Mal/Dropper-L

We had a couple of viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file, lgame.exe. The subject of the message was “Hot Pictures.” Sunbelt Software’s analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.
I plan to report this false negative to MessageLabs but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in a msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted the file to VirusTotal. Here are their results. (This is 7 hours after the files were originally sent.)

File lgame.exe received on 08.13.2007 15:00:28 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.9.2 | 2007.08.13 | |
| AntiVir | 7.4.0.60 | 2007.08.13 | Worm/Ntech.D |
| Authentium | 4.93.8 | 2007.08.11 | |
| Avast | 4.7.1029.0 | 2007.08.13 | Win32:Agent-JYG |
| AVG | 7.5.0.476 | 2007.08.13 | |
| BitDefender | 7.2 | 2007.08.13 | DeepScan:Generic.PWS.Games.4.2D9F7732 |
| CAT-QuickHeal | 9.00 | 2007.08.13 | |
| ClamAV | 0.91 | 2007.08.13 | Trojan.Dropper-2099 |
| DrWeb | 4.33 | 2007.08.13 | BackDoor.Bulknet |
| eSafe | 7.0.15.0 | 2007.08.10 | |
| eTrust-Vet | 31.1.5055 | 2007.08.13 | Win32/Cutwail!generic |
| Ewido | 4.0 | 2007.08.13 | |
| FileAdvisor | 1 | 2007.08.13 | |
| Fortinet | 2.91.0.0 | 2007.08.13 | |
| F-Prot | 4.3.2.48 | 2007.08.10 | |
| F-Secure | 6.70.13030.0 | 2007.08.13 | Trojan-Downloader:W32/Agent.BRK |
| Ikarus | T3.1.1.12 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| Kaspersky | 4.0.2.24 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| McAfee | 5095 | 2007.08.10 | |
| Microsoft | 1.2704 | 2007.08.13 | |
| NOD32v2 | 2455 | 2007.08.13 | a variant of Win32/TrojanDownloader.Agent.BRK |
| Norman | 5.80.02 | 2007.08.13 | |
| Panda | 9.0.0.4 | 2007.08.12 | |
| Prevx1 | V2 | 2007.08.13 | |
| Rising | 19.36.02.00 | 2007.08.13 | |
| Sophos | 4.20.0 | 2007.08.12 | Mal/Dropper-L |
| Sunbelt | 2.2.907.0 | 2007.08.11 | |
| Symantec | 10 | 2007.08.13 | Trojan.Pandex |
| TheHacker | 6.1.8.167 | 2007.08.13 | |
| VBA32 | 3.12.2.2 | 2007.08.11 | |
| VirusBuster | 4.3.26:9 | 2007.08.12 | |
| Webwasher-Gateway | 6.0.1 | 2007.08.13 | Worm.Ntech.D |
 
Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6

Update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than sending to all of us. Fortunately we’d already caught those messages.