nod32 not catching this one in the wild

Discussion in 'ESET NOD32 Antivirus' started by vtol, Apr 8, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Apr 8, 2010
    just around the next corner
    highly probable malware received via email: a zipped attachment containing Facebook_document_56757.exe

    Dear user of facebook,

    Because of the measures taken to provide safety to our clients, your password has been changed.
    You can find your new password in attached document.

    Your Facebook.

    Additional information
    File size: 59392 bytes
    MD5 : f1c88e12dddb0d3684a8cb2fd0a5d52b
    SHA1 : 5eeb0a8f1891a61d8862bf5ea7a299f2828a7dd9
    SHA256: 4d296f1d5cbd172176a120460adf7b330735d5cac5f6f874c92f547057c69d13
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1F470
    timedatestamp.....: 0x46807471 (Tue Jun 26 04:05:37 2007)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name   viradd   virsiz   rawdsiz  ntrpy  md5
    UPX0   0x1000   0x12000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
    UPX1   0x13000  0xD000   0xC600   7.86   3f9f87858e265c748c2d10498efa77b8
    .rsrc  0x20000  0x2000   0x1400   4.91   fd53f2329373c641a547409215e545c9

    ( 5 imports )

    > comctl32.dll: PropertySheetW
    > kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    > msvcrt.dll: free
    > oleaut32.dll: VariantInit
    > shlwapi.dll: StrCatW

    ( 0 exports )
    TrID : File type identification
    Win32 Executable Generic (38.4%)
    Win32 Dynamic Link Library (generic) (34.2%)
    Clipper DOS Executable (9.1%)
    Generic Win/DOS Executable (9.0%)
    DOS Executable Generic (9.0%)
    ssdeep: 1536:baniByYM1rIPKyaTH2zkr5gNM89FPsw2hn7V1NnYSo8z:b5ByYTPDiHekrir9aj7uSoo
    sigcheck: publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    Prevx Info:
    PEiD : -
    packers (Kaspersky): PE_Patch.UPX, UPX
    packers (F-Prot): UPX
    RDS : NSRL Reference Data Set
    Last edited: Apr 8, 2010
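    As an added triage example from the editor, not part of the thread or of the scanner output quoted above: a small pure-Python walk of the PE section table that flags the UPX traits visible in the report (UPX0/UPX1 names, UPX0 with zero raw bytes but 0x12000 bytes virtual, UPX1 at entropy 7.86) and computes the same file hashes. The image it analyses is a constructed stand-in built by `build_sample()`, not the real attachment.

```python
import hashlib
import math
import struct
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty data (the report's UPX0)."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def pe_sections(image: bytes):
    """Walk the PE section table, yielding (name, vsize, vaddr, rsize, rptr)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)  # COFF header
    for i in range(nsec):  # section table starts right after the optional header
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(image, e_lfanew + 24 + opt_size + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize, rptr

def packer_indicators(image: bytes) -> list:
    """Flag the UPX traits the report shows: names, an empty-on-disk unpack target, near-8.0 entropy."""
    findings = []
    for name, vsize, _vaddr, rsize, rptr in pe_sections(image):
        ent = entropy(image[rptr:rptr + rsize])
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (unpack target)")
        if ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f} (compressed or encrypted)")
    return findings

def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as in the report (MD5 of zero bytes is d41d8cd9..., its UPX0 value)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def build_sample() -> bytes:
    """Constructed stand-in (not the real attachment) copying the report's section layout."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, near-random
    rsrc = b"MS Shell Dlg\0" * 20
    e_lfanew, opt_size = 0x40, 0xE0  # PE32 optional header size
    raw1 = (e_lfanew + 24 + opt_size + 3 * 40 + 0x1FF) & ~0x1FF  # first raw section at 0x200
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x46807471, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # PE32 magic; rest unused here
    secs = SECTION_HDR.pack(b"UPX0", 0x12000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    secs += SECTION_HDR.pack(b"UPX1", 0xD000, 0x13000, len(payload), raw1, 0, 0, 0, 0, 0xE0000040)
    secs += SECTION_HDR.pack(b".rsrc", 0x2000, 0x20000, len(rsrc), raw1 + len(payload), 0, 0, 0, 0, 0xC0000040)
    return (h := dos + coff + opt + secs) + bytes(raw1 - len(h)) + payload + rsrc  # pad headers to 0x200
```

    Feeding `packer_indicators()` the bytes of a quarantined sample reproduces the same three checks on real input; a hit on all of them is a packing indicator to follow up on, not a verdict.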
  2. Cudni

    Cudni Global Moderator

    May 24, 2009
  3. Marcos

    Marcos Eset Staff Account

    Nov 22, 2002
    I assume it was added to the last update issued a couple of hours ago.
  4. vtol

    vtol Registered Member

    Apr 8, 2010
    just around the next corner
    did submit the sample even prior to posting here.

    and yes, it is in the update and now classified as Win32/Oficla.FV trojan.

    what is worrisome though is that it slipped under nod32's radar; not even advanced heuristics detected it, considering that the content of the file does not conceal its intention much. however, to be thorough and fair, nod32 would have blocked the russian urls contacted to suck more stuff onto the system.
    Last edited: Apr 9, 2010