader.Small.NPO
Norman              5.80.02         10.13.2006  W32/DLoader.BAOZ
Panda               9.0.0.4         10.14.2006  Trj/SpyForms.J
