Strange Malware

Hi folks,

Yesterday at office, we received an email with an attachment,with 14 kb and unfortunately, the person gave 2 clicks, and the malware was installed.So I checked my Outpost log, and it was blocked trying to connect to Google.It created a folder called systemreg inside Programs Files, and it starts everytime you boot the computer (6 MB).My problem is: I have scanned this file with NOD32, Microsoft Antispyware, Spybot S&D, Ad-Aware Pro 1.05, TDS-3, Trojan Hunter and Pest Patrol. So I zipped it with a password and sent to Eset and Kaspersky too.Until now, I didn´t get any answer from them and the only way to solve it was using Norton´s Go Back and True Image.I tested the file in my computer and Microsoft Antispyware and Process Guard blocked it, but the computer that got the malware, Microsoft Antispyware wasn´t working,it seems it was disabled or something.If it is a rootkit, where I can find a tool to test it ( I know Process Guard prevents it), but I´d like to know what to do.

Best Regards,

DonKid.

 

It´s a Trojan, Kaspersky and Dr. Web already detects it. I´m wainting for a new update,
to see if NOD32 will detect it.

 

Thanks for keeping us up-to-date DK, much appreciated.

Cheers

 

No problem. I hope an update can solve it, since I´ve sent this file same day to Eset and Kaspersky, but not to Dr. Web. I think I´ll send it to TDS-3 team too.

Best Regards,

DonKid.

 

Not sure if this is what you want, but Sysinternals have recently released a free tool to detect root kits Its output is not for those who do not like a challenge

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

 

You can also use much simpler http://greatis.com/unhackme/. Although it is payway there is a demo and it is very easy and fast to use.

EDIT: Sorry I missed where you said it is a trojan. Glad you found it.

Thanks,

Chris

 

Thanks folks for help me.

By the way, version 1.1008 is NOT detecting it yet

Best Regards,

DonKid.

 

Which name uses KAV to detect this trojan?

 

Hi Sir_carew.

File: cartaovirtual
INFECTED/MALWARE
Packers detected:
UPX

AntiVir
No viruses found (1.19 seconds taken)
Avast
No viruses found (4.53 seconds taken)
AVG Antivirus
No viruses found (1.15 seconds taken)
BitDefender
No viruses found (1.47 seconds taken)
ClamAV
No viruses found (1.89 seconds taken)
Dr.Web
No viruses found (2.41 seconds taken)
F-Prot Antivirus
No viruses found (0.23 seconds taken)
Fortinet
No viruses found (1.22 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.VB.ta (1.90 seconds taken)
mks_vir
No viruses found (0.27 seconds taken)
NOD32
No viruses found (0.54 seconds taken)
Norman Virus Control
No viruses found (0.67 seconds taken)

I know that Dr.Web and mks_vir already detects it.

Best Regards,

DonKid.

 

That scanner is not scanning for malware because it is based on Linux system and some vendors do not detect malwares under Zinux platform

Trie www.virustotal.com

 

I'm pretty sure that the platform the server is running on has no bearing on the workings of the AV engines used.

 

Did you end up sending it to DCS ?

 

Jotti doesn't use NOD32's "Potentially dangerous applications" settings
because it is a Linux server.
http://virusscan.jotti.org/

However, virustotal does use the NOD's "Potentially dangerous applications"
setting because it is using Windows for the scan. http://www.virustotal.com/flash/index_en.html

So you may see some different results with NOD using the different scanners.

 

Yes, the same day I told.

today, NOD version 1.1014 and not yet.

Service load:
0% 100%
File: cartaovirtual.com.scr
Status:
INFECTED/MALWARE
Packers detected:
UPX

AntiVir
TR/Cartao (0.37 seconds taken)
Avast
Win32:Trojano-977 (1.53 seconds taken)
AVG Antivirus
VB.V (0.47 seconds taken)
BitDefender
Trojan.VB.TA (0.46 seconds taken)
ClamAV
No viruses found (0.60 seconds taken)
Dr.Web
Trojan.Horas (0.87 seconds taken)
F-Prot Antivirus
No viruses found (0.09 seconds taken)
Fortinet
No viruses found (0.46 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.VB.ta (1.01 seconds taken)
mks_vir
Trojan.Vb.Ta (0.25 seconds taken)
NOD32
No viruses found (0.54 seconds taken)
Norman Virus Control
No viruses found (0.67 seconds taken)

And TDS-3 can´t detect it yet.

Best Regards,

DonKid.

 

OK I tried see the results:

Antivirus Version Update Result
AntiVir 6.29.0.16 03.01.2005 TR/Cartao
AVG 718 03.01.2005 VB.V
BitDefender 7.0 03.01.2005 Trojan.VB.TA
ClamAV devel-20050130 03.01.2005 no virus found
DrWeb 4.32b 03.01.2005 Trojan.Horas
eTrust-Iris 7.1.194.0 03.01.2005 Win32/Bancos.14336!Downloader
eTrust-Vet 11.7.0.0 03.01.2005 no virus found
Fortinet 2.51 03.01.2005 no virus found
F-Prot 3.16a 03.01.2005 no virus found
Ikarus 2.32 03.01.2005 no virus found
Kaspersky 4.0.2.24 03.01.2005 Trojan.Win32.VB.ta
NOD32v2 1.1014 03.01.2005 no virus found
Norman 5.70.10 03.01.2005 no virus found
Panda 8.02.00 03.01.2005 no virus found
Sybari 7.5.1314 03.01.2005 Win32/Bancos.14336!Downloader
Symantec 8.0 03.01.2005 no virus found

Funny is that I´ve sent this file to several companies included Symantec and it can´t detect it yet.

Best Regards,

DonKid.

 

TDS-3 is detecting this trojan with last update

Best Regards,

DonKid.

 

Thanks for the info DonKid!

 

No problem.

What I like about TDS-3, it detected the trojan that was zipped and with password that I´ve sent to Eset last week.
Unfortunately, NOD can´t detect a zipped virus with password.
Hope Eset can improve it soon.

Best Regards,

DonKid.

 

No program can scan inside password protected archives. Just imagine how many years it would take to figure out the right password comprising of several characters using brute force.

 

Marcos,

I believe in you, but I´m looking the zipped file with password at my desktop and TDS-3 detected it today, and I´m sure its with password, since I try to unzip it and Winzip asked me to type my password.

Best Regards,

DonKid.

 

If we pick up a signature from a password protected archive, it would be detected also. This is how it works in the case of some Netsky's variants.

 

Ok, no problem.

I´ll test it protected by password when NOD32 could be able to detect it.

Thanks for explanations.

Best Regards,

DonKid.

 

I guess your trojan has been deemed as "not important enough" to include in the update.
yeap it happens a lot, sometimes it takes them anywhere from 2 weeks to a month to add an "non important" malware.

Quite a shame but hey that's life according to Eset.

 

I've been in touch with DonKid and the sample he sent is actually going to be added shortly. It's really not a problem to add a signature even if it's not an ITW threat.

 

Thanks a lot.

Fortunatelly we have a great forum.

Best Regards,

DonKid.