Waledac trojan not detected by Avast! v4.8.1335

There is a spate of Valentine e-cards going 'round, with either an embedded file or a link to it, which seems (according to postings at ca.com) to be the Waledac trojan. The several iterations of it that I’ve discovered are all named loveu.exe. Many, though probably not all, of the domains hosting it are registered at the Chinese spam-haven NIC known as ENAME. Source: http://rss.uribl.com/nic/XIAMEN_ENAME_NETWORK_TECHNOLOGY_CORPORATION_LIMITED_DBA_ENAME_CORP.html (search page for “valentine”)

The sites are scripted to automatically download and execute the file.

Fortunately I have scripting disabled, but I was curious, so I downloaded the file for examination. I ran Avast!'s scanner and the finding was negative. So I decided to submit it.

You don’t take submissions??

Okay, I’ll use Jotti, at your suggestion. Uploading.

While I’ve been waiting for those results I alerted Shadowserver and sudosecure.net, both of whom have been tracking Waledac - quite publicly - since last November or so.

Okay, here are the Jotti results:
Status:
INFECTED/MALWARE
MD5: 4d1b3d51fdaaf609aa3e6741108cfcd3
Packers detected:

Scanner results
Scan taken on 14 Feb 2009 03:59:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Kryptik.HG
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Trojan.Waledac.Gen!Pac.6
VBA32 Found nothing

Hope this info helps somebody.

Happy Valentine’s Day.
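As an added example (not part of the original thread), a small Python script that parses the Jotti result lines quoted above and reports how many engines flagged the sample and which of them name the Waledac family; the scanner list is copied from the post, and the line format "<scanner> Found <verdict>" is the only assumption.

```python
import re

# The 20 scanner lines from the Jotti report quoted in the post (verbatim).
JOTTI_REPORT = """\
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Kryptik.HG
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Trojan.Waledac.Gen!Pac.6
VBA32 Found nothing
"""

# "<scanner> Found <verdict>": scanner names may contain spaces, so the first
# group is greedy and the split lands on the last " Found " in the line.
LINE_RE = re.compile(r"^(?P<scanner>.+) Found (?P<verdict>.+)$")


def summarize(report, family="Waledac"):
    """Count engines that flagged the sample and those naming the expected family."""
    scanners, detections = 0, {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, timestamp or blank line: not a scanner result
        scanners += 1
        verdict = m.group("verdict")
        if verdict.lower() != "nothing":
            detections[m.group("scanner")] = verdict
    named = sorted(s for s, v in detections.items() if family.lower() in v.lower())
    return {"scanners": scanners, "detections": detections, "named": named}


if __name__ == "__main__":
    s = summarize(JOTTI_REPORT)
    print(f"{len(s['detections'])}/{s['scanners']} engines flagged it; named: {s['named']}")
```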

Hi, Electronic War reports,
Virus samples, and (I believe) links to suspicious sites, can be emailed to virus@avast.com. Any files sent should be zipped and password protected, and the password included in the body of the text.
Samples that have been moved by the user to the chest can be submitted direct from the chest.
Hope this helps, and that you can do the same.
More info here: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=199&nav=0,1

Not at all sure why I would take the time to figure out how to move a false negative into the Chest. The information provided above should be sufficient to find the virus files if anyone wants to take a proactive approach toward product improvement.

These e-cards are being shot out right now for Valentine’s Day. Whoops, too late.

Following sent to US federal authorities:

Russians operating illegal "Glavmed" online pharmacies (as "Canadian Pharmacy", etc) propagate trojan-horse virus

Hello,

I found several websites hosting the Waledac trojan as scripted downloads which auto-execute. They are evidently linked to "greeting cards", sent by the Russian operators of illegal online pharmacies, in order to turn recipients' machines into spambots to promote their criminal enterprises.

See http://rss.uribl.com/nic/XIAMEN_ENAME_NETWORK_TECHNOLOGY_CORPORATION_LIMITED_DBA_ENAME_CORP.html and look for 'valentine' in the name, for a few of these.

For example
funnyvalentinessite.com
thevalentineparty.com
valentinesupersite.com
yourvalentinepoems.com

At that same site you will find domains which link directly or via dynamic-redirection services (e.g., OpenDNS.com) to pharmacy sites selling counterfeit pharmaceuticals and controlled substances.

The sites I list above are scripted to download and execute loveu.exe or kit.exe.

I scanned one of these files with Avast! and got negative detection. I tried to submit the file to Avast, but they have no way to do so, referring customers instead to the Jotti online scanner.

Of the twenty antivirus programs tested, only two returned a positive detection, and only VirusBuster detected it properly by name. I contacted the Hungarian publishers of that software to inform them of this, so that they might update their website.

Theirs was the only one I could find that properly identified the threat, although it was somewhat out of date.

That information may be found here:
http://www.virusbuster.hu/en/viruslab/alerts/090227-waledac

Good information on Glavmed can be found at http://ikillspammers.blogspot.com
and
http://ksforum.inboxrevenge.com/viewtopic.php?f=1&t=2182&start=75


Thanks for reading.