Virus

Discussion in 'NOD32 version 2 Forum' started by al_ufa, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3
    This virus NOD32 cannot find, but AVP already does.

    ~Link Removed - Ron~

    Will there soon be an update of the NOD32 bases?
     
    Last edited by a moderator: Apr 30, 2007
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,899
    Location:
    Texas
    Hello al_ufa,

    Please send any samples you find to Eset rather than posting links here on the forum.
     
  3. ASpace

    ASpace Guest

    I checked that page before Ron removed the link and I believe that there is no malware there. SiteAdvisor confirms. Possible false positive for AVP/KAV.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    If you still have a copy of the file, submit it to PC Tools threat expert (see below):

    http://www.pctools.com/threat-expert/

    Submitting it there will give you a report via email about the file's characteristics and behaviour. Then at least you will have a vague idea of whether it is actually malicious or not. If Threat Expert does not detect any suspicious behaviour, then it's probably an FP with KAV. :)
     
  5. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Ditto, I also checked and got no warning of malware, and Firefox WOT (like SiteAdvisor) flags the website as trustworthy.
     
  6. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3
    ~jpgs containing link to malware removed. - Ron~
     
    Last edited by a moderator: May 1, 2007
  7. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    I tried the link in the first pic with Dr.Web and got the following result. It looks like Avira, ArcaVir, AVG, VBA32 are flagging the file as well. Did you send sample(s) to Eset like ronjor suggested? If not, I can...

    http://img.photobucket.com/albums/v219/NAMOR/drweb.png
     
    Last edited by a moderator: May 1, 2007
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    It looks like it is indeed malware. I checked the demo.exe file, and it is infected with a trojan horse. I think those of you who have visited the site may already be infected. I do not think, however, that the PHP file is infected.

    demo.exe is infected, detected by ArcaVir, AntiVir, AVG, Dr.Web, Kaspersky and VBA32. Apparently it is a trojan downloader. I am submitting it to PC Tools Threat Expert for further analysis. AVG picked this up on my computer as well (even the free edition detects this). :)

    Those of you who visited the webpage with an AV that didn't detect this, watch out, check your PC carefully. But this may yet be an FP. I will submit a thorough report of this file once I get feedback from PC Tools. :)
     
    Last edited by a moderator: May 1, 2007
  9. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3

    I gave him the reference, which was deleted in the first message.
     
  10. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO

    I checked the PHP link and Dr.Web's realtime scanner didn't find anything while the Java applet was being launched, but scanning my Docs and Settings folder resulted in the following.

    http://img.photobucket.com/albums/v219/NAMOR/drweb2.png
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Got the results from Threat Expert. It says that this file (demo.exe) is 100% malware.

    1) There was a new process created in the system:

    Process name: [filename of the sample#1]
    Process filename: [path and filename of the sample#1]
    Main module size: 229,376 bytes

    2) There was a new memory page created in the address space of the system processes:

    Process Name: svchost.exe
    Process filename: %System%\svchost.exe

    The data identified by the following URL was then requested from a remote web server (website removed for safety reasons)

    Analysis of the Downloaded file:

    1) The following files were created in the system:

    - %System%\rsvp32_2.dll (ASPack packed)
    - [file and pathname of the sample #1]
    - %System%\sporder.dll

    2) There is a new process created in the system:

    Process name: Name of the sample
    Process filename: File and pathname of the sample #1
    Size: 86,016 bytes

    New kernel mode driver is installed in the system:

    %System%\drivers\ws2ifsl.sys

    3) The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\009609f2-4582-4efb-b9b4-5fd3ff48d7d3
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\3acfb079-93af-4c85-aa69-944c63daf039
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\48e4d553-95e2-48c3-82db-249281f76f12
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\4c7f0322-1f28-4126-80ae-5dd9a4bd8fa0
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\724c5150-695c-4d29-a376-ebd8c3ac2889
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\8e5b72f4-01c0-4826-b4fe-fd6e2e0e3717
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\d39c6198-0f0d-48b9-acbd-3d78af92e24e
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\d9657a0d-302e-4aad-b393-e2f15c808bd7
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\dcc6770b-cd25-4ef2-b0df-a2e5b5ef0c34
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\e5f08471-2083-4f1a-ab28-5212bce3aa47
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Enum
    The newly created registry values are detailed in the attached text file.

    I hope this post was of some help :p :D

    I'll look at the PHP file a little bit later.
     

    Attached Files:
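    The Threat Expert report above shows the downloaded file registering new Winsock2 Protocol_Catalog9 catalog entries (000000000010 to 000000000020) and dropping rsvp32_2.dll into %System%, which is the footprint of a Layered Service Provider (LSP) being installed. The script below is an added illustration, not part of this thread and not Threat Expert's or ESET's code, of how a defender can triage such a catalog offline: it parses each entry's PackedCatalogItem value, pulls out the provider DLL path, and flags providers that are not on an allowlist or that live outside System32. It assumes that the provider path occupies the first 260 bytes (MAX_PATH) of PackedCatalogItem as a NUL-terminated ANSI string; the allowlist and the sample catalog blobs are constructed for the example, and on a live machine the blobs would be read with the winreg module instead.

```python
"""Triage Winsock2 Protocol_Catalog9 entries for unexpected LSP providers.

Added example. Input is a dict mapping catalog entry key names (as found under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\
Catalog_Entries) to the raw bytes of their PackedCatalogItem value.
Assumption: the first MAX_PATH (260) bytes hold the provider DLL path as a
NUL-terminated ANSI string; the trailing WSAPROTOCOL_INFO bytes are ignored.
"""
import os
import re

MAX_PATH = 260

# Allowlist of provider DLLs expected in a stock catalog (constructed baseline;
# extend it from a known-good machine of the same Windows build).
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll"}


def pack_catalog_item(dll_path: str, proto_info: bytes = b"\x00" * 16) -> bytes:
    """Build a PackedCatalogItem-shaped blob: path padded to MAX_PATH, then opaque bytes."""
    raw = dll_path.encode("latin-1")
    if len(raw) >= MAX_PATH:
        raise ValueError("provider path does not fit in MAX_PATH")
    return raw.ljust(MAX_PATH, b"\x00") + proto_info


def provider_path(packed_item: bytes) -> str:
    """Extract the NUL-terminated provider path from the leading MAX_PATH bytes."""
    head = packed_item[:MAX_PATH]
    return head.split(b"\x00", 1)[0].decode("latin-1", errors="replace")


def expand_systemroot(path: str) -> str:
    """Expand the %SystemRoot% variable the catalog stores literally (assumed C:\\WINDOWS)."""
    return re.sub(r"%systemroot%", r"C:\\WINDOWS", path, flags=re.IGNORECASE)


def triage_entry(packed_item: bytes) -> list:
    """Return a list of findings for one catalog entry; empty means nothing unusual."""
    path = provider_path(packed_item)
    findings = []
    if not path:
        return ["empty provider path"]
    dll = os.path.basename(path.replace("\\", "/")).lower()
    if dll not in KNOWN_PROVIDER_DLLS:
        findings.append("unknown provider DLL")
    if not expand_systemroot(path).lower().startswith("c:\\windows\\system32\\"):
        findings.append("outside System32")
    return findings


def suspicious_entries(catalog: dict) -> list:
    """Return the sorted names of catalog entries that produced at least one finding."""
    return sorted(name for name, blob in catalog.items() if triage_entry(blob))


# Constructed sample catalog: two stock providers, one entry using the DLL name
# from the report, and one entry pointing outside System32 (hypothetical path).
SAMPLE_CATALOG = {
    "000000000001": pack_catalog_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": pack_catalog_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000010": pack_catalog_item(r"%SystemRoot%\system32\rsvp32_2.dll"),
    "000000000011": pack_catalog_item(r"C:\Documents and Settings\user\Local Settings\Temp\lsphook.dll"),
}

if __name__ == "__main__":
    for name, blob in sorted(SAMPLE_CATALOG.items()):
        verdict = ", ".join(triage_entry(blob)) or "ok"
        print(f"{name}  {provider_path(blob)}  ->  {verdict}")
```

    Note that a DLL sitting in System32 with an unfamiliar name (rsvp32_2.dll, which resembles the legitimate rsvpsp.dll) only trips the allowlist check, so the allowlist has to be built from a clean reference system rather than from the suspect machine itself.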

  12. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    OT: Thanks for posting that Threat Expert site Firecat, didn't even know it was there. Handy place... :D
     
  13. bathisland

    bathisland Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    85
    Am not bashing Nod32 as I have it installed on my system and I have always preferred it.

    But I am hearing more and more cases like this and I am wondering if I made the right decision. I think I need to switch to KAV. What is happening with Nod32? :'(
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's why you shouldn't rely on site rating tools. However, Link Scanner flagged that website as malicious.
    All AVs miss malware samples every day. Don't forget that this is the ESET support forum, so we should expect more people complaining than being thankful :)
     
  15. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Indeed, a lesson learnt there! I am still learning... :oops:

    Running an online scan now with Kaspersky Online Scanner, just to clean out anything that got in. Also thinking of cashing in on that 30% off "switch to kaspersky" offer :doubt:

    Not sure what to do now! :p
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're in the right way ;)
    Regarding site rating tools, I've found that Link Scanner is the most accurate and/or the first to flag a compromised site which previously was rated as safe. According to this test, Trend Micro's Trend Protect is also better than SiteAdvisor (the oldest site rating tool).
    Still, you should make the final decision about visiting a site or not. Site rating tools rely heavily on blacklists (Link Scanner also has an engine which looks for exploits) and blacklists are always playing catch up with the bad guys.
    Browse inside a sandbox or a virtual machine :)
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Do what you must. Try asking Eset for support (i.e. send the sample to them if you have it), if you are not satisfied, start a thread in the other AV forums for advice on which AV to switch to if you are planning to do that. :)

    In future, practice safe hex and do not visit unknown websites. :)

    BTW, the downloaded file by the demo.exe is detected by NOD32 as "probably a variant of Win32/Genetik trojan".
     
  18. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Thank you for the advice, very much appreciated! :)

    I'm going to look into Trend Protect now, from what I read from the link you kindly posted, it seems like a worthwhile download! I shall also look into sandboxing as well. Interesting concept that I have been reading about for a while...

    Kaspersky web scanner is coming up clean for the moment. I only clicked on the .php link... stupidly I know... :blink: and the general consensus I have read here is that it was safe, (plus the Java applet NAMOR described never got time to load before I realised the error of my ways) so it may turn out okay :).

    Cheers for the advice Firecat, I don't have a sample (never touched the two links that were posted most recently), so I doubt asking ESET anything will do much. :p

    I'll just stick with NOD32, considering that it detects the demo.exe trojan of which you speak.

    Thanks again :)
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    The demo.exe file itself is not detected, but the file downloaded by it named zupastik.exe is detected by NOD32. Just thought I'd make that clear. ~Snip~
     
    Last edited by a moderator: May 1, 2007
  20. ASpace

    ASpace Guest

    If you have that demo.exe, submit it to ESET labs, please. :thumb:
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I need to submit it to samples<at>eset.com, right?

    Do I need to include anything specific apart from a short description and the password of the archive?
     
  22. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Ahhh, I see! Well, I'll stick to NOD32 anyway. :p

    So does demo.exe just download zupastik.exe? Looking at the analysis you made of demo.exe, it doesn't appear to be a virus itself, just the delivery mechanism for the trojan. I should have read that analysis properly ;)

    Do you think ESET would add detection for such a file as demo.exe, seeing as it is only the downloader for the virus itself, and the fact that NOD32 detects the downloaded virus anyway?
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Eset already detects a lot of Trojan Downloaders. This may not be a priority for them, but if they have the sample, they'll add it one day, maybe a few weeks or a few months later. So it's best to send the sample to them. :)

    I'll send it by tomorrow (Feeling lazy at the moment). :)
     
  24. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Ahhh, I understand. Well, I'm happy as long as NOD32 detects the trojan being downloaded. I agree that the downloaders are probably not their priority, especially if NOD picks up the downloaded nasty bit.

    Thanks everyone for your answers and advice, and for putting up with my questions! :p

    I learnt a lot from this :)
     
  25. ASpace

    ASpace Guest

    You have never submitted a file to an AV vendor? Never to ESET???

    Just submit the file, a link to this thread, a short description; if in a password-protected archive, the password also... and yes, samples @ eset . com :)
     