New Virus on the loose

I have just received an email that looks legit with an attachment about DHL’s document tracker.
The file is zipped, but opening it in WinRAR, it’s an EXE file. Extracted into a folder, it looks like a PDF file, so it must be a diversion that lets other users think it’s a PDF file, since it uses the icon of a PDF file, but in fact it’s an EXE file.

I tried running it on a computer protected with DeepFreeze. When I ran the file, the computer automatically shut down.

Don’t know what should happen after shutdown since that computer has DeepFreeze. Everything restores to normal on reboot.

Anyway, I have already quarantined the file on my PC and submitted it to Avast. Currently, it’s not detected by Avast.

I’m hoping that this will be added to Avast’s virus database ASAP, so that it can be blocked right away.

Since this has to do with a virus, it should have been posted in the “virus and worms” section :wink:

Upload the file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here.

Sorry for the wrong thread.
I did submit it to VirusTotal, and only 3/43 detected the virus.

It actually looks legit, as the email came from support5boc@dhl.com, and dhl.com is a legit website.
With message:

Dear customer.

The parcel was sent our home address.
And it will arrive within 7 business day.

More information and the tracking number
are attached in the document below.

Thank you.

I did, submit to virustotal and only 3/43 detected the virus.
Could you share the result with us?

http://www.virustotal.com/file-scan/report.html?id=8e74199ee7c10149cf62f13f9ea47bc87ea4fe04057d044a4fae3e23903ef143-1299249232

Thanks :wink:

The VT result is now 7/43
http://www.virustotal.com/file-scan/report.html?id=8e74199ee7c10149cf62f13f9ea47bc87ea4fe04057d044a4fae3e23903ef143-1299253700

That was fast.

Not detected by Malwarebytes, but will be soon :wink:

http://www.virustotal.com/file-scan/report.html?id=8e74199ee7c10149cf62f13f9ea47bc87ea4fe04057d044a4fae3e23903ef143-1299290706

16/43 now but nothing from avast yet…

I’m curious how an exe file gets an icon that looks like PDF. Doesn’t the associated app determine the icon of a file?

Nope. You can change any file’s icon if you want. You can even create an icon of your face and use it as an icon of any file.

The From: address has absolutely no value regarding legitimacy of the sender. You can put just anything there. See the mail headers.
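As an added illustration of the point about mail headers (this is not code from anyone in the thread), the script below parses a constructed message whose From: line reuses the support5boc@dhl.com address quoted above, and compares it with the Return-Path and the earliest Received: hop, which are the fields a forging sender does not control. The Return-Path, host names and IP addresses are placeholders in reserved documentation ranges, not values from the thread.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (assumption: only the From: address is taken from
# the thread; Return-Path, hosts and IPs are documentation-range placeholders).
RAW_MESSAGE = """\
Return-Path: <bounce@example-bulkmailer.invalid>
Received: from mail.example-bulkmailer.invalid (mail.example-bulkmailer.invalid [203.0.113.7])
\tby mx.example.org with ESMTP id 4Fx7QK1p
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.example-bulkmailer.invalid with ESMTP
From: DHL Support <support5boc@dhl.com>
To: customer@example.org
Subject: DHL document tracker
Content-Type: text/plain

Dear customer.
"""


def address_domain(header_value: str) -> str:
    """Domain part of the address in a From:/Return-Path: header, lowercased ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def origin_host(received_headers: list) -> str:
    """Host named in the earliest Received: line.

    Each relay prepends its own Received: header, so the last one in the
    message is the hop closest to the real sender.
    """
    if not received_headers:
        return ""
    match = re.match(r"\s*from\s+(\S+)", received_headers[-1], re.IGNORECASE)
    return match.group(1).lower() if match else ""


def analyze_sender(raw: str) -> dict:
    """Check whether the envelope and the relay chain agree with the From: header."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = address_domain(str(msg.get("From", "")))
    return_path_domain = address_domain(str(msg.get("Return-Path", "")))
    first_hop = origin_host([str(h) for h in msg.get_all("Received", [])])

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(
            f"Return-Path domain '{return_path_domain}' differs from From: domain '{from_domain}'"
        )
    if from_domain and first_hop != from_domain and not first_hop.endswith("." + from_domain):
        findings.append(f"first hop '{first_hop}' is not a host under {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "first_hop": first_hop,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    result = analyze_sender(RAW_MESSAGE)
    for line in result["findings"]:
        print("-", line)
    print("suspicious:", result["suspicious"])
```

The Received: chain is the part worth reading by hand in a mail client's "show original" view: the From: line is free text typed by the sender, while each Received: line is stamped by a relay the sender did not write.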

Not for *.EXE files.

Makes sense now that I think about it. After all, exe files aren’t even really associated with any app.

Most .exe files actually have the image to be displayed incorporated inside the file.

So something which is an exe file yet displaying a PDF icon would be highly suspect as it is clearly intended to deceive.
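To make the last two posts concrete: a Windows executable carries its own icon in its resource section, so the icon tells you nothing about the file type, while the first bytes of the file do. The script below is an added example, not code from anyone in this thread. It identifies a file by its magic bytes (the MZ header plus the PE signature whose offset sits at 0x3C), flags an executable that hides behind a PDF name or a double extension, and runs that check over every member of a zip attachment in memory. The member name DHL_document_tracker.pdf.exe and the fake PE bytes are constructed for the demonstration; the fake PE has a valid header layout but is not a runnable program.

```python
import io
import zipfile

# Content type we expect to find behind a given extension.
EXPECTED_TYPE = {".pdf": "pdf", ".exe": "pe-executable", ".zip": "zip", ".rar": "rar"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name and its icon."""
    if data[:2] == b"MZ":
        # A PE file stores the offset of its 'PE\0\0' signature at 0x3C (e_lfanew).
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    if data.startswith(b"Rar!"):
        return "rar"
    return "unknown"


def assess(name: str, data: bytes) -> dict:
    """Compare what the file name suggests with what the bytes actually are."""
    kind = sniff(data)
    exts = ["." + part for part in name.lower().split(".")[1:]]
    findings = []
    if kind in ("pe-executable", "dos-executable"):
        findings.append("content is a Windows executable")
    if exts:
        expected = EXPECTED_TYPE.get(exts[-1])
        if expected is not None and expected != kind:
            findings.append(f"extension {exts[-1]} does not match content type {kind}")
    if len(exts) >= 2 and exts[-2] in EXPECTED_TYPE and exts[-2] != exts[-1]:
        # Explorer hides known extensions by default, so 'x.pdf.exe' shows as 'x.pdf'.
        findings.append(f"double extension {''.join(exts[-2:])}")
    return {"name": name, "type": kind, "findings": findings, "suspicious": bool(findings)}


def assess_archive(archive_bytes: bytes) -> list:
    """Run assess() over every member of a zip attachment without extracting to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(assess(info.filename, zf.read(info)))
    return results


def build_fake_pe() -> bytes:
    """Constructed bytes with a valid MZ/PE header layout (not a runnable program)."""
    dos_header = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points right after it
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_attachment() -> bytes:
    """Constructed zip resembling the attachment described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_document_tracker.pdf.exe", build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for r in assess_archive(build_sample_attachment()):
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(r["name"], r["type"], verdict, r["findings"])
```

The same sniff() check catches the case from the first post even when the name is a plain .pdf: the content type comes back as pe-executable and the extension mismatch is reported, regardless of which icon Explorer draws.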

No, you’re right. Again, now that I think about it, the different Windows accessor programs (e.g. task manager) are all exe files with custom icons.

It’s amazing how infrequently I actually work with exe files directly in their folders, so I rarely see the “exe”. Windows…gotta luv it. Most of it is app files. Mostly M$ Office documents. So different from my *nix geeky coding days. No wonder I lost track of the icon promiscuousness of exe files. I have become a corporate Windows user bot. It’s not as icky as I used to think it was, from the geeky side of the fence.