Unrecognizable yet "dangerous" file...

Recently I read in a greek forum about a keygen.exe file that if you tried to run it, it would do the following (according to what others said, by hex editing it):

Deletes:

C:\Program Files\winupdates
C:\Windows\system32\gpedit.msc
C:\Windows\System32\cmd.exe
C:\Windows\pchealth\helpctr\binaries\msconfig.exe
C:\Windows\regedit.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\command.com
C:\Program Files\winupdates\

Disables:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Changes the first page of IE and loads ads from:

hxxp://www.gmter.com/main/
hxxp://www.whatsfind.com/route.html

When they uploaded the file to Jotti's and Virustotal only 5 antivirus seemed to find something suspicious with it at that time (about 10 days ago):

Avast: Win32:VB-MO
BitDefender: Generic.Malware.Ssp.D9920CC9
DrWeb: Trojan.Popuper
Fortinet: suspicious
Panda: Suspicious file

One guy also said that he sent the file to Eset through email following the regular procedure, but till now NOD32 doesn't seem to recognize it...just yesterday Kaspersky reognized the uncompressed file as "Trojan.Win32.VB.aje" and the compressed as "virus modification: password protected exe".

For testing purposes (and I hope I don't break any rules)

Removed file. No links to suspected or confirmed malware on these forums. Read the Terms of Service - Ron

DO NOT RUN IT JUST FOR THE SAKE OF IT...IT WILL DAMAGE YOUR SYSTEM!

My personal question is, if Eset is aware of it...

 

I apologise for that...

Should I really sent this file again? As I mentioned I can confirm that at least one more have done this a few days ago...

 

There.

 

I've got a better one.

ESET should have recieved this file twice - both in the last five minutes (once from virustotal and once from ThreatSense.Net)
If detection is never added then that's OK with me. I understand that means it was no threat.

Cheers

 

Yes...the old sample submission problem. ESET is again very "fast". I don't think Kaspersky add it as a threat and it's not. See that KAV is detecting it as a virus ..it has no "not-a-virus" label.

 

Hmm...I wouldn't go that far to say "no threat", especially if it has already been recognized as the exact opposite by other software.

Personally speaking, since I'm not experience in the matter, I can't say for sure if it falls into the trojan/virus category, but it does seem quiet harmful. I'd love to know though if this kind of file justifies such a "title".

I waited about 9-10 days before deciding to open a thread about it and taking under consideration first that it had already been submitted to both Jotti, Virustotal and Eset. Problem is that if I run this at the moment, nobody is gonna stop it from provoking havoc to my system and my question is if any antivirus should warn me about it.

 

Well, I didn;t say that blipblop. I said the opposite...the file is dangerous.
Btw, Norman added detection for it..... ESET sleeping...

 

No amount of goading Eset will work, you are well aware of this

Blackspear.

 

Hehe...yeah I know pykko. My post was referring to "NOD32 user" actually, but I was 1 minute late and it seemed like I was responding to your.

I do hope that Eset will eventually look into this. After all I decided to mention it around here, not in order to bash Eset's great work in general, but to focus into this asap. All I can tell regarding my conversations in that aforementioned forum is that heuristics didn't help much in this case unfortunately.

 

After you mentioned keygen.exe I fired up some old p2p software and punched in the keyword 'keygen.exe' and pulled down the first 50 matches. All of them with just 2 exceptions was detected by at least one scanner at virustotal. Generally about 95%+ of executable files obtained via p2p are detected by something at virustotal. Generally only a small percentage of these will be likely to get directly added to NOD32's detection because of reasons mentioned elsewhere.

I have it on very good authority that the sample I mentioned above quote 'does nothing'. Note that it is still detected by three different products anyway.

blipblop with the sample you mentioned above - Quote 'Files are not deleted in any way (that are part of windows), but It just disables part of the registry....zoo sample'

I might add that if there were files missing, then something else must have done it.

Cheers

 

nod32_user....
this file is a threat whether you like to admitt it or not. It's ok for you to disable parts of the registry and to download adds?

 

The first file will be added most likely in the upcoming update, the other appears to be benign - it does perform any suspicious action. BTW, it seem to be a trojan that changes some system policies and regiters itself in the run key so nothing extraordinary.

 

thx, Marcos for the news.

 

here's the updated result from virustotal.com.

 

Thanks for the confirmation Marcos

Cheers

 

Thanks for taking care of it!

Honestly I was a bit surprised that heuristics didn't help much in this case...by intuition alone and according to what I read from others, it didn't seem that "special". You could tell its actions (more or less) even by simple hex editing it.

Nevertheless good work...