New email worm variant

Missed by some scanners:
File "Flash_Postcard.exe" received on 02.06.2007 at 18:42:27 (CET) is
being scanned by VirusTotal in this moment. Results will be shown as
they're generated.

Antivirus           Version         Update      Result
AntiVir                             02.06.2007  TR/Crypt.ULPM.Gen
Authentium          4.93.8          02.06.2007  Possibly a new variant of
Avast               4.7.936.0       02.06.2007  Win32:Tibs-AIE
AVG                 386             02.06.2007  no virus found
BitDefender         7.2             02.05.2007  Trojan.Peed.Gen
CAT-QuickHeal       9.00            02.06.2007  no virus found
ClamAV              devel-20060426  02.06.2007  Trojan.Downloader.Tibs.Gen-1
DrWeb               4.33            02.06.2007  Trojan.Packed.12
eSafe                               02.06.2007  suspicious Trojan/Worm
eTrust-InoculateIT  30.4.3372       02.06.2007  no virus found
eTrust-Vet          30.4.3372       02.06.2007  no virus found
Ewido               4.0             02.06.2007  no virus found
Fortinet                            02.06.2007  no virus found
F-Prot                              02.06.2007  W32/CodeCru-based!Maximus
Ikarus              T3.1.0.31       02.06.2007  no virus found
Kaspersky                           02.06.2007  Email-Worm.Win32.Zhelatin.r
McAfee              4957            02.06.2007  no virus found
Microsoft           1.2101          02.06.2007  Win32/Vxidl.gen!B
NOD32v2             2040            02.06.2007  no virus found
Norman              5.80.02         02.06.2007  W32/Tibs.gen30
Panda                               02.06.2007  Suspicious file
Prevx1              V2              02.06.2007  no virus found
Sophos              4.13.0          02.05.2007  Mal/HckPk-A
Sunbelt             2.2.907.0       02.02.2007  no virus found
Symantec            10              02.06.2007  no virus found
TheHacker                           02.05.2007  no virus found
UNA                 1.83            02.06.2007  no virus found

Additional Information
File size: 51192 bytes
MD5: 73aeb5b6ff55e48cc8c22dfa021413f1
SHA1: 41bd57d29cbd95fee7fa235458588bd6a083c140

Re: New email worm variant

Will Sunbelt ever catch one? I've submitted 6 different variants
over the past month - Sunbelt zip, zero, zilch.

Re: New email worm variant

No surprise that AVG didn't hit on it.

Bill Blevins
PGP Key ID: 0x5A4D07B0

Re: New email worm variant

I've been getting variations of this since Jan. 18, total of 25 as of
this afternoon. AVG calls it downloader.tibs. There have been numerous
variations and different file names. In most cases AVG does not
recognize it at first, but if I manually check for updates later in
the day it will. Apparently I'm one of the lucky early recipients.
Normally I just let AVG do its once a day update, but lately I've been
checking manually. I've found as many as 3 updates in one day.

Roger Grady
To reply by email, remove "qlfit." from address