This is the film of my birthday…
Can you recognize who is next to me?
There is an attached file (anniversaire.asx):
Codec not found
Download Codecs
-----------------------------------------
As you can guess, instead of watching a birthday (anniversaire) movie, you end up with the file “codecs.exe” being downloaded and executed on your PC.
Avast marks the email as clean and doesn’t detect any viral code in “codecs.exe”. But the way “codecs.exe” is delivered is so suspicious that this file must be some kind of malware.
I have checked who registered t35.com but the identity is protected. I have informed namecheap.com (the registrar).
Feel free to contact me if you need more explanation and thanks for your great product.
Complete email headers follow:
From: - Sun Feb 11 08:46:15 2007
X-Account-Key: account2
X-UIDL: 1171147011.20627.mrelay2-2
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: saiico@hotmail.com
Delivered-To: online.fr-drr@free.fr
Received: (qmail 20616 invoked from network); 10 Feb 2007 22:36:51 -0000
Received: from 201.37.63.125 (HELO hotmail.com) (201.37.63.125) by mrelay2-2.free.fr with SMTP; 10 Feb 2007 22:36:51 -0000
Message-ID: 20070210223637810.ZXIRQ6Ot1bA5GkU4Tkld@mx1.free.fr
From: saiico@hotmail.com
To: drr@free.fr
Subject: Anniversaire
Date: Sat, 10 Feb 2007 20:36:37 -0200
MIME-Version: 1.0
X-Priority: 0
X-MSMail-Priority:
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_000098D3.051E5DBD"
X-ProXaD-SC: Score=35
X-Antivirus: avast! (VPS 000712-4, 11/02/2007), Inbound message
X-Antivirus-Status: Clean
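The headers above carry the evidence the poster is reacting to: the host that connected to free.fr's relay announced itself with HELO hotmail.com, yet the relay could only log its bare IP (no reverse DNS), so the "From: saiico@hotmail.com" claim rests on nothing but the peer's own word. The script below is an added example (not from the original post or from Avast) that parses a qmail-style Received line, checks whether the HELO claim is backed by reverse DNS, ties it to the From domain, and measures the skew between the Date header and the relay's timestamp. The message text is the quoted header block with the X-Mozilla bookkeeping lines dropped and a placeholder body appended; the finding labels are my own naming.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers quoted from the post above (X-Mozilla-* lines left out); a placeholder
# body is appended so the parser sees a complete message.
RAW_MESSAGE = """\
Return-Path: saiico@hotmail.com
Delivered-To: online.fr-drr@free.fr
Received: (qmail 20616 invoked from network); 10 Feb 2007 22:36:51 -0000
Received: from 201.37.63.125 (HELO hotmail.com) (201.37.63.125) by mrelay2-2.free.fr with SMTP; 10 Feb 2007 22:36:51 -0000
From: saiico@hotmail.com
To: drr@free.fr
Subject: Anniversaire
Date: Sat, 10 Feb 2007 20:36:37 -0200
X-Antivirus-Status: Clean

(body omitted)
"""

# qmail records a network hop as:
#   from <reverse-DNS name or bare IP> (HELO <claimed name>) (<IP>) by <relay>
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)"
)


def _to_utc(dt):
    # parsedate_to_datetime returns a naive value for a "-0000" zone; treat it as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_received(value):
    """Split one qmail-style Received header into its hop fields.
    Returns None for lines that are not network hops (e.g. 'invoked from network')."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    hop["timestamp"] = _to_utc(parsedate_to_datetime(value.rpartition(";")[2].strip()))
    return hop


def analyze_headers(raw):
    """Return the external hop, the Date/Received skew in seconds and a list of findings."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Received headers are prepended newest-first, so the first parsable hop is the
    # one written by the recipient's relay: the host that connected and said HELO.
    external = hops[0] if hops else None
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    skew = None
    if external:
        helo = external["helo"].lower()
        # The relay logged the bare IP instead of a name, so the HELO string is an
        # unverified claim, not an identity.
        if external["rdns"] == external["ip"]:
            findings.append("helo_unverified: %s claims HELO %s but has no reverse DNS"
                            % (external["ip"], helo))
            # An unresolvable peer asserting the sender's own domain is the usual
            # shape of a forged From header.
            if helo == sender_domain or helo.endswith("." + sender_domain):
                findings.append("sender_domain_forged: From domain %s is backed only by the peer's HELO"
                                % sender_domain)
        date_hdr = msg.get("Date")
        if date_hdr:
            skew = (external["timestamp"] - _to_utc(parsedate_to_datetime(date_hdr))).total_seconds()
            if abs(skew) > 3600:
                findings.append("date_skew: Date header is %.0f s away from the relay's timestamp" % skew)
    return {"external_hop": external, "sender_domain": sender_domain,
            "date_skew_seconds": skew, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_headers(RAW_MESSAGE)["findings"]:
        print(finding)
```

Run against the quoted headers it reports the unverified HELO and the forged sender domain; the Date header (20:36:37 -0200) lands 14 seconds before the relay's 22:36:51 UTC stamp, which is consistent, so no skew finding is raised. With DNS available, the natural next step is to resolve the peer's PTR record and compare it with the HELO name, which this offline version deliberately does not attempt.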
You were right to suspect the file. VirusTotal shows it is malware:
Antivirus      Version          Update       Result
AntiVir        7.3.1.36         02.09.2007   TR/Dldr.VB.FT.39
Authentium     4.93.8           02.09.2007   no virus found
Avast          4.7.936.0        02.11.2007   no virus found
AVG            386              02.10.2007   no virus found
BitDefender    7.2              02.11.2007   Trojan.Downloader.VB.ACL
CAT-QuickHeal  9.00             02.09.2007   no virus found
ClamAV         devel-20060426   02.10.2007   no virus found
DrWeb          4.33             02.10.2007   Trojan.DownLoader.18513
eSafe          7.0.14.0         02.09.2007   no virus found
eTrust-Vet     30.4.3384        02.10.2007   no virus found
Ewido          4.0              02.10.2007   Downloader.VB.ft
Fortinet       2.85.0.0         02.11.2007   W32/VB.ft!tr.dldr
F-Prot         4.2.1.29         02.09.2007   no virus found
F-Secure       6.70.13030.0     02.10.2007   Trojan-Downloader.Win32.VB.ft
Ikarus         T3.1.0.31        02.11.2007   Trojan-Downloader.Win32.VB.FT
Kaspersky      4.0.2.24         02.11.2007   Trojan-Downloader.Win32.VB.ft
McAfee         4960             02.09.2007   no virus found
Microsoft      1.2204           02.11.2007   no virus found
NOD32v2        2051             02.10.2007   a variant of Win32/TrojanDownloader.VB.FI
Norman         5.80.02          02.09.2007   no virus found
Panda          9.0.0.4          02.10.2007   no virus found
Prevx1         V2               02.11.2007   no virus found
Sophos         4.13.0           02.08.2007   no virus found
Sunbelt        2.2.907.0        02.09.2007   no virus found
Symantec       10               02.11.2007   Downloader
TheHacker      6.1.6.056        02.11.2007   Trojan/Downloader.VB.ft
UNA            1.83             02.09.2007   no virus found
VBA32          3.11.2           02.10.2007   Trojan-Downloader.Win32.VB.ft
VirusBuster    4.3.19:9         02.10.2007   no virus found
Please could you break the link to the malware so it is not clickable? We don’t want anybody downloading the malware by mistake.
You can send the file to virus@avast.com in a zipped and password protected archive. (Use the password: virus and mention this and the malware name in the e-mail).
I have also received this mail this morning and I think I have clicked on the attached file… but not sure…
Can you tell me how to check whether I have the virus and how to remove it if that’s the case… ?
The fastest & easiest way would be to scan with a program that already detects this trojan. Try Ewido/AVG antispyware (www.ewido.net) and/or Dr.Web CureIT (http://www.freedrweb.com/cureit/)