We had a couple viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file lgame.exe. The subject of the message was “Hot Pictures.” Sunbelt Software’s analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.
I plan to report this false negative to MessageLabs but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in a msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted to virustotal. Here are their results. (this is 7 hours after the files were originally sent).
| File lgame.exe received on 08.13.2007 15:00:28 (CET) | |||
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2007.8.9.2 | 2007.08.13 | – |
| AntiVir | 7.4.0.60 | 2007.08.13 | Worm/Ntech.D |
| Authentium | 4.93.8 | 2007.08.11 | – |
| Avast | 4.7.1029.0 | 2007.08.13 | Win32:Agent-JYG |
| AVG | 7.5.0.476 | 2007.08.13 | – |
| BitDefender | 7.2 | 2007.08.13 | DeepScan:Generic.PWS.Games.4.2D9F7732 |
| CAT-QuickHeal | 9.00 | 2007.08.13 | – |
| ClamAV | 0.91 | 2007.08.13 | Trojan.Dropper-2099 |
| DrWeb | 4.33 | 2007.08.13 | BackDoor.Bulknet |
| eSafe | 7.0.15.0 | 2007.08.10 | – |
| eTrust-Vet | 31.1.5055 | 2007.08.13 | Win32/Cutwail!generic |
| Ewido | 4.0 | 2007.08.13 | – |
| FileAdvisor | 1 | 2007.08.13 | – |
| Fortinet | 2.91.0.0 | 2007.08.13 | – |
| F-Prot | 4.3.2.48 | 2007.08.10 | – |
| F-Secure | 6.70.13030.0 | 2007.08.13 | Trojan-Downloader:W32/Agent.BRK |
| Ikarus | T3.1.1.12 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| Kaspersky | 4.0.2.24 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| McAfee | 5095 | 2007.08.10 | – |
| Microsoft | 1.2704 | 2007.08.13 | – |
| NOD32v2 | 2455 | 2007.08.13 | a variant of Win32/TrojanDownloader.Agent.BRK |
| Norman | 5.80.02 | 2007.08.13 | – |
| Panda | 9.0.0.4 | 2007.08.12 | – |
| Prevx1 | V2 | 2007.08.13 | – |
| Rising | 19.36.02.00 | 2007.08.13 | – |
| Sophos | 4.20.0 | 2007.08.12 | Mal/Dropper-L |
| Sunbelt | 2.2.907.0 | 2007.08.11 | – |
| Symantec | 10 | 2007.08.13 | Trojan.Pandex |
| TheHacker | 6.1.8.167 | 2007.08.13 | – |
| VBA32 | 3.12.2.2 | 2007.08.11 | – |
| VirusBuster | 4.3.26:9 | 2007.08.12 | – |
| Webwasher-Gateway | 6.0.1 | 2007.08.13 | Worm.Ntech.D |
| Additional information | |||
| File size: 20992 bytes | |||
| MD5: dfade0d9b21be4fd57dd6975d9fe7ccd | |||
| SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6 | |||
update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than sending to all of us. Fortunately we’d already caught those messages.