Imon detected it, but AMON did not... why?

Yesterday I´ve reicived an e-mail trojan. Dowloaded it and IMON blocked it. Today, i´ve downloaded again, IMON and AMON didn´t detect it... Tried the NOD32 scanner, and it did not detect it... Submited to Virustotal, and NOD32 and KAV and others didn´t detected it... maybe it was a false positive and some nod32 update have fixed this false positive? I don´t think so, because i´ve tried to execute the aplication, but zonealarm blocked it...

 

.....

 

Screenshot from nod32 quarantine (Imon detected it yesterday):

 

None can help me? I´ve submited the file to Eset, but didn´t get answer yet...

 

I've seen this happen a few times (speedfan for one). It probably was a false/positive and they fixed it.
But just to be on the safe side, keep it in quarantine and submit it to virustotal or jottis in a few days.

 

But I really think its not a false positive. I´ve reicived it on my e-mail, and it has all the characteristics of an bad mail... like "click here and get a gift..."! Very suspicious...


Also, I´ve submited it to Kaspersky, and the answer is:

"Hello.
Malicious software was found in the attached file.


INFECTED Trojan-Downloader.Win32.Banload.iv


It's detection was included in the next update.
Please update your base nomore later. 1 hour.
Thank you for your help.
-----------------
Regards, Leonid Khovansky
Virus Analyst, Kaspersky Lab."

Congratilations for Kaspersky for the fast answer. i´ve submited it to Eset about 2 hours ago, and didn´t get answer. Tired to wait, submited to KAV Labs about 12 minutes ago, and just got the answer...

 

I would wait for Marcos or Happy Bytes to give more information.

 

I'm waiting for more info from our engineers right now Most likely it ceased to be detected because the generic signature for SpyBanbra was rebuilt. This is not SpyBanbra, but seems to be actually a trojan downloader.

 

From the next update, it will be detected as follows. You can consider this an official response from Eset:

 

Hi POS:

The file, if run, attempts to download the real infiltration (same name or voxcard2.exe which NOD32 stops with IMON (if running/enabled) or AMON).

This would be as Marcos stated - a Trojan Downloader

It is packed with UPX 1.25

http://www.badsite1.com/images/voxcard.exe a variant of Win32/Spy.Banbra.DT trojan
http://www.badsite2.com/doc/voxcard2.exe a variant of Win32/Spy.Banbra.DT trojan
http://www.badsite3.com/images/voxcard.exe a variant of Win32/Spy.Banbra.DT trojan

AMON file C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\G1QVSLEB\voxcard[1].exe a variant of Win32/Spy.Banbra.DT trojan quarantined - deleted Event occurred on a new file created by the application: c:\voxcard.exe. The file was moved to quarantine. You may close this window.


If allowed to run freely, it creates:
c:\windows\wupdmgr.exe - a variant of Win32/Spy.Banbra.DT trojan (set to run from HKLM/Software/Microsoft/Windows/CurrentVersion/Run at boot)
c:\Explorer.EXE - a variant of Win32/Spy.Banbra.DT trojan

 

When Will be the next update?

 

Is this it?

NOD32 - 1.1301 (20051123) / posted 20:37)
Virus signature database updates:
Win32/Bagle, Win32/Rbot (4), Win32/Spy.Banbra.DT, Win32/Spy.Bancos.U (2), Win32/Spy.Banker.NGX (2)

 

No, its not. Just downloaded the file again and nod32 still does not detect it...

 

It will in the next update (1.1302)

 

I know, but when will be update 1.1302 avaliable? A lot of people here in Brazil are reiciving this e-mail with this trojan...

 

Also KAV has just done an update, and now it can detect this malware... Eset must be faster...

 

It is now detected in the 1.1302 definitions.

 

Just a last question:

I´ve testes the trojan yesterday, when NOD still coudn´t detect it... I´ve executed it, and it start downloading 2 others trojans ( Win32/Spy.Banbra.DT) ... NOD32 IMON said it has stopped both trojans... so I blocked internet conections using Zonealarm and everything was just fine... But after this, I opened Windows Explorer and NOD32 found the Win32/Spy.Banbra.DT trojan there... (c:\), and deleted it...


What I don´t understand is: Didn´t NOD32 IMON block it? It said it has blocked, so why the trojan was there? By the way, I think the trojan was corrupted, so if NOD32 AMON detected it, is it considerated a False Positive?

Only iexplorer.exe is configured to High efficience in IMON..

 

You executed it, well aware that it was infact a trojan? ...
Do a complete system scan and delete anything NOD finds.

And also, it seems to me that you downloaded the file before the 1.1302 update was released, so it could be that file AMON detected later on. Do remember that your browser has a cache where it stores files in. Unpacking programs stores files in the %temp% folder, like Winzip and WinRAR.

 

I think you didn´t understand what I meant... its not your fault, I´m brazilian, and my english is very poor...

The trojan voxcard.exe that I´ve executed downloads other 2 trojans. NOD32 didn´t have a signature for this trojan untill 1.1302 update. But NOD32 has the signatures for the other 2 trojans that voxcard.exe downloads..

So, I´ve executed the trojan voxcard.exe, and it has downloaded 2 others trojans (both called Win32/Spy.Banbra.DT). When downloading, NOD32 IMON, said that has blocked the two Win32/Spy.Banbra.DT trojans. But after all, when I opened Windows Explorer, NOD32 AMON has detected one of the two Win32/Spy.Banbra.DT ( after this I´ve made a scan and nod32 found the other).

The question is: Why the Win32/Spy.Banbra.DT trojans were in my HardDisk if NOD32 said that IMON has blocked both?

 

Ah now I understand I agree, that's pretty weird actually.

Edit:
Ok you say IMON blocked 2 threats. In the signature update it says: Win32/TrojanDownloader.Banload.NAB (2)
The (2) indicates that another 'subsignature' was added - That's probably why it is detecting it now

If only the trojan was added "voxcard.exe" there would be no ().

 

But NOD32 IMON has detected the other 2 trojans before the update... and it said it has blocked both... so why they are in my HD?

 

Because there is a total of 4 threats.

1: The trojan itself (added in the update)
2: The file that it downloads (blocked by IMON)
3: Another file that it downloads again (blocked by IMON)
4: The new subsignature (added in the update) Thats why you see: Win32/TrojanDownloader.Banload.NAB (2)