dorgane
February 23rd, 2010, 11:29 PM
Hi,
sorry for my bad English, I have a question.
I search for active malware in France; I have sent a file: IM88532.JPG-www.facebook.com.exe (MD5: 38f06b4bb8e9af0b9b409bcabab3a237)
-{ Quote: "
Analyse :
======
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG
Value=EnableFileTracing
REG_DWORD=#00#00#00#00
Value=EnableConsoleTracing
REG_DWORD=#00#00#00#00
Value=FileTracingMask
REG_DWORD=#00#00#ff#ff
Value=ConsoleTracingMask
REG_DWORD=#00#00#ff#ff
Value=MaxFileSize
REG_DWORD=#00#00#10#00
Value=FileDirectory
REG_EXPAND_SZ~#2325windir#2325\tracing#2300
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value=Firewall Administrating
REG_SZ~%SystemRoot%\infocard.exe#2300
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Value=Firewall Administrating
REG_SZ~%SystemRoot%\infocard.exe#2300
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Value=LogSessionName
REG_EXPAND_SZ~stdout#2300
Value=Active
REG_DWORD=#01#00#00#00
Value=ControlFlags
REG_DWORD=#01#00#00#00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Value=Guid
REG_SZ~710adbf0-ce88-40b4-a50d-231ada6593f0#2300
Value=BitNames
REG_SZ~ NAP_TRACE_BASE NAP_TRACE_NETSH#2300
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Value=LogSessionName
REG_EXPAND_SZ~stdout#2300
Value=Active
REG_DWORD=#01#00#00#00
Value=ControlFlags
REG_DWORD=#01#00#00#00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Value=Guid
REG_SZ~b0278a28-76f1-4e15-b1df-14b209a12613#2300
Value=BitNames
REG_SZ~ Error Unusual Info Debug#2300
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTFAT\0000\Control
Value=ActiveService
REG_SZ~Fastfat#2300
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\UI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
Value=Epoch
REG_DWORD=#29#00#00#00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value~%Desktop%\IM88532.JPG-www.facebook.com.exe#00
REG_SZ~%SystemRoot%\infocard.exe:*:Enabled:Firewall Administrating#2300
file :
=====
%SystemRoot%/infocard.exe" }-
After a few hours this worm was detected:
-{ Quote: "23/02/2010 14:45:56 Real-time file system protection file C:\users\inster\desktop\samples - ne pas ouvrir\im88532.jpg-www.facebook.com\im88532.jpg-www.facebook.com.exe a variant of Win32/Injector.AXW trojan cleaned by deleting - quarantined PC-de-Inster\Inster Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe. " }-
But again after a few hours I got an email:
-{ Quote: "On 23/02/2010 21:08, ESET-Ukraine Support Team wrote:
> IM88532.JPG-www.facebook.com.exe - IRC/SdBot trojan " }-
And I have another detection for THIS file (it is not another one):
-{ Quote: "23/02/2010 21:40:33 Real-time file system protection file C:\Users\Inster\Desktop\samples - ne pas ouvrir\IM88532.JPG-www.facebook.com\IM88532.JPG-www.facebook.com.exe IRC/SdBot trojan cleaned by deleting - quarantined PC-de-Inster\Inster Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe. " }-
Now I have sent another one (2192e7f5593bd75f502f3cf07bf0e682, also named IM88532.JPG-www.facebook.com.exe); it is pending.
But my question: why do I have 2 different detections for one file? Is it infocard.exe that makes the different detection?
Thank you for your help; it is for my blog, to follow and help friends ;)
Eset'Fan
Aranud.fr
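As an added example (not from the original post, ESET, or the sandbox tool), a small Python parser for the registry section of the report quoted above: it decodes the tool's "#xx" byte escapes (an assumption about the format, including that "#2300"/"#00" is the written NUL terminator), turns REG_DWORD bytes into integers, and flags the two artifacts a defender cares about in that dump, the Run-key autostart entries pointing at %SystemRoot%\infocard.exe and the Windows Firewall authorized-application exception the sample registered for it.

```python
import re

# Constructed sample: an excerpt of the registry section of the report quoted in the post.
REPORT = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value=Firewall Administrating
REG_SZ~%SystemRoot%\infocard.exe#2300
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Value=Firewall Administrating
REG_SZ~%SystemRoot%\infocard.exe#2300
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
Value=Epoch
REG_DWORD=#29#00#00#00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value~%Desktop%\IM88532.JPG-www.facebook.com.exe#00
REG_SZ~%SystemRoot%\infocard.exe:*:Enabled:Firewall Administrating#2300
"""

HEX = re.compile(r"#([0-9a-fA-F]{2})")

def decode_string(raw):
    # Assumption: '#xx' is a hex-escaped byte and the tool writes the terminating NUL as '#2300' or '#00'.
    raw = re.sub(r"(#2300|#00)$", "", raw)
    return HEX.sub(lambda m: chr(int(m.group(1), 16)), raw)

def decode_dword(raw):
    # REG_DWORD=#29#00#00#00 is four little-endian bytes -> 41
    return int.from_bytes(bytes(int(h, 16) for h in HEX.findall(raw)), "little")

def parse_report(text):
    """Return a list of (key, value_name, reg_type, data) tuples from the tool's three-line records."""
    entries, key, name = [], None, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line
        elif line.startswith("Value"):
            name = decode_string(line[6:])  # strip the 'Value=' / 'Value~' prefix
        elif line.startswith("REG_"):
            rtype, _sep, raw = re.match(r"(REG_\w+)([=~])(.*)", line).groups()
            data = decode_dword(raw) if rtype == "REG_DWORD" else decode_string(raw)
            entries.append((key, name, rtype, data))
    return entries

def findings(entries):
    """Flag autostart (Run key) entries and Windows Firewall authorized-application exceptions."""
    out = []
    for key, name, _rtype, data in entries:
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            out.append(("autostart", name, data))
        elif "firewallpolicy" in k and k.endswith(r"\authorizedapplications\list"):
            out.append(("firewall-exception", name, data))
    return out
```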