The Ximian-Evolution spammer has been busy: 4-pack of malware, pathetic AV detection (Oc...


The XimianEvolution spammer has been very busy today.

Sent me a 4-pack of spam fun!

None of these had been seen by VT.  Detection rates of 7, 9, 10 and 28
out of 54.  Clearly, initial detection (within 1 or 2 hours of the file
going wild) gives poor results, and detection after 24 hours rises to
50%.

VT links:

Detection rate: 28/54
https://www.virustotal.com/en/file/83f8afcf19c7b8c209b4b0dc90511909dbe682836741d61e5f3a7b6e9c29a7db/analysis/1414017956/

Detection rate: 9/54
https://www.virustotal.com/en/file/7036786ee33c0e124a5388ddc47506bc1e225e232291e88fd3cff55e93c78acb/analysis/1414017987/

Detection rate: 10/53
https://www.virustotal.com/en/file/57d565a328d32ac6ec68285789b300c4bf4aa078c968e2a20dbb0f29d1863c0d/analysis/1414018038/

Detection rate: 7/54
https://www.virustotal.com/en/file/483b8bb536bad068d10a72e60006b01ab977ea7ba5ee8425f02a520f44c19956/analysis/1414018083/

Get your copy (a 4-pack!) here:
http://www.filedropper.com/note0183copy

Here's where these came from:

========================================

Return-Path:  

Received:
from arrowhair.com ([67.169.141.111])
from lakelanddivorcelawyers.com ([204.89.60.10])
from connecticuttruckaccidentlawyers.com ([96.61.203.86])
from iowatruckaccidentlawyers.com ([24.28.14.237])

From:

Subject:
Your order # NR17-MUNGED has been completed
Notice to Appear in Court
Hearing of your case in Court
Notice to Appear in Court

Tue, 21 Oct 2014 02:46:23
Wed, 22 Oct 2014 13:23:12
Wed, 22 Oct 2014 17:34:11
Wed, 22 Oct 2014 16:40:27

X-Mailer:
XimianEvolution1.4.6

----------------------------
Hello,

TICKET NUMBER / ET-09309743  
SEAT / 51F/ZONE 1  
DATE / TIME 17 NOVEMBER, 2014, 09:35 AM  
ARRIVING / Overland Park  
FORM OF PAYMENT / XXXXXX  
TOTAL PRICE / 284.48 USD  
REF / KE.9659 ST / OK  
BAG / 7PC  

Your ticket is attached.  
To use your ticket you should print it.  

Thank you for using our airline company services.  
Delta Air Lines.
----------------------------
Notice to Appear,

The copy of the court notice is attached to this letter.

Note: If you do not attend the hearing the judge may hear the case in
your absence.

Truly yours,
Clerk to the Court,
Isabella Tailor
----------------------------
Notice to Appear,

The copy of the court notice is attached to this letter.

Note: If you do not attend the hearing the judge may hear the case in
your absence.

Truly yours,
Clerk to the Court,
Abigail Smith
----------------------------
Notice to Appear,

The copy of the court notice is attached to this letter.

Note: If you do not attend the hearing the judge may hear the case in
your absence.

Truly yours,
Clerk to the Court,
Betty Smith
----------------------------
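One defender-side use of the headers quoted above is a mail-gateway triage rule keyed on the shared X-Mailer string, the recurring subjects, and an archive attachment, with the injecting host pulled from the outermost Received line. This is an added example, not code from the poster; the sample message and the example.invalid relay names are constructed to mirror the headers shown, not a real capture.

```python
import email
from email import policy

# Indicators taken from the thread: the X-Mailer string and the subject lines.
CAMPAIGN_MAILER = "XimianEvolution1.4.6"
CAMPAIGN_SUBJECTS = ("notice to appear in court", "hearing of your case", "your order #")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")

def triage(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report which campaign indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mailer = (msg.get("X-Mailer") or "").strip()
    subject = (msg.get("Subject") or "").strip()
    hops = [str(h) for h in msg.get_all("Received", [])]
    # Each relay prepends its own Received header, so the last one is the hop
    # closest to the sender; its "from" token names the injecting host.
    origin = hops[-1].split()[1] if hops and hops[-1].startswith("from ") else ""
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = []
    if mailer == CAMPAIGN_MAILER:
        hits.append("x-mailer")
    if any(s in subject.lower() for s in CAMPAIGN_SUBJECTS):
        hits.append("subject")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        hits.append("attachment")
    # An old X-Mailer string alone is weak evidence; require a second indicator.
    return {"origin": origin, "attachments": attachments, "hits": hits,
            "quarantine": "x-mailer" in hits and len(hits) >= 2}

# Constructed sample mirroring the headers quoted in the post (not a real capture).
SAMPLE_SPAM = b"""\
Received: from mx.example.invalid by inbox.example.invalid; Wed, 22 Oct 2014 13:23:20 +0000
Received: from arrowhair.com ([67.169.141.111]) by mx.example.invalid
From: clerk@example.invalid
Subject: Notice to Appear in Court
X-Mailer: XimianEvolution1.4.6
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The copy of the court notice is attached to this letter.
--b1
Content-Type: application/zip; name="Notice_to_Appear.zip"
Content-Disposition: attachment; filename="Notice_to_Appear.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

Run `triage(SAMPLE_SPAM)` to see all three indicators fire and the origin resolve to the host in the innermost Received line; a plain text message carrying only the X-Mailer string is reported but not quarantined.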

Re: The Ximian-Evolution spammer has been busy: 4-pack of malware, pathetic AV detection (Oct 22/2014)

Here are the AV programs that are your best bet for initial detection
(time-zero) for the Ximian-Evolution infectors:

AegisLab          Troj.W32.Yakes
Avast             Win32:GenMalicious-AFX
ESET-NOD32        a variant of Win32/Kryptik.BWOY
ESET-NOD32        Win32/TrojanDownloader.Zortob.H
F-Prot            W32/Zbot.QU3.gen!Eldorado
Fortinet          W32/Kryptik.DVNM!tr
Kaspersky         Net-Worm.Win32.Aspxor.dvtm
McAfee            Packed-BZ!B8306C23ECE5
McAfee            Downloader-FAII!A15A8D2FC892
McAfee-GW-Edition BehavesLike.Win32.Downloader.ch
Rising            PE:Malware.FakeDOC@CV!1.9C3C
Sophos            Mal/Wonton-G
Sophos            Troj/Weels-Z
TrendMicro-HC     TROJ_GEN.F0D1H0ZJM14
VBA32             BScope.P2P-Worm.Palevo
VIPRE             Trojan.Win32.Generic.pak!cobra


Here is the Malware Detection Hall of Shame:

AVware       Agnitum        Antiy-AVL     Baidu-Int.
Bkav         CAT-QuickHeal  CMC           ClamAV
Comodo       Ikarus         Jiangmin      K7AntiVirus
K7GW         Kingsoft       Malwarebytes  Norman
Qihoo-360    Symantec       Tencent       TheHacker  
TotalDefense Zillya         Zoner

For TrendMicro, TrendMicro-HC and VIPRE it's a crapshoot.
