SANS: New email virus making the rounds


We are currently analyzing a copy of .. something. Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia...message.zip contains a file named "Secure E-mail File.hta", which is according to current Virustotal output only detected by Panda and Kaspersky, the latter calls it Worm.Win32.Feebs.k . Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated, it has 2 obfuscation functions, one being easy unescape, while the other one is a bit more complex. SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Linked by shanmuga Thursday, 12th January 2006 12:26AM