This email poses as a Windows Portal News message and addresses the recipient as a Windows Live Member. People with Windows Live Mail and Hotmail accounts will easily fall for this one.
Needless to say, the email does not come from Microsoft.

File details


Filename: video.avi.exe

File size: 110080 bytes
MD5...: 63aaec539c2066162245dbcd401ed6dd
SHA1..: 636c40e8a36b8c5148ebc155ab3507a46f9cc6b5
SHA256: 8c02faea017673b30952dbeb1f9f110cc9f7cb9a4521da5cf504c1e76c594086
PEiD..: -
File video.avi.exe received on 07.31.2008 06:58:50 (CET)
AhnLab-V3 2008.7.29.1 2008.07.31 -
AntiVir 7.8.1.12 2008.07.30 HEUR/Crypted
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.30 -
AVG 8.0.0.156 2008.07.30 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.31 -
CAT-QuickHeal 9.50 2008.07.30 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 -
eSafe 7.0.17.0 2008.07.29 Suspicious File
eTrust-Vet 31.6.5997 2008.07.31 -
Ewido 4.0 2008.07.30 -
F-Prot 4.4.4.56 2008.07.30 -
F-Secure 7.60.13501.0 2008.07.31 Trojan-Downloader:W32/Zlob.HUN
Fortinet 3.14.0.0 2008.07.31 -
GData 2.0.7306.1023 2008.07.31 Trojan-Downloader.Win32.FraudLoad.vati
Ikarus T3.1.1.34.0 2008.07.31 -
Kaspersky 7.0.0.125 2008.07.31 Trojan-Downloader.Win32.FraudLoad.vati
McAfee 5350 2008.07.30 Fakealert-AG.gen
Microsoft 1.3704 2008.07.28 -
NOD32v2 3311 2008.07.30 -
Norman 5.80.02 2008.07.30 -
Panda 9.0.0.4 2008.07.30 -
PCTools 4.4.2.0 2008.07.30 -
Prevx1 V2 2008.07.31 -
Rising 20.55.30.00 2008.07.31 -
Sophos 4.31.0 2008.07.31 Mal/TibsPk-D
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.31 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.30 -
VBA32 3.12.8.1 2008.07.29 -
ViRobot 2008.7.30.1317 2008.07.30 -
VirusBuster 4.5.11.0 2008.07.30 -
Webwasher-Gateway 6.6.2 2008.07.31 Heuristic.Crypted

Notes


A closer look reveals that a fake (rogue) antivirus, Antivirus XP 2008, will be downloaded to the computer. We notice the presence of the following domains:
  • avxp-08.com
  • youpornztube.net
The file structure and the domains are very similar to those of 0.exe, which was downloaded by c:\boot.bak.
Reference: Exploiting redirects in Flash content.
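The checks an analyst would run over the details above, as an added example (this is not code from the original post): parse the scanner table into a detection ratio, flag the double extension in video.avi.exe, pull domain indicators out of a strings dump, and compare a file's hashes against the ones listed under File details. The scanner lines and hashes are copied from this post; the strings dump is a constructed stand-in for the real binary's output, and the decoy/executable extension lists and the TLD allowlist are assumptions made for the example.

```python
import hashlib
import re

# Hashes copied from the post's "File details" section.
KNOWN_HASHES = {
    "md5": "63aaec539c2066162245dbcd401ed6dd",
    "sha1": "636c40e8a36b8c5148ebc155ab3507a46f9cc6b5",
    "sha256": "8c02faea017673b30952dbeb1f9f110cc9f7cb9a4521da5cf504c1e76c594086",
}

# The scanner table from the post: "engine version date verdict" per line.
AV_RESULTS = """\
AhnLab-V3 2008.7.29.1 2008.07.31 -
AntiVir 7.8.1.12 2008.07.30 HEUR/Crypted
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.30 -
AVG 8.0.0.156 2008.07.30 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.31 -
CAT-QuickHeal 9.50 2008.07.30 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 -
eSafe 7.0.17.0 2008.07.29 Suspicious File
eTrust-Vet 31.6.5997 2008.07.31 -
Ewido 4.0 2008.07.30 -
F-Prot 4.4.4.56 2008.07.30 -
F-Secure 7.60.13501.0 2008.07.31 Trojan-Downloader:W32/Zlob.HUN
Fortinet 3.14.0.0 2008.07.31 -
GData 2.0.7306.1023 2008.07.31 Trojan-Downloader.Win32.FraudLoad.vati
Ikarus T3.1.1.34.0 2008.07.31 -
Kaspersky 7.0.0.125 2008.07.31 Trojan-Downloader.Win32.FraudLoad.vati
McAfee 5350 2008.07.30 Fakealert-AG.gen
Microsoft 1.3704 2008.07.28 -
NOD32v2 3311 2008.07.30 -
Norman 5.80.02 2008.07.30 -
Panda 9.0.0.4 2008.07.30 -
PCTools 4.4.2.0 2008.07.30 -
Prevx1 V2 2008.07.31 -
Rising 20.55.30.00 2008.07.31 -
Sophos 4.31.0 2008.07.31 Mal/TibsPk-D
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.31 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.30 -
VBA32 3.12.8.1 2008.07.29 -
ViRobot 2008.7.30.1317 2008.07.30 -
VirusBuster 4.5.11.0 2008.07.30 -
Webwasher-Gateway 6.6.2 2008.07.31 Heuristic.Crypted
"""

# Constructed stand-in for a `strings` dump of the dropper (not the real output).
STRINGS_DUMP = (b"kernel32.dll\x00GetProcAddress\x00http://avxp-08.com/download/\x00"
                b"youpornztube.net\x00video.avi.exe\x00setup_avxp08.exe\x00")

# Assumed lists: media/document extensions used as decoys, and executable ones.
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "jpg", "gif", "pdf", "doc", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Assumed TLD allowlist; it keeps DLL names such as kernel32.dll out of the domain list.
DOMAIN_RE = re.compile(rb"(?<![a-z0-9.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*"
                       rb"\.(?:com|net|org|info|biz))(?![a-z0-9-])", re.I)

def parse_av_results(text):
    """Return [(engine, verdict)] with verdict None where the engine reported '-'.
    Anything else, including heuristics like '(Suspicious) - DNAScan', is a hit."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            engine, _version, _date, verdict = line.split(maxsplit=3)
            rows.append((engine, None if verdict == "-" else verdict))
    return rows

def detection_summary(rows):
    """Return (engines that flagged the file, number of engines that scanned it)."""
    return [engine for engine, verdict in rows if verdict], len(rows)

def double_extension(filename):
    """Return (decoy, real) for names like video.avi.exe, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS:
        return parts[1], parts[2]
    return None

def extract_domains(blob):
    """Sorted, de-duplicated domain names found in a binary or strings blob."""
    return sorted({m.group(1).decode().lower() for m in DOMAIN_RE.finditer(blob)})

def matching_hashes(data):
    """Names of the post's hashes that match `data` (empty set = not this sample)."""
    return {name for name, digest in KNOWN_HASHES.items()
            if hashlib.new(name, data).hexdigest() == digest}

if __name__ == "__main__":
    hits, total = detection_summary(parse_av_results(AV_RESULTS))
    print(f"{len(hits)}/{total} engines flagged video.avi.exe: {', '.join(hits)}")
    print("double extension:", double_extension("video.avi.exe"))
    print("domains:", extract_domains(STRINGS_DUMP))
```

Run against the table above this yields 10 of 35 engines flagging the file, which is why a single-vendor verdict is a poor basis for clearing an attachment like this one; the heuristic labels (HEUR/Crypted, Suspicious File, DNAScan) are counted as detections because they are what a packed downloader typically triggers before a signature exists.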

A mutex is created to mark the malware's presence on the system, so that a later instance can tell that one is already running.