Another GSBILL Trojan being spammed

Yet another trojan being spammed. This time another gsbill.exe. Rechnung, gsbill, and photoarticle seem to be on the rise these days (maybe for the holidays hehehe). Anyway, the advisory for this will be up soon.


And oh, it seems that gsbill has veered from its “You have ordered the following…” to email details similar to those of Sober. Check out the advisory page later to see what I mean. Possibly the malware author saw the success of Sober’s social engineering tactics and decided to try it out. Possibly. Or maybe this gsbill is another worm? We’ll see later as soon as analysis of the file is finished.


Update (JJ, 05 December 2005 21:24:49)

Nope, not a worm. Still a trojan: TROJ_DANMEC.F.


Update (JJ, 06 December 2005 11:11:54)

On second thought, it will now be detected as TROJ_DANMEC.E. A repacked version, this is. And yet again we are seeing repacked variants of this malware, this time with an MD5 of ed1e18049f51127976506fb8c0c87ef4. Current count for this is 12.