Reporting suspected new trojan

[seaephpea]

I have a suspected trojan downloader on my PC and I have a reasonable hunch which file initially caused the infection, yet it is not being picked up by Nod32/Spybot/AdAware/Trojan Hunter.

Is there somewhere I could submit the file for analysis?

The chief symptom is that Firefox is starting (windowless) at startup and is trying to connect to pichingo.redirectme.net using TCP port 2000.

I e-mailed the "report abuse" address for "redirectme.net" and they have now disabled that account, which I presume means it is now "mostly harmless" at least.

Thanks,

cfp

[Joliet Jake]

Just two posts above your own...

http://www.wilderssecurity.com/showp...9&postcount=18

and welcome to the forum seaephpea.

[seaephpea]

Ooops how embarassing. Sorry!

cfp

Can you find the suspected file and submit to ESET as well as to VirusTotal .

[seaephpea]

I've already submitted it to Eset. I'll submit it to VirusTotal as well though.

cfp

[seaephpea]

Results removed due to forum rules. In short more antiviruses failed to find anything than did, and NOD32 was in the first group.

[Londonbeat]

Hello seaephpea

You may want to modify your post as I don't think we are allowed to post any screenshots or info from virustotal or jotti on here anymore.

Quote:

Originally Posted by Londonbeat

Hello seaephpea

You may want to modify your post as I don't think we are allowed to post any screenshots or info from virustotal or jotti on here anymore.

I know we are some kind of forbidden to post VT's reports but the point here is not to show who detect this and who doesn't but to see if this is not a False Positive . Obviously , it is not as wee see however ESET will add it when they find it appropriate (http://www.wilderssecurity.com/showp...9&postcount=18)

Quote:

Originally Posted by seaephpea

I've already submitted it to Eset.

Thank you !

Seaephpea , I recommend you check your NOD32 settings with Blackspear's tutorial and perform full scan with NOD32 . Also run Ewido Micro .

Good luck !

[Marcos]

Quote:

Originally Posted by HiTech_boy

...but to see if this is not a False Positive . Obviously , it is not...

The fact that a file os flagged by more AVs does not automatically indicates that it's not a false positive. Actually, I've come across a bunch of files flagged by more AVs which were actually false positives. This does not seem to be the case, however, and detection will be added shortly.

[seaephpea]

I ran an Ewido Anti-Spyware scan yesterday and I think that has cleaned it. Firefox is no longer being started at log-in at least.

I'll give Ewido Micro a go too though to be safe.

cfp

[seaephpea]

Ahh Ewido Micro is Ewido Anti-Spyware. I hadn't realised.

cfp

Quote:

Originally Posted by Marcos

The fact that a file os flagged by more AVs does not automatically indicates that it's not a false positive. Actually, I've come across a bunch of files flagged by more AVs which were actually false positives.

You are right , Marcos ! Sorry !

Quote:

Originally Posted by Marcos

, however, and detection will be added shortly

,
which is excellent !

[seaephpea]

OK the infected file gets put in C:\windows\system32\micorsoft.exe (note misspelling). I'm sure I looked at system32 by date modified, but I must have missed it.

cfp

[pykko]

Just send it to sample@eset.com

[Marcos]

I for one don't think it's still undetected :-)

[pykko]

that's a good news then.